Emerging payment methods, including peer-to-peer (P2P) applications, have been widely adopted by American consumers. Unfortunately, perpetrators of human trafficking (HT) have also adopted P2P payments.
HT is the exploitation of a person through force, fraud or coercion, for forced labor or commercial sex, or the exploitation of a minor by causing the minor to engage in commercial sex.1 Human traffickers use P2P to collect, move and launder funds, while consumers of sex trafficking use P2P apps to pay for services.
Banks need to be aware of how P2P HT payments may flow through their institution and how to identify potential P2P HT transactions.
How Do P2P Transactions Work?
The Office of the Comptroller of the Currency (OCC) Payment Systems Handbook explains:
“A P2P payment provider offers customers a digital wallet, which is funded by a payment card or bank account. The funds transfer is processed through a card network or [automatic clearing house (ACH)] network, and funds are settled as a typical card or ACH transaction….
To withdraw funds from the digital wallet, a customer initiates a transfer, which is processed through a card network or ACH network.”2
While P2P platforms are often referred to as an alternative to banks, funding and withdrawal P2P transactions are processed and settled through traditional finance networks. A 2022 Consumer Reports survey found that consumers’ source of funds in a P2P account was 51% from a linked checking account, 26% from a debit card and 9% from a credit card.3
Nacha (formerly the National Automated Clearing House Association), the operator of the ACH network, reports that P2P payments relying on the ACH network grew from slightly more than $77 billion in 2015 to $570 billion in 2023, as shown in Graphic 1.4
Graphic 1: P2P Payments by Dollar Value
Source and visualization by: Nacha5
Meanwhile, transfers between customers within the P2P app are executed by the platform. Customers can transfer funds in a P2P digital wallet to other platform users using a phone number, email address or other unique identifiers. Common P2P payment solutions (e.g., Venmo, CashApp and Apple Pay) and consortiums (e.g., Zelle) generally use a directory of accounts and associated phone numbers or email addresses.6
While P2P platforms themselves have meaningful exposure to HT risk, this article will focus on the risks posed to banks through P2P transactions.
ACH and HT Risks
The OCC Payments Handbook and the Federal Financial Institutions Examination Council Bank Secrecy Act exam manual enumerate risks posed by ACH that potentially have a nexus with HT transactions.
- The bank may lack either ACH reviews or comprehensive reviews and does not test for compliance with regulatory requirements and network rules.
- Batch processing by the bank can obscure the identities of originators.
- Lack of information sharing on or about originators and receivers inhibits a bank’s ability to appropriately assess and manage the risk associated with correspondent and ACH processing operations, monitor for suspicious activity and screen for Office of Foreign Assets Control compliance.
Case Study: TD Bank, P2P and HT
The risks to banks from P2P HT payments are not hypothetical. The October 2024 multi-agency enforcement action against TD Bank demonstrates the necessity of properly monitoring P2P payments regarding HT.
In announcing the $1.3 billion dollar penalty, the Financial Crimes Enforcement Network (FinCEN) found that “TD Bank’s processing of peer-to-peer transactions (e.g., Venmo and Zelle), including transactions indicative of human trafficking, was insufficient, and as a result, TD Bank failed to identify and timely report these transactions to FinCEN.”7
TD Bank’s HT-related failures centered around two issues.
First, FinCEN found that TD Bank’s monitoring system lacked the transaction codes necessary to monitor 98% of domestic ACH transactions. Since P2P transactions are often processed as ACH transactions and due to the lack of domestic ACH monitoring, TD Bank did not examine P2P ACH transactions through platforms such as Venmo or PayPal.8
Moreover, TD Bank did not create the transaction codes necessary to monitor P2P platforms. Therefore, Venmo, PayPal, CashApp, Apple Pay, Facebook Pay (now Meta Pay) and Google Pay were lumped together with other ACH transactions.9
Secondly, FinCEN found that TD Bank incorrectly set transaction monitoring thresholds for P2P transactions through Zelle. Despite anti-money laundering (AML) staff requesting unique transaction monitoring scenarios be implemented for Zelle, the bank instead reused scenarios developed to monitor debit card transactions.10 When the bank later applied velocity scenarios to Zelle transactions, TD recycled scenarios designed for wire activity which FinCEN described as “not fit for purpose.”11
Here's why the Zelle transaction monitoring scenario was inadequate:
Zelle had a daily transaction limit of $2,500 and a rolling 30-day limit of $10,000. However, the velocity scenario would only alert when a personal account received $10,000 or more in five business days or sent $9,000 or more in five business days. FinCEN noted that the disconnect between the P2P product’s transaction limits and the transaction monitoring scenario “would not reasonably mitigate the risks associated with Zelle.”12
P2P HT Red Flags
The TD Bank FinCEN consent order provided an example of suspicious activity that was indicative of HT and processed, in part, through P2P transactions. A purported HVAC company, in the span of nine months, had more than 1,000 P2P transactions. The total suspicious activity in the account during the period was $3.5 million. However, the customer due diligence for the company reported an annual sales revenue of only $500,000.
