Get In Tune With Third Parties: Finding the harmonies between Third Party Senders, Originators, and Customers.
Marsha Jones, President, TPPPA
Brent Siegel, Vice President, Argos Risk
AGENDA/OUTLINE
- Third-Party Sender vs. Third Party Payment Processors
- The current regulatory environment and the keys to compliance
- OPERATION CHOKEPOINT
- Effective onboarding practices - KYC, KYCC, and nested senders
- What to do if your TPS has a portfolio you are not comfortable with
- Effective operational focus and controls: daily, periodic and annual activities
- Servicing third party relationships
- Building a cross functional team - Identifying required resources and expertise
THIRD-PARTY SENDERS VS. THIRD-PARTY PAYMENT PROCESSORS
WHAT IS A TPPP?
- A Third-Party Payment Processor (TPPP) is a depository customer of a bank that processes payments for other companies (merchants) through its bank.
- The term TPPP generally refers to processors that process ACH and/or remotely created checks (RCC).
- The bank does not have a contractual relationship with the TPPP's merchants.
WHAT IS A TPS?
- Third-Party Payment Processors are known as Third-Party Senders in the ACH Network.
- Third-Party Senders generally process both debits and credits.
- Virtually all Payroll Processors that provide direct deposit of payroll are Third-Party Senders.
- Payroll Processors are considered Third-Party Payment Processors outside of the ACH Network.
WHY ARE TPPP/TPS CONSIDERED HIGH RISK?
- The bank is responsible for all payments it processes through its routing number(s) and warrants the payments are compliant, legitimate and properly authorized.
- Because the bank does not have a direct relationship with the merchants, the bank must rely upon the TPPP to perform critical compliance tasks that the bank would otherwise do itself if it had a direct relationship with the merchant.
WHY ARE TPPP/TPS CONSIDERED HIGH RISK?
The bank must rely upon the TPPP to:
- Perform critical compliance obligations (BSA/AML, Regulation E, UDAAP, ACH Rules compliance, etc.)
- Do adequate due diligence to ensure that the merchant is complying not only with federal rules and regulations, but also with applicable state laws
- Manage and monitor their merchants
- Identify, report and address suspicious activity
WHAT IS NESTED TPPP/TPS?
- A nested TPPP relationship is when one TPPP processes the payments of another TPPP.
- The primary TPPP does not have a contractual relationship with the merchant originating the payment.
- The bank does not have a contractual relationship with the nested TPPP.
- This relationship poses substantially greater risk.
OBLIGATIONS OF TPS UNDER NACHA RULES
- Must perform due diligence on merchants and perform annual reviews.
- Must have agreements with merchants that address requirements stipulated in NACHA Rules.
- Must set exposure limits for merchants.
- Must monitor origination and return volume over multiple settlement dates.
- Must ensure the merchant is aware of and complying with the rules.
- Must perform annual ACH Rules Compliance Audit.
REGULATORY ENVIRONMENT
RULES & REGULATIONS
- Consumer Protection Top of Agenda
- CFPB
- FTC
- Financial Fraud Task Force Consumer Protection Working Group
- Explosion of Regulatory Guidance
- FDIC
- OCC & FRB
- FinCEN
- Regulation and Rule Changes
- New NACHA Return Rates
- Restrictions on RCC
OPERATION CHOKE POINT
OPERATION CHOKE POINT
- Inter-agency Consumer Protection initiative led by Department of Justice Financial Fraud Enforcement Task Force (2012)
- Inter-agency Information Sharing
- Targeting Fraud Against Consumers through Banks and Processors
- FIRREA Subpoenas Issued to Banks and Processors
- 3% Return Rate
IMPACTS
- Subpoenas
- At least 50 Banks and Processors
- Settlements (so far)
- Four Oaks Bank
- Consent Orders
- BSA, Reputation Risk
- Lost Bank Relationships
- Processors
- High Risk Merchants
CONGRESSIONAL RESPONSE
- House Oversight Committee Investigation and Hearings
- 850 pages of documents released
- House Financial Services Chairman Hensarling Letter to Regulators
- Subjectivity of Reputation Risk
- Bills to defund and stop OCP
- Hearings
- House Judiciary Hearing
SUIT AGAINST REGULATORS
- CFSA and Advance America
- FDIC, OCC and Federal Reserve Bank
- Lawsuit declares Regulators actively supporting DOJ to exert backroom pressure on banks to terminate relationships with legal payday lenders
- Agency action taken without observance of the procedures required by law and exceeding statutory authority, depriving targets of due process
- Clear attempt by federal agencies to circumvent the law through regulation/guidance
REVISED GUIDANCE
- FIL-41-2014, dated July 28, 2014
- FDIC Clarifies Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors
- Ensure adequate due diligence, underwriting and monitoring.
- Will not be criticized if following guidance.
- Encourages banks to serve their communities; will not prohibit or discourage banks from providing services to any customer operating in compliance with applicable law.
