The Green Sheet Online Edition
February 22, 2016 • Issue 16:02:02
Compliance: a costly, multi-headed monster
Compliance with all applicable industry and regulatory mandates can be a costly proposition for financial institutions – and for their partners, such as ISOs and processors. Not complying, however, can be equally, if not more costly.
Executives at the Bank of Mingo, an $83 million asset bank in Williamson, W.V., understand this firsthand. The six-branch community bank paid $4.5 million in penalties in 2015 for Bank Secrecy Act violations. Specific problems included failure to implement internal controls that would have resulted in the bank obtaining sufficient know-your-customer (KYC) information, and allowing customers to structure transactions to avoid reporting rules for large-dollar cash transactions.
This pales in comparison to what happened to First Bank of Delaware in 2012. A $256 million asset institution, First Bank paid $30 million in fines, plus it was stripped of its state banking charter and federal deposit insurance after it was determined the bank had failed to implement internal controls for managing risks associated with third-party payment processors and money services businesses.
Another community bank, Saddle River Valley Bank, in Saddle River, N.J., suffered a similar fate when it was discovered to have executed $1.5 billion in transactions over a span of three years on behalf of money exchanges in Mexico and the Dominican Republic that had ties to drug cartels. Jennifer Shasky Calvery, Director of the Financial Crimes Enforcement Network (FinCEN), a branch of the U.S. Treasury Department that enforces anti-money laundering (AML) laws, said she found it "remarkable" that a small community bank attracted billions of dollars in transactions from new customers and that it didn't set off internal alarms.
Shasky Calvery also held the case out as a lesson to others. "Banks of all sizes, in any part of the country, may be tempted by such lucrative ventures," she said at the time. "However, banks must use common sense in evaluating customer risk or seemingly lucrative businesses could become quite the opposite."
Vantiv takes pass on fantasy sports
Top 10 acquirer Vantiv Inc. seems to have done that. In the face of increased state scrutiny of daily fantasy sports operators, Vantiv decided to suspend all processing of payments for these firms effective Feb. 29, 2016. Vantiv is said to be the largest provider of acquiring services for these businesses.
Daily fantasy sports is a turbo-charged version of traditional fantasy sports. Instead of running for an entire season, as traditional fantasy sports games do, daily contests have participants draft players for teams that play just one game and compete for cash prizes. Several state attorneys general recently issued cease-and-desist orders to the online companies behind daily fantasy sports games, asserting the games amount to illegal gambling. And, in fact, six states have ruled the games illegal.
Vantiv President and Chief Executive Officer Charles Drucker addressed the company's decision to exit this particular aspect of the business in a Feb. 3 earnings call. "We have decided that it is prudent to suspend processing for transactions involving daily fantasy sports due to the increasingly uncertain regulatory and judicial environment around these operations," he said. "We may re-enter the space in the future should conditions change.
"In the meantime, we remain firmly committed to processing for online and land-based gaming operators, including state lotteries and other regulated gaming activity where the regulatory and judicial frameworks are more clearly established."
Compliance impacts everything
As the Vantiv decision illustrates, AML regulations are not the only issues keeping compliance officers awake at night. Compliance is a multiheaded monster that can impact every aspect of banking, from vendor selection to boarding and ongoing customer service.
A recent study by Finextra revealed that the cost to banks of boarding new clients has risen 61 percent over the last five years. Most of that growth has sprung from ongoing changes to KYC and AML regulations. Eighty-eight percent of banks queried agreed that KYC due diligence requirements are impacting boarding times, Finextra reported.
Separately, a report released in October 2015 by the Federal Reserve and the Conference of State Bank Supervisors revealed that compliance costs consume 22 percent of net income at community banks. "Respondents to the 2015 survey reported that regulatory compliance accounted for 11 percent of personnel expenses, 16 percent of data processes expenses, 20 percent of legal expenses, 38 percent of accounting and auditing expenses, and 48 percent of consulting expenses," the regulators wrote.
"To the extent that these percentages are accurate and representative of the community banking industry, they imply a hypothetical compliance cost to community banks, in these areas alone, of $4.5 billion annually."
Holly Merrill, Chief Compliance Officer at Giact Systems LLC, stated, "In today's regulatory environment, and with internal and external auditors always watching, know your customer, know your customer's customer, vendor management, all of these things are very important."
Giact, a Dallas firm that provides automated risk analysis and management tools in support of payment acceptance, has access to over a dozen databases with detailed information about companies and individuals, including government watch lists like the one maintained by the Office of Foreign Assets Control, Merrill noted. This enables the company to present a full picture of a prospective client or transactions involving an existing customer.
Giact said it has provided real-time risk analysis on more than 1 billion transactions in just over 10 years. In 2015, the company introduced a solution for authenticating mobile users and devices, in real time, across mobile, web and call center platforms. Merlin Bise, co-founder and Chief Technology Officer at Giact, said the company can access details on 94 percent of mobile users across all major carriers to verify customer identities in real time. This, he said, "drives fact-based decisions" that simplify and improve boarding and transaction authorization for client firms.
"As mobile commerce has exploded, companies are spending more and more to prevent fraud and ensure the integrity of their customer interactions," Bise said. "Not only can mitigating payments risk be expensive, it can also be difficult to implement and cause frustration on the part of the end customer," especially potential new customers, he added.
Consumer protection drives much activity
Companies that handle consumer transactions, of course, also face myriad consumer protection regulations, as well as fraud and antitrust considerations. These are areas where the Federal Trade Commission, the Justice Department, state attorneys general, and the Consumer Financial Protection Bureau wield regulatory and enforcement authority.
The CFPB, created under the 2010 Dodd-Frank Act, is authorized to send its own examiners into large financial services firms and their service providers to ensure compliance with consumer protection laws and to enforce those laws, when necessary, with banks and processors.
Payment processing companies don't operate under the same state and federal regulatory regimes that apply to the banks and credit unions, especially AML rules. Regulators have made it clear, however, that financial institutions are responsible for ensuring the third-party processors they work with keep miscreants from accessing the financial system.
"Guidance" from federal financial institutions regulators, developed by the inter-agency council known as the FFIEC, speaks directly to payment processor relationships. It was last updated in July 2014.
These are key highlights:
- Account relationships with companies that process payments for merchants "require careful due diligence, close monitoring, and prudent underwriting."
- Account relationships with high-risk entities can lead to trouble with the Federal Trade Commission, which enforces numerous consumer protection laws.
- Financial institutions should be on alert for consumer complaints and unusual return rates.
- Financial institutions need to ensure processors perform thorough and frequent verifications of the identities and business practices of high-risk merchants.
- Financial institutions "should act promptly when fraudulent or improper activities occur relating to a payment processor, including possibly terminating the relationship."
"To limit the potential for statutory or regulatory violations and related consumer harm, supervised banks and nonbanks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers," the CFPB wrote in a 2012 bulletin.
The CFPB has taken actions against several payment companies since, including Global Client Solutions, an Oklahoma-based firm that specializes in processing debt settlement payments. "Global Client Solutions made it possible for debt-settlement companies to collect tens of millions of dollars in illegal upfront fees from consumers," said CFPB Director Richard Cordray. He promised the CFPB "will continue to crack down on illegal debt-settlement firms and the companies that help these operations collect illegal fees from consumers."
The FTC has taken a particularly hard line on payment processors. In December 2015 the FTC, working in concert with the State of Florida, issued an eight-count indictment against an unscrupulous telemarketing firm and its payment processor, CardReady LLC, and two of that company's executives for processing payments for a fraudulent debt relief program the telemarketer was selling. CardReady was charged with card laundering, in violation of federal law, and illegal factoring of credit card transactions under Florida law.
"Our investigation went beyond the telemarketers who swindled consumers out of their money," said Jessica Rich, Director of the FTC's Bureau of Consumer Protection. "We also stopped the credit card processing operation that hid their illegal transactions. Credit card laundering isn't just bad business; it's against the law," Rich said.
The CardReady case isn't apt to be the last word out of the FTC on matters like this. When it took action against CardReady, the commission made it clear that it would continue to crack down on companies that violate the federal Fair Debt Collection Practices Act and the companies they use to process payments. It even has a name for the initiative: Operation Collection Protection.
First Annapolis Consulting Inc., in a paper prepared for the Electronic Transactions Association in 2014, said that going after acquirers that process payments for merchants that violate the federal Telemarketing Sales Rule is a stretch for the FTC. The paper, titled The FTC's Potential Impact on the Merchant Acquiring Industry, explained that the FTC would have acquirers effectively repay consumers for transactions with fraudulent merchants, even though those consumers are likely to be unaware of the company's role in the transaction.
"The FTC's expectation that the acquirer should repay consumers for transactions that were not even disputed is far outside the long-established operating model utilized in the card-based payments industry," the consultancy wrote.
In 2015, the FTC changed its Telemarketing Sales Rule to specifically ban the use of certain payment instruments, namely remotely created checks and prepaid card cash reloads. The rule only applies to telemarketing firms. (See, "FTC kills telemarketers' remotely created payments," The Green Sheet, Dec. 28, 2015, issue 15:12:02.)
Getting to know customers
All this attention from the states and federal agencies is putting pressure on ISOs, acquirers and their processing partners to really know their customers. "You have to look at everything," Merrill said.
Traditionally, evaluating, boarding and monitoring merchants has been a labor- and time-intensive process. Tools of the trade have included reviews of websites, street maps, Better Business Bureau complaints, pending lawsuits, even driving by prospects' businesses.
Now these are being supplanted by automated solutions that can accomplish the task quickly and more cheaply than an hourly employee. Plus they can be tweaked on the fly in response to changing market conditions and organizational needs.
"The concept of automation really seems to be resonating now," said Matthew Parker, co-founder of KYC SiteScan. KYC SiteScan is one of a small cadre of firms that automate KYC and other due-diligence processes for payment companies and banks. They flag potential problems that need closer scrutiny by humans – typically a small subset of total transactions.
At the heart of these automation solutions is something theorists call Bayesian probability, which can predict the probability of an event occurring (for example, a payment returned) based on conditions that might relate to that event. So, for example, an individual who has a history of chargebacks or bankruptcy may not be a good candidate for a merchant account. Parker described the process as "machine learning," and likened it to spam filters.
"It needs to be trained, but you can get to a very high level of accuracy very quickly," Parker said. "When we scrutinize something [or someone] we can come at it from many different angles." These would include business and/or personal financial information, information about a company's marketing and customer service policies and practices, and what people are saying on social media.
"We don't use just one formula or algorithm," Parker added. "We use many different methods and data sources." All that information is gathered and packaged in a matter of minutes and sent to the end user who writes specific rules for leveraging the information, depending on objectives and circumstances.
"Each SiteScan can generate 20 different values that a few of our clients have used to score and/or auto-decision micro-merchant applications," noted Eric Thomson, KYC SiteScan co-founder. Other uses include verifying vendors for compliance with regulators' third-party processor risk guidelines, screening portfolios for high-risk merchants and daily scans of government databases (for example, CFPB complaints and OFAC watch lists).
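The spam-filter comparison above can be made concrete with a naive Bayes scorer, the technique classic spam filters use. This is an added example, not KYC SiteScan's or any vendor's method; the feature names, training history and review threshold are constructed for illustration.

```python
from math import exp, log

# Hypothetical yes/no signals gathered at boarding (assumed names).
FEATURES = ("prior_chargebacks", "bankruptcy", "bbb_complaints")

# Constructed history: (flags in FEATURES order, True if the account later
# produced excessive returns or chargebacks).
HISTORY = [
    ((1, 1, 1), True), ((1, 0, 1), True), ((1, 1, 0), True), ((0, 0, 1), True),
    ((0, 0, 0), False), ((0, 0, 0), False), ((0, 1, 0), False),
    ((0, 0, 0), False), ((1, 0, 0), False), ((0, 0, 0), False),
]

def train(history):
    """Count outcomes and, per outcome, how often each flag was set."""
    n = {True: 0, False: 0}
    hits = {True: [0] * len(FEATURES), False: [0] * len(FEATURES)}
    for flags, bad in history:
        n[bad] += 1
        for i, flag in enumerate(flags):
            hits[bad][i] += flag
    return n, hits

def p_bad(model, flags):
    """P(bad outcome | flags) by Bayes' rule, features assumed independent."""
    n, hits = model
    total = n[True] + n[False]
    logp = {}
    for cls in (True, False):
        lp = log(n[cls] / total)                      # prior P(class)
        for i, flag in enumerate(flags):
            # Laplace smoothing keeps an unseen combination from zeroing out.
            p1 = (hits[cls][i] + 1) / (n[cls] + 2)
            lp += log(p1 if flag else 1 - p1)
        logp[cls] = lp
    top = max(logp.values())                          # stabilise the exponentials
    weight = {cls: exp(v - top) for cls, v in logp.items()}
    return weight[True] / (weight[True] + weight[False])

def triage(model, flags, review_at=0.5):
    """Route only high-scoring applications to a human underwriter."""
    return "manual review" if p_bad(model, flags) >= review_at else "auto-approve"

MODEL = train(HISTORY)

if __name__ == "__main__":
    for applicant in [(0, 0, 0), (1, 0, 0), (1, 1, 0)]:
        print(applicant, round(p_bad(MODEL, applicant), 3), triage(MODEL, applicant))
```

Retraining on new outcomes shifts the scores, and the end user's own rules (here only the `review_at` threshold) decide what gets escalated.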
Identifying potential fraud
Many of these automated solutions are used in tandem with fraud tools, such as those developed for account opening and transaction authorization. Indeed, there appears to be significant crossover.
Early Warning Services LLC, a consortium owned by five of the country's largest banks that operates a shared database of bank account and accountholder information, began working with BioCatch in 2015. BioCatch specializes in authentication and behavioral biometrics, using a new offering that maps criminal behavior in the digital ecosystem.
"The solution reduces fraud by providing critical intelligence to participating [financial services companies] based on shared user behavior insights and data gathered from bank-contributed fraud records," the company said in a statement.
Early Warning CEO Paul Finch added, "Integrating BioCatch's behavior analytics, plus our ability to authenticate consumers and their [mobile] devices … enables participating banks to provide a more seamless and secure digital experience for their customers as well as increase their own operational efficiencies."
Given the potentially devastating impact of government agency actions, the payments community must adhere to KYC best practices to be reasonably sure that our businesses, our merchants and our merchants' customers are operating within the law.