FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities (Revised July 2014)

Summary:

The FDIC is clarifying its policy and supervisory approach related to facilitating payment processing services directly, or indirectly through a third party, for merchant customers engaged in higher-risk activities. Facilitating payment processing for merchant customers engaged in higher-risk activities can pose risks to financial institutions; however, those that properly manage these relationships and risks are neither prohibited nor discouraged from providing payment processing services to customers operating in compliance with applicable law. 

Statement of Applicability to Institutions With Total Assets Under $1 Billion: This Financial Institution Letter applies to all FDIC-supervised banks and savings associations, including community institutions. 

Highlights: 

• Financial institutions that provide payment processing services directly or indirectly for merchant customers engaged in higher-risk activities are expected to perform proper risk assessments, conduct due diligence to determine merchant customers are operating in accordance with applicable law, and maintain systems to monitor relationships over time.
• Proper management of relationships with merchant customers engaged in higher-risk activities is essential. Financial institutions need to assure themselves that they are not facilitating fraudulent or other illegal activity. Institutions could be exposed to financial or legal risk should the legality of activities be challenged.
• FDIC's examination focus is on assessing whether financial institutions are adequately overseeing activities and transactions they process and appropriately managing and mitigating risks. Financial institutions that have appropriate systems and controls will not be criticized for providing payment processing services to businesses operating in compliance with applicable law.

Continuation of FIL-43-2013

Distribution: 
FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing: 
Board of Directors, Senior Executive Officers, Chief Credit Officer, Chief Information Technology Officer, 
Bank Secrecy Act Officer

Note: 
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at http://www.fdic.gov/news/financial-institution-letters/2013/index.html . 

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html . 

Paper copies may be obtained via the FDIC's Public Information Center, 3501 Fairfax Drive, E 1002, Arlington, VA 22226 (877-275-3342 or 703 562 2200). 

Financial Institution Letters 
FIL-43-2013 
September 27, 2013 

FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities 
 

The FDIC is issuing this letter to clarify its policy and supervisory approach related to facilitating payment processing¹ services directly, or indirectly through a third party, for merchant customers engaged in higher-risk activities. Facilitating payment processing for merchant customers engaged in higher-risk activities can pose risks to financial institutions and requires due diligence and monitoring, as detailed in prior FDIC and interagency guidance and other information.² Financial institutions that properly manage these relationships and risks are neither prohibited nor discouraged from providing payment processing services to customers operating in compliance with applicable federal and state law. 

The FDIC and other agency guidance indicate that financial institutions that provide payment processing services directly or indirectly for merchants engaged in higher-risk activities are expected to perform proper risk assessments, conduct due diligence sufficient to ascertain that the merchants are operating in accordance with applicable law, and maintain appropriate systems to monitor these relationships over time. The proper management of relationships with merchant customers engaged in higher-risk activities is essential. Financial institutions need to assure themselves that they are not facilitating fraudulent or other illegal activity. Institutions could be exposed to financial or legal risk should the legality of activities be challenged. 

The FDIC is aware that some payment processors or merchants may target institutions that are unfamiliar with the related risks or that lack proper due diligence or controls to manage these risks. Thus financial institutions that engage or plan to engage in these activities should review this guidance. The focus of FDIC examinations is to assess whether financial institutions are adequately overseeing activities and transactions they process and appropriately managing and mitigating related risks. Those that are operating with the appropriate systems and controls will not be criticized for providing payment processing services to businesses operating in compliance with applicable law. 

Additional Related Topics:

• Guidance for Managing Third-Party Risk, FIL-44-2008;
• Guidance on Payment Processor Relationships, FIL-127-2009;
• Managing Risks in Third-Party Payment Processor Relationships, Supervisory Insights Journal, Summer 2011;
• Payment Processor Relationships, Revised Guidance, FIL-3-2012;
• FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual; and
• FFIEC Information Technology Hand book, Retail Payments Systems Booklet.