1.4.3.2 The Role of Financial Institutions in Monitoring Payment Processors

While many legitimate merchants use payment processors to manage their payments, putting a third party in between the merchant and the bank that processes the payment can obscure the identity of the merchant or hide any red flags. For that reason, bank regulators have issued guidances about special obligations particular to financial institutions that have payment processor customers.36

When the bank’s customer is a payment processor, the bank must not only conduct due diligence on its own customer; the bank must also know its customer’s customers in order to avoid complicity in fraudulent or other unlawful conduct by those customers. For example, if a bank’s customer is a payment processor, the bank must also be aware of the parties for whom the payments are ultimately being processed, especially if the end user is in a business (like a payday lending company) that is illegal in some states or one that carries a high risk of illegality.

Payment processors themselves are not directly bound by bank regulator guidances governing payment processing activities. However, unless the financial institution itself conducts the due diligence on the processor’s customers, the financial institutions covered by the guidance must require the processor to provide information on the processor’s merchant clients and to verify that the originator of the payment is operating a legitimate business.37 The ODFI must “evaluate the third party’s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes, and controls to enable the bank to remain compliant with domestic and international laws and regulations.”38

Thus, the financial institution’s contract with the payment processor may require the processor to comply with bank regulator guidance or to perform key duties required by such guidance.39

The most basic responsibility of financial institutions and payment processors is monitoring the rates at which payments are “returned” (that is, challenged as unauthorized, bounced due to insufficient funds or incorrect account numbers, or other types of returns). Monitoring of return rates is a well-established component of risk management practices.40

However, monitoring return rates alone does not prevent unlawful practices. Some unscrupulous players are adept at manipulating how they submit payments in order to avoid excessive returns in any one place.41 Some payment processors specialize in processing high-risk payments, seeking out customers who have been rejected by other payment services and who have a greater likelihood of engaging in fraudulent activity. Merchants that pose a high risk of unlawful conduct require especially strict due diligence under regulator guidance and industry policies.

Thus, the Financial Crimes Enforcement Network (FinCEN)42 has issued an advisory for financial institutions that lists some potential red flags for illicit activity by payment processors, including accounts at more than one institution, changing institutions within a short period of time, and consolidation accounts that can conceal high chargeback rates.43 In particular, when a payment processor processes payments for an entity that is itself a payment processor (“nesting”) or an aggregator of payments from other merchants (“factoring”), those arrangements can conceal the origin of the payment or obscure return rates.44

The FDIC has issued a series of guidances,45 and subsequent clarifications and revisions,46 describing potential risks and corresponding financial institution duties vis-à-vis relationships with third-party entities that process payments for telemarketers, online businesses, and other merchants. Financial institutions “need to assure themselves that they are not facilitating fraudulent or other illegal activity,” and institutions must be aware of the risks of payment processing for higher-risk activities.47 Financial institutions that provide payment processing services for customers engaged in higher-risk activities must “conduct due diligence sufficient to ascertain that the merchants are operating in accordance with applicable law.”48

Previously, FDIC guidance contained a list of high-risk industries, including online payday lenders, online payment processors, certain credit-repair services, certain mail order and telephone order (MOTO) companies, illegal online gambling operations, businesses located offshore, and adult entertainment businesses. However, the FDIC was forced to revise its guidance and to eliminate the list after complaints that the list was leading banks to terminate relationships with lawful businesses.49 Under its revised guidance, institutions that properly manage higher-risk activities are neither prohibited nor discouraged from providing payment processing services to customers operating in compliance with applicable law.50

Although the FDIC’s guidance no longer identifies specific industries that pose high risks of unlawful transactions, the rules and practices of private industry participants still may.51

The FDIC requires financial institutions to be alert to consumer complaints or unusual rates of returned or challenged payments that suggest the inappropriate use of personal account information and possible deception or unfair treatment of consumers. The FDIC has warned that higher rates of payments returned as unauthorized or for insufficient funds, or returns for other reasons, may indicate fraudulent activity.

Moreover, in a letter to a congressman, the FDIC stated:

When a bank has a customer relationship with a company whose business line is prohibited or restricted in at least some states, the bank must take reasonable measures to ensure that the company is operating only where the activity is legally permitted. To the extent the activity is permitted but restricted, the bank should take reasonable steps to ensure that the company is complying with applicable law.52

Financial institutions should act promptly when fraudulent or improper activities occur relating to a payment processor, including possibly terminating the relationship.53

The OCC has also issued guidance to national banks for due diligence, underwriting, and monitoring of entities that process payments for telemarketers and other merchant clients, noting that certain merchants, such as telemarketers, pose a higher risk than other merchants and require additional due diligence and close monitoring.54

NACHA has similar rules for ODFIs that originate automated clearinghouse payments.55

Financial institutions that ignore their Bank Secrecy Act, know-your-customer, and due diligence obligations or that overlook warning signs of fraud may be found complicit in helping to process fraudulent payments.56 Cases discussing the obligations and liability of financial institutions in connection with payment processors are discussed in the context of their role in remotely created checks and payment orders,57 ACH payments,58 card payments,59 and other payment systems.

