Revised Guidance on Third Party Payment Processors

The FDIC issued a “clarification” on July 28 to the effect that banks had gone overboard in their reaction to the FDIC’s expressed concerns about third party payment processors. The pressure the banks have been subjected to is related to “Operation Choke Point” where the Justice Department, with the assistance of the federal bank regulators, have attempted to block of the flow of funding to certain businesses such as payday lenders by attacking the ability of third party payment processors who deal with the targeted businesses to maintain deposit accounts  with commercial banks. The expressed regulatory reason for this was that banks were exposed to undue reputational risk by assisting such companies to stay in business. While the ability of some of the underlying companies to operate across state lines is currently being litigated by various parties across the US including local cities, the FTC and the New York Attorney General, the businesses for the most part conduct businesses where they are located.

Operation Choke Point has received a great deal of publicity, particularly since it seeks to cut off funding to businesses whose operations are not illegal. The rub being that regardless of what you believe the merits of payday lending to be, once an agency of the federal government decides to put the squeeze on one line of commercial business, what stops them from picking on other lines business. In other words, why do they get to pick and choose who the winners and losers might be and isn’t there some risk that politics can raise its ugly head in the process.

The FDIC and the OCC published Guidance in November of 2013 where they define Reputation Risk as:

Reputation risk is the risk arising from negative public opinion. Deposit advance products are receiving significant levels of negative news coverage and public scrutiny. This increased scrutiny includes reports of high fees and customers taking out multiple advances to cover prior advances and everyday expenses. Engaging in practices that are perceived to be unfair or detrimental to the customer can cause a bank to lose community support and business.

Szell:  Is it safe?
Babe:  I don’t know what you mean. I can’t tell you something’s safe or not, unless I know specifically what you’re talking about.
Szell:  Is it safe?
Babe: Yes, it’s safe, it’s very safe, it’s so safe you wouldn’t believe it.
Szell:  Is it safe?
Babe:  No. It’s not safe, it’s… very dangerous, be careful.

In the 1976 movie Marathon Man, Babe (Dustin Hoffman) is held down while Nazi war criminal Szell (Laurence Olivier) drills Babe’s teeth without anesthetic, trying to learn if it is safe to sell a cache of diamonds stolen from concentration camp victims.  Babe has no idea what Szell was asking about so has no information to disclose, even under torture.

After a decade of painful regulatory examinations without anesthetic, bankers are now asking the same question from the perspective of the tortured.  Is it safe to do business again?  As in Marathon Man, whether it is safe depends in part on what “it” means – what the proposed business is and who the customer is.  It also depends on the bank’s systems and infrastructure to manage the risk.

Given the changing legal and liability landscape, and changing expectations of examiners, bankers are uncertain about the risks of engaging in many types of business.  Some of the areas of uncertainty include providing banking services to third party payment processors, payday lenders, or money services businesses.  Other bankers are wondering about banking services for legal marijuana retailers, or their clients taking courses for forex, or buyers, sellers, or processors of virtual currencies.  Some bankers are even hesitant to return to mortgage lending in light of all of the new regulations and regulatory scrutiny.

DC Partner John ReVeal, New York Partner Judith Rinearson and Santa Monica Partner Brette Simon will provide insight at the Money2020 Expo. The conference promises to bring together a global community of innovators in payments and financial services with 400-plus speakers spanning more than 100 sessions and workshops. More than 4,000 attendees are expected.

October 6, 2013 – October 10, 2013
Aria Resort and Casino
3730 Las Vegas Blvd.
Las Vegas, NV 89158

On Oct. 6, ReVeal will moderate a panel on the risks and rewards of credit-based emerging payment products. In addition to discussing what people need to know when launching or distributing credit-based products, this panel will address the current consumer group and regulatory pressure to restrict or prohibit credit as part of emerging payments and financial services solutions.

Later in the afternoon, Rinearson will moderate the panel “Money Transmitter Licensing: Kafka Revisited,” which will offer insight on how to manage the ambiguities of state money transmitter licensing laws.

Simon then will join a panel on how to prepare in advance of raising capital from institutional investors. Topics will include getting your legal and business house in order to maximize value upon a capital raise and avoid the “10% valuation haircut;” due diligence and the risks of having the wrong investors; and structuring investment to avoid “change of control” regulatory issues.

The FDIC recently released a consent order with Meridian Bank (Paoli, Penn.) which dealt largely with the bank’s oversight and management of its electronic payment program and third-party payment processors (TPPPs), as well as BSA/AML issues. Although this order is tailored by the FDIC to address specific issues found at the bank and focuses on merchant transaction processing, a review of the requirements outlined in the order may be useful for banks and other financial services companies that deal with third-party providers or high-risk customers.

