The Payments Challenge of 2008: Responsible Use of Alluring Payments Alternatives Utilities Payments Conference Portland OR October 23, 2008 Carol R. Van Cleef

The Payments Challenge of 2008: Responsible Use of Alluring Payments Alternatives

Utilities Payments Conference, Portland OR

October 23, 2008

Carol R. Van Cleef

Overview

• Seductiveness of payment alternatives

• Assessing the risks – legal, regulatory and other risks

• Determining ways to mitigate risks

• Addressing issues contractually and otherwise

• 7-step program for responsible use

The Seductiveness

• Expanding customer base with different needs

• Multiple channels

• Multiple strategies

• Greater efficiency

• Faster collections

• Lower marginal costs

• Fewer personnel issues

• Convenience

Put Risks in Context

• Understand legal risks

• Define reputational issues

• Quantify financial risk

• Consider impact of latest developments

• Remember different risks for different solutions

Mitigate the Risks

• Developing appropriate policies, procedures and controls

• Oversight

• Training

• Audit

– Internal operations

– Partner

Impact of Latest Developments

• State licensing and regulation of payments providers

• Anti-money laundering compliance

• New NACHA initiatives

• Consumer regulations

• Law enforcement undertakings

• Other issues raised by earlier speakers

Historical Payments Methods

• Cash – in person at your office

• Check – in person or by mail

The Evolution: E-Payments

• Technological breakthrough enabling financial transactions to be performed electronically, avoiding long lines and other hassles

• Card based or digital

• Channels - point-of-sale, telephone, internet, kiosks, mobile devices (e.g. cell phones), wireless, Radio Frequency Identification Devices (RFID) and Near Field Communication (NFC)

• Multiple rails – ACH, ATM, Credit Card

• Retail, corporate, wholesale

E-Payments Currently

• Telephone – Credit Card or ACH

• Internet – ACH or credit card

• Debit Card – Telephone or internet

• Prepaid Card – In person, telephone, internet

• Remotely Created Checks

• Electronic Payments, Electronic Payments, Electronic Payments

Rapidly Evolving E-Payments

• Internet

– Person to person

– E-wallet/e-purse

• Mobile Payments

• Digital currencies

• Virtual worlds

E-Purse/E-Wallet

• Popular in gambling community

– Usemywallet

– Firepay

– Neteller

– PaySpark

– Click to Pay

– WebMoney

• Other uses including bill pay

• FATF Study

Virtual Worlds

• Exchange to convert real world currency

• Use ATMs to access real dollars directly from virtual world accounts.

• “ATM Cards tied to virtual world – a money launderer’s dream”

• Gambling and other “vices”

• Bank failures

Common Characteristics of New Payments Providers

• By definition – many not banks

• Traditional “money services businesses”

– Regulated

– Unregulated

• Need access to banking system

• Geographic boundaries not meaningful

• Often multiple partners

• Technology driven

Common Characteristics Of Newer Alternatives

• Speed

• Anonymity

• Security

• Transfer functionality

• Convenience

• Geographically blind

• Provide access to financial system

• Cost effective delivery system

Legal Quagmire

• Bank Secrecy Act and Implementing Regulations

• Federal Criminal Statutes

– Money Laundering – Sections 1956, 1957, 1960

– Terrorist Financing – Sections 2339A, 2339B, 2339C

• Office of Foreign Assets Control (OFAC)

• State Licensing/AML Laws

• Federal and state Unfair Trade and Deceptive Practices Acts

• Privacy and Data Protection Statutes

• NACHA Rules and Network Rules

• State and federal utility statutes and regs

Bank Secrecy Act

• Financial Institutions

– Banks

– Credit Union

– MSBs

– Processors?

– Utilities?

• AML Compliance Program Requirement

• Reporting Requirements

– Suspicious Activity Reports

– Currency Transaction Reports/8300s

• Recordkeeping

– Funds Transfer Rule

• CIP and customer due diligence

MSB Status and Registration

• Status of Bill Payment

– Authorized

– Unauthorized

• FinCEN letter – gift card shop as agent

• Extent of precedence?

• Potential impact of new examination guidelines

Federal Criminal Statutes

• Money Laundering

– 18 U.S.C. Sections 1956 and 1957

• Conduct or attempt to conduct financial transaction involving the proceeds of Specified Unlawful Activity (“SUA”)

• Transport, transfer or transmit (or attempt) monetary instrument or funds into or out of US knowing instruments or funds involved are proceeds of SUA

• Conduct or attempt to conduct financial transaction with funds represented to be proceeds of SUA (“sting offense”)

• 200+ predicate offenses (SUA)

– 18 U.S.C. Section 1960

• Money transmitting business illegal

– Unlicensed

– Unregistered

• Transmission involving funds derived from or to be used for crime

Federal Criminal Statutes

• Terrorist Financing

– 18 U.S.C. Section 2339C

• Collecting or providing funds to be used to carry out a terrorist act.

– 18 U.S.C. Section 2339B

• Providing material support or resources to designated terrorists or terrorist organizations.

