Prepaid debit cards have paved the way to cashless shopping and fast, digital transactions for millions of people across the world. But there is a dark side that leaves payment processors, banks and other card issuers like Google and Apple Inc. exposed to criminal activity that could lead to reputational damage and run-ins with regulators.
Issued by major banks and others, and running on the networks of payments giants like Visa and Mastercard, these prepaid cards are used to launder the proceeds of crime or fund terrorist plots. Victims of scams are pressured into handing over hundreds or thousands of dollars through gift cards from iTunes and Google Play. And there is a growing range of reloadable debit cards that allow holders of bitcoin and other cryptocurrencies to spend their funds in the real economy, with no real way of knowing whether those funds are the proceeds of illicit activity.
Rising popularity
The popularity of prepaid cards shows no signs of abating. The global prepaid card market is anticipated to reach $3.653 trillion of revenue by 2022, with a CAGR of 22.7% between 2016 and 2022, according to Allied Market Research.
Paying fees to the card providers that vary depending on the type of card in use, consumers can use them to make purchases at home and abroad, offer them as gifts or have them provide deposit and savings facilities instead of or alongside traditional bank accounts. The latter function can be a lifeline for those otherwise excluded from mainstream financial services.
Most reloadable debit cards use the networks of major card processors including Visa Inc., Mastercard Inc. and Discover Financial Services to handle transactions. Between them, the three companies had some 388.7 million prepaid cards in circulation in 2018 from the 50 largest card issuers in the U.S. alone. Those cards generated $197.71 billion in purchase volume, according to the latest data available from research firm The Nilson Report.
The nearly $200 billion in U.S. prepaid card volume is forecast to rise to $352 billion by 2022, according to The Nilson Report. That would equate to a rise of about 78%, whereas total card spending is forecast to increase to $10.086 trillion from $7.266 trillion in 2018, a gain of roughly 39%.
The largest issuers of prepaid cards in the U.S. by the number of purchase transactions are a mix of global banks such as JPMorgan Chase & Co. and lesser-known names including MetaBank NA, The Bancorp Inc. and Green Dot Corp.
Global networks
Given prepaid cards' popularity and the anonymous nature of many of them, fraud experts are increasingly concerned about the potential for abuse, from petty scams to money laundering for drug lords and terrorists.
"We see these cards present in many crimes from drug trafficking to human trafficking," John Tobon, deputy special agent in charge of Homeland Security Investigations in South Florida, told S&P Global Market Intelligence.
Terrorists used prepaid cards to anonymously pay hotel bills and other expenses leading up to the 2015 Bataclan attacks in Paris, while the Mexican drug cartel led by Joaquin "El Chapo" Guzman routinely used them to move money across national borders.
Part of the appeal to criminals of prepaid cards is that they can be used to parcel large sums of money into small amounts, helping to avoid arousing anti-money-laundering, or AML, alerts when the funds are paid into the banking system and the wider economy. This is a practice dubbed "smurfing" by financial crime experts.
In most countries, customers depositing large amounts into a bank account must disclose where the money came from. In the U.S., for example, a bank must notify FinCEN, the bureau of the Treasury that deals with financial intelligence and AML, if a customer carries out a transaction or series of transactions of more than $10,000 in cash.
Criminals have long circumvented such rules by enlisting human "mules" to move physical money around in small quantities. But that is changing, according to Tobon.
"Criminal organizations that in the past would utilize money mules are now shifting to using prepaid cards," he said.
Grey areas
None of this is lost on regulators and lawmakers in their ongoing effort to fight financial crime. Within the European Union, for example, the Fourth Anti Money Laundering Directive prohibits the loading of anonymous debit and gift cards with more than €250 at a time, an amount that will fall to €150 later in 2020.
But loopholes and stumbling blocks remain.
For example, moving more than $10,000 in cash or other monetary instruments across a U.S. border without declaring it — and with specific intent to conceal it from authorities — is a criminal offense, carrying a maximum jail sentence of five years under the Bank Secrecy Act. Prepaid cards are not considered monetary instruments under the act. But according to Homeland Security's Tobon, they should be, as this would empower law enforcement to crack down on cross-border smuggling, he said.
In the U.S., senators across both main parties have been trying for over a decade to introduce a law requiring prepaid cards loaded with over $10,000 to be reported at border crossings. Chuck Grassley, a Republican senator and chairman of the Senate Finance Committee, most recently reintroduced the bill in June 2019, but it has made no further progress.
