KYCC Strategies for Managing Third-Party Payment Processor (TPPP) and Third-Party Sender (TPS) Risk

(1)

Dan Frechtling, SVP Marketing & Chief Product Officer

Steve Clendaniel, Director of Risk Consulting

April 20, 2015

(2)

KYCC strategies for TPPPs and TPSs

Toyota Production System

KYCC: Know Your Customer’s Customer

TPPP: Third Party Payment Processor

TPS: Third Party Sender

(3)

• Risk officers face exceptional uncertainty

• Regulators have offered qualified guidance

• New tools present partial solutions

• An additional level of intelligence is required

(5)

Regulation has become competitive sport

“In the US, we now have the regulatory Olympics.”

(SVP Payments for top 5 US bank)

In 2014 US and European banks paid ~$65B in penalties, 40% greater than 2013, the previous high, according to BCG

McKinsey estimates that senior executives spend about 20 to 25 percent of their time on regulatory matters

Sources: Wall Street Journal, Dec 2014; Bankdirector.com, Jan 2015

OCC, FDIC, CFPB, FTC

(6)

Regulatory pressure is rising…

50+ Banks subpoenaed by the government to examine their risk management processes

October 2013

(7)

…and rising…

2014: April, May, June

(8)

…and rising

2015

(9)

Source: G2 Web Services Research Study, March 2015

Regulatory pressure is unavoidable

Executive Vice President and Chief Risk Officer, Midsized Bank

“This is the business that we’ve chosen and these are the rules you must follow in order to be able to stay in the game. If we want to continue to grow and to prosper we have to get A’s on your report card in terms of compliance. If you get anything less than that, they’ll shut down your growth. It’s just not optional.”

(10)

Regulatory pressure is unpredictable

Source: G2 Web Services Research Study, March 2015

Vice President, Risk Management and Compliance, Midsized Bank

“It’s almost a crap shoot, right? So anybody could come in, a new regulator that wasn’t here last year, and say, ‘That’s not how I look at it,’ or ‘you need to beef this up,’ or ‘I saw this other institution do this. I’m recommending this for you.’ So there is some concern, but it’s almost uncontrollable.”

(11)

Regulatory pressure is examiner-driven

Source: G2 Web Services Research Study, March 2015

Vice President, Compliance, Midsized Bank

“…it’s more the human nature from an examiner, or a specific examiner, let’s say, in their opinion or what they’ve seen in their travels versus a new regulation coming out and being a total shock to us.”

(12)

Source: G2 Web Services Research Study, March 2015

TPPP and TPS regulations are changing

Executive Vice President and Chief Risk Officer, Midsized Bank

“In an ever changing regulatory environment, especially TPPP being newer, is - are the regulators going to change their requirements? I think there’s a black hole in banking, especially with examination, whereby examination procedures and guidance say one thing,

(13)

Source: G2 Web Services Research Study, March 2015

TPPPs and TPSs can be opaque to banks

Executive Vice President and Chief Risk Officer, Midsized Bank

“The level of challenge with respect to any vendor relationship… to which the banking regulators are requiring us to increasingly know, vet, and to fully understand what’s going on in that vendor’s black box.

(14)

Source: G2 Web Services Research Study, March 2015

TPPPs and TPSs may lose banking relationships

Executive Vice President and Chief Risk Officer, Midsized Bank

“10 years ago, you linked up with a vendor and you sort of relied on them to do the things – you did your own due diligence – but it wasn’t nearly the same sort of risk assessment process that you go through today. And what we see it evolving to is one that is even much, much more invasive for the vendor. You are going to have to discontinue certain relationships.”

(15)

Entire categories of TPPPs and TPSs are at risk

Source: G2 Web Services Research Study, March 2015

EVP and CEO, Midsized Bank

“What has occurred is a lot of the very large institutions based on a lot of guidance from regulatory agencies have sort of de-risked their portfolio. And so a lot of them for instance don’t do any clients that are money service business or third party payment processors because that’s what it seemed like the regulators wanted and it’s just easier, rather than trying to interpret, to just avoid it.”

