ACH and Third Party Payment Processors
FEDERAL DEPOSIT INSURANCE CORPORATION
Definition of Third-Party Relationship
• Entity with which financial institution has entered into a business relationship
• Facilitate customer access to bank services or products
• Perform functions on the bank’s behalf
• Bank or non-bank, affiliated or non-affiliated, regulated or non-regulated, domestic or foreign
Definition of Third-Party Payment Processor
What is a Third-Party Payment Processor or “Processor”?
• Depositor that uses its banking relationship to process payments for its merchant clients
Benefits:
• Fee income
• Large deposit balances
• Capital injections
Concerns:
• Merchant clients several entities removed
• Nested or aggregator relationships
• Merchant client activities
Financial Institution Responsibility
• Board and management oversight tailored depending on the relationship
• The Board and management are responsible for managing activities conducted through third parties as if the activity were conducted directly by the institution
• Indemnity agreement not enough
Risk Management Framework
Four Key Elements
• Risk Assessment
• Due Diligence
• Contract Structuring and Review
• Oversight
2012 FDIC Revised Guidance on Payment Processor Relationships
FDIC Financial Institution Letter FIL-3-2012
• January 31, 2012: FDIC releases Revised Guidance on Payment Processor Relationships
• Replaces & updates 2008 Guidance on Payment Processor Relationships (FIL-127-2008)
Specific Risks of Processors
• Credit Risks
  – Charge-backs from unauthorized transactions
  – Regulation CC warranty
• Operational Risk
• Compliance Risks
• Reputational Risks
  – Financial institution tied to merchant clients
• Legal Risk
  – Class action lawsuits
Processor Red Flags
• Targeting problem financial institutions in need of capital/earnings
• Smaller financial institutions with limited resources for proper monitoring
• Processors with relationships at multiple financial institutions at the same time
• Consumer complaints
• High Unauthorized Return Rates (URRs) or returns/charge-backs
Financial Institution Protections
• Due diligence (initially & ongoing) – Know Your Customer(’s Customer)
• Policies & procedures for monitoring (URRs/Returns, complaints, etc.)
• Be aware of potential Compliance Risks
Types of Payments
• Remotely Created Checks (RCCs)
• Automated Clearinghouse Items (ACHs)
Remotely Created Checks
What are RCCs?
• Regular paper check that the Merchant creates
• No consumer signature
• Consumer provides account number & bank routing number, and merchant prints check
• Merchant submits for regular check processing
Remotely Created Check (example)
Risks of RCCs
• Consumer complaints regarding unauthorized withdrawals from account
• High volume – difficult to monitor
• High URRs and returns/charge-backs
• Unregulated environment
Basic ACH Terms
• Parties – Originator, ODFI, ACH Operator, RDFI, Receiver.
• SEC Type – 23 Standard Entry Class Codes, such as WEB, TEL, IAT, POP, RCK.
• Return Codes – R01-R83
• Credit Risk – 2 banking days from processing to settlement.
• Debit Risk – 60 day returns from statement date.
• Direct Access – third party uses the ODFI routing number.
• Terminated Originator Database – kept by NACHA
ACH Origination Process
[Diagram: Operator (FRB/other), RDFIs, ODFI, Direct Originator, TPPPs, “Nested” TPPP, Originators]
• ODFI – Originating Depository Institution
• RDFI – Receiving Depository Institution
• Originator – has a direct relationship with the Bank
• TPPP – third party payment processor (third-party sender) who has the relationship with Originators (merchant clients) and “nested” TPPP.
• “Nested” TPPP – a TPPP who processes for others and sends the files to the TPPP.
Audit
• NACHA Operating Rules and Guidelines published annually.
• Appendix Eight Audit required by December 31 each year.
• Note that this is an audit of compliance with NACHA’s operating rules.
• Focused on whether the transactions are processed correctly.
• The audit needs to be independent and performed by a qualified individual.
Risk Assessment
NACHA’s Risk Management and Assessment rule (effective 6/18/10) requires that all Participating DFIs conduct a risk assessment of their ACH activities and implement risk management programs based on the results of such assessments.
• Requires overall review of the business of doing ACH
• Could include:
  • Allowed and prohibited business lines
  • Contracts
  • Policies
  • Third party payment processor arrangements
  • Staffing
  • Limits (underwriting like a loan)
Risk Assessment
Risk Assessment Objectives:
• Determine risks/threats in ACH activities
• Determine overall inherent risk
• Review of the key control practices to limit those risks
• Evaluate residual risk (risks vs. controls in place) and determine if level is acceptable
• Test controls for effectiveness
What’s Changed
• Fee Income – revenue source as net interest margins shrink.
• Federal Reserve Statistics – unauthorized returns (.03%), returns rates (1.01%), and % forwarded to assets (8%).
• Volume – ACH Volume Increases 2.4% in 3rd Quarter 2012 with 4.11 billion transactions moving approximately $9.1 trillion.
• Fraud – PATCO ACH Fraud Ruling Reversed: Appeals Court calls Bank’s Security ‘Commercially Unreasonable’: only log-in and password credentials. $500,000 drained from deposit accounts.
• Risk – Third-Party Payment Providers (TPPP) in FIL-3-2012 and FIL-44-2008. Internet Banking Environment FIL 50-2011.
Themes and Trends
• No Board-approved policies/procedures
• Growth beyond financial institution’s resources/abilities
• Increase in fee income short-lived due to charge-backs
• Underestimate potential reputation risks
Red Flags
• Transaction Volume Swings – Originators whose business or occupation does not warrant the volume or nature of ACH activity
• Outbound (known) illegal Internet gambling debit(s) for commercial client(s);
• Originators whose origination activity suddenly exceeds projections/credit limits with no reasonable explanation for such.
Red Flags
• Originators (especially TPPPs) generating a high rate or high volume of invalid account returns, unauthorized returns, or other unauthorized transactions;
• R05 (Corp. Debit posted to consumer acct not authorized) / R07 (Authorization Revoked), R10 (Consumer advises not authorized), R29 (Corp advises not authorized) where return rate exceeds 1% (NACHA guideline).
• R03 (No Acct.) / R04 (Invalid Acct.) if volumes exceed “normal”
Yellow Flags
• R01 (NSF) / R09 (Uncollected funds)
• R02 (Acct. Closed)
• R08 & R52 (Payment stopped)
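The return-code groups from the Red Flags and Yellow Flags slides, scored per originator and rolled up through nested TPPPs, as an added Python example that is not part of the FDIC presentation. The party names, the sample counts, and INVALID_BASELINE (a stand-in for “normal”, which the slides do not quantify) are assumptions.

```python
from collections import Counter

# Return-code groups from the Red Flags / Yellow Flags slides.
UNAUTHORIZED = {"R05", "R07", "R10", "R29"}  # red flag above 1%
INVALID_ACCT = {"R03", "R04"}                # red flag above "normal"
YELLOW = {"R01", "R02", "R08", "R09", "R52"}
UNAUTH_LIMIT = 0.01      # 1% guideline quoted on the slide
INVALID_BASELINE = 0.02  # ASSUMPTION: placeholder for "normal", not from the slides

# Constructed sample data (not real): debit entries, file-sending chain, returns.
ORIGINATED = {"merchant_a": 10000, "merchant_b": 500, "direct_co": 2000}
PARENT = {"merchant_a": "tppp_nested", "merchant_b": "tppp_nested",
          "tppp_nested": "tppp_main"}
RETURNS = ([("merchant_b", "R10")] * 20 + [("merchant_a", "R01")] * 30
           + [("direct_co", "R03")] * 3)

def chain(name, parent):
    """The originator, then each TPPP above it up to the bank's customer."""
    seen = []
    while name is not None and name not in seen:  # stop on cycles
        seen.append(name)
        name = parent.get(name)
    return seen

def review(originated, returns, parent):
    """Return {party: {unauth_rate, invalid_rate, flags}} at every level."""
    volume, codes = Counter(), {}
    for name, count in originated.items():
        for node in chain(name, parent):
            volume[node] += count
    for name, code in returns:
        for node in chain(name, parent):
            codes.setdefault(node, Counter())[code] += 1
    report = {}
    for node, total in volume.items():
        if total == 0:
            continue  # no originations, no rate to compute
        c = codes.get(node, Counter())
        unauth = sum(c[k] for k in UNAUTHORIZED) / total
        invalid = sum(c[k] for k in INVALID_ACCT) / total
        flags = []
        if unauth > UNAUTH_LIMIT:
            flags.append("RED unauthorized")
        if invalid > INVALID_BASELINE:
            flags.append("RED invalid-account")
        if any(c[k] for k in YELLOW):
            flags.append("YELLOW")
        report[node] = {"unauth_rate": unauth, "invalid_rate": invalid, "flags": flags}
    return report
```

With the constructed data, merchant_b exceeds the 1% guideline on its own, while the blended rate at tppp_nested and tppp_main stays below it, which is why monitoring only at the processor level can hide a merchant several entities removed.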
Questions?
Thanks!
Pete Martino Field Supervisor
FDIC