FDIC Financial Institution Letters
Payment Processor Relationships
Revised Guidance FIL-3-2012
January 31, 2012 Printable Format:
FIL-3-2012 - PDF download

Visit FDIC web site

Revised Guidance on Payment Processor Relationships

The FDIC has recently seen an increase in the number of relationships between financial institutions and payment processors in which the payment processor, who is a deposit customer of the financial institution, uses its relationship to process payments for third-party merchant clients. Payment processors typically process payments either by creating and depositing remotely created checks (RCCs)—often referred to as “Demand Drafts”—or by originating Automated Clearing House (ACH) debits on behalf of their merchant customers. The payment processor may use its own deposit account to process such transactions, or it may establish deposit accounts for its merchant clients.

While payment processors generally effect legitimate payment transactions for reputable merchants, the risk profile of such entities can vary significantly depending on the make-up of their customer base. For example, payment processors that deal with telemarketing and online merchants¹ may have a higher risk profile because such entities have tended to display a higher incidence of consumer fraud or potentially illegal activities than some other businesses. Given this variability of risk, payment processors must have effective processes for verifying their merchant clients’ identities and reviewing their business practices. Payment processors that do not have such processes can pose elevated money laundering and fraud risk for financial institutions, as well as legal, reputational, and compliance risks if consumers are harmed.

Financial institutions should understand, verify, and monitor the activities and the entities related to the account relationship. Although all of the core elements of managing third-party risk should be considered in payment processor relationships (e.g., risk assessment, due diligence, and oversight), managing this risk poses an increased challenge for the financial institution when there may not be a direct customer relationship with the merchant. For example, it may be difficult to obtain necessary information from the payment processor, particularly if a merchant is also a payment processor, resulting in a “nested” payment processor or “aggregator” relationship.

Financial institutions should ensure that their contractual agreements with payment processors provide them with access to necessary information in a timely manner. These agreements should also protect financial institutions by providing for immediate account closure, contract termination, or similar action, as well as establishing adequate reserve requirements to cover anticipated charge backs. Accordingly, financial institutions should perform due diligence and account monitoring appropriate to the risk posed by the payment processor and its merchant base. Risks associated with this type of activity are further increased if neither the payment processor nor the financial institution performs adequate due diligence on the merchants for which payments are originated. Financial institutions are reminded that they cannot rely solely on due diligence performed by the payment processor. The FDIC expects a financial institution to adequately oversee all transactions and activities that it processes and to appropriately manage and mitigate operational risks, Bank Secrecy Act (BSA) compliance, fraud risks, and consumer protection risks, among others.

Potential Risks Arising from Payment Processor Relationships

Deposit relationships with payment processors expose financial institutions to risks not customarily present in relationships with other commercial customers. These include increased operational, strategic, credit, compliance, and transaction risks. In addition, financial institutions should consider the potential for legal, reputational, and other risks, including risks associated with a high or increasing number of customer complaints and returned items, and the potential for claims of unfair or deceptive practices. Financial institutions that fail to adequately manage these relationships may be viewed as facilitating a payment processor’s or merchant client’s fraudulent or unlawful activity and, thus, may be liable for such acts or practices. In such cases, the financial institution and responsible individuals have been subject to a variety of enforcement and other actions. Financial institutions must recognize and understand the businesses and customers with which they have relationships and the liability risk for facilitating or aiding and abetting consumer unfairness or deception under Section 5 of the Federal Trade Commission Act.²

Financial institutions should be alert for payment processors that use more than one financial institution to process merchant client payments or that have a history of moving from one financial institution to another within a short period. Processors may use multiple financial institutions because they recognize that one or more of the relationships may be terminated as a result of suspicious activity.