(16)

• Risk officers face exceptional uncertainty

• Regulators have offered qualified guidance

• New tools present partial solutions

• An additional level of intelligence is required

(17)
(18)

FDIC and OCC offer guidance and a framework

OCC: Bulletin 2006-39, Bulletin 2008-12, Bulletin 2013-29

FDIC: FIL-3-2012, FIL-44-2008, FIL-127-2008

(19)
(20)

Guidelines: Onboarding

“Conduct due diligence commensurate with the level of risk and complexity of the 3rd party relationship”

• Strategies: check growth goals, current and proposed structures, quality initiatives, efficiency improvements, employment practices are consistent with bank’s philosophy

• Compliance: licenses, expertise, controls, status with regulators and similar organizations

• Financials: statements, trends, pending litigation, fee structures

• Reputation: complaints, years of experience,

(21)

Guidelines: Onboarding

“Conduct due diligence commensurate with the level of risk and complexity of the 3rd party relationship”

• Principals: senior management, key employees, subcontractors

• Risk management: independence of audit function, policies for escalating audit findings, SOC reports, other standards (e.g. ISO)

• IS: SLAs and performance metrics, change management processes, ability to mitigate data breach vulnerabilities

• Resilience: disaster recovery and business continuity plans in event of service disruptions

(22)

Guidelines: Onboarding

“Conduct due diligence commensurate with the level of risk and complexity of the 3rd party relationship”

• Security: physical security, incident reporting

• HR: training, succession planning, holding employees accountable for compliance

• Subcontractors: geographic locations, due diligence and monitoring; conduct your own diligence, look for legally-binding indemnification

• Insurance: bond coverage for “dishonest acts,” liability coverage for negligence, hazard insurance for disasters

(23)

Best practices: Onboarding

• Have a prohibited category list

• Check the merchant for fraudulent activity

• Identify what the merchant is selling, beyond MCC/NAICS/SIC code

• Analyze the merchant’s online history of risk

• Analyze the merchant’s website for suspicious activity or hidden goods

• Require the same due diligence of your TPPPs with their customers

“Conduct due diligence commensurate with the level of risk and complexity of the 3rd party relationship”

(24)

Guidelines: Ongoing

“Performed periodically during the course of the relationship, particularly when considering a renewal of a contract.”

Columns: Onboarding, Ongoing (● marks as shown on the slide)

Compliance ● ●

Financials ● ●

Insurance ● ●

IS ● ●

Resilience ● ●

Subcontractors ● ●

Reputation ● ●

Principals ● ●

HR ●

Remediation ●

Agreements ●

Confidentiality ●

(25)

Best practices: Ongoing

• Check for migration to prohibited categories

• Persistently monitor the merchant for changes in goods/services offered

• Monitor the merchant for fraudulent activity

• Adjust your oversight depending upon the potential risks and the magnitude of the arrangement

• Require Third Parties to monitor their merchants according to your standards, and request regular reports

“Performed periodically during the course of the relationship, particularly when considering a renewal of a contract.”

(26)

• Risk officers face exceptional uncertainty

• Regulators have offered qualified guidance

• New tools present partial solutions

– Onboarding

– Ongoing

• An additional level of intelligence is required

(27)

Risk Managers have responded by using new tools

Onboarding: 1. Identity Verification; 2. Manual Credit/Asset Searches

Ongoing: 3. Transaction Monitoring; 4. Manual Spot Checks

(28)

• Risk officers face exceptional uncertainty

• Regulators have offered qualified guidance

• New tools present partial solutions

– Onboarding

– Ongoing

• An additional level of intelligence is required

(29)

1. Identity Verification Tools

✓ Good standard practice

✓ Complies with core BSA/AML guidance for due diligence & EDD

✓ Recommended for compliance with CIP rule of Patriot Act

X Verification can be outmaneuvered by black hat applicants

X Most effective when applicants disclose information that can be verified

X “Only as good as the data store”: misses hidden merchant risk

“Many financial institutions do some kind of criminal background check which is only as good as the data store which they are checking against.”

