On October 22, 2012, FinCEN issued an advisory (FIN-2012-A010) addressing the risks associated with third-party payment processors and providing additional guidance on identifying suspicious activities and filing SARs. The advisory highlights many of the same risks and concerns that were addressed by the FDIC in its January 2012 revised guidance on payment processor relationships (our post on the January 2012 revised guidance can be found here).

Less than one month later, FinCEN and the FDIC assessed concurrent $15 million civil money penalties against First Bank of Delaware arising from alleged deficiencies in that bank’s anti-money laundering program relating to, among other things, third party payment processors. The bank separately settled with the U.S. Department of Justice on these same issues. (We will post separately on the details of the FinCEN/FDIC orders and DOJ settlement.)

Taken together, the advisory and the First Bank of Delaware orders indicate greatly increased regulatory focus on third party payment processors. This heightened scrutiny brings to mind the regulatory focus on money services businesses in the mid-2000s, when many banks concluded that it was safer to refuse to provide services to MSBs rather than to risk regulatory criticism. The industry seems to be facing the same question today with respect to providing services to third party payment processors. It seems clear that at a minimum, as the Advisory itself notes, financial institutions providing services to third party payment processors may need to update their anti-money laundering compliance programs.

FinCEN’s Advisory

FinCEN’s advisory explains that payment processors “present a risk to the payment system by making it vulnerable to money laundering, identity theft, fraud schemes, and illicit transactions.” While many payment processors provide legitimate payment transactions for reputable merchants, the risk profile of such entities “can vary significantly depending on the composition of their customer base.” FinCEN states that the risk profile is higher for entities processing consumer transactions for telemarketing and Internet merchants or creating and depositing remotely created checks (RCCs). The agency adds that these entities “tend to have relatively higher incidences of consumer fraud or potentially illegal activities.”

Red flags. FinCEN provides a number of potential red flags that may indicate illicit use of payment processors, based in part on trends and indicators provided by federal, state and local law enforcement agencies through the Financial Fraud Enforcement Task Force’s Consumer Protection Working Group. These red flags include:

  • Fraud. A large number of consumer complaints about a payment processor and/or its merchant clients, as well as high numbers of chargebacks or returns, suggests that “the originating merchant may be engaged in unfair or deceptive practices or fraud, including using consumers’ account information to create unauthorized RCCs or ACH debits.” 
  • Accounts at multiple financial institutions and use of check consolidation accounts
  • Money laundering. Payment processors can be used to mask criminals’ illegal or suspicious transactions and to launder criminal proceeds, including the proceeds of consumer fraud. ACH credit transactions originating abroad also have been used to place illicit funds directly into domestic financial institutions. 
  • Enhanced risks. FinCEN states that there are potential risks associated with third-party entity relationships, particularly “foreign-located payment processors that process payments for telemarketers, online businesses, and other merchants;” therefore, these relationships may require careful due diligence and monitoring. 
  • Soliciting business. Some payment processors may solicit business relationships with distressed financial institutions that are in need of revenue and capital or commit to purchasing stock in such institutions, believing they may be more willing to engage in risky transactions. Targeted financial institutions are often “smaller community banks that lack the infrastructure to properly manage or control” a relationship with a high risk payment processor. 
  • Higher rate of returned debit items due to unauthorized transactions.

AML compliance programs. Due diligence. Through initial and ongoing due diligence, financial institutions should determine whether any external investigations or legal actions are pending against a payment processor, or its owners or operators. In addition, financial institutions should determine whether a payment processor has obtained all the necessary state licenses, registrations and approvals. We note that both the Federal Trade Commission and the Consumer Financial Protection Bureau maintain databases of publicly accessible consumer complaint data, and make public their enforcement actions. Banks may want to consider reviewing such information, among other things, before providing significant services to any third party payment processor.

Suspicious activity reporting. FinCEN reminds financial institutions of their SAR filing obligations and requests that, when reporting suspicious activity related to payment processors, financial institutions check the appropriate box on the SAR form to indicate the type of suspicious activity involved as well as include the term “payment processor” in the SAR narrative and in the subject occupation portion of the SAR.

FinCEN’s advisory is available here.