Portals and Rails


Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.

December 02, 2013

Keeping Out the Fraudsters: Who Plays the Role of Gatekeeper?

An excessive number of consumer complaints or returns and chargebacks—these are among several red flags that could indicate that a third-party payment processor is engaged in fraud. And who better to take notice of these red flags than financial institutions? That's the thinking of many regulators, including the Financial Crimes Enforcement Network (FinCEN) when it released its October 2012 advisory on risk associated with third-party payment processors. In that advisory, FinCEN stressed the importance of financial institutions performing due diligence and monitoring their third-party payment processors.

The role of financial institution as gatekeeper was a major topic at the Atlanta Fed's October 30 Executive Fraud Forum, where a panel of industry leaders discussed the evolving role of third -party payment processors in the retail payments space. Representatives from the U.S. Department of Justice's Consumer Protection Branch and U.S. Secret Service, while they recognized the benefits of payment processors, highlighted case studies demonstrating the need for institutions to adjust their due diligence and monitoring to recognize attendant risks. They also stressed the importance of collaboration between institutions and law enforcement agencies in protecting consumers and keeping fraudsters away from payment processing.

Judy Long, who is the executive vice president and chief operating officer at First Citizens National Bank, also noted the gatekeeping role that institutions have with regard to the payments networks. Because banks are highly regulated entities whose primary objective is safety and soundness, she noted, they are in the best position to be the underwriters of payment processors.

As part of her discussion, Long mentioned some important practices for financial institutions in managing payment processor relationships.

  • Because the board of directors plays a critical role in determining the institution's risk tolerance by approving its policies and procedures, it must make itself knowledgeable about the risk factors involved with third-party payment processors.
  • The institution should have as an integral part of its policies underwriting guidelines that set limits for customers.
  • The institution must monitor customers by examining return rates and consumer complaints, providing ongoing customer calling programs, and not just knowing its customer but also its customers' customers.
  • Agreements should clearly explain the terms and conditions for how the institution will conduct business with a customer. These agreements protect both the institution and its customers.

For more details on this topic, watch this interview with Judy Long. You can also view the presentations from the Executive Fraud Forum on the event webpage.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 2, 2013 in KYC, third-party service provider | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Keeping Out the Fraudsters: Who Plays the Role of Gatekeeper?:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 22, 2011

Third-party service provider risk and the Unfair and Deceptive Acts and Practices rule

Financial institutions and other financial service providers commonly provide products and services through arrangements with third parties. When appropriately managed, third-party relationships can enhance competitiveness and diversification of goods and services. However, these third-party arrangements, absent adequate risk management controls, can expose companies to reputational, operational, and compliance risks.

One possible measurement of a financial institution's reputational risk is how well the institution complies with the Unfair and Deceptive Acts and Practices (UDAP, or Regulation AA). While UDAP applies more specifically to credit card issuers and consumers regarding disclosure rules and restrictions on lender practices, it can also apply to third parties when a financial institution outsources functions of its card programs—for example, credit or stored value.

Increased use of third-party arrangements in consumer products
The Federal Deposit Insurance Corporation (FDIC) recently examined how financial institutions have used third-party providers to roll out new and innovative products and services during the current economic challenges. The FDIC released its findings in the Supervisory Insights Winter 2010 newsletter, which revealed that financial institutions are increasingly relying on third-party vendors. Specifically, over 60 percent of credit card programs that financial institutions offer are the assets of third parties. Additionally, of the 19 percent of financial institutions surveyed that offered stored-value cards, 94 percent involved a third-party service provider.

Costly lessons for violating UDAP
Noncompliance with UDAP generally occurs when a financial institution outsources the development and administration of a new credit card product to a third party unfamiliar with the necessary disclosure requirements regarding finance charges and fees, for example. Complaints alleging UDAP violations generally stem from credit card marketing products released by a financial institution’s third party vendor. These types of practices can potentially expose a financial institution to a host of legal and regulatory sanctions.

Recent enforcement actions against financial institutions that have violated UDAP due to poor oversight of third-party service providers have proven costly. If a financial institution insufficiently supervises a third-party vendor engaging in acts that meet the standards for deception—for example, the third party knowingly uses representations or omissions likely to mislead a consumer—it could face enforcement action.

Incorporating UDAP risk into an existing vendor-management risk tool kit
Data security is certainly an integral aspect of managing third-party service provider risk, but it is only one part of the picture. By also including UDAP risk management in their tool kits, financial institutions can better position themselves to manage their overall risk in relation to third-party service providers.

In recent years, the FDIC and the Board of Governors of the Federal Reserve System released joint guidance on the need for a financial institution to include UDAP risks with regard to third-party service providers. Some of the key components the guidance identifies are maintaining awareness of the risks associated with outsourcing, establishing controls over such relationships, exercising proper due diligence when identifying, selecting, and maintaining a third party, and creating comprehensive written contracts.

The joint guidance recommends that the financial institutions relying on third-party service providers maintain UDAP compliance by paying close attention to the service providers' card program promotional materials, advertisements, claims, and representations that could mislead a target audience regarding the cost, availability, or terms of the product or service.

Taking the needed precautions
By outsourcing to a partner, a financial institution places a great deal of trust in that provider, but that's no excuse for poor due diligence and oversight, which could readily lead to violations of the UDAP. The financial institution successfully monitoring its UDAP compliance specifically tailors its approach to the third party with which it has a relationship.

Financial service providers must look beyond the data protection measures of third-party service providers to ensure they are also in compliance with UDAP requirements.

Photo of Ana Cavazos-WrightBy Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

February 22, 2011 in third-party service provider, Unfair and Deceptive Acts and Practices (UDAP) | Permalink


TrackBack URL for this entry:

Listed below are links to blogs that reference Third-party service provider risk and the Unfair and Deceptive Acts and Practices rule:


Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search

Recent Posts

December 2014

Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31      



Powered by TypePad