– 18 U.S.C. Section 2339A

• Providing material support to terrorist

Federal Sentencing Guidelines

• Ethically based compliance program

• Same elements as BSA/AML program

• Best defense is a good offense

• Mitigate sentence

2007 National Money Laundering Threat Assessment

“Constant searching by criminals for new ways to launder and hide dirty money is evidence of our successful regulatory and law enforcement efforts to safeguard the banking system.”

The Threat From Within

• McAfee Virtual Criminology Report 2006

• Organized crime’s tactics reminiscent of KGB’s during Cold War

• Targets top students from leading academic institutions

• Provide skills needed to commit high-tech crime on a mass scale

• Taking advantage of inadequate company security procedures

• New generation of cybercriminals sponsor graduates

Who is Watching?

• The Usual Suspects

– Secret Service

– Drug Enforcement Administration

– FBI

– IRS

– ICE

– State/local law enforcement

– CIA/Intelligence community

– Foreign law enforcement

• Federal Trade Commission

• Criminals

Coordinated Efforts

• SAR Review Teams

• Fusion Center

• Interagency Task Forces (e.g. Emerging Payments Systems, Payments Fraud)

• FATF

• ICE

– Trade Transparency Unit

– Multi-agency targeting of MSBs

– Foreign Political Corruptions Task Force

– Bulk cash smuggling

– Human smuggling

Truth Stranger Than Fiction

• High profile governor and former prosecutor

• Sending wire in excess of $3k

• Tries to avoid giving information

• Bank reports activity as suspicious

• SAR Review team?

• The leaked SAR?

Licensing

• State-by-state

• States increasingly aggressive

• Key: who “touches” the money?

• Failure to be licensed may be a crime

• Difficult, expensive, time consuming

• Bank-products may be exempt

• Preemption? For whom?

Hot Topics for Regulators

• ACH

• Remotely created checks

• Stored Value/Prepaid Cards

• Unfair and Deceptive Practices

What Do the Regulators Want?

• Adequacy of policies, procedures and processes

• Effective identification and monitoring of high risk customers using ACH transactions

• Nature of bank’s ML and TF risks

• Adequacy of suspicious activities monitoring and reporting system

• OCC Bulletin 2006-39

Mitigating ACH Risk

• Effective solid customer due diligence (CDD)

– Strong program for “regular customers”

– For TPSP include DD on Principals/Originators

• Effective risk based suspicious activity monitoring and reporting

– Review TPSP program if “heavily reliant”

– General guidelines for TPSP Agreement

– Address originators with questionable or deceptive practices

• Match review of an application with the level of risk

• Background check to support validity of Originator’s business

• Scrutinize international ACHs separately and more closely

Unfair and Deceptive Practices

• OCC #2008-027

• Account relationships with certain payment processors for telemarketers and direct telemarketers

• Regularly deposited large numbers of remotely created checks (RCCs)

• Substantial number of RCCs deposited were returned to bank by or on behalf of consumers

– had not authorized the RCCs

– did not receive adequate consideration in the transaction.

Bank’s Failure

• Bank engaged in unsafe or unsound practices

– Failure to conduct suitable due diligence on accounts even with reason to know high-risk customers posing significant legal, reputational and monetary risks to bank and monetary risk to consumers

– Failure to recognize and properly address risks posed by activities of payment processors and direct telemarketers

– Failure to monitor rates of return on RCCs deposited into accounts and to respond to allegations of consumer fraud from other banks and consumers

– Failure to follow Bank’s normal procedures for handling returned RCCs and implementation of a policy with effect of minimizing consumer complaints and scrutiny of Bank’s relationships with payment processors and direct telemarketers

OCC Bulletin 2008-12

• Does not supersede 2006-39 ACH Bulletin

• Proper initial due diligence, effective underwriting, and ongoing account monitoring

• Lack of appropriate controls to address risks may be viewed as facilitating processor’s or its merchant client’s fraud or other unlawful activity

• If fraudulent or other improper activity identified, take immediate steps to address problem, including filing SAR when appropriate, terminating the bank’s relationship with the processor, or requiring processor to cease processing for merchant

• Vulnerable to money laundering, identity theft, fraud schemes, illicit transactions and transactions prohibited by the Office of Foreign Assets Control.

• Monitor merchant data, transaction volume, and charge-back history

Unfair and Deceptive Practices

• FTC fills the void

• Responds to consumer complaints

– Unauthorized debits

– Advertised terms and conditions

– Poor identification/verification practices

• Cases

– QChex

– EDebit

Qchex

• Internet-based check creation and delivery service

• Consumer/business complaints

• Debited bank accounts and fraudulent checks

• No reasonable method for verifying sender’s identity

• Federal Trade Commission required

• Micro-deposit verification

• Financial institution verification

• Injunction

State Attorneys General

• Growing role

• Following in the footsteps of FTC

• Pennsylvania AG pursuing case

– Bank continued to provide banking services to processor customer allegedly knowing of customer’s fraudulent activity

• Safety and soundness risk for banks?