Financial institutions should also be on alert for payment processors that solicit business relationships with troubled financial institutions in need of capital. In such cases, payment processors will identify and establish relationships with troubled financial institutions because these financial institutions may be more willing to engage in higher-risk transactions in exchange for increased fee income. In some cases, payment processors have also committed to purchasing stock in certain troubled financial institutions or have guaranteed to place a large deposit with the financial institution, thereby providing additional, much-needed capital. Often, the targeted financial institutions are smaller, community banks that lack the infrastructure to properly manage or control a third-party payment processor relationship.

Financial institutions also should be alert to an increase in consumer complaints about payment processors and/or merchant clients or an increase in the amount of returns or charge backs, all of which may suggest that the originating merchant may be engaged in unfair or deceptive practices or may be inappropriately obtaining or using consumers’ personal account information to create unauthorized RCCs or ACH debits. Consumer complaints may be made to a variety of sources and not just directly to the financial institution. They may be sent to the payment processor or the underlying merchant, or directed to consumer advocacy groups or online complaint Web sites or blogs. Financial institutions should take reasonable steps to ensure they understand the type and level of complaints related to transactions that it processes. Financial institutions should also determine, to the extent possible, if there are any external investigations of or legal actions against a processor or its owners and operators during initial and ongoing due diligence of payment processors.

Financial institutions should act promptly to minimize possible consumer harm, particularly in cases involving potentially fraudulent or improper activities relating to activities of a payment processor or its merchant clients. Appropriate actions include filing a Suspicious Activity Report,³ requiring the payment processor to cease processing for a specific merchant, freezing certain deposit account balances to cover anticipated charge backs, and/or terminating the financial institution’s relationship with the payment processor.

Risk Mitigation

Financial institutions should delineate clear lines of responsibility for controlling risks associated with payment processor relationships. Controls may include enhanced due diligence; effective underwriting; and increased scrutiny and monitoring of high-risk accounts for an increase in unauthorized returns, charge backs, suspicious activity, and/or consumer complaints. Implementing appropriate controls for payment processors and their merchant clients can help identify payment processors that process items for fraudulent telemarketers, online scammers, or other unscrupulous merchants and help ensure that the financial institution is not facilitating these transactions. Appropriate oversight and monitoring of these accounts may require the involvement of multiple departments, including information technology, operations, BSA/anti-money laundering (AML), and compliance.

Due Diligence and Underwriting

Financial institutions should implement policies and procedures designed to reduce the likelihood of establishing or maintaining inappropriate relationships with payment processors used by unscrupulous merchants. Such policies and procedures should outline the bank’s thresholds for unauthorized returns, the possible actions that can be taken against payment processors that exceed these standards, and methods for periodically reporting such activities to the bank’s board of directors and senior management.

As part of such policies and procedures, financial institutions should develop a processor approval program that extends beyond credit risk management. This program should include a due diligence and underwriting policy that, among other things, requires a background check of the payment processor, its principal owners, and its merchant clients. This will help validate the activities, creditworthiness, and business practices of the payment processor, as well as identify potential problem merchants. Payment processors may also process transactions for other payment processors, resulting in nested payment processors or aggregator relationships. The financial institution should be aware of these activities and obtain data on the nested processor and its merchant clients. Nested processors and aggregator relationships pose additional challenges as they may be extremely difficult to monitor and control; therefore, risk to the institution is significantly elevated in these cases.

Controls and due diligence requirements should be robust for payment processors and their merchant clients. At a minimum, the policies and procedures should authenticate the processor’s business operations and assess the entity’s risk level. An assessment should include:

• Identifying the major lines of business and volume for the processor’s customers;

• Reviewing the processor’s policies, procedures, and processes to determine the adequacy of due diligence standards for new merchants;

• Reviewing corporate documentation, including independent reporting services and, if applicable, documentation on principal owners;

• Reviewing the processor’s promotional materials, including its Web site, to determine the target clientele;⁴

• Determining if the processor re-sells its services to a third party that may be referred to as an agent or provider of “Independent Sales Organization opportunities” or a “gateway arrangement”⁵ and whether due diligence procedures applied to those entities are sufficient;

• Visiting the processor’s business operations center;

• Reviewing appropriate databases to ensure that the processor and its principal owners and operators have not been subject to law enforcement actions; and,

• Determining whether any conflicts of interest exist between management and insiders of the financial institution.

