WHEN CRIMINALS TAKE OVER OUR BANK ACCOUNTS
Criminal syndicates are increasingly bold and ingenuous in their attack on your bank account.
As a matter of common sense, we do not allow our bank account to be used by strangers. Too bad this is exactly what happens, and the statistics are unnerving. Increased reports of online scams in various permutations : love scams, macau scams, etc just remind us of the weakness of the system; the weak link being the human being in the security chain.
If you allow other people to use your bank account, you will be held liable if they use your account for illegal purposes. Broadly, there are 2 ways you can be caught in such a situation:
(1) Knowingly allowing other people to use your account.
a. Shady persons offer quick money to “rent” your bank account. They may inform you that they need to use your account because their account has been blacklisted, or they are a foreigner who desperately needs a place to receive their income. For people who need quick money, renting out their account is an attractive proposition.
b. Some unethical moneylenders (licensed or otherwise) may require your ATM card as a security, together with your password, used for reasons that may or may not be obvious to you.
c. There are people who offer to buy your active ATM cards /active accounts on social media.
(2) Unknowingly your account is used by irresponsible persons.
a. By some sophisticated methods, phishers may obtain your access code and use your bank account, especially if they see that your account is inactive or that you seem unattentive about transactions of your account.
b. You lose your ATM card or it is stolen, and the thief has access to your account because your password was found together with the ATM card. And you did not bother to block the account because you did not care for it.
The distinction above between knowingly and unknowingly relates to the legal concept of intention or mens rea, and goes to the your defence, discussed at “Legal Defences” below.
This conduct falls within an offence punishable under Section 424 of the Penal Code, which is punishable with imprisonment for up to 5 years or with fine or with both. You could also be exposed to a civil claim from the victim, who might think that you conspired with the scammers. In any event, your account facilitated the commission of the offence, regardless of your degree of involvement or lack thereof.
Social Engineering
An important concept for this discussion is “social engineering”, which in this context has nothing to do with nation-building. Social engineering means a method used by criminal syndicates to manipulate you into giving them access to your bank account. Members of the criminal organisations impersonate trustworthy organisations such as banks, police, inland revenue board or other authority, and put you in fear so that you will give them access and do their bidding (i.e. give them control over your account). Knowing that their unlawful activities are gaining public notoriety, criminal syndicates would not merely pose as police officers or bank staff, but will spoof credible-looking phone numbers, make you voluntarily install dangerous apps into your mobile device used to obtain your passwords and then compromise your e-banking account.
Why are owners of Bank Accounts liable for its use in criminal activity, but not owners of vehicles or houses? Vehicles and houses are used in criminal activities too.
It is intriguing that registered vehicle owners whose vehicles were used in drug trafficking by third parties, are not themselves prosecuted for facilitating drug trafficking (from my own observation and 15 years’ experience with criminal matters). House owners who let their homes to tenants are not prosecuted for drug trafficking if the tenants are so prosecuted. At most, the police seize the vehicle (until released under Section 413 of the CPC or other similar mode) or cordon the premises (momentarily) – the owners are at most called as prosecution witnesses to confirm that they have no knowledge of the drug trafficking and they only knew the users of their vehicle or their tenant as no more that users and tenants.
In my view, the role of a car owner or house owner is comparable to a bank account owner. Criminals want what these 3 owners have but the benefit and emphasis differs. For a vehicle, the benefit is mobility. For the house, the benefit is security. But for a bank account, the benefit is identity; not the account per se because it is not terribly difficult to open one.
Identity is a unique “asset” which allows a criminal to distance himself from a criminal allegation in a special way. Not only does it deflect the bite of a particular pleaded in a charge sheet, it forces the prosecution’s hand to produce even more evidence to justify the action against him. Some may argue that a different identity found in the evidence should be a “Fact Favourable to the Accused” and should be disclosed together with the Section 51A CPC documents.
