Modern scamming operations across the world are highly organized and possess deep technological expertise and international capabilities, presenting unprecedented challenges for law enforcement agencies and financial institutions. To prevent being regularly exploited by these organizations to move embezzled funds, banks must make full use of Article 8 of the Fraud Crime Hazard Prevention Act.

According to the 2024 annual report of the United Nations Office on Drugs and Crime (UNODC), international fraud, alongside human trafficking, the drug trade, terrorist financing, and cybercrime, constitute Transnational Organized Crime (TOC). Criminal organizations no longer commit fraud haphazardly, but rather through “Crime-as-a-Service” (CaaS), forming international criminal networks, who avoid the prying eyes of regulators and conceal their cash flows by exploiting international financial systems, accessing black-market financial networks, and transacting in cryptocurrency.

Additionally, a new report published by blockchain analysis firm Chainalysis indicates that cryptocurrency has become the cornerstone of international fraud. Offshoots of the crypto paradigm including decentralized finance (DeFi), cross-chain trading, and stablecoins allow criminal conglomerates to engage in money laundering, making it nearly impossible for authorities to trace their cashflows and transaction history.

The UNODC report reveals numerous significant trends related to the increase in organization of global fraud. First, Southeast Asia has become a hotbed of fraud, most prominently in Myanmar, Cambodia and Laos. These countries have all established Special Economic Zones (SEZ) in the hopes of boosting economic growth, which have instead become the base of operations for massive scam conglomerates.

Second is the advent of generative AI technology, and its integration within the scamming model. Scammers can now use deep-faked audio in combination with AI-generated images to pass off as customer service agents at the target’s bank, or public officials, inciting large-scale disinformation to achieve their goals. Additionally, scammers use social media to credibly impersonate accounts, including celebrities and financial institutions, to promote fraudulent ads or to deceive victims into giving up their personal information.

Moreover, cryptocurrency and blockchain technology also enable financial crime. Many of these organizations launder their ill-gotten gains using currencies like Tether and Bitcoin, making it significantly more difficult for investigators to trace these funds. In fact, many virtual asset exchanges, which have historically been able to avoid regulation, have been ousted as knowingly laundering money for criminal organizations. These organizations engage in short-term exchange of various digital assets, concealing their overall capital flows. This year, Taiwan is set to institute new regulations for these virtual exchanges, another issue that requires the close attention from financial institutions.

While fraud does not operate in Taiwan at the same scale as in some South-East Asian countries, with dedicated campuses, it still runs rampant, and organizations continue to upgrade their capabilities. Statistics from the Financial Supervisory Commission (FSC) indicate that although the quantity of suspicious bank accounts continues to increase, under current regulations, banks can only take passive measures in response. After receiving permission from the FSC, they can attempt to freeze these accounts, but the threat actors have often long transferred their funds to “mule accounts” across many other banks. As these mule accounts are already controlled by the scammers, victims are unlikely to report them to authorities. Consequently, they won't be flagged as suspicious, allowing scammers to continue operating freely outside the law. Despite this, strong blame cannot be placed on banks, as before fraudulent accounts are reported by victims, they rarely engage in abnormal activity that would flag them as suspicious.

However, when scammers engage in cross-bank transfers, in which cash flows rapidly cascade into many different mule accounts, it becomes possible for banks to connect these transfers and flag them as abnormal. First, they can use a graylist approach to combine analysis of designated accounts with other indicators to thoroughly block intermediary mule accounts. To proactively identify suspicious designated transfer accounts and block illicit financial flows, the FSC requested the Financial Information Service Company (FISC) to establish a graylist reporting platform for designated incoming transfer accounts.

On this platform, which was launched in 2024, upon receiving an application for a designated transfer account, the originating bank immediately transmits a cross-bank “designated incoming account number” to the receiving bank. That bank then queries the originating bank about the risk threshold and status of that account (such as suspicious or derivative control account), allowing both banks to jointly manage the risk of online designated transfer account transactions, enabling readily identification of potential risks and protective measures, including timely reminders for customers. Through the graylist mechanism, the receiving bank identifies suspicious designated transfer account patterns, continuously monitors the account, and handles the situation according to its own risk control mechanisms.

For example, when a customer requests a designated transfer account at another bank as a beneficiary, through this mechanism, both the originating and receiving banks can detect that the beneficiary account has rarely been designated in the past, but has been designated for multiple scheduled transfers from other accounts in a short time period, indicating potential suspicious activity. In this case, the originating bank can reach out to the customer to prevent them from proceeding with the designated transfer, thus avoiding potential fraud. The receiving bank can also flag this as a suspicious account for continuous monitoring, enabling early detection of illegal activities.

As of the end of July 2024, FSC statistics show that originating banks implemented customer care measures in 34,999 cases. Among these, 8,236 designated transfer setups were cancelled after the care measures were taken, resulting in 23% effectiveness in preventing outgoing designated transfers. However, current efforts are limited to providing care and dissuasion for originating accounts setting up designated transfers, with no active handling of receiving accounts – a conservative approach which only achieves half its potential. In addition to the common risk thresholds shared among banks on this platform, banks should also cultivate their own judgment and execution in determining and handling cases, without over-relying on the gray list mechanism. For example, if a receiving account is constantly being designated, or if a receiving account consistently exhibits high-risk characteristics such as multiple large rapid in-and-out transactions within a single day, and complete deposits and withdrawals, the bank can take proactive action.

Article 8 of the Fraud Crime Hazard Prevention Act empowers banks to take proactive action against suspicious accounts. The first paragraph of this provision stipulates that financial institutions should exercise their duty of a good administrator with respect to savings accounts. To address suspicious savings accounts suspected of engaging in fraud, banks should pursue robust and continuous identity verification, as well as temporary complete or partial suspension of deposits, withdrawals, transfers, and remittances. Some financial institutions have been given expressed authority to take even stronger action against suspected scammers, including implementing Know Your Customer (KYC) identification standards, and additional identification verification requirements for high-risk accounts.

In fact, many of these measures are expressly stipulated in Article 16(1) of the Regulations Governing Fraud Crime Hazard Prevention by Financial Institutions and Businesses or Personnel Providing Virtual Asset Services, which was authorized by the FSC Fraud Crime Hazard Prevention Ordinance. That article was put in place at the end of July 2024, but so far, only a small number of banks have used their new authorization to take active action against scammers.

Additionally, banks should strengthen cooperation and freely share information regarding abnormal accounts. No single bank can fully restrict the cash flows of scammers, as they often employ multiple layers of mule accounts and cross-bank transfers to shirk investigation. Therefore, in addition to collaboration on a graylist mechanism, banks must also make full use of the authority entrusted to them by the FSC in the above legislation to form a multi-bank coalition.

In accordance with the Regulations Governing Fraud Crime Hazard Prevention by Financial Institutions and Businesses or Personnel Providing Virtual Asset Services, information sharing is restricted to banks, not including the virtual asset industry. Therefore, if banks identify suspicious outflows into virtual assets, under the current law, they cannot exchange this information with the platforms hosting said assets – a potential policy shortfall yet to be addressed.

The landscape of fraud has undergone a fundamental shift, evolving into more organized and technologically sophisticated global schemes which increasingly overwhelm traditional prevention methods. Should Taiwan’s banking sector maintain an overly cautious response, effectively intercepting illicit financial flows will prove challenging, potentially exposing them to heightened risks and accusations of lax enforcement. Only by embracing technology, fostering robust cross-bank collaboration, and through enhanced proactive enforcement, can banks truly fulfill their crucial role as stewards of the public’s funds.

The author is President of The Institute of Internal Auditors-Chinese Taiwan