Financial institutions should require that payment processors provide information on their merchant clients, such as the merchant’s name, principal business activity, location, and sales techniques. The same information should be obtained if the merchant uses sub-merchants (often called “affiliates”). Additionally, financial institutions should verify directly, or through the payment processor, that the originator of the payment (i.e., the merchant) is operating a legitimate business. Such verification could include comparing the identifying information with public record, fraud databases, and a trusted third party, such as a consumer reporting agency or consumer advocacy group, and/or checking references from other financial institutions. The financial institution should also obtain independent operational audits of the payment processor to assess the accuracy and reliability of the processor’s systems. The more the financial institution relies on the payment processor for due diligence and monitoring of its merchant client without direct financial institution involvement and verification, the more important it is to have an independent review to ensure that the processor’s controls are sufficient and that contractual agreements between the financial institution and the third-party payment processor are honored.

Ongoing Monitoring

Financial institutions that initiate transactions for payment processors should implement systems to monitor for higher rates of returns or charge backs and/or high levels of RCCs or ACH debits returned as unauthorized or due to insufficient funds, all of which often indicate fraudulent activity. This would include analyzing and monitoring the adequacy of any reserve balances or accounts established to continually cover charge-back activity.

Financial institutions are required to have a BSA/AML compliance program and appropriate policies, procedures, and processes for monitoring, detecting, and reporting suspicious activity. However, nonbank payment processors generally are not subject to BSA/AML regulatory requirements, and therefore some payment processors are more vulnerable to money laundering, identity theft, fraud schemes, and illicit transactions. The FFIEC BSA/AML Examination Manual urges financial institutions to effectively assess and manage risk associated with third-party payment processors. As a result, a financial institution’s risk mitigation program should include procedures for monitoring payment processor information, such as merchant data, transaction volume, and charge-back history.

Consumer complaints and/or high rates of return may be an indicator of unauthorized or illegal activity. As such, financial institutions should establish procedures for regularly surveying the sources of consumer complaints that may be lodged with the payment processor, its merchant clients or their affiliates, or on publicly available complaint Web sites and/or blogs. This will help the institutions identify processors and merchants that may pose greater risk.

Similarly, financial institutions should have a formalized process for periodically auditing their third-party payment processing relationships; including reviewing merchant client lists and confirming that the processor is fulfilling contractual obligations to verify the legitimacy of its merchant clients and their business practices.

Conclusion

The FDIC recognizes that financial institutions provide legitimate services for payment processors and their merchant clients. However, to limit potential risks, financial institutions should implement risk mitigation policies and procedures that include oversight and controls appropriate for the risk and transaction types of the payment processing activities. At a minimum, Board-approved policies and programs should assess the financial institution’s risk tolerance for this type of activity, verify the legitimacy of the payment processor’s business operations, determine the character of the payment processor’s ownership, and ensure ongoing monitoring of payment processor relationships for suspicious activity, among other things. Adequate routines and controls will include sufficient staffing with the appropriate background and experience for managing third-party payment processing relationships of the size and scope present at the institution, as well as strong oversight and monitoring by the board and senior management. Financial institutions should act promptly if they believe fraudulent or improper activities potentially resulting in consumer harm have occurred related to activities of a payment processor or its merchant clients, in accordance with their duties under BSA/AML policies and procedures, as well as under Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts and practices.

¹ Examples of telemarketing, online businesses, and other merchants that may have a higher incidence of consumer fraud or potentially illegal activities or may otherwise pose elevated risk include credit repair services, debt consolidation and forgiveness programs, online gambling-related operations, government grant or will-writing kits, payday or subprime loans, pornography, online tobacco or firearms sales, pharmaceutical sales, sweepstakes, and magazine subscriptions. This list is not all-inclusive.

