KYCC Strategies for Managing Third-Party Payment Processor (TPPP) and Third-Party Sender (TPS) Risk

KYCC Strategies for Managing Third-Party Payment Processor (TPPP) and Third-Party Sender (TPS) Risk
Dan Frechtling, SVP Marketing & Chief Product Officer
Steve Clendaniel, Director of Risk Consulting
April 20, 2015

KYCC strategies for TPPPs and TPSs: definitions
KYCC: Know Your Customer's Customer
TPPP: Third Party Payment Processor
TPS: Third Party Sender (not Toyota Production System)

KYCC strategies for TPPPs and TPSs
1. Risk officers face exceptional uncertainty
2. Regulators have offered qualified guidance
3. New tools present partial solutions
4. An additional level of intelligence is required


Regulation has become competitive sport: FRB, FDIC, OCC, FTC, CFPB
"In the US, we now have the regulatory Olympics." (SVP Payments for top 5 US bank)
In 2014 US and European banks paid ~$65B in penalties, 40% greater than 2013, the previous high, according to BCG.
McKinsey estimates that senior executives spend about 20 to 25 percent of their time on regulatory matters.
Sources: Wall Street Journal, Dec 2014; Bankdirector.com, Jan 2015

Regulatory pressure is rising: 2013 (March, October, November). 50+ banks subpoenaed by the government to examine their risk management processes.
...and rising: 2014 (March, April, May, June)
...and rising: 2015 (March, April)

Regulatory pressure is unavoidable: "This is the business that we've chosen and these are the rules you must follow in order to be able to stay in the game. If we want to continue to grow and to prosper we have to get A's on your report card in terms of compliance. If you get anything less than that, they'll shut down your growth. It's just not optional." Executive Vice President and Chief Risk Officer, Midsized Bank. Source: G2 Web Services Research Study, March 2015

Regulatory pressure is unpredictable: "It's almost a crap shoot, right? So anybody could come in, a new regulator that wasn't here last year, and say, 'That's not how I look at it,' or 'you need to beef this up,' or 'I saw this other institution do this. I'm recommending this for you.' So there is some concern, but it's almost uncontrollable." Vice President, Risk Management and Compliance, Midsized Bank. Source: G2 Web Services Research Study, March 2015

Regulatory pressure is examiner-driven: "It's more the human nature from an examiner, or a specific examiner, let's say, in their opinion or what they've seen in their travels versus a new regulation coming out and being a total shock to us." Vice President, Compliance, Midsized Bank. Source: G2 Web Services Research Study, March 2015

TPPP and TPS regulations are changing: "In an ever changing regulatory environment, especially TPPP being newer, is - are the regulators going to change their requirements? I think there's a black hole in banking, especially with examination, whereby examination procedures and guidance say one thing, but we're also held to best standards and practices." Executive Vice President and Chief Risk Officer, Midsized Bank. Source: G2 Web Services Research Study, March 2015

TPPPs and TPSs can be opaque to banks: "The level of challenge with respect to any vendor relationship to which the banking regulators are requiring us to increasingly know, vet, and to fully understand what's going on in that vendor's black box. Those are sorts of things that keep you up at night." Executive Vice President and Chief Risk Officer, Midsized Bank. Source: G2 Web Services Research Study, March 2015

TPPPs and TPSs may lose banking relationships: "10 years ago, you linked up with a vendor and you sort of relied on them to do the things - you did your own due diligence but it wasn't nearly the same sort of risk assessment process that you go through today. And what we see it evolving to is one that is even much, much more invasive for the vendor. You are going to have to discontinue certain relationships." Executive Vice President and Chief Risk Officer, Midsized Bank. Source: G2 Web Services Research Study, March 2015

Entire categories of TPPPs and TPSs are at risk: "What has occurred is a lot of the very large institutions, based on a lot of guidance from regulatory agencies, have sort of de-risked their portfolio. And so a lot of them for instance don't do any clients that are money service business or third party payment processors because that's what it seemed like the regulators wanted and it's just easier, rather than trying to interpret, to just avoid it." EVP and CEO, Midsized Bank. Source: G2 Web Services Research Study, March 2015


Regulators have provided bulletins on TPPPs

FDIC and OCC offer guidance and a framework
FDIC: FIL-3-2012, FIL-44-2008, FIL-127-2008
OCC: Bulletin 2006-39, Bulletin 2008-12, Bulletin 2013-29

All agree on principles: onboarding and ongoing due diligence.

Guidelines: Onboarding. Conduct due diligence commensurate with the level of risk and complexity of the 3rd party relationship.
Strategies: check that growth goals, current and proposed structures, quality initiatives, efficiency improvements and employment practices are consistent with the bank's philosophy
Compliance: licenses, expertise, controls, status with regulators and similar organizations
Financials: statements, trends, pending litigation, fee structures
Reputation: complaints, years of experience, reference checks, SEC & regulatory filings, websites

Guidelines: Onboarding (continued)
Principals: senior management, key employees, subcontractors
Risk management: independence of audit function, policies for escalating audit findings, SOC reports, other standards (e.g. ISO)
IS: SLAs and performance metrics, change management processes, ability to mitigate data breach vulnerabilities
Resilience: disaster recovery and business continuity plans in event of service disruptions

Guidelines: Onboarding (continued)
Security: physical security, incident reporting
HR: training, succession planning, holding employees accountable for compliance
Subcontractors: geographic locations, due diligence and monitoring; conduct your own diligence, look for legally-binding indemnification
Insurance: bond coverage for dishonest acts, liability coverage for negligence, hazard insurance for disasters

Best practices: Onboarding. Conduct due diligence commensurate with the level of risk and complexity of the 3rd party relationship.
Have a prohibited category list
Check the merchant for fraudulent activity
Identify what the merchant is selling, beyond MCC/NAICS/SIC code
Analyze the merchant's online history of risk
Analyze the merchant's website for suspicious activity or hidden goods
Require the same due diligence of your TPPPs with their customers

Guidelines: Ongoing. Performed periodically during the course of the relationship, particularly when considering a renewal of a contract.
Ongoing review revisits the onboarding areas: Compliance, Financials, Insurance, IS, Resilience, Subcontractors, Reputation, Principals, HR; plus Remediation, Agreements, Confidentiality

Best practices: Ongoing. Performed periodically during the course of the relationship, particularly when considering a renewal of a contract.
Check for migration to prohibited categories
Persistently monitor the merchant for changes in goods/services offered
Monitor the merchant for fraudulent activity
Adjust your oversight depending upon the potential risks and the magnitude of the arrangement
Require third parties to monitor their merchants according to your standards, and request regular reports

KYCC strategies for TPPPs and TPSs
1. Risk officers face exceptional uncertainty
2. Regulators have offered qualified guidance
3. New tools present partial solutions (Onboarding, Ongoing)
4. An additional level of intelligence is required

Risk managers have responded by using new tools
Onboarding: 1. Identity Verification; 2. Manual Credit/Asset Searches
Ongoing: 3. Transaction Monitoring; 4. Manual Spot Checks


1. Identity Verification Tools
Good standard practice
Complies with core BSA/AML guidance for due diligence & EDD
Recommended for compliance with CIP rule of Patriot Act
"Many financial institutions do some kind of criminal background check which is only as good as the data store which they are checking against." Guy Huntington, Identity Management expert
Limitations:
X Verification can be outmaneuvered by black hat applicants
X Most effective when applicants disclose information that can be verified
X Only as good as the data store: misses hidden merchant risk

2. Manual Credit/Asset Searches
Consolidates separate data sources into one platform
Valued by most regulators as highly credible sources
Provides a sense of control and rigor
"Because it's manual it's inconsistently applied. Level of experience of the evaluator varies. (The process) is staff intensive." Chief Risk Officer, Large Bank, Midwest
Limitations:
X May produce better information about principals than merchants
X Quality of the review fluctuates based on analyst's experience
X Lacks automated scoring that can speed underwriting


3. Transaction Monitoring
Important and necessary for compliance with OCC's CFR 21.11 & Bulletin 2013-29, and FDIC's FIL 44-2008 & FIL 3-2012
Improving quality of data science means anomaly detection is faster and more accurate
Alerts can provide evidence of suspicious activity or outright fraud
Allows for triaging of suspicious transactions separate from normal transactions for further review
"All things being equal, preventative controls are always better than protective controls." Chief Risk Officer, Midsized Bank, Southeast. Source: G2 Web Services Research Study, March 2015
Limitations:
X Most effective after fraud has struck
X Misses leading indicators of fraud
X Outsmarted by black hat applicants

4. Manual Spot Checks
Easy to start and modify, especially at low volumes
Simple to explain to auditors
Fewer technical black boxes are involved
"There are manual reports that we look at. There's a daily payment processing report and then we can look at them monthly, quarterly or annually. It's a very manual, labor intensive process." Chief Risk Officer, Midsized Bank
Limitations:
X Are rarely conducted
X Require technology and training to spot changes
X Hard to detect deceptive marketing practices
X Lack automated scoring that can speed underwriting

All four miss vital aspects of KYC
Missing: Hidden merchant risk
Direct evidence of illegal activity, patterns of fraud and compliance violations
Links to illicit merchants, criminal fraud rings, hidden websites
Conducting business with many FIs
Missing: Automated scoring
History of fraud, compliance missteps
Technology-enabled analysts rather than labor
Predictions such as poor reputation with consumers, leading indicators of future fraud and compliance violations

Individual risk and merchant risk. Survey of dual-occupation professionals: Should US firms offer gifts to gain a foothold in a new market if this violated federal law? As engineers, 90% disagreed. As managers, 50% agreed. "When people switch hats, they often switch moral compasses." Keith Leavitt, OSU faculty. Source: Oregon State Research Study, May 2012

Can hidden merchant patterns be detected? "I doubt you can do this. It sounds good, but the proof is in the pudding." "Looking at years of merchant history is a real differentiator, a way of looking at the past as indicator of future activity. Our bank is not able to dig as deep." Senior VP, 3rd Party Risk Mgt, Midsized Bank, Mid-Atlantic. Source: G2 Web Services Research Study, March 2015

KYCC strategies for TPPPs and TPSs
1. Risk officers face exceptional uncertainty
2. Regulators have offered qualified guidance
3. New tools present partial solutions
4. An additional level of intelligence is required (Key elements, Implementation)

Key elements of merchant intelligence 1. Underlying merchants 2. Historical connections 3. Predictive modeling 4. Instant quantification 5. Risk-based approach 6. Rich reporting

1. Underlying merchants must be submitted. Banks must obtain TPPP and TPS portfolios: in totality, and for each newly boarded customer.

2. Merchant intel finds connections. A random sample of many years of merchant history data shows that historical data provides access to a deeper level of connections, so bad actors can be detected more reliably. By using these known connections, data science can make better predictions of merchant violations.

Connections: a case study. Over $1MM of fraudulent charges from a company offering translation services. Starting point: 1 merchant, 1 URL, 1 Merchant ID, 1 acquirer.
Connections: findings. After the network investigation was complete, the 1 merchant had expanded to 83 related URLs, 56 Merchant IDs and 32 acquirers.
Merchant relationship mapping: charting relationships throughout the payment value chain.

3. Merchant intel enables predictive modeling. Key data points:
Public information: 1. Blacklists and whitelists (OFAC, PEP, NABP, etc.); 2. Reputation data (aggregated from multiple sources)
Proprietary information: 1. Historical data on merchants and individuals; 2. Past fraud and content violations; 3. Connections between individuals and businesses
Data science predicts likelihood of compliance violations or fraud.

Predictive modeling: case study
1. UK bank onboards Merchant X and submits portfolio for review
2. Vendor reports Merchant X as high risk after detecting likelihood of past fraud (2 of 5 data points matched a previous bad actor)
3. Merchant X instantly began fraudulent activity, which was not immediately detected in transaction flow
4. UK bank terminated merchant, limiting fraud to 2% of typical loss (losses from Merchant X: 655; typical losses: ~33,000)
Proprietary data + third party data = 99% accurate predictions that can reduce losses
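The two slides above describe a network investigation (one suspect merchant expanding to dozens of related URLs, merchant IDs and acquirers) and a "2 of 5 data points matched" comparison against a previously seen bad actor. The example below, added here and not code from the deck or from G2 Web Services, shows the mechanics of both over a constructed portfolio: shared identifiers are inverted into an index, a breadth-first walk from the seed merchant collects everything reachable through them, and a separate routine counts matching data points against known bad-actor profiles. The merchant records, the five fields chosen as "data points", and the flag threshold are all assumptions for illustration.

```python
"""Link analysis and data-point matching over a constructed merchant portfolio.
Added example, not the vendor's model; every record below is invented."""
from collections import deque

# Constructed sample portfolio. Each record holds the identifiers a reviewer
# would pull from boarding files. M4 is deliberately unconnected.
MERCHANTS = {
    "M1": {"urls": {"translate-now.example"}, "mids": {"MID-001"}, "acquirers": {"ACQ-A"}},
    "M2": {"urls": {"translate-now.example", "fast-docs.example"}, "mids": {"MID-002"}, "acquirers": {"ACQ-B"}},
    "M3": {"urls": {"other-docs.example"}, "mids": {"MID-003"}, "acquirers": {"ACQ-B"}},
    "M4": {"urls": {"shop-unrelated.example"}, "mids": {"MID-004"}, "acquirers": {"ACQ-C"}},
    "M5": {"urls": {"cheap-pills.example"}, "mids": {"MID-002"}, "acquirers": {"ACQ-D"}},
}

LINK_FIELDS = ("urls", "mids", "acquirers")


def build_index(merchants):
    """Invert the records: (field, value) -> set of merchants carrying it."""
    index = {}
    for name, rec in merchants.items():
        for field in LINK_FIELDS:
            for value in rec[field]:
                index.setdefault((field, value), set()).add(name)
    return index


def related_network(merchants, seed, link_fields=LINK_FIELDS):
    """Breadth-first walk from one suspect merchant across shared identifiers.

    Returns (merchants reached, identifiers seen per field across the network).
    A shared acquirer alone is a weak link (many honest merchants share one),
    so callers can restrict link_fields to the stronger identifiers.
    """
    index = build_index(merchants)
    seen = {seed}
    queue = deque([seed])
    identifiers = {field: set() for field in link_fields}
    while queue:
        current = queue.popleft()
        for field in link_fields:
            for value in merchants[current][field]:
                identifiers[field].add(value)
                for other in index[(field, value)]:
                    if other not in seen:
                        seen.add(other)
                        queue.append(other)
    return seen, identifiers


# Assumed "five data points": which fields a real model compares is not on the
# slide, so these are illustrative choices.
MATCH_FIELDS = ("principal", "phone", "address", "url", "mid")

# Constructed profile of a previously terminated merchant.
KNOWN_BAD_ACTORS = [
    {"principal": "J. Doe", "phone": "+1-555-0100", "address": "1 Example St",
     "url": "cheap-pills.example", "mid": "MID-099"},
]


def matched_data_points(applicant, bad_actor, fields=MATCH_FIELDS):
    """Count fields where the applicant's value equals the bad actor's value."""
    return sum(1 for f in fields if applicant.get(f) and applicant.get(f) == bad_actor.get(f))


def screen_applicant(applicant, bad_actors=KNOWN_BAD_ACTORS, threshold=2):
    """Flag high risk at `threshold` or more matches against any known bad actor.
    The threshold of 2 mirrors the slide's case (2 of 5 matched) but is an assumption."""
    best = max((matched_data_points(applicant, b) for b in bad_actors), default=0)
    return {"matches": best, "high_risk": best >= threshold}


if __name__ == "__main__":
    network, ids = related_network(MERCHANTS, "M1")
    print("Network from M1:", sorted(network))
    print({field: len(values) for field, values in ids.items()})
    applicant = {"principal": "J. Doe", "phone": "+1-555-0199",
                 "address": "1 Example St", "url": "new-store.example", "mid": "MID-500"}
    print(screen_applicant(applicant))
```

Running the walk with all three link fields pulls in M3 purely through the shared acquirer; restricting `link_fields` to URLs and merchant IDs drops it again, which is the trade-off a reviewer makes between recall and false positives when deciding which identifiers count as a link.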

4. Merchant intel can yield instant quantification. Examples: G2 Compass Score, Argos Risk Score.
Speed: most results in under 1 second; significantly reduces merchant onboarding time
Integration: works in conjunction with your existing core platform solution and enhances existing processes
Choice: API provides seamless integration with in-house systems or 3rd party platforms (e.g. Zoot); portal log-in to access reports

Instant quantification: case study. Applications a month, minutes per application, hours per month: ~10 full-time staff to review and process.
3,000 new applications: Preliminary approval 1,830 applications (61%); Needs review 420 applications (14%); Declined 750 applications (25%).
Instant quantification: results. Applications a month, minutes per application, hours per month: 93% time savings.

5. Merchant intel powers a risk-based approach

Risk-based approach: case study A US Bank faced additional scrutiny for inadequate KYC/KYCC policies. Risk managers lacked tools for effective TPPP oversight, and TPPPs were not adhering to regulations to the same degree the bank was.

Risk-based approach: solution. The bank created a holistic TPPP oversight management program, with predictive merchant risk tools as the main ingredient. Predictive merchant scoring gave them a more comprehensive risk profile of their TPPPs and underlying merchants. The bank received praise from both external and internal auditors, and retained their merchant relationships and associated revenues.

6. Merchant intel can be richly reported: a quick snapshot of categories of risk in your portfolio; benchmarking data to compare your portfolio to the broader industry; continual evaluation of your boarding process.

Rich reporting: example. Compare your portfolio to a rich database of risk information across the industry; helps to assess both positive and negative risk.

Merchant intel for KYCC: summary 1. Underlying merchants 2. Historical connections 3. Predictive modeling 4. Instant quantification 5. Risk-based approach 6. Rich reporting


Implementation tips
Partner with TPPPs and TPSs on implementation: pass on investments in tools and analysts; encourage (stipulate) third parties to implement beneficial systems and processes
Learn from regulatory and association best practices: OCC and FDIC guidelines; CMS from TPPPA; NACHA guidelines
Build systems and processes incrementally: start with hosted web services, then integrate into in-house platforms via APIs

MERCHANT INTELLIGENCE FOR 3RD PARTIES: Reduce Regulatory Burden, Decrease Risk, Decide Faster

Thank you! Dan Frechtling, dfrechtling@g2webservices.com; Steve Clendaniel, sclendaniel@g2webservices.com