Illicit proceeds are routed into legitimate payment flows via merchant accounts or gateways, commonly under false pretenses. By mixing criminal funds with genuine customer transactions, adversaries add opacity to payment records, making it difficult for financial institutions to isolate the illicit portion. In some cases, the merchants themselves are unaware of these unauthorized deposits. Criminals also exploit third-party payment processors (TPPPs) and other payment processing service providers that connect merchants to payment networks for transaction authorizations and settlements. By aggregating multiple merchants’ transactions into a single account or opening an account under a merchant’s name without the merchant’s knowledge, they obscure the true ownership and nature of suspicious transactions, complicating detection and tracing by financial institutions. In certain instances, smaller amounts are funneled repeatedly into these accounts to avoid detection thresholds, expanding the overall volume of blended funds en route to fraudulent merchants or front entities. This commingling not only frustrates investigators’ ability to pinpoint and freeze illicit flows but also leverages the high-traffic environment of legitimate business pipelines to conceal the origin and ultimate destination of criminal proceeds.
Undisclosed Payment Aggregation
Tactics
By blending illicit proceeds with legitimate payment flows across merchant accounts and gateways, criminals create transactional complexity that hinders the ability of financial institutions and investigators to trace funds back to their origin.
Risks
By opening or misusing merchant accounts—sometimes without the legitimate merchant’s knowledge—criminals exploit weaknesses in verifying the true customer or beneficial owner. This misrepresentation conceals the actual parties behind illicit funds, undermining AML checks intended to link transactions to genuine identities.
This technique primarily exploits payment aggregators, gateways, and sub-merchant models to commingle illicit proceeds with legitimate transactions. Criminals leverage these high-volume channels—often unmonitored or poorly segmented—to mask the true source of funds, making it difficult for financial institutions to identify or isolate suspicious flows.
Indicators
Significant mismatches between the merchant’s declared business model and actual transaction descriptions processed through the payment gateway (e.g., items or services outside the stated scope).
Significant increases in settlement payments compared to the merchant’s historical transaction volumes or industry benchmarks, lacking corresponding sales or invoice records.
Sustained patterns of small, repetitive incoming transactions from numerous payer accounts with no legitimate business rationale, inconsistent with the merchant’s stated goods or services.
Merchant receives funds from payers not listed in any documented client, vendor, or partner records, reflecting absence of a lawful business relationship.
Frequent or abnormally high refunds or credits exceeding normal industry benchmarks, suggesting cyclical flow of funds in and out of the merchant’s account.
A merchant or payment processor account is opened using a merchant’s identity without the merchant’s knowledge or authorization, indicating potential identity misuse.
Single aggregator or TPPP settlement account commingles transactions from multiple unrelated merchants, lacking clear sub-account separation to trace individual merchant proceeds.
Data Sources
- Documents the normal range and frequency of product or service usage (e.g., transaction size, refund rates) under typical merchant conditions.
- Highlights anomalies such as unusual spikes in refund or credit activity and repetitive small incoming payments without legitimate rationale.
- Enables investigators to spot funneling or structuring tactics designed to commingle illicit proceeds with normal merchant transactions.
- Provide comprehensive records of transactions, including deposit amounts, timestamps, payer/recipient details, and transaction identifiers.
- Enable detection of suspicious patterns, such as sudden settlement spikes, repetitive small-value deposits, or the commingling of multiple merchants’ funds into a single TPPP/aggregator account.
- Support uncovering unusual refund or credit activities indicative of illicit mixing of proceeds.
- Contains operational data on a merchant’s declared products, services, and revenue streams.
- Helps investigators compare a merchant’s stated business model against actual transactions, identifying mismatches that may signal unauthorized or illicit deposit activity.
- Supports validation of declared sales volumes, preventing criminals from hiding illegal fund flows under legitimate business operations.
- Consolidate verified identities, beneficial ownership details, authorized signatories, and risk profiles for merchants and associated accounts.
- Facilitate the detection of unauthorized or fraudulent merchant account openings and identity misuse, particularly in cases where criminals open TPPP or merchant accounts without legitimate consent.
- Enable cross-referencing of payers with approved client lists and verify business relationships, exposing suspicious funds lacking lawful connections.
- Provide official records of registration details, shareholders, directors, and beneficial owners, which are crucial for verifying legitimate control over merchant entities.
- Help validate or refute claimed relationships between payers and the merchant, revealing shell companies or hidden ownership structures used to obscure illicit proceeds.
- Aid in tracing beneficial ownership when criminals open aggregator or merchant accounts under false pretenses to conceal the true recipients of funds.
Mitigations
Subject aggregator or TPPP accounts to stringent vetting by verifying operating licenses, sub-merchant agreements, and beneficial ownership details. Ensure each merchant has explicitly authorized the aggregator, and periodically reassess account records to detect hidden relationships or identity misuse. This heightened scrutiny uncovers unauthorized or falsified aggregator setups masking illicit funds.