² Under Section 8 of the Federal Deposit Insurance Act, the FDIC has authority to enforce the prohibitions against Unfair or Deceptive Acts or Practices (UDAP) in the Federal Trade Commission Act. UDAP violations can result in unsatisfactory Community Reinvestment Act ratings, compliance rating downgrades, restitution to consumers, and the pursuit of civil money penalties.

³ The U.S. Department of Treasury’s Regulation 31 (CFR 103.18) requires that every federally supervised banking organization file a SAR when the institution detects a known or suspected violation of federal law. Part 353 of the FDIC’s Rules and Regulations addresses SAR filing requirements and makes them applicable to all state-chartered financial institutions that are not members of the Federal Reserve System.

⁴ See footnote 1 for examples of potentially high-risk areas.

⁵ An Independent Sales Organization is an outside company contracted to procure new merchant relationships. Gateway arrangements are similar to Internet service providers that sell excess computer storage capacity to third parties, who in turn distribute computer services to other individuals unknown to the provider. The third party would make decisions about who would be receiving the service, although the provider would be responsible for the ultimate storage capacity.

View article on FDIC web site: FDIC Payment Processor Relationships Revised Guidance

On October 27, 2011, the IRS announced that backup withholding will be postponed for one year. Backup withholding will be applied to amounts paid after 12/31/2012.  The penalty relief will not, however, extend to entities that fail to file or make no effort to file 2011 Forms 1099-K as required.

Bottom line: If your IRS TIN does not match your merchant account information, then you could be subject to penalties.
“First Data continues to review State regulations related to Section 6050W backup withholding.    Based on our research to date, we currently believe that the backup withholding delay will apply to both Federal and State.    As a result, First Data is in the process of adjusting our project timelines to support backup withholding for missing / invalid TINs as of January 1, 2013. Although the delay impacts activation of backup withholding processes, development efforts continue for timely implementation.
We are in the process of researching IRS plans for the CP2100 process, expected for the Fall of 2012. Once we have additional details we will notify you.
The above announced changes do not impact our client’s responsibility to obtain valid Tax Filing Names and Tax Identification Numbers from their merchants as applicable. This information is required to ensure accurate filing of the form 1099-K reporting to the merchants and the IRS.”

Related article, Jan. 1, 2011 Deadline for credit processing reporting to IRS looms.

The IRS announced a penalty enforcement delay for merchants. Set to begin January 2012, merchants would have been subject to penalty of 30% withholding, with deductions automatically taken from their merchant account deposits.

PDF download: Official IRS noticeIRS bulletin n-11-89 regarding backup withholding 1099k for card payments

The Federal Reserve Board on Monday, October 17, 2011, announced the approval of a final rule to implement the resolution plan requirement in the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The final rule requires bank holding companies with assets of $50 billion or more and nonbank financial firms designated by the Financial Stability Oversight Council for supervision by the Board to annually submit resolution plans to the Board and the Federal Deposit Insurance Corporation.

Each plan will describe the company’s strategy for rapid and orderly resolution in bankruptcy during times of financial distress. A resolution plan must include a strategic analysis of the plan’s components, a description of the range of specific actions the company proposes to take in resolution, and a description of the company’s organizational structure, material entities, interconnections and interdependencies, and management information systems.

Under the final rule, companies will submit their initial resolution plans on a staggered basis. The first group of companies, generally those with $250 billion or more in non-bank assets, must submit their initial plans on or before July 1, 2012; the second group, generally those with $100 billion or more, but less than $250 billion, in total non-bank assets, must submit their initial plans on or before July 1, 2013; and the remaining companies, generally those subject to the rule with less than $100 billion in total non-bank assets, must submit their initial plans on or before December 31, 2013.

