Chapter XIV. – Credit Card Issuing Rent-a-BINs
Rent-a-BIN Models and Structures
Responsibilities of Bank Management
Risks
Legal, Compliance, and Reputation Risks
Counterparty Risk
Funding Risk
Credit Risk
Operational Risk
Risk-Mitigating Controls
Policies
Due Diligence
In-House Expertise
Contracts
Financial Reporting
Covenants and Parameters
Access to Information
Materials and Program Control
Settlement Exposure Reserves (Collateral Protection)
Pricing
Ability to Terminate Contract
Audit
Contingency Planning
Ability to Cease Authorizations
Risk Measurement Systems
Partner's Other Relationships with the Bank
Capital
Accounting
Summary of Examination Goals – Credit Card Issuing Rent-a-BINs
XIV. Credit Card Issuing Rent-a-BINs
Banks are involved in many business lines that have varying competitive pressures and requirements for success. They are increasingly evaluating each line to determine whether it makes the most of the bank's strengths and is consistent with its strategic plans. As management considers these evaluations, it may decide to stop activities that are not profitable or that are too high-risk for its appetite in order to concentrate on activities that may be more profitable, that it and the bank may be better-suited for, or that are lower-risk. These types of evaluations have led to the development of many variants of the credit card lending model, one of which is a Rent-a-Bank Identification Number (BIN) arrangement. This chapter describes Rent-a-BIN (RAB) models and structures, highlights the risks of issuing RAB arrangements, and discusses risk-mitigating controls that management typically employs. Later sections of the chapter consider topics such as capital and accounting.
Rent-a-BIN Models and Structures
With a RAB arrangement, a bank allows one or more other entities to conduct credit card activities with or through one of the bank's BINs8, which is a number assigned by an Association to identify the bank for authorization, clearing, settlement, card issuing, or other processes. In return for allowing the use of its BIN, the bank receives a "rental" fee from that entity, hence the term Rent-a-BIN.
There are essentially two types of RAB arrangements: a credit card issuing RAB and an acquiring RAB. Each has a unique set of risks but both require the bank to have strong vendor-oversight programs. Acquiring RABs, which draw their names from the arrangement's feature of acquiring merchant contracts and cardholder transactions, are addressed in the Merchant Processing chapter, and issuing RABs, which draw their names from the arrangement's feature of issuing credit cards to consumers, are the focus of this chapter.
There are several common features among issuing RABs. In an issuing RAB arrangement a bank (as BIN owner) rents its right to offer credit cards that have the applicable Association's logo to a third party for a fee. The third party generally solicits prospective credit card customers and then provides approved applicants with a credit card. The bank is identified as the issuer of the card while the BIN-renter, or partner, and other sub-contracted participants may not necessarily be apparent to the cardholder. The bank retains its contract with the Association(s) because the Associations only allow insured depository institutions to issue credit cards under their brands. While the bank sheds itself of a majority of the day-to-day operational duties associated with operating the program in most cases, it always retains ultimate responsibility for the program based on its contract with the applicable Association and on it being the issuer of record.
Issuing RABs also have several aspects that vary from arrangement to arrangement. For example, the receivables are usually held by the BIN-renter (partner) or another party. In a few cases the bank might hold a small portion of the receivables or even a majority or all of the receivables. Securitization of the program's receivables (by whichever party has funded those receivables) may or may not be present. In most cases, the partner is unaffiliated with the bank. However, the partner may be an affiliate of the bank or a related interest of an insider of the bank, requiring an additional layer of review. Furthermore, some banks have arrangements with more than one partner for different credit card programs/BINs. Portfolio services such as collections, customer service, and processing, can be performed by the partner or by other third-parties (which, again, may or may not be affiliated with the bank). The bank could even perform select services or processes. In most cases the bank is an issuer only, but it is plausible that it could be both issuing and acquiring, which could complicate matters (refer to the Merchant Processing chapter for information on the acquiring business).
A bank might enter into an issuing RAB to reduce or to limit the level of receivables held on its balance sheet (thus reducing or limiting on-book credit risk) and/or to reduce or limit the operating burden on internal resources while still generating income from credit card activities. While issuing RAB arrangements can be effective means of meeting these goals, they pose a number of risks to the bank, and those risks can be substantial. Problems commonly arise when management is overly focused on apparent returns or cost savings or when it lacks sufficient knowledge about the risks involved with the card products offered, RAB activities, and/or third-party oversight.
A primary concern with RAB arrangements is that the bank may not have sufficient controls over the partner's (or the partner's agent's) actions, particularly solicitation, underwriting, and administration of the credit card relationships. The quality of services provided by the hundreds of third-parties in credit card and related industries, as well as their wherewithal to support the activities, varies widely. If the partner or its agents fail to abide by applicable laws, guidance, and regulations, or if the partner experiences financial difficulties, the bank could be exposed to operation and reputation risks that may result in fines or other monetary losses, funding or liquidity risks if the partner or other receivable-holders are not able to provide funding for new charges that they have committed to fund, and credit risk if the bank must fund the cardholder charges and retain the receivables on its balance sheet. Credit risk, whether from receivables voluntarily retained or that the bank is forced to retain, could be substantial if the bank has not had proper control over the partner's underwriting criteria and the partner solicited and accepted customers with riskier profiles than what the bank would normally accept.
