In this episode Keith Barnett and Carlin McCrory welcome Marsha Jones from the Third Party Payment Processors Association to discuss a portion the ENABLERS Act, which proposes to update federal anti-money laundering laws to include payment processors within the definition of “financial institution.”
In this episode of The Crypto Exchange, Troutman Pepper attorneys Keith Barnett and Carlin McCrory welcome Marsha Jones from the Third Party Payment Processors Association to discuss a portion the ENABLERS Act, which proposes to update federal anti-money laundering laws to include payment processors within the definition of “financial institution.” The ENABLERS Act is co-sponsored by Representatives Joe Wilson (R-SC), Tom Malinowski (D-NJ), Maria Elvira Salazar (R-FL), Steve Cohen (D-TN), Abigail Spanberger (D-VA), and Richard Hudson (R-NC). Keith, Carlin, and Marsha discuss the significant ramifications that the ENABLERS Act will have on payments processors if it is passed. This is a must listen for payment processors, banks, and money transmitters!
The Crypto Exchange – S01 Ep03, A Conversation with Third Party Payment Processors Association President Marsha Jones
Recorded July 28, 2022
Carlin McCrory (00:05):
Welcome to another episode of The Crypto Exchange, a Troutman Pepper podcast, focusing on the world of digital assets and payments. As longtime leaders in the intersecting worlds of law, business and government relations, our lawyers can go beyond the buzzwords and headlines to make sense of the emerging legal and regulatory frameworks for operating in the digital asset and payments industries. I am Carlin McCrory, one of the hosts of the podcast and an associate at Troutman Pepper.
Before we jump into today's episode, let me remind you to visit and subscribe to our blog, consumerfinancialserviceslawmonitor.com, and don't forget to check out our other podcasts on troutman.com/podcast. We have episodes that focus on trends that drive enforcement activity, consumer financial services, the Fair Credit Reporting Act, cybersecurity, hot-button labor and employment law issues, and more. Make sure to subscribe to hear the latest episodes.
Today, I'm joined by my colleague Keith Barnett and special guest Marsha Jones from the Third Party Payment Processors Association to discuss payment processors and recent proposed updates to AML laws. Keith and Marsha, I'm looking forward to the discussion today.
Keith Barnett (01:31):
Thanks, Carlin. Appreciate it.
Marsha Jones (01:36):
Thank you, Carlin, and I appreciate the invite.
Carlin McCrory (01:37):
We're glad to have you Marsha. Marsha's background here as president of the Third Party Payment Processors Association, the TPPPA. She helped to establish the TPPPA, which formed in 2013, and led the effort to distinguish regulatory concerns related to third-party payment processing, as part of the effort to create industry best practices for payment processors and their banks. Marsha is a nationally recognized payments expert and has over 25 years in the banking and payments industry.
And now for a little bit about the TPPPA. The TPPPA is a not for-profit membership association. TPPPA members are payment processors, banks, and vendors that support third-party payment processing. The association advocates on behalf of third-party payment processors, their financial institutions, and the merchants and consumers who benefit from the payment processing system. Members must apply and be accepted into the association. All members agree to abide by a strict code of conduct.
Keith Barnett (02:45):
Thanks, Carlin. We appreciate the introduction. And once again, thank you Marsha for joining us. We appreciate having this discussion with you and all of your expertise. I'm going to start off by asking you a question generally about the proposed amendment to the anti-money laundering laws. In a nutshell, though, just by way of background for the listeners, what do payment processors do that you believe caused the authors of the proposed amendment to the AML laws to seek to include payment processors within the definition of financial institution? Now, for what it's worth, I'm not saying that you have to agree with the decision because I have a feeling I know what you think about this decision. If you could just give a high-level overview of what payment processors do for our audience.
Marsha Jones (03:33):
Thanks, Keith. I'd love to do that. Companies that offer payment processing come in a variety of different types with distinct kinds of risks associated with them based upon the activities that they engage in. Unfortunately, the distinctions are not necessarily obvious, so these companies get lumped into the broad category or the generic term of payment processor or third-party payment processor, which is not technically accurate. Third-party payment processors are a distinct form of payment processing in which the payment processor acts as a third-party service provider or an agent of the bank that sponsors the payment processor into the various networks, such as ACH, Visa and MasterCard. These particular activities are bank to bank and settlement of these payments occur at the Federal Reserve Bank.
A payment processor cannot participate in these activities without a sponsoring bank. Banks engage third-party payment processors to acquire and manage merchants, collect and format payment data, and transmit data between parties. However, all funds movement or settlement occurs bank to bank. In these third-party payment processor relationships, the highly regulated bank is ultimately responsible for rules compliance and regulatory obligations. The bank may push some of those obligations and responsibilities down to the payment processor, but that doesn't relieve the bank from its responsibilities. Therefore, a third-party payment processor is already operating under AML banking regulations. And these nuances are not necessarily obvious, which is likely the reason why the authors of the amendment mistakenly included third-party payment processors.
