On July 28, 2014, in response to growing pressure from Congress and the banking industry, the Federal Deposit Insurance Corporation (FDIC) issued Financial Institution Letter 41-2014 to clarify its supervisory approach to insured depository institutions (IDIs) under its jurisdiction that have account relationships with third-party payment processors (TPPPs). This clarification resulted from the FDIC’s realization that several of its earlier issuances were being misunderstood by banks and FDIC examiners as discouraging, or even prohibiting, relationships with TPPPs that processed transactions for certain types of businesses, particularly those in the online lending industry.
Specifically, the misunderstanding targeted by the new FIL stems from three of the FDIC’s previous Financial Institution Letters, FILs 127-2008, 3-2012 and 43-2013, and its Summer 2011 Supervisory Insights (collectively, the “Guidance”). The primary purpose of the Guidance was to describe the risks associated with establishing TPPP relationships and to assist IDIs in implementing appropriate risk management practices. Listed within the Guidance were telemarketing and Internet merchant categories commonly associated by the payments industry with higher-risk activity that the FDIC intended simply to be illustrative of trends in the payments industry. However, in issuing FIL 41-2014, the FDIC explained that the listing had unfortunately created the misperception among IDIs that the merchant categories were to be avoided.
To counteract this misperception, the FDIC uses the new FIL to promote the principle that IDIs who properly manage customer relationships are neither prohibited nor discouraged from providing services to merchants operating in compliance with applicable law. To reinforce its point, the FDIC removed the lists of examples of merchant categories from the Guidance and asserted that IDIs who follow the Guidance, as now revised, will not face criticism for establishing and maintaining account relationships with TPPPs.
This FDIC action builds upon recent testimony by Acting General Counsel Richard J. Osterman, Jr. at a House subcommittee hearing on Supervision of Banks’ Relationships with TPPPs in which he endorsed the FDIC’s adoption of a supervisory approach that “focuses on assessing whether financial institutions are adequately overseeing activities and transactions they process and appropriately managing and mitigating related risks.” Foreshadowing the issuance of the new FIL, Osterman made a special point of emphasizing that the FDIC does not discourage or prohibit banks from providing payment processing services to customers as long as they “properly manage relationships and effectively mitigate risks.”
The new FIL also comes on the heels of a lawsuit filed against the federal banking agencies on June 6 by a national trade association of community-based short-term lenders. The lawsuit seeks declaratory and injunctive relief against each agency to set aside informal guidance documents, alleging that the agencies acted without observance of procedures required by law, exceeded their statutory authority, acted in an arbitrary and capricious manner and violated plaintiffs’ due process rights.
The FDIC stated that the industry was misunderstanding the lists of merchant categories as discouraged or prohibited, but it has been observed that some FDIC examiners communicated to IDIs that the merchant categories on the lists were “blacklisted.”
The FDIC’s clarification suggests that, in conjunction with the review of Operation Choke Point (an ongoing initiative of the U.S. Department of Justice that is investigating banks in the United States and the business they do with payment processors, payday lenders, and other companies believed to be at higher risk for fraud) by federal legislators and the testimony taken on the issue, its examiners will not view the lists of merchant categories as prohibited relationships for insured depository institutions, and examinations of TPPP relationships will focus on an IDI’s compliance with the Bank Secrecy Act/Anti-money Laundering (BSA/AML) systems required by the FDIC’s guidance.
However, the FDIC’s unofficial position appears to continue to be that, absent a robust BSA/AML system that manages the high risk of onboarding TPPPs that process for certain higher-risk industries that have high return rates, an IDI will likely face enforcement action for compliance failures.
Although the new FIL applies only to FDIC-supervised IDIs, there is little question that the other banking agencies are in policy alignment and should be treated accordingly. Furthermore, other regulatory agencies are targeting the TPPP industry, including the Consumer Financial Protection Bureau, which has issued Civil Investigative Demands involving TPPPs, and the Department of Justice, which is targeting TPPPs in Operation Choke Point, which continues, according to a recent statement by U.S. Attorney General Eric H. Holder Jr.
Pepper lawyers have been very active in defending clients who have been the focus of Operation Choke Point, and we represent the national trade association of third-party payment processors.