The FDIC said in revised guidance that processors, which typically hold deposit accounts at banks, are usually engaged in "legitimate payment transactions for reputable merchants." But processors that handle payments for online and telemarketing firms have a higher risk of ties to consumer fraud or other illegal activities, the agency warned.
"Given this variability of risk, payment processors must have effective processes for verifying their merchant clients' identities and reviewing their business practices," the FDIC said in a letter to the banks it supervises. "Payment processors that do not have such processes can pose elevated money laundering and fraud risk for financial institutions, as well as legal, reputational, and compliance risks if consumers are harmed."
Since banks lack a direct customer relationship with the merchants using a processor's services, monitoring risk associated with a payment process can be challenging, the guidance said.
The agency instructed banks to ensure due diligence of a payment processor before initiating a relationship, as well as ongoing monitoring.
"At a minimum, Board-approved policies and programs should assess the financial institution's risk tolerance for this type of activity, verify the legitimacy of the payment processor's business operations, determine the character of the payment processor's ownership, and ensure ongoing monitoring of payment processor relationships for suspicious activity, among other things,"
The FDIC said banks should be on the lookout for processors that use more than one financial institution to process merchant payments, as well as process that have business relationships with troubled financial institutions needing capital. An increase in consumer complaints about specific merchants used by a processor - which suggest unfair and deceptive practices - is also a red flag.
"Financial institutions should also determine, to the extent possible, if there are any external investigations of or legal actions against a processor or its owners and operators during initial and ongoing due diligence of payment processors," the guidance said.