Which merchants will receive the new low debit fee rates? This video provides a detailed look at rate differences and how to examine your merchant agreement schedule A and statement. While all merchants qualify for them, only a fraction will actually have debit discounts passed down from their processor. Will you be one of them? Pull out your merchant statement, then watch the video so you can compare data.

On October 1, 2011, new debit interchange rates go into effect as a result of the Durbin Amendment, part of the Dodd-Frank Wall Street Reform Act.

There are multiple bills pending regarding data breach responsbilities and summaries are below. With PCI Compliance never achieving the goal of 100%, can we really expect any better with theses other issues. Government regulation is increasing due to the failure of businesses to self police and protect data they collect.

S. 1535: Personal Data Protection and Breach Accountability Act of 2011

6/7/2011–Introduced.
Personal Data Privacy and Security Act of 2011 – Amends the federal criminal code to: (1) make fraud in connection with the unauthorized access of personally identifiable information (in electronic or digital form) a predicate for racketeering charges, and (2) prohibit concealment of security breaches involving sensitive personally identifiable information. Sets penalties for attempts and conspiracies to commit fraud and related activity in connection with computers. Requires a data broker to: (1) disclose to an individual, upon request, personal electronic records pertaining to such individual maintained or accessed for disclosure to third parties; (2) disclose adverse actions by third parties against an individual; and (3) maintain procedures for correcting inaccuracies and incompleteness in such records. Defines a “data broker” as a business entity that collects, transmits, or provides access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity for purposes of providing such information to non-affiliated third parties on an interstate basis. Establishes standards for developing and implementing safeguards to protect the security of sensitive personally identifiable information. Imposes upon data brokers and business entities civil penalties for violations of such standards. Requires business entities to notify: (1) any individual whose information has been, or is reasonably believed to have been, accessed or acquired, (2) all nationwide consumer reporting agencies if an agency or entity is required to notify more than 5,000 such individuals, and (3) the United States Secret Service and the Federal Bureau of Investigation (FBI) if the number of individuals involved exceeds 10,000.
Authorizes the Attorney General and state attorneys general to bring civil actions against business entities for violations of this Act. Requires the Administrator of the General Services Administration (GSA), in considering contract awards totaling more than $500,000, to evaluate: (1) the data privacy and security program of a data broker, (2) program compliance, (3) the extent to which databases and systems have been compromised by security breaches, and (4) data broker responses to such breaches. Requires federal agency information security programs to include procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the agency information systems or operations involving personally identifiable information and for ensuring remedial action to address any significant deficiencies. Requires federal agencies to conduct a privacy impact assessment before purchasing personally identifiable information from a data broker.

7/22/2011–Introduced.
Data Breach Notification Act of 2011 - Requires any federal agency or business entity engaged in interstate commerce that uses, accesses, or collects sensitive personally identifiable information, following the discovery of a security breach, to notify: (1) any U.S. resident whose information may have been accessed or acquired, and (2) the owner or licensee of any such information that the agency or business does not own or license. Exempts: (1) agencies and business entities from notification requirements for national security and law enforcement purposes and for security breaches that a risk assessment concludes do not have a significant risk of resulting in harm if specified certification or notice is provided, subject to review by the Secret Service; and (2) business entities which utilize a security program that blocks the use of sensitive personally identifiable information and provide notice of a breach to affected individuals. Requires notifications regarding security breaches under specified circumstances to the Secret Service, the Federal Bureau of Investigation (FBI), the Postal Inspection Service, and state attorneys general. Authorizes the Attorney General to bring a civil action in U.S. district court against any business entity that violates this Act. Sets civil penalties for violations. Amends the Fair Credit Reporting Act to require agencies to include a fraud alert in the file of a consumer that submits evidence of compromised financial information to a consumer reporting agency. Authorizes: (1) civil actions by state attorneys general to enforce this Act, and (2) appropriations for costs incurred by the Secret Service to investigate and conduct risk assessments of security breaches.

