Regulatory Focus on Transparency and Accountability in the Payments Industry

September 28, 2016 2:00 pm, ET

Deana Rich

Rich Consulting

Andrew Bigart

Venable LLP

John L'Heureux

PerformLine, Inc.

2

MAC is an organization of Bankcard professionals involved in the risk management side of Card Processing. We have members from Banks, ISOs,

Card Associations and others related to the risk management side of the industry. MAC’s mission is to strengthen the payment ecosystem through

ongoing education, communication and cooperation among acquirers, card brands and enforcement agencies.

https://www.macmember.org/

Today’s Agenda

• Introduction

• Review of Recent Developments

– Verdict and Sentencing in Jeremy Johnson Case

– CFPB and FTC Litigation against Payment Processors

– Panama Papers (and follow up enforcement)

– FinCEN’s Beneficial Ownership Rule

• Best Practices for Compliance

– Best Practices in Merchant Underwriting

– Lessons from Regulator Enforcement

– Preparing for Beneficial Ownership Rule

3

Introduction

4

Introduction

• The Federal Trade Commission (FTC), Consumer Financial

Protection Bureau (CFPB), and Department of Justice (DOJ)

continue to bring enforcement actions against payments

companies alleged to have facilitated fraud by providing services

to merchants engaged in conduct that harms consumers.

• Regulators are pressing banks, payment processors, and

independent sales organizations (ISOs) to both "know your

customer" and take steps to limit the use of legitimate financial

services for illicit purposes.

• With FinCEN’s beneficial ownership rule in place, payment

companies should begin reviewing their policies, procedures,

and internal controls to prepare for enhanced expectations of

transparency and accountability.

5

Recent Developments

6

Recent Developments – Jeremy Johnson Case

• In June 2011, a federal grand jury returned a criminal indictment

against Johnson and four associates alleging bank fraud, wire

fraud, money laundering, and other charges related to the

iWorks scheme.

– DOJ alleged that Johnson and the other defendants concocted a

conspiracy to form shell companies to apply for new merchant accounts

to continue processing credit card sales.

• In March 2016, the jury found Johnson guilty of 8 counts of

making false statements to a bank in connection with merchant

processing applications.

• On July 29, 2016, the judge sentenced Johnson to 11 years in

prison.

7

Recent Developments – Jeremy Johnson Case

• The DOJ indictment describes the defendants’ process of

“rebranding” iWorks products to be sold under new names on

websites created for the shell companies and their use of

“dummy” websites and other false information to have their

applications approved by Wells Fargo or its agents.

• The DOJ explained that the false statements in the merchant

account applications related to number of employees; other

currently/previously owned businesses; number of years in

business; owner/officer certification; web pages; website URLs,

passwords, and domain names; and months of merchant

statements from previous processing.

8

Recent Developments – CFPB and FTC Enforcement

• CFPB, the FTC, and other regulators are taking a broad view of

industries and activities.

• Potential targets for enforcement are not limited to companies

but also their principles, owners, and senior management.

• The activities of a company’s 3rd-party partners, whether

“upstream” or “downstream,” may expose the company to

enforcement based on the conduct of the 3rd-party partner.

• Many federal and state regulators, and state and federal legal

entities, are following a similar path for investigation and

potential enforcement.

9

• CFPB v. Intercept: CFPB filed a lawsuit in June 2016 in U.S. District

Court against Intercept and its President and CEO alleging Intercept

processed payments for many types of merchants despite

numerous red flags.

• CFPB v. Universal Debt & Payment Solutions (pending): CFPB

alleged that processors and ISOs enabled unlawful debt collection

scheme by ignoring due diligence and processing red flags.

• FTC v. Capital Payments (Bluefin) (Feb. 2016): FTC settled

charges with an ISO alleged to have facilitated the Tax Club scheme

(work at home businesses) by ignoring red flags (high chargebacks).

Settlement agreement imposes underwriting requirements,

monitoring requirements, and $2.6 million judgment.

10

Recent Developments – CFPB and FTC Enforcement

Recent Developments – Panama Papers

• Released in April 2016, the Panama Papers refer to more than 11

million documents from Panamanian law firm Mossack Fonseca

that have revealed wide-spread offshoring of funds by wealthy

individuals using identity-obscuring shell companies.

• The release of the Panama Papers has reinforced media and

regulator attention on the broader issues of transparency and

accountability in financial transactions.

• In August, the New York State Department of Financial Services

imposed a $180 million fine on Taiwan’s Mega International

Commercial Bank for anti-money laundering failures that

included links to the law firm at the center of the Panama Papers

scandal.

11

Recent Developments – Beneficial Ownership Rule

• In May 2016, FinCEN published its long-awaited rule requiring

financial institutions (FIs) to obtain beneficial ownership

information from their "legal entity" customers.

– FIs must obtain from "legal entity" customers the identity of (1) 25% or

greater beneficial owners; and, (2) a single individual with significant

control over the entity, taken together to mean "beneficial owner.“

– The rule does not apply to sole proprietors.

