Today's Trends in Credit Regulation

The Regulatory Noose Tightens on Payment Processors and "High Risk" Merchants
By Thomas P. Quinn, Jr.

At some point over the last decade or so preparation for the holiday season - or at least retailer prompts to prepare - has started earlier and earlier. You would not know that Thanksgiving lies ahead of us on the calendar if you were to make a trip to a "big box retailer," many of whom already are proudly displaying rows of artificial Christmas trees. To me it seems a bit premature. Don't get me wrong, I generally love the holidays - they are a great way to spend time with family and friends and to recharge the batteries before heading into a new year. However, the one aspect of the season that I cannot stand is holiday shopping.

In recent years my wife has, like many, switched a great deal of her shopping from the real to the virtual world. That is fine with me. Trudging through a mall is just below root canal on my list of favorite activities. While most do not think about it, there actually is a fair amount that goes into making that purchase transaction happen.

Many times the purchase involves a "payment processor" - an entity that facilitates payments for retail merchants. Payment processors assist merchants by creating various forms of payment instruments to draw money from the consumer purchaser's deposit account to provide it to the merchant for the purchase. Often these payment transactions are in the form of an automated clearing house ("ACH") transaction that electronically debits funds from the consumer's account, or remotely created checks (sometimes called demand drafts) that result in a paper check drawn on the consumer's bank account with his / her authorization but without his / her signature.

Most payment processors conduct their business in a compliant manner. Some do not. And with bad actors comes regulation for the industry as a whole. The most recent regulatory action came in the form of FDIC Financial Institution Letter 43-2013, issued at the end of September. Because the FDIC does not have direct supervisory authority over the payment processors themselves, FIL 43-2013 takes aim at the financial institutions that maintain deposit accounts for such entities. It builds off of prior regulatory guidance (including FIL 3-2012, Payment Processor Relationships, Revised Guidance; Managing Risks in Third-Party Payment Processor Relationships, issued in the Summer 2011 Supervisory Insights Journal and FIL 127-2008, Guidance on Payment Processor Relationships) to set forth what the FDIC's supervisory approach will be when dealing with financial institutions that have deposit relationships with payment processors.

In the most recent guidance, the FDIC indicates that it is primarily concerned with payment processors that have relationships with merchants that are engaged in "higher risk activities." The FDIC defines activities considered to be "higher risk" as ones that display higher levels of consumer fraud and potentially illegal activities. In prior guidance, the FDIC has indicated that the merchant types the agency is most concerned with in this regard include credit repair services, debt consolidation and forgiveness programs, online gambling operations, online government grant or will-writing kits, payday or subprime loans, pornography, online tobacco or firearms sales, sweepstakes and magazine subscriptions. (See: Footnote 1 to FIL 3-2012.)

The regulators consider these types of businesses to be "higher risk" because they historically have had a higher-than-average rate of return or claims of unauthorized transactions and consumer complaints. Because the rules governing the creation of ACH and remotely created checks generally will lay the unauthorized transaction loss at the feet of the depository institution facilitating these payment instruments, the bank regulators want to ensure that any institution holding payment processor deposit accounts is adequately managing their risks.

To do so, the FDIC has underscored the need to do a thorough level of due diligence not only on the payment processor itself, but also its merchant client base. Specifically, the FDIC has indicated that financial institutions should:

  • Develop and implement a thorough approval program for payment processors, including background checks on the company itself and its principal owners and merchant clients.
  • Conduct risk assessments on the payment processor and its operations, with particular attention being paid to how it ascertains whether the merchants are operating in accordance with applicable law.
  • Monitor the performance of such accounts over time. An increase in charge backs or customer complaints should be considered a red flag warranting further action.

To the extent that a depository institution holds the deposit accounts of a merchant and provides payment processing services directly, it should apply these due diligence and monitoring principles to the merchant itself.

If you are a financial institution providing deposit relationships for merchants and payment processors you also will need to consider developing additional or different deposit documentation for use with merchants and payment processors. While regulated like any other financial product, much of a deposit relationship is a creature of contract with the requirements and consequences surrounding such a relationship being found in the terms and conditions provided at the point of deposit account application and opening (and generally forgotten soon thereafter).

For those in the credit space - particularly in the short-term loan market - you are not off the hook. The downstream impact of this regulation, with its focus on knowing the ultimate merchant who will receive the payment and how it conducts its business activities, is a form of indirect regulation on the industry. If you have experienced an abnormally high number of charge backs or customer complaints, a poor history at the Better Business Bureau (or other similar demerits in the business equivalent of your permanent record) it may become increasingly difficult to find a payment processor or financial institution to facilitate consumer payments.

Thomas P. Quinn, Jr. is a Partner of Hudson Cook, LLP, in the firm's Fall River, Massachusetts office. Tom can be reached at 774-365-4758 or by email at

Article Archive

2021   2020   2019   2018   2017   2016   2015   2014   2013   2012   2011   2010   2009