The FDIC recently issued Revised Guidance regarding account relationships with payment processors that process RCC and ACH payments on behalf of third-party merchants (the “Revised Guidance”). The Revised Guidance is an update and expansion of guidance previously issued by the FDIC in November of 2008. Such account relationships are relatively common for financial institutions, but come with the risk of association with unscrupulous third-party merchants serviced by the payment processor. The Revised Guidance focuses on the need for caution with respect to payment processors and merchants that have a higher risk profile for unauthorized payments and fraudulent/unlawful activity, such as those involved in telemarketing and certain internet-based industries. In response to this risk, the Revised Guidance provides greater specificity and increased expectations with regard to the vetting and monitoring of payment processors and their merchant customers.
Financial institutions that hold accounts for payment processors should review the Revised Guidance thoroughly. The Revised Guidance emphasizes and expands on the following requirements:
1. Written Agreements. The contracts between the financial institution and the payment processor are key to protecting the institution. Provisions should include (at a minimum) timely access to due diligence on merchants, requirements for adequate reserves to cover chargebacks, and rights of account closure and contract termination. Financial institutions should bear in mind that, with respect to ACH transactions, payment processors have specific obligations under the NACHA rules that must be included in the agreements between the financial institution and the payment processor, and between the payment processor and the merchant.
2. Monitoring and Due Diligence. Adequate account monitoring and merchant due diligence are required. Financial institutions cannot rely solely on a payment processor’s due diligence of its own merchants. Ongoing due diligence obligations include (i) monitoring accounts for unauthorized returns, nonsufficient funds returns, and chargebacks; (ii) monitoring complaints to consumer advocacy groups, websites and blogs; and (iii) researching whether a merchant or payment processor has been subject to investigation or legal action.
3. Troubled Institutions. Payment processors may seek account relationships with troubled institutions in need of capital, where the institution lacks infrastructure to properly manage the relationship but is anxious to receive fee income. In some cases, payment processors have gone so far as to purchase stock in a troubled institution.
4. Policies and Procedures. Financial institutions must implement policies and procedures to reduce the risk of establishing a relationship with a payment processor used by unscrupulous merchants. These policies and procedures should include thresholds for unauthorized returns, actions to be taken against payment processors that violate these thresholds, and periodic reporting to the board and senior management. Institutions should also develop “processor approval programs” that include robust due diligence and underwriting policies; validate and scrutinize processor business operations; identify potential problem merchants; and assess processor business operations and risk.
The Revised Guidance warns that financial institutions may be viewed as facilitating fraudulent or unlawful activity if they fail to adequately manage a payment processor relationship. Under such circumstances, an institution could be subject to enforcement action and civil liability for aiding and abetting an unfair and deceptive trade practice.
Financial institutions must also comply with their obligations under the Bank Secrecy Act, including the obligation to file a SAR in response to suspected unlawful activity. They should also recognize the importance of ensuring that payment processors and merchants comply with the legal and regulatory framework of the payment processing relationship. The NACHA rules and Regulation CC are examples of legal frameworks that payment processors and merchants must comply with. Merchants may also be subject to industry-specific regulations, such as rules applicable to telemarketers, financial service providers, and promoters of sweepstakes and contests.