Footnotes

  • 36 {35} See, e.g., Fed. Deposit Ins. Corp., Payment Processor Relationships, FIL-3-2012 (Jan. 31, 2012, revised July 2014), available at www.fdic.gov; Office of the Comptroller of the Currency, OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance (Oct. 30, 2013), supplemented by Supplemental Examination Procedures for Risk Management of Third-Party Relationships, OCC Bulletin 2017-7 (Jan. 24, 2017) and Frequently Asked Questions, OCC Bulletin 2017-21 (June 7, 2017), available at www.occ.gov; Financial Crimes Enforcement Network (FinCEN), FIN-2012-A010, Risk Associated with Third-Party Payment Processors (Oct. 22, 2012), available at www.fincen.gov (listing red flags for illicit use of payment processors).

  • 37 {36} See, e.g., Fed. Deposit Ins. Corp., Payment Processor Relationships, FIL-3-2012 (Jan. 31, 2012, revised July 2014), available at www.fdic.gov.

  • 38 {37} Office of the Comptroller of the Currency, OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance (Oct. 30, 2013), available at www.occ.gov. See also Office of the Comptroller of the Currency, OCC Bulletin 2008-12, Payment Processors: Risk Management Guidance (Apr. 24, 2008), available at www.occ.gov (not superseded by OCC Bulletin 2013-29 and applicable to federal savings associations as of October 30, 2008).

  • 39 {38} Office of the Comptroller of the Currency, Third-Party Relationships: Risk Management Guidance, OCC Bulletin 2013-29 (Oct. 30, 2013), supplemented by Supplemental Examination Procedures for Risk Management of Third-Party Relationships, OCC Bulletin 2017-7 (Jan. 24, 2017) and Frequently Asked Questions, OCC Bulletin 2017-21 (June 7, 2017), available at www.occ.gov (identifying particular practices banks should have in place to monitor and manage third-party relationships). See also Office of the Comptroller of the Currency, OCC Bulletin 2008-12, Payment Processors: Risk Management Guidance (Apr. 24, 2008), available at www.occ.gov (not superseded by OCC Bulletin 2013-29 and applicable to federal savings associations as of October 30, 2008).

  • 40 {39} See FTC, Telemarketing Sales Rule, 80 Fed. Reg. 77,520, 77,521–77,523, 77,533–77,535 (Dec. 14, 2015) (describing system protections applicable to electronic debit and credit card transactions and absence of those protections to remotely created checks and remotely created payment orders); Complaint for Civil Penalties, Permanent Injunction and Other Equitable Relief, No. CV 15-00394, at 16, U.S. v. Plaza Bank (C.D. Cal. Mar. 12, 2015) (alleging return rates over 50%); Complaint for Civil Penalties, Permanent Injunction and Other Equitable Relief, No. CV 15-00379, at 14–15, U.S. v. CommerceWest Bank (C.D. Cal. Mar. 10, 2015); Fed. Deposit Ins. Corp., No. FIL-3-2012, Payment Processor Relationships (Jan. 31, 2012, revised July 2014); Complaint for Injunctive Relief and Civil Money Penalties, No. 5:14-cv-00014-BO, United States v. Four Oaks Fincorp, Inc. et al. (E.D.N.C. Jan. 8, 2014), available at www.nclc.org/unreported. See also Reyes v. NetDeposit, L.L.C. et al., 802 F.3d 469 (3rd Cir. 2015) (finding evidence that bank was aware of scammers’ shocking return rates may be sufficient to support class certification of RICO claim; noting that NACHA publishes return rates).

    The Reyes case settled in 2016. See Evan Weinberger, Zions Shells Out $37M to End Pa. Telemarketer Lawsuit, www.Law360.com (July 5, 2016), available at www.law360.com.

  • 41 {40} FinCEN Advisory, FIN-2012-A010, Risk Associated with Third-Party Payment Processors (Oct. 22, 2012), available at www.fincen.gov.

  • 42 {41} “The mission of the Financial Crimes Enforcement Network is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.” See Fin. Crimes Enforcement Network, Mission, available at www.fincen.gov.

  • 43 {42} See Fin. Crimes Enforcement Network, FIN-2012-A010, Risk Associated with Third-Party Payment Processors (Oct. 22, 2012), available at www.fincen.gov.

