The Payments Challenge of 2008: Responsible Use of Alluring Payments Alternatives
Utilities Payments Conference
Portland OR
October 23, 2008
Carol R. Van Cleef
Overview
• Seductiveness of payment alternatives
• Assessing the risks – legal, regulatory and other risks
• Determining ways to mitigate risks
• Addressing issues contractually and otherwise
• 7-step program for responsible use
The Seductiveness
• Expanding customer base with different needs
• Multiple channels
• Multiple strategies
• Greater efficiency
• Faster collections
• Lower marginal costs
• Fewer personnel issues
• Convenience
Put Risks in Context
• Understand legal risks
• Define reputational issues
• Quantify financial risk
• Consider impact of latest developments
• Remember different risks for different solutions
Mitigate the Risks
• Developing appropriate policies, procedures and controls
• Oversight
• Training
• Audit
– Internal operations
– Partner
Impact of Latest Developments
• State licensing and regulation of payments providers
• Anti-money laundering compliance
• New NACHA initiatives
• Consumer regulations
• Law enforcement undertakings
• Other issues raised by earlier speakers
The Evolution: E-Payments
• Technological breakthrough enabling financial transactions to be performed electronically, avoiding long lines and other hassles
• Card based or digital
• Channels - point-of-sale, telephone, internet, kiosks, mobile devices (e.g. cell phones), wireless, Radio Frequency Identification Devices (RFID) and Near Field Communication (NFC)
• Multiple rails – ACH, ATM, Credit Card
• Retail, corporate, wholesale
E-Payments Currently
• Telephone – Credit Card or ACH
• Internet – ACH or credit card
• Debit Card – Telephone or internet
• Prepaid Card – In person, telephone, internet
• Remotely Created Checks
• Electronic Payments, Electronic Payments, Electronic Payments
Rapidly Evolving E-Payments
• Internet
– Person to person
– E-wallet/e-purse
• Mobile Payments
• Digital currencies
• Virtual worlds
E-Purse/E-Wallet
• Popular in gambling community
– Usemywallet
– Firepay
– Neteller
– PaySpark
– Click to Pay
– WebMoney
• Other uses including bill pay
• FATF Study
Virtual Worlds
• Exchange to convert real world currency
• Use ATMs to access real dollars directly from virtual world accounts.
• “ATM Cards tied to virtual world – a money launder’s dream”
• Gambling and other “vices”
• Bank failures
Common Characteristics of New Payments Providers
• By definition – many not banks
• Traditional “money services businesses”
– Regulated
– Unregulated
• Need access to banking system
• Geographic boundaries not meaningful
• Often multiple partners
• Technology driven
Common Characteristics Of Newer Alternatives
• Speed
• Anonymity
• Security
• Transfer functionality
• Convenience
• Geographically blind
• Provide access to financial system
• Cost effective delivery system
Legal Quagmire
• Bank Secrecy Act and Implementing Regulations
• Federal Criminal Statutes
– Money Laundering – Sections 1956, 1957, 1960
– Terrorist Financing – Sections 2339A, 2339B, 2339C
• Office of Foreign Assets Control (OFAC)
• State Licensing/AML Laws
• Federal and state Unfair Trade and Deceptive Practices Acts
• Privacy and Data Protection Statutes
• NACHA Rules and Network Rules
• State and federal utility statutes and regs
Bank Secrecy Act
• Financial Institutions
– Banks
– Credit Union
– MSBs
– Processors?
– Utilities?
• AML Compliance Program Requirement
• Reporting Requirements
– Suspicious Activity Reports
– Currency Transaction Reports/8300s
• Recordkeeping
– Funds Transfer Rule
• CIP and customer due diligence
MSB Status and Registration
• Status of Bill Payment
– Authorized
– Unauthorized
• FinCEN letter – gift card shop as agent
• Extent of precedence?
• Potential impact of new examination guidelines
Federal Criminal Statutes
• Money Laundering
– 18 U.S.C. Sections 1956 and 1957
• Conduct or attempt to conduct financial transaction involving the proceeds of Specified Unlawful Activity (“SUA”)
• Transport, transfer or transmit (or attempt) monetary instrument or funds into or out of US knowing instruments or funds involved are proceeds of SUA
• Conduct or attempt to conduct financial transaction with funds represented to be proceeds of SUA (“sting offense”)
• 200+ predicate offenses (SUA)
– 18 U.S.C. Section 1960
• Money transmitting business illegal
– Unlicensed
– Unregistered
• Transmission involving funds derived from or to be used for crime
Federal Criminal Statutes
• Terrorist Financing
– 18 U.S.C. Section 2339C
• Collecting or providing funds to be used to carry out a terrorist act.
– 18 U.S.C. Section 2339B
• Providing material support or resources to designated terrorists or terrorist organizations.
