The Green Sheet Online Edition

March 11, 2013 • Issue 13:03:01

Legal ease
Should ISOs have an AML policy?

By Adam Atlas
Attorney at Law

For better or for worse, financial services are ever more regulated. Examples of a considerable increase in regulation of bank and nonbank financial services include: an expansion of Bank Secrecy Act (BSA) regulations into prepaid issuing, enforced by the Financial Crimes Enforcement Network (FinCEN); the creation of the Consumer Financial Protection Bureau (CFPB); and state laws concerning escheatment and early termination fees.

Important public policy reasons prompted these new regulations, such as combating terrorism and money laundering, as well as protecting consumers from misleading service providers. The regulations, however, create increased costs of compliance for payment services.

Banks shouldering the burden

ISOs, as agents of banks, have traditionally been exempt from the more onerous portions of these legal compliance requirements, such as registration with FinCEN, maintenance of an anti money-laundering (AML) program, and reporting of suspicious activity or large currency transactions to FinCEN.

ISOs have not been actively involved in these compliance requirements because the banks that process for them have carried the regulatory burden. For example, before a merchant is accepted for processing with a given bank, the bank's underwriting department makes sure the merchant is not listed on the Specially Designated Nationals (SDN) list of the U.S. Treasury Department's Office of Foreign Assets Control (OFAC).

Even when a full-liability ISO places a merchant, the bank still puts the merchant through a BSA underwriting process over and above the financial underwriting with which ISOs are usually most concerned. As financial institutions, banks are held accountable by FinCEN and state regulators to statutes that require rigorous compliance programs in order to prevent the financial system from being abused by terrorists and money launderers.

The purpose of this article is to give ISOs sensitivity to AML compliance, as well as identify a handful of rules that may already be applicable to ISOs.

1. What is an AML policy? Such a policy is a set of internal rules, drafted for the unique model of a given business. The AML policy ensures that the business is not in breach of the BSA and that its business is protecting itself from being an unwitting facilitator of criminal activity, such as money laundering or the funding of terrorism. No two AML policies are identical, as each is drafted to the specific concerns of a single business.

2. Who needs an AML policy? The answer to this question is very much a moving target, which is a large reason why I chose this topic. The BSA is unequivocal that the following entities must have AML policies: the issuers, sellers or redeemers of money orders; the issuers, sellers or redeemers of travelers' checks; money transmitters; check cashers; currency exchanges; and the providers or sellers of prepaid access.

For some entities, like traditional over-the-counter cash money transmitters or currency exchanges, one may easily figure out if they are within the above categories. But, for a dot-com startup game with a credit system that is exchangeable in a virtual reality, that question is more difficult to answer.

Of all the clear categories identified by the BSA, providers and sellers of prepaid access is the category that comes closest to home for most ISOs. Not all ISOs are involved in prepaid access. However, those that are must consider whether they are subject to BSA regulation and whether they should, as a consequence, register with FinCEN and maintain an AML policy.

Note that even if your payment business is not required by law to have an AML policy, I still recommend you have some basic internal rules to diminish opportunities for criminals to take advantage of your business for illegal purposes. Payment Card Industry Data Security Standard compliance helps in that regard, but ISOs can imagine other policies that could help to insulate their operations from contamination.

3. Should my merchants be informed? Yes. Mer-chants are the front door to many payment services, such as money transmission, prepaid access, bill payment, etc. Each of these models may impose on the merchant some level of compliance. A number of these rules are new and still being digested by banks, which are subject to the highest levels of compliance in financial services.

For example, FinCEN's prepaid access rule, which imposes certain BSA requirements on providers and sellers of prepaid access, has immediate relevance to merchants who are in the business of selling prepaid cards. The providers of those programs should - and in fact must - take leadership in seeing that their sales channels are compliant with the rule. But it can't hurt for ISOs to increase their merchants' sensitivity to BSA requirements.

4. What if I'm not in compliance? Entities that require registration, licensing, an AML policy or other requirements as a result of financial services regulation, but who fail to comply with those requirements, face enormous potential fines (for example, $1,000 per transaction) and even jail time. This is on top of being a potential facilitator of criminal activity. Payment businesses are advised to undergo a risk assessment to see whether they are subject to the various federal or state laws that are becoming ever more numerous these days.

5. What's in store for ISOs? From the perspective of AML regulators, ISOs and processors fit loosely into a category known as third-party payment processors (TPPs). It's hard to put a precise definition on this term because it means different things to different people.

That said, it loosely brings together entities that process payments as third parties to the merchant, such as credit card acquiring processors and bill payment service providers. Talk within the AML community concerning TPPs may justify a reasonable expectation of increased regulatory oversight of these businesses in the coming months and years.

This provides all the more reason, then, for ISOs to become sensitized to AML compliance before they are obliged by law to do so.

Benefitting from the Amazon tax

On a tangential point, I highly recommend that ISOs question their acquiring processors as to their readiness for the potential of the Marketplace Fairness Act (also known as the Amazon tax) to become law within days or months. This federal law, if passed, would require online retailers to collect state sales tax.

This law may present revenue opportunities for acquiring banks, processors and ISOs that they may lose if they do not collaborate prior to the proposed law taking effect. Specifically, they have an opportunity to work with a tax lookup and remittance intermediary that may be able to share in basis points on the taxes collected. It's been a long time since ISOs have heard of new basis-point line items of revenue.

Each payment business is unique. Between two seemingly identical ISOs, considerable variations will exist in compliance requirements. ISOs should proceed with caution in taking on new roles in the payments industry in order to make sure they are not unwittingly running against the grain of the many rules regulating payment services.

For additional basic compliance information, please visit www.moneyservicesbusinesslaw.com.

What is FinCEN?

The following excerpt from the FinCEN website explains the agency's mission and some of the actions it takes to carry out its duties. For the complete description, please visit www.fincen.gov/about_fincen/wwd/index.html.

"FinCEN is a bureau of the U.S. Department of the Treasury. ... FinCEN's mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.

"FinCEN carries out its mission by receiving and maintaining financial transactions data; analyzing and disseminating that data for law enforcement purposes; and building global cooperation with counterpart organizations in other countries and with international bodies. FinCEN serves as the FIU [financial intelligence unit] for the United States and is one of more than 100 FIUs making up the Egmont Group, an international entity focused on information sharing and cooperation among FIUs. ... As one of the world's leading FIUs, FinCEN exchanges financial information with FIU counterparts around the world in support of U.S. and foreign financial crime investigations.

"The basic concept underlying FinCEN's core activities is 'follow the money.' The primary motive of criminals is financial gain, and they leave financial trails as they try to launder the proceeds of crimes or attempt to spend their ill-gotten profits. FinCEN partners with law enforcement at all levels of government and supports the nation's foreign policy and national security objectives."

In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law, at atlas@adamatlas.com, or at 514-842-0886.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.