Digital Payment Processors: Anti-Money Laundering Programs Integral to Security

By Hari Nanji

Anti-Money Laundering (AML) has long been a key regulatory process for commercial, consumer and investment banks to protect themselves from fraudulent transactions and/or the misuse of their processes for criminal activity, such as drug dealing, tax evasion, embezzlement and terrorist financing.

In the past few years we have seen an increase in the volume of digital payments. AML processes are now relevant and imperative for institutions that are non-traditional banks or financial services providers. Examples of digital payment providers include: Apple Passbook, Google Wallet, Square Wallet and PayPal.

More users are now opting to use their smartphones, tablets, laptops and PCs to make their payments using various online platforms. This has resulted in critical questions regarding a bank’s and/or the third party’s ability to protect customers and assets:

  1. Do we have appropriate security systems to allow adequate authentication of payee information?
  2. Do we have adequate systems to prevent fraud (both internally and externally)?
  3. Is there sufficient due diligence for the payments and source of funds (to prevent terrorist activities)?

The Federal Financial Institution Examination Council (FFIEC) has defined a non-bank or third-party payment processors as bank customers that provide payment-processing services to merchants and other business entities. Traditionally, processors contracted primarily with retailers with physical locations to process the retailers' transactions. These merchant transactions primarily included credit card payments but also covered automated clearing house (ACH) transactions. The National Automated Clearing House Association (NACHA) website remotely created checks (RCC), and debit and prepaid cards transactions. With the expansion of the Internet, retail borders have been eliminated. Processors now provide services to a variety of merchant accounts, including conventional retail and Internet-based establishments, prepaid travel, telemarketers and Internet gaming enterprises.

If digital payment companies are considered a non-bank or third-party payment processor, then the regulations make it clear that as part of its Risk Mitigation/Risk Management program, it should develop and maintain adequate policies, procedures and processes to address risks related to these relationships, such as performing a Know Your Customer (KYC) review, performing due diligence over its customers and ensuring it is a legitimate person(s). In addition, management should monitor its customer relationships for any unusual or suspicious activities. The FFIEC guidance states "if the bank determines a Suspicious Activity Report (SAR) is warranted, the Financial Crime Enforcement Network (FinCEN) has requested banks check the appropriate box on the SAR report to indicate the type of suspicious activity, and include the term payment processor, in both the narrative and the subject occupation portions of the SAR."

Failure to maintain adequate AML controls, including maintaining an up-to-date customer profile, with periodic KYC updates and due diligence reviews and/or failing to complete a SAR can lead to regulatory penalties, including fines and enforcement actions. It’s important for any organization that processes payments to evaluate its need for an AML program.

Hari Nanji is a Director in the Accounting and Finance Group at Accretive Solutions, focusing on the Financial Services sector. His core skillset includes regulatory risk analysis, internal controls assessment, senior management/board reporting and consumer banking regulations. Hari has extensive experience in corporate compliance quality assurance, compliance monitoring and testing, BSA/AML testing, risk identification and assessment and internal audit. He is a certified Chartered Accountant and is an active member with the Association of Chartered Accountant of United States (ACAUS) – Northern California Chapter.