Dan Frechtling
SVP Marketing & Chief Product Officer April 20, 2015
KYCC Strategies for Managing
Third-Party Payment Processor (TPPP)
and Third-Party Sender (TPS) Risk
Steve Clendaniel
Director of Risk ConsultingKYCC strategies for TPPPs and TPSs
Toyota Production SystemKYCC:
TPPP:
TPS:
Third Party
Payment
Processor
Third Party
Sender
Know Your
Customer’s
Customer
• Risk officers face exceptional uncertainty
• Regulators have offered qualified guidance
• New tools present partial solutions
• An additional level of intelligence is required
• Risk officers face exceptional uncertainty
• Regulators have offered qualified guidance
• New tools present partial solutions
• An additional level of intelligence is required
Regulation has become competitive sport
“In the US, we now have the regulatory Olympics.”
(SVP Payments for top 5 US bank)
In 2014 US and European banks paid ~$65B in penalties, 40%
greater than 2013, the previous high, according to BCG
McKinsey estimates that senior executives spend about 20 to 25
percent of their time on regulatory matters
Sources: Wall Street Journal, Dec 2014; Bankdirector.com, Jan 2015
OCC FDIC
CFPB FTC
Regulatory pressure is rising…
50+ Banks subpoenaed by the government to examine their risk
management processes
2013
October
…and rising…
2014
April
May
June
…and rising
2015
Source: G2 Web Services Research Study, March 2015
Regulatory pressure is unavoidable
Executive Vice President and Chief Risk Officer, Midsized Bank
“This is the business that we’ve chosen and these are the rules you must follow in order to be able to stay in the game. If we want to continue to grow and to prosper we have to get A’s on your report card in terms of compliance. If you get anything less
than that, they’ll shut down your growth. It’s just not optional.”
Regulatory pressure is unpredictable
Source: G2 Web Services Research Study, March 2015
Vice President, Risk Management and Compliance, Midsized Bank
“It’s almost a crap shoot, right? So anybody could come in, a new regulator that wasn’t here last year, and say, ‘That’s
not how I look at it,’ or ‘you need to beef this up,’ or ‘I saw this other institution do this. I’m recommending this for you So there is some concern, but it’s almost uncontrollable.”
Regulatory pressure is examiner-driven
Source: G2 Web Services Research Study, March 2015
Vice President, Compliance, Midsized Bank
“…it’s more the human nature from an examiner, or a specific examiner, let’s say, in their opinion or what
they’ve seen in their travels versus a new regulation coming out and being a total shock to us.”
Source: G2 Web Services Research Study, March 2015
TPPP and TPS regulations are changing
Executive Vice President and Chief Risk Officer, Midsized Bank
“In an ever changing regulatory environment, especially TPPP being newer, is - are the regulators going to change their requirements? I think there’s a black hole
in banking, especially with examination, whereby examination procedures and guidance say one thing,
Source: G2 Web Services Research Study, March 2015
TPPPs and TPSs can be opaque to banks
Executive Vice President and Chief Risk Officer, Midsized Bank
“The level of challenge with respect to any vendor relationship… to which the banking regulators are
requiring us to increasingly know, vet, and to fully understand what’s going on in that vendor’s black box.
Source: G2 Web Services Research Study, March 2015
TPPPs and TPSs may lose banking
relationships
Executive Vice President and Chief Risk Officer, Midsized Bank
“10 years ago, you linked up with a vendor and you sort of relied on them to do the things- you did your own due
diligence – but it wasn’t nearly the same sort risk assessment process that you go through today. And what we see it evolving to is one that is even much, much more
invasive for the vendor. You are going to have to discontinue certain relationships.”
Entire categories of TPPPs and TPSs
are at risk
Source: G2 Web Services Research Study, March 2015
EVP and CEO, Midsized Bank
“What has occurred is a lot of the very large institutions based on a lot of guidance from regulatory agencies have sort of de-risked their portfolio. And so a lot of them
for instance don’t do any clients that are money service business or third party payment processors because that’s what it seemed like the regulators wanted and it’s just easier, rather than trying to interpret, to just avoid it.”
