The Green Sheet Online Edition
January 12, 2015 • Issue 15:01:01
Coming to terms with escalating compliance requirements
AML. EMV. KYC. OFAC. PCI. The alphabet soup of laws and regulations banks face on a daily basis may carry the air of marketing catch phrases, but these rules have teeth. Indeed, compliance has become a costly proposition.
One estimate, widely discussed in the financial press in recent months, puts the cost of complying with anti-money laundering (AML) requirements, alone, at $10 billion a year over the next several years. A worldwide survey of banks by KPMG LLP revealed that the cost of complying with AML rules rose 53 percent between 2011 and 2014. "[A]nd it shows no signs of slowing down in the near future," the consultancy wrote in a discussion of its 2014 anti-money laundering survey.
Of course, the cost of not complying with AML and related dictates can be significantly greater, triggering financial and law enforcement audits, fines and, in some cases, forced business closures.
The international banking giant HSBC Holdings Plc had to fork over $1.9 billion in U.S. government fines in 2012 over suspicions the bank had been used to launder drug monies. And it's not just complying with federal government edicts that banks must contend with. Europay/MasterCard/Visa (EMV) implementation deadlines and PCI requirements have the weight of the card brands behind them.
"The card brands and acquirer banks are clearly pushing the underwriting risks down to the ISOs" and other sales partners, said Eric Thomson, co-founder of KYC SiteScan, a web-based information service that automates know your customer (KYC) due diligence reporting for payment services companies.
At the same time, banks are being pressured by regulators to ensure transactions sent through clearing and settlement networks are not tied to nefarious activities, whether or not the transactions were originated by or through them. "We have entered into an era in which electronic payments are no longer a commodity, but rather a privilege that businesses will have to earn and share in the compliance costs going forward," Thomson said.
The Office of the Comptroller of the Currency (OCC), the U.S. Treasury Department unit that supervises federally chartered banks, made this clear in August 2014 with a 90-page supplement to its examination handbook. The supplement is devoted to merchant processing – what it entails and what examiners should look for when reviewing a bank's merchant acquiring operations. It updates guidance the regulator first published in 2001.
The handbook is the primary reference document used during regular bank examinations – it details how examiners should assess the effectiveness of risk management policies, procedures and control systems. It also constitutes a set of marching orders for bank managers and board members.
The law firm Pepper Hamilton LLP, in an August 2014 client alert, said the fact that the OCC has updated examination procedures for merchant acquiring activities at this time "is an unmistakable signal that banks should dedicate serious attention and resources to this newest 'hot button' concern."
It continued: "While the affinity with everyday usage of credit by bank customers makes merchant processing a natural candidate as a profit center, the associated high volume of transactions obligates banks to enter the field cautiously and with robust systems to manage the heightened risks."
The OCC supplement sets forth different merchant acquiring relationships, associated risks, the need for formal underwriting policies, various legal obligations, security standards, and required controls.
"Merchant processing can be a safe and profitable business if bank management properly understands and controls the primary risks: strategic, credit and operational," the OCC wrote. "Failure to control these primary risks may result in loss exposures from other risks, such as compliance and reputation.
"The OCC expects the bank to have risk management systems commensurate with an activity's risks and complexity. Management experience, staffing, systems and reporting must be sufficient to enable the bank to monitor merchants and their activities knowledgeably and effectively." In other words: KYC.
KPMG said its survey indicates KYC is a major area of concern for banks, with 70 percent of those queried last year reporting they recently had been visited by examiners who focused on KYC protocols and procedures. Additionally, 60 percent said transaction monitoring systems represented one of the largest AML investments. KYC reviews, updates and maintenance represented the second largest investment in AML compliance for 59 percent of banks, KPMG reported.
Getting to know you
"Identity verification is fundamental to the KYC process, especially when underwriting a merchant account or verifying international customers' identities, foreign nationals and underbanked consumers," said Daniel Mattes, CEO of Palo Alto, Calif.-based Jumio. The company offers an app that turns a smartphone into a device capable of scanning licenses and other types of credentials.
