On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing—merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data. The second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements that apply when a merchant or other entity shares cardholder data with a third-party service provider. Specifically, the supplemental guidance provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.
On August 20, the OCC issued Bulletin 2014-41, which announces a new “Merchant Processing” booklet of the Comptroller’s Handbook. This booklet replaces the booklet of the same name issued in December 2001 and provides updated guidance to examiners and bankers on assessing and managing the risks associated with merchant processing activities. Specific updates address: (i) the selection of third-party organizations and due diligence; (ii) technology service providers; (iii) on-site inspections, audits, and attestation engagements, including the “Statement on Standards for Attestation Engagement” (SSAE 16) and the “International Standard on Assurance Engagements” (ISAE 3402); (iv) data security standards in the payment card industry for merchants and processors; (v) the Member Alert to Control High-Risk Merchants (MATCH) list; (vi) BSA/AML compliance programs and appropriate policies, procedures, and processes to monitor and identify unusual activity; and (vii) appropriate capital for merchant processing activities.
On July 28, the FDIC issued FIL-41-2014 to clarify its supervisory approach to bank relationships with third-party payment processors (TPPPs). In short, the letter removes the FDIC’s list of examples of merchant categories from its existing guidance and informational article. That list, which identified potential “high-risk” businesses, including firearms and ammunition merchants, coin dealers, and payday lenders, among numerous others, has been scrutinized and challenged by members of Congress in recent months. The new guidance explains the “lists of examples of merchant categories have led to misunderstandings regarding the FDIC’s supervisory approach to TPPPs, creating the misperception that the listed examples of merchant categories were prohibited or discouraged.” The FDIC’s letter continues to defend the list as “illustrative of trends identified by the payments industry at the time the guidance and article were released” and reasserts that it is the FDIC’s policy that insured institutions that properly manage customer relationships are neither prohibited nor discouraged from providing services to any customer operating in compliance with applicable law.
On June 23, the DOJ released a transcript of a message delivered by Attorney General Eric Holder in which he pledged to continue investigations of financial institutions “that knowingly facilitate consumer scams, or that willfully look the other way in processing such fraudulent transactions.” These investigations are part of the DOJ’s “Operation Choke Point,” which has faced criticism from financial institutions and their advocates on Capitol Hill, and which payday lenders recently filed suit to halt. Opponents of the operation assert that the DOJ investigations, combined with guidance from prudential regulators, are targeting lawful businesses and cutting off their access to the financial system. In his remarks, the AG promised that the DOJ will not target “businesses operating within the bounds of the law,” but vowed to continue to pursue “a range of investigations into banks that illegally enable businesses to siphon billions of dollars from consumers’ bank accounts in exchange for significant fees.” Mr. Holder stated that he expects the DOJ to resolve some of these investigations in the coming months.
Eighth Circuit Holds Bank That Complied With Reasonable Security Procedures Not Responsible For Loss Of Funds From Fraudulent Payment
On June 11, the U.S. Court of Appeals for the Eighth Circuit held that under the Uniform Commercial Code a bank that complied with commercially reasonable security measures was not responsible for a customer’s loss resulting from a fraudulent payment. Choice Escrow & Land Title, LLC v. BancorpSouth Bank, No. 13-1879, 2014 WL 2598764 (8th Cir. Jun. 11, 2014). The customer sued the bank, claiming that a $440,000 wire transfer from its account through the bank’s internet wire transfer system was fraudulently initiated by a third party. The court explained that Article 4A of the Uniform Commercial Code permits a bank to take steps to protect itself from liability by implementing commercially reasonable security procedures, and if the bank complies with these procedures in good faith and in accordance with the customer’s instructions, the customer bears the risk of loss from a fraudulent payment order. The parties agreed that the bank complied with its security procedures in accepting the payment order that resulted in the loss for the customer, but disputed whether (i) the bank’s security procedures were commercially reasonable, (ii) the bank accepted the payment order in good faith, and (iii) the bank accepted the payment order in compliance with the customer’s written instructions. The court concluded that the bank’s security procedures, which included password protection, daily transfer limits, device authentication, and dual control, were commercially reasonable because the bank followed 2005 FFIEC guidelines and further enhanced its security to address threats not considered by that potentially outdated guidance. Moreover, the court held that the customer assumed the risk of failure of security procedures by declining some of those procedures.
The court also held that in promptly executing a payment order that had cleared its commercially reasonable security procedures, and absent any independent reason to suspect the payment was fraudulent, the bank acted in good faith in processing the payment. Finally, the court determined that an inquiry from the customer as to whether it would be possible for the bank to stop foreign wire transfers did not constitute an instruction to the bank, and therefore the bank did not violate any written instruction from the customer. Based on these holdings, the court concluded that, under the UCC, the loss of funds from the customer’s account falls on the customer and not the bank.
