JTIP Blog

Within the past decade, companies outside of the traditional financial services firms have disrupted the financial industry due to technology shifts. Gaming companies now offer in-game currencies creating virtual economies and technology companies like Venmo and Zelle have disrupted the digital wallet space. With the creation of new virtual economies comes additional risk for consumers. These market entrants create new venues for cybercriminal activity, such as scams and money laundering.

Video Games and Microtransactions

In-game currency in video games pre-dates the current trend of digital currency. Many video games give users the ability to expand their experience by creating a virtual economy. Players engage in microtransactions where real currency is exchanged for virtual currency to use within a video game. The video game industry generated $21.1 billion in revenue in 2020 and has risen in recent years due to the pandemic which led to a rise in people seeking entertainment through online gaming.

Many game companies incorporate in-game currency to extend a player’s game time. For example, Minecraft, a sandbox video game with over 238 million copies sold, developed its own currency called “coins” as well as a marketplace within the game. Other games with active in-game economies include Second Life and World of Warcraft. While the intention of marketplaces in video games is to give gamers new and exciting features that drive them to increase their play time, cyber criminals have tapped these platforms to engage in money laundering and fraud. These games have players from all over the world, generating risks of cross-border money laundering and financing terrorism.

There are several ways a cybercriminal can engage in money laundering. The first is through using Skins. “Skins” are customized looks or accessories that gamers buy in-app to enhance their characters and extend their play time. These items are purchased, traded, or earned within the game. Another way is through third-party skin gambling sites such as CSGOEmpire, or Thunderpick where people can bid on these add-ons in exchange for cash. People use multiple accounts to build their reputation, and then sell items to other members in exchange for cash, with the option to withdraw those funds. Another way that money laundering can occur is when criminals use game platforms to clean dirty money. They load their account with the dirty money using stolen credit cards or other means, then transact with others several times until the money is clean and withdraw those new funds. Lastly, cybercriminals leverage stolen credit cards to engage in money laundering. They build profiles in digital gaming economies with lots of in-game features, such as skins or in-game currency. Cybercriminals will then sell these accounts on the secondary market to another user in exchange for cash.

Money Laundering in E-Payments

With Covid-19, we also saw an increase in fraud through use of money transfer apps. Criminals find individuals to deposit funds into an electronic payment app and then move funds to various accounts in order to clean the money. The Secret Service has over 700 pending investigations regarding payment fraud specifically related to COVID-19 relief funds. While these apps are easy to use and provide flexibility to customers and businesses, oftentimes at no cost, they also have led to an increase in fraud as well as a lack of consumer protection. While the transactions may be small at the individual level, used often to pay someone back for a meal or another shared expense, in aggregate these digital payment apps see huge traffic. Customers transferred $490 billion through Zelle and $230 billion was through Venmo in 2021. The rise in popularity of digital payment channels have led to more avenues for fraudulent activity.

There are various types of scams that cybercriminals can engage in using digital payment services. Users can be targeted for phishing scams via text message. They also can be targeted for a reverse charge: a stolen credit card is used for the transaction, the goods are delivered, and then a few days later the charge reverses because the card is illegitimate, but the goods are already out of the seller’s hands. Additionally, the goods themselves may not exist: a buyer might transact on Zelle or Venmo with the intention of purchasing the product, authorize a payment, but never receive the item.

With the rise in digital payment services as well as fraud, there is a question about whether consumers should bear responsibility for their actions or if they deserve protection from the platform. Zelle was created in 2017 by banks to promote digital transactions. However, these same banks claim that they are not liable to protect consumers against fraud because they authorize each transaction. Additionally digital payment platforms are starting to participate in cryptocurrency, another area in which legislators are looking to regulate to reduce fraud and protect the economy.

Relevant Regulations and Challenges

There are various regulations that impact the use of digital currency services as well as video games in relation to money laundering and fraud; however, they may not be comprehensive enough to apply to these new platforms.

Title 18 §1960 of the U.S. Code criminalizes unlicensed operation of money transmitting businesses. This regulation was developed by Congress in response to money launderers’ shift towards nonbank financial institutions in the 1990s. While digital payment services would qualify as engaging in “money transmitting,” it is unclear if video games, and their in-game currencies would fall under the code’s definitions of “funds.” In-game currencies could be considered funds due to the existence of vast secondary markets. Accounts are often sold between users, and skins are auctioned on dedicated platforms. On the other hand, courts have found that in-game currency and virtual items do not hold real-world value and fail to meet the meaning of “money” (see Soto v. Sky Union, LLC, a class action lawsuit where the court held that in-game currency did not hold real-world value because they could not be cashed out into real currency).

Additionally, the European Global Data Protection Regulation (”GDPR”) challenges safeguards against money laundering through video games and digital payment services through individuals‘ “right to be forgotten,” which can impede traceability of money laundering and fraud identification.

The US Consumer Financial Protection Bureau (“CFPB”) also has established regulations for unauthorized transfers.  Under 12 CFR §1005.2, the Code of Federal Regulations defines unauthorized transfers as ones which are “initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit,” but does not include a transaction by someone who was given access to the device to make the transaction. Additionally, the liability is capped at $50 or $500 depending on if they provide notice to the financial institution.

The federal government, under the USA PATRIOT Act, also regulates money transfer services. The intention of the Act is to lay groundwork to deter and punish terrorist attacks through law enforcement and money laundering protection. Venmo, which qualifies as a money transfer services, had to implement a Customer Identification Program and collect additional information (e.g. Social Security Number) to verify the identities of users making transactions in accordance with the Act. While the Act intends to crackdown to reduce money laundering criminals are now instead looking for other venues to transact. Video games serve as an alternative as they are full of users engaging in micro transactions, thereby making it easier for money launderers to blend in and harder for government agents to catch.

Lastly, there are efforts underway to develop and review Anti-Money Laundering (“AML”) regulations. The European Commission published draft regulations in July 2021 to establish an EU AML authority and impose a single rulebook to coordinate approaches. While these regulations intend to restrict cybercriminals, it is unclear if these regulations are robust enough to protect consumers against cybercriminal activity in this digital age. Congress and regulators need to keep a close watch to new market entrants in digital payments to ensure regulations are comprehensive and continue to protect consumers against potential fraud in all venues.

Kathleen Denise Arteficio is a third-year JD-MBA student at the Northwestern Pritzker School of Law.