Payment Processing - AML Considerations in a Digital World

Third-party payment processors (TPPPs) are bank customers that provide payment-processing services to merchants and other business entities. They allow merchants to provide more payment methods to their customers by enabling merchants to receive payments without first setting up their own merchant account with a bank. Over the past decade, there has been a marked increase in global trade and online commerce accompanied by exponential growth of digital payments and the proliferation of digital payment service providers. Cutting-edge technologies, progressive regulatory regimes, and open banking has created an opportunity for payment processors to compete with banks, and at the same time, banks have sought to cash in on fee-based relationships. Additionally, online e-commerce businesses are also looking for opportunities to expand and streamline services by reducing platform fragmentation. They are attempting to simplify services for the full user experience by consolidating payment processes and launching cross-border facilities. The goal is to of achieve end-to-end control of the online purchase experience, reduce cost, and create increased revenue opportunities.

Considering this expansion and emerging growth opportunities, it is important to consider key financial crime risks in online payments, regulatory considerations, and opportunities to engage the industry. Even today, TPPP payments remain highly fragmented, with increased money-laundering risk due to high payment volumes, technological failures, fraud, growth in cybercrime, and incompatibilities between payment channels and digital platforms. Banking platforms are often too antiquated to fully monitor TPPPs, which may require bespoke financial crime risk management strategies due to diversified risk models. While there is no easy solution, it is key that processors and banks alike fully understand their respective regulatory and industry anti-money laundering (AML) compliance expectations and implement necessary controls.

Regulatory Refresher

The US AML regulatory environment remains highly complex, confusing, and fragmented. At a federal level, “any…person who engages as a business in the transmission of funds […] or any network of people who engage as a business in facilitating the transfer of money domestically or internationally outside of the conventional financial institutions system”¹ is a covered financial institution under the Bank Secrecy Act (BSA), is required to establish a risk-based AML program, and must register with the Financial Crimes Enforcement Network (FinCEN) as a Money Services Business (MSB). While TPPPs technically fall within the definition of money transmission, FinCEN stipulates four conditions establishing an exemption for payment processors:

1. The entity providing the service must facilitate the purchase of goods or services, or the payment of bills for goods or services (other than money transmission itself)

2. The entity must operate through clearance and settlement systems that admit only BSA-regulated financial institutions

3. The entity must provide the service pursuant to a formal agreement

4. The entity’s agreement must be at a minimum with the seller or creditor that provided the goods or services and receives the funds

Even if a TPPP believes it meets this exception under the BSA, a robust mitigation strategy strongly advises that payment processors work closely with legal counsel to assess their businesses against various state-level requirements. Every US state, except Montana, has a money transmitter license (MTL) requirement, which includes a requirement to establish an AML program. States take varying approaches with respect to the BSA exemption and applying what has been commonly referred to as the Agent of the Payee exception. This exception indicates that where a processor acts pursuant to a formal contract as an agent of a merchant, the processor is the effective beneficiary in a payment². In other words, entities may be exempt from obtaining MTLs in certain states, if they facilitate the purchase of goods or services, or the payment of bills for goods or services pursuant to a formal agreement with a creditor or seller. Ultimately, this is a fact-based analysis and should not be taken lightly—the ramifications of getting this analysis wrong could result in civil and even criminal penalties.

In addition, bank regulators expect banks to mitigate the risk that TPPPs present to their institutions³.  As a result, most banks require their TPPP partners to implement BSA-level financial crime programs, even if it is not required by regulation.

AML Program Expectations

I am a crypto processor. Am I exempt under the BSA? No!

Convertible Virtual Currency (CVC)⁴ payment processors are financial intermediaries that enable traditional merchants to accept CVC from customers in exchange for goods and services sold. The CVC payment processor may collect the CVC from the customer and then transmit currency or funds to the merchant, or vice versa. CVC payment processors are money transmitters and are not eligible for the payment processor exemption because they do not satisfy all the required conditions for the exemption. Why? CVC payment processors do not operate through clearance and settlement systems that admit only BSA-regulated financial institutions. In its 2019 Guidance, FinCEN stressed that this condition was critical, because BSA-regulated financial institutions have greater visibility into the complete pattern of activities of the buyer or debtor, on the one hand, and the seller or creditor, on the other hand. Having BSA-regulated financial institutions at either end of the clearance and settlement of transactions reduces the need to impose additional obligations on the payment processor.⁵

I’m exempt from the BSA with no AML program requirement. Not so fast!

