FDIC Explains Processing Guidance
Regulator Says Banks Must Watch Merchants and Risky PaymentsMichael Benardo says federally regulated banks and credit unions can soon expect more scrutiny about the due diligence and background checks they conduct on third-parties, especially payments processors and merchants.
As head of the Federal Deposit Insurance Corp.'s Cyber-Fraud and Financial Crimes Section, part of the Division of Risk Management Supervision, Benardo says flagging high-risk merchants and thwarting questionable transactions is the responsibility of financial institutions. In New Guidance on Payments Processing, issued specifically to address risks posed by payments processors, the FDIC says transactions conducted for telemarketers, online businesses and others, pose unique security challenges and risks. Banking institutions must respond by conducting and demanding consistent and comprehensive monitoring.
"Institutions need to be on the lookout for a high rate of return on products," Benardo says during an interview with BankInfoSecurity's Tracy Kitten (http://www.bankinfosecurity.com/interviews.php?interviewID=1378). "In some of the cases we're investigating, we're seeing return rates of over 50 percent; that means more than half of the consumers who are buying products are returning them."
Processors are not conducting adequate due diligence, at least not across the board. "The payment processors themselves are not really verifying their merchant clients," Benardo says. "In fact, they are advertising, in some cases, that they like to take on high risk clients, so it's really then up to the bank to do the due diligence to understand who these merchant clients are whose transactions are flowing through that financial institution."
During the interview [transcript below], Benardo discusses:
- How the updated guidance will impact federal regulatory examinations;
- Possible penalties for non-compliance;
- How monitoring consumer complaints via social media can avoid public relations nightmares.
At the FDIC, Benardo oversees all aspects of fraud-related initiatives, including establishment of regulatory policies and procedures. He develops fraud-related supervisory programs, including examination techniques, and represents the FDIC on interagency working groups. Benardo has spent more than 20 years with the FDIC. Before joining the FDIC, he spent six years working in commercial banking.
Defining High-Risk
TRACY KITTEN: The FDIC has issued new guidance that outlines risk mitigation practices banks should follow when working with payment processors. High risk processors like those that handle transactions for telemarketers, online businesses, and other merchants require banks to conduct comprehensive due diligence and monitoring. Hi, I'm Tracy Kitten with Information Security Media Group. I'm here today with Michael Benardo, chief of the FDIC's Cyber-Fraud and Financial Crime Section within the division of risk management supervision who provides an overview of the FDIC's update guidance for payment processors and what it means for financial institutions.
Mike, can you tell us a little bit about why the FDIC has identified third-party payment processors as entities that pose increasing security and fraud risks, why are we seeing updated guidance now?
MICHAEL BENARDO: Sure, Tracy. Well during the past several years the FDIC has observed an increase on a number of deposit relationships between financial institutions and third-party payment processors and a correspondence increase on the risk associated with these relationships. The deposit relationships with payment processors can expose financial institutions to risks not present in typical commercial customer relationships. These include things like greater strategic credit, compliance, transaction, legal, and most importantly reputational risk. Back in 2008 the FDIC issued first guidance on payment processor relationships which outlined risk mitigation principles for this type of higher risk activity. Since that time we have seen an increase in this activity as I stated and we've learned more about this risk, so we felt it was important to update that guidance and reissue it as we did at the end of January.
KITTEN: Now the FDIC's new guidance notes specific security and fraud risks such as the increased probability to processors dealing with telemarketing and online merchants pose higher risks since they are often linked to consumer fraud and illegal activities. Can you tell us Mike what are some of the key security risks that have been identified by the FDIC?
BENARDO: Although many clients of payment processors are reputable merchants, we have seen an increasing number of relationships where their clients are considered high risk. These kinds of merchants use payment processors to charge consumers for questionable for fraudulent goods and services. They might engage in high pressure sales tactics, deceptive sales tactics, aggressive telemarketing, or enticing or misleading pop-up ads on websites. For example, consumers should be cautious when a website offers a free information and asks consumers to provide payment information to cover a small shipping and handling fee. In some instances, and without really proper disclosures, consumers agree to pay these fees and often find that their bank accounts are debited for more than the fee and they find themselves with costly plans without their knowledge or understanding. Other kinds of merchants that we've seen used these payment processors to initiate payments for the sales of product and services for things like online sale of tobacco products or internet gambling which both are illegal in this country.
Verifying Merchants and Reviewing Payments
KITTEN: Now payment processors must have effective steps in place Michael for verifying merchant identities and reviewing those merchant's businesses practices. How are most institutions currently evaluating those processing practices as parts of their vendor management programs?