But KYC is about more than just verifying customers at account opening. "Financial institutions should be doing this on an ongoing basis," said John Leekley, founder and CEO of RemoteDepositCapture.com. "Not doing so can increase risks. After all, people and corporations do change over time."
For example, the federal Office of Foreign Assets Control maintains and regularly updates a list of foreign countries where U.S. firms are not permitted to do business, such as Iran. "Knowing where a [mobile] transaction originated will help enhance [OFAC] compliance as well as prevent fraud," Leekley said. That's why many mobile remote deposit solutions support location awareness functionality, he added.
Indeed, the proliferation of mobile and e-commerce transactions significantly increases credit risks posed by otherwise low-risk merchants by introducing delayed deliveries into their sales processes. Consequently, even acquirers and ISOs focused on card-present transactions are potentially exposed to more risks.
While controls like these are not unusual, Thomson suggested that many banks have been lax about ongoing monitoring of merchants. "Most processors will acknowledge that they perform underwriting for new applicants, but generally don't vet these merchants for years," he said.
The OCC's examination standards specifically address the need for controls and ongoing monitoring of merchant acquiring activities.
"By implementing effective and appropriate controls over processors and their merchant clients, a bank should be able to identify those processors that process fraudulent transactions for merchants to ensure that the bank is not facilitating these transactions," it stated. "In the event that a bank identifies a fraudulent or other improper activity with a processor or specific merchant, the bank should take immediate steps to address the problem, including filing a Suspicious Activity Report (SAR) when appropriate, terminating the bank's relationship with the processor, or requiring the processor to cease processing for that specific merchant."
Benefiting from knowing
Keeping close tabs on customer and processor activities is more than just a good strategy for staying compliant with regulators and the card brands. It's good business. "[W]hile you may initiate a KYC program because you have to, that doesn't mean you can't use KYC to make money, lower costs, or in short perform better as a bank," the consulting and outsourcing firm Capgemini stated in a recent tome, Know Your Customer, Understand Your Business.
The best way to accomplish this is through automation, Capgemini said. "Given the volume and variety of customer data typically maintained across an enterprise's IT systems, automating customer identification and data integration across these systems is the only long-term option."
Thomson agrees. "Compliance has become a major cost," he said. "Ongoing portfolio scans provide a means for rationale and means for implementing compliance fees." To assist clients in making the most of this opportunity, KYC SiteScan offers an ongoing service, Portfolio Scan, which Thomson said has been shown to help clients retain and upsell more merchants.
"We are able to give clients 35 different dimensions to segment their existing clients for direct sales referral based upon known high-value criteria demographics and contact officer details," Thomson said. For example, using the SIC number an ISO can filter candidates (e.g., medical offices or restaurants) for specific offerings. "We can further filter out firms that won't pass underwriting reviews, or can't qualify for specific offerings" (e.g., cash advances).
Additional enhancements are also in the works. "We will be benchmarking this new data analytics tool [Portfolio Scan] against a client's current cost of upselling and reduced attrition on high-value clients," Thomson noted. It's a move he said "could quickly convert the risk/compliance department into a profit center."
KYC SiteScan is not the only company that has developed compliance automation tools for banks and ISOs. Most are focused on PCI compliance, however, Thomson noted. KYC SiteScan goes further, offering detailed analysis of reputation risks, business license and principal authentication, street view address verification and deep website scans within minutes of entering a query. Despite the depth of reporting, KYC SiteScan is relatively inexpensive to use.
"The highest price we charge for the most extensive SiteScan is $8.95," he said. Noting that the average cost to board a new merchant is about $75, Thomson asserted "our scans can quickly screen out 10 to 30 percent of applicants and save the write off of that sunk cost."
Although KYC SiteScan appears to be alone in the extent to which it can automate compliance routines for banks and others in the acquiring stream, it's a good bet others will follow as the burden of compliance continues to grow for merchant acquiring organizations.
No mad rush by merchants to PCI 3.0
It's 2015, and a new day in Payment Card Industry (PCI) Data Security Standard (DSS) compliance. Are your merchants ready? If your answer is no, or if you aren't sure, you are not alone. When NTT Com Security, an information security and risk management company, surveyed merchants in April 2014, it found that 41 percent of organizations had heard something about the changes, but only 30 percent had created a plan for the new compliance requirements.
