Associated risks with third-party payment processors
Third-party payment processors (TPPPs) need financial institutions in order to provide their financial services to retail merchants, but financial institutions hesitate to take them on due to the cost of monitoring and the higher risk of potential fraud. TPPPs provide important payment processing services for retail merchants and have the potential to earn significant fee income for financial institutions.
However, the risks associated with banking TPPPs must be offset by thorough initial and ongoing due diligence. A financial institution must implement prudent and comprehensive monitoring practices in order to quickly identify, report and, ultimately, minimize suspicious or fraudulent activity.
A TPPP needs a deposit relationship with a financial institution to process payments for its merchants. The merchant sends a list of payments needed to the TPPP, and the TPPP generates the payments and deposits them into the deposit account at the financial institution. Payments are typically created as credit card payments, ACH debits or remotely created checks, the latter of which are noted as the highest risk channels for fraud.
The risk of fraud increases when both the financial institution and the TPPP do not perform proper due diligence or monitoring of the related merchants. Less than reputable merchants may create unauthorized payments using consumer information obtained through telephone or internet transactions or engage in unfair sales and payment practices including misleading advertising.
The key to understanding the TPPP is not only monitoring the activity going through the financial institution but also understanding the merchants’ industries and activities. The TPPP has an obligation to understand its own merchants including beneficial ownership, type of retail business, and the volume and types of payments to be processed. Contracted merchants that are long-term and well-known clients of the TPPP have a lower risk of potential fraud. In contrast, frequent changes in the merchants list may reflect less reputable or unstable clients. Watch for frequent termination and creation of new “doing business as” titles under the same merchant name that may be red flags for potential shell companies.
Ongoing monitoring should review for these changes in the TPPP’s merchants list to determine whether the merchants are short-lived and frequently turned over or whether there are changes in the merchants’ type of business. Just a few years ago, TPPPs engaged primarily with merchants with a physical location that made it easy to follow the activity; however, times have changed and many merchants now conduct online business. Online access also increases risk when the merchant can expand into international business as well as online gaming operations.
The TPPP itself is obligated to conduct its own due diligence of its merchants. The thoroughness of the TPPP’s due diligence efforts will speak volumes about its concern for keeping activity above board. At a minimum, the TPPP should be able to provide the financial institution with its list of merchants, including any online lenders, and be able to identify those merchants that have the highest volume of activity, the overall nature of the merchants’ industries with special attention to those that are noted as higher-risk businesses, anticipated volume for each merchant as well as any seasonal trends and the types of payments processed by each merchant.
A financial institution should take the next step to monitor ongoing activity and investigate any red flags for potential suspicious activity. It should determine whether the merchants list received from the TPPP actually matches the merchants found within the actual transaction history of the account. The TPPP, along with its merchants list, should be periodically compared to the Office of Foreign Assets Control’s Specially Designated Nationals (SDN) list. In addition, a financial institution should conduct a review of public records for consumer complaints, negative news, or any potentially unfair practices or legal concerns for both the TPPP and its merchants. The risks associated with the TPPP may warrant an on-site visit as well.
Similar to other higher-risk transaction reviews, the financial institution should determine whether expected dollar and volume of transactions, including charge-backs and returned items in relation to the NACHA return limits, are reasonable and periodically request the merchants’ anticipated activity for the upcoming year. If the institution is only seeing a minimal amount of anticipated activity, there is a good chance that the TPPP holds accounts at other financial institutions. If the institution can’t see the whole picture, the chance for layering transactions and related suspicious activity is significantly higher.
It is imperative for the internal fraud department to review and investigate any fraud alerts. If the financial institution is using an automated surveillance system, it must ensure that the rules and parameters for alerts are reasonable to identify suspicious activity related to ACH, debit, credit card and other related types of transactions of the TPPP.
The financial institution should conclude its periodic review by clearly describing the overall assessment of the TPPP and its related activity with a global perspective of the merchant relationships. A conclusion should be documented for all accounts that are reviewed, with a sense for what is happening, why it is happening and whether the activity is reasonable or potentially suspicious.
TPPPs are important service providers that need financial institutions in order to maintain their business. Implementing the proper due diligence and monitoring practices make these entities less intimidating and quite manageable, and passing along the costs of periodic monitoring can generate fee income that may support the compliance costs to maintain these accounts.
In addition, once a financial institution gains an initial understanding of its TPPPs, it should feel more comfortable conducting enhanced due diligence and periodic monitoring on them.
