Bank Secrecy Act
Third-Party Payment Processors—Overview
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with its relationships with third-party payment processors, and management’s ability to implement effective monitoring and reporting systems.
Non-bank or third-party payment processors (processors) are bank customers that provide payment-processing services to merchants and other business entities. Traditionally, processors contracted primarily with retailers that had physical locations in order to process the retailers’ transactions. These merchant transactions primarily included credit card payments but also covered automated clearing house (ACH) transactions, remotely created checks, and debit and stored value card transactions. With the expansion of the Internet, retail borders have been eliminated. Processors may now service a variety of merchant accounts, including conventional retail and Internet-based establishments, prepaid travel, and Internet gaming enterprises.
Risk Factors
Processors generally are not subject to BSA/AML regulatory requirements. As a result, some processors may be vulnerable to money laundering, identity theft, and fraud schemes.
The bank’s BSA/AML risks when dealing with a processor account are similar to risks from other activities in which the bank’s customer conducts transactions through the bank on behalf of the customer’s clients. When the bank is unable to identify and understand the nature and source of the transactions processed through an account, the risks to the bank and the likelihood of suspicious activity can increase. If a bank has not implemented an adequate processor-approval program that goes beyond credit risk management, it could be vulnerable to processing illicit or OFAC-sanctioned transactions.
Risk Mitigation
Banks offering account services to processors should develop and maintain adequate policies, procedures, and processes to address risks related to these relationships. At a minimum, these policies should authenticate the processor’s business operations and assess their risk level. Verification and assessment of a processor can be completed by performing the following procedures:
- Reviewing the processor’s promotional materials, including its web site, to determine the target clientele. (Businesses with elevated risk may include offshore companies, on-line gambling-related operations, and on-line payday lenders.) For example, a processor whose customers are primarily offshore would be inherently riskier than a processor whose customers are primarily restaurants.
- Determining whether the processor re-sells its services to a third party who may be referred to as an “agent or provider of Independent Sales Organization (ISO) opportunities” or “gateway” arrangements.
- Reviewing the processor’s policies, procedures, and processes to determine the adequacy of its due diligence standards for new merchants.
- Identifying the processor’s major customers.
- Reviewing corporate documentation including independent reporting services and, if applicable, documentation on principal owners.
- Visiting the processor’s business operations center.
Banks that provide account services should monitor their processor relationships for any significant changes in the processor’s business strategies that may affect their risk profile. Banks should periodically re-verify and update the businesses’ profiles to ensure the risk assessment is appropriate.
In addition to adequate and effective account opening and due diligence procedures for processor accounts, management should monitor these relationships for unusual and suspicious activities. To effectively monitor these accounts, the bank should have an understanding of the following processor information:
- Merchant base.
- Merchant activities.
- Average dollar volume and number of transactions.
- “Swiping” versus “keying” volume for credit card transactions.
- Charge-back history, including rates of return for ACH debit transactions and remotely created checks.
