Presentation on theme: "A Point of View on Bank Secrecy Act/AML Issues for Mobile Payments"— Presentation transcript:
1 A Point of View on Bank Secrecy Act/AML Issues for Mobile Payments
  Law Seminars International
  Mobile Payment Systems
  September 9-10, 2013
  Andrew J. Lorentz, Partner
  Washington, D.C. Office
2 Agenda
  Perspective
  Key issues and challenges
  Enforcement and regulatory trends
  Thanks. Great to be here. 13th floor, 13th Street, at 13:30. Anybody notice? Why not Friday? It’s a thirteen this week…
  Started professional life in the intelligence business – 8 years in military and law enforcement intelligence
  Views here shaped by over 5 years launching mobile payment solutions with clients – mostly not successful – or watching them shy away
3 Bank Secrecy Act; FDIC Deposit Insurance; Anti-Money Laundering Compliance; Data breach/security; State Privacy and Security Statutes; OFAC; Truth in Savings Act; Truth in Lending Act / Reg Z; Truth in Billing; Electronic Fund Transfer Act / Regulation E; OFAC; Reg D; State Money Transmitter Laws; Unfair, Deceptive or Abusive Acts and Practices Laws; Gift card; Card brand rules; Durbin Amendment
  Bank Secrecy Act/AML are only ONE PART of the maze – you have two days on these issues - apologies to the telecoms lawyers for the bank lawyer bias obvious in this chart
  Identity-Theft Red Flags; Regulation DD; Regulation II; Reg CC; Regulation B; Check 21; Gramm-Leach-Bliley Act; E-SIGN Act; TISA/Reg DD; Fair Credit Reporting Act; Escheat; Business of banking / Deposit-Taking
4 Bank Secrecy Act/Anti-Money Laundering*
  Intent of the BSA/AML laws is to abate money laundering
  Major Provisions
  3 R’s: Registration, Record-Keeping and Reporting
  Requires Anti-Money Laundering (“AML”) programs – the “Four Pillars”
  Criminalizes money laundering
  *(Lots) more (real) information on Paymentlawadvisor.com
  Ignoring state requirements – sometimes included in state MTLs, seem often to parallel Fed BSA rqmts – see David’s presentation on MTL
  The “Four Pillars” of AML Compliance
  Internal Controls: policies, procedures and controls reasonably designed to assure compliance
  Designated compliance officer
  Ongoing employee training program
  Independent Review - audit function to monitor and test programs
5 Bank Secrecy Act/Anti-Money Laundering
  Applies to “financial institutions”
  Types most relevant to mobile:
  Banks and other depository institutions
  Money Service Businesses (“MSBs”)
  AML criminal prohibitions apply more broadly
  MSB – characterization questions can be hard – are you one or not?
  Federal definitions narrower than state MTLs – Federal has narrower BSA/AML-only focus
6 BSA Compliance Summary
  Depository Institutions; Money Transmitters; Agents of Money Transmitters*; Providers of Prepaid Access; Sellers of Prepaid Access
  Registration X; Records; Reports; SARs; CTRs; CMIRs; Others; AML Program
  These are the types of BSA entities we typically see in mobile payments solutions
  Other than depositories, all are sub-types of “Money Services Businesses” (“MSBs”)
  BIG EXCEPTION: Carrier billing and carrier billing aggregators generally not caught – see David’s presentation on sweep of MTLs though
  * Principals and agents may allocate responsibility but both are responsible for compliance.
7 PERSPECTIVE
  Disproportionate impact
  Risk-based – except for getting customers?
  Where roles unsettled – a game of compliance hot potato
  On small $ payments -- only one legal regime among many – single focus regulators and compliance, hits innovation hardest
  High stakes reputationally, criminal, conduct restrictions intrusive
  Disproportionate to risks and return on investments in these controls ($450K to finance 9/11 attack – from 9/11 Commission Report)
  Compare to the real money laundering messes – see below
  Risk based but with prescriptive parts – impact on customer acquisition
  Compliance is pushed around among players – everybody hunkers down and doubles down – perversion of a risk-based regime that confuses picture further – why FinCEN was so concerned in the prepaid access rule to define the “provider of prepaid access” as the principal conduit of info to law enforcement
  Amusing – I thought every U.S. company with data worth having was a conduit of info to the USG now?
8 PERSPECTIVE
  Mobile Potential
  Physical retail outlets of carriers
  Pre-existing customer relationships
  More and better data (geo-location)
  Handset for authentication (“something you have”)
  Tremendous promise of mobile to be less prone to abuse, add security to the system – here’s why
9 New Approaches
  Verification by carrier customer accounts
  Payfone’s “Mobile Authentication” leverages customer’s existing relationship with mobile carriers.
  Examples of aggregators exploiting that potential
10 New Approaches
  Prepaid accounts with mobile carriers
  Boku mobile carrier billing leverages SMS authentication for payments
11 Customer Acquisition
  Often both bank and MSB customer verification obligations triggered
  Banks cannot formally rely on non-banks for CIP
12 Customer Acquisition Verification Requirements
  Depository institution
    Must obtain identifying information when…: “Formal banking relationship established to provide or engage in services….”