- Removes all reference to High Risk Merchant List
FINCEN ADVISORY
- FIN-2014-A007, dated August 11, 2014
- BSA/AML shortcomings have triggered enforcement actions
- Seeks to highlight importance of strong BSA/AML compliance for senior management, leadership and owners of all financial institutions regardless of size or industry sector.
- Highlights general principles
ADVISORY PRINCIPLES
BSA/AML compliance culture should ensure that:
- Leadership actively supports and understands compliance efforts
- Efforts are not compromised by revenue interests
- Information is shared with various departments
- Adequate resources are devoted to compliance
- Compliance program is effective and tested by an independent and competent party
- Leadership and staff understand the purpose of BSA/AML efforts and how its reporting is used.
EFFECTIVE ON-BOARDING: KYC, KYCC, KYCCC, SENDERS AND NESTED SENDERS
EFFECTIVE COMPLIANCE MANAGEMENT SYSTEMS
- Clearly defined program
- Dedicated Compliance Officer with appropriate authority
- Thorough Due Diligence process
- Adequate systems to manage and monitor
- Suspicious activity monitoring and reporting
- Agreements
- Documentation
- Training
THREE EASY STEPS
1. Investigate and Evaluate the Originator, Customer, Vendor
  - KYC, KYCC, KYCCC, credit underwriting, mission criticality of the vendor
2. Model The Transactional Risk
  - Risk profile of PPD vs CCD vs BOC vs X9
  - Large credit, participated credit
  - What if the vendor can't deliver?
3. Monitor the business and the transaction
  - Does the business health predict ACH/credit/vendor risk?
INVESTIGATE GATHER DATA
INVESTIGATE GATHER DATA
- Who is the customer?
- Banked: Collect Internal Data (statements, tax returns, financials)
- Not Banked: External Data (Quality, Quantity, Consistency)
- Credit-worthiness: Would we loan them money?
- Industry Health
- Competitive Health
- Payment citizenship
- Legal Process
INVESTIGATE - TPS
INVESTIGATE DATA QUALITY
INVESTIGATE GATHER DATA
Due Diligence
- Who is the customer?
- What is their business?
- Current business relationship? Deposit history, loan activity, general trends
- Does the transaction seem reasonable?
- What if the customer is not banked by your FI? What do you request?
INVESTIGATE - QUALITY
Validation
- We found them: Good Address, Good Name
- Validate the legitimacy of the business
- Validate the health of the business
- Can we state without a doubt the business is legit?
INVESTIGATE DATA QUANTITY
INVESTIGATE QUANTITY
- How much data do we need? Enough so that one additional report will not change your decision.
[Chart: Impact of Having More Data Points. Credit score plotted against number of credit reports, with one series for a Good Credit Firm and one for a Bad Credit Firm.]
INVESTIGATE DATA CONSISTENCY
INVESTIGATE CONSISTENCY
What do you do when data is missing or understated?
KEY BUSINESS METRICS: BUSINESS NAME CONSISTENT PAYMENT AVERAGE TRADE LIMIT SIC CODE ADDRESS PAYMENT RISK HIGH CREDIT SIC CODE DESCRIPTION CREDIT RISK SCORE DAYS BEYOND TERM UNSECURED TRADE LIMIT YEARS IN BUSINESS BUSINESS HEALTH SCORE DAYS BEYOND TERM INDUSTRY NUMBER OF EMPLOYEES PHONE
INVESTIGATE - CONSISTENCY
INVESTIGATE CONSISTENCY
Evaluate in Comparison
- Is this customer the riskiest? Least risky?
MODEL THE TRANSACTIONS
MODEL TRANSACTION RISK PEAK RISK
- Each ACH and RDC transaction has a risk profile
- PPDs are different from BOCs and POPs
- Prefunding impacts risk
- Each ACH transaction can be scored for risk
- Specific Risk based on SEC
- Specific Risk based on the Value of the transaction
- Specific Risk tied to that customer
- Specific Risk tied to the relationship
- ACH Transactions interact with other transactions in your book of business
RISKY TRANSACTIONS
MODEL THE EXPECTED RISK - SEC ACH RDC Risk Profile
MODEL THE EXPECTED RISK FREQUENCY
MODEL THE EXPECTED RISK EXPECTED VALUE (LIMIT)
- Eliminate the spread
- Limit of $100,000 for average transactions of $1,000
MODEL THE EXPECTED RISK RETURNS
MODEL THE EXPECTED RISK RELATIONSHIP
WHAT DO YOU DO WHEN YOUR THIRD PARTY HAS A PORTFOLIO YOU ARE NOT COMFORTABLE WITH?