For purposes of this chapter, a simple structure will be used: the bank will be an issuer (and not an acquirer) and will generally be assumed to be contracting with one partner, and that partner will hold all card receivables as well as perform all servicing and processing for the portfolio. However, examiners should keep in mind that a bank may have more than one partner, that the partner might have relationships with more than one bank, that the bank may or may not retain the receivables, and that servicing may be performed by the partner, the bank, or another third-party. Examiners will need to review governing documents for issuing RAB arrangements (normally for those that are material or new) to ascertain the parties involved, the extent of each party's responsibilities, and how and to what degree failure of each party to meet its obligations may impact the bank, whether directly or indirectly. Examiners should also look for evidence identifying whether management has properly addressed the risks from each RAB arrangement.
Responsibilities of Bank Management
Management sometimes assumes that it does not have to carefully monitor the card portfolio, namely when the bank does not hold the receivables. However, in an issuing RAB arrangement, the bank is responsible for the program and its customer relationships regardless of where the receivables reside. Further, the performance of the accounts can substantially impact the risks to the bank. Another misconception is that if a contract is in place between the bank and the partner, the bank is sufficiently protected. Contracts, a necessary component of a successful RAB operation, may not always be iron-clad. For example, the partner's indemnification contribution is only as strong as its financial wherewithal. Further, in some situations the bank might step in and relieve the partner from some of its responsibilities under the contract, thus tainting the contract. As another example, even though the contract might call for the partner to reimburse fines, it is up to the bank to seek that reimbursement and it might elect not do so, perhaps to keep the third party viable or to avoid disruptions to the program. That is not to say that a partner could not also provide services or financial support beyond contract specifications.
Even though the bank might not be directly involved in solicitation, underwriting, and administration processes under the issuing RAB arrangement, it is still the legal owner of the card accounts and relationships. As the BIN-licensee, the bank is responsible to the Association(s) for transactions processed and/or cards issued with its BINs, and, thus, program oversight. Even though contracts between the bank and the partner might direct the partner to assume these and other responsibilities, regulatory agencies and, most likely, the Associations regard the bank as ultimately responsible for the program. Typically the Associations have nominal direct contact with the bank's third parties. Rather, the bank is responsible for managing the third-party relationships, ensuring the third party meets established standards, and looking to the partner for reimbursement or other support provided for in the contract between the bank and the partner. The Association(s) may look to the third party if the bank is unable to meet its obligations.
Rigorous and thorough oversight of issuing RAB arrangements is warranted for management to ensure the risks are appropriately controlled. Issuing RAB relationships should generally be subject to risk management, consumer protection, and other policies and practices consistent with those that would be used if the bank was issuing the cards directly. The assessment of controls, safeguards, and practices for RAB activities is factored into the Management component rating (and other component ratings as applicable).
Risks
Issuing RABs can be profitable ventures but do entail risks which, if not properly controlled, can quickly erode profitability and/or cause many other problems, some of which could be critical, for the bank. Because the bank does not usually hold the preponderance of the receivables and because third parties are typically conducting most of the portfolio services, the risks may not appear as straightforward as they are with a conventional credit card lending model. The frequency and level of each risk to a RAB bank is influenced by a number of factors, including, but not limited to, the type of card program, the bank's experience with the program or similar programs, and the third party's experience with similar activities. Poor planning, oversight, and control by management and inferior performance or service by the partner are usually the culprits that increase the risks.
Due to the risks involved, RAB arrangements warrant carefully-orchestrated, management-appointed safeguards and controls. Examiners should determine whether management, even if only considering establishing an arrangement, is fully aware of the risks involved. They should look for evidence that management has identified and documented the business's risks as well as the expertise and controls that will be required to manage those risks. A formal risk assessment may be warranted, particularly when proposed RAB activities will be of a substantial volume or would involve higher-risk characteristics, such as subprime lending or new products. Risks with an issuing-RAB arrangement include, but may not be limited to, legal, compliance, and reputation risks; counterparty risk; funding risk; credit risk; and operational risk.
Legal, Compliance, and Reputation Risks
Legal, compliance (consumer or otherwise), and reputation risks are prominent in issuing-RAB arrangements. These risks can be particularly substantial when subprime lending or other high-risk activities are involved. While these three risks often go hand-in-hand, they are not synonymous. These types of risks arise because the bank is responsible for the program, including actions taken (or inaction) by the third-parties involved. The bank cannot effectively detach itself from the credit card activity since the bank's name remains as the card issuer and the bank remains contracted with the Associations. Thus, errors and violations of law or of cardholder agreements, by the bank or its contracted parties, could expose the bank to substantial monetary loss through lawsuits, fines, or other financial burdens. Consumer compliance risks, which can easily translate into safety and soundness risks, can be exacerbated when the partner's (or its agents') employees interact directly with the bank's customers. For example, if marketing of the card program by the bank, the partner, or a third party is determined to be unfair or deceptive, the bank may be held responsible for any monetary penalties, reimbursements, and any other actions (such as shutting down the program) necessary to promptly address the concerns. As a result, risks to the bank's earnings and capital could ensue. The bank's reputation can also suffer by association with improper or abusive business practices conducted by the partner or its agents. Third parties' decisions may affect a bank's ability to establish new relationships or continue existing relationships, which could impact the bank's strategic objectives.
