In October 2021, the OCC released new guidance concerning payment systems. This guidance incorporated new regulations promulgated in December 2020, imposing specific notice requirements on national banks and federal savings associations entering new or modified relationships with payment systems. By adopting these regulations, the OCC intends to protect national banks and federal savings associations from additional risks created by open-ended liability from membership in payment systems. National banks and savings associations may want to consider these rules because, while not apparent from the regulations, the term “payment systems” is designed to cover all financial market utilities including banks acting as both acquirers and issuers under the traditional card payment networks such as Visa, Mastercard, and Discover. Davenport Evans lawyers Keith Gauer and Kalen Frericks explain.
When joining a payment system or modifying existing relationships, banks must comply with certain notice requirements. If the new payment system exposes the bank to open-ended liability, the bank is required to give 30 days’ advance notice to its examiner-in-charge (“EIC”). If the payment system does not expose the bank to open-ended liability, the notice to the EIC can be provided 30 days after joining that payment system. The OCC describes open-ended liability as the liability from an unlimited risk of operational losses. These are losses that are caused by events other than defaults by other members of the payment system, such as a loss from a security breach, settlement delay, or information systems failure.
While these notice requirements may help to facilitate safe payment system membership entry, they also impose substantial regulatory burdens. Notices must demonstrate that the bank or savings association has identified and evaluated the risks posed by membership in the payment system and will measure, monitor, and control those risks during and after membership. If a bank’s ongoing review identifies safety and soundness concerns, the bank must notify its appropriate OCC supervisory office and take corrective actions to remediate the risk.
State banks may also wish to pay attention to the requirements for relationships with payment card networks. Significantly, the OCC’s regulations were implemented under the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) enacted in 2010. The Dodd-Frank Act applies to each federal supervisory banking agency. Although these newer regulations are specific to the OCC, other agencies, including the FDIC, could pass similar regulations in the future that would have broader application to state-chartered banks.