On
Supervision of Banks' Relationships with
Third Party Payment Processors
Before the
Subcommittee on Oversight and Investigations
Committee on Financial Services
U.S. House Of Representatives; U.S. House of Representatives;
2128 Statement of Federal Deposit Insurance Corporation
By
Richard J. Osterman, Jr.
Acting General Counsel Rayburn House Office Building
July 15, 2014
Chairman McHenry, Ranking Member Green and members of the Subcommittee, I
appreciate the opportunity to testify on behalf of the Federal Deposit Insurance
Corporation (FDIC) on the FDIC's supervisory approach regarding insured institutions
establishing account relationships with third-party payment processors (TPPPs). I also
will discuss the FDIC's interaction with the Department of Justice's consumer fraud
initiative, Operation Choke Point.
As the primary federal regulator of state-chartered financial institutions that are not
members of the Federal Reserve System, the FDIC is responsible for supervising these
institutions for adherence with safety and soundness standards, information technology
requirements, Bank Secrecy Act and other anti-money laundering laws and regulations,
and consumer protection laws1.
The USA PATRIOT Act, enacted in 2001, added new due diligence requirements for
banks under the Bank Secrecy Act (BSA). Section 326 of the Act requires banks to
establish and maintain a Customer Identification Program (CIP). At a minimum, financial
institutions must implement reasonable procedures for: (1) verifying the identity of any
person seeking to open an account, to the extent reasonable and practicable; (2)
maintaining records of the information used to verify the person's identity, including
name, address, and other identifying information; and (3) determining whether the
person appears on any lists of known or suspected terrorists or terrorist organizations
provided to the financial institution by any government agency. The purpose of the CIP
is to enable banks to form a reasonable belief that they know the true identity of each
customer. In its most basic form, knowing one's customer serves to protect banks from
the potential liability and risk of providing financial services to an unscrupulous
customer. In addition, but no less important, it provides another level of protection to the
general public against illegal activity (including terrorist financing and money laundering)
since banks are a common gateway to the financial system.
Certain kinds of businesses, transactions, or geographic locations may pose greater risk
for suspicious or illegal activity. Higher-risk activities have been understood by
industry2 and the financial regulators as activities that may be subject to complex or
varying legal and regulatory environments, such as activities that may: be legal only in
certain states; be prohibited for certain consumers, such as minors; be subject to
Supervision of Banks' Relationships with
Third Party Payment Processors
Before the
Subcommittee on Oversight and Investigations
Committee on Financial Services
U.S. House Of Representatives; U.S. House of Representatives;
2128 Statement of Federal Deposit Insurance Corporation
By
Richard J. Osterman, Jr.
Acting General Counsel Rayburn House Office Building
July 15, 2014
Chairman McHenry, Ranking Member Green and members of the Subcommittee, I
appreciate the opportunity to testify on behalf of the Federal Deposit Insurance
Corporation (FDIC) on the FDIC's supervisory approach regarding insured institutions
establishing account relationships with third-party payment processors (TPPPs). I also
will discuss the FDIC's interaction with the Department of Justice's consumer fraud
initiative, Operation Choke Point.
As the primary federal regulator of state-chartered financial institutions that are not
members of the Federal Reserve System, the FDIC is responsible for supervising these
institutions for adherence with safety and soundness standards, information technology
requirements, Bank Secrecy Act and other anti-money laundering laws and regulations,
and consumer protection laws1.
The USA PATRIOT Act, enacted in 2001, added new due diligence requirements for
banks under the Bank Secrecy Act (BSA). Section 326 of the Act requires banks to
establish and maintain a Customer Identification Program (CIP). At a minimum, financial
institutions must implement reasonable procedures for: (1) verifying the identity of any
person seeking to open an account, to the extent reasonable and practicable; (2)
maintaining records of the information used to verify the person's identity, including
name, address, and other identifying information; and (3) determining whether the
person appears on any lists of known or suspected terrorists or terrorist organizations
provided to the financial institution by any government agency. The purpose of the CIP
is to enable banks to form a reasonable belief that they know the true identity of each
customer. In its most basic form, knowing one's customer serves to protect banks from
the potential liability and risk of providing financial services to an unscrupulous
customer. In addition, but no less important, it provides another level of protection to the
general public against illegal activity (including terrorist financing and money laundering)
since banks are a common gateway to the financial system.
Certain kinds of businesses, transactions, or geographic locations may pose greater risk
for suspicious or illegal activity. Higher-risk activities have been understood by
industry2 and the financial regulators as activities that may be subject to complex or
varying legal and regulatory environments, such as activities that may: be legal only in
certain states; be prohibited for certain consumers, such as minors; be subject to
varying state and federal licensing and reporting regimes; or tend to display a higher
incidence of consumer complaints, returns, or chargebacks. Because these risks may
be posed directly by a bank's customer, or indirectly through relationships established
by bank customers with other parties (merchants, for example), banks have enhanced
their customer due diligence policies and processes to better protect against harm.