• Risk officers face exceptional uncertainty
• Regulators have offered qualified guidance
• New tools present partial solutions
• An additional level of intelligence is required
FDIC and OCC offer guidance and a framework
OCC BULLETIN 2006-39 BULLETIN 2008-12 BULLETIN 2013-29 FDIC FIL-3-2012 FIL-44-2008 FIL-127-2008Guidelines: Onboarding
“Conduct due diligence commensurate with the level of risk and complexity of the 3rd party relationship”
• Strategies: check growth goals, current and
proposed structures, quality initiatives, efficiency
improvements, employment practices are consistent with bank’s philosophy
• Compliance: licenses, expertise, controls, status with regulators and similar organizations
• Financials: statements, trends, pending litigation, fee structures
• Reputation: complaints, years of experience,
Guidelines: Onboarding
“Conduct due diligence commensurate with the level of risk and complexity of the 3rd party relationship”
• Principals: senior management, key employees, subcontractors
• Risk management: independence of audit function, policies for escalating audit findings, SOC reports, other standards (e.g. ISO)
• IS: SLAs and performance metrics, change
management processes, ability to mitigate data
breach vulnerabilities
• Resilience: disaster recovery and business continuity plans in event of service disruptions
Guidelines: Onboarding
“Conduct due diligence commensurate with the level of risk and complexity of the 3rd party relationship”
• Security: physical security, incident reporting • HR: training, succession planning, holding
employees accountable for compliance
• Subcontractors: geographic locations, due diligence and monitoring; conduct your own
diligence, look for legally-binding indemnification • Insurance: bond coverage for “dishonest acts,”
liability coverage for negligence, hazard insurance for disasters
Best practices: Onboarding
• Have a prohibited category list
• Check the merchant for fraudulent activity • Identify what the merchant is selling, beyond
MCC/NAICS/SIC code
• Analyze the merchant’s online history of risk • Analyze the merchant’s website for suspicious
activity or hidden goods
• Require the same due diligence of your
TPPPs with their customers
“Conduct due diligence commensurate with the level of risk and complexity of the 3rd party relationship”
Guidelines: Ongoing
“Performed periodically during the course of the relationship, particularly when considering a renewal of a contract.”
Onboarding Ongoing Compliance l l Financials l l Insurance l l IS l l Resilience l l Subcontractors l l Reputation l l Principals l l HR l Remediation l Agreements l Confidentiality l
Best practices: Ongoing
• Check for migration to prohibited categories • Persistently monitor the merchant for changes in
goods/services offered
• Monitor the merchant for fraudulent activity • Adjust your oversight based depend upon the
potential risks and the magnitude of the arrangement • Require Third Parties to monitor their merchants according to your standards, and request regular reports
“Performed periodically during the course of the relationship, particularly when considering a renewal of a contract.”
• Risk officers face exceptional uncertainty
• Regulators have offered qualified guidance
• New tools present partial solutions
– Onboarding
– Ongoing
• An additional level of intelligence is required
Risk Managers have responded by using
new tools
Identity Verification Transaction Monitoring Manual Credit/Asset Searches Onboarding Ongoing Manual spot Checks 3 4 1 2• Risk officers face exceptional uncertainty
• Regulators have offered qualified guidance
• New tools present partial solutions
– Onboarding
– Ongoing
• An additional level of intelligence is required
1. Identity Verification Tools
Good standard practice
Complies with core BSA/AML guidance for due diligence & EDD Recommended for compliance with CIP rule of Patriot Act
X Verification can be outmaneuvered by black hat applicants
X Most effective when applicants disclose information that can be verified
X “Only as good as the data store”: misses hidden merchant risk
“Many financial institutions do some kind of criminal
background check which is only as good as the data store which
they are checking against.”
Guy Huntington,
2. Manual Credit/Asset Searches
Consolidates separate data sources into one platform Valued by most regulators as highly credible sources Provides a sense of control and rigor
X May produce better information about principals than merchants
X Quality of the review fluctuates based on analyst’s experience
X Lacks automated scoring that can speed underwriting
“Because it’s manual it’s
inconsistently applied.
Level of experience of the
evaluator varies. (the
process) is staff intensive”
Chief Risk Officer, Large Bank, Midwest
• Risk officers face exceptional uncertainty
• Regulators have offered qualified guidance
• New tools present partial solutions
– Onboarding
– Ongoing
• An additional level of intelligence is required
3. Transaction Monitoring
Important and necessary for compliance with OCC’s CFR 21.11 & 2013-29, and FDIC’s FIL 44-2008 & FIL 3-2012
Improving quality of data science means anomaly detection is faster and more accurate
Alerts can provide evidence of suspicious activity or outright fraud
Allows for triaging of suspicious transactions separate from normal transactions for further review
X Most effective after fraud has struck
X Miss leading indicators of fraud
X Outsmarted by black hat applicants
“All things being equal, preventative controls are always better than protective
controls”.
Source: G2 Web Services Research Study, March 2015
4. Manual Spot Checks
Easy to start and modify, especially at low volumes Simple to explain to auditors
Fewer technical black boxes are involved
“There are manual reports that we look at. There’s a daily payment processing report and then we can
look at them monthly, quarterly or annually…it’s a very manual, labor
intensive process”.
Chief Risk Officer, Midsized Bank
X Are rarely conducted
X Require technology and training to spot changes
X Hard to detect deceptive marketing practices
X Lacks automated scoring that can speed
All four miss vital aspects of KYC
Missing: Hidden merchant risk
• Direct evidence of illegal activity, patterns of
fraud and compliance violations
• Links to illicit merchants, criminal fraud rings,
hidden websites
• Conducting business with many FIs
Missing: Automated scoring
• History of fraud, compliance missteps
• Technology-enabled analysts rather than
“labor”
• Predictions such as poor reputation with
consumers, leading indicators of future fraud
and compliance violations
Individual risk merchant risk
Source: Oregon State Research Study, May 2012
Survey of Dual Occupation Professionals:
Should US firms offer gifts to gain a foothold in a new market if this violated federal law?
