Regulatory Focus on Transparency and Accountability in the Payments Industry
September 28, 2016 2:00 pm, ET
Deana Rich
Rich Consulting
Andrew Bigart
Venable LLP
John L'Heureux
PerformLine, Inc.
MAC is an organization of Bankcard professionals involved in the risk management side of Card Processing. We have members from Banks, ISOs,
Card Associations and others related to the risk management side of the industry. MAC’s mission is to strengthen the payment ecosystem through
ongoing education, communication and cooperation among acquirers, card brands and enforcement agencies.
https://www.macmember.org/
Today’s Agenda
• Introduction
• Review of Recent Developments
– Verdict and Sentencing in Jeremy Johnson Case
– CFPB and FTC Litigation against Payment Processors
– Panama Papers (and follow up enforcement)
– FinCEN’s Beneficial Ownership Rule
• Best Practices for Compliance
– Best Practices in Merchant Underwriting
– Lessons from Regulator Enforcement
– Preparing for Beneficial Ownership Rule
Introduction
• The Federal Trade Commission (FTC), Consumer Financial
Protection Bureau (CFPB), and Department of Justice (DOJ)
continue to bring enforcement actions against payments
companies alleged to have facilitated fraud by providing services
to merchants engaged in conduct that harms consumers.
• Regulators are pressing banks, payment processors, and
independent sales organizations (ISOs) to both "know your
customer" and take steps to limit the use of legitimate financial
services for illicit purposes.
• With FinCEN’s beneficial ownership rule in place, payment
companies should begin reviewing their policies, procedures,
and internal controls to prepare for enhanced expectations of
transparency and accountability.
Recent Developments
Recent Developments – Jeremy Johnson Case
• In June 2011, a federal grand jury returned a criminal indictment
against Johnson and four associates alleging bank fraud, wire
fraud, money laundering, and other charges related to the
iWorks scheme.
– DOJ alleged that Johnson and the other defendants concocted a
conspiracy to form shell companies to apply for new merchant accounts
to continue processing credit card sales.
• In March 2016, the jury found Johnson guilty of 8 counts of
making false statements to a bank in connection with merchant
processing applications.
• On July 29, 2016, the judge sentenced Johnson to 11 years in
prison.
• The DOJ indictment describes the defendants’ process of
“rebranding” iWorks products to be sold under new names on
websites created for the shell companies and their use of
“dummy” websites and other false information to have their
applications approved by Wells Fargo or its agents.
• The DOJ explained that the false statements in the merchant
account applications related to number of employees; other
currently/previously owned businesses; number of years in
business; owner/officer certification; web pages; website URLs,
passwords, and domain names; and months of merchant
statements from previous processing.
Recent Developments – CFPB and FTC Enforcement
• CFPB, the FTC, and other regulators are taking a broad view of
industries and activities.
• Potential targets for enforcement are not limited to companies
but also include their principals, owners, and senior management.
• The activities of a company’s 3rd-party partners, whether
“upstream” or “downstream,” may expose the company to
enforcement based on the conduct of the 3rd-party partner.
• Many federal and state regulators, and state and federal legal
entities, are following a similar path for investigation and
potential enforcement.
• CFPB v. Intercept: CFPB filed a lawsuit in June 2016 in U.S. District
Court against Intercept and its President and CEO alleging Intercept
processed payments for many types of merchants despite
numerous red flags.
• CFPB v. Universal Debt & Payment Solutions (pending): CFPB
alleged that processors and ISOs enabled unlawful debt collection
scheme by ignoring due diligence and processing red flags.
• FTC v. Capital Payments (Bluefin) (Feb. 2016): FTC settled
charges with an ISO alleged to have facilitated the Tax Club scheme
(work at home businesses) by ignoring red flags (high chargebacks).
Settlement agreement imposes underwriting requirements,
monitoring requirements, and $2.6 million judgment.
Recent Developments – Panama Papers
• Released in April 2016, the Panama Papers refer to more than 11
million documents from Panamanian law firm Mossack Fonseca
that have revealed wide-spread offshoring of funds by wealthy
individuals using identity-obscuring shell companies.
• The release of the Panama Papers has reinforced media and
regulator attention on the broader issues of transparency and
accountability in financial transactions.
• In August, the New York State Department of Financial Services
imposed a $180 million fine on Taiwan’s Mega International
Commercial Bank for anti-money laundering failures that
included links to the law firm at the center of the Panama Papers
scandal.
Recent Developments – Beneficial Ownership Rule
• In May 2016, FinCEN published its long-awaited rule requiring
financial institutions (FIs) to obtain beneficial ownership
information from their "legal entity" customers.
– FIs must obtain from "legal entity" customers the identity of (1) 25% or
greater beneficial owners; and, (2) a single individual with significant
control over the entity, taken together to mean "beneficial owner."
