Compliance officers at financial institutions seeking insight on the Federal Deposit Insurance Corporation’s supervisory approach to banks' relationships with third-party payment processors will want to pay attention to recent speech given by FDIC acting general counsel Richard Osterman.
In a speech this month before the Subcommittee on Oversight and Investigations Committee on Financial Services, Osterman acknowledged the challenges and risks financial institutions face when engaging with third-party payment processors (TPPP), who “may have relationships with hundreds or even thousands of merchant clients for which they initiate transactions,” he said. “The vast majority of transactions passing through financial institutions and payment processors are legitimate transactions initiated by reputable merchants.”
Where a third party initiates a transaction that is not legitimate, however, the bank “can be held legally responsible for facilitating the activities and transactions of the TPPP,” Osterman warned. “As a financial regulator, the FDIC is responsible for ensuring that the financial institutions we supervise fully appreciate these risks, have policies and procedures in place to identify and monitor these risks, and take reasonable measures to manage and address these risks.”
The FDIC regularly reviews relationships between banks and TPPPs. “Our supervisory approach focuses on assessing whether financial institutions are adequately overseeing activities and transactions they process and appropriately managing and mitigating related risks,” Osterman said.
Financial institutions that will avoid criticism by the FDIC are those that properly manage their account relationships with TPPPs. “When we find that an institution is not properly managing its account relationships with TPPPs, the matter is discussed with bank management and noted in the institution's report of examination,” Osterman said. “If the deficiencies are not addressed, the bank may become the subject of an enforcement action to effect corrective action.”
In September 2013, the FDIC issued a Financial Institution Letter that clarifies and reminds financial institutions of the FDIC's policy and supervisory approach. “It states that financial institutions that properly manage relationships and effectively mitigate risks are neither prohibited nor discouraged from providing payment processing services to customers, regardless of the customers' business models, provided they are operating in compliance with applicable state and federal law,” Osterman said.
Broadly speaking, the FDIC's supervisory approach “focuses on assessing whether financial institutions are adequately overseeing activities and transactions they process and appropriately managing and mitigating related risks,” Osterman said. “Our supervisory efforts to communicate these risks to banks are intended to ensure institutions perform the due diligence, underwriting, and monitoring necessary to mitigate the risks to their institutions.”
In his speech Osterman also discussed the FDIC's interaction with the Justice Department’s consumer fraud initiative, Operation Choke Point.
In early 2013, the FDIC became aware that Justice Department was conducting an investigation into the use of banks and TPPPs to facilitate illegal and fraudulent activities. The Justice Department’s efforts were aimed at addressing potential illegal activity being processed through FDIC-supervised banks.
Thus, the FDIC had responsibility “to consider the legality of certain actions involving our institutions, as well as any potential risks such activities could pose for institutions we regulate,” Osterman said.
Accordingly, FDIC staff communicated and cooperated with the staff of the Justice Department involved in so-called “Operation Choke Point” based on an interest in the investigation into potential illegal activity involving FDIC-supervised institutions. FDIC attorneys' communication and cooperation with the Justice Department included requests for information about the investigation; discussions of legal theories and the application of banking laws; and the review of documents involving FDIC-supervised institutions obtained by DOJ in the course of its investigation.
“At all times, these attorneys worked for the FDIC and were performing their duties as lawyers for the FDIC in furtherance of the FDIC's mission,” Osterman said.
“The FDIC does not and should not make business decisions for the banks that we supervise. Indeed, each bank must decide the persons and entities with which it wants to have a customer or business relationship,” Osterman said. “The FDIC has stated very clearly and publicly that financial institutions that properly manage customer relationships and effectively mitigate risks are neither prohibited nor discouraged from providing payment processing services to customers, regardless of the customers’ business models, provided they are operating in compliance with applicable state and federal law.”