FDIC SunFirst action a reminder of third-party processor risk to banks (Complinet)
By Brett Wolf, Complinet
An enforcement action brought by the Federal Deposit Insurance Corporation against SunFirst Bank, of Utah, has provided a stark reminder of the legal and regulatory obligations that firms face when dealing with third-party payment processors. Third-party payment processors, sometimes known as TPPPs, are bank customers who use their accounts to process payments for merchant clients. They are a growing concern for banks, in no small part because they have of late attracted the attention of regulators and the U.S. Department of Justice.
“Third-party payment processors have clearly become a major concern for the bank regulators over the last several years. Any bank considering a TPPP as a possible customer should approach the relationship with its eyes wide open and realize that if it doesn’t have a good grasp of its third-party payment processor customer, it may be exposed to substantial risk,” Carol Van Cleef, a partner with the Washington, DC law firm Patton Boggs LLP, told Complinet.
The FDIC in late December announced it had issued a consent order to SunFirst over failures to comply with the Bank Secrecy Act, which governs financial institutions’ anti-money laundering obligations. One of the bank’s primary failures revolved around its lax treatment of accounts belonging to third-party payment processors, the FDIC said.
A spokesman for the Electronic Transactions Association, a trade group whose membership includes several of the largest TPPPs, estimated that the annual payment processing conducted by non-bank processors ranged into “the many billions of dollars.” ETA members were well aware of the risks that their merchant customers could pose, both to themselves and to the banks, and the association’s members were prepared to do everything they could to offset the risks, he added.
TPPPs typically process payments by creating and depositing remotely created checks or by originating Automated Clearing House debits on behalf of their merchant customers. Traditionally, TPPPs have primarily served retailers with physical locations. With the growth of internet-based commerce, however, they are increasingly providing services to online businesses and telemarketers — firms that can pose substantially greater risks. The FDIC said in a 2008 guidance: “Payment processors pose greater money laundering and fraud risk if they do not have an effective means of verifying their merchant clients’ identities and business practices.”
The FDIC consent order against SunFirst, a small bank with a handful of branches, obliged it to ensure that all personnel whose work involves TPPP activities had sufficient training “on the risks of such activities and BSA/AML (Bank Secrecy Act/Anti-Money Laundering) training on the specialized risks of TPPP activity, fraud red flags, and appropriate customer due diligence maintenance and documentation”. It added that the bank had to develop a “formalized process” for reviewing TPPPs’ transactions to ensure that no related suspicious activity went unreported.
“The bank shall immediately cease providing third-party payment processing for Triple Seven LLC, Mastery Merchant LLC, Powder Monkeys LLC, Elite Debit and its associated accountholders, customers, and clients … or any other third-party payment processor, or their client entities unless the FDIC has provided written notice approving the activity,” the FDIC order mandated.
In December, the Federal Trade Commission filed a complaint against Elite Debit and a slew of other internet-based entities that allegedly made millions of dollars by luring consumers into “trial” memberships for bogus government-grant and money-making schemes. The entities then repeatedly charged those consumers monthly fees for these and other memberships to which they never signed up, the FTC said. This scheme caused hundreds of thousands of consumers to seek chargebacks — reversals of charges to their credit cards or debits to their bank accounts. The suspect firms relied on TPPPs, as well as dozens of shell companies, to keep their scheme afloat once they lost direct access to merchant accounts, the FTC charged.
Still, the FDIC’s requirement that SunFirst get permission before doing business with TPPPs appears moot, industry officials said. A source close to SunFirst, who is familiar with its regulatory woes and remedial action plan, and who spoke on condition of anonymity, told Complinet that the bank had no intention of serving third-party payment processors in the future and recommended that most other banks also steer clear. The source did add, however, that large banks which were “better adapted to analyzing [TPPP activity]” might be able to serve such customers safely.
SunFirst is not the first bank to be accused of failing to properly offset risks associated with TPPPs. In March 2010, Wachovia Bank reached a deferred prosecution agreement with the Justice Department in which it agreed to forfeit $110 million for “willfully” failing to establish an adequate anti-money laundering program between May 2003 and June 2008. The Financial Crimes Enforcement Network and the Office of the Comptroller of the Currency also took action against Wachovia, with the latter issuing a $50m civil monetary penalty. Although the focus of all three actions was Wachovia’s alleged laundering of billions of dollars in drug money that cartels funneled through Mexican casas de cambio, the bank’s relationship with TPPPs was a significant element of all three actions.
According to court documents, Wachovia’s problematic account relationships involved TPPPs that served the telemarketing industry. These processors deposited hundreds of millions of dollars into Wachovia accounts on behalf of the telemarketers using remotely created checks, often drawn on accounts of Wachovia customers. Many of these checks — in some cases more than 40 percent — were returned as “unauthorized” and were linked to a massive telemarketing scam, according to prosecutors.
“Wachovia admitted that it failed to identify, detect, and report the suspicious transactions in the third-party payment processor accounts … due to deficiencies in its anti-money laundering program. Specifically, Wachovia failed to conduct appropriate customer due diligence by delegating most of this responsibility to business units instead of compliance personnel,” the Justice Department said.
According to Van Cleef, the Wachovia case appeared to play a major role in shaping regulatory guidance with regard to the kind of due diligence that must be conducted on TPPPs. That must-read information is outlined in the FFIEC BSA/AML Examination Manual.
Van Cleef said that it was important for banks to conduct sufficient due diligence on the TPPPs to understand the kinds of customers they were serving. She added that banks should closely scrutinize the transaction records of the TPPPs and look for red flags such as high rates of returned or rejected payments and customer complaints. Van Cleef also suggested that banks would be wise to ascertain whether the TPPPs or their customers had faced regulatory enforcement actions under federal or state law. Reviews of FTC actions and state attorney general records were good starting points, she said.
“Depending on the bank, and its risk tolerance, it may want to conduct more extensive due diligence on its TPPP customers, reviewing not only the TPPP’s own AML compliance program, but also the TPPP’s customer due diligence files and its analysis of transactional records,” Van Cleef said.
In some cases the bank might want to conduct its own testing of the TPPP’s customers’ transactions, she added. Van Cleef conceded that such enhanced due diligence could be costly but that it was important. “If providing banking services to TPPPs is deemed to be a profitable enough business, the bank will likely decide to put the necessary resources behind its due diligence efforts,” she said.
Brett Wolf (Brett.Wolf@thomsonreuters.com) is a correspondent for Complinet. Complinet, part of Thomson Reuters, is a leading provider of connected risk and compliance information and on-line solutions to the global financial services community. Established in 1997, Complinet serves over 100,000 industry professionals in 80+ countries. Its connected approach provides one single place to get all the relevant regulatory news, analysis, rules and developments from the region to support firms in highly regulated industries.