    What information? Customer Identification Program (“CIP”) (name, address, ID #, DOB)
  Money Transmitter
    AML policy must provide for… “Verifying customer identification”
  Notice the money transmitter is the only type that remains “risk-based”
  Obligation to obtain this info creates friction in establishing accounts – no
13 Customer Acquisition Verification Requirements
  Provider of Prepaid Access
    Must obtain identifying information when…: A “person” “obtains prepaid access under a prepaid program” [even closed loop if > $2,000 per “vehicle or device” per day]
    What information? Name, address, ID #, DOB (same as CIP)
  Seller of Prepaid Access
    Must obtain identifying information when…: A “person” “obtains prepaid access under a prepaid program,” or
    A “person” “obtains prepaid access to funds that exceed $10,000 during any one day”
14 EFFECTS
  Mobile environment is challenging for customer acquisition and verification
  Small form factor may introduce an inefficient or awkward registration process
  Interface may not be optimized for mobile
  Increased risk of abandoned accounts
  Disputes over ownership/use of customer information in new ecosystem
  Already hard – BSA makes it harder
  Info accessed, collected, etc. – tension between privacy, data rights and usage, and these ID verification obligations
  In ecosystem/deals, parties can find common ground in fraud control –
15 EFFECTS
  (Most) mobile payments solutions fit into defined boxes
  Prepaid, credit, debit
  Merchant aggregation
  Bewilderment as to who does what
  Overkill: Everybody is an MSB or acts like one
  Where does mobile carrier billing fit?
  Unpack solutions and you find very traditional stuff
  Flow of money into the solutions has not leveraged the huge carrier retail footprint – stuck with MTL and bank account inputs
  Dressing up aggregation of sub-merchants – reaching more merchants important but not revolutionary (watch underwriting!)
  Some new stuff:
  Money transmitter at POS (PayPal with Discover)
  Expansion of carrier billing(?)
  But mostly just better interfaces, reporting, simpler POS experience for buyers and merchants
16 Enforcement and regulatory trends
  First Bank of Delaware (Nov. 2012)
  FDIC, FinCEN, DoJ, $15MM civil money penalty, “death penalty” (terminated FDIC insurance, revoked charter)
  Activities at issue were those of third party payment processor customers of bank
  Bank failed to monitor and control RCC and ACH returns
  Return rates total of 60%, unauthorized over 5 and 8% (NACHA guideline is 1% for shutdown, average for 2010 was .03%)
17 Enforcement and regulatory trends
  Lessons
  Duty to police customer and activities of customer
  Customer’s customer… and so on
  Enforcement squeeze at bank level ripples down the compliance chain, to MSB customers of banks and beyond
  First Delaware part of a major enforcement sweep targeting payment processors and their banks
  Risks to banks and their officers (FIRREA liability)
  What we are seeing:
  Captive TPPPs/TPPPs that have same ownership as bad acting merchants
  e.g. foreclosure and debt relief scams
18 Enforcement and regulatory trends
  FinCEN ANPRM on customer due diligence (CDD) (Mar. 5, 2012)
  Intended to “codify, clarify, consolidate, and strengthen existing CDD regulatory requirements and supervisory expectations, and establish a categorical requirement for financial institutions to identify beneficial ownership of their accountholders”
  Banks plus others covered – but not MSBs at this time
  So much for a risk-based regime?
  Bank risk committees
  Parallel development on regulatory side:
  Four parts to proposed rule:
  ID and verify (risk based verification) [FIRST DELAWARE]
  Understand nature of the account [FIRST DELAWARE]
  NEW!!! ID beneficial owners
  Monitor [FIRST DELAWARE]
  Common dilemma: how to file a SAR with no customer information?
19 Enforcement and regulatory trends
  HSBC Holdings (Dec. 2012)
  “HSBC is being held accountable for stunning failures of oversight – and worse – that led the bank to permit narcotics traffickers and others to launder hundreds of millions of dollars through HSBC subsidiaries…The level of dysfunction at HSBC for many years was astonishing.”
  $1.921 billion in forfeiture and fines – largest BSA penalty ever
  Changes to management, systems
  Must submit to ongoing monitoring
20 Enforcement and regulatory trends
  Remind me why mobile payments are so risky?
21 Enforcement and regulatory trends
  Liberty Reserve (May 2013)
  Digital currency company that facilitated money laundering
  Did no verification of its customers
  Allowed account to account transfers; funding and cash out only through “exchangers” added more anonymity
  17 country takedown – “largest ever”
  Avowedly “illegal” activity
  200,000 U.S. users
  55 million transactions
  Laundered $6 billion
  “Exchangers” were generally unlicensed money transmitters in Russia, Nigeria, Malaysia, and Vietnam
22 Enforcement and regulatory trends
  Lessons
  Srsly?*
  Don’t be a crook
  Don’t be an idiot – this activity was not in the regulatory grey zone
  *“Bitcoin” and “srsly” were both added to the Oxford Dictionaries Online on Aug. 28, Coincidence?
23 Enforcement and regulatory trends
  FinCEN Virtual Currency Guidance (March 2013)
  “Exchangers” and “administrators” of “convertible virtual currency” are money transmitters
  “Virtual currency” is a medium of exchange that operates like currency in some environments, but does not have all the attributes of real currency
  “Convertible virtual currency” has an equivalent value in real currency, or acts as a substitute for real currency
  Bitcoin
  SecondLife
  Per FinCEN, “prepaid” is access to “funds or the value of funds” and hence something cannot be both “virtual currency” and “prepaid access”
  Encourage self-serving distinctions: monkey with “exchange” rate – is that enough?
  Prefer to consider SUBSTANCE rather than window dressing