– The information must be certified by an individual authorized by the

customer to open accounts.

• The new rule applies to FIs subject to Customer Identification

Procedures (CIP) (banks, brokers, or dealers in securities, mutual

funds, futures commission merchants, and introducing brokers),

and compliance is required by May 11, 2018.

12

Recent Developments – Beneficial Ownership Rule

• While the new regulations are referred to, colloquially, as the

"beneficial ownership rules," FinCEN repeatedly emphasized that

the rules are an important part of the "four core elements of

customer due diligence," as explained in the "supplementary

information" to the new regulations:

– Customer identification and verification;

– Beneficial ownership identification and verification;

– Understanding the nature and purpose of customer relationships to

develop a customer risk profile; and,

– Ongoing monitoring for reporting suspicious transactions and, on a risk

basis, maintaining and updating customer information.

13

Best Practices

14

Best Practices – Overview

• The developments summarized in this presentation serve as a

warning for every financial institution, payment processor, and

ISO to incorporate customer due diligence and monitoring into

their compliance policies and procedures.

• Whether fair or not, federal regulators expect payments

companies to understand their customer’s business and

corporate structure and take steps to limit the use of the

payments ecosystem for illicit purposes.

• The Johnson case, CFPB/FTC enforcement, the Panama Papers,

and FinCEN’s beneficial ownership rule have accelerated these

expectations, placing a greater emphasis on transparency and

accountability in the payments industry.

15

Working with highly regulated industries (Debt Collection)• Constantly monitoring your ecosystem to find out what's happening.

• Need the ability to drill down to discover things (known and unknown),

and a means to act on them.

− As a function of process - this is usually challenging but necessary

due to fragmentation of touchpoints.

Understanding consumer complaint trends• There is a relationship between the # of complaints a firm receives, the

probability of being fined, and the average fine.

• If you work with a company that is highly regulated in the consumer

finance space you need to understand these trends.

Global Payments Case

Best Practices – Understanding Your Portfolio Risk

16

Global Payments Case

Case studies - Impetus for Self-Regulation• Operational/risk/compliance pressure affect partners on the issuing side.

− “Regulation by enforcement" - similar to what we see in the Global Payments

case.

• Some of the major issuers had to quickly spin up ways to address compliance

pressure on their own diligence across many channels.

Sometimes this meant:− De-risking completely from certain channels.

− Filling gaps with process or efficiency via technology.

− Filing gaps with further or deeper analysis and oversight.

− Bringing in new data/attributes: Ex. speech analytics - 100% coverage of 3rd party collection vendors vs. sampling.

• These improvements took work; but have improved overall business efficiency and

profitability, meaning, businesses are:

− able to run their business faster

− better story to tell (internally/externally)

Best Practices – Understanding Your Portfolio Risk

Ignoring, being unaware of warning, trends & signals from different dimensions of your business

17

CFPB Monthly Complaint Report

Excerpt from August’s Report• Debt collection complaints represented

about 27 percent of complaints submitted in July 2016.

• Student loan complaints showed the greatest month-over-month percentage increase (18 percent).

Best Practices – Resources

http://www.consumerfinance.gov/data-research/research-reports/

What’s Inside• Complaint Vol.• Product Spotlight• Geographic Spotlight

18

Payday lending Continuity programs /membershipclubs

Credit repair Nutraceuticals / dietary supplements

Debt consolidation / debt reduction Government grants

Interest rate reduction Identity theft protection

Mortgage relief Medical discount plans

Telemarketing Online pharmaceuticals

“Free” and “risk free” trial offers Payment facilitators

Business opportunities / work-at-home

“As Seen on TV” Offers

Telephone upsells Buy-One-Get-One Free Offers

19

Best Practices – Understanding Your Portfolio Risk

Examples of High Risk Industries

Best Practices – Implement Underwriting Policies

• Policies should reflect payment card requirements, the processors’ business plan, the established merchant portfolio, and government and industry best practices.

• Examples of what to address:

– Permitted, prohibited, and restricted merchants (with clear procedures when making exceptions to policies).

– Application materials that capture information about the company and its owners (including beneficial owners).

– Review and evaluate third party reputation sources.

– Review merchant’s method of doing business (marketing channels, ads, website materials).

– Timeframes for reviewing and approving applications that are appropriate based on merchant type and risk.

– Approval authority parameters and escalation requirements.

– Documentation requirements for underwriting.

20

Best Practices – Implement Underwriting Policies

• Incorporate beneficial ownership into underwriting policies and

procedures.

– Although the beneficial ownership rule is technically limited to banks

and certain other FIs, payment processors and ISOs will be responsible

for its implementation.

– Acquiring banks will push beneficial ownership responsibilities down to

processors and ISOs as part of the merchant account opening process.

– Applying appropriate policies and procedures to verify beneficial owners

may require processors and ISOs to implement new software and

internal controls.

– Given the time it often takes to bring new technology on line, processors

and ISOs should begin taking steps now to prepare for May 2018, when

compliance with the beneficial ownership rule is mandated.

