The Green Sheet Online Edition
October 22, 2018 • Issue 18:10:02
Law, payments and national security
For a typical payments professional, national security can seem like a remote concern addressed by government security agencies tasked with protecting the nation. Typical payments companies do, however, have a substantial role in protecting national security.
There are laws that mandate the involvement of payments companies in national security and, beyond mandatory legal rules, payments companies may take various actions to ensure that their businesses are not unwitting facilitators in doing harm. The purpose of this article is to address some of the legal issues at the intersection of payments and national security.
National security payments law
It's illegal to process payments for criminals. Knowingly processing a payment for a criminal purpose exposes the processor to liability for conspiracy to commit the underlying crime as well as for the additional crime of money laundering. That basic, common-sense reach of criminal law is augmented by the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC), which publishes the Specially Designated Nationals And Blocked Persons List comprising people (dubbed SDNs) with whom it is illegal to transact business.
Every time a merchant applies for a merchant account, the merchant is supposed to be run through OFAC screening to see that the merchant account owners are not SDNs.
Financial institutions, such as banks and money transmitters, which include numerous new fintech businesses, are required by the Bank Secrecy Act (BSA) to also maintain anti-money laundering policies that help prevent their businesses from being abused by criminals and terrorists. OFAC screening is but one of a number of precautions that payments businesses take as part of protecting national security under the BSA.
The Financial Crimes Enforcement Network (FinCEN) has a mandate to collect suspicious activity reports from financial institutions, money transmitters and other fintech businesses, and make those reports available to law enforcement – all for the protection of national security.
State laws and banking departments also provide for state licensing of money transmitters and other kinds of fintech businesses to be sure they are not owned by criminals or terrorists, as well as ensure that they have policies and procedures in place to prevent their abuse by criminals or terrorists. Dozens of federal and state laws regulate payments with the purpose of protecting national security. The requirements of these laws are woven in throughout our industry.
Negligence as security vulnerability
Based on the handful of security incidents I have seen as legal counsel to hundreds of payment services providers over many years, I've found that payments providers involved in breaches of national security are not usually intentionally complicit. Instead, they are complicit by their own negligence. If a payments provider has loose underwriting criteria, weak system security or weak transaction monitoring, its "rails" become an easy target for bad actors to abuse and use for illicit purposes.
There are legal reasons to have effective compliance policies, such as the rules of the BSA, FinCEN, OFAC and payment network (such as Visa and Mastercard) rules. There are also business reasons to have excellent security monitoring, for example, to prevent fraud, service interruption and the financial costs of being associated with criminal activity. These legal and business motivators for better security run throughout the payments industry and serve a dual purpose: they make payments businesses better as businesses, and they make payments businesses less likely to be vulnerable to abuse by criminals.
Where payments providers strive for best-in-class policies, procedures and systems, they are likely to earn the collateral benefit of being less exposed to abuse by bad actors who wish to exploit the U.S. payments industry for harmful purposes.
Individual rights versus national security
Payments providers, as with all businesses, should be mindful not to trample on individual rights when looking to improve the security of their systems. As a payments provider, the decision to provide services to clients should not be based on illegal grounds of discrimination, such as the proposed client's race or religion. The balancing of individual rights versus security plays out in all parts of society – the payments industry is no exception.
The law does, however, allow for discrimination pertaining to payments to certain geographic areas, such as North Korea or Iran, as well as certain designated individuals, such as SDNs. These rules are based on government-enacted national security considerations and not on the race or religion of the countries singled out for sanctions.
Payments businesses are often offered lucrative opportunities of dubious provenance. When a merchant has an enormous volume of processing but no corresponding marketing, sales or operational substance, a provider is right to ask questions about the basis of the high volume of payments. This is common sense and practiced by most payments providers that I have advised.
Newer providers are particularly vulnerable to abuse by criminals. Startups have three strikes against them that make them vulnerable to abuse. First, they are up against the high cost of starting a new business. Second, they do not yet have revenue, which would otherwise allow them to be more selective in choosing clients. Finally, early startups are sometimes naïve as to the illicit purpose of certain potential clients.
Together, these three factors require investors, suppliers and advisors to startups to reduce the risk of abuse of their services by making mature decisions about client selection and oversight – despite temptations otherwise.
Today, common sense often involves incorporating screening services, which are powerful complements to human oversight, into client underwriting and monitoring.
Each person in a payments business should benefit from training that fits his or her specific function. Training is especially important in KYC/AML roles where specific skills are required to comply with the law and protect payments businesses from abuse. Without the right training, policies, procedures and screening services are not much use, and can even be harmful to the business.
Typically, the point of failure of payments in national security is found only after the fact. That's why payments providers should implement best practices throughout their operations to catch failures before they happen.
In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, attorney at law by email at firstname.lastname@example.org or by phone at 514-842-0886.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.