EVALUATE THE BUSINESS
Columns: Disqualify, Enhanced Due Diligence
- Restricted Business By Code X
- High Risk Transaction Type X
- Portfolio Position #1 in Risk X
- Business Credit Low Score X
- Business Payment Low Score X
- Lawsuits, Liens, Litigation X X
- Business Credit Moderate X
- Unknown Business Type X
- Transaction Type Large Value X
- Executive Changes X
INVESTIGATE - HRI
- MSBs
- Consumer Financial Services
- Payday Lenders
- Short Term Lenders
- Cash Advance Lenders
- Title Lenders/Title Pawns
- Pay Equity Loans
- Deferred Payment Loans
- Consumer Credit Counselors (typically for-profit)
- Consumer Collection Agencies
- Debt Consolidation Lenders
- Financial Planners
- Bi-Weekly Loan Payment Processors
  Mortgage, installment, student, etc.
- Consumer Finance Providers
- Tax Preparation Firms
- International Activity
- 3rd Party Payment Processors
- Gaming Industry
- Cash Intensive Businesses
  Jewelry, pawn, antiques, consignment, convenience, scrap, etc.
- Medical Marijuana
- Firearms Dealers
- Tobacco Wholesalers
INVESTIGATE RISKY INDUSTRIES
INVESTIGATE MSBS
INVESTIGATE - NEC SIC Code 9999 AJ Couch Johnson, Johnson, and Johnson Morrisen Hospitality Applewood Street Corporation White Star Min Extanium Hyper Rock, LLC JB & JD & D WLE Corporation Curt Wonder Corporation G U L R Inc.
RISK STANDARDS
Data Point Credit Downgrades Legal Other Bank Business TRIGGERING EVENTS Low Risk to Moderate Risk Moderate to High Risk Small Claims Tax Liens Lawsuits Corporate Lawsuits Government Regulatory Actions Loan Defaults, Overdrafts Notify Supervisor Escalate Monitor Activity based on Value Escalate Escalate Escalate Staffing Changes Senior Executives Based on Position News Risk Related (i.e. Target) Implement Fraud Plans
DO YOU HAVE AGREEMENTS THAT ALLOW FOR SANCTIONS INCLUDING FIRING?
OPERATIONS, CONTROLS, ACTIVITIES, AND SERVICING THE THIRD PARTY
OPERATIONS, CONTROLS, ACTIVITIES AND SERVICING THE THIRD PARTY
- Effective operational focus and controls: daily, periodic and annual activities
- Servicing third party relationships
OPERATIONS, CONTROLS
Daily Activities
- Monitor the Business
- Monitor the Transactions
- Respond to Changes
FACT: AN ANNUAL REVIEW IS NOT MONITORING
You need surveillance, not a snapshot.
EVALUATE THE BUSINESS AND THE TRANSACTIONS ALERTS
PERIODIC ACTIVITIES
- Review of Credit worthiness
- Comparison to prior period
- Monthly, Quarterly
- Ask for a list of clients
OPERATIONS, CONTROLS
Respond to Changes
- Lawsuits and Legal Processes
- Risk Profile Changes
- Corporate Staffing
- Bankruptcy
ANNUAL ACTIVITIES
- Risk Assessment
- Update required documentation
- Is the customer still credit worthy?
- Is their business still what you thought it was?
- Any major changes in finances, leadership, products, legal process?
INVESTIGATE - BACKFILLING
Evaluation Totals: Evaluate your existing book of business
Total Customer Accounts: 1057
Account highlights:
- Foreclosed properties - new owners: 3
- Inactive corp: 4
- Bankrupt Company: 1
- Money Service Businesses: 1
- Need additional info: 70
- Residential address: 9
- Unable to find: 78
- UPS PO Box: 3
- Total: 166
EVALUATE THE BUSINESS AND THE TRANSACTION
EVALUATE THE BUSINESS AND THE TRANSACTION Credit Score Years in Business Employees Payment Records Past Due Records Vendor Payment Volatility Amount of Legal Process Days Beyond Terms Percentage of Slow Pays Trade References Business Health Timely Payments High Credit Offered Multiple Trade References Lawsuits, Liens, Litigation Poor Industry trends Challenging Geography Declining Business Scores Payment Consistency Timely Payments Increased Credit Offered Trade References Low Past Dues Legal Process Filings Days Beyond Terms More Slow Payments Fewer Trade References Terms Consistency Payment Trends Increased Credit offered More References Fewer Past Dues Slow Payments Increased slow or negative payment activity Fewer Trade References ACH Risk Origination volume Frequency SEC type SEC Return Rates Industry Risk Class Temporal Risk Multiple Settlements ACH Risk Index Average Volume Peak Risk
BUILDING A CROSS FUNCTIONAL TEAM
CROSS FUNCTIONAL TEAM
- Credit
- Deposit/Treasury Management/Operations
- IT
- Compliance/BSA/AML
- Sales and Marketing
CONTACT THE PRESENTERS
CONTACT: Brent Siegel, Vice President
PHONE: (952) 314-2095
EMAIL: bsiegel@argosrisk.com
LOCATION: 4600 W 77th Street, Suite 375, Edina, MN 55435
Visit us at www.argosrisk.com