KYCC Strategies for Managing Third-Party Payment Processor (TPPP) and Third-Party Sender (TPS) Risk

Transcription

1 KYCC Strategies for Managing Third-Party Payment Processor (TPPP) and Third-Party Sender (TPS) Risk Dan Frechtling SVP Marketing & Chief Product Officer April 20, 2015 Steve Clendaniel Director of Risk Consulting

2 KYCC strategies for TPPPs and TPSs KYCC: TPPP: TPS: Toyota Production System Know Your Customer s Customer Third Party Payment Processor Third Party Sender

3 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions An additional level of intelligence is required

4 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions An additional level of intelligence is required

5 Regulation has become competitive sport FRB FDIC OCC FTC CFPB In the US, we now have the regulatory Olympics. (SVP Payments for top 5 US bank) In 2014 US and European banks paid ~$65B in penalties, 40% greater than 2013, the previous high, according to BCG McKinsey estimates that senior executives spend about 20 to 25 percent of their time on regulatory matters Sources: Wall Street Journal, Dec 2014; Bankdirector.com, Jan 2015

6 Regulatory pressure is rising 2013 March October November 50+ Banks subpoenaed by the government to examine their risk management processes

7 and rising 2014 March April May June

8 and rising 2015 March April

9 Regulatory pressure is unavoidable This is the business that we ve chosen and these are the rules you must follow in order to be able to stay in the game. If we want to continue to grow and to prosper we have to get A s on your report card in terms of compliance. If you get anything less than that, they ll shut down your growth. It s just not optional. Executive Vice President and Chief Risk Officer, Midsized Bank Source: G2 Web Services Research Study, March 2015

10 Regulatory pressure is unpredictable It s almost a crap shoot, right? So anybody could come in, a new regulator that wasn t here last year, and say, That s not how I look at it, or you need to beef this up, or I saw this other institution do this. I m recommending this for you So there is some concern, but it s almost uncontrollable. Vice President, Risk Management and Compliance, Midsized Bank Source: G2 Web Services Research Study, March 2015

11 Regulatory pressure is examiner-driven it s more the human nature from an examiner, or a specific examiner, let s say, in their opinion or what they ve seen in their travels versus a new regulation coming out and being a total shock to us. Vice President, Compliance, Midsized Bank Source: G2 Web Services Research Study, March 2015

12 TPPP and TPS regulations are changing In an ever changing regulatory environment, especially TPPP being newer, is - are the regulators going to change their requirements? I think there s a black hole in banking, especially with examination, whereby examination procedures and guidance say one thing, but we re also held to best standards and practices. Executive Vice President and Chief Risk Officer, Midsized Bank Source: G2 Web Services Research Study, March 2015

13 TPPPs and TPSs can be opaque to banks The level of challenge with respect to any vendor relationship to which the banking regulators are requiring us to increasingly know, vet, and to fully understand what s going on in that vendor s black box. Those are sorts of things that keep you up at night. Executive Vice President and Chief Risk Officer, Midsized Bank Source: G2 Web Services Research Study, March 2015

14 TPPPs and TPSs may lose banking relationships 10 years ago, you linked up with a vendor and you sort of relied on them to do the things- you did your own due diligence but it wasn t nearly the same sort risk assessment process that you go through today. And what we see it evolving to is one that is even much, much more invasive for the vendor. You are going to have to discontinue certain relationships. Executive Vice President and Chief Risk Officer, Midsized Bank Source: G2 Web Services Research Study, March 2015

15 Entire categories of TPPPs and TPSs are at risk What has occurred is a lot of the very large institutions based on a lot of guidance from regulatory agencies have sort of de-risked their portfolio. And so a lot of them for instance don t do any clients that are money service business or third party payment processors because that s what it seemed like the regulators wanted and it s just easier, rather than trying to interpret, to just avoid it. EVP and CEO, Midsized Bank Source: G2 Web Services Research Study, March 2015

16 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions An additional level of intelligence is required

17 Regulators have provided bulletins on TPPPs

18 FDIC and OCC offer guidance and a framework FDIC FIL FIL FIL OCC BULLETIN BULLETIN BULLETIN

19 All agree on principles: onboarding, ongoing

20 Guidelines: Onboarding Conduct due diligence commensurate with the level of risk and complexity of the 3 rd party relationship Strategies: check growth goals, current and proposed structures, quality initiatives, efficiency improvements, employment practices are consistent with bank s philosophy Compliance: licenses, expertise, controls, status with regulators and similar organizations Financials: statements, trends, pending litigation, fee structures Reputation: complaints, years of experience, reference checks, SEC & regulatory filings, websites

