In response to requests from members of Congress, and presumably banks and third-party processors, the FDIC issued a letter Sept. 27 clarifying its policy and supervisory approach for financial institutions that facilitate payment processing for higher-risk merchants.
The letter makes clear that financial institutions may facilitate payment processing services to legally compliant merchants if the institution manages the risks associated with such activities. To manage such risk, financial institutions must “perform proper risk assessments, conduct due diligence sufficient to ascertain that the merchants are operating in accordance with applicable law, and maintain appropriate systems to monitor these relationships over time.” Such efforts are for bankers to “assure themselves that they are not facilitating fraudulent or…illegal activity,” and thus not exposing themselves to financial or legal risk.
I am sure that all parties involved in payment processing activities appreciate the FDIC's formal sanctioning of such processing activities for insured financial institutions that follow the letter and other regulatory guidance by implementing a proper compliance management system for the merchant relationship. The letter does not prohibit relationships with higher-risk merchants by insured financial institutions. In fact, apart from footnotes to prior FDIC pronouncements, there is no mention in the letter of any reputation risk associated with processing activities for higher-risk merchants.
Unmentioned by the letter is the FDIC's reliance on the subjective standard involved with assessing reputational risk in connection with payment processing activities for higher-risk merchants. Instead, the standard has shifted, appropriately, to more objective criteria, focusing solely on whether the merchant is operating in compliance with applicable law and whether appropriate compliance management systems exist. Banks, as well as third-party processors, have been enhancing their previously implemented controls to monitor merchants' compliance with applicable law to mitigate risks. They will certainly need to continue to do so in order to continue providing payment processing services to higher-risk merchants. Admittedly, all such instances predate the Sept. 27 letter. In short, does the letter foretell that the FDIC will apply a reasonable standard for a bank's compliance management system with respect to payment processing activities?
Although the letter specifically states that financial institutions operating with the appropriate systems and controls to oversee payment processing transactions will not be criticized during FDIC examinations, it is too early to determine the standard the FDIC will apply for a bank-level compliance management system to effectively monitor merchant relationships, including the initial due diligence performed on higher-risk merchants. I expect that banks and processors hope that the standard will be established at a level upon which reasonable minds can agree. However, I am aware of instances of FDIC personnel, all the way up to regional directors, advising banks under their supervision that they should not associate with certain businesses or else implement a CMS the scope of which would be tantamount to a prohibition of payment processing by the bank to higher-risk merchants.
The letter also leaves open the issue of how to assess whether operations by certain merchants are legal, such as the much-publicized activities of lenders. Regulators may approach complex legal issues, such as those involving certain lenders, with an existing frame of reference. Hopefully, the letter means that examiners will respect good-faith efforts by banks and processors to satisfy themselves that merchant conduct is legal, rather than what is currently happening whereby examiners expect banks and processors to guarantee how the courts will weigh in on such matters. While the letter provides some comfort for banks engaging in, or considering engaging in, payment processing activities with higher-risk merchants, it does not create a safe harbor. Banks will need to implement a compliance management system to oversee payment processing activities that the FDIC deems to be satisfactory with respect to determining the legality of a merchant's activities. Is it possible to do so? The footnotes to prior FDIC guidance make it seem like it is a hurdle that can be cleared. Yet many banks and processors currently have effective systems, including comprehensive initial diligence on merchants, as well as ongoing monitoring of the merchant's activities. Thus, the FDIC's standard is still unknown, particularly with respect to merchants deemed to be higher risk solely because third parties are questioning the legality of their operations.
Prior to Sept. 27, the FDIC had created a two-tier system of regulation. Bankers have told me of instances in which they have cut loose a customer at the FDIC's urging only to have that party establish accounts at the money center bank down the street. Moreover, the FDIC's public approval of payment processing services to higher-risk merchants may be diluted in the examination context. Examiners may determine that the payment processing activities have a potential negative impact on reputation risk, despite steps taken by the bank to mitigate risks associated with the activities. In this context, the FDIC has appeared to apply a different standard of reputation risk than its regulatory brethren.
Despite the unanswered questions, the letter provides a foothold for banks that provide payment processing activities to higher-risk merchants, particularly when questioned about such activities in the examination context.
Peter G. Weinstock leads the Financial Institutions Corporate and Regulatory practice at Hunton & Williams LLP.