A gift to criminals?
Criminologists and other fraud experts are also keeping close watch on another form of prepaid cards — gift cards, such as those from Apple and Google.
In the U.S., more than 38,000 reported crime cases in 2019 involved gift and other prepaid cards, accounting for $103 million of losses, up from $77.9 million a year previously, according to U.S. Federal Trade Commission data.
"Scammers are always looking for an easy way to make a fast buck. ... Gift cards are attractive to scammers because they can stay anonymous and get the money quickly," an FTC spokesperson said in an email. "Once they get their hands on a gift card [PIN], it's very difficult for the consumer to reverse the transaction."
Of late, that has meant scammers trying to take advantage of the coronavirus crisis. Several government departments and civil society organizations in the U.S. have warned the public to be wary of criminals demanding payment via gift card for bogus charity donations, medical equipment or requests for a deposit in order to "maintain" social security checks.
After getting hold of the unique numbers on the gift cards, scammers typically sell them at an attractive discount on resale or auction websites.
Apple's iTunes gift cards accounted for the highest number of reported scams in 2018, at 23.7%, followed by Google Play at 18.3%, the FTC said. The government agency could not comment on why gift card fraud has increased but said that the figures were based on reported incidents only and that the full scope of the problem could be greater.
A
It is not just a U.S. phenomenon. Action Fraud, the U.K. police's fraud and cybercrime reporting division, said it received 11,329 reports of fraud involving iTunes gift cards between April 2015 and March 2018, with some £6.6 million lost as a result. Individuals affected by the scam lost £579 on average.
For a Toronto-based money-laundering and financial crime expert, gift card fraud struck close to home when her 70-year-old mother-in-law lost C$10,000 to scammers pretending to be tax authorities demanding quick payment of an outstanding tax bill.
The expert, speaking to Market Intelligence on condition of anonymity, described how her mother-in-law, who has a cognitive disability, was threatened and bullied into making multiple trips to supermarkets and drug stores over several weeks to purchase at least 30 gift cards.
"Even when she said that she would talk to my husband and me because we understand finances, the scammer told her that she should not do that because we would be ashamed of her," said the expert, who contacted Apple upon learning about the scam, relaying the numbers for all the approximately 30 gift cards involved.
The fraud expert would soon discover how deeply flawed the security around prepaid cards is. Not only was Apple unable to retrieve any of the money, but the police also failed to find leads that could help them pursue the case.
"If someone had forced my mother-in-law at gunpoint to withdraw funds, the police would have investigated [the case]. ... But when there is no violence, a fraud [or] theft of C$10,000 just isn't something that they have the resources or inclination to pursue," she said.
"Maybe [the victim's] bank could also have noticed these transactions of thousands of dollars at different stores across the city and put a hold of some sort on her account, because they were certainly outside of her normal activity."
Corporate vigilance?
Banks are limited in what they can do to protect consumers when it comes to gift card fraud, according to a spokesperson from Barclays PLC.
While a bank statement provides general transaction information, such as the amount paid and identity of the retailer, it does not show what was bought, making it impossible to identify multiple gift card purchases, the spokesperson said.
In terms of the supermarkets and other shops that sell the cards, some have policies aimed at curbing gift card fraud. For example, they can limit the number of cards sold to an individual in a single transaction and staff training can help spot and prevent unusual buying habits.
As for the gift card issuers, neither Google nor Apple responded to requests for comment from Market Intelligence. However, various fraud experts have no shortage of ideas of measures they could be taking beyond carrying warnings about the scams on their websites.
John Breyault, vice president for public policy at the National Consumers League, a Washington, D.C.-based consumer rights nonprofit, said Google collaborated with the league to roll out a fraud alert campaign about scammers using Google Play gift cards in late 2019.
Breyault would like to see other measures, such as more prominent warnings on gift card packaging, as well as changing public policy limiting consumer liability in the event of fraud, similar to the limited or zero liability consumers have with respect to credit card fraud. Current measures, he said, mean the companies appear to have "placed all of the responsibility on the consumer" to eradicate the problem.
In addition, Apple and Google could insist that card users' smartphones validate cards and codes, said Keith Furst, managing director of New York-based Data Derivatives, a consultancy company specializing in fighting financial crime.