Guy Huntington,

(30)

2. Manual Credit/Asset Searches

✓ Consolidates separate data sources into one platform

✓ Valued by most regulators as highly credible sources

✓ Provides a sense of control and rigor

X May produce better information about principals than merchants

X Quality of the review fluctuates based on analyst’s experience

X Lacks automated scoring that can speed underwriting

“Because it’s manual it’s inconsistently applied. Level of experience of the evaluator varies. (the process) is staff intensive”

Chief Risk Officer, Large Bank, Midwest

(31)

• Risk officers face exceptional uncertainty

• Regulators have offered qualified guidance

• New tools present partial solutions

– Onboarding

– Ongoing

• An additional level of intelligence is required

(32)

3. Transaction Monitoring

✓ Important and necessary for compliance with OCC’s CFR 21.11 & 2013-29, and FDIC’s FIL 44-2008 & FIL 3-2012

✓ Improving quality of data science means anomaly detection is faster and more accurate

✓ Alerts can provide evidence of suspicious activity or outright fraud

✓ Allows for triaging of suspicious transactions separate from normal transactions for further review

X Most effective after fraud has struck

X Misses leading indicators of fraud

X Outsmarted by black hat applicants

“All things being equal, preventative controls are always better than protective controls”.

Source: G2 Web Services Research Study, March 2015

(33)

4. Manual Spot Checks

✓ Easy to start and modify, especially at low volumes

✓ Simple to explain to auditors

✓ Fewer technical black boxes are involved

“There are manual reports that we look at. There’s a daily payment processing report and then we can look at them monthly, quarterly or annually…it’s a very manual, labor intensive process”.

Chief Risk Officer, Midsized Bank

X Are rarely conducted

X Require technology and training to spot changes

X Hard to detect deceptive marketing practices

X Lacks automated scoring that can speed

(34)

All four miss vital aspects of KYC

Missing: Hidden merchant risk

• Direct evidence of illegal activity, patterns of fraud and compliance violations

• Links to illicit merchants, criminal fraud rings, hidden websites

• Conducting business with many FIs

Missing: Automated scoring

• History of fraud, compliance missteps

• Technology-enabled analysts rather than “labor”

• Predictions such as poor reputation with consumers, leading indicators of future fraud and compliance violations

(35)

Individual risk merchant risk

Source: Oregon State Research Study, May 2012

Survey of Dual Occupation Professionals:

Should US firms offer gifts to gain a foothold in a new market if this violated federal law?

• As engineers, 90% disagreed

• As managers, 50% agreed

“When people switch hats, they often switch moral compasses.”

-Keith Leavitt, OSU faculty

(36)

Can hidden merchant patterns be detected?

Senior VP, 3rd Party Risk Mgt, Midsized Bank, Mid-Atlantic

“I doubt you can do this. It sounds good, but the proof is in the pudding. Looking at years of merchant history is a real differentiator, a way of looking at the past as indicator of future activity. Our bank is not be able to dig as deep.”

(37)

• Risk officers face exceptional uncertainty

• Regulators have offered qualified guidance

• New tools present partial solutions

• An additional level of intelligence is required

– Key elements

– Implementation

(38)

Key elements of merchant intelligence

1. Underlying merchants

2. Historical connections

3. Predictive modeling

4. Instant quantification

5. Risk-based approach

6. Rich reporting

(39)

1. Underlying merchants must be submitted

• Banks must obtain TPPP and TPS portfolios

• In totality

• Each new boarded customer

(40)

2. Merchant intel finds connections

• Random sample of many years of merchant history data

• Historical data provides access to a deeper level of connections so we can better detect bad actors

• By using these known connections, Data Science can make better predictions of merchant violations

