Connect ► twitter| youtube|  Log In ► Members Only  |  Corporate One Safekeeping  |  Search

What credit unions need to know about third-party payment processors

By: Jennifer Morrison, VP, Senior Risk Manager

Jennifer MorrisonSeptember 26, 2014 -- In previous issues of Solutions, I discussed the need for credit unions to create a culture of compliance for BSA/ALM. Last month I discussed the additional due diligence required when serving money services business (MSBs). This month, I want to share with you another high risk member group that requires enhanced due diligence - third-party payment processors.

What is a third-party payment processor?

Third-party payment processors (TPPPs), also known as “non-bank payment processors,” are members that provide payment-processing services to others, including individuals and entities that may or may not be members of your credit union.

With the expansion of the Internet, traditional brick-and-mortar payment system boundaries have been eliminated. Anyone with a scanner or smart phone can process share drafts. TPPPs include tax accountants, attorneys, physicians, and collection agencies that routinely process ACH debits and credits, remotely-created checks (RCC), and/or transmit remote deposit capture (RDC) images for processing payments associated with their business.

Where is the risk with TPPPs?

The traditional “know your member” is problematic when the payments being processed are for your member’s customers. TPPPs are therefore vulnerable to fraud schemes, identity theft, money laundering, and other illicit payment schemes. Not unlike Corporate One processing payments for our members, there is an implicit reliance on the member TPPP in this case to do an appropriate level of due diligence within their business practices to prevent illegal schemes and activity from flowing inadvertently through your credit union.

In addition, the TPPPs themselves may be conducting illicit schemes. While some may joke about the monthly ACH debit that seems to never end, the reality is that there are fraudulent tele-marketing schemes, for example, that start with a single telephone- or web-authorized ACH debit. The debits come month-after-month, and the consumer seems unable to stop them. The bellwether of this kind of behavior is when the volume of unauthorized returns from a particular member’s account exceeds the credit union’s average or exceeds the levels of ACH returns for your other business members.

Assessing TPPP risk

Credit unions must have its own BSA/AML and OFAC risk assessment. The first step in the risk assessment process is the identification of specific products, services, members, entities and geographic locations unique to the credit union. While attempts to launder money, finance terrorism, or conduct illegal activities through your credit union can emanate from any number of sources, historically there are some products, services, members, entities and geographic locations that have proven more vulnerable or more often abused than others. In particular, some products and services facilitate a higher degree of anonymity. The BSA/AML Examination Manual has identified as higher risk “services provided to third party payment processors or senders.” So going forward, it is probably wise for you to consider these members as higher risk too.

The second step of the risk assessment process requires that your credit union conduct due diligence on the data provided in step one. This due diligence should initially consider the 1) purpose of the account; 2) actual or anticipated activity in the account; 3) nature of the member’s business/occupation; 4) member’s location(s); and 5) the types of products and services used by the member.

Establishing an Enhanced Due Diligence (EDD) program

This baseline due diligence from a risk assessment is not sufficient for higher risk members, and an Enhanced Due Diligence (EDD) program must be followed when serving these members. Members that pose higher money laundering or terrorist financing risks present increased BSA/AML risk to credit unions. EDD for higher-risk members must incorporate an understanding of their anticipated transactions and a monitoring system that reduces the credit union’s reputation, compliance, and transaction risks. Higher-risk members and their transactions should be reviewed more closely at account opening and more frequently throughout the term of their membership. The U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) is telling credit unions like Corporate One that we have to take ownership of this risk when doing business with TPPPs.

EDD requires that the credit union consider obtaining the following information on the member both at the time the TPPP joins the credit union and throughout their membership:

  • Purpose of the account.
  • Source of funds and/or wealth.
  • Individuals with ownership or control over the account, such as beneficial owners, signatories, or guarantors.
  • Occupation or type of business (of customer or other individuals with ownership or control over the account).
  • Financial statements.
  • Banking references.
  • Domicile (where the business is organized).
  • Proximity of the member’s residence, place of employment, or place of business to the branch or branches the member uses.
  • Description of the member’s primary trade area and whether international transactions are expected to be routine.
  • Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers.
  • Explanations for changes in account activity.

On July 30, 2014, FinCEN released a Notice of Proposed Rulemaking (NPRM) to amend existing BSA regulations. The beneficial ownership NPRM seeks to clarify that “customer due diligence includes four core elements: identifying and verifying the identity of customers; identifying and verifying the beneficial owners of legal entity customers; understanding the nature and purpose of customer relationships; and conducting ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions.”

“The beneficial ownership requirement is intended to provide us with an important new tool to track down the real people behind companies that abuse our financial system to secretly move and launder their illicit gains,” said David S. Cohen, Under Secretary for Terrorism and Financial Intelligence. “Along with meeting our international commitments, this rule would make our financial system more transparent by exposing the activities of illicit actors who will no longer be able to hide behind their anonymity.”

TPPPs supply important services to their customers and require payment services in order to run a profitable organization. However, choosing to serve higher risk members like TPPPs brings upon a credit union additional compliance responsibilities. Our regulators are not suggesting that these important businesses are not important members of our communities. Rather, our regulators are reminding us of the risks present, and the EDD requirements imposed upon all financial institutions making the decision to provide products and services to TPPPs and other higher risk members.