21 Guidelines: Onboarding Conduct due diligence commensurate with the level of risk and complexity of the 3 rd party relationship Principals: senior management, key employees, subcontractors Risk management: independence of audit function, policies for escalating audit findings, SOC reports, other standards (e.g. ISO) IS: SLAs and performance metrics, change management processes, ability to mitigate data breach vulnerabilities Resilience: disaster recovery and business continuity plans in event of service disruptions

22 Guidelines: Onboarding Conduct due diligence commensurate with the level of risk and complexity of the 3 rd party relationship Security: physical security, incident reporting HR: training, succession planning, holding employees accountable for compliance Subcontractors: geographic locations, due diligence and monitoring; conduct your own diligence, look for legally-binding indemnification Insurance: bond coverage for dishonest acts, liability coverage for negligence, hazard insurance for disasters

23 Best practices: Onboarding Conduct due diligence commensurate with the level of risk and complexity of the 3 rd party relationship Have a prohibited category list Check the merchant for fraudulent activity Identify what the merchant is selling, beyond MCC/NAICS/SIC code Analyze the merchant s online history of risk Analyze the merchant s website for suspicious activity or hidden goods Require the same due diligence of your TPPPs with their customers

24 Guidelines: Ongoing Performed periodically during the course of the relationship, particularly when considering a renewal of a contract. Onboarding Ongoing Compliance Financials Insurance IS Resilience Subcontractors Reputation Principals HR Remediation Agreements Confidentiality

25 Best practices: Ongoing Performed periodically during the course of the relationship, particularly when considering a renewal of a contract. Check for migration to prohibited categories Persistently monitor the merchant for changes in goods/services offered Monitor the merchant for fraudulent activity Adjust your oversight based depend upon the potential risks and the magnitude of the arrangement Require Third Parties to monitor their merchants according to your standards, and request regular reports

26 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions Onboarding Ongoing An additional level of intelligence is required

27 Risk Managers have responded by using new tools Onboarding Ongoing 1 2 Identity Verification Manual Credit/Asset Searches 3 4 Transaction Monitoring Manual spot Checks

28 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions Onboarding Ongoing An additional level of intelligence is required

29 1. Identity Verification Tools Good standard practice Complies with core BSA/AML guidance for due diligence & EDD Recommended for compliance with CIP rule of Patriot Act Many financial institutions do some kind of criminal background check which is only as good as the data store which they are checking against. Guy Huntington, Identity Management expert X Verification can be outmaneuvered by black hat applicants X Most effective when applicants disclose information that can be verified X Only as good as the data store : misses hidden merchant risk

30 2. Manual Credit/Asset Searches Consolidates separate data sources into one platform Valued by most regulators as highly credible sources Provides a sense of control and rigor Because it s manual it s inconsistently applied. Level of experience of the evaluator varies. (the process) is staff intensive Chief Risk Officer, Large Bank, Midwest X May produce better information about principals than merchants X Quality of the review fluctuates based on analyst s experience X Lacks automated scoring that can speed underwriting

31 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions Onboarding Ongoing An additional level of intelligence is required

32 3. Transaction Monitoring Important and necessary for compliance with OCC s CFR & , and FDIC s FIL & FIL Improving quality of data science means anomaly detection is faster and more accurate Alerts can provide evidence of suspicious activity or outright fraud Allows for triaging of suspicious transactions separate from normal transactions for further review All things being equal, preventative controls are always better than protective controls. X Most effective after fraud has struck X Miss leading indicators of fraud X Outsmarted by black hat applicants Chief Risk Officer, Midsized Bank, Southeast Source: G2 Web Services Research Study, March 2015

33 4. Manual Spot Checks Easy to start and modify, especially at low volumes Simple to explain to auditors Fewer technical black boxes are involved There are manual reports that we look at. There s a daily payment processing report and then we can look at them monthly, quarterly or annually it s a very manual, labor intensive process. Chief Risk Officer, Midsized Bank X Are rarely conducted X Require technology and training to spot changes X Hard to detect deceptive marketing practices X Lacks automated scoring that can speed underwriting

34 All four miss vital aspects of KYC Missing: Hidden merchant risk Direct evidence of illegal activity, patterns of fraud and compliance violations Links to illicit merchants, criminal fraud rings, hidden websites Conducting business with many FIs Missing: Automated scoring History of fraud, compliance missteps Technology-enabled analysts rather than labor Predictions such as poor reputation with consumers, leading indicators of future fraud and compliance violations

35 Individual risk merchant risk Survey of Dual Occupation Professionals: Should US firms offer gifts to gain a foothold in a new market if this violated federal law? As engineers, 90% disagreed As managers, 50% agreed When people switch hats, they often switch moral compasses. -Keith Leavitt, OSU faculty Source: Oregon State Research Study, May 2012