Keith Barnett (05:20):
Now, in your comment, you say mistakenly. We already know, or at least some of us already know, that money transmitters are already included within the definition of financial institution under the current AML laws. And I believe that sometimes people conflate the terms money transmitter and payment processor. They see them as one and the same, but we know that's not the case. Could you tell the audience what the differences are, at least the primary differences between payment processors on the one hand and money transmitters on the other hand?
Marsha Jones (05:50):
Sure. We talked a little about the payment processors, but I want to put it into the context of the AML laws and regulations. The purpose of AML laws is to ensure that all types of entities that move money between parties are required to adhere to AML regulations. Its definition of financial institutions include banks as well as broker dealers, casinos, money service businesses or MSBs, and others. And then MSBs are a further subcategory of entities that fall under financial institutions and include money transmitters, currency dealers or exchangers, check cashers or issuers of traveler's checks, money orders or stored value.
MSBs are required to register with FinCEN and adhere to MSB requirements. But true third-party payment processors are exempt from MSB requirements because they are operating under the US banking AML requirements. The money transmitters are a subset of MSBs and do not always operate through banks and the US banking system, but all are part of the payment activities occur outside the US banking system and bank regulatory compliance. So these companies must adhere to FinCEN's MSB requirements and must register with FinCEN as an MSB.
So to recap it, under US AML laws and regulations, third-party payment processors fall under bank requirements and money transmitters fall under MSB requirements. So hopefully, this makes it more clear that there's no need for third-party payment processors to be included in the category of MSB as this would not only be a redundant regulatory requirements, but could actually cause compliance issues for the bank sponsoring the payments into the various payments networks.
Keith Barnett (07:43):
That's interesting. Then what will payment processors be required to do if the laws are amended to define them as a financial institution, that they're not currently required to do in their role as a payment processor and not an MSB or a financial institution?
Marsha Jones (08:01):
That's a really good question. Under US AML laws, all financial institutions are required to file suspicious activity reports, or SARs for short, to FinCEN. And these serve as a crime fighting tool for law enforcement agencies. So should the amendment be passed, third-party payment processors would fall under two US AML regulatory requirements, those of banks and those of MSBs. And then the most significant issue that would come of this is, who would be responsible for filing these suspicious activity reports to FinCEN, the bank or the third-party payment processor?
Now, this presents several issues. First, duplicate reporting by both could confuse and even thwart the efforts of law enforcement in their use of SAR reporting, which was one of the reasons that this amendment was proposed in the first place. And then second, the bank that is sponsoring the payment processor and its merchants into the payment system is currently responsible for reporting suspicious activity for the merchants that they sponsor into the network. And they need to be informed as suspicious activity in their programs for their own sake, through their own monitoring efforts, which are shared by the third-party payment processor. So if the third-party payment processor reports suspicious activity directly to FinCEN, they cannot share that information with the bank because SARs are intended to be kept private and secret. And then the bank needs to be informed of those activities that they're sponsoring. So this is precisely why FinCEN already has a payment processor exemption in its regulations.
Keith Barnett (09:48):
And Marsha, you just mentioned the payment processor exemption. Some people may not know what that is. So by way of background, the payment processor exemption is a federal law that specifically states that payment processors are not money services businesses under US law, under federal law, as long as four big things are met, which we could talk about in a later podcast, or you all could reach out to us to find out what these four things are. But the bottom line here is, there is a payment processor exemption. This exemption applies to third-party payment processors. And because payment processors are not money services businesses under federal law, they are not financial institutions that are required to fill out SARs, as Marsha mentioned. They're not required to have a BSA or an AML policy, and they're not required to have a BSA or AML compliance employee.
So then a question that I have, or we have, for Congress is, how can you reconcile the contradiction between existing law stating that a payment processors are not money services businesses and then the proposed amendment to the BSA AML laws that will say that payment processors are financial institutions, and hence, money services business that must comply with a set of regulations, which payment processors do not have to follow? So it's just confusing. All the way around, it's contradictory, which leads me to my next question. Marsha, do you believe that a law requiring payment processors to comply with the AML laws will affect the payment processors relationships with their banks? And if so, how?
Marsha Jones (11:34):
It could actually have a devastating impact to the banking relationships with third-party payment processors and all the downstream merchants and ultimately the consumers that they serve as well. So as we discussed, having two separate regulatory regimes will confuse and or thwart the bank's oversight of the payment processing programs that they're responsible for. In addition, if third-party payment processors are to be considered separately as MSBs, many banks will quit these programs, as they are not willing to accept the risks of MSBs. And that's in part because a lot of the activities of MSBs happen outside of the banking system, so the banks can't monitor and fulfill their requirements to report suspicious activity reports.