• Greater bank scrutiny of processor clients

• More exposure for processor and bank

Looking Ahead

• US criticized for $3000 minimum

• Cross-border wires

– Congressionally ordered FinCEN study

– Submit funds transfer records to FinCEN

– Private Sector Initiative

• Cross-border ACH

– New ACH format – March 2009

– OFAC

Prepaid and Stored Value Cards

The Latest Challenge?

How Do Stored Value Cards Work?

• Closed versus open systems

• Different functionalities

• Multiple parties

• Various roles and responsibilities

• Different risks

Stored Value Regulation

• Federal – BSA – Bank/CU

– Bank Product or Service

– Regulated like any other bank product or service

– CTRs, SARs, aggregation

– Bank examiners/examinations

• Nonbanks?

Other Applicable Federal Regulations

• OFAC – both bank and MSB

• Bank – rules that otherwise apply to bank product or service of that type

• FDIC insured – depends on records

• GLB privacy and data security

• Unfair and Deceptive Practices Act

FinCEN Interpretation

• FIN-2008-R005 (3/10/08): Whether Certain Reloadable Card Operations are Money Services Businesses

• 1.9 ATM network member-sponsored merchant and retail ATM locations

• 5700 member banks and credit unions

• 140 million credit, debit, prepaid cards

• Member sponsoring merchant or ATM owner responsible

How Can The Cards Be Abused?

• Fraud?

• Identity Theft?

• Means to Purchase Illicit Goods?

• Money Laundering?

• Terrorist Financing?

• Other?

Determining Risk Characteristics

• What is the function?

• What is the target audience?

• Is the cardholder’s identity known?

• Where can it be used and how?

• Can it be reloaded?

• How can it be reloaded?

• What is the source of funds?

• Does it have ATM access?

• Can it be used internationally?

The E-Gold Story: Chapter 1

• Online digital currency provider

• Offshore but maintained US operations

• Offered a bill pay solution

• Digital exchangers accepted cash

• Often implicated in criminal activity

• Allegedly knew of criminals’ use - customer complaints and criminal notification

• Lots of data

E-Gold Continued

• Valid e-mail but no ID verification

• “Obviously bogus and false” contact info

• No “not for criminal purpose”

• No training and written materials

• Imposed value limits but little impact

• No licenses, no MSB registration

• Assets seized and forfeiture sought

Sigue

• Largest MSB fine/settlement (01/08)

• Financial Crimes Enforcement Network

• Department of Justice

• Bad agents

• AML not limited to detection and reporting

Sigue’s Potential Implications For In-person Bill Pay

• Agent due diligence

– Independent review

– Credit and criminal background checks

– Agents and 10% control parties

• Monitoring

– More than structuring

– More than detection of money laundering

• Customer due diligence

– Enhanced identification of senders >$2000 per day

– Enhanced due diligence of parties to aggregate transactions > $25,000/12 months

– Enhanced identification of beneficiaries through Mexico agents > $950/day

Sigue’s Potential Implications

• Detection not enough; must prevent money laundering

• New definition of customer - for money transmitters only?

• Blocking transactions of “troublesome” customers

• Real time OFAC screening of transactions

• Agent training and compliance program reviews

Step 1: Know The Payment Alternative

• What is the business model?

• How do the funds flow?

• Who “touches” your funds - before you do?

• Is it PCI compliant (if applicable)?

• Are there business partners?

• Does it outsource any part of operations?

• Does it maintain its own compliance function?

Step 2: Know Your Partner

• How large is the company?

• How many years has it been in business?

• Who owns/runs the company?

• Conduct on-site due diligence

• What’s on the internet - use Google

• Check available and relevant lists

• Consider same steps for partner’s partners

Step 3: Is It Legally Compliant?

• What laws apply to the model?

• Has it complied with those laws?

• Does state law require a license?

• Is FinCEN registration necessary?

• Has it been

– Subject of regulatory enforcement action?

– Focus of criminal investigation?

– Criticized by consumers?

Step 4: Clearly Define Roles and Responsibilities

• Understand your and your partner’s responsibilities under different laws

• Determine who will file 8300s/CTRs and SARs?

• Resolve responsibility for privacy, data security and consumer disclosures

• Consider how technology is used

Step 5: Monitor, Monitor, Monitor

• Do not dismiss the potential for abuse

• Regularly review data for all types of compliance

• Identify unusual activity

• Have an action plan to react

Step 6: Good Contracts

• Address the issues/responsibilities

• Clearly allocate the responsibilities

• Review frequently

• Do they reflect recent changes in technology, current events, etc.

• Don’t hesitate to amend

Step 7: Don’t Assume

• Re-evaluate assumptions regularly, especially as model and use evolve

• Implement your own compliance program

• Update your program regularly and especially when new alternatives added

Conclusion

• More payment alternatives will emerge

• New and increasing challenges will arise

• More resources will be required to address these challenges

• But all (?) should benefit

FOR FURTHER INFORMATION

Carol R. Van Cleef

Partner

Patton Boggs LLP

2550 M Street, N.W.

Washington, D.C. 20037

202-508-6112
