Regulations That Matter For Third-Party Payment … 2017 MAC Con...• A Third-Party Payment...
33
Regulations That Matter For Third-Party Payment Processors Jane Hennessy, Head of External Alliances, G2 Marsha Jones, President, TPPPA
Regulations That Matter For Third-Party Payment … 2017 MAC Con...• A Third-Party Payment Processor (TPPP) is a depository customer of a bank that processes payments, (debits and/or
Regulations That Matter For Third-Party Payment Processors
Jane Hennessy, Head of External Alliances, G2Marsha Jones, President, TPPPA
• A Third-Party Payment Processor (TPPP) is a depository customer of a bank that processes payments, (debits and/or credits,) on behalf of other companies through the TPPP’s bank.− Payroll Processors are considered Third-Party Payment Processors.
• TPPPs customarily referred to processors that process ACH and/or remotely created checks (RCC). However, it has become more broadly known as:− A party that has a contractual relationship with another company to process payments for
that company through the TPPP’s bank; and− The bank does not have a contractual relationship with the company initiating the payment.
• TPPPs are known as Third-Party Senders (TPS) under the NACHA Operating Rules (First defined in December 2004).
What is A Third-Party Payment Processor?
Earliest Guidance on TPPPs
OCC BULLETIN2006-39
• Risk Management Guidance: Automated Clearing House
• September 1, 2006• References
Third-Party Senders
OCC BULLETIN2008-12
• Risk Management Guidance: Payment Processors
• April 24, 2008
FIL-127-2008
• Guidance on Payment Processor Relationships
• November 7, 2008
• Many relationships with banks predated (sometimes by decades) the distinction TPPP or TPS.
• These relationships continued to be treated as direct originators of payments.• TPPPs were often not advised of their expanded compliance responsibilities,
primarily because the banks did not recognize the need to reclassify these relationships.
• TPPPs and banks historically focused on the credit, operational and fraud risks related to these relationships, consistent with direct merchants/originators.
A radical shift in policy,but what’s the impact to payments?
Presenter
Presentation Notes
Clearly there has been a shift in policy, but how will this impact regulations, specifically regulations that matter to Payment Processors be impacted?
• Unit within the Financial Fraud Enforcement Task Force• First meeting on February 10, 2012• Formed to “address several areas of concern, including payday lending
and other high-pressure telemarketing or Internet scams, business opportunity schemes, for-profit schools that engage in fraud or misrepresentation, and fraudulent third-party payment processors that facilitate payments on behalf of other fraudsters without the permission of the customer.”
• Members of the Consumer Protection Working Group included (among others):− FTC, CFPB, DOJ and other law enforcement, Bank Regulators, FinCEN, Various
States Attorneys General
Obama’s Policy: Consumer Protection Working Group
Presenter
Presentation Notes
Look back
• Supervisory Insights Summer 2011 — Managing Risk in Third-Party Payment Processor Relationships– 1st Publication of High Risk List
• FIL-3-2012, Payment Processor Relationships, Revised Guidance – References High Risk List
• FIL-43-2013, FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities
• FIL-41-2014, FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors – High Risk List Disappears
• FIL-5-2015, Statement on Providing Banking Services
FDIC Guidance: A Glimpse of a Shifting Policy
Presenter
Presentation Notes
The FDIC was an active proponent of Operation Choke Point and put the choke in Choke Point with its distribution of High Risk List that included both illicit and legal but high risk industries. Left banks with the impression that the list was a ”hit list” and caused banks to drop entire industry segments and payment processors out of fear of regulatory scrutiny and enforcement actions. 1st and 2nd Bullet points are outright assaults on third-party payment processing and disfavored industries 3rd Bullet “clarifies” FDICs policy related to engaging in high risk activities through guidance on a risk-based approach to compliance management 4th Bullet removes the “Hit List” and claims banks misunderstood its intent. It disappears from all reference on the internet 5th Bullet states FDIC policy that examiners cannot force banks to drop clients or programs without written approval from the regional office. These multiple guidance documents demonstrate the shift in policy inspired by the Consumer Protection Working Group and the pushback by the industry through lobbying and legal efforts. Reputation risk was paramount to this strategy and although the FDIC backed away from its aggressive stance, reputation risk was imprinted on the consciousness of the industry, particularly with banks. A shift in policy is not likely to create a wholesale shift in the strategies of bank boards, but will likely provide a cautious reconsideration and reentry by some into third-party payment processing with Best Practices being the Key to reentry.
