Bank Secrecy Act
Third-Party Payment Processors
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with its relationships with third-party payment processors, and management’s ability to implement effective monitoring and reporting systems.
1. Review the policies, procedures, and processes related to third-party payment processors (processors). Evaluate the adequacy of the policies, procedures, and processes given the bank’s processor activities and the risks they present. Assess whether the controls are adequate to reasonably protect the bank from money laundering and terrorist financing.
2. From a review of MIS and internal risk rating factors, determine whether the bank effectively identifies and monitors processor relationships, particularly those that pose a higher risk for money laundering.
3. Determine whether the bank’s system for monitoring processor accounts for suspicious activities, and for reporting suspicious activities, is adequate given the bank’s size, complexity, location, and types of customer relationships.
4. If appropriate, refer to the core examination procedures, “Office of Foreign Assets Control,” pages 157 to 159, for guidance.
5. On the basis of the bank’s risk assessment of its processor activities, as well as prior examination and audit reports, select a sample of higher-risk processor accounts. From the sample selected:
- Review account opening documentation and ongoing due diligence information.
- Review account statements and, as necessary, specific transaction details to determine how expected transactions compare with actual activity.
- Determine whether actual activity is consistent with the nature of the processor’s stated activity.
- Assess the controls concerning identification of high rates of unauthorized returns and the process in place to address compliance and fraud risks.
- Identify any unusual or suspicious activity.
6. On the basis of examination procedures completed, including transaction testing, form a conclusion about the adequacy of policies, procedures, and processes associated with processor accounts.