"In other words, it would be harder for scammers to simply use the code by itself to redeem gift cards. The redeemer would physically need the card with the code in hand and [artificial intelligence] could help identify fakes," Furst said.
"These steps are doable, but would drive up the costs for the tech giants."
The challenge for Apple and Google is to find a way to increase antifraud enforcement "without changing the nature of gift cards," said David Glance, director of the University of Western Australia's Centre for Software and Security Practice. He added that the anonymity component could be scrapped by creating an account or profile linked to the card.
Crypto crime
The prospect of tougher laws does not appear to have dampened the enthusiasm to push the boundaries of prepaid cards. This includes introducing new prepaid cards using cryptocurrencies from platforms such as Bitcoin, Ethereum and Ripple.
Roughly 30 crypto debit card products are available worldwide, according to U.K.-based McKay Research. Among the issuers rolling out such cards over the past year or so are Singapore's Tenx Pte. Ltd., the U.K.'s Wirex Ltd and Monolith, and BitPay Inc. in the U.S.
Their cards enable cryptocurrencies to be converted into a fiat currency to buy goods and services in shops where Visa and Mastercard are accepted. The amount of a purchase is deducted from the holder's virtual wallet at a conversion rate based on the value of the cryptocurrency at the time of sale.
Alongside this innovation, however, sits another opportunity for criminal abuse of the cards, notably by converting "dirty" cryptocurrency earned via illicit activities into fiat money.
"The ease with which these card services allow crypto to be exchanged for goods and services can make them a target for cybercriminals, fraudsters and other illicit actors seeking to turn illicit crypto proceeds into 'clean' purchases of everyday items," David Carlisle, head of community at global cybersecurity consultancy Elliptic, said in an email.
Crypto cards were among items seized by Spanish police in the bust of a major cybercrime gang in 2018, according to Europol. The gang was allegedly behind the Carbanak and Cobalt cyberattacks, which infected with malware the internal networks of over 100 financial institutions in more than 40 countries, enabling the fraudsters to siphon off money via ATM withdrawals and fund transfers.
The gang stole up to €10 million per attack in a global operation that is estimated to have cost the financial services industry some €1 billion.
Unregulated and anonymous
Unregulated and traded anonymously, cryptocurrencies play a key role in criminal activity on the so-called dark web. An estimated $76 billion of illegal activity annually involves bitcoin — accounting for nearly half of all bitcoin transactions, according to a 2018 paper from the University of Sydney.
"The level of technical and financial skill needed to convert 'dirty' cryptocurrency into fiat money is greatly lowered by these debit cards," said Rolf van Wegberg, a criminologist and researcher in the faculty of technology, policy and management at Delft University of Technology in the Netherlands.
Although most prepaid crypto cards require applicants to provide a photo ID and personal information, van Wegberg said criminals appeared to have gotten around these requirements by supplying fake or incomplete personal details to enable a sale.
Such lapses and abuse could hypothetically land payment networks such as Visa and Mastercard in hot water given regulators' focus on AML and know-your-customer, or KYC, procedures. Western Union Co. paid more than $600 million in combined settlements in 2017 and 2018 to various U.S. regulators for failing to crack down on agents who were abetting scammers, and fellow money transfer company Moneygram handed over $125 million to the U.S. Justice Department for fraud and AML shortcomings.
Payment network operators could similarly fall foul of regulators if a prepaid crypto card company using their network were found to have facilitated crime, van Wegberg said.
However, a Mastercard spokesperson said in an interview that the company has appropriate controls in place and that, "Where a cryptocurrency is converted into fiat, it is done separately by the program manager or a third party, outside of our systems. Mastercard has no involvement in that process and our anti-money-laundering and know-your-customer requirements are applicable to all program managers who issue cards with us."
Visa did not respond to a request for comment.
Prepaid crypto card companies contacted by Market Intelligence, including Wirex and Tenx, also said they have thorough know-your-customer processes in place, as well as robust mechanisms to alert them to potential money laundering, making the cards as safe as, if not safer than, traditional banking cards.
"We receive alerts if transactions are originated from or involve dark web transactions or known wallets that have such connections; we can tell if a digital wallet contains previously reported stolen crypto, even if it is just $1 of value," said Matias Lapuschin, a spokesperson for Crypterium Ou, an Estonia-based mobile payments company, which launched a crypto card in 2019.
"Could a bank do the same thing with the money paid in over the counter? Of course not."