FDIC Speaks Out on Payment Processing Services; Another Banking Product in Regulatory Disfavor
On September 27, 2013, the FDIC issued Financial Institution Letter FIL-43-2013, which is intended to clarify the FDIC’s policy and supervisory approach related to financial institutions that facilitate payment processing services—directly or through a third party—for merchant customers engaged in “higher-risk activities.”
The letter states that banks that perform these services for merchants engaged in activities that “tend to display a higher incidence of consumer fraud or potentially illegal activities” are expected to perform proper risk assessments, conduct due diligence to determine the merchants are operating in accordance with applicable law, and maintain systems to monitor the relationships with payment processors and merchants.
In a possible reference to unsuspecting community banks, the FDIC guidance states “The FDIC is aware that some payment processors or merchants may target institutions that are unfamiliar with the related risks or that lack proper due diligence or controls to manage these risks.”
Institutions that properly manage payment processing relationships and risks are not prohibited or discouraged from providing such services to businesses operating in compliance with applicable law. But the practical effect of the FDIC’s guidance is that many banks will be discouraged without knowing for certain what systems, controls and due diligence will be considered adequate by regulatory standards.
The FDIC intends to assess whether institutions are adequately overseeing these activities and addressing related risks. The FDIC’s statement follows concerns raised by certain banks, their representatives in Congress, and third-party payment processors about the scope of the governmental scrutiny of online lenders, and their relationships with banks.
Wariness of payment processing services also extends to the Federal Reserve and the OCC. See below for a list of agency issuances related to payment processing services.
FDIC guidance on this topic includes:
- Financial Institution Letter, FIL-44-2008, Guidance for Managing Third-Party Risk, issued June 2008
- Financial Institution Letter, FIL-127-2008, Guidance on Payment Processor Relationships, issued November 2008
- Managing Risks in Third-Party Payment Processor Relationships, Summer 2011 Supervisory Insights Journal
- Financial Institution Letter, FIL-3-2012, Payment Processor Relationships, Revised Guidance, issued January 2012.
Other agency guidance includes:
- The FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual
- The FFIEC IT Examination Handbook, Retail Payment Systems Booklet
- FinCEN Advisory, FIN-2012-A010 Risk Associated with Third-Party Payment Processors dated October 22, 2012
- OCC 2008-12, Payment Processors: Risk Management Guidance dated April 24, 2008
- OCC Bulletin 2006-39, ACH Activities: Risk Management Guidance dated September 1, 2006
- OCC Bulletin 2001-47, Third-Party Relationships: Risk Management Principles dated November 1, 2001