Legal and Regulatory Track

Payments: Getting and Maintaining a Bank Relationship

Moderator: Jennifer Galloway, Jennifer Galloway, PA

Panelists:

Kirk Chewning, Strategic Link Consulting

Mark Murphy, Sandberg Phoenix & von Gontard PC

Rick Eckman, Pepper Hamilton

Blake Sims, Hudson Cook

Upload: jayde-reynard

Post on 14-Dec-2015


Outline

• OLA Payments best practices

• ACH processing in the current environment

• Payments compliance and alternatives

OLA Payment Best Practices & Reporting

Presented By: Kirk Chewning

1. Lenders, processors and their agents shall develop and maintain timely postings of returns information.

2.Lenders shall provide consumers an alternative to ACH debiting. These alternatives shall be provided both when the customer is current and in collection stages.  Such alternatives may include paper check, debit card, money order, or other means. 

3. All customers must have the right to rescind the loan and the ACH authorization within one (1) business day of the loan approval so long as the customer returns the funds within 24 hours of the rescission

4. Lenders will follow all NACHA presentment rules – one original presentment plus only two re-presentments on each original payment.

OLA Best Practices

5. Lenders will not process multiple ACH debit attempts to an individual loan on the same effective date (No ACH Split Payments) unless expressly authorized by (expressly requested by) the customer

6. Lenders shall charge only one NSF fee per original loan payment

7. All authorizations for recurring debits shall be secured in accordance with NACHA rules, the Electronic Funds Transfer Act and Regulation E. This shall include securing authorization for recurring debits in writing and signed or similarly authenticated by the consumer:

1. Authorization can be electronic

2. Authorization must be retained and a copy provided to borrower

3. Must include the five essential elements defined by NACHA rules

8. Lenders shall transfer PII data using TPS and TPP security protocols to ensure no inappropriate passing of data. 

OLA Best Practices (Continued)

9. All parties will comply with the new NACHA Rule 2.3.4 which requires the ODFI to ensure that originators and third-party senders do not share account/routing numbers for the purpose of initiating debit entries that are not covered by the original authorization

10. Lenders shall not ACH debit a consumer unless they have a valid authorization with the proper ABA and account information. Lenders shall not use new bank account information that the merchant sourced from the marketplace on the consumer, or in other words, Lenders shall only debit consumers for the account listed on the valid authorization.

11. Lenders shall not use RCCs and RCPOs in their normal course of business unless formally requested and proper consumer authorization has been secured.

12. Lenders shall provide their payment processors and the sponsoring ODFI signed payment authorizations for all R10’s and R29’s returns within 24 hours of the request for such documentation.

OLA Best Practices (Continued)

13. Lenders shall provide Proof of Authorizations to be delivered to TPP within 24 business hours of the request.

14. Lenders shall maintain all Proof of Authorization for all unauthorized transactions in a segregated manner, and it shall be delivered to TPP within 4 business hours, upon request.

OLA Best Practices (Continued)

RETURNS TESTS

General Guidance

Any merchant’s (lender’s) third party processor has the ultimate responsibility and authority to establish, monitor and adjudicate the rate of returns of all types and codes. The processor is the gateway to the ODFI bank partner and obligated to comply not only with federal regulatory standards but those established by NACHA. Notwithstanding this ultimate authority, both merchants (lenders) and processors are well advised to closely jointly monitor return rates of all types on a constant and continual basis. In the event a merchant’s processor or bank does not frequently, proactively provide return code analysis by ABA, merchants (lenders) should ask their processor to do so on a monthly basis, and to review those data with recommendations to control return rates under levels acceptable to NACHA.

Testing

Lenders/Merchants shall at a minimum test their portfolios monthly to generate the results of the previous month using the following tests on the next few pages. In the event that any merchant is out of the best practice realm they should work closely with their processor(s) and internal staff to correct lack of compliance swiftly. Regulators, Processors and other payment experts recommend daily and weekly review of these thresholds. They feel that not only will it make the relationship better with processors and ODFI but also make the product better for consumers and in some cases reduce default and fraud.

OLA Best Practices Return Testing

Test 1: Best Practice #15 - The total count of all returns (all codes) shall not be greater than 30% of total debits processed as computed by the effective dates of the corresponding debits.

Test 2: Best Practice #16 – The total count of all NSF Returns (R01 & R09) shall not be greater than 25% of total debits processed as computed by the effective dates of the corresponding debits.

Test 3: Best Practices #17 – Lenders shall have an administration return code less than or equal to 4.0% of total debits processed as computed by the effective dates of the corresponding debits. Admin <= 4% (R02, R03, R04)

Test 4: Best Practice #18 - All R05, R07, R10, R29, and R51s (negative chargeback returns) shall not be greater than 0.5% of total debits processed as computed by the effective dates of the corresponding debits. (It is understood that NACHA’s current requirement is 1.0% or less.)

Test 5: Best Practices #19 – Lenders shall have a corrections (C Codes) of less than or equal to 0.40% of total debits processed as computed by the effective dates of the corresponding debits. Corrections <= 0.40% (any C code).

Return Test Rules

OLA Best Practices Return Testing

Test 6: Best Practice #20 - The total of all R01 and R09 (insufficient fund returns) shall be greater than 75% of the total returns for the merchant as computed by the effective dates of the corresponding debits.

Test 7: Best Practice #21 - Lenders shall review individual ABA numbers which have an extremely high return percentage of the total transactions processed during any given thirty day period. For any ABA numbers that represent greater than 1.5X the merchant's average return % (ABA returns vs. ABA debits) and if the merchant submitted more than 15 returns per month with the said ABA then Lenders will take the following measures:

a) Closely evaluate the applicant pre-approval, risk management and underwriting means and methods being used in comparison to the industry best practices and the state of the art methods available from third party providers of consumer data, and promptly institute such improved measures.

b) Discuss with the processor recommendations for controlling returns.

c) In the event return rates do not fall into line with industry practices and NACHA guidelines, the lender is advised to cease funding loans from any such ABA.

Test 8: Best Practice #22 - Lenders shall review and promptly modify their approval and risk management practices for any individual ABA numbers for which more than 15 returns have been processed during the prior calendar month in order to ensure no single ABA number represents negative chargeback returns greater than 1.5% of total debits for said ABA as computed by the effective dates of the corresponding debits.
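The eight return tests above, worked through as an added example that is not part of the original presentation. The record layout (one dict per debit with "aba", "effective" and "code"), the choice to count C codes as corrections rather than returns, and the placeholder ABA numbers are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import date

NSF = {"R01", "R09"}
ADMIN = {"R02", "R03", "R04"}
NCB = {"R05", "R07", "R10", "R29", "R51"}  # "negative chargeback" codes
MIN_ABA_RETURNS = 15                        # Tests 7 and 8: "more than 15 returns"


def tally(debits):
    """Count debits, returns by class, and corrections for a list of debit records."""
    c = defaultdict(int)
    for d in debits:
        c["debits"] += 1
        code = d["code"]
        if code is None:                    # debit settled, nothing came back
            continue
        if code.startswith("C"):            # assumption: corrections are not returns
            c["corrections"] += 1
            continue
        c["returns"] += 1
        c["nsf"] += code in NSF
        c["admin"] += code in ADMIN
        c["ncb"] += code in NCB
    return c


def run_tests(debits, start, end):
    """Apply Tests 1-8 to debits whose *effective date* falls in [start, end]."""
    period = [d for d in debits if start <= d["effective"] <= end]
    t = tally(period)
    n = t["debits"]
    if n == 0:
        return {"debits": 0, "portfolio": {}, "test7": [], "test8": []}
    avg = t["returns"] / n
    # With no returns at all there is no NSF share to measure; treat Test 6 as met.
    nsf_share = t["nsf"] / t["returns"] if t["returns"] else 1.0
    portfolio = {  # test number -> (measured rate, passed)
        1: (avg, avg <= 0.30),
        2: (t["nsf"] / n, t["nsf"] / n <= 0.25),
        3: (t["admin"] / n, t["admin"] / n <= 0.04),
        4: (t["ncb"] / n, t["ncb"] / n <= 0.005),
        5: (t["corrections"] / n, t["corrections"] / n <= 0.004),
        6: (nsf_share, nsf_share > 0.75),
    }
    by_aba = defaultdict(list)
    for d in period:
        by_aba[d["aba"]].append(d)
    test7, test8 = [], []                   # ABAs needing review under Tests 7 and 8
    for aba, rows in sorted(by_aba.items()):
        c = tally(rows)
        if c["returns"] <= MIN_ABA_RETURNS:
            continue
        if c["returns"] / c["debits"] > 1.5 * avg:
            test7.append(aba)
        if c["ncb"] / c["debits"] > 0.015:
            test8.append(aba)
    return {"debits": n, "portfolio": portfolio, "test7": test7, "test8": test8}


def sample_debits():
    """Constructed data: three placeholder ABAs plus one out-of-period debit."""
    rows = []

    def add(aba, n, returns, eff=date(2013, 9, 16)):
        codes = [code for code, k in returns.items() for _ in range(k)]
        codes += [None] * (n - len(codes))
        rows.extend({"aba": aba, "effective": eff, "code": c} for c in codes)

    add("000000001", 600, {"R01": 60, "R09": 10, "R02": 5})
    add("000000002", 300, {"R01": 20, "R03": 2, "C01": 1})
    add("000000003", 100, {"R01": 30, "R09": 5, "R10": 3})
    add("000000003", 1, {"R10": 1}, eff=date(2013, 8, 30))  # August debit, excluded
    return rows


if __name__ == "__main__":
    print(run_tests(sample_debits(), date(2013, 9, 1), date(2013, 9, 30)))
```

The portfolio passes Tests 1 to 6, yet the third ABA is still singled out by Tests 7 and 8, which is the case the per-ABA tests exist to catch.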

OLA Best Practices Return Testing

ACH Portfolio Test Report

September 1, 2013 - September 30, 2013

Test 1: Best Practice #15

The total count of all returns (all codes) shall not be greater than 30% of total debits processed as computed by the effective dates of the corresponding debits.

Test Results:

MERCHANT       DEBITS    RETURNS   RETURNS_VS_DEBITS
ABC Company    75,056    9,728     13.0%
XYZ Company    76,808    10,644    13.9%
TOTAL          151,863   20,372    13.4%

Test 2: Best Practice #16

The total count of all NSF Returns (R01 & R09) shall not be greater than 25% of total debits processed as computed by the effective dates of the corresponding debits.

Test Results:

MERCHANT       DEBITS    RETURNS   RETURNS_VS_DEBITS
ABC Company    75,056    8,085     10.8%
XYZ Company    76,808    8,683     11.3%
TOTAL          151,863   16,767    11.0%

Merchant Reporting Example - Return Testing

ACH Portfolio Test Report

September 1, 2013 - September 30, 2013

Test 3: Best Practice #17

Lenders shall have an administration return code less than or equal to 4.0% of total debits processed as computed by the effective dates of the corresponding debits. Admin <= 4% (R02, R03, R04)

Test Results:

MERCHANT       DEBITS    ADMIN   R02     R03   R04   ADMIN_VS_DEBITS
ABC Company    75,056    777     703     64    10    1.04%
XYZ Company    76,808    997     887     96    14    1.30%
TOTAL          151,863   1,775   1,590   160   25    1.17%

Merchant Reporting Example - Return Testing

Test 4: Best Practice #18

All R05, R07, R10, R29, and R51s (negative chargeback returns) shall not be greater than 0.5% of total debits processed as computed by the effective dates of the corresponding debits. (It is understood that NACHA’s current requirement is 1.0% or less.)

Test Results:

MERCHANT       DEBITS    NCB   R05   R07    R10    R29   R51   NCB_VS_DEBITS
ABC Company    75,056    85    0     39     45.5   0     0     0.113%
XYZ Company    76,808    75    0     31.2   44.2   0     0     0.098%
TOTAL          151,863   160   0     70.2   89.7   0     0     0.105%

Test 5: Best Practice #19

Lenders shall have a corrections (C Codes) of less than or equal to 0.40% of total debits processed as computed by the effective dates of the corresponding debits. Corrections <= 0.40% (any C code).

Results: No Correction codes found

Merchant Reporting Example - Return Testing

Test 6: Best Practice #20

The total of all R01 and R09 (insufficient fund returns) shall be greater than 75% of the total returns for the merchant as computed by the effective dates of the corresponding debits.

Test Results:

MERCHANT       RETURNS   NSF      NSF_VS_RETURNS
ABC Company    9,728     8,085    83.1%
XYZ Company    10,644    8,683    81.6%
TOTAL          20,372    16,767   82.3%

Merchant Reporting Example - Return Testing

Test 7: Best Practice #21

Lenders shall review individual ABA numbers which have an extremely high return percentage of the total transactions processed during any given thirty day period. For any ABA numbers that represent greater than 1.5X the merchant's average return % (ABA returns vs. ABA debits) and if the merchant submitted more than 15 returns per month with the said ABA then Lenders will take the following measures:

* Closely evaluate the applicant pre-approval, risk management and underwriting means and methods being used in comparison to the industry best practices and the state of the art methods available from third party providers of consumer data, and promptly institute such improved measures.

* Discuss with the processor recommendations for controlling returns.

* In the event return rates do not fall into line with industry practices and NACHA guidelines, the lender is advised to cease funding loans from any such ABA.

Test Results:

MERCHANT       ABA   DEBITS    RETURNS   RETURNS_VS_DEBITS   MERCH_AVE_X_150
ABC Company          75,056    9,728     13.0%               19.4%
XYZ Company          76,808    10,644    13.9%               20.8%
TOTAL                151,863   20,372    13.4%               20.1%

ABA with 15 or more Returns for Test 7

MERCHANT       ABA         DEBITS   RETURNS   RETURNS_VS_DEBITS   MERCH_AVE_X_150
ABC Company    314074269   796      205       25.8%               22.4%
ABC Company    226078036   613      178       29.0%               22.4%
ABC Company    256074974   412      93        22.6%               22.4%

Merchant Reporting Example - Return Testing

Test 8: Best Practice #22

Lenders shall review and promptly modify their approval and risk management practices for any individual ABA numbers for which more than 15 returns have been processed during the prior calendar month in order to ensure no single ABA number represents negative chargeback returns greater than 1.5% of total debits for said ABA as computed by the effective dates of the corresponding debits.

MERCHANT       ABA         DEBITS   RETURNS   NCB   NCB_VS_DEBITS
ABC Company    123556667   498      107       11    2.2%
XYZ Company    344445556   256      46        4     1.6%
Total                      754      153       15    1.99%

ABA with 15 or more Returns for Test 8 - Lenders shall review and promptly modify their approval and risk management practices for any individual ABA numbers for which more than 15 returns have been processed during the prior calendar month in order to ensure no single ABA number represents negative chargeback returns greater than 1.5% of total debits for said ABA as computed by the effective dates of the corresponding debits.

MERCHANT       ABA         DEBITS   RETURNS   NCB   NCB_VS_DEBITS
ABC Company    253177049   304      62        7     2.3%
ABC Company    063104668   149      26        3     2.0%
ABC Company    021001088   107      20        2     1.9%

Merchant Reporting Example - Return Testing

Questions?

Thank you

OLA Best Practices:

Payments A Closer Look

Presented by: Mark Murphy

Timely Postings

•Policies must prevent delay and/or incorrect application of payments.

•Payments must be posted upon receipt.

Payment Options

•The alternative must be provided when customer is current or in collection.

•Lenders must provide an alternative to ACH debiting.

•Alternatives may include: paper check, debit card, money order or other means.

Electronic Payment Authorization

•One Time Debits: Notice of amount and date required. Notice in loan agreement is sufficient.

•Recurring Debits: Written authorization required, containing amount or range of amounts, and dates. Paper or electronic form acceptable. Retain copy and give copy to consumer.

•Unauthorized Debits: Lenders and processors must ensure any unauthorized debit is quickly identified and reversed.

Reporting

Our best fraud prevention tool: Reporting of current and prior loan activity that is Timely, Accurate and Complete.

•Report within 30 days after furnishing the negative information to the CRA.

•Furnisher has a duty to correct the information and thereafter furnish only complete and accurate information.

•Furnisher must reinvestigate, and must complete the investigation within 30 days.

•Furnisher must notify any CRA to which it furnished inaccurate information and provide any information necessary to correct

Repayment Options

•The Consumer must be made aware of repayment options at the time they enter into the Loan.

•When a Lender learns that a Consumer is unable to repay at original terms, Members should offer repayment plans that provide flexibility based on Consumer’s circumstances.

Returns

•High rate of returns indicates failures in processes for obtaining proper authorizations, or may indicate incidents of fraud.

•Depository institutions may take action to close a Lender’s account due to high rate of returns, harming the Lender’s relationship with the depository institution and ability to process payments.

•Returns occur when a Consumer believes a debit is unauthorized and asks for the debit to be reversed.

Identifying and Dealing with Returns

•Stop processing any debits or credits for accounts when ACH Negative Return Codes appear. ACH Negative Return Code processing: R2, R3, R4, R5, R7, R8, R10, R16, R20, R29.

•For all R10 and R29 (Chargeback where customer flags as unauthorized):

• Show ACH processor authentication and authorization documents, and

• Ensure no additional transactions are completed on the account.

•Block any ABA number/bank with an extremely high return percentage, which in general is 30% or more of total debits. Only exception: Consumer proves that ABA or DDA at the ABA is a valid account, allow debits for only that situation.

Third-Party Payment Processors & Compliance

Richard P. Eckman

Partner, Pepper Hamilton LLP

Third-Party Payment Processors

• TPPPs: What are they?

• A deposit customer that uses its banking relationship to process payments for merchant clients

• Merchant Clients

• Legitimate?

• High Risk

• Illegal

Warning Signs/Red Flags

• Consumer complaints (i.e., unauthorized, misrepresented, merchant strong-armed consumer into providing account information)

• High rates of unauthorized returns/charge backs

• TPPPs have been targeting problem institutions with the promise of income and capital

• TPPP likely to use more than one financial institution to process payments, and activity may periodically move among institutions

Enhanced Due Diligence

• Policies and procedures

• Know your TPPPs’ customers

• Develop a processor approval program that extends beyond credit risk management

• Perform background checks on TPPPs and merchant clients

• Authenticate the TPPP's business operations and assess the risk level

Enhanced Due Diligence (cont.)

• Review promotional materials, including websites, to determine target clientele

• Identify processors’ major customers

• Review corporate documentation

• Visit business operations center

• Review information of merchant clients; the principal business activity; geographic location; and sales techniques

Ongoing Monitoring Systems

• Monitoring high rates of return

• Setting return rate thresholds

• Setting transaction volume limits

• Auditing third-party processors’ programs

• Monitoring reserve adequacy

• Monitoring consumer complaints about merchant clients on internet blogs and industry databases

• Developing contract language addressing access to records, conditions requiring account closing, and reserve adequacy

Potential Supervisory Responses

• May require the bank to terminate the relationship with the high-risk TPP

• Informal enforcement actions

• Formal enforcement actions

• Civil money penalties

• Section 5 of the FTC Act

Unfair or Deceptive Practices?

• A bank may be viewed as facilitating a TPPP’s or a merchant’s fraudulent or unlawful activity

• Section 5(a) of the FTC Act prohibits “unfair or deceptive acts or practices affecting commerce” and applies to all persons engaged in commerce, including banks

• Authority under Section 8 of the FDI Act to take appropriate action when unfair or deceptive acts or practices are uncovered

Examining Guidance

• Verify the bank’s due diligence and underwriting

• Review the bank’s controls, policies and procedures for high-risk accounts

• If you find suspicious activity:

• Gather information to support your findings

• Escalate findings to your superiors

• Communicate to the bank the seriousness of potentially facilitating consumer fraud

• Encourage the bank to file a SAR and to contact law enforcement

Red Flags

• High return rates

• Merchants selling questionable products and services

• 100% refund policy

• Prior civil, criminal and regulatory actions against processor or its principals

• Consumer and other bank complaints

• Inquiries from law enforcement

A Simple Proposition

• Mass-market scammers need access to payment systems (RCCs, ACH, CC) to take consumers’ money. Without bank access there are no unauthorized withdrawals.

• Banks are stationary (no “whack-a-mole”), regulated and are concerned about reputational risk.

• Banks already are required to have systems in place to prevent criminals from accessing the banking system.

• Cutting off the scammers’ access to the payment systems is relatively efficient and fast, and protects consumers prospectively as we investigate.

Important Steps Forward

• Guidance to banks from FDIC, OCC and FinCEN

• United States v. First Bank of Delaware

• Financial Fraud Enforcement Task Force/Consumer Protection Branch efforts to choke off fraudsters’ access to payment systems (DOJ, FTC, FDIC-OIG, USPIS, FBI and others)

• May 21, 2013: FTC Notice of Proposed Rulemaking would ban the use of RCCs in connection with telemarketing

Operation Choke Point, So Far

• More than 50 subpoenas issued to banks and TPPPs

• Several active and criminal investigations

• Banks are self-disclosing problematic TPPP relationships

• Banks are terminating TPPP relationships and scrutinizing scammer relationships

• Internet payday lending – collateral benefits

• Investigative support from USPIS, FBI, SIGTARP, USSS

Regulatory Loophole

• Treasury Department regulation amended in 2011 arguably excludes TPPPs from the definition of “money transmitter” and thus is not a Money Services Business (MSB)

• A payment processor that originates tens of millions of dollars of debit transactions against consumer bank accounts on behalf of Internet and telemarketing merchants may not be an MSB and may not be required to register with FinCEN or comply with the BSA

Payment Alternatives

H. Blake Sims

Hudson Cook, LLP

Payment Alternatives

• Cards (debit, credit, prepaid)

• Check

• Remotely-created check (RCC)

• Electronic Payment Order (EPO)

• Revocable Wage Assignment

• Others: Direct Carrier Billing, Mobile Wallets

Payment Alternatives - Cards

• Credit/debit/prepaid cards

• Card company rules and PCI compliance

• Truncation (no more than the last 5 digits of a card number)

• Debit card payments are covered by Reg. E (cannot condition the extension of credit)

• Must run as a credit transaction for recurring payment because cannot hold PIN

Payment Alternatives – Debit Cards

• Single-initiated TEL entries 

• Either record explicit oral authorization or provide, in advance of debit, written notice that confirms the oral authorization.

• Recurring TEL entries

• Must record explicit oral authorization and provide a written copy of the authorization.

Payment Alternatives – Debit Cards

Both Single/Recurring entries

• The authorization must be readily identifiable as an authorization and must have clear and readily understandable terms.

• Certain required minimum information must be included as part of the authorization (recommend scripts). 

• Written notice confirming oral authorization must include, at a minimum, the pieces of information required to be included during the telephone call. Should disclose the method by which written notice will be provided if this option is used.

• You must clearly state during the telephone conversation that the consumer is authorizing a debit entry to his account. The customer must explicitly express consent. Silence is not express consent.

Payment Alternatives – Debit Cards

• EFTA penalties

• Actual Damages

• Statutory damages

• Individual action up to $1,000;

• Class action up to $1,000 for each plaintiff, and $500,000 or 1% of net worth, whichever is less

• Attorney fees

• Court costs

• Class actions

• Possibly punitive damages under state law

Payment Alternatives - Checks

• Articles 3 & 4 of the UCC and Reg. CC

• Electronic Check Clearing House Organization (ECCHO) – www.eccho.org

• Personal Checks (manual deposit, Check 21, BOC)

• Remotely-Created Checks (RCC)

• Telemarketing Sales Rule

• Requires authorization and printing of check

• Cannot BOC

• Reg. CC shifted bank warranties to depositor’s bank

Payment Alternatives - Checks

• Electronic Payment Order (EPO)

• aka remotely-created electronic payment, e-check, or remotely-created payment order

• Requires authorization but no check printed

• Legal framework uncertain – do we apply check laws or EFTA?

• Reg. CC – not addressed

• Federal Reserve Operating Circular 3 – requires paper check; not eligible for check imaging, and Fed has no liability

• ECCHO Rules – not an “item” under rules

• May be deemed an EFT – CFPB interprets Reg. E

• Federal Reserve has created a working group to study

Payment Alternatives – Wage Assignment

• FTC Credit Practices Rule - 16 CFR part 444. 

• Allowed if revocable “at will”

• Wage assignment should be clearly and conspicuously disclosed

• Wage assignment should NOT insinuate it is a garnishment

• Likely to draw close scrutiny from regulators

• OLA “Best Practices”

• State laws vary

Payment Alternatives – Others

• Direct Carrier Billing – consumers make a purchase and have the charge appear on a monthly wireless phone bill or deducted from their prepaid balance.

• Ex. BillToMobile, etc.

• FTC rules on “cramming”

• Mobile Wallets – singular payment application that allows consumers to save and manage a variety of payment methods in one place.

• Consumer payment credentials stored in a cloud-based vault

• Ex. GoogleWallet, etc.

Contact Information

H. Blake Sims

Hudson Cook, LLP

6005 Century Oaks Drive, Suite 500

Chattanooga, TN 37416

423.490.7563 (direct)

[email protected]

Legal Disclaimer

• This presentation is provided with the understanding that the presenters are not rendering legal advice or services.

• Laws are constantly changing, and each federal law, state law, and regulation should be checked by legal counsel for the most current version.

• We make no claims, promises, or guarantees about the accuracy, completeness, or adequacy of the information contained in this presentation.

• Do not act upon this information without seeking the advice of an attorney.

• This outline is intended to be informational. It does not provide legal advice.

• Neither your attendance nor the presenters answering a specific audience member question creates an attorney-client relationship