Federal agencies are again stepping up their scrutiny of banks’ relationships with third-party payment processors. Typically, payment processors are deposit customers of banks and use deposit accounts to process large volumes of payments for merchants. This type of relationship raises difficult compliance issues for both banks and payment processors. Although payment processors provide a critical service for merchants, government agencies look closely at banks that have payment processors as customers. Regulators have criticized certain payment processors because the processors make it difficult for consumers to identify the ultimate merchant. The consumer’s bank account statement only has the payment processor’s name and not the merchant’s name. Also, some payment processors have been used by abusive telemarketers and other entities engaged in consumer fraud. Banks opening accounts in the names of payment processors are exposed to a higher degree of risk of enforcement action by regulators, class-action lawsuits by consumers, and even criminal investigation.
For example, federal agencies have opened high-profile investigations and imposed tough penalties on banks that do business with wayward payment processors. Recently, in November 2010, the Federal Deposit Insurance Corporation (FDIC) ordered SunFirst Bank of Utah to revamp and improve its compliance systems and to cease doing business with certain abusive payment processors. The FDIC order also required SunFirst to increase its board oversight of compliance systems as they relate to payment processors and to name a compliance officer to enforce consumer protection laws. The Federal Trade Commission obtained an injunction against these same payment processors in February of this year. Likewise, in April 2008, Wachovia paid $144 million to settle enforcement actions brought by the Office of the Comptroller of the Currency (OCC). Wachovia also faced actions by the United States Department of Justice and class-action plaintiffs. The actions resulted from Wachovia’s relationship with payment processors allegedly engaged in abusive telemarketing preying on senior citizens.
These are just a couple of examples of federal regulators’ recent efforts. On the heels of these enforcement actions, this summer, the FDIC issued additional guidance reminding banks of their obligation to conduct appropriate due diligence to uncover and report suspicious activities by payment processors. See www.fdic.gov/regulations/examinations/supervisory/insights/sisum11/si_sum11.pdf. The FDIC and OCC have long scrutinized payment processors, repeatedly warning banks of the potential risks of doing business with them. The FDIC and OCC require banks to do more than just engage in routine credit and other similar underwriting when considering relationships with payment processors. Rather, banks must: (a) look at payment processors’ businesses, and review their Web sites and promotional materials; (b) determine whether the payment processors sell their excess capacity (in such a situation, the payment processor itself actually processes payments for another payment processor), thus further concealing the ultimate users of such payment services; (c) examine the payment processors’ business policies, procedures and history of complaints; and (d) even visit the payment processors’ business locations. The FDIC has identified various lines of business that are particularly “high-risk” when involving payment processors. These businesses include pharmaceutical sales, credit repair services, government grants, and home-based charities.
Banks that do not heed the OCC and FDIC’s recent warnings to improve compliance systems act at their own risk, which might ultimately invoke enforcement and other actions. Likewise, payment processors will need to examine their compliance procedures as they run the same risk. This time around, federal scrutiny will not be by regulators alone. Federal prosecutors have taken a very active interest in banks’ relationships with payment processors and will likely open criminal and civil investigations of the processors and the banks. Indeed, in February 2011, the U.S. Attorney’s Office in Philadelphia obtained an indictment of six defendants for processing gambling payments from offshore companies. See United States v. Hellinger, Crim. No. 11-83 (February 10, 2011). Also, in April 2011, a federal grand jury in New York returned an indictment charging 11 defendants, including the vice chairman of SunFirst Bank and the operator of a payment processor, related to their processing of payments for Internet poker companies.
Look for these actions to increase, with U.S. Attorneys’ Offices around the country and the Criminal and Civil Divisions at the Department of Justice in Washington dedicating more resources to investigations of payment processors. These investigations undoubtedly will look at more than just the payment processors. When prosecutors bring actions against payment processors, they almost always investigate the banks where the payment processors have deposit accounts. Investigations and actions against payment processors run the risk of exposing both the payment processors and banks to regulatory and even criminal investigations scrutinizing their compliance systems.
Comprehensive compliance systems are not a luxury for banks and payment processors. They are a must in today’s climate. They can also provide a strong defense against criminal and civil actions for processing payments for abusive telemarketers and other entities engaged in consumer fraud. Such measures are powerful evidence to show to regulators and prosecutors during investigations and enforcement actions.