The Payments Forum at the Atlanta Fed hosted an afternoon event last week that brought in a diverse group of industry leaders to discuss trends driving recent product and service offerings and the reality of implementation. Based on audience questions during the last of three sessions and inquiries at other conferences this year, it's clear the industry is stressed out about the takeaways from recent consent orders.
While I am not privy to the details behind the scenes of consent orders, I have had previous experience performing risk assessments, training on risk management, and sitting on the advisory panel for forming the Payments Risk Professional Accreditation. I have noticed from my engagements this year that payments stakeholders are increasingly concerned because they strive to be compliant and manage risk effectively but are confused on how to do so when there seem to be moving targets and new business models involving third parties.
It might be good to review what it is about third parties that makes compliance more difficult. I'll paint the picture with the Four-Corner Payments Model:
The figure displays the clearing and settlement process for retail payments using a standard four-corner payments model. While the technical details of information and funds are different for each payment instrument or network, all retail payments follow a common set of participants and flow. These are also the minimum number of parties necessary to conduct true clearing and settlement. Keep in mind that all financial institutions must have a master account with the Federal Reserve or utilize a correspondent who has one to make this work.
The diagram reflects the general flow of transactions and participants. In many cases, other third parties or fintechs may facilitate one or more processing functions. Today, more financial institutions and payees engage fintechs and third-party service providers to act on their behalf rather than keeping all payment functions in-house, but many kinds of third parties can interject into the four-corner model.
Some scenarios of third-party and fintech subcategories include:
- Business that acts on behalf of a financial institution to submit ACH files to the ACH operator (Federal Reserve or Electronic Payments Network)
- Business that offers consumers a digital transaction account with a debit card
- Business that runs fraud mitigation on incoming debit transactions
- Financial institution that provides services to another financial institution for international wires and currency exchanges (correspondent)
- Business that enables customers to send money abroad
If you are not on one of the corners of the four-corner model, then it's safe to say you are a third party. To get compliance responsibilities right, everyone needs to recognize where on this model the services of a third party sit.
The four-corner payments model is the foundation for applying laws, regulations, network rules, and risk management policies. Financial institutions cannot contract away their liabilities to third parties, so consent orders fall to the regulated institution. If third parties are present, contracts, service agreements, and risk assessments should clearly outline compliance expectations.
For more about third-party risk management practices, read this new guide issued May 3, 2024, by the Federal Reserve, Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation.