Cybersex enablers – following the money (Part 2)

Disclaimer

All names have been masked for legal reasons; however, if anyone with a legitimate interest in knowing more about my research wishes to contact me, I will be happy to discuss further with them.

In part 1 of this two-part article I looked at the mechanics of Cybersex – at how different parties interact, and at the structures that underlay those interactions. The focus was on one type of enabler, namely web-based “chat” service providers.

In this part I am going to look a little deeper into the financial enablers – without which much of cybersex would be no more than a less than salubrious hobby.

Some of us may be taken aback at how brazen cybersex can be. And it is true, much of what goes on is operating on the open web using services that you and I use – including ubiquitous social media apps such as WhatsApp, Viber, Fb, and so on. Whilst there are or have been activities on the dark web, it is the accessibility of services that gives Cybersex its reach, and which makes it a viable business proposition. In other words, cybersex needs to be hiding in plain sight.

That said, whilst the tools are visible, the owners and beneficiaries of the trade are understandably a little coyer. All sorts of rumours are circulating the Philippines about which US billionaire owns one of the sites I discussed in the first part – namely LJ. Some rumours even claim that the current US President is the ultimate beneficial owner. That claim lacks credibility, not because the current President has moral scruples, but because if there was any substance in the rumour it would have been all over the US newspapers long ago.

The website in question is in fact owned by a company called D****** IT S***** Sarl, which is registered in Luxembourg. It is registered as a “Society a responsibilite limite 1855”, at A**** Office Building, ** John F Kennedy, Grand Duchy of Luxembourg. I have not been able to check the ownership beyond that.

Hiding in plain sight is just as necessary for the financial enablers as it is for the services linking buyer and seller, performer and protagonist.

Although different sites have different payment partners and different payment methods at their disposal, they are similar in that they all access commonly used, and widely accepted payment channels. I will be illustrating how this works using the LJ example and its partnership with GH.

For any person seeking a direct relationship with clients (i.e. as a top level “boss”) the LJ website requires the user to have a GH card.

Applying for the card is a simple on-line process. If an applicant is applying for a card on the GH website, they will be asked to input the following information.

  • Name
  • Date of birth
  • Address
  • Telephone number
  • Email
  • Copy of photo ID (govt issued).
  • Bank account IBAN or other details

However, if the applicant is on LJ, the application process is conducted via a LJ interface, and the information required does not include a bank account number. In other words, there is no independent face-to-face verification of identity.

As a result, there is little or nothing to stop impersonation or identity theft. This is not great from either a fraud or AML/CTF perspective, and rather undermines the GH Website’s claims to be performing world class AML and KYC due diligence. I would love to quote but that would make the subject immediately identifiable, so paraphrasing instead ….:

“Due Diligence requirements are one of our foremost competencies achieved by world-class forensics technics and extensive experience in managing payments associated risks”

 We “….follow robustly anti money laundering policies and procedures, fully complying with FATF-GAFI, EU and US regulations, and strict CDD and CIP processes based on payment method and jurisdiction”

Indeed, if one looks at the GH website it appears to have partnered with two Eastern European on-line banks (Bank K of Belarus and P Bank of Ukraine). If GH is equating its KYC verification with the standards of these two banks it is very probable that identity abuse is going to be all too easy in all its payment partnerships. It is hard to imagine these two banks having the same levels of CDD on their relationships with payment service providers as any bank subject to BSA or the equivalent in other more regulated jurisdictions.

In a matter of days after the card application is made on-line, a “GHX card” will arrive in the post and the card holder is ready to start performing himself, or to get others linked to him to start performing.

But there is another slight issue here as well. The address to which delivery is made is often not the applicant’s address, as either the applicant is seeking anonymity, or the applicant lives in a shanty settlement, which is more often than not a collection of temporary shacks with no formal address. Moreover, the password to activate the card, I was informed, is stuck to the back of the card when it arrives. Hardly a robust control!

Once the card has been activated (say through an ATM terminal, or on-line) business begins. The clients can make payments to LJ using any card accepted by the website or via well established (and regulated, at least in the US) on-line payment services. In short, the standard consumer interface and payment mechanisms exist at the client end of the transaction.

Not being privy to LJ’s innermost workings I am now going to have to extrapolate what happens next.

Given that payments to the card holder do not go into a bank account mandated or controlled by the card holder (indeed many card holders are un-banked), but the card holder does have use of the card, and credits to and debits from the card are particular to that card and that card holder, one can only assume that transactions are entering a pooled account controlled by either LJ or GH, and are then divided amongst many sub-accounts.

GH’s website hints at such an arrangement in its description of its services, one of which is “international mass payments” on a client’s behalf. The website states (again I paraphrase to mask identities): –

“You can simply make payments to a considerable number of payees in just minutes using our super robust payments APIs. Our range of mass pay-out choices includes payments to pre-paid X cards, transfers to local banks, local e-Wallets, and international cheques.”

Thus, it sounds very much as if GH maintains some sort of banking relationship for the client (the website) in its own name. Thus, all cards issued on the client’s instruction are linked to a bank account in GH’s name, but which it uses exclusively for that particular client. It then distributes funds from this account using the methods mentioned in the quote above. Distribution will be performed in line with the client’s (in this case LJ’s) instructions delivered by the API. Super convenient for the client and a great business model.

But there is more. Money needs to come into the account first, before it can be distributed. It may well be that collection of payments made to LJ is collected by LJ and then sent to its GH account in bulk. This might put a convenient circuit breaker in what GH gets to see and know about LJ’s business.

The problem with this model, though, is that other banks need to be involved, and explanations need to be given. There are ways round this, and that is to set up dummy companies to collect payments and disguise their true nature. Such payments can then be transferred to the affiliate GH account.

However, all this is unlikely and completely unnecessary, as GH seems willing to manage collections as well – to ensure that payments to the website in their various forms get into the banking system, before being distributed according to the website’s instructions.

It is hard to imagine a better collections and payments model for on-line business, and long may it continue, but it is also perfectly honed for businesses such as on-line sex chats.

For any banks doing business with GH such a business model will mean that their direct customer is GH. Depending upon how GH is positioned as a Payment Service Provider, perhaps being itself a merchant acquirer as well as a card issuer, it is likely it also has a contract with X card and is X card’s customer.

At the next level down GH (as a potential Payment Service Provider, merchant acquirer or card issuer) will have thousands, if not hundreds of thousands of its own customers, each with their own customer base. And if we look at the LJ business model, there will be customers of those customers, or at least – linked parties.

Thus, for a bank to have any real assurance that it is not nesting a brood of vipers, it needs to do due diligence on its customer, its customers’ customers, and its customers’ customers’ customers. To mince the words of the nursery rhyme…’kits, cats, sacks and wives, how many KYC checks might arise’!

Banks usually take a risk-based approach to performing KYCC due diligence. But given the demands (and commercial plus privacy issues) of doing KYCC due diligence for a client such as GH it is hard to imagine that the bank has done much more than seek assurances from its direct customer, GH, that it (GH) is performing due diligence to the bank’s own standards. The bank may also demand that the customer report issues to the bank if they arise and will like as not also request that the bank be allowed to test the customer’s controls.

That might be a good approach if it was actually happening, and if the bank’s own standards were rigorous. However, given that the only two banking relationships GH has openly admitted to are both relatively new on-line Eastern European banks, it may be a bit much to expect they have developed standards as rigorous as their established competitors. Business hungry banks in less aggressively regulated jurisdictions may not be the best institutions upon whom to put reliance for holding the line.

There is also the nagging suspicion that these two banks were either deliberately selected by GH as they may be more amenable, or that these were the only two banks willing to take on the GH risk without demanding too much in return.

The other important control is transaction monitoring. There is no specific detection scenario that will clearly label a transaction as cybersex, though some types of activity could be reflective of such an activity. Everything has to have a context though. Weak due diligence weakens transaction monitoring.

As we have seen here, if the client banks are allowing GH to pool its client funds, it will be very difficult for the bank to detect cybersex, or any form of associated “modern slavery” through transaction monitoring alone. They will need to understand how GH operates, and how GH’s customers operate to make sense of the transaction pool.

The “player” best placed to understand whether transactions are suspicious is GH itself. The problem is that its business models facilitate the very scenarios that could (without mitigating context) be treated as suspicious in a standard rules-based monitoring system. As such it runs the risk of blinding itself.

Monitoring for modern slavery, for example, looks for transactions where one person holds many accounts, or where many accounts can be linked to one address or other unifying identifier, or one person seems to be controlling accounts in the names of other individuals, and so on. Pretty much the business models that GH supports.
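The linkage scenarios just described, sketched as a rules-based check. This is an added example, not code from the article or from any provider it discusses; the record fields, the sample data and the alert threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample card-account records; the field names are hypothetical.
ACCOUNTS = [
    {"id": "C001", "holder": "A. Santos", "address": "12 Rizal St", "phone": "555-0101"},
    {"id": "C002", "holder": "B. Cruz", "address": "12 Rizal St", "phone": "555-0102"},
    {"id": "C003", "holder": "C. Reyes", "address": "9 Mabini Ave", "phone": "555-0102"},
    {"id": "C004", "holder": "D. Lim", "address": "9 Mabini Ave", "phone": "555-0104"},
    {"id": "C005", "holder": "E. Tan", "address": "77 Luna Rd", "phone": "555-0105"},
    {"id": "C006", "holder": "E. Tan", "address": "3 Bonifacio St", "phone": "555-0106"},
]
LINK_FIELDS = ("holder", "address", "phone")  # the "unifying identifiers"
MIN_CLUSTER = 3  # assumed alert threshold, not a regulatory figure


def _norm(value):
    """Normalise an identifier so trivial formatting differences still match."""
    return " ".join(value.lower().replace(".", "").split())


def linked_clusters(accounts, fields=LINK_FIELDS, min_size=MIN_CLUSTER):
    """Group accounts that share any identifier, directly or transitively."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first account id carrying that value
    for acct in accounts:
        for field in fields:
            key = (field, _norm(acct[field]))
            if key in first_seen:
                parent[find(acct["id"])] = find(first_seen[key])
            else:
                first_seen[key] = acct["id"]

    groups = defaultdict(list)
    for acct in accounts:
        groups[find(acct["id"])].append(acct)

    alerts = [
        {"accounts": sorted(m["id"] for m in g), "holders": sorted({m["holder"] for m in g})}
        for g in groups.values() if len(g) >= min_size
    ]
    return sorted(alerts, key=lambda a: a["accounts"])
```

In the sample, C001 to C004 form one cluster even though no single address or phone number covers all four, which is why per-identifier counts alone miss chained links. A cluster listing several holder names is the "accounts in the names of other individuals" pattern and still needs context before it means anything.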

Other than GH only the card networks might have sufficient information to conduct some sort of relatively effective transaction surveillance. However, they are unlikely to be as data rich in respect of the surveillance targets as GH.

So, if the onus to weed out scabrous on-line businesses and individuals falls to GH, and the onus to hold GH to account rests with the banks and card networks, is the wider payments infrastructure safe from cybersex related money?

Unfortunately, all this gives me a horrible sense of déjà vu. Over ten years ago a bank in Asia opened a relationship with an on-line payment provider controlled by an individual called Julian Lankry. The bank had a card merchant acquirer relationship with its customer but allowed the customer to bring on its own sub-merchants. All this was using an established card network.

The customer (a Payment Services Provider) was in many respects doing similar things to GH, though GH seems to be issuing cards as well as acquiring its own merchants. In the Lankry case, either wittingly or unwittingly, the customer’s customers included porn-sites (some strongly suspected to be purveying child pornography).

No one noticed the relationship as the bank’s surveillance systems and due diligence were at the customer level, not the customer’s customer level. It was only when the card network provider started fining the bank substantive sums for processing payments it deemed to be in breach of its contract with the bank, that the bank’s management noticed the problem.

When Compliance looked at the relationship in detail a multitude of discoveries were made which suggested even at the direct customer level the bank could have done more to probe the relationship before it was opened. As it turned out the payment services provider was a new company, and its beneficial owner was a convicted drugs trafficker recently released from gaol. The most important public domain red flag, however, was litigation between Barclays Bank (in the UK) and another company owned by Julian Lankry (Lancore Services Ltd). The Judge’s summary reverberated with reasons why no bank should have been banking any business owned or controlled by Mr. Lankry (https://www.casemine.com/judgement/uk/5a8ff7dc60d03e7f57eb2820).

Even though the facts of this case predate the 2008 financial crisis it makes instructive reading. Its most worrying aspect, though, is that more than a decade later, despite all the money and effort being poured into AML and compliance, gatekeepers and regulators are repeating the mistakes of the past with dire consequences for the lives of the innocent.

The fact that (as stated on its website) GH is a global payments business moving money across 200 countries and in 70 currencies is a little worrisome when faced with some of the issues we mentioned, namely the potential ease with which card holders’ identities can be faked, the standards of due diligence, and the nature of on-line businesses facilitated. The volumes and amounts may also be significant, if (as boasted by at least one cybersex enabling website) participants can earn up to USD 10,000 per month on-line.

GH claims to be licenced and regulated by 6 authorities (US, Australia, Gibraltar, Japan, Hong Kong and India) but is “global” in its reach. In the US GH is treated as a Money Service Business (MSB). Here I have to confess the limits of my comprehension. Banks as a rule are required to have licences in any country in which they do business. Why not the on-line payments business?

There are of course essential differences between banks and MSBs, but in terms of the rationale for licensing those differences are being eroded daily. MSBs (which is what GH is – certainly in the US) are not only considered financial “gate keepers”, therefore squarely within the ambit of AML Laws and regulations, but also considered to be high risk.

Whilst regulators and governments understand the important part this sector plays in the overall financial infrastructure (in particular for the unbanked and lower end of the socio-economic order) some have been slow to demand and exercise oversight.

We are all aware of the challenges oversight means, and of the need not to overburden innovative payment channels with costly regulation that could ultimately rebound on the poor and unbanked. And it is universally accepted that co-operating across borders is never going to be easy. Incremental improvements to international standards may be the best we can hope for. But does it make sense to supervise a global payments system in one country but not in another?

In the words of Philippine Justice Undersecretary Emmeline Aglipay-Villar, “we need to act as a global community” (Philippine Inquirer 21st May 2020), or financial defences will be about as effective as the Maginot Line.

Now, as ever, the interconnected financial infrastructure is easily infected at points of weakness. Caulking some holes and leaving others to leak is not an effective response to financial crime risk.

 

End

The author leads TSG’s Advisory Services. He has spent many years in law enforcement and banking – specializing in financial crime risk and compliance. TSG is a Research (including due diligence) specialist, also offering Ethics Compliance and Advisory services to its clients. TSG offers expertise in Eastern Europe, as well as East Asia.