  • 44 {43} See Fed. Deposit Ins. Corp., Michael Benardo et al., Managing Risks in Third-Party Payment Processor Relationships, Supervisory Insights 8–9 (Summer 2011), available at www.fdic.gov (“[F]inancial institutions and examiners should be alert for payment processors that use more than one financial institution to process merchant client payments, or nested arrangements where a payment processor’s merchant client is also doing third-party payment processing. Spreading the activity among several institutions may allow processors that engage in inappropriate activity to avoid detection. For example, a single institution may not detect high levels of returned items if they are spread among several financial institutions. Payment processors also may use multiple financial institutions in case one or more of the relationships is terminated as a result of suspicious activity.”).

    NACHA rules that require ODFIs to monitor return rates and to ensure that those rates are below specified levels are discussed in § 5.3, infra.

  • 45 {44} Fed. Deposit Ins. Corp., FIL-3-2012, Payment Processor Relationships (Jan. 31, 2012, revised July 2014); Fed. Deposit Ins. Corp., FIL-127-2008, Guidance on Payment Processor Relationships (Nov. 7, 2008, revised July 2014), available at www.fdic.gov.

  • 46 {45} The original payment processor guidances contained a footnote with a list of merchant categories, such as online payday lenders, who posed high risks of unlawful activity. The FDIC later amended the guidance to remove that footnote in response to concerns that the footnote had been misunderstood as setting forth a policy that banks should not have relationships with even lawful businesses in those categories. Fed. Deposit Ins. Corp., FIL-41-2014, FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors (July 28, 2014), available at www.fdic.gov.

    The FDIC also clarified that financial institutions properly managing the risks are neither encouraged nor discouraged from serving high-risk customers. Fed. Deposit Ins. Corp., FIL-43-2013, FDIC Supervisory Approach to Payment Processing Relationships with Merchant Customers That Engage in Higher-Risk Activities (Sept. 27, 2013, revised July 2014).

  • 47 {46} Fed. Deposit Ins. Corp., FIL-43-2013, FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities (Revised July 2014) (Sept. 27, 2013, revised July 2014), available at www.fdic.gov.

  • 48 {47} Id.

  • 49 {48} Fed. Deposit Ins. Corp., FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors, FIL-41-2014 (July 28, 2014), available at www.fdic.gov; Fed. Deposit Ins. Corp., FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities (Revised July 2014), FIL-43-2013 (Sept. 27, 2013, revised July 2014), available at www.fdic.gov.

  • 50 {49} Fed. Deposit Ins. Corp., FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors, FIL-41-2014 (July 28, 2014), available at www.fdic.gov.

  • 51 {50} See § 1.4.3.3, infra.

  • 52 {51} Letter from FDIC Chairman Martin J. Gruenberg to Rep. Blaine Luetkemeyer (Sept. 17, 2013).

  • 53 {52} Fed. Deposit Ins. Corp., FIL-3-2012, Payment Processor Relationships (Jan. 31, 2012, revised July 2014).

  • 54 {53} See OCC Bulletin 2008-12, Payment Processors—Risk Management Guidance (Apr. 24, 2008), available at www.occ.gov. See also Press Release, Office of the Comptroller of the Currency, Merchant Processing—Revised Comptroller’s Handbook Booklet (Aug. 20, 2014), available at www.occ.gov (including link to booklet that provides updated guidance on: the selection of third-party organizations and due diligence; technology service providers; on-site inspections, audits, and attestation engagement; data security standards in payment card industry for merchants and processors; member alert to control high-risk merchants (MATCH) list; Bank Secrecy Act/Anti-Money Laundering compliance programs and appropriate policies, procedures, and processes to monitor and identify unusual activity; and, appropriate capital for merchant processing activities).

    Like the FDIC, the OCC clarified that it does not direct banks to open, close, or maintain individual accounts, nor does the agency encourage banks to engage in the termination of entire categories of customers without regard to the risks presented by an individual customer or the bank’s ability to manage the risk. Office of the Comptroller of the Currency, OCC Bulletin 2014-58, Banking Money Services Businesses—Statement on Risk Management (Nov. 19, 2014), available at www.occ.gov.

  • 55 {54} See § 5.3.1.3.2, infra.

  • 56 {55} See, e.g., Reyes v. Zions Nat’l Bank, 2012 WL 947139 (E.D. Pa. Mar. 21, 2012) (denying motion to dismiss RICO claims against bank with affiliate payment processor but granting motion of other banks).

  • 57 {56} See § 3.13.3, infra.

  • 58 {57} See §§ 5.3.1.3.2–5..3.1.3, infra.

  • 59 {58} See § 5.3.1.3.4, infra.