Profile of a Bank Mule : You could be one too
Upon studying a number of research findings from several countries, Mohanamerry Vedamanikam, a manager on AML compliance with Western Union found that, “money mules are accomplices in the criminal activity as they launder illegal funds. Compared to the risk taken by the money mule, the reward is relatively low”[1]. The dynamics of these factors has provided an interesting profile of a bank mule, in line by the Royal Malaysia Police statistics from 2015-2020 that the number of bank mule accounts have increased by 8 times. The said Western Union manager found in her research, “Between December 2018 and January 2019, RMP has detained 145 individuals which was comprised of 90 male and 55 female foreign nationals and locals nationwide suspected to have allowed their bank accounts to be used by third parties. The suspects were between the age of 19 and 63 and were mostly students, retirees and drug addicts. The suspects were introduced to unknown individuals via social media sites, thereafter they handed over their ATM cards and personal identification numbers (PIN) to a syndicate, mentioned for business dealings”.
What to do if you find that your account has been compromised
#1 Record All Evidence
I have advised a victim who was not even alerted of the impugned transactions, because the criminals had somehow found a way to divert the bank’s notification to a phone number that did not belong to my client’s. He believed that this happened when the scammers duped him into downloading a suspicious app that resembled a legit Bank Negara Malaysia App (MyBNM). Again, this was a case of social engineering where the scammers posed as officers form government agencies such as the Inland Revenue Board (LHDN) and the police, contact him using spoofed phone numbers that resemble official phone numbers, and speaking patterns that simulate the behavior of official government communication. The good thing he did was he saved a screenshot of all communications and recorded a number of conversations with the scammers. This was compiled and conveyed to the police when they opened investigations into the case.
You may not even know that your personal data and passwords were compromised until it is too late.
We were informed of the following telltale signs:
a. Scammers ask for access to your bank account. In the example stated above, the scammers posed as officers from government agencies and persuaded the victim to download an app that had convincing features : the name was MyBNM, the logo looked crisp and unpixellated. However, the http address should have alerted him as it was garbled and not official-looking. But who would have known?
b. Due to the persuasiveness of the officers, and them pressing the victim for time, the victim never thought about cross-checking with mainstream references.
#2 Cross-Check with Authoritative Sources
The point of cross-checking cannot be overstated. It is of paramount importance because scammers also take advantage of the information imbalance between scammer versus victim. To level the playing field, the victim must cross-check with reliable, authoritative information sources.
On the point of cross-checking above, several years ago I was involved in the first full civil trial conducted by the Securities Commission (SC) against alleged scammers, lead by senior counsel S. Nanthabalan (now Dato’ and a Court of Appeal Judge) with a team of lawyers. The Defendants in that case were a group of individuals who worked in concert to scam over 200 persons in various parts of the country to purportedly invest in crude palm oil futures under the auspices of CIMB Futures. The case was exposed when one of the duped investors, a government servant, cross-checked by physically visiting a CIMB Branch and asked whether such crude palm oil scheme existed and whether his agent (later Defendant) was one of the authorized representatives for the said scheme. Besides the said investor, an officer from CIMB also lodged a police report.
It turned out that the whole scheme was a fraud and though the SC was successful in the civil proceedings, the victims were only able to recover part of their “invested” money. I was then tasked to attend to several meetings with the Insolvency Department to pursue the bankruptcy of the scammers. By then it was too late, because though the SC obtained a freezing order on the scam accounts very soon after initiating investigations, by then some of the invested monies were dissipated by the scammers. The SC successfully recovered some of the money and obtained a court order to restitute the victims.
#3 Report ASAP and do not Delay
Report immediately to your bank or to the police. ASAP. Before they turn up at your house with silver bracelets (that means handcuffs).
The Commercial Crimes Investigation Department (“CCID”) under the Royal Malaysia Police has provided the following:
a. “Semak Mule” portal that can be accessed by the public to check on bank accounts or phone numbers which have been linked to criminal activities.
b. Send a Whatsapp message to CCID’s info line at 013-2111222.
c. Check out the latest modus operandi of scammers at the Facebook page Cyber Crime Alert Royal Malaysia Police.
