FDIC Clarifies Third-Party Payments Risks
Regulator Removes High-Risk Merchant Categories from Guidance
The banking regulator says the clarification was made to eliminate confusion among smaller banking institutions, which had expressed concern about doing business with merchants associated with high-risk businesses, such as payday lenders and check-cashers.
"The lists of examples of merchant categories have led to misunderstandings regarding the FDIC's supervisory approach to TPPPs [third-party payment processors], creating the misperception that the listed examples of merchant categories were prohibited or discouraged," the FDIC says in its July 28 notice about the clarification. "It is [the] FDIC's policy that insured institutions that properly manage customer relationships are neither prohibited nor discouraged from providing services to any customer operating in compliance with applicable law. Accordingly, the FDIC is clarifying its guidance to reinforce this approach, and as part of this clarification, the FDIC is removing the lists of examples of merchant categories from its official guidance and informational article."
Guidance and articles amended to reflect the clarification include the FDIC's 2008 Guidance on Payment Processor Relationships and the revision to that guidance issued in 2012; the FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities; and an informational article, "Managing Risks in Third-Party Payment Processor Relationships," published in the summer 2011 edition of the FDIC's Supervisory Insights.
Some banking experts suggest the revisions were made because of backlash to the Department of Justice's so-called "Operation Choke Point," which high-risk merchants argue has put them at a business disadvantage.
Operation Choke Point refers to an effort attorneys within the Justice Department organized in late 2012 to help banking regulators enforce tighter anti-money laundering controls on banking institutions and payments processors.
On July 17, the House Judiciary Committee reviewed Operation Choke Point and the regulatory impact it had on the way banking institutions deal with merchants.
The FDIC did not respond to Information Security Media Group's request for comment regarding its clarification announcement.
Payments: A Regulatory Worry
Paul Reymann, partner at Washington-based financial services and payments consultancy McGovern Smith Advisors, says regulators' reaction to increasing third-party concerns, especially as they relate to payments, may have been too prescriptive.
"Whenever an agency includes a static list of examples in guidance, there is a risk that the list of examples will become outdated before the ink is dry on the published guidance," he says. "In the payments industry, we are seeing a lot of fast-paced change. So, in part, this may be one reason for today's clarifying guidance."
In its notice, the FDIC highlights that its clarification aims to help community institutions better understand the intent of its guidance for managing third-party risk.
"The focus of the FDIC's supervisory approach to institutions establishing account relationships with TPPPs is to ensure institutions have adequate procedures for conducting due diligence, underwriting, and ongoing monitoring of these relationships," the FDIC says. "When an institution is following the outstanding guidance, it will not be criticized for establishing and maintaining relationships with TPPPs."
Message for Banks
Al Pascual, a financial fraud and security leader at consultancy Javelin Strategy & Research, says the FDIC is merely reminding banks that they must stay focused on third-party risks and vendor management.
"I'm sure they were under some pressure to make the distinction as clear as possible," he says. "Despite the recent rash of retailer breaches, the merchant industry is still a powerful force to contend with. Federal regulators are used to some degree of pushback from banks under their supervision, but compound that with the kind of pressure that the retail industry can bring to bear, and it is something different entirely."
Reymann says community banks will benefit from the elimination of specific third-party categories from regulatory guidance.
"It is more about the risk management process than it is about a list of static examples," he says. "Over-attention to the example list can distract from the real paramount issue - the fact that third-party risk management is broken and it needs to be fixed."
Banking regulators have increasingly warned banks and credit unions about risks associated with third parties, especially payments processors (see FDIC: Improve Vendor Management).
In March 2013, Michael Bresnick, executive director of the President's Financial Fraud Enforcement Task Force, highlighted during a speech that the Justice Department planned to crack down on banking institutions that were not adequately addressing cyber-risks linked to payments processors.
Then, in September 2013, the FDIC issued a supervisory statement to address how banking regulators approach payment processing relationships with merchants engaged in "higher-risk" activities (see Mitigating Third-Party Risks).
During the July 17 Judiciary Committee hearing, Assistant Attorney General Stuart Delery offered background about Operation Choke Point.
"The strategy aims both to hold accountable those banks and processors who violate the law and to prevent access to the banking system by the many fraudulent merchants who had come to rely on the conscious assistance of banks and processors in facilitating their schemes," Delery testified.
The Justice Department has been working with various banking regulators to review suspicious activity linked to payments processors, he said. On April 25, a district court in North Carolina approved a settlement with Four Oaks Bank, which had allowed a third-party processor to originate approximately $2.4 billion in debit transactions for fraudulent merchants.
Four Oaks has been ordered to pay $1 million to the U.S. Treasury and to forfeit $200,000 to the U.S. Postal Inspection Service's Consumer Fraud Fund. The bank also is required to take steps to prevent future consumer fraud.
To date, Four Oaks is the only institution to have been penalized as a result of Operation Choke Point.