division of depositor and consumer protection banker teleconference series

Division of Depositor and Consumer ProtectionBanker Teleconference Series

Third-Party Compliance Risk ManagementTuesday, June 5, 2012

FEDERAL DEPOSIT INSURANCE CORPORATION2 FEDERAL DEPOSIT INSURANCE CORPORATION

Presenters

Luke Brown, Associate DirectorDCP Supervisory Policy

Victoria Pawelski, Senior Policy AnalystDCP Supervisory Policy

John Bowman, Senior Review ExaminerDCP Office of CRA and Compliance Examinations

Julie Tupper, Senior Compliance ExaminerDCP Dallas Regional Office


Agenda

Introduction 2008 FDIC Guidance on Managing Third-

Party Risk (FIL-44-2008) Third-Party Relationships: Compliance Risk

Management Examples 2012 FDIC Revised Guidance on Payment

Processor Relationships (FIL-3-2012) Questions and Answers


2008 FDIC Guidance on Managing Third-Party Risk


Definition of Third-Party Relationship

Entity with which financial institution has entered into a business relationship Facilitate customer access to bank services or

products Perform functions on the bank’s behalf

Bank or non-bank, affiliated or non-affiliated, regulated or non-regulated, domestic or foreign


Benefits/Risks

Benefits Strategic

Objectives Revenue Expertise Efficiencies Resources Access

Risks Legal Regulatory Financial Loss Reputation Loss of Customers


Financial Institution Responsibility

Board and management oversight tailored depending on the relationship

The institution, and its Board and management, are responsible for managing activities conducted through third parties as if the activity were conducted directly by the institution Indemnity agreement not enough


Types of Risk

Strategic Risk Reputation Risk Operational Risk Transaction Risk Credit Risk

Liquidity Risk Compliance Risk Legal Risk Other Risks


Risk Management Process

Is this a significant third-party relationship? Process tailored depending on the risks

identified, nature & significance of the relationship, scope & magnitude of the activity

Effective risk management process


Risk Management Framework

Four Key ElementsRisk AssessmentDue DiligenceContract Structuring and ReviewOversight


Third-Party Relationships: Compliance Risk

Management Examples


Compliance Risk Management Examples

Rent-A-BIN Debt Collection Prepaid Cards RESPA Section 8 Identity Theft Protection Programs Privacy


2012 FDIC Revised Guidance on Payment Processor

Relationships


FDIC Financial Institution Letter FIL-3-2012

January 31, 2012 FDIC releases Revised Guidance on

Payment Processor Relationships Replaces & updates 2008 Guidance on

Payment Processor Relationships (FIL-127-2008)


Definition of Third-Party Payment Processor

What is a Third-Party Payment Processor or “Processor”? Depositor that uses its

banking relationship to process payments for its merchant clients

Benefits: Fee income Large deposit balances Capital injections

Concerns: Merchant clients several

entities removed Nested or aggregator

relationships Merchant client activities


Main Risks of Processors

Credit Risks Charge-backs from unauthorized transactions Regulation CC warranty

Compliance Risks Reputational Risks

Financial institution tied to merchant clients Legal Risk

Class action lawsuits


Processor Red Flags

Targeting problem financial institutions in need of capital/earnings

Smaller financial institutions with limited resources for proper monitoring

Processors with relationships at multiple financial institutions at the same time

Consumer complaints High Unauthorized Return Rates (URRs)

or returns/charge-backs


Financial Institution Protections

Due diligence (initially & ongoing) – Know Your Customer

Policies & procedures for monitoring (URRs/Returns, complaints, etc.)

Be aware of potential Compliance Risks


Types of Payments

Types of Payments Remotely Created Checks (RCCs) Automated Clearinghouse Items (ACHs) Network-related payments


Remotely Created Checks

What are RCCs? Regular paper check that the Merchant

creates No consumer signature Consumer provides account number & bank

routing number, and merchant prints check Merchant submits for regular check

processing


Risks of RCCs

Merchant client can continue to draft checks Depository financial institution responsible to

paying financial institution under Regulation CC Section 229.34(d)

Consumer complaints regarding unauthorized withdrawals from account

High volume – difficult to monitor High URRs and returns/charge-backs Unregulated environment


ACH Use & Risks

How do processors use ACHs & what are the risks? Merchant uses account number to initiate an

electronic debit Visa/MasterCard & NACHA rules Unauthorized debits & charge-backs


Themes and Trends

No Board-approved policies/procedures Growth beyond financial institution’s

resources/abilities Increase in fee income short-lived due

to charge-backs Underestimate potential reputation risks


Questions and Answers


Thank YouThe information contained in this presentation is for informational purposes only and is provided as a public service and in an effort to enhance understanding of the statutes and regulations administered by the FDIC. It expresses the views and opinions of FDIC staff and is not binding on the FDIC, its Board of Directors, or any Board member, and any representation to the contrary is expressly disclaimed.

division of depositor and consumer protection banker teleconference series

Documents