FinCEN emphasized contextualizing the voluminous P2P transactions with other suspicious transactions, such as purchasing flight tickets to high-risk jurisdictions, hotels, multiple mobile phone providers and ATM withdrawals in multiple countries.
Lessons Learned
TD Bank was not alone in the insufficient monitoring of ACH rails. For example, Thread Bank was ordered by the Federal Deposit Insurance Corporation to implement a process “to monitor transactions for potential suspicious activity, including ACH transactions.”13 Banks’ lack of scrutiny of ACH transactions may be explained by the historical but perhaps outdated assumption that domestic ACH transactions are lower risk.
With P2P, financial technology and banking-as-a-service growing yet relying on traditional financial rails, including ACH, debit or card networks, banks’ assessment of the AML risks posed by those products should also evolve.
How to Apply Lessons Learned
- Assign transaction codes to P2P transactions to distinguish and analyze P2P apart from other ACH, credit or debit card transactions.
- Develop and apply monitoring scenarios specific to P2P products.
- Set appropriate dollar thresholds for P2P transaction monitoring.
- Examine customers whose business or occupation does not warrant the volume or nature of P2P transactions.
- Evaluate P2P transactions in context with other account transactions (e.g., cash, high-risk businesses or jurisdictions) to detect potential transactions indicative of HT.
Conclusion
P2P payment methods have been enthusiastically adopted by consumers—and by perpetrators of HT. Financial institutions may face exposure by rotely applying traditional transaction monitoring and risk assessments without accounting for the evolving use of ACH, debit cards and card networks in P2P payments. By understanding the touch points of P2P payments within a bank, and by specifically and appropriately monitoring for unusual P2P transactions, banks can help turn the tide against HT facilitated by emerging payments.
Alison Jimenez, CAMS, president/founder, Dynamic Securities Analytics, Inc. ajimenez@securitiesanalytics.com,
- “Trafficking: Use of Online Marketplaces and Virtual Currencies in Drug and Human Trafficking,” U.S. Government Accountability Office, February 2022, https://www.gao.gov/assets/gao-22-105101.pdf
- “OCC Payment Systems Handbook, Version 1.0,” Office of the Comptroller of the Currency, October 2021, https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/payment-sys-funds-transfer-activities/pub-ch-payment-systems.pdf
- “Peer-to-Peer Payment Services,” Consumer Reports, January 10, 2023, https://advocacy.consumerreports.org/wp-content/uploads/2023/01/P2P-Report-4-Surveys-2022.pdf
- “ACH Network Volume and Value Statistics,” Nacha, https://www.nacha.org/content/ach-network-volume-and-value-statistics
- Ibid.
- “OCC Payment Systems Handbook, Version 1.0,” Office of the Comptroller of the Currency, October 2021, https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/payment-sys-funds-transfer-activities/pub-ch-payment-systems.pdf
- “FinCEN Assesses Record $1.3 Billion Penalty Against TD Bank,” Financial Crimes Enforcement Network, October 10, 2024, https://www.fincen.gov/news/news-releases/fincen-assesses-record-13-billion-penalty-against-td-bank
- “FinCEN Consent Order Number 2024-02—In the Matter of: TD Bank, N.A. and TD Bank USA, N.A.,” Financial Crimes Enforcement Network, p. 25, https://www.fincen.gov/sites/default/files/enforcement_action/2024-10-10/FinCEN-TD-Bank-Consent-Order-508FINAL.pdf
- Ibid. pp. 22, 26.
- Ibid. pp. 27.
- Ibid. pp. 27.
- Ibid. pp. 28.
- “FDIC Enforcement Decisions and Orders,” Federal Deposit Insurance Corporation, https://orders.fdic.gov/s/press-release-orders?prYear=2024&prDate=28&prMonth=6