• Executive Order to Reduce Regulation• Requires agencies to appoint regulatory reform task forces led by
regulatory reform officers • Mandate to identify regulations that:
– Eliminate jobs or inhibit job creation – Are outdated, unnecessary or ineffective – Have costs that outweigh their benefits– Are inconsistent with regulatory reform initiatives– Derive from since-rescinded executive orders
• Initial reports are due within 90 days
Trump’s Policy: Reduce Regulation
Presenter
Presentation Notes
President Trump is looking to reduce regulation. Which is a nice idea, but regulations are supposed to implement laws passed by congress. Real regulatory reduction will require acts of congress, but enforcement of regulations and overly burdensome regulatory guidance, particularly guidance by consent order should be reduced at a federal level. Unfortunately, this is not likely to impact state enforcement of consumer protection, particularly those states that have more progressive administrations like the state of New York and California. Even more business friendly states will continue to enforce Consumer Protection and enjoy the ability to leverage the CFPA UDAAP provisions. Expect that states to fill in any gap left by a potentially “defanged” CFPB.
• Federal Regulations– BSA/AML– Consumer Protection
• State Laws– Consumer Protection
o State Attorneys General
– Money Transmitter Licensingo Emphasis is Consumer Protection
• Payment System Rules
Regulations That Will Continue to Matter
• Federal Trade Commission Act (“FTC Act”) 1914 – Unfair or Deceptive Acts or Practices
(“UDAP”) 1938
• Regulation E– Implementing Electronic Funds Transfer
Act (“EFTA”) 1978– Enforced by the CFPB (formerly by FRB
Board of Governors)
• Telemarketing Sales Rule (TSR)– Implementing the Telephone Consumer
Protection Act (1991)– Enforced by the FTC
• Consumer Financial Protection Act (“CFPA”) 2010– Unfair, Deceptive, or Abusive Acts or
Practices (“UDAAP”)– Enforced by CFPB and States
• Restore Online Shoppers Confidence Act — 2010– Enforced by the FTC violations are
Purpose of this slide is to demonstrate the longstanding and continually evolving consumer protection regulations. It is important to note that these all originated from laws passed by congress and then were delegated to regulatory agencies for enforcement. The corresponding regulations have the force of law and implement the laws approved by congress and signed by the president. Regulatory guidance, particularly guidance by consent order, tends to be more policy focused. For example, the FDIC guidance on third-party payment processing that came out during the onslaught of Operation Choke Point was related to the shift in policy with the Obama administration. The first UDAP as part of the FTC Act has been around since 1938, almost 80 years, protecting consumer from unfair or deceptive acts or practices. It is unlikely to go away under the Trump administration, although we may see a shift in enforcement activity. The FTC, unlike the CFPB is comprised of a 5 member commission that cannot have more than three people from the same political party, which is likely why it has withstood the test of time. Many expect that if the CFPB is not dissolved, that it will likely go through an overhaul that implements a commission based leadership. Regulation E was the first Consumer Protection regulations specifically related to the electronic transfer of funds has been around since the late 1970s. The Telephone Consumer Protection Act, which has implications to payments, has been around since early 1990s and prohibits some telemarketing practices and implemented the Do Not Call registry. It has been amended recently to restrict certain types of payments authorized over the telephone. Additionally, several consent orders against payment processors have been filed for violations of the TSR that predate the Obama administration, particularly related to debt settlement companies and charging up front fees. Restore Online Shoppers Confidence ACT - This Act, like the EFTA and the TCPA, demonstrates the evolution of technology in payments and addresses Internet purchases by consumers. It prohibits any post-transaction third party seller from charging any financial account in an Internet transaction unless it has disclosed clearly all material terms of the transaction and obtained the consumer's express informed consent to the charge. The seller must obtain the number of the account to be charged directly from the consumer. This practice is commonly referred to as data passing. As technology evolves, congress will continue to implement laws to protect consumers. Consumer protection will not go away with the Trump administration although we are likely to see a gradual shift in way regulations are enforced at a federal level.
• Anti-Money Laundering and Prevention of Terrorist Financing is Global Effort facilitated by multi-national cooperation
• Financial Action Task Force (FATF)– Inter-governmental body established in 1989– Develops Recommendations that are implemented by FATF Members (FATF 40)– Monitors Members adherence to Recommendations– US was recently reviewed and criticized for lack of progress related to
Beneficial Ownership (KYC)
• US AML/BSA and OFAC efforts will not diminish under Trump administration
Anti-Money Laundering and Terrorist Financing
Presenter
Presentation Notes
Money laundering enforcement is key to stopping the flow of funds from illegal activities with a large emphasis on drug proceeds. Additionally, the prevention of terrorist financing has been taken up in the same global efforts. The biggest changes to the BSA/AML regulations were implemented through the USA PATRIOT act during the Bush administration shortly after 911. Even if the Trump administration were predisposed to ease up on anit-money laundering and terrorist financing, it would not be able to back away from the global efforts without extreme consequences to the United States. Due Diligence efforts related to Knowing Your Customer and distinguishing beneficial ownership will only increase, particularly with the increased terrorists threats and the criticism of FATF.