In general, the bank and its credit card programs must remain compliant with laws, regulations, and guidance including, but not limited to, the Account Management and Loss Allowance Guidance for Credit Card Lending (AMG), consumer protection laws, and anti-money laundering laws. The AMG is generally applicable to all insured institutions that offer credit card programs, regardless of whether or not the receivables are held at the bank. Further, banks' obligations to comply with the Associations' standards are not limited by the receivables' place of residence.
The Associations are highly cognizant of their own reputations. If the card program demonstrates increasing or high risk, inadequate controls, or high volumes in relation to the bank's size and resources, the Associations may require the bank to put up additional capital or collateral for the card program, regardless of where the receivables reside and regardless of whether or not a RAB arrangement is involved. Abuses of a bank's Association membership (including of the by-laws and operating regulations thereof) by a partner or its agents could also cause the bank to lose its authority to issue cards under the Associations' brands. Such a loss could impact the bank's reputation, earnings, and liquidity; could ultimately translate into capital problems for the bank; and/or could require substantial revisions to the bank's strategic objectives.
Regulators may also require augmented capital levels. The necessary level of capital is based on a number of factors, as discussed later in this chapter.
Counterparty Risk
Counterparty risk, or default risk, is the risk that the partner will fail to perform on its contractual obligations. It often ties closely to performance of the card portfolio because the partner's earnings and, thus, capital maintenance, formation, and support, is frequently a product of income generated by and costs associated with the program. The partner usually retains most of the program's income and carries most of the costs when it holds most or all of the receivables.
The partner could fail to meet its obligations under the contract(s) governing the RAB arrangement. For example, the partner might fail to fund the receivables, pay the rental fee, comply with established financial covenants and/or portfolio parameters, or maintain sufficient collateral support. As a result, the bank could have to fund the receivables, potentially increasing its liquidity, credit, and other risks. The bank might not be able to offset its oversight, management, or other costs for the program, which could stress the bank's earnings performance and, consequently, capital.
Funding Risk
Funding risk stems from the bank's responsibility to ensure that settlement9 requirements are met. Funding risk, however, could be considered, in some respects, to be a by-product of counterparty risk. Usually the bank settles directly with the processor, whether or not the bank retains the receivables. Even if the partner or other third party is required by the RAB contract to fund settlement and/or may be able to settle directly with the processor, the bank is ultimately responsible to the Associations for ensuring settlement is met as it is the BIN-licensee and the issuer. Consequently, when funds available from the partner, which are usually influenced heavily by cardholder payments, cannot fully meet settlement requirements, the bank is looked upon to make up the difference.
Further, when the partner possesses the receivables, it could subsequently be selling those receivables via securitization. The securitization vehicle must be maintained whether or not the partner is able to fund or acquire the receivables and sell receivables to the securitization vehicle. Further, poor performance of the securitized portfolio could trigger cash capture or early amortization. In these cases, the trust will use incoming cardholder payments as applicable to fund spread accounts, pay off the investor certificates, and so forth. Since those funds will not be available to the partner to fund settlement, the bank could have to furnish funds.
Credit Risk
Credit risk remains at the bank for any receivables it retains. Credit risk also arises, albeit off-balance sheet or contingent, if receivables are held by the partner or another entity. Credit risk could shift to the bank if the receivables-holder cannot fulfill its financial obligations, such as settlement, and could be substantial if the bank has not properly controlled the partner's underwriting criteria and the partner has solicited accounts with risky profiles.
Operational Risk
Operational risk is generally defined as the risk of monetary loss resulting from inadequate or failed internal processes, people, and systems or from external events. Examples include fraud, business disruption, and poor execution of process management and can all have adverse impacts on the bank and its RAB programs. Comprehensive due diligence and contingency planning, including stand-in arrangements, can help limit the level of and impacts from operational risk.
Risk-Mitigating Controls
Practices and safeguards that management commonly implements to mitigate risks include, but are not limited to, instituting policy controls, performing due diligence procedures, establishing a comprehensive contract between the bank and the partner, and developing detailed contingency plans. Without proper safeguards in place, exposure could be substantial.
Policies
As part of being contractually responsible for and controlling the program, management normally establishes a thorough review and approval process for policies proposed or used by the partner. An effective RAB contract sets forth the bank's expectations regarding the partner's operating policies applicable to the program and provides bank management with the stated authority to periodically review the policies (both prior to and after implementation) to ensure the policies are consistent with the bank's standards and risk tolerances. Examiners should determine whether policy reviews are well-documented and whether a formal agreement process for program policies is used.
Examiners' attention should be directed to situations in which the bank's internal policies fail to specify a system for approving partners and an ongoing program to monitor the partner's financial condition and operating performance as well as portfolio performance. In general, a comprehensive policy designates the criteria for selecting partners, stipulates information that is required in the RAB contract, and addresses other items, such as limits per RAB relationship and concentration limits.