Implement targeted monitoring rules for aggregator or TPPP settlement flows by flagging recurring small deposits from multiple unrelated payer accounts, abrupt spikes in transaction volumes departing from historical baselines, or payments inconsistent with the declared merchant business model. By analyzing transaction narratives, merchant identifiers, and payer details, institutions can detect undisclosed commingling or unauthorized aggregator activities.
Require formal AML clauses and strict operational transparency from all aggregators or TPPPs, demanding proof of sub-merchant disclosures and clear separation of funds. Conduct ongoing due diligence on third-party providers to confirm compliance with transaction tracking, preventing cryptic payment flows or unauthorized accounts from blending illicit funds with legitimate transactions.
- Deny or curtail payment processing services when aggregators or TPPPs fail to provide full sub-merchant details or substantiate legitimate transaction commingling.
- Freeze or block accounts immediately upon evidence of unauthorized merchant identity usage, halting additional undisclosed funding flows.
Continuously review aggregator or TPPP transaction patterns against each merchant’s declared business model. Closely observe any sudden growth in settlement volumes or shifts in transaction characteristics. Request updated merchant agreements and supporting documentation when unusual activity is detected, ensuring consistent visibility into aggregators’ evolving payment flows.
Instruments
Criminals exploit these accounts—often opened or used without the genuine merchant’s knowledge—to channel illicit funds through normal customer payment channels. By routing unauthorized deposits into legitimate transaction flows, they mix criminal proceeds with genuine sales, making it difficult for financial institutions to isolate suspicious activity. In aggregator or sub-merchant models, multiple merchants’ funds are collectively settled into a single account, further obscuring the true origin and beneficial owners of the illicit portion. Repeated small-sum transactions remain below typical detection thresholds, effectively hiding illicit funds among legitimate revenues.
Service & Products
- Criminals open or misuse accounts at third-party payment providers (TPPPs), sometimes without the genuine merchant’s awareness, to process unauthorized transactions.
- Aggregating multiple merchants’ funds into unified settlement accounts obscures beneficial ownership and complicates detection of illicit activity.
- Criminals exploit payment processing channels to funnel illicit proceeds into legitimate transaction flows, mixing criminal funds with authentic sales.
- By leveraging aggregator or sub-merchant models, they conceal the true source of funds and complicate oversight, allowing seemingly normal transactions to mask fraudulent deposits.
- Fraudsters impersonate or misuse merchant accounts, processing illicit funds under the guise of normal business sales.
- Legitimate merchants may be unaware their accounts are receiving unauthorized deposits, enabling repeated layering of illicit proceeds among real customer transactions.
Actors
Illicit operators knowingly funnel criminal proceeds into legitimate payment flows by:
- Opening or misusing merchant accounts and aggregator models to blend illicit funds with genuine customer transactions.
- Structuring deposits or splitting them into smaller increments below detection thresholds.
This practice obscures the true origin of funds and hampers financial institutions in identifying suspicious activity or freezing illicit flows.
Shell or front companies receive blended proceeds from undisclosed payment aggregation by:
- Appearing as legitimate entities to which repeated transfers are made from aggregated merchant accounts.
- Obscuring the final recipients, complicating beneficial ownership checks and investigations.
Financial institutions struggle to trace the true purpose of these transactions when front entities pose as legitimate businesses.
Payment service providers connect merchants to payment networks and handle transaction settlements. Criminals exploit these providers by:
- Using aggregator or sub-merchant setups to combine multiple merchants’ payments into single accounts.
- Mixing unlawful transactions with legitimate sales volumes, making it difficult for financial institutions to detect anomalies.
This aggregation model conceals the ultimate source of funds within routine settlement flows.
Merchants, whether complicit or unaware, become conduits for laundering illicit proceeds by:
- Having unauthorized deposits channeled through their accounts, intermingling legitimate customer payments with criminal funds.
- Allowing criminals (knowingly or unknowingly) to open aggregator or sub-merchant accounts in their name, masking beneficial ownership.
Financial institutions face difficulty distinguishing illicit inflows when these payments appear as normal business transactions.
References
Financial Action Task Force (FATF). (2023, October). Crowdfunding for Terrorism Financing. FATF. https://www.fatf-gafi.org/en/publications/Methodsandtrends/crowdfunding-for-terrorism-financing.html
FinCEN (Financial Crimes Enforcement Network). (2014, May 28). Update on U.S. currency restrictions in Mexico: Funnel accounts and TBML. FinCEN. https://www.fincen.gov/resources
Department of the Treasury. (2024, February). 2024 National Money Laundering Risk Assessment. Department of the Treasury.https://home.treasury.gov/system/files/136/2024-National-Money-Laundering-Risk-Assessment.pdf