BENARDO: Well, let me just clarify something. This doesn't really follow under a vendor management program because the types of third-party payment processors this guidance specifically addresses are not considered vendors of the financial institution; they are customers of the financial institution. They are an entity that establishes a deposit relationship with the bank and then use that account to deposit transactions on behalf of the client merchants which are originating the transactions from sales as I described of goods and services. So the comment that payment processors must have effective steps in place for verifying merchant identities, I would agree that is what we would like to see, but what we've seen in these relationships is that they don't. The payment processors themselves are not really verifying their merchant clients. In fact, they are advertising in some cases that they like to take on high risk clients so it's really then up to the bank to do the due diligence to understand who these merchant clients are whose transactions are flowing through that financial institution.
KITTEN: Now the FDIC says that it expects institutions to oversee all transactions and activities that it processes, as well as to manage and mitigate operational risks, compliance with the bank secrecy act, fraud risks, and consumer protection risks. How with the FDIC monitor these activities and what penalties might banks face for inadequate due diligence?
BENARDO: Well, the FDIC would monitor how banks are doing this at our normal examination process. When we examine a financial institution we look at how they manage all kinds of risks. This is just one more risk added to that list. We would look to see that, and our examiners would look to see that the bank has got a program in place if they have these kinds of payment processor clients that they are effectively managing that risk, and if we find that they are not, we have the full array of appropriate supervisor responses that we could take against the financial institution who is not appropriately managing this risk. Those include things like formal and informal enforcement actions, cease and desist orders, as well as civil money penalties. Then in some cases, we've seen that because the bank may be viewed as a facilitator of these payments, which may be harming consumers, we could evoke such and file the federal trade commission act for unfair and deceptive practices and initiate civil money penalties against the bank for that as well.
Regulatory Scrutiny and Enforcement
KITTEN: Then, Mike, what is the timeline for updated risk management practices? What should banks be expected to implement and by when?
BENARDO: Well, this is a little different then say the authentication guidance that recently came out where we are expecting all financial institutions to comply with certain thresholds or benchmarks by a certain date. This is more something that we would expect financial institutions to already have in place. As I mentioned, we first issued guidance back in 2008 on this issue and financial institutions that have third-party payment processors as clients should already have processes, procedures, policies in place to monitor the risks associated with those relationships.
KITTEN: Now, going back to some of the things that are noted in the actual guidance. The guidance mentioned suspicious processors that often target community banks, since smaller institutions often lack the infrastructure to manage or control a third-party payment processor relationship. Mike, what practices or steps could smaller banks take to ensure they aren't exploited? Can you elaborate here?
BENARDO: Well, again, the number one step they can take is doing appropriate due diligence. If they are going to have a deposit relationship with a customer, they need to understand who that customer is and what kind of transactions they are going to be processing or putting through that account. As you've mentioned, we've seen that some of these payment processors the more illicit or deceptive ones have actually been tricking institutions into opening these accounts. In other words, they'll say that it is going to be one type of an account and then after a few months change the type of activity they are using the account for. They'll start depositing these checks, which are usually either remotely created checks or demand drafts or ACH payments into their account that ultimately go back and hit consumer's accounts. We've also seen that they types of companies are targeting problem institutions. That they are going out on various websites and figuring out which financial institutions are in troubled condition, you know either by looking to see which financial institutions are under a consent order or some sort of enforcement action with their regulator, or just looking at you know how they are performing at their profit and loss.
Then approaching those institutions because they think they may be desperate for money, or fee income, or even capital. We've seen in some cases where the third-party payment processors have promised a great abundance of fees via income for the institution with little risks, stating that they'll manage all the risks that they'll give for example, guarantee payment if an item is returned and then that is not always the case as we've seen.
Information Sharing?
KITTEN: How could financial institutions do more to share information? So, if they communicated with one another about some of these suspicious processors, now might that help to raise red flags?
BENARDO: Well, I think that is a great idea. I think that would help immensely because what we do see is as soon as one bank closes down a relationship that third-party payment processor still needs access to the banking system so immediately starts looking for another financial institution to bank with. Or in some cases what we've seen is that they already have two or three different accounts established so that they can quickly move between institutions if they need to. For example, if they are shut down by one. We also see that they just use multiple institutions sometimes to help try and hide their activity. Use one bank for a couple of months and then switch it to a different bank for example, or they'll move different merchant activity to different financial institutions to help keep down some of the red flags like the rates of returns and things like that. Although, I would add there are some challenges to financial institutions sharing information about this because what we've seen, our experience has been that these entities will quickly change their name, they'll quickly form new corporations and incorporate new LLCs and kind of really morph themselves fast to try to stay under the radar.