Examiners' attention should also be directed to cases in which policies (whether the bank's or the partner's) are not consistent with the scale of the activity and the risks it presents. Typically the bank does not diverge from its normal lending practices when participating in RAB relationships. But, if the bank significantly diverges from its normal lending practices, examiners should assess how management has ensured that any eased standards still result in an acceptable level of credit risk and that any elevated risks are appropriately addressed. Failure to adequately control policies used by the partner could result in compliance and legal risks to the bank. Further, it could cause the partner to take on more risk, including credit risk, than it can control, and that risk could fall back on the bank if the partner is unable to meet certain financial obligations.
Due Diligence
Risk exposures generally increase when the bank is contracting with a disreputable or inexperienced partner. As is the case for any third-party arrangement, selecting a competent, qualified, and reputable partner is essential to effectively managing the arrangement's risks. Examiners should look for evidence that the due diligence process is structured to identify qualitative and quantitative aspects, both financial and operational, of the partner and to assess the arrangement's consistency with the bank's strategic goals. To be effective, due diligence should occur before conducting business or contracting with the entity, and at appropriate intervals thereafter, such as when the contract is due for extension or renewal.
Facts should corroborate that, before entering into or re-negotiating a RAB agreement, management ensured that the prospective partner had adequate financial capacity, expertise, infrastructure, technology, and staffing to operate the program soundly. In general, a thorough due diligence process includes documentation of these items:
- Analysis of credible financial information on the entity as well as its principals to verify the entity's viability and capacity to absorb losses.
- Research of background information and reputations of the entity and its ownership. This process may include reviewing business reputation, complaints, and litigation (such as by checking references or contacting attorney generals' offices and Better Business Bureaus). The length of time the entity has been in business is also applicable.
- Performance of a first-hand, on-site evaluation of the entity's business operations, including its premises and relevant records, to ensure it has the proper facilities, equipment, personnel, and so forth.
- Review of the entity's management experience in implementing and supporting the proposed activity as well as other relevant qualifications.
- Evaluation of the entity's business resumption, continuity, recovery, and contingency plans.
- Assessment of the entity's reliance on and success at dealing with sub-contractors, and resolution of which sub-contractors management will conduct due diligence of.
- Determination of whether appropriate insurance coverage is in place.
- Assessment of whether the entity's culture, values, business style, and strategies fit with the bank's culture, values, business style, and strategies.
In-House Expertise
Because of the risks associated with issuing RABs and to ensure the RAB operates successfully, it is imperative that the bank devote knowledgeable staff to oversee the arrangement. Examiners should assess the board of directors' practices for identifying the bank positions needed and clearly assigning responsibility for overseeing the partner and its operations. They should determine whether the bank has provided adequate personnel and resources to fulfill its obligations in regards to the program and to monitor the partner's activities and portfolio performance. Examiners should look for proof that the bank's designated staff is knowledgeable and experienced with the processor, software programs, and other devices used by the partner and has legal and compliance expertise as well as accounting and technology expertise relevant to credit card lending. If the bank services the portfolio, proof should confirm whether it has adequate resources, expertise, infrastructures, and technology to appropriately provide the contracted services.
Contracts
Contractual responsibilities are fundamental to protecting the bank's interests and to determining the level and type of risks the arrangement brings to the bank. Effective contracts detail each party's responsibilities, specify what activities the partner is permitted to conduct, and are updated as needed. They also address the risk factors identified during the bank's risk assessment and due diligence processes. Normally, bank counsel reviews the proposed contract. Examiners should look for evidence that the contracts are structured to provide for the sound operation of the program as well as compliance with the Associations' standards. The level of protection offered by the contract could be questionable if the bank does not require the partner to consistently abide by its provisions, which normally cover, among other items:
- Financial reporting.
- Covenants and parameters.
- Access to information.
- Materials and program control.
- Settlement reserves (collateral protection).
- Pricing.
- Ability to terminate contract.
- Audit.
Financial reporting:
As noted, the bank is liable for meeting the settlement requirement daily but may look to the partner to supply settlement monies. Further, many RAB contracts contain indemnification provisions, but indemnification by the partner is only as strong as the financial wherewithal of the partner. A partner's financial situation could quickly become stressed, even to the point where it may file bankruptcy or become insolvent, possibly resulting in the bank having to retain the receivables if it had not been doing so already. The bank could possibly also end up having to cover costs, such as if fines or penalties have been imposed, if the partner cannot properly reimburse the bank according to governing contract provisions. As such, contract verbiage normally requires the partner to provide reliable financial information, including balance sheet, earnings, cash flow, and contingent liability information. Examiners' attention should be directed to situations in which the frequency of financial statement submission and review is not commensurate with the risk posed by the program and/or the partner. Partners are typically required to submit financial statements at least quarterly and audited financial statements annually. For higher-risk programs or higher-risk partners, more frequent submission and review may be required. Examiners should see proof that the board of directors has assigned responsibility both for evaluating the financial information and for reporting the findings to the board (or a designated committee) to competent employees. Contracts that require proper financial reporting practices can help the bank mitigate the risk of operating under a contract and program that is not fully supported by the financial wherewithal of the partner.