On June 9, Darrell Issa (R-CA), Chairman of the House Oversight Committee, and Jim Jordan (R-OH), an Oversight subcommittee chairman, sent a letter to FDIC Chairman Martin Gruenberg that seeks information regarding the FDIC’s role in Operation Choke Point and calls into question prior FDIC staff statements about the agency’s role. The letter asserts that documents obtained from the DOJ and recently released by the committee demonstrate that, contrary to testimony provided by a senior FDIC staff member, the FDIC “has been intimately involved in Operation Choke Point since its inception.” The letter also criticizes FDIC guidance that institutions monitor and address risks associated with certain “high-risk merchants,” which, according to the FDIC, includes firearms and ammunition merchants, coin dealers, and payday lenders, among numerous others. The letter seeks information to help the committee better understand the FDIC’s role in Operation Choke Point and its justification for labeling certain businesses as “high-risk.” For example, the letter seeks (i) all documents and communications between the FDIC and the DOJ since January 1, 2011; (ii) all FDIC documents since that time that refer to the FDIC’s 2012 guidance regarding payment processor relationships; and (iii) all documents referring to risks created by financial institutions’ relationships with firearms or ammunition businesses, short-term lenders, and money services businesses.
On May 29, the House Oversight Committee released a staff report on Operation Choke Point, DOJ’s investigation of banks and payment processors purportedly designed to address perceived consumer fraud by blocking fraudsters’ access to the payment systems. The report provides the following “key findings”: (i) the operation was created by DOJ to “choke out” companies it considers to be “high risk” or otherwise objectionable, despite the fact that those companies are legal businesses; (ii) the operation has forced banks to terminate relationships with a wide variety of lawful and legitimate merchants; (iii) DOJ is aware of these impacts and has dismissed them; (iv) DOJ lacks adequate legal authority for the initiative; and (v) contrary to DOJ’s public statements, Operation Choke Point is primarily focused on the payday lending industry, particularly online lenders. The findings are based on documents provided to the committee by DOJ, including internal memoranda and other documents that, among other things, “acknowledge the program’s impact on legitimate merchants” and show that DOJ “has radically and unjustifiably expanded its [FIRREA] Section 951 authority.” The committee released the nearly 1,000 pages of supporting documents in two parts.
On May 22, House Financial Services Committee Chairman Jeb Hensarling (R-TX) sent letters to the Federal Reserve Board, the OCC, the FDIC, and the NCUA asking the regulators to explain their use of “reputational risk,” and citing Operation Choke Point as an example of the potential for “reputation risk” to become “a pretext for the advancement of political objectives, which can potentially subvert both safety and soundness and the rule of law.” Congressman Hensarling asked each regulator to explain (i) whether it considers reputation risk in its supervision of depositories, and, if so, the legal basis for such consideration and why it is appropriate; (ii) what data are used to analyze reputational risk and why such data are not already accounted for under CAMELS; and (iii) whether a poor reputation risk rating could be sufficient to warrant recommending a change in a depository’s business practices notwithstanding strong ratings under CAMELS.
On April 8, the House Financial Services Committee held a hearing with the general counsels of the federal banking agencies regarding, among other things, Operation Choke Point, the federal enforcement operation reportedly intended to cut off from the banking system certain lenders and merchants allegedly engaged in unlawful activities. Numerous committee members from both sides of the aisle raised concerns about Operation Choke Point, as well as the federal government’s broader pressure on banks over their relationships with nonbank financial service providers, including money service businesses, nonbank lenders, and check cashers. Committee members asserted that the operation is impacting lawful nonbank financial service providers, who are losing access to the banking system and, in turn, are unable to offer needed services to the members’ constituents. The FDIC’s Richard Osterman repeatedly stated that Operation Choke Point is a DOJ operation and that the FDIC’s participation is limited to providing certain information and resources upon request. Mr. Osterman also asserted that the FDIC is not attempting to, and does not intend to, prohibit banks from offering products or services to nonbank financial service providers operating within the law, and that the FDIC’s guidance is clear that banks are neither prohibited from nor encouraged to provide services to certain businesses, provided they properly manage their risk. Similarly, the OCC’s Amy Friend stated that the OCC wants to ensure that banks conduct due diligence and implement appropriate controls, but that the OCC is not prohibiting banks from offering services to lawful businesses. She stated the OCC has found that some banks have made a business decision to terminate relationships with some nonbank providers rather than implement additional controls.
