Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Guidance on Payment Processor Relationships (Revised July 2014 and February 2026)

November 7, 2008

Amended as of 02/03/2026

On 02/03/2026, this FIL and attachment were revised to remove references to reputation risk.

 

Summary: The FDIC is issuing the attached guidance that describes potential risks associated with relationships with entities that process payments for telemarketers and other merchant clients. These types of relationships pose a higher risk and require additional due diligence and close monitoring. This guidance outlines risk management principles for this type of higher-risk activity. 

 

Highlights: 

  • Account relationships with entities that process payments for telemarketers and other merchant clients could expose financial institutions to increased strategic, credit, compliance, and transaction risks.
  • Account relationships with these higher-risk entities require careful due diligence and monitoring as well as prudent and effective underwriting.
  • Payment processors pose greater money laundering and fraud risk if they do not have an effective means of verifying their merchant clients' identities and business practices.
  • A financial institution should assess its risk tolerance for this type of activity as part of its risk management program and develop policies and procedures that address due diligence, underwriting, and ongoing monitoring of high-risk payment processor relationships for suspicious activity.
  • Financial institutions should be alert to consumer complaints that suggest a payment processor's merchant clients are inappropriately obtaining personal account information.
  • Financial institutions should act promptly when they believe fraudulent or improper activities have occurred related to a payment processor.

Distribution: 
FDIC-supervised Institutions 

Suggested Routing: 
Chief Executive Officer 
Executive Officers 
BSA Compliance Officer 

Note: 
FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/financial-institution-letters/2008/index.html.

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html.

Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200). 

 

Additional Related Topics:

  • Risk Management
  • FDIC Guidance for Managing Third-Party Risk (FIL 44-2008, June 2008)
  • FFIEC Handbook on Retail Payment Systems (March 2004)
  • FFIEC Handbook on Outsourcing Technology Services (June 2004)
  • FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual
FIL-127-2008

Attachment(s)

Guidance on Payment Processor Relationships

Contact(s)

Michael Benardo, Chief, Cyber Fraud and Financial Crimes Section, (202) 898-7319

Last Updated: February 3, 2026