Covenants and parameters:
Contracts normally contain financial covenants for the partner (such as capital requirements, liquidity expectations, and appropriate settlement reserve balances) as well as card portfolio parameters (such as growth restrictions and performance expectations). The partner is usually required to periodically report and certify compliance with the covenants and parameters, and the contract normally prescribes remedies in the event the covenants and/or parameters are violated. Examiners' attention should focus on situations in which management does not have access to and/or does not review reliable data to monitor and test compliance with the established covenants and parameters. Proper examiner attention should also be given to situations in which review of the partner's budgets and other projections is not occurring. Such reviews help to detect trends that might signal emerging problems with meeting the covenants and parameters in the future. Further, situations in which the partner has violated the covenants or parameters warrant review during the examination.
If the portfolio becomes stressed, the partner (if it holds the receivables) could experience reduced cash flows which may, in turn, affect its ability to meet settlement requirements and, thus, potentially require the bank to provide funding. Portfolio deterioration could lead to a weakening of the partner's overall financial condition since a substantial portion of its earnings performance usually depends on the portfolio. Further, portfolio deterioration could signal ineffective servicing and management of the portfolio by the partner or other contracted servicers and could eventually entice the partner to use overly aggressive collection or other questionable servicing techniques, which could exacerbate compliance and legal risks. If the partner does not maintain appropriate capital or other financial measures, it may not be able to make good on its indemnification obligations and may not be able to fund the receivables. Thus, if contracts do not establish financial covenants for the partner as well as portfolio performance parameters for the portfolio, the bank is left with the risk that the partner may not be able to properly perform its contracted obligations, such as purchasing receivables, paying the rental fee, and so forth.
Access to information:
To ensure that management can assess the partner's policies and practices for compliance with laws, rules, regulations, safe and sound business practices, and the Associations' rules, the contract ordinarily provides management with ready access to such policies and procedures. Examiners should confirm whether procedures have been established to notify the bank when service disruptions, security breaches, or other events pose risk to the bank or when the partner receives any consumer complaints or litigation notices related to the bank's program. If a contract does not provide for appropriate access to information, the bank may be at the risk of unknowingly being named in lawsuits or unknowingly having its customers' or other information breached. A lack of appropriate access could also inhibit the bank from promptly identifying any changes that the partner may have inappropriately made to its policies or operating procedures.
Materials and program control:
The agreements generally grant the bank pre-approval rights over all program materials (such as marketing materials and cardholder agreements). Pre-approval rights over plans to issue new products or to materially alter existing products are also typical control features. Further, review and approval of card fee structures prior to implementation is a critical function of bank management. The granting and exercise of all of these rights is necessary to ensure that the partner is not taking on inappropriate levels of risk that could ultimately impact the bank. Contracts that are structured to commit the bank to open or maintain any particular level or number of cards, accounts, or receivables could cause the bank or the partner to take on a greater level of risk than can be appropriately controlled.
Settlement exposure reserves (collateral protection):
The contract ordinarily requires the partner to provide some kind of security or protection against any settlement exposure that the bank might face if the partner is unable to settle through agreed-upon normal means. Normal means could include the partner wiring funds to the bank daily, an authorized debit of the partner's general operating account at the bank, or some other similar method. Security for the exposure if the partner is not able to settle via normal means frequently takes the form of a combination of two or more of the following options: a deposit account, a contingency reserve, a credit facility, or other mechanism. Some banks have required the partner to hold ten days of coverage in aggregate. In any case, the funds available to the bank should tie to a realistic, well-documented contingency plan. The portfolio's available credit (open-to-buy) position and trends in that position can point to potential future trends or worst-case exposures regarding settlement activity, and, thus, are important considerations for determining the adequacy of protection provided. Settlement exposure reserves frequently consist of two items:
- A Deposit Account - Many contracts call for the partner to provide for and maintain an adequate deposit to cover potential shortfalls that may occur in daily settlement. This deposit is normally separate from any operating accounts that the partner might have at the bank. Concern arises when the method for determining the necessary deposit amount has not been specified or controlled by the bank. The deposit is usually held at the bank, but, whatever the case, examiners should look for evidence that the bank has proper controls over the deposit, which may include a perfected first lien. The partner typically has outside financing, so without proper controls, the bank's lien could fall behind liens of the financier. The deposit is usually required to cover several days of settlement volume (for purchases, cash advances, and so forth). Some contracts call for coverage of three days of volume (when a contingency reserve or other reserve/protection source is also used). Each contract needs to be reviewed on a case-by-case basis in the context of the activities being conducted and of any additional support (or lack thereof) provided by other means. Effective calculations to determine the deposit consider items such as seasonal fluctuations, portfolio growth, and customer payment rates and are well-documented. Contract features also usually call for the partner to replenish the balance in the account within a very short period once the account is drawn on. Compliance with the deposit requirement is often included in covenant-monitoring reports. Failure by management to ensure the deposit is accurately calculated and sufficiently funded could lead to an inability to meet settlement needs without the bank providing funds.
