On January 31, 2011, the FDIC released revised guidance on payment processor relationships, spelling out with a lot more specificity its expectations for banks’ relationships with payment processors.

We have summarized below some highlights of what was added to the guidance by the FDIC, and also provide a redline showing the changes from the FDIC’s prior guidance, released in 2008.  Of particular interest to many of our clients, the FDIC notes that some payment processors may target smaller community banks, based on a belief that they may be more willing to engage in higher-risk transactions in exchange for increased fee income and may lack the infrastructure to properly manage or control a third-party payment processor relationship.

Highlights of some additions to the guidance include the following (not an exhaustive list):

  • Financial institutions should ensure their contractual relationships with payment processors provide them with access to necessary information in a timely manner. Agreements should also protect financial institutions by providing for immediate account closure, contract termination, or similar action, and establish adequate reserve requirements to cover anticipated chargebacks.
  • Financial institutions should adequately oversee all transactions and activities that they process and appropriately manage and mitigate operational risks, BSA compliance, fraud risks, and consumer protection risks, among others.  Financial institutions cannot rely solely on  due diligence performed by the payment processor.
  • Financial institutions that fail to adequately manage relationships may be viewed as facilitating the payment processor’s or merchant’s fraudulent or unlawful activity, and thus may be liable for such acts or practices. (Italicized portion is new.)
  • Financial institutions should take reasonable steps to ensure they understand the type and level of complaints related to transactions that they process. Consumer complaints may be sent to the financial institution, as well as to the payment processor, the merchant, consumer advocacy groups, online complaint websites, or posted on blogs.
  • Financial institutions should determine if there are any external investigations of or legal actions against a processor or its owners and operators, during initial and ongoing due diligence.
  • Policies and procedures should outline the financial institution’s thresholds for unauthorized returns, the possible actions that can be taken against payment processors that exceed these standards, and methods for periodically reporting such activities to the financial institution’s board and senior management.
  • Financial institutions should be aware of nested processing relationships, and obtain data on the nested processor and its merchant clients. Risk is significantly elevated with such relationships because nested processor and aggregator relationships may be extremely difficult to monitor and control.
  • The more a financial institution relies on a processor for due diligence and monitoring of merchants without direct financial institution involvement and verification, the more important it is to have an independent review to ensure that the processor’s controls are sufficient and that contractual agreements between the financial institution and processor are honored.
  • Board-approved policies and programs should assess the financial institution’s risk tolerance for payment processing activity, verify the legitimacy of the payment processor’s business operations, determine the character of the payment processor’s ownership, and ensure ongoing monitoring of payment processor relationships for suspicious activity, among other things. (Italicized portion is new.)
  • Adequate routines and controls include sufficient staffing with the appropriate background and experience for managing third party payment processing relationships of the size and scope present at the institution, as well as strong oversight and monitoring by the board and senior management.