Earlier this month, First Bank of Delaware[FN1] was subjected to concurrent $15 million penalties by the Federal Deposit Insurance Corporation (FDIC) and the Financial Crimes Enforcement Network (FinCEN), along with a $15 million settlement with the Department of Justice (DOJ). The fines and penalties were in settlement of alleged violations of the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) laws and regulations. In addition to First Bank’s purported failures to implement adequate BSA/AML testing, training and compliance personnel, FinCEN’s Assessment of Civil Money Penalty (“FinCEN Assessment”) detailed First Bank’s apparent failures to institute internal controls to manage risks associated with third party payment processors and money services businesses (MSBs).
FN1. Prior to the FDIC and FinCEN’s announcement about First Bank, Bryn Mawr Trust Company had purchased certain assets and assumed deposit liabilities from First Bank. First Bank is no longer chartered by the Delaware Office of State Bank Commissioner and the FDIC terminated its deposit insurance.
The FinCEN Assessment serves as a good indicator of the red flags that should alert banks to potential money laundering risks presented by their to third party payment processor clients. In particular, the Assessment highlighted the following as potential BSA/AML trouble spots:
- Accepting processor clients (and granting them access to bank and credit card accounts) that have a history of violating the Federal Trade Commission Act;
- Not collecting sufficient information to anticipate processors’ normal range of activities, leading to an inability to anticipate heightened risk factors such as unusually high return rates;
- Failing to maintain files on processors’ own customers, including maintaining minimal customer information, financial disclosures, evidence of address verification, site visits, background checks, consumer complaint searches and other relevant due diligence information. (First Bank apparently processed almost $22 million in ACH transactions in 2010 for a single foreign-based MSB, which was a customer of the bank’s primary ACH third party payment processor client, without having any of the above information on the MSB.)
The Assessment also highlights the need to assess and monitor potential AML/BSA concerns inherent with high-risk MSBs, such as those located in High Intensity Drug Trafficking Areas and High Intensity Financial Crimes Areas, and that utilize remote deposit capture machines without oversight, offer prepaid cards to foreign persons, or process significant sales of foreign currency.
As noted by the Assessment, financial regulators have long recognized inherent BSA/AML risks associated with third party payment processors, having issued various industry and specific guidance, including the following:
- The Office of the Comptroller of the Currency’s (OCC) Bulletin OCC-2008-12: Payment Processors, Apr. 24, 2008;
- FDIC’s FIL-127-2008: Guidance on Payment Processor Relationships, Nov. 7, 2008;
- Federal Financial Institutions Examination Council (FFIEC), 2010 Bank Secrecy Act/Anti-Money Laundering Examination Manual, Third-Party Payment Processors—Overview, pp. 239-241;
- FinCEN’s FIN-2012-A010: Risk Associated with Third Party Payment Processors, Oct. 22, 2012.
Other regulatory guidance related to third party risks include:
- FDIC’s FIL-3-2012: Payment Processor Relationships, Revised Guidance, Jan. 31, 2012;
- FDIC’s FIL-44-2008: Third Party Risk, Guidance for Managing Third-Party Risk, June 6, 2008;
- FFIEC’s IT Examination Handbook, Outsourcing Technology Services, June 2004;
- FFIEC’s IT Examination Handbook, Supervision of Technology Service Providers, March 2003;
- Consumer Financial Protection Bureau’s (CFPB) Bulletin 2012-03: Service Providers, Apr. 13, 2012.