- A Contingency Reserve - Contracts also frequently require the partner to fund and maintain (at the bank or at a third-party) an adequate contingency reserve (or similar instrument) for use if the partner is unable to fully replenish the deposit account. Like the deposit, a contingency reserve usually covers several days of settlement, although its coverage is ordinarily longer, such as around seven days. Contingency reserves also warrant review on a case-by-case basis. In lieu of a contingency reserve, some partners establish a credit facility to the benefit of the bank. An effective contingency reserve calculation (or credit facility or other instrument) considers items such as seasonal fluctuations, portfolio growth, and customer payment rates and is well-documented. If the contingency facility is at a third party, examiners should evaluate management's practices for periodically verifying the availability and liquidity of the funds. Contracts may call for the partner to replenish these secondary funding sources within a very short period in the event they are drawn on, although if the contingency reserves are being drawn on, the third party is likely under financial stress. Failure to ensure the availability of such funds or the adequacy of the required funding amount could lead to an inability to settle in the event the bank does not step forward with its own funds. Again, proper controls over the contingency instrument are critical.
Pricing:
Comprehensive contracts clearly depict the compensation structure, allow for periodic review and re-pricing of services, and identify which party is responsible for each expense incurred. If the partner or another entity holds the receivables, a bank essentially pays for perceived insulation from credit losses by foregoing higher compensation that would typically be associated with carrying the card portfolio on its books. Rather, in these cases, the partner typically retains most of the income generated by the portfolio and carries most of the expenses. Examiners should evaluate whether the bank's compensation is commensurate with the risks retained as well as with the costs incurred for monitoring and managing the arrangement.
Ineffective pricing structures could quickly erode the bank's profits. Therefore, examiners should determine whether, prior to entering into or re-negotiating a RAB contract, management performs detailed cost analyses of its expenses and tries to obtain information on comparable transactions. Because the responsibilities and card portfolios under each bank's arrangements are different, pricing structures are difficult to compare and vary from contract to contract. Some contracts specify tiered fee structures where the fee per account (the definition of account also varies from contract to contract) is reduced as the volume of accounts increases. For example, a contract might call for a dollar per account for the first 100,000 accounts, 75 cents per account for the next 200,000 accounts, and so forth10. Others use a flat monthly rate. Some contracts call for an upfront fee (or set-up fee) and/or establish a minimum fee per month. Whatever the case, examiners should expect pricing to adequately compensate the bank for its risks and costs.
Examiners should also expect that, throughout the life of the arrangement, management produces an income and cost statement for issuing RAB activities and properly budgets for its RAB activities. Effective statements display RAB fees or other related income received and all direct and indirect costs incurred. The bank might have to make a sizeable investment in the program to implement systems and personnel to appropriately run and monitor the program. And, it might not be a profitable venture for the bank if the RAB partner is unable to generate a sufficient volume of accounts or properly manage the program.
Examiners' attention should also be directed to situations in which management is not monitoring portfolio profitability, regardless of whether the bank holds the receivables. Portfolios that evidence deteriorating or negative earnings performance could signal improper management by the partner, existing or future stressed cash flows to the partner, or other impacts on the partner, all of which could potentially, albeit indirectly, result in safety and soundness risks to the bank.
Ability to terminate contract:
Comprehensive contracts address circumstances under which the bank can exit the agreement and set forth reasonable timeframes for such actions. For example, the bank normally has the ability to terminate the contract if the partner materially breaches the contract (usually after considering a reasonable cure opportunity). Timeframes for notification of intent to terminate should be commensurate with the risks and the reasons for termination. Contract language that requires the bank to incur substantial fees for terminating the contract for appropriate cause should be carefully analyzed. Contracts that do not provide the appropriate ability to terminate the contract leave the bank at the risk having to operate a program that could be unprofitable or that has substantial liquidity risks or other implications.
Audit:
The potential for serious or frequent violations and noncompliance exists when a bank's oversight program does not include appropriate audit features. As such, management normally retains the right to audit the partner (and its sub-contractors). Contract verbiage also normally requires the partner to provide its applicable internal and external audit reports, including the findings of financial and procedural audits and the partner's responses thereto, to bank management for review. If a contract does not provide for appropriate audit access, it leaves the bank at risk of failing to timely identify concerns or problems with the program and its operations. As a result, the bank could become subject to elevated legal, compliance, or other risks.
Examiners should look for proof that the bank's internal audit program incorporates a comprehensive review of bank management's supervision and oversight of the RAB relationships and activities as well as a review of each entity's adherence to contract provisions. The bank's internal audit program is normally expected to confirm that policies, procedures, and materials for the RAB activities have been properly approved by bank management and comply with laws, rules, and regulations. It ordinarily includes periodic on-site inspections of the partner as well as requires the partner to respond to and address issues identified by the internal audits. Examiners should also assess bank management's practices for conducting its own audits of the partner's processes, especially when the partner has not provided for appropriate audits. Examiners should verify whether internal audits assess how the program complies with applicable laws, regulations, and guidance and whether the internal audits are well-documented and readily available. Regulatory scrutiny and risk management expectations for certain practices will be greater for higher-risk portfolios and segments as well as for higher-risk partners.