Harm to the bank can range from operating losses attributable to unanticipated
consumer reimbursements that were not properly reserved for, to civil or criminal
actions for facilitation of violations of law.
As challenging as it can be for financial institutions to understand the risks involved in
the activities of a direct customer, the difficulty is magnified when the activities involve
third parties. TPPPs may have relationships with hundreds or even thousands of
merchant clients for which they initiate transactions. The vast majority of transactions
passing through financial institutions and payment processors are legitimate
transactions initiated by reputable merchants. These functions provide a valuable
service to customers, both individual consumers and businesses, and are typically
performed at a low cost. For example, banks often process customers' automated
clearing house (ACH) transactions to credit or debit a bank account of another party as
a service for their customers.
However, where transactions from the merchant client of a bank's TPPP customer are
not legitimate, there is real risk for the bank because it can be held legally responsible
for facilitating the activities and transactions of the TPPP. This is because in cases
where the transaction was initiated by a third party, the bank still has a relationship,
albeit indirect, with the TPPP's merchant clients, and thus would be exposed to the risks
associated with their transactions. If the bank, through its customer relationship with the
TPPP, is facilitating activity that is either impermissible in a state or being performed in
a manner illegal under applicable state or federal law, the bank can be exposed to
significant risks. As a financial regulator, the FDIC is responsible for ensuring that the
financial institutions we supervise fully appreciate these risks, have policies and
procedures in place to identify and monitor these risks, and take reasonable measures
to manage and address these risks.
Supervisory Approach
Traditionally, TPPPs contracted primarily with U.S. retailers that had physical locations
in the United States to help collect monies owed by customers on the retailers'
transactions. These merchant transactions primarily included credit card payments, but
also covered ACH and remotely created checks (RCCs). Guidance for FDIC-supervised
institutions conducting business with TPPPs was contained within examination manuals
and guidance related to credit card examinations, retail payment systems operations,
and the Bank Secrecy Act.3 However, as the financial services market has become
more complex, the individual federal banking agencies, the Federal Financial Institution
Examinations Council (FFIEC) and the Financial Crimes Enforcement Network
(FinCEN) have issued additional guidance on several occasions warning financial
institutions of emerging risks and suggesting mitigation techniques.
incidence of consumer complaints, returns, or chargebacks. Because these risks may
be posed directly by a bank's customer, or indirectly through relationships established
by bank customers with other parties (merchants, for example), banks have enhanced
their customer due diligence policies and processes to better protect against harm.
Harm to the bank can range from operating losses attributable to unanticipated
consumer reimbursements that were not properly reserved for, to civil or criminal
actions for facilitation of violations of law.
As challenging as it can be for financial institutions to understand the risks involved in
the activities of a direct customer, the difficulty is magnified when the activities involve
third parties. TPPPs may have relationships with hundreds or even thousands of
merchant clients for which they initiate transactions. The vast majority of transactions
passing through financial institutions and payment processors are legitimate
transactions initiated by reputable merchants. These functions provide a valuable
service to customers, both individual consumers and businesses, and are typically
performed at a low cost. For example, banks often process customers' automated
clearing house (ACH) transactions to credit or debit a bank account of another party as
a service for their customers.
However, where transactions from the merchant client of a bank's TPPP customer are
not legitimate, there is real risk for the bank because it can be held legally responsible
for facilitating the activities and transactions of the TPPP. This is because in cases
where the transaction was initiated by a third party, the bank still has a relationship,
albeit indirect, with the TPPP's merchant clients, and thus would be exposed to the risks
associated with their transactions. If the bank, through its customer relationship with the
TPPP, is facilitating activity that is either impermissible in a state or being performed in
a manner illegal under applicable state or federal law, the bank can be exposed to
significant risks. As a financial regulator, the FDIC is responsible for ensuring that the
financial institutions we supervise fully appreciate these risks, have policies and
procedures in place to identify and monitor these risks, and take reasonable measures
to manage and address these risks.
Supervisory Approach
Traditionally, TPPPs contracted primarily with U.S. retailers that had physical locations
in the United States to help collect monies owed by customers on the retailers'
transactions. These merchant transactions primarily included credit card payments, but
also covered ACH and remotely created checks (RCCs). Guidance for FDIC-supervised
institutions conducting business with TPPPs was contained within examination manuals
and guidance related to credit card examinations, retail payment systems operations,
and the Bank Secrecy Act.3 However, as the financial services market has become
more complex, the individual federal banking agencies, the Federal Financial Institution
Examinations Council (FFIEC) and the Financial Crimes Enforcement Network
(FinCEN) have issued additional guidance on several occasions warning financial
institutions of emerging risks and suggesting mitigation techniques.