International Money Flow
JOINT ADVISORY · v1.0 · 2026-04-08

Joint advisory: shell-company exploitation in third-party payment processing

We are issuing this joint advisory together with five sector partners to draw attention to a sustained pattern of shell-company onboarding through third-party payment processors. The pattern moves between jurisdictions on a weekly cycle, exploits inconsistencies in beneficial-ownership data, and is currently observed against small-and-mid-sized payment processors in particular.

joint-advisory financial-crime third-party-payment-processing shell-company
Published
2026-04-08
Status
PUBLISHED
Version
1.0
Author
IMF Practice — with five sector partners
Reading time
4 min
Co-signed
  • International Money Flow Practice
  • Anti-Fraud Coalition for Payments (AFCP)
  • Financial Crime Information Exchange (FCIX)
  • European Payment Integrity Group
  • Cross-Border Settlement Working Group
  • Shared Threat Intelligence for Fintech
We are seeing the same shell-company patterns being onboarded across multiple processors in the same week. The gap is not in any individual processor's controls; it is in how slowly the signal travels between them.
— IMF Practice, Joint Advisory Briefing, 2026-04-08
Contents

The undersigned organisations are issuing this joint advisory in response to a pattern of shell-company onboarding observed across third-party payment processors during the first quarter of 2026. We have chosen to publish jointly because the pattern is structural — it exploits the absence of a shared signal between processors, not the inadequacy of any one processor’s controls. Coordinated mitigation requires coordinated awareness.

What we have observed

Between January and March 2026, partners across this advisory observed shell entities being onboarded as merchants or beneficial owners across five separate third-party payment processors, on a seven-to-ten day cycle. The same legal entity, with cosmetically varied directors, registered addresses, and articles of association, appeared in onboarding queues at multiple processors during the same week. In each case the entity passed first-line KYC, processed transactions for between four and seventeen days, and was deregistered after a regulatory query — only to re-emerge in a different processor’s pipeline soon after.

The pattern is not novel. The cycle time is.

Affected sectors

We assess with high confidence that small-and-mid-sized third-party payment processors are the primary current target. Larger processors have observed similar onboarding attempts but have detected and rejected them at higher rates due to richer beneficial-ownership data sources. The pattern has not yet been observed at the level of acquiring banks or card networks, but the methodology applied to those targets would be available to the same actor with minor adaptations.

We also assess with moderate confidence — and this is the more worrying assessment — that the cycle time will continue to compress as the actor automates portions of the onboarding interaction. Where seven-to-ten days has been observed in Q1 2026, we expect to see three-to-five days by mid-2026 unless the cross-processor signal is substantially improved.

What processors should do

The primary recommendation is to participate in cross-processor intelligence sharing through one of the existing channels listed at the foot of this advisory. The signal that the same entity has been deregistered by a peer processor in the past fourteen days is exactly the signal that, if shared in something close to real time, would close the cycle.

In the absence of shared signal, we recommend three immediate controls:

  • A second-line review of any merchant onboarded with a registered address, director set, or article filing that is less than ninety days old.
  • A cross-check against the OpenSanctions and OpenCorporates datasets before final approval, with the cross-check repeated weekly for the first three months of any new merchant relationship.
  • A defined deregistration-event escalation that includes notifying one of the partner channels listed below within five working days.

None of these controls is novel. The advisory is to make them non-optional in the next ninety days, given the observed cycle time.

What organisations using third-party processors should do

If your organisation contracts with one or more third-party payment processors for merchant services, the question to ask your processor representative this week is whether they participate in any of the intelligence-sharing channels listed at the foot of this advisory. The answer should be yes; if the answer is no, the next question is when they intend to.

Organisations that depend on third-party processors for inbound customer payments should also satisfy themselves that their processor’s deregistration cadence is not so aggressive that legitimate merchants are routinely caught — the response to this advisory must not be to overcorrect by raising the false-positive rate on small-business onboarding.

What we will publish next

We will republish a follow-up assessment in Q3 2026 with updated cycle-time figures and a sector breakdown of where mitigation has and has not landed. The follow-up will be co-signed by the same group and will include any additional observations from our peer organisations in jurisdictions not currently represented.

How to receive future joint advisories

The same channels we use for this advisory:

We expect to issue between four and six joint advisories per year on patterns affecting financial-sector infrastructure. We do not issue joint advisories on single-vendor disclosures or on issues already adequately covered by the originating disclosing party.

RELATED

Also see

FEEDBACK

Was this paper useful?