New Guidance on Payments Processing
FDIC Stresses Due Diligence, Transaction Monitoring
The Federal Deposit Insurance Corp. has issued revised guidance describing potential risks linked to relationships with third-party entities that process payments for merchants. The key message: The onus is on banks to perform due diligence and ongoing monitoring of these relationships.
In its revised guidance for payment processor relationships, the FDIC says certain deposit accounts with payment processors pose unusual risks.
"Payment processors that deal with telemarketing and online merchants may have a higher risk profile because such entities have tended to display a higher incidence of consumer fraud or potentially illegal activities than some other businesses," the guidance states. "Financial institutions should understand, verify, and monitor the activities and the entities related to the account relationship."
Institutions that fail to adequately manage these relationships may be viewed as facilitating a processor's or merchant's fraudulent activity and could be held liable, the FDIC states.
What does the new guidance mean for banks? Avivah Litan, a financial fraud analyst at Gartner, says this is likely a first step toward heightened scrutiny. "I think the regulators are going to get more involved and require more due diligence on the processors," she says.
But for now, the burden of discovery is on the banks.
"The banks need to take this guidance and meet with their processors and see how their processors are monitoring transactions for fraud," Litan says. "It's not easy. There are so many mandates now; but from the point of view of the regulators, they have no one else to lean on."
Six Expectations
To mitigate risk, regulators suggest banks review processors' transactional histories, as well as their clients. Adequate reviews may require involvement from multiple departments, including IT, operations, Bank Secrecy Act/anti-money laundering and compliance.
The guidance highlights six key points:
- Account relationships with high-risk entities pose increased risks for unfair and/or deceptive acts or practices;
- Payment processors pose heightened risks for money laundering and fraud when merchant identities are not verified and business practices are not reviewed;
- Banking institutions need to assess risk tolerance in overall risk assessments and develop due diligence policies and ongoing monitoring;
- Monitoring consumer complaints or unusual return rates could suggest inappropriate use of personal account information;
- Regulators expect banks to quickly respond when fraudulent or improper activities are identified; and
- Improper risk management on the part of banks and credit unions may result in penalties and other enforcement actions.
Ultimately, regulators are asking banks to do more diligence on their payments processors.
AML expert Kevin Sullivan says it's often the extensive payments chain of entities between financial institutions and their customers that increases risk.
"The bank has to do due diligence on any third party that they hire, and the third party needs to do quality due diligence on anyone they are going to subcontract [or do business] with," Sullivan says. "It is tough to maintain command and control over your business if you contract outsiders who contract more outsiders who contract additional outsiders."
Risk Assessment Recommendations
Financial institutions should ensure contractual agreements with payment processors provide them with access to necessary information in a timely manner. "These agreements should also protect financial institutions by providing for immediate account closure, contract termination or similar action, as well as establishing adequate reserve requirements to cover anticipated charge-backs," the guidance states.
Regulators also suggest financial institutions regularly monitor accounts and perform ongoing risk assessments: "The FDIC expects a financial institution to adequately oversee all transactions and activities that it processes and to appropriately manage and mitigate operational risks, Bank Secrecy Act compliance, fraud risks and consumer protection risks, among others."
The FDIC lists eight areas all institutions should include in processor risk assessments:
- Identify the major lines of business and volume for the processor's customers;
- Review the processor's policies, procedures and processes to determine the adequacy of due diligence standards for new merchants;
- Review corporate documentation, including independent reporting services and, if applicable, documentation on principal owners;
- Review the processor's promotional materials, including the website, to determine target clientele;
- Determine if the processor re-sells services to a third party, such as an agent or independent sales organization, and whether sufficient due diligence procedures have been applied to those entities;
- Visit the processor's business center;
- Review appropriate databases to ensure that the processor and its principal owners and operators have not been subject to law enforcement actions; and,
- Determine whether any conflicts of interest exist between management and insiders of the financial institution.
Aite analyst Julie McNelley says regulators want banks and credit unions to have solid understandings of processors' risk-mitigation practices.
"This guidance highlights the need to not only have those practices in place, but to also have a good understanding of the types of clients that the payment processors serve, as they can represent vastly different types of risk," she says. "A payment processor enabling payroll cards will have a different risk profile than a processor enabling online gaming, and FIs [financial institutions] should have a good understanding of the types of payments flowing through the processors, and risk-adjust their own AML systems accordingly."