Friday, February 3, 2012
The Federal Deposit Insurance Corp. revised guidelines for banks doing business with payment processors. In a Jan. 31, 2012, letter, the FDIC recommended banks assess the risks associated with each processor with which they do business because some processors carry a higher risk of fraud.
In the letter, Sandra L. Thompson, FDIC Director of the Risk Management Supervision Division, and Mark Pearce, FDIC Director of the Depositor and Consumer Protection Division, wrote, "While payment processors generally effect legitimate payment transactions for reputable merchants, the risk profile of such entities can vary significantly depending on the make-up of their customer base." The FDIC noted some segments of the payment processing industry, such as companies that process for telemarketers and online businesses, operate at greater risk of fraud. The letter stressed processors "must have effective processes for verifying their merchant clients' identities and reviewing their business practices."
Without effective supervision of a processor's clients, banks will have a significantly increased risk of exposure to money laundering and fraud, the letter warned, adding that banks should be particularly careful of processors that service merchants that are also processors because of the difficulty of obtaining information from merchants/processors.
"Financial institutions are reminded that they cannot rely solely on due diligence performed by the payment processor," the FDIC directors said. "The FDIC expects a financial institution to adequately oversee all transactions and activities that it processes and to appropriately manage and mitigate operational risks."
The directors noted, "Financial institutions that fail to adequately manage these relationships may be viewed as facilitating a payment processor's or merchant client's fraudulent or unlawful activity and, thus, may be liable for such acts or practices."
The FDIC recommended banks pay particular attention to processors that have more than one sponsoring financial institution or have a history of changing banks frequently. The directors said, "Financial institutions should also be on alert for payment processors that solicit business relationships with troubled financial institutions in need of capital." Processors do this because such banks are more willing to engage in higher-risk transactions in exchange for increased fee income, according to the letter.
The directors said processors will sometimes provide capital to beleaguered banks through stock purchases or large deposit guarantees. They advised banks to also keep a close eye on sudden increases in chargebacks and consumer complaints about processors and/or their clients, as these occurrences may be fraud indicators.
The letter also reminded banks to be aware, when possible, of any investigations or legal actions against processors. When a bank believes there may be fraud involved in payment processing, the FDIC recommends several options:
"Controls and due diligence requirements should be robust for payment processors and their merchant clients," the directors advised. "At a minimum, the policies and procedures should authenticate the processor's business operations and assess the entity's risk level." It is important that banks verify information from processors to be certain the processors' merchants are doing legitimate business, they said.
The directors added independent audits of processors are important because such reviews "ensure that the processor's controls are sufficient and that contractual agreements between the financial institution and the third-party payment processor are honored."
But single audits are not enough, according to the directors. Ongoing monitoring is needed to alert banks when red flags are raised, such as when sudden higher rates of returns or chargebacks occur. Additionally, banks should frequently analyze and monitor reserve balances and chargeback accounts. The letter recommends formalizing the audits of third-party payment processing relationships.
The FDIC authors concluded, "At a minimum, board-approved policies and programs should assess the financial institution's risk tolerance for this type of activity, verify the legitimacy of the payment processor's business operations, determine the character of the payment processor's ownership, and ensure ongoing monitoring of payment processor relationships for suspicious activity among other things."
A copy of the FDIC Payment Processor Relationships Revised Guidance letter can be found at www.fdic.gov/news/news/financial/2012/fil12003.html .
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.