So de-risking MSBs in the past and the present has caused significant issues for companies that rely upon banks to implement their program, or even to get a loan or have a checking account. This would have a devastating impact on the third-party payment processors directly and indirectly. It would impact all those downstream merchants and the consumers who rely more and more particularly after the pandemic to purchase goods and services and utilizing electronic payment processing to sell and purchase those goods and services.
Keith Barnett (12:57):
Thanks. And one of the things that we mentioned earlier, Marsha, was that financial institutions under the AML statute must have a compliance person who makes sure that the financial institution complies with the AML laws. Now, the Nacha rules, which payment processors do follow, do not require payment processors in their roles as third-party senders to have a compliance person. And payment processors who follow the AML blueprint now do not have that requirement. At least, I consider that to be an additional financial burden on payment processors, generally third-party payment processors specifically. Do you consider that additional financial burden on a payment processor to be significant if they are required to comply with the AML laws? You don't have to limit it to the compliance person example that I provided, there might be other areas. But my point here is, there are costs to unnecessary compliance, and I just wanted you to talk a little bit more about that.
Marsha Jones (14:00):
It brings up that commercially reasonable piece where you have the staff that you need based on the size and the complexity of the business that you have. So while AML statues don't specifically require a compliance function for a third-party payment processor, CFPB, a DOJ guidance, does anticipate the company should have some form of compliance function. And we agree, but it's generally tailored to the complexity of the business and the things that the business is doing.
However, if the bank is not overseeing the complex regulatory requirements related to AML, these companies will be required to hire people with an equivalent level of experience, which are hard to find, hard to train, and it would significantly increase the cost of the programs. And it would be redundant for third-party payment processing because the banks are supporting that part of the compliance function, and significantly increase the cost of compliance. And when you increase the cost of compliance and increase the cost of payment processing, which is passed on to merchants, and then merchants need to tack on cost to consumers, and they're ultimately impacted. And I can say, right now, we're not excited about having any further cost in the goods and services we have, particularly if they're unnecessary or redundant.
Keith Barnett (15:30):
Right. So we've been dealing with inflation. So you're basically saying that this law or an amendment to the AML laws has the potential to have a trickle down effect to us, the consumers, because someone's going to have to pay for this added compliance. Is that right?
Marsha Jones (15:48):
Absolutely. And it doesn't just apply to AML laws. It's all of the other laws, that anytime they put unnecessary or overburden requirements in place, it creates a financial burden. And the best way to reduce financial burden, which consumers ultimately bear, as we know, is to avoid unnecessary duplicative and or redundant compliance obligations.
In the case of this proposed legislation, the categories other than third-party payment processors should probably be included, but I'm not an expert in that area. But third-party payment processors should absolutely be removed. Including third-party payment processors does not address the concerns of the authors of this legislation. In fact, it could thwart it with duplicate and confusing, suspicious activity reports. And it not only causes a financial burden, but may also confuse and even thwart the sponsoring bank's AML programs and even create further issues for law enforcement related to receiving suspicious activity reports for their investigations.
Keith Barnett (16:57):
All right. That sounds like a lot. It sounds like a lot of thought should have been given to this amendment. Sometimes I think our legislators feel like they just tack things on, that might be a little bit harmless, but winds up having a rippling effect that they probably do not anticipate. But Marsha, do you have any thoughts as to what resources are currently available to payment processors to provide them with guidance on how to comply with AML laws and just generally be compliant?
Marsha Jones (17:26):
Of course, the Third Party Payment Processors Association, we believe, is an excellent resource. The association was formed to advocate for the third-party payment processing industry and to create industry best practices for the banks and the third-party payment processors. We also provide a great deal of trading, and many of which, in partnership with Troutman Pepper and Keith, to our members to keep them informed of their responsibilities and to provide them additional guidance.
So we created best practices, we call them the TPPP compliance management system. The control framework that is built into that is designed to have our members implement programs that share the requirements between the bank and the payment processor to keep both in compliance and to support the bank's efforts with their complex regulatory concerns, and this includes ML. The control framework also instructs banks on how to conduct due diligence and ongoing monitoring of their third-party payment processors. And it helps payment processors to also have rigorous programs in place to be able to conduct due diligence of their merchants and create adequate monitoring to address some of the concerns that these members of Congress have today.
Keith Barnett (18:53):
All right. Sounds great. Thank you, Marsha.
Marsha Jones (18:55):
No problem. I appreciate you having me here.
Carlin McCrory (18:58):
Well, thank you so much, Keith and Marsha, for an informative podcast today. And thank you to our audience for listening to today's episode. Don't forget to visit our blog, consumerfinancialserviceslawmonitor.com, and subscribe so you can get the latest updates. Please make sure to also subscribe to this podcast via Apple Podcasts, Google Play, Stitcher, or whatever platform you use. We look forward to seeing you next time.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.