FEDERAL DEPOSIT INSURANCE CORPORATION
Definition of Third-Party Relationship
Entity with which financial institution has entered into a business relationship
Facilitate customer access to bank services or products
Perform functions on the bank’s behalf
Bank or non-bank, affiliated or non-affiliated, regulated or non-regulated, domestic or foreign
Definition of Third-Party Payment Processor
What is a Third-Party Payment Processor or “Processor”?
Depositor that uses its banking relationship to process payments for its merchant clients
Benefits:
Fee income
Large deposit balances
Capital injections
Concerns:
Merchant clients several entities removed
Nested or aggregator relationships
Financial Institution Responsibility
Board and management oversight tailored depending on the relationship
The Board and management are responsible for managing activities conducted through third parties as if the activity were conducted directly by the institution
Risk Management Framework
Four Key Elements
Risk Assessment
Due Diligence
Contract Structuring and Review
2012 FDIC Revised Guidance on Payment Processor
FDIC Financial Institution Letter FIL-3-2012
January 31, 2012
FDIC releases Revised Guidance on Payment Processor Relationships
Replaces & updates 2008 Guidance on Payment Processor Relationships
Specific Risks of Processors
Credit Risks
Charge-backs from unauthorized transactions
Regulation CC warranty
Operational Risk
Compliance Risks
Reputational Risks
Financial institution tied to merchant clients
Legal Risk
Processor Red Flags
Targeting problem financial institutions in need of capital/earnings
Smaller financial institutions with limited resources for proper monitoring
Processors with relationships at multiple financial institutions at the same time
Consumer complaints
High Unauthorized Return Rates (URRs) or returns/charge-backs
Financial Institution Protections
Due diligence (initially & ongoing) – Know Your Customer(’s Customer)
Policies & procedures for monitoring (URRs/Returns, complaints, etc.)
Types of Payments
Remotely Created Checks (RCCs)
Remotely Created Checks
What are RCCs?
Regular paper check that the Merchant creates
No consumer signature
Consumer provides account number & bank routing number, and merchant prints check
Merchant submits for regular check processing
Risks of RCCs
Consumer complaints regarding unauthorized withdrawals from account
High volume – difficult to monitor
High URRs and returns/charge-backs
Basic ACH Terms
Parties – Originator, ODFI, ACH Operator, RDFI, Receiver.
SEC Type – 23 Standard Entry Class Codes, such as WEB, TEL, IAT, POP, RCK.
Return Codes – R01-R83
Credit Risk – 2 banking days from processing to settlement.
Debit Risk – 60 day returns from statement date.
Direct Access – third party uses the ODFI routing number.
ACH Origination Process
[Diagram labels: Operator (FRB/other); RDFI (three shown); ODFI; Direct Originator; TPPP; “Nested” TPPP; Originator]
ODFI – Originating Depository Financial Institution
RDFI – Receiving Depository Financial Institution
Originator – has a direct relationship with the Bank
TPPP – third party payment processor (third-party sender) who has the relationship with Originators (merchant clients) and “nested” TPPP.
Audit
NACHA Operating Rules and Guidelines are published annually. The Appendix Eight Audit is required by December 31 each year.
Note that this is an audit of compliance with NACHA’s operating rules.
It focuses on whether transactions are processed correctly.
The audit must be performed independently by a qualified individual.
Risk Assessment
NACHA’s Risk Management and Assessment rule (effective 6/18/10) requires that all Participating DFIs conduct a risk assessment of their ACH activities and implement risk management programs based on the results of such assessments
Requires overall review of the business of doing ACH
Could include:
• Allowed and prohibited business lines
• Contracts
• Policies
• Third party payment processor arrangements
• Staffing
Risk Assessment
Risk Assessment Objectives:
Determine risks/threats in ACH activities
Determine overall inherent risk
Review of the key control practices to limit those risks
Evaluate residual risk (risks vs. controls in place) and determine if level is acceptable
What’s Changed
Fee Income – revenue source as net interest margins shrink.
Federal Reserve Statistics – unauthorized returns (.03%), returns rates (1.01%), and % forwarded to assets (8%).
Volume - ACH Volume Increases 2.4% in 3rd Quarter 2012 with 4.11 billion transactions moving approximately $9.1 trillion.
Fraud – PATCO ACH Fraud Ruling Reversed: Appeals Court calls Bank’s Security ‘Commercially Unreasonable’ (only log-in and password credentials). $500,000 drained from deposit accounts.
Risk - Third-Party Payment Providers (TPPP) in FIL-3-2012 and FIL-44-2008. Internet Banking Environment FIL 50-2011.
Themes and Trends
No Board-approved policies/procedures
Growth beyond financial institution’s resources/abilities
Increase in fee income short-lived due to charge-backs
Red Flags
Transaction Volume Swings – Originators whose business or occupation does not warrant the volume or nature of ACH activity
Outbound (known) illegal Internet gambling debit(s) for commercial client(s);
Originators whose origination activity suddenly exceeds projections/credit limits with no reasonable explanation for such.
Red Flags
Originators (especially TPPPs) generating a high rate or high volume of invalid account returns, unauthorized returns, or other unauthorized transactions;
R05 (Corp. Debit posted to consumer acct not authorized) / R07 (Authorization Revoked), R10 (Consumer advises not authorized), R29 (Corp advises not authorized) where return rate exceeds 1% (NACHA guideline).
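The per-originator check this red flag implies, as an added example that is not part of the FDIC presentation: it counts returns carrying the four unauthorized codes above and flags any originator whose rate exceeds 1%. The originator names and volumes are constructed, and flagging an originator that has unauthorized returns but no originations in the period is an assumption of this sketch.

```python
from collections import Counter

# Return codes the slide lists as unauthorized-return red flags.
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29"}
THRESHOLD_PCT = 1  # the 1% guideline quoted on the slide

def unauthorized_return_report(originated, returns):
    """originated: {originator: debit entries originated in the period}
    returns: iterable of (originator, return_code) for the same period.
    Gives {originator: (unauthorized_count, rate_or_None, flagged)}."""
    unauth = Counter(
        name for name, code in returns
        if code.strip().upper() in UNAUTHORIZED_CODES
    )
    report = {}
    for name in sorted(set(originated) | set(unauth)):
        sent, bad = originated.get(name, 0), unauth[name]
        if sent == 0:
            # Assumption: returns can trail origination, so a period may hold
            # returns but no originations. No rate exists; flag for review.
            report[name] = (bad, None, bad > 0)
        else:
            # Integer comparison so exactly 1% is not pushed over by rounding.
            report[name] = (bad, bad / sent, bad * 100 > sent * THRESHOLD_PCT)
    return report

# Constructed sample data (hypothetical originators and volumes).
ORIGINATED = {"merchant-a": 2000, "tppp-b": 500, "merchant-c": 1000}
RETURNS = (
    [("merchant-a", "R01")] * 10 + [("merchant-a", "R10")] * 5
    + [("tppp-b", "R10")] * 4 + [("tppp-b", "R07")] * 3
    + [("tppp-b", "R29")] * 2 + [("tppp-b", "R01")] * 6
    + [("merchant-c", "R10")] * 10
    + [("merchant-d", "r10 ")] * 2  # no originations this period
)

if __name__ == "__main__":
    rows = unauthorized_return_report(ORIGINATED, RETURNS)
    for name, (bad, rate, flagged) in rows.items():
        shown = "n/a" if rate is None else f"{rate:.2%}"
        mark = "RED FLAG" if flagged else ""
        print(f"{name:12} unauthorized={bad:3} rate={shown:>6} {mark}")
```

Only the four unauthorized codes count toward the rate, so the R01 entries in the sample do not move any originator over the threshold.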
Yellow Flags
R01 (NSF) / R09 (Uncollected funds)
R02 (Acct. Closed)