Contingency Planning
Examiners should also direct their attention to arrangements for which all parties involved, including the bank, purchasers, servicers, and other affected parties, do not have proper contingency plans in place. The review should incorporate an assessment of how management normally reviews those types of plans, particularly for entities providing material services. The bank's plans normally involve transferring the program to another entity, funding the program internally, or shutting down the card program if the contract is terminated. Examiners should substantiate whether contingency plans are written and board-approved, identify specific actions the bank will take, and include appropriate information such as contact information for the parties involved. Concern is normally elevated when the plans only include activation after default has occurred and do not consider actions to be taken to lessen risk exposure as soon as indications of potential default by the partner have become apparent. For cases in which securitizations are used either by the bank, partner, or third party as the funding mechanism for the receivables, contingency planning takes on added elements of complexity. For example, the plan then needs to address the impact of potential events on the ability to continue to sell assets to the trust.
Comprehensive, well-thought out plans consider exposures in worst-case scenarios, such as the existing full open-to-buy exposure combined with the maximum time necessary to close accounts, as well as potential, more likely scenarios, such as those that consider the ability to reduce credit lines and close problem accounts. Without a sufficient contingency plan, the bank could find itself in a strained liquidity position, similar to an early-amortizing securitization.
Ability to Cease Authorizations
The ability to cease authorizations on the cards if the partner materially breaches the agreement or does not maintain adequate deposits, contingency reserves, or other required collateral is crucial. Contracts and cardholder agreements normally allow the bank to stop authorizations. If management does not have such authority with the processor, problems could arise. If a bank cannot shut down or limit authorizations in a timely manner, it increases its funding risk and may ultimately end up taking on credit risk that it may not be able to control. Even with the authority to cease authorizations, problems could arise regarding the Association membership, impacting the bank's aggregate risk position.
Risk Measurement Systems
Risk measurement systems to operate, monitor, and control issuing-RAB activities are critical components to the successful operation of such activities. Examiners should assess reports that management regularly receives to determine whether those reports enable management to gauge, in a timely and comprehensive manner, the risk posed by RAB activities. Management normally receives and reviews key management reports no less than monthly. The reports commonly include items such as the number and dollar volume of accounts, delinquency and charge-off volumes, over-limit data, customer service metrics, sales volumes, payment volumes, profitability, and any other relevant metrics needed to appropriately gauge risk. Concerns arise when appropriate segmentation methods are not incorporated and when management is not closely monitoring the trend and volume of available credit (open-to-buy) positions. The level of available credit coupled with normal or expected account usage can be an indicator of future potential settlement requirements. Reports reviewed by management also normally include information for measuring the partner's performance against that required by the contract. If securitization activities are associated with RAB activities, examiners should require that reporting on the securitization facilities and performance is incorporated. Monitoring the securitized pool by both the bank and the partner is particularly important when the partner relies heavily on securitization for funding. The bank could have to fund settlement if an early amortization is triggered. In addition, adverse impacts on the partner's financial wherewithal from poor performance in the securitized receivables could impact the partner's ability to cover its other assigned expenses, such as fines or cardholder reimbursements.
The level of detail and frequency of reporting funneled to the board is contingent on the size and risk profile of the operation in relation to the overall operations of the bank and its capital base. However, board reporting normally occurs no less frequently than quarterly and more frequently in certain instances, such as if concerns with the partner or portfolio are identified, if the arrangements involve higher-risk activities such as subprime lending, if the card portfolios involved are sizable compared to the bank's asset base and capital level, or if it is a new activity.
Partner's Other Relationships with the Bank
Concerns normally arise when management has not considered lending or other relationships that it has with the partner when analyzing the bank's total risk exposure or when each applicable area of the bank involved with the partner does not inform the other(s) about any adverse change in the partner's credit quality. For example, a partner's failure to make a loan payment likely points to emerging credit quality problems that may affect the partner's ability to meet settlement requirements or to fund the deposit and/or contingency reserve.
Lending to a partner essentially creates a conflict of interest that could result in management failing to take appropriate action against the partner when problems arise. For example, management might not want to discontinue marketing the card program because such an action might jeopardize repayment of the bank's loan to the partner. When management continues with a problem relationship, it often exacerbates the problems and increases subsequent losses. Examiners should look for evidence that management fully understands the total risk exposure when lending to a partner and carefully manages any such relationships to ensure any losses are minimized.
Capital
A bank must hold appropriate capital for all of its business lines, including issuing-RAB arrangements. Effective policies limit the bank's volume of issuing-RAB activity relative to the bank's capital, the bank's risk profile, and management's ability to monitor and control the risks. Examiners assess the records supporting the capital allocation for issuing-RAB activities.
Existing regulations do not assess a specific capital charge for the aspects of issuing-RAB activities that the bank may be carrying off balance sheet. But, regulators may require the bank to hold capital above the regulatory minimums when appropriate. In general, factors considered in determining the proper level of capital to hold include:
- Quality of the partner, including reputation, experience, and organizational culture.
- Bank's management expertise in the area of credit card operations and RABs.
- Quality of the RAB oversight program.
- Profitability of the RAB activities from both the bank's perspective and the portfolio's perspective.
