Please enable JavaScript to view the comments powered by Disqus.

COVID-19 RESOURCES AND INFORMATION: See the Atlanta Fed's list of publications, information, and resources; listen to our Pandemic Response webinar series.


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

December 2, 2013

Keeping Out the Fraudsters: Who Plays the Role of Gatekeeper?

An excessive number of consumer complaints or returns and chargebacks—these are among several red flags that could indicate that a third-party payment processor is engaged in fraud. And who better to take notice of these red flags than financial institutions? That's the thinking of many regulators, including the Financial Crimes Enforcement Network (FinCEN) when it released its October 2012 advisory on risk associated with third-party payment processors. In that advisory, FinCEN stressed the importance of financial institutions performing due diligence and monitoring their third-party payment processors.

The role of financial institution as gatekeeper was a major topic at the Atlanta Fed's October 30 Executive Fraud Forum, where a panel of industry leaders discussed the evolving role of third -party payment processors in the retail payments space. Representatives from the U.S. Department of Justice's Consumer Protection Branch and U.S. Secret Service, while they recognized the benefits of payment processors, highlighted case studies demonstrating the need for institutions to adjust their due diligence and monitoring to recognize attendant risks. They also stressed the importance of collaboration between institutions and law enforcement agencies in protecting consumers and keeping fraudsters away from payment processing.

Judy Long, who is the executive vice president and chief operating officer at First Citizens National Bank, also noted the gatekeeping role that institutions have with regard to the payments networks. Because banks are highly regulated entities whose primary objective is safety and soundness, she noted, they are in the best position to be the underwriters of payment processors.

As part of her discussion, Long mentioned some important practices for financial institutions in managing payment processor relationships.

  • Because the board of directors plays a critical role in determining the institution's risk tolerance by approving its policies and procedures, it must make itself knowledgeable about the risk factors involved with third-party payment processors.
  • The institution should have as an integral part of its policies underwriting guidelines that set limits for customers.
  • The institution must monitor customers by examining return rates and consumer complaints, providing ongoing customer calling programs, and not just knowing its customer but also its customers' customers.
  • Agreements should clearly explain the terms and conditions for how the institution will conduct business with a customer. These agreements protect both the institution and its customers.

For more details on this topic, watch this interview with Judy Long. You can also view the presentations from the Executive Fraud Forum on the event webpage.

Photo of Deborah ShawBy Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 7, 2010

Is KYC DOA? The tribulations of trying to know your customer

Based on recent nightly news coverage, it appears that armed robbery has entered a new era of "brazenness," as robbers seem to commit their crimes without the cover of a disguise, despite the growing omnipresence of security cameras. I seem to recall that in the good old days of TV westerns, the robbers always wore disguises—at least they covered their faces with bandanas. Unfortunately, in the world of cybercrime, the disguises are still a basic part of the uniform as bad actors go about the business of laundering money, financing terrorists, and committing general computer crimes.

Increasingly in the wake of the Sept. 11 attacks, the responsibility for wrestling with detecting criminal financial activity lies with banks, subject to the provisions of Section 326 of the Patriot Act. In essence, the Patriot Act extended the earlier requirements of the Bank Secrecy Act to place financial institutions in the center of a process to know more and more about their account holders. Generally described as the "Know Your Customer" (or KYC) provisions of the act, Section 326 requires financial institutions (now broadly defined to include everything from traditional banks to gambling casinos) to gather, record, and report a great deal of specific information about their business and consumer customers.

Customers have reacted to this heightened information-gathering process with some frustration, yet it is simply the consequence of the global village in which we now live. The standards for such information gathering are cataloged in the Customer Identification Program (CIP) requirements of the Patriot Act, but many institutions, in an effort to protect their bank's financial welfare and avoid criticism from regulators about adhering to the letter of the law only, have extended their programs into the area of customer due diligence (CDD). CDD embraces broader information gathering that may frequently seem intrusive to the customer. For example, CDD may ask customers to describe the nature of transactions flowing through their accounts so that the bank can establish a risk rating for the accounts. However, in today's reality of global cybercrime, have we come to the point where even extended CDD may not be sufficient?

The emergence of third parties in the payments arena
This question is accentuated by the increasing roles of third parties in the payments system. Many third parties are legitimately engaged in providing services and technology support to businesses and banks alike in order to facilitate a more efficient use of the payments system. For example, some companies offer ACH or electronic check origination services to smaller businesses that cannot easily afford the acquisition of in-house systems to accomplish certain payment functions. While it is reasonable to assume that a bank can perform due diligence reviews on such third parties, history has been a harsh teacher in revealing that the third party (the bank's customer) can be well intentioned, but some of the companies they provide services to (the customer's customer) may be less honorable. Consequently, we talk in the trade of the fact that banks must now know their customer's customer (KYCC).

It turns out that this is not an easy thing to do. Nor is it easy to tell their customer's customer how to do it. For instance, many of the customer's customers may be startup companies, entrepreneurs pursuing the dream, or relatively small niche businesses. Some such firms start legitimately and intentionally act innocently until such time that they are positioned to commit significant fraud. In other words, the robbery suspects in cyber space do wear bandanas and they do disguise themselves so that no one can make an easy determination in advance as to their trustworthiness. In fact, they do it so well that we must ask, "Is KYC dead on arrival?" in this modern world of payments.

It is increasingly apparent that the answer is, "No, KYC isn't dead, but neither is it enough." A good KYC plan is better than no plan and is needed to comply with the Patriot Act, but we cannot possibly expect such a plan to be foolproof. Instead, we need to anticipate the possibility of a rogue player and complement KYC with other controls. Ultimately, this means that noncard transaction processing systems need to begin to adopt many of the practices used in card systems, including data forensics to detect and address potentially fraudulent behavior before it happens or as soon after it happens as possible.

In addition, it may be time for the industry, working with regulators, to examine the growing importance and risk profiles of nonbank entities engaged in the payments space. Most of today's fraudsters fall outside of the regulatory purview of bank supervisors and examiners, leaving the field to agencies such as the Federal Trade Commission. In 1850, the Pinkerton Agency was formed to assist the government in finding and arresting bank robbers. Perhaps we need a modern-day cyber version of the Pinkertons, armed with powerful networked computers to reach out and oversee the operations of a bank's customer's customer on behalf of regulators and law enforcement bodies everywhere. At any rate, a fresh look at this topic couldn't hurt.

By Richard Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum

Take On Payments Search

Recent Posts