(41)

Connections: a case study

Over $1MM of fraudulent charges from a company offering translation services

• 1 Merchant ID

• 1 Acquirer

• 1 URL

(42)

Connections: findings

After network investigation was complete

• 56 Merchant IDs

• 32 Acquirers

• 83 Related URLs

(43)

Merchant relationship mapping

Charting relationships throughout the payment value chain

(44)

3. Merchant intel enables predictive modeling

Key data points:

Public information

1. Blacklists and whitelists (OFAC, PEP, NABP, etc.)

2. Reputation data (aggregated from multiple sources)

Proprietary information

1. Historical data on merchants and individuals

2. Past fraud and content violations

3. Connections between individuals and businesses

Data science predicts likelihood of compliance violations or fraud

(45)

Predictive modeling: case study

1. UK bank onboards Merchant X and submits portfolio for review

2. Vendor reports Merchant X as high risk after detecting likelihood of past fraud (2 of 5 data points matched previous bad actor)

3. Merchant X instantly began fraudulent activity, which was not immediately detected in transaction flow

4. UK bank terminated merchant, limiting fraud to 2% of typical loss

Proprietary Data + Third Party Data = 99% accurate predictions that can reduce losses

[Chart: Losses from Merchant X vs. Typical losses. Labels: Limited Fraud Losses, ~£33,000]

(46)

4. Merchant intel can yield instant quantification

Speed

• Most results <1 second

• Significantly reduces merchant onboarding time

• Works in conjunction with your existing core platform solution and enhances existing processes

• API provides seamless integration with in-house systems or 3rd party platforms (ex. Zoot)

• Portal log in to access reports

Integration

Choice

(47)

[Figure: Applications a month, Minutes per application, Hours per month]

~ 10 full-time staff to review and process

(48)

3,000 New Applications

• Needs Review: 420 Applications (14%)

• Prelim Approval: 1,830 Applications (61%)

• Declined: 750 Applications (25%)

(49)

[Figure: Applications a month, Minutes per application, Hours per month]

93% time savings

(50)
(51)

Risk-based approach: case study

A US Bank faced additional scrutiny for inadequate KYC/KYCC policies.

Risk managers lacked tools for effective TPPP oversight, and TPPPs were not adhering to regulations to the same degree the bank was.

(52)

Risk-based approach: solution

Predictive merchant scoring gave them a more comprehensive risk profile of their TPPPs and underlying merchants.

The bank created a holistic TPPP oversight management program, including predictive merchant risk tools as the main ingredient.

The bank received praise from both external and internal auditors, and retained their merchant relationships and associated revenues.

(53)

6. Merchant intel can be richly reported

• Quick snapshot of categories of risk in your portfolio

• Benchmarking data to compare portfolio to the broader industry

• Continually evaluate your boarding process

(54)

Rich reporting: example

• Compare portfolio to rich database of risk information across the industry

• Helps to assess both positive and negative risk

(55)

Merchant intel for KYCC: summary

1. Underlying merchants

2. Historical connections

3. Predictive modeling

4. Instant quantification

5. Risk-based approach

6. Rich reporting

(56)

• Risk officers face exceptional uncertainty

• Regulators have offered qualified guidance

• New tools present partial solutions

• An additional level of intelligence is required

– Key elements

– Implementation

(57)

Implementation Tips

• Partner with TPPPs and TPSs on implementation

– Pass on investments in tools and analysts

– Encourage (stipulate) third parties to implement beneficial systems and processes

• Learn from regulatory and association best practices

– OCC and FDIC guidelines

– CMS from TPPPA

– NACHA guidelines

• Build systems and processes incrementally

– Start with hosted web services

(58)

MERCHANT INTELLIGENCE FOR 3RD PARTIES

Reduce Regulatory Burden

Decrease Risk

(59)

Dan Frechtling

dfrechtling@g2webservices.com

Steve Clendaniel

sclendaniel@g2webservices.com

Thank you!