• As engineers, 90% disagreed • As managers, 50% agreed
“When people switch hats, they often switch moral compasses.”
-Keith Leavitt, OSU faculty
Can hidden merchant patterns be detected?
Senior VP, 3rd Party Risk Mgt, Midsized Bank, Mid-Atlantic
“I doubt you can do this. It sounds good,
but the proof is in the pudding. Looking at
years of merchant history is a real
differentiator, a way of looking at the past
as indicator of future activity. Our bank is
not be able to dig as deep.”
• Risk officers face exceptional uncertainty
• Regulators have offered qualified guidance
• New tools present partial solutions
• An additional level of intelligence is required
– Key elements
– Implementation
Key elements of merchant intelligence
1. Underlying merchants
2. Historical connections
3. Predictive modeling
4. Instant quantification
5. Risk-based approach
6. Rich reporting
1. Underlying merchants must be submitted
• Banks must obtain
TPPP and TPS
portfolios
• In totality
• Each new boarded
customer
2. Merchant intel finds connections
• Random sample of many years
of merchant history data
• Historical data provides
access to deeper of level
connections so we can better
detect bad actors
• By using these known connections,
Data Science can make better
predictions of merchant violations
1 Merchant ID
1 Acquirer
1 URL
Connections: a case study
Over $1MM of fraudulent charges from a company offering
translation services
56 Merchant
IDs
32 Acquirers
83 Related URLs
Connections: findings
After network investigation was complete
Merchant relationship mapping
Charting relationships throughout the payment value chain
3. Merchant intel enables predictive modeling
Key data points: Public information
1. Blacklists and whitelists (OFAC, PEP, NABP, etc.)
2. Reputation data (aggregated from multiple sources)
Proprietary information
1. Historical data on merchants and individuals
2. Past fraud and content violations 3. Connections between individuals
and businesses
Data science predicts likelihood of compliance violations or fraud
Predictive modeling: case study
1. UK bank onboards Merchant X andsubmitted portfolio for review
2. Vendor reports Merchant X as high
risk after detecting likelihood of past fraud (2 of 5 data points matched previous bad actor)
3. Merchant X instantly began
fraudulent activity, which was not immediately detected in transaction flow
3. UK bank terminated merchant,
limiting fraud to 2% of typical loss
Proprietary Data + Third Party Data =
99%
accurate predictions
that can reduce losses
Losses from Merchant X
Typical losses
Limited Fraud Losses
~£33,000
4. Merchant intel can yield instant quantification
Speed
• Most results <1 second• Significantly reduces merchant onboarding time
• Works in conjunction with your existing core platform solution and enhances existing processes
• API provides seamless integration with in-house systems or 3rd party platforms (ex. Zoot)
• Portal log in to access reports
Integration
Choice
Applications a
month
Minutes per
applications
~ 10 full-time staff to review and process
Hours per
month
3,000 New Applications
Needs Review 420 Applications (14%) Prelim Approval 1,830 Applications (61%) Declined 750 Applications (25%)Applications a
month
Minutes per
application
Hours per
month
93% time savings
Risk-based approach: case study
A US Bank faced additional scrutiny for
inadequate KYC/KYCC policies.
Risk managers lacked tools for effective
TPPP oversight, and TPPPs were not adhering
to regulations to the same degree the bank was.
Risk-based approach: solution
Predictive merchant scoring gave them a more
comprehensive risk profile of their TPPPs
and underlying merchants.
The bank created a holistic TPPP oversight
management program, including predictive
merchant risk tools as the main ingredient.
The bank received praise by both external and
internal auditors, and retained their merchant
relationships and associated revenues.
6. Merchant intel can be richly reported
• Quick snapshot of categories of risk in your portfolio
• Benchmarking data to compare portfolio to the broader industry • Continually evaluate your boarding process
Rich reporting: example
• Compare portfolio to rich database of risk information across the industry
• Helps to assess both positive and negative risk
Merchant intel for KYCC: summary
1. Underlying merchants
2. Historical connections
3. Predictive modeling
4. Instant quantification
5. Risk-based approach
6. Rich reporting
• Risk officers face exceptional uncertainty
• Regulators have offered qualified guidance
• New tools present partial solutions
• An additional level of intelligence is required
– Key elements
– Implementation
Implementation Tips
• Partner with TPPPs and TPSs on implementation
– Pass on investments in tools and analysts
– Encourage (stipulate) third parties to implement beneficial systems and processes
• Learn from regulatory and association best practices
– OCC and FDIC guidelines – CMS from TPPPA
– NACHA guidelines
• Build systems and processes incrementally
– Start with hosted web services