On February 26, Senators Jeff Merkley (D-OR), Elizabeth Warren (D-MA), and other Democratic Senators, together with Representatives Elijah Cummings (D-MD), Maxine Waters (D-CA), and other Democratic House members, sent a letter to Attorney General Eric Holder encouraging the DOJ to “continue a vigorous review of potential payment fraud, anti-money-laundering violations, and other illegal conduct involving payments by banks and third-party payment processors.” The lawmakers highlighted a number of specific issues on which the DOJ should focus: (i) know-your-customer obligations, which they believe should include a review of whether a lender holds all required state licenses and follows state lending laws; (ii) use of lead generators, including those that auction consumer data; (iii) high rates of returned, contested, or otherwise failed debits or the regular use of remotely created checks, which they state may indicate payment fraud; and (iv) lenders’ failure to incorporate or maintain a business presence in the U.S., which they assert can be indicative of fraud and other payment system violations, including money-laundering.
On November 21, CFPB Director Richard Cordray delivered remarks at The Clearing House Annual Conference, including a review of the CFPB’s efforts to resolve concerns raised by the mortgage market through adoption of new mortgage rules and the objective of evenhanded oversight that is not dependent on charter choice or regulator. Mr. Cordray placed particular emphasis on the CFPB’s ability and efforts to “level the playing field” through its nonbank supervision program.
Notably, Director Cordray raised questions about recent efforts by other regulators and law enforcement authorities to investigate and take action against nonbank entities, like online payday lenders, by focusing on how these nonbanks get paid through bank payment systems. Cordray cautioned that, “[t]he focus of these . . . actions may create burdens that fall disproportionately on individual banks that are participants in the payment systems” and that the referenced approach “may not be the most efficient or effective approach.” Rather, Director Cordray suggested that further attention should be given to “how [payment] systems are designed and how they function for all of the institutions that participate in them.” The Director also expressed interest in working with the Clearing House to improve the CFPB’s understanding of using enhanced computer analytics and communications to identify patterns in payment systems, which he stated would better enable the CFPB to “identify and enforce the law against illegitimate firms that are otherwise able to reduce their own costs by hitching a free ride on the payments system,” as well as to consider necessary changes in law or practice.
On September 27, the FDIC issued Financial Institution Letter FIL-43-2013, which is intended to clarify the FDIC’s policy and supervisory approach related to financial institutions that facilitate payment processing services—directly or through a third party—for merchant customers engaged in “higher-risk activities.” The letter states that banks that perform these services for merchants engaged in activities that “tend to display a higher incidence of consumer fraud or potentially illegal activities” are expected to perform proper risk assessments, conduct due diligence to determine the merchants are operating in accordance with applicable law, and maintain systems to monitor the relationships with payment processors and merchants. Institutions that properly manage payment processing relationships and risks are not prohibited or discouraged from providing such services to businesses operating in compliance with applicable law. The FDIC intends to assess whether institutions are adequately overseeing these activities and addressing related risks. The FDIC’s statement follows concerns raised by certain banks, their representatives in Congress, and third-party payment processors about the scope of the governmental scrutiny of online lenders, payment processors, and their relationships with banks.
On October 3, the CFPB announced an enforcement action against a leading debt-settlement payment processor and its President/CEO for allegedly assisting clients in the debt-settlement industry in charging and collecting millions of dollars in unlawful fees since October 2010. According to the complaint, the defendants “knew or consciously avoided knowing” that the company’s services were used to charge illegal upfront fees in violation of the Telemarketing Sales Rule to more than 11,000 consumers across multiple states. The defendants agreed to a consent order that will: (i) prohibit the company from processing payments for debt-settlement companies and for members of the related mortgage-settlement industry going forward; (ii) subject the parties to regular monitoring by and reporting to the CFPB, as well as recordkeeping requirements; and (iii) mandate a civil money penalty of $1.376 million. On the date announced, Deputy Director Steve Antonakes remarked that the action should send a message that the CFPB is “working to ensure federal consumer laws are being followed at every stage of the process, including taking action against those who unlawfully facilitate illegal conduct of others.”
On September 17, FDIC Chairman Martin Gruenberg responded to a letter sent recently by Republican members of the House of Representatives, in which the members objected to the agency’s approach toward online lending and the banks that process payments on behalf of online lenders. In his response letter, Chairman Gruenberg explains the FDIC’s approach to the issue, describes the challenges for banks that do business with online lenders and third-party payment processors, and promises “a Financial Institution Letter . . . to make it clear that the FDIC’s focus is the proper management of the banks’ relationships with their customers, particularly those engaged in higher risk activities, and not underlying activities that are permissible under state and federal law.”
Last week, a group of 31 Republican House Members reportedly submitted a letter to the DOJ and FDIC accusing the agencies of “intimidating some community banks and third party payment processors with threats of heightened regulatory scrutiny unless they cease doing business with online lenders.” According to reports, the letter argues that the government’s actions effectively cut off access to lawful, short-term, high-interest loans available online. Several prominent online lenders have reportedly ceased their lending operations in response to similar pressure from state regulators.