• Joint efforts of FTC, DOJ, FinCEN and States• Alleges willfully failing to maintain an effective anti-money laundering
program and aiding and abetting wire fraud against consumers• Included both Anti-Money Laundering and Consumer Protection violations
UDAP and TSR• $586MM forfeited in FTC/DOJ Action• $184MM in FinCEN penalties
Insights from Western Union Action
Presenter
Presentation Notes
Several significant insights with this action that address core compliance principles related to anti-money laundering and consumer protection. Joint agency efforts Money Laundering AND Consumer Protection Violations Consumer protection included both violations of the FTC Act (UDAP) and the Telemarketing Sales Rule State and Federal Efforts Interesting the action was filed on January 20th (same day as the passing of the baton), however it is highly probable that this action would still have occurred under the new administration. The laws related to this action predate the Obama administration. The violations in this complaint would have been rigorously enforced under the Trump administration but probably with less active participation of the DOJ. BSA/AML – USA Patriot Act - 2002 FTC Act (UDAP) – 1938 TSR - 1991
• BSA/AML/OFAC and Consumer Protection Regulations predated the Obama Administration
• Due Diligence and Know Your Customer element to both• Both expect monitoring of merchants for suspicious activity on an
ongoing basis• FinCEN, FTC, Bank Regulators and State enforcements will continue with
or without a CFPB• Best practices are designed to address core compliance obligations that
transcend administrations and shifting policy
Conclusion: Stay the Course
Presenter
Presentation Notes
So in conclusion, much of the regulation that are applicable to payments predated the Obama Administration, some by decades. The core compliance requirements of Anti-Money Laundering, Preventing Terrorist Financing and Consumer Protection that relate to the safety of our country and the care of our citizens will not go away. I Poor compliance management leads to reputation risk. Even high-risk legal industries are allowable if the processor and bank can support their compliance management systems and demonstrate that they Know Their Customers and have tools and programs in place to effectively monitor their customers and support their policies. Yes, the administration has changed and the shift in policy will have an impact, however, federal policy does not impact the states. States will fill the gap. Regulations implement laws made by congress. The regulations cannot simply go away without the laws being changed. The message is to stay the course and maintain good compliance management systems and utilize tools to support your efforts. To protect your reputation and the reputation of your banks. Next Jane from G2 Web Services will share some case studies and how reputation monitoring tools can support banks and payment processors in their core responsibilities.
“Character is like a tree and reputation like a shadow. The shadow is what we think of it; the tree is the real thing.”
Abraham Lincoln
Case Studies
What Happened• Convinced millions she was “psychic”• Solicited the sick and the
financially desperate• Governments around the world, for
decades, tried shutting her down• The indifference of the payment
processor and at least one bank allowed money laundering and mail fraud to occur
Case of Maria Duval
Send in money and through
Duval’s psychic abilities…
Start seeing improvements in
your future
Duval’s Mail Scam
Victim’s of Maria Duval
WHAT HAPPENED
• CommerceWest Bank charged with ignoring clear warning signs that one of its third-party payment processors — V Internet — was committing consumer fraud
• V Internet operated a network of websites offering payday loans
• Over 750,000 Remotely Created Checks created and deposited totaling $22MM in unauthorized debits
• Resulted in $4.9MM settlement for CommerceWest Bank
Another case from 2014 reinforces the need to understand all of the businesses that your customer is involved with and to monitor them for consumer complaints as a signal of wrongdoing. In this case, CommerceWest Bank was charged with “ignoring clear warning signs” that one of its third-party payment processors - V Internet – was committing consumer fraud. V Internet owner Gareth Long operated a network of websites including fastloanfast.com, fastloan4me.com and loan4utoday.com that appeared to offer consumer access to payday loans in exchange for a $30 enrollment fee. According to the indictment from the Department of Justice, Long debited accounts from consumers who had never visited these websites and had never authorized these payments. As a payment processor, Long had access to customer financial information from transactions he had processed, and he used this information to create and deposit over 750,000 Remotely Created Checks totaling more than $22MM without customers’ authorization16
“Fastloanfast stole $30 dollars out of my account without me asking for their services or ever going to their website (which along with their phone # does not work). Truthfully do not know if this is the only time. Also their check process customer service # 866-678-3482 is just a voicemail box that is full.”
“This is a payday loan company and they withdrew from my account $30.00 for a loan which I did not apply for or authorize this withdrawal.”
“I checked my bank statement today and saw a $30 charge that I DID NOT Authorize! I will be talking to my bank in the morning!”
