The Payvision cybercrime case continues to unfold, symbolizing the proliferation of cybercrime, money laundering, and fraud on an international scale. This narrative delves into the intricate web woven by Payvision, once a promising fintech startup turned facilitator of high-risk transactions, and scrutinizes the implications of its settlement with the Dutch Public Prosecution Service—a resolution that many might argue sends a tepid message to perpetrators of financial cybercrime.
The Amsterdam Connection
Founded in the early 2000s by Rudolf Booker, Payvision quickly established itself as a significant player in the high-risk payment processing sector. The firm catered to a clientele that frequently skirts the fringes of legality, and its specialization in industries like pornography and gambling already places it in a delicate operational niche.
However, Payvision‘s involvement with known scammers cemented its notoriety within the cyberfinance community. This involvement was not tangential; it was central to its business model for a period, especially highlighted by the engagement with figures such as Uwe Lenhoff, a German cybercrime mastermind, and Gal Barak, an orchestrator of online broker scams.
In 2015 or 2016, the then Payvision CEO Booker met the German cybercrime mastermind Uwe Lenhoff through the intermediary of the Amsterdam real estate investor Dirk-Jan Bakker.
Lenhoff subsequently acquired the Israeli boss of an online broker scam network, Gal Barak, as a client for Payvision. Bakker and Lenhoff had a joint venture with the Veltyco Group, which was listed on AIM in London and acted as a holding company for a portfolio of vast cybercrime schemes. These illicit ventures also became Payvision customers.
Veltyco also developed cybercrime activities in the Balkans. Money laundering activities were carried out together with a lawyer in Belgrade via the subsidiary Velmont, which was established in Montenegro. Another partner involved was one of the bosses of a notorious criminal cleaning company in Belgrade. Later, Lenhoff and his Serbian partners fell out, which also resulted in attacks on life and limb. Bakker has always denied having been informed about these Veltyco activities. Lenhoff, however, claims that Bakker was involved in the Veltyco activities.
Lenhoff and Barak were arrested in early 2019. Lenhoff died under mysterious circumstances in a German prison in 2020. Rumors persist to this day that Lenhoff’s death is connected to these Serbian complications. In September 2020, Barak was sentenced by an Austrian court to several years in prison and a payment of several million euros for money laundering and investment fraud. Further arrests and convictions in various jurisdictions followed.
Payvision played a pivotal role in the criminal files as a payment facilitator for Lenhoff, Barak, and their cybercrime activities. It is clear from the criminal files that Booker and the management team knew about their customers’ criminal activities and still supported them with their payment services. Booker was even on vacation with Lenhoff and gave Lenhoff and Barak tips for their illegal business.
The ING Acquisition: A Misjudged Endeavor
The acquisition of the cybercrime-inflated Payvision by ING for an alleged €400 million was heralded as a milestone in digital banking. Yet, this celebration was short-lived. The acquisition, lauded by then-CEO Ralph Hamers, quickly soured as the reality of Payvision‘s entanglements with illegal operations surfaced, casting a long shadow over the due diligence processes employed by ING.
In 2019, ING sold part of Payvision‘s operations back to the founders for a nominal 1 euro. It was the part of the business that included payments processing for gambling and pornography customers including PornHub. In 2020 INGhad to write down €188 million in goodwill from the value of Payvision. Hamers left ING and became CEO of the Swiss UBS where he had to resign in 2023.
Finally, ING announced the closure of Payvision in October 2021. In October 2022, ING informed that the phasing-out of Payvision was completed.
The Questionable Settlement and Forgotten Victims
On April 5, 2024, the Dutch Public Prosecution Service announced that Payvision‘s former directors have received a fine of €180,000 and €150,000 respectively for their “de facto leadership in a long-standing and structural violation” of anti-money laundering (AML) and counter-terrorism financing laws—underscore a broader issue within the regulatory and enforcement landscape. While these fines represent a nominal acknowledgment of wrongdoing, they pale in comparison to the extensive financial and emotional devastation inflicted on the victims of the scams Payvisionfacilitated.
While the public prosecutor accused the former directors of having failed in their gatekeeper function under their responsibility, the settlement is a slap on the wrist. It raises critical questions about the effectiveness of financial penalties as a deterrent to corporate complicity in cybercrime. The disparity between the fines and the scale of the facilitated fraud highlights a worrying precedent: entities, through strategic neglect, can contribute to the financial underworld and emerge with minimal financial repercussions.
Despite the finding that Payvision structurally neglected its KYC/AML obligations for years, thereby enabling the fraud against tens of thousands of victims of its scam customers, the two directors have only received a fine of €330,000. This is an unremarkable fraction of the damage they caused to tens of thousands of victims and the Dutch financial market.
Lawsuits are currently still being filed against Payvision and ING by victims of Payvision scam customers. These lawsuits are being coordinated by the European Funds Recovery Initiative (EFRI). With the findings of the public prosecutor’s office, it is at least officially clear that Payvision has committed massive, systematic and therefore intentional KYC/AML misconduct and thus enabled fraud by its scam customers.
The Role of Regulatory Oversight
This case accentuates the critical function of regulatory bodies and the need for a robust framework to scrutinize and monitor financial institutions. The Dutch Central Bank‘s investigation revealed Payvision‘s ambition to bypass stringent KYC/AML protocols from 2016 to 2020, thus violation financial laws. It revealed that Payvision indeed facilitated cybercrimine by systematically violating the regulatory framework and financial laws. In this instance, the regulatory oversight was reactive rather than proactive, allowing Payvision to operate unchecked for an extended period.
Conclusion: A Call for Strengthened Oversight and Deterrence
The Payvision cybercrime saga serves as a call for regulatory authorities and law enforcement. The settlement with the Dutch prosecution, viewed by some as an underwhelming response to serious regulatory violations, suggests a need for a reevaluation of how penalties are assessed and imposed. It calls into question the deterrent effect of current punitive measures and underscores the importance of rigorous regulatory oversight to safeguard the integrity of the financial system.