When considering due diligence standards in payments relationships, banks and others may want to look beyond bank regulators, legal requirements, and NACHA rules to also include considerations developed out of the work of state attorneys general. During the last several years, state attorneys general have found their way into the payments risk management space as they have sought to inhibit merchants from evading taxes, promoting internet tobacco sales to minors, and other illegal behaviors. In their pursuit of wrongdoers, states have investigated the payments processors who aggregate and/or initiate ACH payments or remotely created checks, and the banks who accept these items through their account relationships as well. In doing so, these states have negotiated settlement agreements, which include due diligence policies for banks and payment processors. The results of these efforts may raise interesting questions as to whether or not existing regulatory guidance, NACHA rules, or legal requirements are sufficiently specific or clear standing alone.

One instance is instructive. Beginning in 2006, the states of California, Idaho, and New York began to investigate Internet tobacco sales activities in violation of various state laws. These investigations led to negotiated settlements with ECHO Inc., a payments processor, and with First Regional Bank, a California-based financial institution. These settlements included detailed requirements for the processor and the bank to perform due diligence on their customers (or, for the bank, their customers' customers). In particular, First Regional Bank was required to institute a "Tobacco Policy" under which the bank would perform specific steps to ensure it did not permit illegal tobacco sales activity to be facilitated using payments originated via its accounts. As an example, the bank's policy would include terminating accounts with any processor who failed to terminate processing for any customer who a) switched ACH activity to "demand drafts" (presumably focused on remotely created checks) once notified of a problem or b) offered "demand drafts" as a means to avoid ACH return scrutiny. This provision highlights a particular concern with illegal activity, including frauds, switching between ACH payments, and remotely created checks to avoid the network scrutiny instituted by the ACH operators and NACHA.

The efforts of the states, such as in the example above, raise potential questions about the specificity and clarity of the guidelines issued by the banking regulators, such as those issued by the OCC and FDIC with regard to payments processor relationships. The bank supervisors promote banks taking a risk-based view of due diligence requirements rather than prescribing specific actions. NACHA rules require commercially reasonable standards generally, suggest contracts should be in place with third-party senders, and make clear the ODFI bears the responsibility for the items it introduces into he ACH network but do not otherwise prescribe due diligence standards for processor relationships.

Subject to the principles-based standards described in supervisory guidance, NACHA rules, and other considerations, banks and even payments processors themselves might want to consider the standards included in state attorney general settlements in developing their own due diligence policies.

By Clifford S. Stanford, assistant vice president and director of the Retail Payments Risk Forum at the Atlanta Fed