- Any instances of breach of contract.
- Deterioration in the partner's financial condition.
- Type of program offered through the RAB arrangement because certain types of business, such as subprime lending, are inherently riskier.
- Portfolio balance as well as open-to-buy trends and exposures.
- Quality and reasonableness of contingency plans.
- Audit findings.
- Bank's risk profile, including the adequacy of capital to support its other business lines.
Some RAB banks that are not holding the receivables consider risk-weightings similar to those that would be in place if the receivables were still on the bank's books, adjusted for collateral or other protection available. Examiners should expect that any methodology used will be well-supported and thoroughly documented and tie to considerations such as, but not limited to, those identified in the prior bullet points.
Accounting
As discussed, issuing RAB arrangements can have various structures. In some cases, the bank may have even been retaining the receivables for quite some time and only later decided to move the receivables off its balance sheet. Examiners will normally look at management's documentation of the RAB structure(s), including bookkeeping entries used. Because the structures, operations, and bookkeeping entries for the arrangements vary based on the governing contracts, accounting consequences also vary. All it would take to bring a receivable within the scope of FAS 140, Accounting for Transfers and Servicing of Financial Assets and Extinguishments of Liabilities, is for the receivable to be an asset of the bank for even a brief moment before being transferred to the partner or another party. In this case, management will need to determine whether or not the transfer of the receivables qualifies for sale accounting under FAS 140. To ensure all applicable accounting guidance (FAS 140 and otherwise) is followed, examiners would normally expect (and confirm) that management has consulted with the bank's accountants.
Summary of Examination Goals – Credit Card Issuing Rent-a-BINs
Examiners must determine the extent of the bank's RAB activities as well as the level of risk that the activities pose to the bank. They must also determine whether the bank's capital level adequately covers the identified risk. Procedures for reviewing RAB arrangements are often similar to those procedures used to review other types of third-party arrangements. Examiners should review and assess:
- Applicable board and committee minutes, in coordination with the EIC.
- The bank's RAB policies to determine if they are comprehensive and that management is cognizant of the risks involved in such activities.
- Management's due diligence practices to determine whether this early line of defense against problematic relationships is effective.
- Staffing and resources to assess if the level is sufficient and qualifications are acceptable.
- The contract between the bank and the partner to determine if it is comprehensive and sufficiently limits the level of the risk that the bank assumes.
- Management's practices for testing and ensuring compliance with the contract to determine if emerging problems with the partner are promptly identified, thus allowing contract termination to be evoked timely when warranted.
- The marketing materials used for the program, including whether bank management exercises appropriate approval authority over such materials.
- The audit program to determine if it sufficiently encompasses issuing RAB activities.
- Deposit, contingency reserve, or other risk-mitigating funds/assets to determine if they are adequate, appropriately monitored, and readily available.
- Pricing structure and profitability data to assess whether fees received adequately compensate the bank and to identify any instances where portfolios might be unprofitable and, thus, appear to pose risk to both the partner and the bank.
- Contingency plans for thoroughness and reasonableness.
- Compliance with the AMG as well as any other applicable laws, regulations, or guidance.
In some cases, examiners should sample the partner's underwriting and other practices to compare them to established policies, laws, regulatory guidance, and other applicable devices. The use of or level of these types of review can be influenced by whether or not bank management is effectively reviewing and auditing such areas. If bank management is not properly reviewing the various areas, including underwriting and collections, then examination procedures will generally include expanded testing and review of the portfolio. Testing and portfolio review will also likely be expanded when higher-risk lending, such as subprime lending, or higher-risk partners are evident.
The following items might signal current or future elevated risk and warrant follow-up:
- Lack of appropriate RAB policies.
- Failure to appropriately monitor collateral protection, such as deposit and contingency reserve balances or other risk-mitigating devices.
- Unprofitable RAB operations.
- Unprofitable portfolios.
- Lawsuits or other complaints brought by cardholders.
- Compliance issues.
- Weak due diligence practices.
- Failure to properly monitor the partner's compliance with financial covenants and performance parameters.
- Failure to properly monitor performance of the portfolio.
- Failure to meet settlement requirements.
- Failure of the partner to provide open and timely communication with management.
- Weak understanding of the partner's activities and operations.
- Unfavorable correspondence from or to the Associations.
These lists are not exhaustive, and examiners must exercise discretion in determining the expanse and depth of review procedures to apply. If examiners identify significant concerns, they should expand procedures accordingly. In addition, examiners may limit the review as appropriate.
- 8
As mentioned in an earlier chapter, an ICA is a number assigned by MasterCard and is similar to a BIN that is issued by Visa. ICAs and BINs are collectively referred to as BINs in this manual. This chapter references arrangements involving the Associations; but, similar arrangements may be encountered with other networks going forward, particularly now that Discover and American Express are expanding their bankcard markets.
- 9
Settlement is the term used to refer to the exchange of the actual funds for the cardholder transactions and associated fees. The issuers normally remit funds, through the Associations, to the acquirer, and the acquirer pays the individual merchants. Settlement is discussed in the Merchant Processing chapter.
- 10
The fees cited here are for example purposes only and should not be construed to be typical or endorsed pricing.