By: Dan Frechtling, SVP of Marketing and Chief Product Officer
When you say Third-Party Payment Processor (TPPP) or Know Your Customer (KYC) supervision, most US banks think first of prudential regulators. In particular, the Office of the Comptroller of the Currency (OCC) oversees nationally chartered banks and the Federal Deposit Insurance Corporation (FDIC) oversees state-chartered banks.
But the Conference of State Bank Supervisors (CSBS) is an important source of regulation and policy for the 50 states, DC and three US territories it represents. It offers useful guidance on managing risks of TPPPs. The CSBS outlines specific risk exposures, namely fraud, BSA/AML, consumer protection and reputation.
1. Regarding fraud risk, the CSBS observes increasing instances of merchant fraud coming from processor relationships. This includes unauthorized transactions with stolen account numbers and illegal repeat debit entries by merchants. Specifically, “the risk of fraud arises when an illicit telemarketer or online merchant obtains the consumer’s account information through coercion or deception and initiates an ACH debit transfer that may not be fully understood or authorized by the customer.”
2. On BSA/AML and compliance risk, the CSBS says:
Certain practices expose banks to risk, such as “ODFIs and RDFIs relying on each other to perform adequate due diligence on their customers” without clear accountability and “batch processing that obscures the identities of originators,” including unknown or nested TPPPs or originators.
3. Consumer protection and liability risk comprises, “high-risk or illegal merchants [that] may attempt to process transactions through a processor. These transactions may be considered unfair or deceptive, as defined by the Federal Trade Commission Act.” Further, “if processing an illegal transaction results in harm to a consumer, the institution may be required to pay restitution and/or civil money penalties.”
4. Finally, there is reputational risk. Especially for community banks, “news of a large loss sustained from a failed processor relationship may impact the community’s perception of the safety and soundness of an institution.”
In their Examination Workplan (what state bank supervisors are urged to detect), the CSBS offers a checklist. Auditors are asked if their financial institutions:
- Require adequate due diligence standards before taking on a TPPP customer, such as required background checks
- Identify the major lines of business for the processor’s customer(s)
- Control for the possibility that a processor resells its services to a third party that may act as agent
- Require payment processors to provide updated information on their merchant clients, such as names, principal business, location, and sales patterns, and the legality of their business operations?
- Verify the processor through public record databases and has the institution checked for state or federal regulatory actions or criminal actions against the merchant customers?
- Apply increased, yet appropriate, due diligence requirements for higher-risk customers who originate or receive international ACH?
- Employ appropriate methods to track, review, and investigate consumer complaints or unauthorized returns regarding possible fraudulent or duplicate ACH transactions, including international ACH transactions?
- Demonstrate that the TPPP has an effective means of verifying merchant clients’ identities and business practices, including the verification of an entity’s OFAC status?
Despite the focus on the risk aspects of TPPP relationships, the CSBS cites many positive aspects of TPPPs. Banks can earn attractive fee income by entering into depository relationship with TPPPs and facilitating TPPP transactions. Business customers benefit from using TPPPs because of the convenience they offer by aggregating batches of ACH transactions.
G2 clients grow their TPPP businesses and keep their risks in check. See how they do it here.