KITTEN: Now, talking about the way fraudulent activity is typically identified. Banks usually hear about it from consumers and the FDIC notes that banks should be mindful of the prevalence of consumer complaints and or the amount of returns or chargeback's. Mike, do you see most banks adequately tracking consumer complaints right now?
Monitoring Consumer Complaints
BENARDO: We do; and in situations where we have institutions that have third-party payment process relationships that are well managed, one of the things the bank is doing is monitoring for consumer complaints. That could be consumer complaints that come directly into that institution by phone or email or website, or it could be looking for other types of complaints like on some of the different complaint boards that are out there on blogs on the internet. It is quite easy for financial institution to just go and do a Google Search for their name and then the word complaint, and they might be surprised what pops up. They might find that some consumers who had felt like they had been wronged by a particular merchant have sort of followed this whole trail of the money that it went from merchant "A" to payment processor "B" to bank "C" and they sort of show this and they'll describe this whole transaction on a complaint that they post. They really do it in an effort to try to help others from becoming victims of something like this, but there is a lot of stuff out there on the internet that a financial institution could look at to understand how consumers are perceiving the transactions that are flowing through that [Indiscernible] and in some cases even that bank. That is why I said earlier that it could be a very big reputational risk problem. If a bank is perceived by consumers as helping facilitate nuisance, fraudulent, or illegal payments that could be a challenge for them to try to recuperate from.
The other thing that I think institutions really need to be on the look out for is that high rate of returns, because you know this is a type of activity where there is a lot of buyer's remorse or just refusal where the consumer feels like, oh I didn't really mean to buy this product. They pressured me into it, I want to return this and cancel this subscription. Or they say, this isn't at all what the person described to me, you know they were describing something of a certain quality and what I got in the mail was really junk, and so I am returning the merchandise and going to have the payment stopped. So there is a lot of return activity especially unauthorized returns that happens and banks should be on the look out for high volumes of that, and in some cases that we've been dealing with, we've seen return rates over fifty percent. That means half the people who are buying something are not happy with it.
KITTEN: And before we close Mike, I did want to ask a little bit about steps that institutions should take to help mitigate some of these risks. To mitigate processing risks, banks are expected to higher staff members that have background as well as experience with third-party processing management, and the FDIC notes that ongoing monitoring should be overseen by the bank's boards of directors as well as senior management. Now, given all of the conformance and regulatory initiatives to which financial institutions are now expected to adhere, what recommendations can you offer? How can banks work to fiscally budget it all in?
BENARDO: Well, I don't think that this will require a financial institution to hire specific people to deal with this issue. I think it is something that could be dealt with in the normal course of risk management for a financial institution. The financial institution letter that we just issued really enumerates all the different due diligence and underwriting standards that we expect an institution to undertake, and those include things like just identifying that there are third-party payment processor relationships to start, incorporating appropriate policies and procedures in place regarding those types of accounts. In other words, maybe they have a written policy that says what kinds of thresholds they are willing, what kind of risk of threshold they are willing to accept. And, of course, that is why we think that senior management and the board really should sign off on that; because they are stating what level of risk they are willing to accept.
It could include things like identifying major lines of businesses and volumes for the processor's customers, reviewing the processor's policies procedures to determine if they are adequate, reviewing corporate documentation of the processor just to make sure everything is in line there, and reviewing their processor's promotional materials, including their website to determine it's target clientele. With some of these payment processors, we've seen if you go to their website, it will say, in very clear letters right across the top, "We accept high-risk transactions," or things like "Have you been turned down by Visa and MasterCard? Come to us."
So, they very clearly market themselves to high-risk clients who want to, again, sort of fly under the radar. If a bank looked at that, and that takes five seconds to do, they could determine right then: "Hey, this processor is targeting high-risk activity. Do we really want that flowing through our bank?" Maybe the banks should consider going out and visiting the business operation center to make sure that it is legitimate and things are in order. Then, as I said, review for consumer complaints that might already be out there about a third-party payment processor. They could use Google as a place to start, to just look to see if there are complaints, check with the Better Business bureaus, things like that. Then, determine whether there is any conflict of interest between any insider of the institution and the payments processor, you know, just to make sure that everything is on the up-and-up; make sure that there is not a certain member or employee of the institution that is trying to bring this relationship to the bank; if there is, make sure that it is all done within an arm's length transaction. The ongoing monitoring that we would expect is also explained in the guidance letter -- things like monitoring for complaints, monitoring for especially high levels of returns, monitoring for any other kinds of suspicious activity, and filing suspicious activity reports when they think that there is something suspicious.