21

Best Practices – Merchant Due Diligence

• Regulators expect payments companies to monitor for beneficial ownership

and attempts to factor or launder transactions using multiple and/or

unrelated merchant accounts.

• Best Practices

– Scrutinize requests to open multiple accounts.

– Obtain beneficial ownership information.

– Monitor accounts for relatedness (names, address, products, etc.)

• Monitor for Red Flags

– Use of dummy web sites.

– Opening multiple MIDs to load balance chargebacks.

– Splitting transactions: (1) sales (2) shipping (3) processing.

– Submitting merchant applications with nominee owners.

– Frequent movement between high risk banks/processors/ISOs.

– “Cascading” through multiple merchant accounts to resubmit declined

transactions.

22

Best Practices – Merchant Due Diligence

• CFPB v. Universal Debt & Payment Solutions (pending): CFPB

alleged that processors and ISOs enabled unlawful debt

collection scheme by ignoring underwriting red flags:

– Merchants were allegedly prohibited under card brand rules.

– Application materials suggested fraud (e.g., similar addresses between

different merchants).

– Merchant application showed individual had minimal income and

subprime credit score.

– Ignoring information related to MATCH listings.

– Poor BBB ratings.

23

Best Practices – Monitoring Your Portfolio

• Best Practices

– Monitor e-sales channels for compliance with representations

and with disclosure requirements.

– Monitor for changes in law and patterns in enforcement activity.

• Monitor for Red Flags/Change Management

– Merchant undergoes substantial changes during the processing

relationship.

– High chargeback rates / High return rates.

oMapping to other attributes.

– Sales figures out of line with processing expectations.

– Evidence of consumer harm.

24

Best Practices – Monitoring Your Portfolio

• CFPB v. Intercept: CFPB alleges that Intercept processed payments

for many merchants in the face of numerous red flags:

- Warnings from banks and consumers.

- High return rates.

- Law enforcement activity relating to its clients (including AMG

Services, Inc.).

- Created a program to artificially keep merchant return rates at or

just below 1%, thereby shielding the merchants from scrutiny for

excessive return rates (and so that Intercept could continue

processing and earning fees).

25

Best Practices - Compliance Management

• Implement a Compliance Management System (CMS)

– Covers the processor’s business operations.

– Sets management’s expectations for compliance with laws.

– Informs the board.

– Ensure operating responsibilities and legal requirements met.

– Monitor for and respond to complaints.

– Set forth a process for a regular, independent compliance audit.

– Take corrective action and update tools, systems, and materials

as necessary.

26

• Cultural considerations

– Compliance is really about excellence.

• Discovery

– Seek automation.

– Rule Management.

• Hard coded? Flexible?

• Taking Action

– Spotlight on Remediation.

o Self-Monitor – Commit to early detection and prevention of violations.

o Self-Reporting – Show a willingness to "do right."

o Remediation – Resolve issues in a timely and effective manner.

o Cooperation – Shows that the business is committed to remediating the

situation now and in the future.

27

Best Practices - Compliance Management

• Spotlight on Remediation

– What’s important

o Ability to discover.

o Touchpoints.

o Communication/SLAs.

– Proof – Telling the story

o Audits/Exams/FTC/CFPB.

o Document your actions

o Ability to explain the actions you took = success.

– Best practices

o Track all touchpoints in one place.

o Track comms | Tasks | Set & Track SLAs.

o ”Touch it once” per cycle.

o Spend more time acting instead of researching and requesting information.

28

Best Practices - Compliance Management

Best Practices – Resources

• CFPB, FTC, and DOJ enforcement actions

• MAC newsletters / conferences / webinars

• MAC partnership with the Electronic Retailing Association (ERA)

and the Electronic Retailing Self-Regulatory Program (ERSP)

– Review merchant marketing and sales practices in advance of boarding

for “unfair/deceptive” conduct

• ETA Guidelines on Merchant and ISO Underwriting and Risk Monitoring (Second Edition)

• ETA Guidelines on Payment Facilitator Underwriting and Risk Monitoring (Soon to be released)

29

Questions?

30

31

MAC Mission Statement

Strengthen the payment ecosystem through ongoing education, communication and

cooperation among acquirers, card brands and enforcement agencies.

Who we serve:Acquiring Bank

Acquiring Savings & Loan

Acquiring Credit Union

Gateway Provider

Internet Service Provider

ISO/MSP

Merchant Acquirer

Processor

Risk Management Professional

Your membership in MAC is an investment that should not be overlooked.

If you are not a member of MAC… JOIN TODAY!

https://www.macmember.org/

Regulatory Focus on Transparency and Accountability in the Payments Industry

Deana Rich

Rich Consulting

deanarich@deanarich.com

(818) 613-7627

Andrew Bigart

Venable LLP

aebigart@Venable.com

202-344-4323

John L'Heureux

PerformLine, Inc.

john@performline.com

302-743-3828

32