(I’m sure the CCID has made criminal syndicate-proofed such valuable information accessible above)
#4 Make sure the scammers did not leave behind dubious standing orders[2]
Some fraudsters enjoin a modus operandi which, at the time of this writing is still a novelty at this part of the world. Once the scammers gain control of your e-banking account, not only will they transfer funds out of it, but they will also set up “scheduled payments” for subsequent days to siphon out money belonging to you, or some unfortunate scam victim.
We are made to understand that scammers set up the scheduled payments because you are likely to call the bank to block the transaction on the day you discovered the suspicious activities.
Sometimes the block does not cover your entire actual savings / current account. This is because the bank does not want to block legitimate scheduled payments or other legitimate fund movements.
Therefore, if you are the victim of a fraudster and you believe he has access to your e-banking account, you should not only call the bank to block access to the account or to re-set the password. You should also request the bank to freeze the account so that there is no other payments out of it.
After your account is frozen, take stock of all your scheduled payments and report any suspicious scheduled payments to the bank, remove them, and only then do you inf-reeze your banking account to allow funds to move again.
What should you tell the police if they investigate you
Just tell them the truth – the most important thing is to do it immediately with no delay. You would need to explain yourself especially if there is a time gap between the date of the illegal transaction and the date of your report. But I believe that the police know that transactions often happen within a short span of time, so your belated explanation is still a worthwhile effort.
Scammers, illegal moneylenders, and other criminal types would use your account as a “mule” for the purpose of cheating other victims. These victims could be scammed into making a payment into the mule account. They are confident of success because a casual check would show that the account is owned by you – a legitimate person – and the victim would not bother to verify that fact. Soon after the money is received into the mule account (which is under your name), the criminal group would withdraw the scammed money (considered “stolen property” in the parlance of the Penal Code and our anti money laundering law) at an ATM machine. The CCTV recording would fail to assist investigators due to the quality of the recording or the difficulty to identify the suspects. The process of operationalising your bank account, cheating the victim, and withdrawing the money from the mule account, requires more than one individual in this conspiracy and is always well coordinated. Our financial system is fortified against criminal manipulation through numerous safeguards and countermeasures. However, even the best security features will be unable to protect victims of scammers and mules because of the human factor. Mohamad Rizal Abd Rahman, UKM law lecturer aptly describes:
“The phrase weakest link here refers to a human being. The moment a scammer manages to manipulate the victim’s emotion and interest, it will be a walk in the park to the scammer who will not have to endure painstaking hacking and cracking scheme. Bypassing the technical stage, by social engineering the victim himself will allow access.” Please refer to his article “Online Scammers and Their Mules in Malaysia”
(2020) 26 JUUM 65-72 for a discussion on social engineering.
LEGAL ELEMENTS OF THE CRIME
“424. Whoever dishonestly or fraudulently conceals or removes any property of himself or any other person, or dishonestly or fraudulently assists in the concealment or removal thereof, or dishonestly releases any demand or claim to which he is entitled, shall be punished with imprisonment for a term which may extend to five years or with fine or with both.”
Section 424 of the Penal Code is not a novel offence. It has originated mostly unamended from India’s 1860 Penal Code, existing even before radio. It appeared in the Federated Malay States Penal Ordinance of 1927, and then post-independence went through a process of revision in 1976. For your information, the current penalty for Section 424 of the India Penal Code is maximum jail 2 years or fine or both, which is more lenient than in Malaysia despite the words being virtually identical and with a common colonial origin.
Despite the long life of the provision, the broad language of the provision has allowed it to be translated into the modern online context, where this provision, seldom used in the past (past meaning, when finished I law school in the middle of the first decade of the 21st century), has enjoyed newfound prominence. Taking action under this section is too easily a vehicle of choice for investigators who are not bothered to consider whether you are also a victim of the criminal syndicate. The rise in online scams supported by the burgeoning online retail industry (including online romances) has resurrected this offence within a modern cyber-romance and cyber-scam context. Despite repeated warnings from Bukit Aman like this [https://malaysia.news.yahoo.com/bukit-aman-offence-rent-bank-214255989.html], people still get caught up in cyber romance and lulled into allowing their accounts to be used on the one hand, and allowed to be scammed on the other.
