In our view, your bank could be liable for unauthorized remotely created checks (RCCs) for at least one year from the date of the account closing (or freezing). If your bank terminated or froze the customer’s account today, paying banks would have one year from today to bring claims for violations of the RCC warranties in Regulation CC.
The Federal Reserve added special RCC transfer and presentment warranties in Regulation CC to incentivize depositary banks to monitor their depositors by “shifting liability for unauthorized remotely created checks to the depositary bank.” Regulation CC establishes that your bank, as the depositary bank, is liable for unauthorized RCCs to any paying bank, and it generally provides paying banks up to one year to make their warranty claims on RCCs. As noted by the Federal Reserve, these warranty claims are made “outside of the check collection process,” so the midnight deadline and other return deadlines made through the check collection process – for example, for cash letters, adjustments with entry, and incoming collection claims without entry – would be inapplicable.
Also, we do not believe that the three-year statute of limitations for warranty claims in the Illinois Uniform Commercial Code (Illinois UCC) would apply in this case. Illinois has not adopted the “model” UCC provisions that create warranty claims for RCCs, and we do not believe that a paying bank could make a warranty claim under the Illinois UCC against your bank. Instead, their potential warranty claims would arise under the Regulation CC provisions discussed above.
The federal banking agencies have issued a fair amount of guidance on the risks of providing deposit services for payment processors, particularly those that use RCCs. We have linked to some of those resources below, and you can find more on our Remotely Created Checks resources page at GoToIBA.com.
Finally, we strongly recommend that you review your bank’s agreement with the customer, which should address your bank’s rights for terminating or freezing the account and the period available for assessing chargebacks against the account. For assistance with this, you may wish to consult with your bank counsel.
For resources related to our guidance, please see:
- Regulation CC, 12 CFR 229.38(g) (“Any action under this subpart may be brought in any United States district court, or in any other court of competent jurisdiction, and shall be brought within one year after the date of the occurrence of the violation involved.”)
- Regulation CC, 12 CFR 229.34(b)(1) (“Transfer and presentment warranties with respect to a remotely created check. (1) A bank that transfers or presents a remotely created check and receives a settlement or other consideration warrants to the transferee bank, any subsequent collecting bank, and the paying bank that the person on whose account the remotely created check is drawn authorized the issuance of the check in the amount stated on the check and to the payee stated on the check. For purposes of this paragraph (b)(1), ‘account’ includes an account as defined in §229.2(a) as well as a credit or other arrangement that allows a person to draw checks that are payable by, through, or at a bank.”)
- Regulation CC, 12 CFR 229.34(b)(2) (“(2) If a paying bank asserts a claim for breach of warranty under paragraph (b)(1) of this section, the warranting bank may defend by proving that the customer of the paying bank is precluded under UCC 4-406, as applicable, from asserting against the paying bank the unauthorized issuance of the check.”)
- Regulation CC, Official Interpretations, Paragraph 34(b), Comment 3 (“A bank making the § 229.34(b) warranties may defend a claim asserting violation of the warranties by proving that the customer of the paying bank is precluded by UCC 4-406 from making a claim against the paying bank. This may be the case, for example, if the customer failed to discover the unauthorized remotely created check in a timely manner.”)
- Final Rule, Regulation CC, 70 Fed. Reg. 71218, 71221 (November 28, 2005) (“Because the Board believes that finality of payment and the discharge of the underlying obligation are fundamental and valuable features of the check collection process, the final rule does not make any adjustments to the midnight deadline. Until otherwise established by agreement, banks must assert claims arising under transfer and presentment warranties for remotely created checks outside of the check collection process.”)
- Federal Reserve Bank Services, Operations Resources, Warranty/Indemnity Claim (WIC) Associated with Unauthorized Remotely Created Checks (URCCs) (Warranty claims for unauthorized RCCs that are “more than 90 days old” are “not eligible for handling through adjustments channels.”)
- Final Rule, Regulation CC, 70 Fed. Reg. 71218, 71220 (November 28, 2005) (“The purpose of the Board’s rule is to create an economic incentive for depositary banks to perform the requisite due diligence on their customers by shifting liability for unauthorized remotely created checks to the depositary bank.”)
- FFIEC BSA/AML Examination Manual, Third-Party Payment Processors—Overview (“Third-party payment processors often use their commercial bank accounts to conduct payment processing for their merchant clients. For example, the processor may deposit into its account RCCs generated on behalf of a merchant client . . . . The increased use of RCCs by processor customers also raises the risk of fraudulent payments being processed through the processor’s bank account. . . . With respect to account monitoring, a bank should thoroughly investigate high levels of returns and should not accept high levels of returns on the basis that the processor has provided collateral or other security to the bank. High levels of RCCs and/or ACH debits returned for insufficient funds or as unauthorized can be an indication of fraud or suspicious activity. Therefore, return rate monitoring should not be limited to only unauthorized transactions, but include returns for other reasons that may warrant further review, such as unusually high rates of return for insufficient funds or other administrative reasons.”)
- FDIC, Guidance on Payment Processor Relationships (July 2014) (“Financial institutions that initiate transactions for payment processors should implement systems to monitor for higher rates of returns or charge backs, which often are evidence of fraudulent activity. High levels of RCCs or ACH debits returned as unauthorized or due to insufficient funds can be an indication of fraud.”)
- FinCEN Advisory, Risks Associated with Third-Party Payment Processors (October 22, 2012) (“Law enforcement has reported to FinCEN that recent increases in certain criminal activity have demonstrated that Payment Processors present a risk to the payment system by making it vulnerable to money laundering, identity theft, fraud schemes, and illicit transactions. Many Payment Processors provide legitimate payment transactions for reputable merchant clients. The risk profile of such entities, however, can vary significantly depending on the composition of their customer base. . . .”)