Even though TPPPs are not required to implement AML programs, it is still a criminal offense to facilitate laundering the proceeds of crime, regardless of compliance program regulatory requirements. The Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and FinCEN have repeatedly issued guidance regarding the risks, including the BSA/AML risks, associated with banking third-party processors⁶. FinCEN has also long warned that payment processors are used to place illegal funds directly into a financial institution using ACH credit transactions originating from foreign sources⁷. Accordingly, TPPPs should consider implementing robust AML programs to mitigate money laundering risk.

Additionally, even though TPPPs are not covered by the BSA, banks are covered financial institutions. As such, faced with significant regulatory scrutiny and guidance from federal bank regulators, most banks/bank partnerships require TPPPs to implement their own AML programs to mitigate the bank’s risk of doing business with the TPPP.

Key Stakeholder Considerations

Considerations for payment processors

Before establishing an AML program, payment processors should consider conducting a robust AML risk assessment. While not a regulatory requirement, bank partners may require the prospective TPPP clients to mitigate their own inherent risk and implement risk-based AML controls. Logically, without a risk assessment, it is difficult to determine if a TPPP has “risk-based controls.” While conducting a risk assessment may require an initial upfront investment, an informed assessment may prove more economical in the long run. The assessment will help a TPPP understand its risk profile and, therefore, inform the most appropriate, tailored controls to implement.

Considerations for Financial Institutions

Guidehouse recommends a robust due diligence process when onboarding new TPPP customers. The Federal Financial Institutional Examination Council (FFIEC) Manual on due diligence for TPPPs is a good place to start.

Equally as important is ensuring that banks have trained and experienced compliance professionals to: (1) assess the business model of the TPPP; (2) ensure that the TPPP is not conducting activity that is unlicensed/unregistered; and (3) understand how to assess and mitigate the inherent risk posed by the TPPP. As we previously noted, processors often have diverse and complicated business models that are difficult to assess. If not adequately vetted, banks may run the risk of onboarding a TPPP engaging in unlicensed/unregistered money transmission and not realize it. Therefore, hiring trained, experienced compliance professionals who can examine prospect TPPP clients is paramount. 

What Can Guidehouse do for you? 

Guidehouse can help payment processors and banks evaluate and enhance their financial crime risk management frameworks and controls related to the processing industry, including:

• AML and Office of Foreign Assets Control (OFAC) advisory

• AML and sanctions risk assessment methodology development, and/or review

• Transaction monitoring coverage assessment

• AML and sanctions gap analyses

• AML and OFAC program management outsourcing

• Know-your-customer and enhanced due diligence

• Strategic planning

• Risk management

• Vendor sourcing and governance

• Executive training

Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.

¹ 31 CFR § 5312(a)(2); 31 CFR § 1010.100 indicates that a money transmitter is a person who provides money transmission services or any other person engaged in the transfer of funds.
² Such states as New York, California, Texas, and Pennsylvania apply an agent of payee exception to money transmission requirements.
³ See: FFIEC Manual; Risk Associated with Third-Party Payment Processors, FinCEN Advisory FIN-2012-A010, October 22, 2012;  Risk Management Guidance: Payment Processors, OCC Bulletin 2008-12, April 24, 2008; Risk Management Guidance: Third-Party Relationships, OCC Bulletin 2013-29, October 30, 2013; FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors, FDIC FIL-41-2014, July 28, 2014; Payment Processor Relationships Revised Guidance, FDIC FIL-3-2012, January 31, 2012.
⁴ CVC is a type of virtual currency, often referred to as cryptocurrency, that either has an equivalent value in real currency or acts as a substitute for real currency (FIN-2013-G001).
⁵ See FinCEN Guidance: FIN-2019-G001.
⁶ See footnote 3.
⁷ See footnote 3.