36 Can hidden merchant patterns be detected? I doubt you can do this. It sounds good, but the proof is in the pudding. Looking at years of merchant history is a real differentiator, a way of looking at the past as indicator of future activity. Our bank is not be able to dig as deep. Senior VP, 3rd Party Risk Mgt, Midsized Bank, Mid-Atlantic Source: G2 Web Services Research Study, March 2015

37 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions An additional level of intelligence is required Key elements Implementation

38 Key elements of merchant intelligence 1. Underlying merchants 2. Historical connections 3. Predictive modeling 4. Instant quantification 5. Risk-based approach 6. Rich reporting

39 1. Underlying merchants must be submitted Banks must obtain TPPP and TPS portfolios In totality Each new boarded customer

40 2. Merchant intel finds connections Random sample of many years of merchant history data Historical data provides access to deeper of level connections so we can better detect bad actors By using these known connections, Data Science can make better predictions of merchant violations

41 Connections: a case study Over $1MM of fraudulent charges from a company offering translation services Merchant 1 URL 1 Merchant ID 1 Acquirer

42 Connections: findings After network investigation was complete Merchant 83 Related URLs 56 Merchant IDs 32 Acquirers

43 Merchant relationship mapping Charting relationships throughout the payment value chain 43

44 3. Merchant intel enables predictive modeling Key data points: Public information 1. Blacklists and whitelists (OFAC, PEP, NABP, etc.) 2. Reputation data (aggregated from multiple sources) Proprietary information 1. Historical data on merchants and individuals 2. Past fraud and content violations 3. Connections between individuals and businesses Data science predicts likelihood of compliance violations or fraud

45 Predictive modeling: case study 1. UK bank onboards Merchant X and submitted portfolio for review 2. Vendor reports Merchant X as high risk after detecting likelihood of past fraud (2 of 5 data points matched previous bad actor) 3. Merchant X instantly began fraudulent activity, which was not immediately detected in transaction flow Limited Fraud Losses 655 ~ 33, UK bank terminated merchant, limiting fraud to 2% of typical loss Losses from Merchant X Typical losses Proprietary Data + Third Party Data = 99% accurate predictions that can reduce losses

46 4. Merchant intel can yield instant quantification Examples: G2 Compass Score Argos Risk Score Speed Most results <1 second Significantly reduces merchant onboarding time Integration Works in conjunction with your existing core platform solution and enhances existing processes Choice API provides seamless integration with in-house systems or 3 rd party platforms (ex. Zoot) Portal log in to access reports

47 Instant quantification: case study Applications a month Minutes per applications Hours per month ~ 10 full-time staff to review and process

48 3,000 New Applications Prelim Approval 1,830 Applications (61%) Needs Review 420 Applications (14%) Declined 750 Applications (25%)

49 Instant quantification: results Applications a month Minutes per application Hours per month 93% time savings

50 5. Merchant intel powers a risk-based approach

51 Risk-based approach: case study A US Bank faced additional scrutiny for inadequate KYC/KYCC policies. Risk managers lacked tools for effective TPPP oversight, and TPPPs were not adhering to regulations to the same degree the bank was.

52 Risk-based approach: solution The bank created a holistic TPPP oversight management program, including predictive merchant risk tools as the main ingredient. Predictive merchant scoring gave them a more comprehensive risk profile of their TPPPs and underlying merchants. The bank received praise by both external and internal auditors, and retained their merchant relationships and associated revenues.

53 6. Merchant intel can be richly reported Quick snapshot of categories of risk in your portfolio Benchmarking data to compare portfolio to the broader industry Continually evaluate your boarding process

54 Rich reporting: example Compare portfolio to rich database of risk information across the industry Helps to assess both positive and negative risk

55 Merchant intel for KYCC: summary 1. Underlying merchants 2. Historical connections 3. Predictive modeling 4. Instant quantification 5. Risk-based approach 6. Rich reporting

56 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions An additional level of intelligence is required Key elements Implementation

57 Implementation Tips Partner with TPPPs and TPSs on implementation Pass on investments in tools and analysts Encourage (stipulate) third parties to implement beneficial systems and processes Learn from regulatory and association best practices OCC and FDIC guidelines CMS from TPPPA NACHA guidelines Build systems and processes incrementally Start with hosted web services Then integrate into in-house platforms via APIs

58 MERCHANT INTELLIGENCE FOR 3 RD PARTIES Reduce Regulatory Burden Decrease Risk Decide Faster

59 Thank you! Dan Frechtling Steve Clendaniel