
Rogue Business Agents Are Misusing Bank APIs To Launder Money

Rogue agents leverage payout APIs that are designed for legitimate business use to operate intricate money laundering syndicates through the banking system


Certain payment aggregators (PAs) and business correspondents (BCs) have found a way to abuse banking technology to launder large amounts of money, according to a news article by The Economic Times. These agents, who are typically relied upon to help people in rural or remote locations access basic banking services, are now accused of abusing payment systems to transfer illicit funds.

Business correspondents are agents appointed by banks to help customers in remote areas carry out simple banking transactions such as sending or receiving money. The service is particularly useful for migrant workers who send money to their families in villages. Some of these BCs, however, have strayed from that purpose. They are posing as merchants and using tools designed for online businesses to move cash for individuals without showing where the funds originate.


At the centre of this abuse is something known as a "payout API". APIs (Application Programming Interfaces) are software interfaces that let two systems communicate with one another. A payout API specifically enables a business to send funds to many payees at the click of a button, easily and promptly. These APIs are designed for firms to pay employees, issue refunds, or pay suppliers. In the wrong hands, however, the same tool is used to send cash to unidentified bank accounts without arousing suspicion.

Here is how the process works. A team of agents working for a rogue BC collects money from people who do not disclose their identities or where the money comes from. This money is deposited in the BC's bank account. The BC then uses a payout API, obtained from a payment aggregator it works with, to transfer the money to several beneficiary bank accounts. On paper, the BC appears to be an ordinary merchant making regular payments to other merchants. In reality, the money is being spread across numerous accounts to evade detection.


The beneficiary accounts that receive the money are usually "mule accounts". A money mule is an individual who allows their bank account to be used for transferring illegal funds, usually for a small payment. Once the money reaches these accounts, it is either withdrawn or transferred to other accounts, making it difficult for authorities to track its final destination.

Part of the reason this technique is so attractive to criminals is that it circumvents the restrictions that otherwise apply to BCs' money transfers. Under the provisions for direct money transfers (DMT) that BCs normally follow, each transaction is restricted to Rs 5,000, and the aggregate in a month may not exceed Rs 25,000. But when BCs act as merchants and use a payment aggregator's API, these restrictions do not apply. This allows much larger amounts to be transferred in a short time without raising any alarms.


As reported by The Economic Times, banks and the government are already aware of the issue. The BC industry has informed the Reserve Bank of India (RBI) and the Financial Intelligence Unit (FIU), a government agency that tracks illegal financial activity, of these suspicious practices. After the problem was raised, the FIU approached banks, telling them to be careful and to watch for API abuse.

Banking authorities are convinced that some of the rules must be tightened to prevent such abuse. For instance, banks and payment aggregators must not share APIs with third parties. They must also verify that the recipients of the money are genuine businesses and not fake accounts opened for money laundering. Beneficiaries' PAN numbers should be cross-checked beforehand, and limits must be imposed on the number of merchants that can be associated with a single API.
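The kind of monitoring check these recommendations imply can be sketched over payout-API records. This is an added example, not code from the article or from any bank or aggregator. The record fields, the `is_bc` flag (the aggregator knowing a merchant is also a registered BC), the per-beneficiary reading of the monthly cap, and the fan-out threshold are assumptions; only the Rs 5,000 and Rs 25,000 DMT limits come from the article.

```python
from collections import defaultdict

# DMT limits the article cites for BC money transfers
DMT_PER_TXN = 5_000      # Rs per transaction
DMT_PER_MONTH = 25_000   # Rs per month (applied per beneficiary here: an assumption)

# Constructed sample payout records; the field layout is hypothetical:
# (merchant, is_bc, month, beneficiary, pan_verified, amount_rs)
PAYOUTS = [
    ("M-BC-01", True, "2025-01", "ACC-A", False, 48_000),
    ("M-BC-01", True, "2025-01", "ACC-B", False, 4_900),
    ("M-BC-01", True, "2025-01", "ACC-C", False, 4_900),
    ("M-BC-01", True, "2025-01", "ACC-D", False, 4_900),
    ("M-SHOP-02", False, "2025-01", "ACC-X", True, 60_000),
    ("M-SHOP-02", False, "2025-01", "ACC-Y", True, 12_000),
    ("M-BC-03", True, "2025-01", "ACC-Z", True, 4_000),
    *([("M-BC-04", True, "2025-01", "ACC-Q", True, 5_000)] * 6),
]


def review_payouts(payouts, max_beneficiaries=3):
    """Return {merchant: sorted reasons} for payout patterns worth escalating."""
    reasons = defaultdict(set)
    monthly = defaultdict(int)   # (merchant, month, beneficiary) -> Rs paid out
    fan_out = defaultdict(set)   # (merchant, month) -> distinct beneficiaries
    for merchant, is_bc, month, beneficiary, pan_ok, amount in payouts:
        fan_out[(merchant, month)].add(beneficiary)
        if not pan_ok:           # beneficiary PAN was never cross-checked
            reasons[merchant].add("unverified_pan")
        if is_bc:                # a BC paying out as a merchant: compare with DMT caps
            monthly[(merchant, month, beneficiary)] += amount
            if amount > DMT_PER_TXN:
                reasons[merchant].add("txn_over_dmt_limit")
    for (merchant, _, _), total in monthly.items():
        if total > DMT_PER_MONTH:
            reasons[merchant].add("monthly_over_dmt_limit")
    for (merchant, _), accounts in fan_out.items():
        if len(accounts) > max_beneficiaries:
            reasons[merchant].add("high_fan_out")
    return {m: sorted(r) for m, r in reasons.items()}


if __name__ == "__main__":
    for merchant, why in review_payouts(PAYOUTS).items():
        print(merchant, why)
```

The ordinary merchant `M-SHOP-02` is not flagged despite its larger payouts, because the DMT comparison applies only to merchants known to be BCs.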


The issue appears to be more prevalent among large, corporate BCs—e.g., companies, NGOs, and microfinance institutions—operating on a larger scale and having greater exposure to technology and financial networks than individual agents such as local shopkeepers or retired bankers.

With more people using digital payments, the technology designed to enable financial inclusion has to be watched closely to avoid abuse. In the absence of effective checks and balances, tools designed to assist legitimate users can quickly become avenues for illegal purposes.