You can follow these bills here:  Data Breach Protection US Congress (official list of bills and links)

Within the 700-page Housing and Economic Recovery Act of 2008 is an important new measure that requires “merchant acquiring entities” to report the gross amounts of their merchant customers’ payment card transactions to the IRS. A “merchant acquiring entity” is defined as the bank or other organization contractually obligated to make payment to merchants in settlement of payment card transactions. These new requirements apply to transactions beginning on January 1, 2011 (with required reporting and tax withholding to begin in 2012).

In order to identify under-reported sales, the IRS will collect information via third-party corroboration of the
amount of a merchant’s credit card, debit card, gift card (open loop only) and eCommerce (such as PayPal or Bill Me Later) transactions. The IRS also requires the reporting entity to collect and verify the tax identification number (TIN) and the information (legal name and address) associated with that number for its merchant customers. If a merchant fails to provide its TIN or if there is a discrepancy between the merchant’s TIN and the associated information in the reporting entity’s records and the IRS’ records, the reporting entity will be required to withhold 28 percent of the merchant‘s future payment card transactions until the issue is resolved.

This withholding provision goes into effect for transactions starting in 2012 (unlike the reporting provisions of the legislation which apply to transactions beginning on January 1, 2011).

Resulting Requirements for Reporting Entities and Merchants

- Reporting entities must collect and verify the TINs and associated legal names and addresses of their

merchant customers

- Beginning with the 2011 tax year, reporting entities are responsible for filing individual information returns (presumably a Form 1099) reporting the total annual dollar amount of payment card transactions for each of their merchant customers. In January 2012, reporting entities will file the information return with the IRS and distribute a corresponding statement for the 2011 tax year to each merchant.

- Beginning in 2012, reporting entities must withhold 28 percent of payment card transactions for any merchant whose TIN/name combination used by the reporting entity does not match the merchant’s information on file with the IRS.

Merchants

-  Merchants must ensure that their TIN/name combination on file with the IRS matches the information held by the reporting entity for their payment card transactions.

- When merchants receive copies of the information returns filed by their reporting entities each year, merchants should compare that information with their own records to validate the accuracy of the information.

EDITORS NOTE:  Institutions now usually require a W9 with any contractual paperwork for merchant services to ensure accuracy for IRS reporting requirements. The penalties are high for a mismatch and it is strongly recommended merchants review prior IRS filings for accuracy.

The Dodd-Frank Wall Street Reform and Consumer Protection Act, including the Durbin Amendment, set off a series of changes in the financial world, several with big impacts to businesses. This bulletin reduces hundreds of pages of regulations into a a two page overview. Included are critical excerpts from each regulation, advice, and real world solutions you can use to leverage legislation to your benefit. It answers the questions-  What do I need to know, and how can I use this to improve EBITDA and reduce risk?

This reference guide is targeted primarily towards the needs of businesses that match our current and future client base. Mid to large size retail and card not present business operations including manufacturers, distributers, non-profits, utilities, retailers, and non-grocery, non-fuel entities.

KEY TAKEAWAYS:
• Lower cost debit coming soon will create huge incentive for merchants to drive debit.
• Merchants may steer customers to lower cost payment methods by offering discounts and publicly stating their preference for payment types.
• Merchants may be held criminally liable for identity theft.
• Merchants need to make it easy for customers to opt-out of recurring billing.
• Merchants updating technology should consider the flexibility they’ll have for ongoing regulation changes.

Download PDF 3D Merchant Services Condensed Guide for Merchant Payments Related Legislative Updates 2010, 2011 and to 2012. An apology in advance, it was very difficult to fit and is best viewed on your screen.

Download secondary PDF about some of the solutions mentioned. 3D Merchant Payment Processing Technology to increase debit and other benefits.

Did you like this article? Share your friends.