The order includes a lengthy and detailed list of the steps the bank must take regarding its oversight and management of third parties involved in the bank’s electronic payments program, including the following:

Hot on the heels of FinCEN’s advisory on risks associated with third-party payment processors (see Government Update, issue 18), FinCEN and the FDIC assessed concurrent $15 million civil money penalties against First Bank of Delaware for violations of BSA/AML laws and regulations. Among other things, FinCEN and the FDIC found that the bank “failed to adequately oversee third-party payment processor relationships and related products and services commensurate with associated risks.”

The bank also settled related civil claims with the DOJ, which alleged it “established direct relationships with several fraudulent merchants and third-party payment processors working in cahoots with a large number of additional fraudulent merchants.” On behalf of those entities, the DOJ alleged, the bank originated hundreds of thousands of debit transactions against consumers’ bank accounts, many of which originated via remotely created checks (RCCs). The DOJ also alleged that the bank was aware of “significant red flags warning the bank that the debit transactions were tainted by fraud.” The DOJ’s $15 million penalty is concurrent with those of FinCEN and the FDIC. The bank also is required to maintain an account with $500,000 to pay consumer claims arising from its alleged conduct. 

On October 22, 2012, FinCEN issued an advisory (FIN-2012-A010) on the risks associated with third-party payment processors and to provide additional guidance on identifying suspicious activities and filing SARs. The advisory highlights many of the same risks and concerns that were addressed by the FDIC in its January 2012 revised guidance on payment processor relationships (our post on the January 2012 revised guidance  can be found here.).

Less than one month later, FinCEN and the FDIC assessed concurrent $15 million civil money penalties against First Bank of Delaware arising from alleged deficiencies in that bank’s anti-money laundering program relating to, among other things, third party payment processors. The bank separately settled with the U.S. Department of Justice on these same issues. (We will post separately on the details of the FinCEN/FDIC orders and DOJ settlement.)

On January 31, 2011, the FDIC released revised guidance on payment processor relationships, spelling out with a lot more specificity its expectations for banks’ relationships with payment processors.

We have summarized below some highlights of what was added to the guidance by the FDIC, and also provide a redline showing the changes from the FDIC’s prior guidance, released in 2008.  Of particular interest to many of our clients, the FDIC notes that some payment processors may target smaller community banks, based on a belief that they may be more willing to engage in higher-risk transactions in exchange for increased fee income and may lack the infrastructure to properly manage or control a third-party payment processor relationship.

Highlights of some additions to the guidance include the following (not an exhaustive list):

• Financial institutions should ensure their contractual relationships with payment processors provide them with access to necessary information in a timely manner. Agreements should also protect financial institutions by providing for immediate account closure, contract termination, or similar action, and establish adequate reserve requirements to cover anticipated chargebacks.
• Financial institutions should adequately oversee all transactions and activities that they process and appropriately manage and mitigate operational risks, BSA compliance, fraud risks, and consumer protection risks, among others.  Financial institutions cannot rely solely on  due diligence performed by the payment processor.
• Financial institutions that fail to adequately manage relationships may be viewed as facilitating the payment processor’s or merchant’s fraudulent or unlawful activity, and thus may be liable for such acts or practices. (Italicized portion is new.)
• Financial institutions should take reasonable steps to ensure they understand the type and level of complaints related to transactions that they process. Consumer complaints may be sent to the financial institution, as well as to the payment processor, the merchant, consumer advocacy groups, online complaint websites, or posted on blogs.
• Financial institutions should determine if there are any external investigations of or legal actions against a processor or its owners and operators, during initial and ongoing due diligence.
• Policies and procedures should outline the financial institution’s thresholds for unauthorized returns, the possible actions that can be taken against payment processors that exceed these standards, and methods for periodically reporting such activities to the financial institution’s board and senior management.
• Financial institutions should be aware of nested processing relationships, and obtain data on the nested processor and its merchant clients. Risk is significantly elevated with such relationships because nested processor and aggregator relationships may be extremely difficult to monitor and control.
• The more a financial institution relies on a processor for due diligence and monitoring of merchants without direct financial institution involvement and verification, the more important it is to have an independent review to ensure that the processor’s controls are sufficient and that contractual agreements between the financial institution and processor are honored.
• Board-approved policies and programs should assess the financial institution’s risk tolerance for payment processing activity, verify the legitimacy of the payment processor’s business operations, determine the character of the payment processor’s ownership, and ensure ongoing monitoring of payment processor relationships for suspicious activity, among other things. (Italicized portion is new.)
• Adequate routines and controls include sufficient staffing with the appropriate background and experience for managing third party payment processing relationships of the size and scope present at the institution, as well as strong oversight and monitoring by the board and senior management.