– 18 U.S.C. Section 2339A
• Providing material support to terrorist
Federal Sentencing Guidelines
• Ethically based compliance program
• Same elements as BSA/AML program
• Best defense is a good offense
• Mitigate sentence
2007 National Money Laundering Threat Assessment
“Constant searching by criminals for new ways to launder and hide dirty money is evidence of our successful regulatory and law enforcement efforts to safeguard the banking system.”
The Threat From Within
• McAfee Virtual Criminology Report 2006
• Organized crime’s tactics reminiscent of KGB’s during Cold War
• Targets top students from leading academic institutions
• Provide skills needed to commit high-tech crime on a mass scale
• Taking advantage of inadequate company security procedures
• New generation of cybercriminals sponsor graduates
Who is Watching?
• The Usual Suspects
– Secret Service
– Drug Enforcement Administration
– FBI
– IRS
– ICE
– State/local law enforcement
– CIA/Intelligence community
– Foreign law enforcement
• Federal Trade Commission
• Criminals
Coordinated Efforts
• SAR Review Teams
• Fusion Center
• Interagency Task Forces (e.g. Emerging Payments Systems, Payments Fraud)
• FATF
• ICE
– Trade Transparency Unit
– Multi-agency targeting of MSBs
– Foreign Political Corruptions Task Force
– Bulk cash smuggling
– Human smuggling
Truth Stranger Than Fiction
• High profile governor and former prosecutor
• Sending wire in excess of $3k
• Tries to avoid giving information
• Bank reports activity as suspicious
• SAR Review team?
• The leaked SAR?
Licensing
• State-by-state
• States increasingly aggressive
• Key: who “touches” the money?
• Failure to be licensed may be a crime
• Difficult, expensive, time consuming
• Bank-products may be exempt
• Preemption? For whom?
Hot Topics for Regulators
• ACH
• Remotely created checks
• Stored Value/Prepaid Cards
• Unfair and Deceptive Practices
What Do the Regulators Want?
• Adequacy of policies, procedures and processes
• Effective identification and monitoring of high risk customers using ACH transactions
• Nature of bank’s ML and TF risks
• Adequacy of suspicious activities monitoring and reporting system
• OCC Bulletin 2006-39
Mitigating ACH Risk
• Effective solid customer due diligence (CDD)
– Strong program for “regular customers”
– For TPSP include DD on Principals/Originators
• Effective risk based suspicious activity monitoring and reporting
– Review TPSP program if “heavily reliant”
– General guidelines for TPSP Agreement
– Address originators with questionable or deceptive practices
• Match review of an application with the level of risk
• Background check to support validity of Originator’s business
• Scrutinize international ACHs separately and more closely
Unfair and Deceptive Practices
• OCC #2008-027
• Account relationships with certain payment processors for telemarketers and direct telemarketers
• Regularly deposited large numbers of remotely created checks (RCCs)
• Substantial number of RCCs deposited were returned to bank by or on behalf of consumers
– had not authorized the RCCs
– did not receive adequate consideration in the transaction.
Bank’s Failure
• Bank engaged in unsafe or unsound practices
– Failure to conduct suitable due diligence on accounts even with reason to know high-risk customers posing significant legal, reputational and monetary risks to bank and monetary risk to consumers
– Failure to recognize and properly address risks posed by activities of payment processors and direct telemarketers
– Failure to monitor rates of return on RCCs deposited into accounts and to respond to allegations of consumer fraud from other banks and consumers
– Failure to follow Bank’s normal procedures for handling returned RCCs and implementation of a policy with effect of minimizing consumer complaints and scrutiny of Bank’s relationships with payment processors and direct telemarketers
OCC Bulletin 2008-12
• Does not supersede 2006-39 ACH Bulletin
• Proper initial due diligence, effective underwriting, and ongoing account monitoring
• Lack of appropriate controls to address risks may be viewed as facilitating processor’s or its merchant client’s fraud or other unlawful activity
• If fraudulent or other improper activity identified, take immediate steps to address problem, including filing SAR when appropriate, terminating the bank’s relationship with the processor, or requiring processor to cease processing for merchant
• Vulnerable to money laundering, identity theft, fraud schemes, illicit transactions and transactions prohibited by the Office of Foreign Assets Control.
• Monitor merchant data, transaction volume, and charge-back history
Unfair and Deceptive Practices
• FTC fills the void
• Responds to consumer complaints
– Unauthorized debits
– Advertised terms and conditions
– Poor identification/verification practices
• Cases
– QChex
– EDebit
Qchex
• Internet-based check creation and delivery service
• Consumer/business complaints
• Debited bank accounts and fraudulent checks
• No reasonable method for verifying sender’s identity
• Federal Trade Commission required
• Micro-deposit verification
• Financial institution verification
• Injunction
State Attorneys General
• Growing role
• Following in the footsteps of FTC
• Pennsylvania AG pursuing case
– Bank continued to provide banking services to processor customer allegedly knowing of customer’s fraudulent activity
• Safety and soundness risk for banks?
