The Green Sheet Online Edition
February 27, 2012 • Issue 12:02:02
FDIC warns banks about processors
The Federal Deposit Insurance Corp. revised guidelines for banks doing business with payment processors. In a Jan. 31, 2012, letter, the FDIC recommended banks assess the risks associated with each processor with which they do business because some processors carry a higher risk of fraud.
In the letter, Sandra L. Thompson, FDIC Director of the Risk Management Supervision Division, and Mark Pearce, FDIC Director of the Depositor and Consumer Protection Division, wrote, "While payment processors generally effect legitimate payment transactions for reputable merchants, the risk profile of such entities can vary significantly depending on the make-up of their customer base."
The FDIC noted some payment processors, such as companies that process for telemarketers and online businesses, operate at greater risk of fraud. The letter stressed processors "must have effective processes for verifying their merchant clients' identities and reviewing their business practices."
The letter stated that without effective supervision of processors' clients, banks will have an increased risk of exposure to money laundering and fraud. "Financial institutions are reminded that they cannot rely solely on due diligence performed by the payment processor," the FDIC directors said. "The FDIC expects a financial institution to adequately oversee all transactions and activities that it processes and to appropriately manage and mitigate operational risks.
"Financial institutions that fail to adequately manage these relationships may be viewed as facilitating a payment processor's or merchant client's fraudulent or unlawful activity and, thus, may be liable for such acts or practices."
Vigilance isn't optional
The FDIC recommended banks pay particular attention to processors that have more than one sponsoring financial institution or have a history of changing banks frequently. The directors said, "Financial institutions should also be on alert for payment processors that solicit business relationships with troubled financial institutions in need of capital." Processors do this because such banks are more willing to engage in higher-risk transactions in exchange for increased fee income, according to the letter.
The directors also said processors will sometimes provide capital to beleaguered banks through stock purchases or large deposit guarantees. They advised banks to keep a close eye on sudden increases in chargebacks and consumer complaints about processors and/or their clients, as these occurrences may be fraud indicators.
The letter also reminded banks to be aware, when possible, of investigations or legal actions against processors. When a bank believes there may be fraud involved in payment processing, the FDIC recommends several options: file a Suspicious Activity Report with the U.S. Department of the Treasury; tell the processor to stop processing for problem merchants; freeze deposit accounts to cover the cost of anticipated chargebacks; and terminate business with the processor.
"Controls and due diligence requirements should be robust for payment processors and their merchant clients," the directors advised. "At a minimum, the policies and procedures should authenticate the processor's business operations and assess the entity's risk level." It is important that banks verify information from processors to be certain the processors' merchants are doing legitimate business, they said.
Banks ought to audit
The directors added independent audits of processors are important because such reviews "ensure that the processor's controls are sufficient and that contractual agreements between the financial institution and the third-party payment processor are honored."
But single audits are not enough, according to the directors. Ongoing monitoring is needed to alert banks when red flags are raised, such as when sudden higher rates of returns or chargebacks occur. Additionally, banks should frequently analyze and monitor reserve balances and chargeback accounts. The letter recommends formalizing the audits of third-party payment processing relationships.
"At a minimum, board-approved policies and programs should assess the financial institution's risk tolerance for this type of activity, verify the legitimacy of the payment processor's business operations, determine the character of the payment processor's ownership, and ensure ongoing monitoring of payment processor relationships for suspicious activity among other things," the letter stated. The FDIC guidance letter can be found at www.fdic.gov/news/news/financial/2012/fil12003.html.
For additional news stories, please visit www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story excerpt. This will take you to the full text of that story, followed by all other news stories posted online.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.