Know Your Customer: Third-Party Payment Processors - Transcript
Executive Fraud Forum
October 30, 2013
Judy Long, executive vice president and chief operating officer
First Citizens National Bank
Blake McDaniel: Hi. I'm Blake McDaniel with the Federal Reserve Bank of Atlanta. We're here at the Executive Fraud Forum with Judy Long, the executive vice president and chief operating officer of First Citizens National Bank.
You have a lot of experience in the risk space, and I want to ask you a few questions, in particular about third-party payment processors and the risk they pose to institutions. So, my first question I want to ask is, how do institutions go about determining their risk tolerance with regards to third-party payments processors, or other risky customers?
Judy Long: Blake, first I would like to preface my answers with, who better to do that than the financial institutions? Financial institutions are highly regulated. Our primary objective through strategic planning and objectives at the bank is safety and soundness. And as a result of that, we should be the underwriters, we should be the institutions that offer these services to processors. Yes, there's high risk within these processors, within some, but the risk tolerance of the bank has to be established through very effective board policies and procedures, and the policies and procedures of the bank will define what the risk appetite of the bank is, they will define who we will do business with, the types of businesses that we will do business with, the types of transactions that we should also process. So effective, board-approved policies and procedures, I think, and effective risk assessments [are] the very first challenge and yet the very first objective of any bank.
McDaniel: So that's really interesting. I think you mentioned a few very key points there, and I want to move into one of those—specifically, the due diligence around third-party payments processors, or risky customers, and what due diligence might be involved when you're looking at those third-party payments processors. So, beyond the policies, what effectively do financial institutions do?
Long: Know your customer! In our bank, or in any financial institution, know your customer is an extremely important guideline in our policy that is set by the financial institution. And within your policies, defining who you will do business with, who you won't do business with, and, as a part of that risk process, understanding not just in...onboarding a customer but then ongoing with that particular customer—continue to have interview processes with the customer, continue to monitor the customer. "Know your customer" is, in any institution, I think, a very effective policy to understand and know and to manage the overall risk of that relationship.
McDaniel: So, you're even looking beyond the third-party payments processors, in some cases to their customers.
Long: Absolutely. You've got to understand third-party processors and who their customers are. You've got to understand the types of processes and transactions that they're processing for customers. I think banks can get into situations that are out of their risk tolerances if they don't understand that business and they don't understand the customers of their customer. And maybe sometimes that's the business that we're in is not only knowing our customer but understanding and knowing their customers, and understanding and knowing the types of transactions they are processing—very critical to the whole process of managing risk.
McDaniel: So you mentioned knowing the transactions that the customers are processing, and I wanted to know what...you feel is an effective way to go about monitoring those transactions?
Long: Monitoring the transactions—it can be through reporting, it can be through the interview process with your customer. Once you onboard a customer, that's just the beginning of the relationship—and I use the word "relationship" because it is about a relationship. It's not about a one-time transaction. It's establishing a relationship with a high-quality customer, understanding that they're high quality, understanding that they meet those risk tolerances, and then it's a continuous, ongoing calling program with your customer. It's continuous monitoring of their transactions in terms of suspicious activity, unauthorized returns, complaints on the customer. So there are guidelines, but we always say within the financial institution world, "They set the guidelines, but the real risk is ours." So how we manage that risk, and how we manage that appropriately based on our risk appetite and the monitoring processes we put in place—it's very much a bank decision, as long as you're within the guidelines. But it needs to be a very closely followed relationship, particularly with high-risk originators.
McDaniel: So you really look at the guidelines, and then you sort of take those and then use your corporate culture to really mold your risk assessment and risk-monitoring practices.
Long: And I'm glad you used the word "corporate culture" because that's true. The corporate culture establishes the morals, the business ethics, that you're defining and doing business in. And when you're doing business with high-risk third-party processors, in the officer call program and in the relationship-building, it's understanding the business ethics, the corporate culture of that business. It's understanding as you're monitoring those transactions, and you begin to see a high rate of unauthorized returns—has something changed? That's a reason to go back out for a visit. And if I'm just doing payroll processing, yes, I've got to monitor, I've got to control. I've got the same procedures—but I don't have as high of a level of interaction between the call-in officer, the credit underwriting, the due diligence process, as I would if—depending on the limits of those files and depending on the relationship with that customer, and depending on the type of business and understanding the core values of the business.
McDaniel: It sounds like financial institutions have a lot on their plate with their high-risk processors.
Long: We have a lot on our plate—new regulation—sometimes we are concerned that we're being more reactive than proactive, but again we have to be proactive. You have to make a determination on the types of businesses that you're going to do business with. Your board has to make a lot of those decisions, based on the recommendation of management what our risk appetites are. So sometimes we have to go out and terminate the relationship...but I think we're the best at that because, again, we are highly regulated, we are safety and soundness as the number one objective. So, you've heard me say often within this interview: know your customer. It is critical. It is the component within a relationship that is extremely important after all the guidelines have been established. That is the basis for the relationship going forward between the bank and the customer. So, I would close, in summary: ...know your customer, know their business, and you'll do an OK job with third-party processors, or any other customer. That credit underwriting process—you would underwrite a third-party processor, you would underwrite a new account in your bank, I mean—there's an underlying process that's extremely important. So, just know your customer.
McDaniel: Well, thank you, Judy.
Long: You're welcome!