FDIC: Transaction Monitoring for Payment Processing

  

 Email Article  

Tweet  

  

  

Source: Bank Info Security

The Federal Deposit Insurance Corp. has issued revised guidance describing potential risks linked to relationships with third-party entities that process payments for merchants. The key message: The onus is on banks to perform due diligence and ongoing monitoring of these relationships.

"Payment processors that deal with internet merchants may have a higher risk profile because such entities have tended to display a higher incidence of consumer fraud or potentially illegal activities than some other businesses," the guidance states. "Financial institutions should understand, verify, and monitor the activities and the entities related to the account relationship."

Institutions that fail to adequately manage these relationships may be viewed as facilitating a processor's or merchant's fraudulent activity and could be held liable, the FDIC states.

Avivah Litan, a financial fraud analyst at Gartner, says this is likely a first step toward heightened scrutiny. "I think the regulators are going to get more involved and require more due diligence on the processors," she says. "The banks need to take this guidance and meet with their processors and see how their processors are monitoring transactions for fraud," Litan says. "It's not easy. There are so many mandates now; but from the point of view of the regulators, they have no one else to lean on."

Six Expectations

To mitigate risk, regulators suggest banks review processors' transactional histories, as well as their clients. Adequate reviews may require involvement from multiple departments, including IT, operations, Bank Secrecy Act/anti-money laundering and compliance.

The guidance highlights six key points:

• Account relationships with high-risk entities pose increased risks for unfair and/or deceptive acts or practices;
• Payment processors pose heightened risks for money laundering and fraud when merchant identities are not verified and business practices are not reviewed;
• Banking institutions need to assess risk tolerance in overall risk assessments and develop due diligence policies and ongoing monitoring;
• Monitoring consumer complaints or unusual return rates could suggest inappropriate use of personal account information;
• Regulators expect banks to quickly respond when fraudulent or improper activities are identified; and
• Improper risk management on the part of banks and credit unions may result in penalties and other enforcement actions.

Ultimately, regulators are asking banks to do more diligence on their payment processors.

AML expert Kevin Sullivan says it's often the extensive payments chain of entities between financial institutions and their customers that increases risk.

"The bank has to do due diligence on any third party that they hire, and the third party needs to do quality due diligence on anyone they are going to subcontract [or do business] with," Sullivan says. "It is tough to maintain command and control over your business if you contract outsiders who contract more outsiders who contract additional outsiders."