It has been five years since the FDIC first warned bankers through a Financial Institution Letter (FIL) about increased risks associated with providing banking services to payment processors, and in our experience, these types of arrangements remain a significant concern for the FDIC and other regulatory agencies. Although the FDIC emphasized in a September 27, 2013, FIL that the FDIC does not prohibit banks from offering banking services to payment processors, the FDIC also emphasized that banks engaging in such activities must implement proper policies and procedures, which, based on applicable guidance and our experience, need to be extremely robust. This article discusses the nature of such relationships and red flags and regulatory expectations associated with such relationships.
A payment processor relationship typically exists where the bank’s customer has a deposit account through which it processes payments for third-party merchants. Although the vehicle of payment may take many forms, the FDIC notes the payment methods of greatest concern consist of remotely created checks and ACH debits processed by the payment processor through the bank on behalf of the processor’s merchant customers. The complicating factor is that the payment processor stands between the bank and the merchant, the ultimate end user of the service. Therefore, without proper diligence and monitoring, the bank might not know much about the end user’s business lines, thus resulting in the potential for the bank to act as an unknowing conduit for unscrupulous or outright fraudulent activity by the merchants.
For example, who is the payment processor for illegal internet gambling? Who is the payment processor where those popups unexpectedly open and request personal and/or payment-related information? If your bank has account holders conducting payment processing services for third parties and has not developed robust policies regarding diligence, underwriting and oversight, your bank just might be the payment processor for unscrupulous internet schemes or illegal activities – thus the FDIC’s concern with these types of arrangements.
FDIC EXPECTATIONS: DUE DILIGENCE
The FDIC clarifies that, “at a minimum, Board approved policies and programs should assess the financial institution’s risk tolerance for this type of activity, verify the legitimacy of the payment processor’s business operations, determine the character of the payment processor’s ownership, and ensure ongoing monitoring of payment processor relationships for suspicious activity, among other things.” To summarize, the primary expectation of the FDIC with respect to payment processing arrangements is due diligence. Banks should conduct diligence upon, and perform a risk assessment with respect to, potential payment processors and watch for red flags such as use of multiple banks, frequent moves from one bank to the next, and lawsuits against processors or their owners. Further, the guidance indicates that not only is the bank responsible for knowing the payment processor (and its owners) as the bank’s direct customer, the bank is also responsible for gathering due diligence regarding the payment processor’s merchant customers, including merchant names, principal business activity, location, and sales techniques. However, it is not enough simply to gather such information from the payment processor; the FDIC also expects banks to verify such information, where possible, through public records, fraud databases, and other trusted third parties. Further, the FDIC recommends, and sometimes requests, obtaining independent third-party audits of payment processors to confirm such processor is verifying the legitimacy of its merchant customers and such merchants’ business practices.
FDIC EXPECTATIONS: MONITORING
The FDIC also expects banks providing services to payment processors to implement systems to monitor for certain types of red flags associated with high-risk merchants, such as consumer complaints regarding merchants, higher rates of returns, and higher rates of chargebacks. Importantly, payment processors are not often subject to Bank Secrecy Act or other anti-money laundering requirements, so the bank must assess and manage risks associated with merchant money laundering, identity theft, fraud and other illicit transactions.
Although payment processing arrangements may present a potential opportunity to generate additional fee income, banks should not enter such arrangements lightly. In fact, the FDIC warns that unscrupulous payment processors often target troubled institutions, suspecting such institutions may be the most in need of fee income and willing to accept greater risks associated with payment processor arrangements. However, the FDIC and other regulators expect that banks will implement proper procedures and policies and hire experienced staff to ensure the bank actually adheres to such policies and procedures, and based on our experience, the FDIC is willing to enforce these expectations. Therefore, properly providing services to payment processors is a costly endeavor. Further, banks should ensure they execute a thorough contract with all payment processors that, among other important provisions, provides a quick exit in the event of suspicious activity and indemnification for any losses. Banks associating with payment processors should also expect and prepare for close examination of such activities by their regulators.
Although banks may be able to generate high fee income by offering banking services to payment processors, banks should implement and enforce thorough risk mitigation policies and procedures with respect to such activities and prepare for close regulatory review.