Related laws that could be connected to this conduct is Section 411 of the Penal Code for receiving stolen goods, and Section 29(1) of the Minor Offences Act 1955 for being in possession of stolen goods. At the other extreme is you could be exposed to action under the anti-money laundering provisions.
2 ELEMENTS: CONCEALED OR ASSISTED THE PROPERTY AND DISHONESTLY
“[22] The defence submitted that for an offence under s 424 of Act 574, the prosecution has to prove that the accused had concealed or assisted in concealing the property belonging to PW1 and that the accused did so dishonestly or fraudulently.”
THE PROSECUTION MUST SHOW THERE IS AN OVERT ACT
At the date of this writing, the Court of Appeal decision to Sarimah Peri v Pendakwa Raya[3] is probably the best reported judgment on point. This is how counsel argued in favour, in another case[4]:
“[24] The learned defence counsel referred to Sarimah Peri v. Pendakwa Raya [2019] 3 MLRH 568; [2019] 1 AMR 73 where the court held that for a successful prosecution under s 424, in particular if the charge is one that relates to assisting the concealment or removal of property, the prosecution must show the overt act by the accused to assist in the concealment or removal of the property and mere proving the opening of an account by an individual without more cannot tantamount to him assisting the commission of the offence.”
I am just suggesting that the Prosecution could respond to this argument by showing evidence that:
There was almost zero deposit just before the impugned receipt of victim’s money, and
The bank account was opened within a short time before the first impugned receipt.
The two factors above could be used to support a submission that the purpose of opening the said account is to facilitate the crime. To me, it’s quite damning and I imagine the court would expect the accused to explain himself. How unlucky must he be to have lost his ATM card just a day or two after he received it or soon after opening his bank account?
The DPP tendering the bank opening form containing the suspect’s handwriting and signature could also not look so good on the account holder. More so if there is a column under “Recommended by” and the person so named is either another bank mule or someone otherwise linked to the syndicate.
THE PROSECUTION MUST SHOW THAT THE ACCUSED WAS IN POSSESSION OF THE ATM CARD AND ACTUALLY USED IT
I’m not fully confident about this argument, but if the truth is the accused lost or misplaced the ATM card, or that it was held by a moneylender as security, then he should have disclosed it in his police statement, tendered in support for consistency’s sake.
“[26] The defence further submitted anyone who has access to the ATM card and its pin number could withdraw the money kept in the bank account. Hence, the prosecution must prove that there was an irresistible inference that the accused was in possession of the ATM card and it was the accused who withdrew the money from his account. There is also no presumption under any legislation against any accused person to prove that he was not in possession of the ATM card and he was not the person who withdrew the money in the bank account. Hence, the burden lies on the prosecution to prove that the ATM card was in the accused's possession and not the defence.”
OVERT ACT HE WAS INVOLVED
This argument could be effective against a prosecution where the investigation was superficial and “asal buat”. For this kind of case, which would likely involve a smaller number of unconnected witnesses (i.e. they are connected only because the process of investigation), I do not think you could really gauge the depth of the investigation until the IO takes the stand.
“[40] In this Court's considered view, the word 'conceals' denotes an act of intentionally hiding or depriving another person the whereabouts of a property which is owned by either the person who conceals it or the person to whom the concealing was made against. Upon interpreting the provision of s 424 of Act 574 and the principle in Sarimah Peri (supra) this Court is of the view that in order for the first ingredient of the offence charged against the accused to be proved, it is insufficient to make a finding that the accused had concealed the monies which belonged PW1 merely by the fact that the monies were deposited by PW1 into the accused's bank account. There must evidence either direct or circumstantial that the accused was actively involved in the concealment of PW1's monies in the accused bank account.”
