Bank Secrecy Act
Third-Party Payment Processors—Overview
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with its relationships with third-party payment processors, and management’s ability to implement effective monitoring and reporting systems.
Nonbank or third-party payment processors (processors) are bank customers that provide payment-processing services to merchants and other business entities. Traditionally, processors contracted primarily with retailers that had physical locations in order to process the retailers’ transactions. These merchant transactions primarily included credit card payments but also covered automated clearing house (ACH) transactions, remotely created checks (RCC), and debit and prepaid card transactions. With the expansion of the Internet, retail borders have been eliminated. Processors now provide services to a variety of merchant accounts, including conventional retail and Internet-based establishments, prepaid travel, telemarketers, and Internet gaming enterprises.
Third-party payment processors often use their commercial bank accounts to conduct payment processing for their merchant clients. For example, the processor may deposit into its account RCCs generated on behalf of a merchant client, or act as a third-party sender of ACH transactions. In either case, the bank does not have a direct relationship with the merchant. The increased use by processor customers, particularly telemarketers, of RCCs also raises the risk of fraudulent payments being processed through the processor’s bank account. The Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency have issued guidance regarding the risks, including the BSA/AML risks, associated with banking third-party processors.
Processors generally are not subject to BSA/AML regulatory requirements. As a result, some processors may be vulnerable to money laundering, identity theft, fraud schemes, and illicit transactions or transactions prohibited by OFAC.
The bank’s BSA/AML risks when dealing with a processor account are similar to risks from other activities in which the bank’s customer conducts transactions through the bank on behalf of the customer’s clients. When the bank is unable to identify and understand the nature and source of the transactions processed through an account, the risks to the bank and the likelihood of suspicious activity can increase. If a bank has not implemented an adequate processor-approval program that goes beyond credit risk management, it could be vulnerable to processing illicit or OFAC-sanctioned transactions.
Banks with third-party payment processor customers should be aware of the heightened risk of unauthorized returns and use of services by higher-risk merchants. Some higher-risk merchants routinely use third parties to process their transactions because of the difficulty they have in establishing a direct bank relationship. These entities might include certain mail order and telephone order companies, telemarketing companies, illegal online gambling operations, online payday lenders, businesses that are located offshore, and adult entertainment businesses. Payment processors pose greater money laundering and fraud risk if they do not have an effective means of verifying their merchant clients’ identities and business practices. Risks are heightened when the processor does not perform adequate due diligence on the merchants for which it is originating payments.
Banks offering account services to processors should develop and maintain adequate policies, procedures, and processes to address risks related to these relationships. At a minimum, these policies should authenticate the processor’s business operations and assess their risk level. A bank may assess the risks associated with payment processors by considering the following:
- Implementing a policy that requires an initial background check of the processor (using, for example, the Federal Trade Commission Web site, Better Business Bureau, state incorporation departments, Internet searches, and other investigative processes) and of the processor’s underlying merchants, on a risk-adjusted basis in order to verify their creditworthiness and general business practices.
- Reviewing the processor’s promotional materials, including its Web site, to determine the target clientele. A bank may develop policies, procedures, and processes that restrict the types of entities for which it will allow processing services. These entities may include higher risk entities such as offshore companies, online gambling-related operations, telemarketers, and online payday lenders. These restrictions should be clearly communicated to the processor at account opening.
- Determining whether the processor re-sells its services to a third party who may be referred to as an "agent or provider of Independent Sales Organization (ISO) opportunities" or "gateway" arrangements.
- Reviewing the processor’s policies, procedures, and processes to determine the adequacy of its due diligence standards for new merchants.
- Requiring the processor to identify its major customers by providing information such as the merchant’s name, principal business activity, and geographic location.
- Verifying directly, or through the processor, that the merchant is operating a legitimate business by comparing the merchant’s identifying information against public record databases, and fraud and bank check databases.
- Reviewing corporate documentation including independent reporting services and, if applicable, documentation on principal owners.
- Visiting the processor’s business operations center.
Banks that provide account services to third-party payment processors should monitor their processor relationships for any significant changes in the processor’s business strategies that may affect their risk profile. Banks should periodically re-verify and update the processors’ profiles to ensure the risk assessment is appropriate.
In addition to adequate and effective account opening and due diligence procedures for processor accounts, management should monitor these relationships for unusual and suspicious activities. To effectively monitor these accounts, the bank should have an understanding of the following processor information:
- Merchant base.
- Merchant activities.
- Average dollar volume and number of transactions.
- "Swiping" versus "keying" volume for credit card transactions.
- Charge-back history, including rates of return for ACH debit transactions and RCCs.
- Consumer complaints that suggest a payment processor’s merchant clients are inappropriately obtaining personal account information and using it to create unauthorized RCCs or ACH debits.
With respect to account monitoring, a bank should thoroughly investigate high levels of returns and should not accept high levels of returns on the basis that the processor has provided collateral or other security to the bank. A bank should implement appropriate policies, procedures, and processes that address compliance and fraud risks. High levels of RCCs or ACH debits returned for insufficient funds or as unauthorized can be an indication of fraud or suspicious activity.