The FDIC recently released a consent order with Meridian Bank (Paoli, Penn.) which dealt largely with the bank’s oversight and management of its electronic payment program and third-party payment processors (TPPPs), as well as BSA/AML issues. Although this order is tailored by the FDIC to address specific issues found at the bank and focuses on merchant transaction processing, a review of the requirements outlined in the order may be useful for banks and other financial services companies that deal with third-party providers or high-risk customers.
The order includes a lengthy and detailed list of the steps the bank must take regarding its oversight and management of third parties involved in the bank’s electronic payments program, including the following:
Due diligence, policies, procedures and processes. The bank is prohibited from providing merchant processing services for TPPPs, TPPP merchants or direct merchants (together referred to in the consent order as “E-Payment Entities”), unless it (1) conducts comprehensive due diligence on all E-Payment Entities; (2) develops and implements consistent policies, procedures and processes (PP&P) regarding E-Payment activities; and (3) maintains adequate reserves for potential chargebacks from all E-Payment Entities. Regarding items 1 and 2, the order further requires that:
- The bank’s due diligence must include a comprehensive written analysis performed by a knowledgeable bank employee or qualified consultant regarding any reputational, compliance, legal, fraud, Unlawful Internet Gambling Enforcement Act (UIGEA) and BSA risks posed by the entity.
- The bank’s E-Payment PP&Ps must adequately:
- Reflect actual E-Payment activities at the bank.
- Address Unfair or Deceptive Acts and Practices (UDAP) and UIGEA.
- Manage merchant acquiring, ACH and remotely created check (RCC) activities.
- Identify and eliminate instances of “nested” TPPPs (i.e., TPPPs that provide services to other TPPPs, which in turn provide services to merchants).
- Provide internal monitoring and complaint coverage.
- Include a comprehensive list of entities that present elevated risk or potential for consumer harm and for which the bank will not process transactions.
Review of existing customers; risk assessments; suspicious activity monitoring. The bank is ordered to review all existing TPPP merchant and direct merchant files for sufficiency of data and documentation. A trained and qualified bank employee must prepare a thorough written analysis of each file, including a review of the types of business activity conducted by the merchant, the legality of such activity, and a full risk assessment that covers BSA, compliance and reputational risk, as well as the likelihood of fraud, identity theft or misrepresentation. The bank must also, among other things, revise its BSA risk assessment to include E-Payment-related risks, and develop a formalized process for BSA monitoring and review of E-Payment Entities for suspicious activity monitoring and reporting purposes.
Third party risk management program. The bank is required to adopt and implement systems and controls to ensure proper third-party risk management. The third-party risk management program must conform to FDIC guidance on managing third-party risk and on payment processor relationships, and must address the following:
- Initial and subsequent periodic risk assessments.
- Due diligence procedures for selecting third-party vendors and service providers.
- Procedures to review contract terms.
- Effective vendor and service provider oversight.
- Effective oversight of merchant acquiring, RCC and ACH activities, and the E-Payment Entities, to ensure compliance with all applicable consumer laws and FDIC guidance on payment processor relationships, including (1) clarifying acceptable rates of returns and actions to be taken if those rates are exceeded, (2) complaint monitoring and handling processes, (3) actions to be taken if complaint levels and/or trends warrant intervention and (4) updating the bank’s TPPP policy and procedures.
The order also addresses a number of other TPPP issues, including those related to employee and board training, reporting to the board, the board’s involvement and input on the bank’s E-Payment program, independent testing and a third-party look-back review for suspicious activity reporting. The order addresses a number of general BSA/AML issues as well, regarding internal controls, risk assessments, customer due diligence, enhanced customer due diligence, OFAC compliance, independent testing, designation of a qualified BSA officer and training.
The consent order is available here.