Mitigating Payment Fraud with Third-party Oversight and Strong Internal Controls

September 15, 2025

Contributors: Mynesha Phifer, Beth A. Behrend, CCBCO, CBAP

Payment fraud and scams continue to capture the attention of federal regulators because of the risks that arise from non-compliance tied to third-party service provider (TPSP) failures and inadequate Bank Secrecy Act/Anti-Money Laundering (BSA/AML) programs. In June 2025, the agencies requested comments on potential areas for improvement and collaboration among financial institutions, consumers, and payment processors.

Threats are plentiful and varied. Bad actors use social engineering, phishing, business email compromise, romance and investment scams, and identity theft to target checks, wire transfers, and peer-to-peer payments. TPSPs may fall victim to these schemes and may also experience service failures, outages, or data breaches that compromise customer information, impair your ability to process payments, and damage your reputation in the marketplace. Hackers gain unauthorized access to steal account numbers and credit and debit card numbers. Tactics such as DDoS attacks, malware, and ransomware compromise networks. Employees and contractors may unknowingly or intentionally share sensitive information.

Moreover, the OCC Spring 2025 Semiannual Risk Assessment noted that gaps in BSA/AML programs and partnerships with fintechs lacking experience and technical expertise may also elevate payment fraud risks and increase Suspicious Activity Report (SAR) and Currency Transaction Report (CTR) filing obligations. BSA/AML compliance failure scenarios often include weak internal controls and monitoring systems; deficient independent audits; BSA or compliance officers who lack experience, authority, or independence; outdated Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD); poor-quality transaction monitoring data; overreliance on legacy systems; and insufficient financial resources.

Coupled with the March 2025 U.S. Treasury Department interim final rule removing the requirement to report beneficial ownership to the Financial Crimes Enforcement Network (FinCEN) and the potential for lax compliance with Reg E, Reg CC, and the Federal Trade Commission Act, banks can find it challenging to manage their payment fraud and BSA/AML risk profiles.

These examples emphasize the importance of strong internal controls and programs, coupled with robust TPSP risk management protocols, to limit exposure to audit scrutiny, fines, and legal action. Board members should ensure such programs go beyond encryption, tokenization, and secure data storage, and should seek a TPSP Service Level Agreement (SLA) that meets these best practices:

  • Real-time fraud detection, machine learning, and multi-factor authentication (MFA) to prevent unauthorized transactions
  • Uptime guarantees and disaster recovery plans for outages or other disruptions
  • Corporate culture that prioritizes employee education and training
  • Compliance with Payment Card Industry Data Security Standards (PCI DSS), General Data Protection Regulation (GDPR), and California Consumer Privacy Act (CCPA)
  • Defined routines to update systems and data handling processes to keep pace with regulatory changes and ensure data security and integrity

While the Board may delegate daily operational management to others, it is responsible for oversight to ensure the bank operates in a safe and sound manner, consistent with strategic goals, and in compliance with applicable laws and regulations.

We provide expert guidance on executing effective risk management practices that include oversight of TPSPs and BSA/AML programs. Contact Beth Behrend, CCBCO, CBAP at 616.975.4100 or by email, or Mynesha Phifer at 734.302.4152 or by email.