– The rule does not apply to sole proprietors.
– The information must be certified by an individual authorized by the
customer to open accounts.
• The new rule applies to FIs subject to Customer Identification
Procedures (CIP) (banks, brokers, or dealers in securities, mutual
funds, futures commission merchants, and introducing brokers),
and compliance is required by May 11, 2018.
• While the new regulations are referred to, colloquially, as the
"beneficial ownership rules," FinCEN repeatedly emphasized that
the rules are an important part of the "four core elements of
customer due diligence," as explained in the "supplementary
information" to the new regulations:
– Customer identification and verification;
– Beneficial ownership identification and verification;
– Understanding the nature and purpose of customer relationships to
develop a customer risk profile; and,
– Ongoing monitoring for reporting suspicious transactions and, on a risk
basis, maintaining and updating customer information.
Best Practices
Best Practices – Overview
• The developments summarized in this presentation serve as a
warning for every financial institution, payment processor, and
ISO to incorporate customer due diligence and monitoring into
their compliance policies and procedures.
• Whether fair or not, federal regulators expect payments
companies to understand their customer’s business and
corporate structure and take steps to limit the use of the
payments ecosystem for illicit purposes.
• The Johnson case, CFPB/FTC enforcement, the Panama Papers,
and FinCEN’s beneficial ownership rule have accelerated these
expectations, placing a greater emphasis on transparency and
accountability in the payments industry.
Best Practices – Understanding Your Portfolio Risk
Working with highly regulated industries (Debt Collection)
• Constantly monitoring your ecosystem to find out what's happening.
• Need the ability to drill down to discover things (known and unknown),
and a means to act on them.
− As a function of process - this is usually challenging but necessary
due to fragmentation of touchpoints.
Understanding consumer complaint trends
• There is a relationship between the # of complaints a firm receives, the
probability of being fined, and the average fine.
• If you work with a company that is highly regulated in the consumer
finance space you need to understand these trends.
Global Payments Case
Case studies - Impetus for Self-Regulation
• Operational/risk/compliance pressures affect partners on the issuing side.
− "Regulation by enforcement" - similar to what we see in the Global Payments
case.
• Some of the major issuers had to quickly spin up ways to address compliance
pressure on their own diligence across many channels.
Sometimes this meant:
− De-risking completely from certain channels.
− Filling gaps with process or efficiency via technology.
− Filling gaps with further or deeper analysis and oversight.
− Bringing in new data/attributes: Ex. speech analytics - 100% coverage of 3rd party collection vendors vs. sampling.
• These improvements took work, but have improved overall business efficiency and
profitability, meaning businesses:
− are able to run their business faster
− have a better story to tell (internally/externally)
Ignoring or being unaware of warnings, trends & signals from different dimensions of your business
Best Practices – Resources
CFPB Monthly Complaint Report
http://www.consumerfinance.gov/data-research/research-reports/
Excerpt from August’s Report
• Debt collection complaints represented about 27 percent of complaints submitted in July 2016.
• Student loan complaints showed the greatest month-over-month percentage increase (18 percent).
What’s Inside
• Complaint Vol.
• Product Spotlight
• Geographic Spotlight
Best Practices – Understanding Your Portfolio Risk
Examples of High Risk Industries
• Payday lending
• Credit repair
• Debt consolidation / debt reduction
• Interest rate reduction
• Mortgage relief
• Telemarketing
• “Free” and “risk free” trial offers
• Business opportunities / work-at-home
• Telephone upsells
• Continuity programs / membership clubs
• Nutraceuticals / dietary supplements
• Government grants
• Identity theft protection
• Medical discount plans
• Online pharmaceuticals
• Payment facilitators
• “As Seen on TV” Offers
• Buy-One-Get-One Free Offers
Best Practices – Implement Underwriting Policies
• Policies should reflect payment card requirements, the processors’ business plan, the established merchant portfolio, and government and industry best practices.
• Examples of what to address:
– Permitted, prohibited, and restricted merchants (with clear procedures when making exceptions to policies).
– Application materials that capture information about the company and its owners (including beneficial owners).
– Review and evaluate third party reputation sources.
– Review merchant’s method of doing business (marketing channels, ads, website materials).
– Timeframes for reviewing and approving applications that are appropriate based on merchant type and risk.
– Approval authority parameters and escalation requirements.
– Documentation requirements for underwriting.
• Incorporate beneficial ownership into underwriting policies and
procedures.
– Although the beneficial ownership rule is technically limited to banks
and certain other FIs, payment processors and ISOs will be responsible
for its implementation.
– Acquiring banks will push beneficial ownership responsibilities down to
processors and ISOs as part of the merchant account opening process.
– Applying appropriate policies and procedures to verify beneficial owners
may require processors and ISOs to implement new software and
internal controls.
