Following hard on the heels of recent risk management actions taken by other federal agencies, the Office of the Comptroller of the Currency (OCC) has issued a thoroughly updated booklet on Merchant Processing, which forms a part of The Comptroller’s Handbook, its compendium of guidance for national banks and federal savings associations. The revised booklet, which replaces a 2001 publication, approaches relationships between banks and merchant payment processors with renewed intensity and caution.
As we reported in our Client Alert of August 5, the Federal Deposit Insurance Corporation reiterated its concern about payment processor relationships and clarified the importance of implementing appropriate risk management practices. Similarly, in our Client Alert of August 19, we noted that FinCEN is promoting a culture of compliance with the Bank Secrecy Act and related anti-money laundering laws and regulations (BSA/AML) through full engagement of bank leadership and comprehensive training of all personnel in the risks associated with customer relationships. It is no accident that the OCC’s focus on merchant processing arises against this backdrop.
The OCC uses the Merchant Processing booklet to present a comprehensive explanation of merchant payment processing and explain the array of risks associated with bank involvement in this line of business. Covering national banks and newly expanded to cover federal savings associations (collectively called “banks”), the booklet focuses on processing of card payments, as opposed to issuance of payment cards, with activities running the gamut from gathering merchant sales information to obtaining transaction authorization to collecting funds from the card-issuing bank to reimbursing the merchant. The OCC centers its concerns on the fact that merchant processing is a business of high volumes and low profit margins. It recognizes that processing a high volume of transactions carries special risks that must be managed by efficiently run departments employing appropriate cost controls.
Advising that the principles addressed in the booklet can apply to other forms of electronic payment, the OCC acknowledges that, while merchant processing traditionally was associated with retail card purchases, today’s technology has extended the activity’s reach to debit card purchases, reloadable cards, and other prepaid payment products, as well as electronic benefits transfer (EBT) transactions. In describing the fundamental structure of the electronic payment transaction industry, the OCC distinguishes between four-party networks and three-party networks. Four-party networks, which predominate largely because both Visa and MasterCard use this arrangement, consist of card issuers, acquirers that settle transactions with merchants, cardholders, and merchants. Three-party networks, in which the card issuer also is the merchant acquirer, is used by card companies that issue their own cards, authorize purchases, and settle with both consumers and merchants.
After describing the key merchant processing participants and detailing the operational framework, the booklet highlights the three primary risks associated with bank involvement in this activity. Strategic risk relates to consistency of merchant processing activities with the bank’s overall strategic goals, risk appetite, and business model, with particular attention to capital adequacy and capital allocation. Credit risk relates to creditworthiness of the merchant vis-à-vis the merchant’s financial ability to honor charge-backs from customers. Operational risk relates to readiness for processing card transactions for merchants, particularly the transmittal of sales information for collection and reimbursement as part of the settlement process.
Management of these primary risks, as well as compliance and reputation risk, lies at the core of the new booklet. The OCC leaves no doubt as to its expectations — a bank must “identify, measure, monitor, and control risk by implementing an effective risk management system appropriate for its size and the complexity of its operations.”
Intending the booklet to be a practical tool for banks, the OCC devotes the second half of the extensive introduction to surveying the elements that should be addressed by every risk management system. Of particular value is updated guidance on selection of third-party organizations and due diligence; selection and management of technology service providers; on-site inspections, audits, and attestation engagements, including the “Statement on Standards for Attestation Engagement” (SSAE 16) and the “International Standard on Assurance Engagements” (ISAE 3402); payment card industry data security standards; the member alert to control high-risk merchants (MATCH) list; compliance with BSA/AML requirements and methods for monitoring and identifying unusual activity; and appropriate capital for merchant processing activities.
The remainder of the booklet contains examination procedures, which detail how examiners will assess the effectiveness of a bank’s risk management system, concentrating on policies, processes, personnel, and control systems.
Issuance of an updated merchant processing booklet after 13 years of status quo, contemporaneous with related actions by other regulators, is an unmistakable signal that banks should dedicate serious attention and resources to this newest “hot button” concern.
While its affinity with everyday usage of credit by bank customers makes merchant processing a natural candidate as a profit center, the associated high volume of transactions obligates banks to enter the field cautiously and with robust systems to manage the heightened risks.