Even more telling of the general lack of readiness: 70 percent of those polled were unaware of the deadline for compliance with PCI 3.0.
More recently, Proficio, a managed security services company, polled security experts at retail, financial services, healthcare and government entities. It found that just 43 percent are prepared for PCI 3.0. Thirty-four percent said they were not prepared; 23 percent weren't sure if their organizations were ready.
The PCI Security Standards Council unveiled PCI 3.0 in January 2014, and gave organizations 12 months to get on board with the changes. The update aims to take PCI compliance beyond simple security standards that focus on perimeter firewalls and preventing outside access to merchants' servers. The proliferation of mobile and other remote-access devices has rendered firewalls less effective, the PCI Council noted when it introduced PCI 3.0.
The newly updated rules focus on securing data as well as the servers where data resides. PCI 3.0 includes improved password protocols, more specific firewall requirements and hands-on attention to hardware. In a major change, the standards make it clear that merchants cannot shirk direct responsibility for security by outsourcing PCI requirements to a third party. It's not that they can't outsource aspects of their PCI compliance workload, but everything (duties and responsibilities) must be clearly documented and adhered to.
"PCI 3.0 increases the demands on organizations to improve payment card data security and further emphasizes the need for continuous security monitoring," said Brad Taylor, Chief Executive Officer of Proficio Inc.
The changes require businesses to document and diagram how cardholder data flows within and outside of payment networks; conduct systems audits for both in-house and vendor systems; and provide documented guidance to end users on protecting authentication credentials.
All of the businesses surveyed by NTT expressed concerns about PCI compliance: 53 percent admitted they did not fully understand the requirements update contained in PCI 3.0. Other problems included educating employees, budgeting for compliance and resource allocation.
Who shoulders the most blame for data breaches?
Meanwhile, retailers are taking umbrage with financial institutions pointing the finger of blame at them for the latest rash of card security breaches.
In a letter dated Dec. 29, 2014, executives from seven retail trade associations blasted the Independent Community Bankers Association of America (ICBA) for recent claims of huge bank losses resulting from card data breaches involving retailers. In December 2014, the ICBA issued a press release stating that community banks were forced to reissue 7.5 million credit and debit cards at a total cost that exceeded $90 million in the wake of The Home Depot Inc. data breach in 2014. And the group directed blame at retailers.
"Community banks continue to absorb exorbitant costs due to data breaches, and they do so upfront because their primary concern is to protect their customers," said John Buhrmaster, Chairman of the ICBA, and President and CEO of the First National Bank of Scotia in upstate New York. "For this reason, we continue to advocate that the costs associated with data breaches be borne by the party that experiences the breach. Communities and customers should not suffer for the faults of retailers."
Hold on, came the reply from retailers; this is a multiparty problem. "At the outset, it is important to acknowledge that the cyber-criminals who perpetrate these attacks do not exclusively target retailers. Financial institutions – including your member community banks – face the same or greater levels of risk," the retailer groups wrote. Key executives of the Retail Industry Leaders Association, National Retail Federation, National Grocers Association, National Association of Convenience Stores, Food Marketing Institute, National Restaurant Association and the Merchant Advisory Group were all signatories to the letter.
The retailers also argued that data breaches involving merchants are far less prevalent than bank breaches. The letter cited findings reported in the 2014 Verizon Data Breach Investigations Report, which analyzed 1,367 breaches detected in 2013: 465 involved financial institutions; those involving retailers totaled fewer than 150.
Further increasing costs are the fines imposed by the card brands, litigation and lost business. (Target Brands Inc., for example, saw net income fall by more than 40 percent during the fiscal quarter following news of the massive data breach it suffered in 2013, according to its earnings statements.)
The retailers also reiterated their support for chip and PIN technology. "The sooner this migration is begun in earnest, the better," they wrote. "While no technology will work to prevent all cyber-attacks, anytime, anywhere, it is worth noting that stronger security might have resulted in fewer cards being compromised in recent breaches, and therefore fewer reissuances by banks."