– Given the time it often takes to bring new technology on line, processors
and ISOs should begin taking steps now to prepare for May 2018, when
compliance with the beneficial ownership rule is mandated.
Best Practices – Merchant Due Diligence
• Regulators expect payments companies to monitor for beneficial ownership
and attempts to factor or launder transactions using multiple and/or
unrelated merchant accounts.
• Best Practices
– Scrutinize requests to open multiple accounts.
– Obtain beneficial ownership information.
– Monitor accounts for relatedness (names, address, products, etc.)
• Monitor for Red Flags
– Use of dummy web sites.
– Opening multiple MIDs to load balance chargebacks.
– Splitting transactions: (1) sales (2) shipping (3) processing.
– Submitting merchant applications with nominee owners.
– Frequent movement between high risk banks/processors/ISOs.
– “Cascading” through multiple merchant accounts to resubmit declined
transactions.
• CFPB v. Universal Debt & Payment Solutions (pending): CFPB
alleged that processors and ISOs enabled unlawful debt
collection scheme by ignoring underwriting red flags:
– Merchants were allegedly prohibited under card brand rules.
– Application materials suggested fraud (e.g., similar addresses between
different merchants).
– Merchant application showed individual had minimal income and
subprime credit score.
– Ignoring information related to MATCH listings.
– Poor BBB ratings.
Best Practices – Monitoring Your Portfolio
• Best Practices
– Monitor e-sales channels for compliance with representations
and with disclosure requirements.
– Monitor for changes in law and patterns in enforcement activity.
• Monitor for Red Flags/Change Management
– Merchant undergoes substantial changes during the processing
relationship.
– High chargeback rates / High return rates.
o Mapping to other attributes.
– Sales figures out of line with processing expectations.
– Evidence of consumer harm.
• CFPB v. Intercept: CFPB alleges that Intercept processed payments
for many merchants in the face of numerous red flags:
- Warnings from banks and consumers.
- High return rates.
- Law enforcement activity relating to its clients (including AMG
Services, Inc.).
- Created a program to artificially keep merchant return rates at or
just below 1%, thereby shielding the merchants from scrutiny for
excessive return rates (and so that Intercept could continue
processing and earning fees).
Best Practices - Compliance Management
• Implement a Compliance Management System (CMS)
– Covers the processor’s business operations.
– Sets management’s expectations for compliance with laws.
– Informs the board.
– Ensure operating responsibilities and legal requirements are met.
– Monitor for and respond to complaints.
– Set forth a process for a regular, independent compliance audit.
– Take corrective action and update tools, systems, and materials
as necessary.
• Cultural considerations
– Compliance is really about excellence.
• Discovery
– Seek automation.
– Rule Management.
• Hard coded? Flexible?
• Taking Action
– Spotlight on Remediation.
o Self-Monitor – Commit to early detection and prevention of violations.
o Self-Reporting – Show a willingness to "do right."
o Remediation – Resolve issues in a timely and effective manner.
o Cooperation – Shows that the business is committed to remediating the
situation now and in the future.
• Spotlight on Remediation
– What’s important
o Ability to discover.
o Touchpoints.
o Communication/SLAs.
– Proof – Telling the story
o Audits/Exams/FTC/CFPB.
o Document your actions.
o Ability to explain the actions you took = success.
– Best practices
o Track all touchpoints in one place.
o Track comms | Tasks | Set & Track SLAs.
o “Touch it once” per cycle.
o Spend more time acting instead of researching and requesting information.
Best Practices – Resources
• CFPB, FTC, and DOJ enforcement actions
• MAC newsletters / conferences / webinars
• MAC partnership with the Electronic Retailing Association (ERA)
and the Electronic Retailing Self-Regulatory Program (ERSP)
– Review merchant marketing and sales practices in advance of boarding
for “unfair/deceptive” conduct
• ETA Guidelines on Merchant and ISO Underwriting and Risk Monitoring (Second Edition)
• ETA Guidelines on Payment Facilitator Underwriting and Risk Monitoring (Soon to be released)
Questions?
MAC Mission Statement
Strengthen the payment ecosystem through ongoing education, communication and
cooperation among acquirers, card brands and enforcement agencies.
Who we serve:
Acquiring Bank
Acquiring Savings & Loan
Acquiring Credit Union
Gateway Provider
Internet Service Provider
ISO/MSP
Merchant Acquirer
Processor
Risk Management Professional
Your membership in MAC is an investment that should not be overlooked.
If you are not a member of MAC… JOIN TODAY!
https://www.macmember.org/
Regulatory Focus on Transparency and Accountability in the Payments Industry
Deana Rich
Rich Consulting
(818) 613-7627
Andrew Bigart
Venable LLP
202-344-4323
John L'Heureux
PerformLine, Inc.
302-743-3828