• Greater bank scrutiny of processor clients
• More exposure for processor and bank
Looking Ahead
• US criticized for $3000 minimum
• Cross-border wires
– Congressionally ordered FinCEN study
– Submit funds transfer records to FinCEN
– Private Sector Initiative
• Cross-border ACH
– New ACH format – March 2009
– OFAC
How Do Stored Value Cards Work?
• Closed versus open systems
• Different functionalities
• Multiple parties
• Various roles and responsibilities
• Different risks
Stored Value Regulation
• Federal – BSA – Bank/CU
– Bank Product or Service
– Regulated like any other bank product or service
– CTRs, SARs, aggregation
– Bank examiners/examinations
• Nonbanks?
Other Applicable Federal Regulations
• OFAC – both bank and MSB
• Bank – rules that otherwise apply to bank product or service of that type
• FDIC insured – depends on records
• GLB privacy and data security
• Unfair and Deceptive Practices Act
FinCEN Interpretation
• FIN-2008-R005 (3/10/08): Whether Certain Reloadable Card Operations are Money Services Businesses
• 1.9 ATM network member-sponsored merchant and retail ATM locations
• 5700 member banks and credit unions
• 140 million credit, debit, prepaid cards
• Member sponsoring merchant or ATM owner responsible
How Can The Cards Be Abused?
• Fraud?
• Identity Theft?
• Means to Purchase Illicit Goods?
• Money Laundering?
• Terrorist Financing?
• Other?
Determining Risk Characteristics
• What is the function?
• What is the target audience?
• Is the cardholder’s identity known?
• Where can it be used and how?
• Can it be reloaded?
• How can it be reloaded?
• What is the source of funds?
• Does it have ATM access?
• Can it be used internationally?
The E-Gold Story: Chapter 1
• Online digital currency provider
• Offshore but maintained US operations
• Offered a bill pay solution
• Digital exchangers accepted cash
• Often implicated in criminal activity
• Allegedly knew of criminals’ use - customer complaints and criminal notification
• Lots of data
E-Gold Continued
• Valid e-mail but no ID verification
• “Obviously bogus and false” contact info
• No “not for criminal purpose”
• No training and written materials
• Imposed value limits but little impact
• No licenses, no MSB registration
• Assets seized and forfeiture sought
Sigue
• Largest MSB fine/settlement (01/08)
• Financial Crimes Enforcement Network
• Department of Justice
• Bad agents
• AML not limited to detection and reporting
Sigue’s Potential Implications For In-person Bill Pay
• Agent due diligence
– Independent review
– Credit and criminal background checks
– Agents and 10% control parties
• Monitoring
– More than structuring
– More than detection of money laundering
• Customer due diligence
– Enhanced identification of senders >$2000 per day
– Enhanced due diligence of parties to aggregate transactions > $25,000/12 months
– Enhanced identification of beneficiaries through Mexico agents > $950/day
Sigue’s Potential Implications
• Detection not enough; must prevent money laundering
• New definition of customer - for money transmitters only?
• Blocking transactions of “troublesome” customers
• Real time OFAC screening of transactions
• Agent training and compliance program reviews
Step 1: Know The Payment Alternative
• What is the business model?
• How do the funds flow?
• Who “touches” your funds - before you do?
• Is it PCI compliant (if applicable)?
• Are there business partners?
• Does it outsource any part of operations?
• Does it maintain its own compliance function?
Step 2: Know Your Partner
• How large is the company?
• How many years has it been in business?
• Who owns/runs the company?
• Conduct on-site due diligence
• What’s on the internet - use Google
• Check available and relevant lists
• Consider same steps for partner’s partners
Step 3: Is It Legally Compliant?
• What laws apply to the model?
• Has it complied with those laws?
• Does state law require a license?
• Is FinCEN registration necessary?
• Has it been
– Subject of regulatory enforcement action?
– Focus of criminal investigation?
– Criticized by consumers?
Step 4: Clearly Define Roles and Responsibilities
• Understand your and your partner’s responsibilities under different laws
• Determine who will file 8300s/CTRs and SARs?
• Resolve responsibility for privacy, data security and consumer disclosures
• Consider how technology is used
Step 5: Monitor, Monitor, Monitor
• Do not dismiss the potential for abuse
• Regularly review data for all types of compliance
• Identify unusual activity
• Have an action plan to react
Step 6: Good Contracts
• Address the issues/responsibilities
• Clearly allocate the responsibilities
• Review frequently
• Do they reflect recent changes in technology, current events, etc
• Don’t hesitate to amend
Step 7: Don’t Assume
• Re-evaluate assumptions regularly, especially as model and use evolve
• Implement your own compliance program
• Update your program regularly and especially when new alternatives added
Conclusion
• More payment alternatives will emerge
• New and increasing challenges will arise
• More resources will be required to address these challenges
• But all (?) should benefit
FOR FURTHER INFORMATION
Carol R. Van Cleef
Partner
Patton Boggs LLP
2550 M Street, N.W.
Washington, D.C. 20037
202-508-6112