A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

June 14, 2021 • Issue 21:06:01

AML for ISOs

By Adam Atlas
Attorney at Law

Money laundering is the illegal activity of concealing the origins of money or crypto and facilitating its flow through legitimate banks, payment processors or crypto businesses. Terrorists, drug dealers, fraudsters and other criminals are always looking for ways to inject their ill-gotten or ill-purposed funds into the legitimate financial and crypto ecosystem.

The purpose of this article is to give ISOs and processors an entry-level understanding and appreciation of the importance of money laundering controls and where ISOs fit into the fight against financial crime. Bear with me, as I must include some acronyms and legal jargon.

Pursuant to the Bank Secrecy Act (BSA), the U.S. Department of the Treasury Financial Crimes Enforcement Network (FinCEN) regulates anti-money laundering (AML) standards for U.S. financial institutions, and the Office of Foreign Asset Control (OFAC) publishes lists of persons who are prohibited by law from being served by U.S. financial or other businesses (Specially Designated Nationals – SDNs).

All U.S. banks (including acquiring and issuing banks) must comply with the standards and other requirements set by FinCEN, OFAC and other federal and state regulatory agencies. They must operate pursuant to a BSA-compliant anti-money laundering program (AML Program), which is an institution-specific set of rules and procedures by which the institution will comply with the BSA.

Where the institution has identified suspicious activity on the part of an account-holder (for example, processing for fraudulent merchants), the institution may file a suspicious activity report (SAR) with FinCEN. FinCEN shares SARs with law enforcement to help them catch criminals.

AML requirements for merchant accounts

It turns out that, from an AML perspective, opening a merchant account with a processor or acquiring bank is not different from opening a regular checking account. Indeed, a MID works a lot like a checking account, but with a very specific and narrow purpose: to acquire funds from payment cards and settle them to the owner of the MID.

Every person or business that opens a bank account or MID must be screened by the bank opening the account against SDN lists as well as other filters set out in the applicable AML program. The account-holder (for example, merchant) must also be monitored throughout their relationship with the institution and may be the subject of suspension, termination, SAR filings or other actions by the institution depending on their activity.

AML responsibility in merchant processing

Technically, the primary legal responsibility in conventional credit and debit card payment processing rests with the acquiring bank. However, as readers of The Green Sheet know, acquiring banks outsource much of their operational functions to processors, ISOs, payfacs and other agents.

That outsourcing often includes imposing obligations on agents to collect merchant IDs, verify IDs against SDN lists, monitor merchants for suspicious activity and assist in providing information that could support the filing of a SAR.

That's the technical answer. In the real world, all participants in the payment processing marketplace have an obligation to participate in AML; that is what regulators and banks expect.

To be precise, when a payment facilitator (payfac) opens a bank account through which they settle merchant settlement funds, in addition to the AML requirements of the sponsoring bank, the bank where the payfac is banking will usually require the payfac to submit its AML program and possibly even share the report of an external auditor attesting to the effectiveness of the AML program.

There was a time when processors could turn a blind eye to the activities of their merchants. That time is over. A handful of Federal Trade Commission cases where processors and ISOs have been held liable for the bad acts of their merchant clients has forever changed the liability of processors and ISOs and prevents them from benefiting from the ignorance of the goings-on of their merchants.

This principle has migrated into AML as acquirers and the banks serving payfacs impose real AML screening and monitoring obligations on entities that had not previously had them. If a merchant is boarded without being screened and monitored pursuant to an AML program, someone is not doing their job.

AML tools

Wait, is there an app for that? The automation of certain key AML functions, such as screening merchant owners against SDN lists and certain aspects of transaction monitoring, is now the norm. A number of third parties supply screening and monitoring services that are superior to any manual effort. As merchants or their activities are flagged, however, human intervention is often required to make decisions about the activity in question.

AML training

Any individual involved in managing AML risk deserves (and indeed requires) suitable training for the task. Just like training a sales agent on selling merchant services, the process of screening and monitoring merchant activity requires unique skills that need to be learned.

AML training is readily available from a number of sources. The leading AML accreditation is the ACAMS certification (www.acams.org). Given that all payments professionals deserve professional enrichment, training in AML is a good idea even if you are not managing that task within a business.

The amount of training recommended is commensurate with the degree of responsibility a person has.

Privacy and security

Fun fact: It is illegal to inform the subject of a SAR that a SAR has been filed on them. This, and the fact that merchant and transaction monitoring often involves non-public personal information, means that the AML function must be done with caution and with extreme prudence regarding privacy and security.

An AML program is not a public document. It is an internal and confidential document that should not be shared outside of the payments institution. One reason for this is that you would not want to give bad actors a recipe for circumventing AML controls.

ISOs are on the team that fights financial crime. Basic investment in policies, tools and training in support of that fight is good for security and good for business because bad apples can cause processors and their ISOs a lot of harm. end of article

In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, attorney at law via email at atlas@adamatlas.com or by phone at 514-842-0886.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next

Current Issue

View Archives
View Flipbook

Table of Contents

Company Profile
New Products
A Thing