NO PROOF OF DISHONESTY – Wrongful gain and wrongful loss
Dishonesty is surely an ingredient of many commercial crimes including this one, and is connected to the concept of wrongful gain and wrongful loss. All these concepts are interpreted in the Penal Code.
“[28] For the second ingredient, the defence contended that there was no evidence to prove that the accused had intended to cause wrongful loss to PW1 or wrongful gain to other person. The learned defence counsel referred to Sarimah Peri (supra) where the court held that the duty of the prosecution was to prove from available evidence the acts of the accused to enable an inference of such dishonest intention. It was argued that the loan application was facilitated by Vasukhi and later by Chandran. There was no evidence to prove dishonesty on the part of the accused.”
Many Magistrates would consider that dishonesty is inferred -- Their Honours would likely steer away using the word “presume” even though that were the mental exercise which took place. This inference arises from the fact of transaction. Just thinking out loud, it could be argued that this inference could be supported had the scammer and account holder been acquainted for a long time or that the bank mule is somehow involved in the scamming (which would likely be statistically miniscule). Making a comparison with other types of cases, inference of this quality is rampant from my experience before many lower courts, equally supported by many appellate courts who found it fit not to interfere with such finding.
In all fairness, there are statutory presumptions that justify similar findings of dishonesty, because Parliament had enacted a statutory presumption to fulfil that purpose. For example dishonesty is presumed by proof of transaction (i.e. misappropriation) under Section 409B(1) of the Penal Code – that is for criminal breach of trust. I do not know the jurisprudential basis for this, but it could be due to the philosophy of entrustment. There is no such philosophy and no such jurisprudence for a case under Section 424 of the Penal Code. Magistrates should not infer there was dishonesty for money from unknown sources being deposited into a bank mule’s account
Legal Defences
From the 2 decisions referred above, I believe you could direct your defence head-on against the ingredients one by one. No need for elaborate narratives, just hit them at two points:
a. Knowledge and intention. For cases where you have volunteered your account, you could adduce evidence of the relationship between yourself and the person you rented it to. If it was contractual (albeit a not so legal one), you could attempt to emphasise that you contemplated your account be used for a lawful purpose only. Good luck with that. For cases where the account was used without your knowledge, go strong on your denial and testify on your “langkah berjaga-jaga” when maintaining the said account, as well as the fact that you reported immediately after discovering something amiss.
b. Dishonesty – wrongful gain / wrongful loss. Attack these head on. Your lawyer will know what to do. The victim is likely so remote from you that you would never have intended to cause them to sustain wrongful loss. Argue on remoteness of causation between your act of allowing your account to be used (not the actual event of deposit, but the consent to do so) resulted in wrongful loss to the victim.
c. Actus reus : The concealment or retention of property – following the quoted case law, the mere deposit is not proof of concealment. This is mainly a legal argument, leave it to your lawyer.
CONCLUSION
We should feel safe transacting our money in the financial system. Despite all the sophisticated security infrastructure to secure the e-banking space, criminal elements continue to test the system by manipulating the human link through social engineering and other methods. Unfortunately, some law enforcement officers may take a “shoot the messenger” or “punish the victim” approach by arresting and pressing charges against owners of accounts that have been compromised – of all things relying on an archaic law adapted for modern circumstances. Fortunately the Courts will can give victims an opportunity to present legal defences.
Keywords : Scam victim, commercial crime, cheating, criminal syndicate, white collar crime, mangsa penipuan, jenayah komersil, penipuan, aktiviti sindiket, penggubahan wang haram, bank mule, akaun keldai, scammer.
[1] PUPIL: International Journal of Teaching, Education and Learning (2020) Vol. 4, Issue 1 pp. 19-37
[2] On this point on dubious standing orders, I credit an advice from a senior bank officer from an international financial institution.
[3] Sarimah Peri lwn Pendakwa Raya[2019] 3 MLRH 568 (Court of Appeal)
[4] PP v Ong Jia Yong [2020] MLRSU 5 (High Court of Malacca) by Muhammad Nazrin J.