Hundreds of Consumer Complaints on Ripoff Report
• Bank is unaware of reputation issues of their customers and their customers’ customers
• Information gaps interfere with monitoring
• Regulators increasingly focused on reputation issues
Challenges G2 Solution
Reputation Monitoring
Using multiple sources create a holistic approach
Examples from a US Bank
Results Impact
• Several customers with poor ratings and/or CFPB complaints
• Ongoing monitoring
• Review ratings and CFPB complaints
• Exit relationships with poor reputation or reputational changes
• Reduce probability of regulatory fines
425 Complaint Board Complaints
176 CFPB Complaints
193 Ripoff Report
Complaints
Outcome for US Bank
Presenter
Presentation Notes
DOJ Civil Suit against Four Oaks Bank: *Texas TPPP debited consumer accounts without authorization *Bank executives turned a blind eye to repeated complaints that processor allowed payday lenders to rack up hi fees and interest on loans paid off *Also TPPP conducting online gambling � http://www.wral.com/government-accuses-four-oaks-bank-of-turning-blind-eye-to-illegal-activity/13285954/#W9AEjcEQISbcxHDf.99
• This business customer was the best-selling author of a book on Afghanistan
• The authors were entrepreneurs, offering security services ranging from consulting to provision of heavily armed bodyguards
• But there was a cloud hanging over their operations
• Did selling the book amount to profiting off of past misdeeds?
*The best selling going on here is that of Advantage Publishing and Marketing services
After pleading guilty to conspiracy and a scheme to defraud the US
government in Afghanistan, the authors opened an account to accept
payments for their book, speaking tours, and consultancy
telling their version of events
Past Wrongdoing
Bank concerned about…
• CFPB expanding UDAAP laws• States enforcing Dodd-Frank• States’ own UDAP laws
...and the risk of law-breaking clients
Bank is able to…• act on this alert• investigate other suspect businesses • avoid regulator penalties
G2 finds Injunction from TX Attorney General
US FI Discovers Client Violating Consumer Protection Laws
Presenter
Presentation Notes
*US banks are attentive to the regulatory actions of the CFPB, the expanding definition of what is considered UDAAP (Unfair, Deceptive, or Abusive Acts and Practices), and the liability banks face for ignoring reports of UDAAP activity. *One of the reasons clients choose G2 is to avoid servicing businesses that harm consumers. Banks that serve businesses that breach UDAAP laws risk consent orders and other legal penalties *G2 can provide published reports of unlawful activity conducted by businesses in client bank portfolios. In this case, an appliance seller in Texas was misleading shoppers, including the elderly, disabled and veterans. *G2’s information allowed the bank to investigate the business and terminate its account. Note: Dodd-Frank Title X established CFPB under Consumer Financial Protection Act of 2010, giving it authority to to administer, enforce, and otherwise implement federal consumer financial laws. Under Dodd-Frank section 1042, state AGs or regulators can bring civil actions to enforce Dodd-Frank Title 10
• “The Wrath of Conn’s: The Appliance Store That Ignored The Times”
• New CEO − “Ultimately, at the end of the day, the only way to
grow our business is to have a great name and a great reputation.”
State AGs abhor a vacuum, and will fill the void opened by a retreat of the CFPB
“A well-functioning FTC, in conjunction with state authorities, can handle consumer protection and anticompetitive issues.”
Mark Jamison, on Trump transition team assigned to FCC
California, Virginia, Oregon, and Texas AGs, as well as banking regulators in fourteen states, are already partnering with the CFPB on sharing complaint information. Director Cordray urged “every attorney general to take advantage of this technology.”
CFPB Monitor, Feb 26, 2014
Under Dodd-Frank Section 1042, a state AG or regulator is authorized to bring a civil action to enforce provisions of Dodd-Frank Title 10
“History has demonstrated that states, not the federal government, have the requisite knowledge and experience to effectively regulate nondepositoryfinancial service providers and guard against predatory and abusive practices.”
NY DFS Superintendent Maria T. Vullo
“[State AGs] have been going after financial services industries in the name of protecting consumers and there’s been really no pushback on the federal side…The federal government might not like it, but it won’t stop them.”
• Pinpoint business customers with declining reputation or negative news hits
• Consult multiple leading sources of consumer complaints
• Check over 100,000 unique sources of negative news
Holistic Reputation Monitoring
• Regularly review features of consumer products and services. Evaluate product features and promotional materials and determine if any terms fall within the broad definition of UDAAP.
• Evaluate new products for features that could be misunderstood or ones that have been omitted.
• Evaluate written and oral methods of communicating product features to consumers.• Review third-party service provider agreements to develop a clear understanding of
the services surrounding the service being provided.• Review all bank policies and procedures for practices that suggest unfair, deceptive or
abusive practices.• Create a consumer-friendly culture within your organization.• Evaluate customer complaints for signs of more systemic problems.
