Legal (Compliance) Risk
Legal risk arises from failure to comply with statutory or regulatory obligations. It can result from a financial institution's failure to comply with the bylaws and contractual agreements established with the bankcard networks, clearing houses, and other counterparties with which it participates in processing, clearing, and settling retail payment transactions. Legal risk also arises if the rights and obligations of parties involved in a payment are subject to considerable uncertainty; for example, if the rights of the parties are not clear when a payment participant declares bankruptcy or if a court interprets an applicable law in an unexpected way. In addition, legal risk can occur when customer agreements or contracts do not clearly establish the roles, responsibilities, governing regulations or guidelines, and dispute resolution processes, particularly with regard to RDC. Legal disputes that delay or prevent the resolution of payment settlement can cause credit, liquidity, or reputation risks at individual institutions. Though unlikely, these disputes also can cause potential systemic risk to the payments system. Legal risk also arises from noncompliance with existing consumer protection statutes, regulations, and case law governing retail payment transactions (e.g., the Gramm-Leach-Bliley Act or GLBA, the Truth in Lending Act, Regulation CC, and Regulation E). Customer retail payment transaction records and corresponding account information are subject to the GLBA 501(b) provisions, and financial institutions must establish effective safeguards for protecting their customer information. The bylaws and agreements between clearing house participants and bankcard companies also include specific responsibilities and liabilities. Financial institutions and third-party service providers that do not comply with the appropriate bylaws and agreements of bankcard companies and clearing houses can be fined or lose their memberships.
Thus, financial institutions should assess the risks of accepting such bylaws and agreements in their strategic planning process for new payment offerings. Given the rapidly changing landscape for electronic funds processing, it is paramount for a financial institution to pay close attention to changing legal and regulatory requirements, as well as new network rules that might create unexpected liability for the institution. As financial institutions enter into merchant card, ACH, and remote check processing arrangements with third-party service providers and originators, the institution should ensure that all such arrangements are governed by clearly written contracts which define outsourced responsibilities and liabilities. Financial institutions should carefully review contracts with third parties for outsourced services to ensure that they are not assuming the full risk of loss from failure of third parties to fulfill their contractual responsibilities. Contractual terms may further define responsibilities within the legal framework; and contracts between financial institutions, customers, and third-party service providers may further integrate risk-sharing responsibilities applicable to payments made through a specific clearing or settlement arrangement. In some cases, emerging product development may have insufficient case law to support a completely accurate analysis of the potential risk horizon. The convergence and interoperability of older, more traditional payment methods with newer technologically supported payments may create questions regarding the applicability of law and regulations governing both consumer protection and retail payment transactions. In most cases, older payment technologies for more mature retail payments (checks and credit cards) may co-exist with newer payments technologies requiring financial institutions to maintain several systems. 
The emergence of hybrid systems that incorporate older technologies with newer payments will require heightened review to mitigate and control legal risks. Hybrid systems and new payment technologies also increase the risk of money laundering as a result of increased volumes, transaction speed, and anonymity. Financial institutions should ensure that due diligence for new payment products or services fully evaluates the applicability of laws and regulations, regulatory guidance, and payment association rules from organizations such as NACHA, Visa, and MasterCard. Recent developments in payments over the ACH system raise legal questions regarding whether payments should be characterized as checks or electronic fund transfers. The same questions arise with respect to RDC and electronically created payment orders. As stated previously, in 2006 the Federal Reserve amended Regulation CC, shifting the liability for losses attributable to unauthorized RCCs to the depository financial institution where the check is first cashed or deposited. The liability creates an economic incentive for depository institutions to perform due diligence on the customers and RCCs. These amendments do not affect the rights of checking account customers, as they are not liable for unauthorized checks drawn on their accounts. The fact that a payment may take several different forms, both paper and electronic, during the course of processing and settlement, creates additional complexity. A payment transaction may be covered by check law, Regulation E, association or clearing house rules, or private agreement, depending on what form the payment takes. 
Financial institutions should understand the laws and rules that apply to payments they handle and understand the associated legal risks and liabilities they take on with respect to those payments.

Bank Secrecy Act (BSA)
The BSA requires financial institutions to have BSA/Anti-Money Laundering (AML) compliance programs and appropriate policies, procedures, and processes in place to monitor activity, identify unusual activity, and report suspicious activity. As such, all retail payment systems should be reviewed in terms of BSA/AML compliance requirements. The FFIEC BSA/AML Examination Manual includes examiner guidance and expectations for ACH and other payment systems that may require the collaboration of Operational, IT, and BSA examiners. This Booklet does not seek to replicate that guidance and those expectations, however, and only a brief summary of this compliance risk is offered.[44]

Office of Foreign Assets Control (OFAC)
OFAC administers and enforces economic sanction programs directed against countries and groups of individuals such as terrorists and narcotics traffickers. All U.S. persons and incorporated entities involved in a payment transaction (i.e., all U.S. citizens and permanent resident aliens, wherever located; all persons and entities within the U.S.; and all U.S. incorporated entities and their foreign branches) are subject to OFAC regulations.[45] For domestic ACH transactions, the ODFI is responsible for verifying that the originator of the ACH instruction is not a blocked party and for making a good faith effort to determine that the originator is not transmitting blocked funds. The contract between the ODFI and its customer should clearly define the customer's responsibilities to verify that the originator is not a blocked party and to make a good faith effort to determine that the originator is not transmitting blocked funds.
For high-risk originating customers, the ODFI may wish to request that those customers provide an independent validation of their controls for preventing transmission of funds to blocked parties. The RDFI is responsible for verifying that the receiver of the ACH funds is not a blocked party. For domestic ACH transactions, if ODFIs receive batched transactions from their customers that do not include international ACH transactions, they are not responsible for un-batching the transactions and ensuring that they do not process transactions in violation of OFAC's regulations. If the ODFI un-batches the transactions received from its customers, or receives batched international ACH transactions, it is responsible for screening as though it had made the initial batching. For outbound international ACH transactions, on the other hand, the ODFI cannot rely upon the RDFI for OFAC screening. For inbound international ACH transactions, the RDFI is responsible for compliance with OFAC regulations.