FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities (Revised July 2014)

Highlights: 

• Financial institutions that provide payment processing services directly or indirectly for merchant customers engaged in higher-risk activities are expected to perform proper risk assessments, conduct due diligence to determine merchant customers are operating in accordance with applicable law, and maintain systems to monitor relationships over time.
• Proper management of relationships with merchant customers engaged in higher-risk activities is essential. Financial institutions need to assure themselves that they are not facilitating fraudulent or other illegal activity. Institutions could be exposed to financial or legal risk should the legality of activities be challenged.
• FDIC's examination focus is on assessing whether financial institutions are adequately overseeing activities and transactions they process and appropriately managing and mitigating risks. Financial institutions that have appropriate systems and controls will not be criticized for providing payment processing services to businesses operating in compliance with applicable law.

Continuation of FIL-43-2013 

Distribution: 
FDIC-Supervised Banks (Commercial and Savings) 

Suggested Routing: 
Board of Directors, Senior Executive Officers, Chief Credit Officer, Chief Information Technology Officer, 
Bank Secrecy Act Officer 

Note: 
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at http://www.fdic.gov/news/financial-institution-letters/2013/index.html . 

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html . 

Paper copies may be obtained via the FDIC's Public Information Center, 3501 Fairfax Drive, E 1002, Arlington, VA 22226 (877-275-3342 or 703 562 2200). 

FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities 
 

The FDIC is issuing this letter to clarify its policy and supervisory approach related to facilitating payment processing 1services directly, or indirectly through a third party, for merchant customers engaged in higher-risk activities. Facilitating payment processing for merchant customers engaged in higher-risk activities can pose risks to financial institutions and requires due diligence and monitoring, as detailed in prior FDIC and interagency guidance and other information. 2Financial institutions that properly manage these relationships and risks are neither prohibited nor discouraged from providing payment processing services to customers operating in compliance with applicable federal and state law. 

The FDIC and other agency guidance indicate that financial institutions that provide payment processing services directly or indirectly for merchants engaged in higher-risk activities are expected to perform proper risk assessments, conduct due diligence sufficient to ascertain that the merchants are operating in accordance with applicable law, and maintain appropriate systems to monitor these relationships over time. The proper management of relationships with merchant customers engaged in higher-risk activities is essential. Financial institutions need to assure themselves that they are not facilitating fraudulent or other illegal activity. Institutions could be exposed to financial or legal risk should the legality of activities be challenged. 

The FDIC is aware that some payment processors or merchants may target institutions that are unfamiliar with the related risks or that lack proper due diligence or controls to manage these risks. Thus financial institutions that engage or plan to engage in these activities should review this guidance. The focus of FDIC examinations is to assess whether financial institutions are adequately overseeing activities and transactions they process and appropriately managing and mitigating related risks. Those that are operating with the appropriate systems and controls will not be criticized for providing payment processing services to businesses operating in compliance with applicable law.