Payment Processing Compliance Roadmap for 2017

3 min

With 2016 in the past, the payments industry is looking forward to what the New Year may have in store. If 2016 was defined by EMV, then 2017 may be the year that the payments industry builds on the potential of the "internet of things," mobile payments, and, of course, the FinTech revolution.

One thing we do know is that the government will continue to scrutinize the payments industry. Whether fair or not, payments companies are expected to understand their customer's business and ownership structure, and monitor their customer's transactions for signs of illegitimate activity. Although merchant fraud can never be eliminated, there are steps that a payments company can take to prepare for continued regulatory scrutiny. In this regard, the start of the year is the best time for payments companies to get their houses in order by reviewing their compliance policies and procedures. An ounce of prevention can go a long way to putting your company in the best position to capitalize on opportunities that arise in 2017.

Implement a Compliance Management System

A good starting point for regulatory compliance is the establishment of a compliance management system (CMS) that covers business operations and sets management's expectations for compliance with applicable laws. A CMS is the system through which a payments company establishes its compliance responsibilities; communicates those responsibilities to employees; ensures legal requirements and internal policies are incorporated into business processes; reviews operations to ensure responsibilities are carried out and legal requirements are met; and takes corrective action as necessary.

Review and Update Merchant Underwriting Policies and Procedures

For years, regulators have sought to hold financial institutions and payment processors liable for the fraudulent activities of their merchant clients. Federal regulators may continue to focus on missed "red flags" in merchant underwriting and transaction processing for some time to come.

To minimize these risks, payment processors should review their merchant underwriting policies and procedures to ensure they are conducting proper due diligence, both to avoid potential enforcement actions and as a matter of best practices to prevent fraud and misuse of their services. The Electronic Transaction Association (ETA) has developed voluntary Guidelines on Merchant and ISO Underwriting and Risk Monitoring for its members in the payments industry that serves as a comprehensive resource for those seeking new and improved tools and strategies for enhancing policies and procedures. ETA has also developed similar guidance for the fast-growing payments facilitation industry.

Re-evaluate and Deepen Risk Monitoring

Payment processors must monitor merchant activities on a regular basis for potential fraud and other risk. In June 2016, for example, the Consumer Financial Protection Bureau filed suit against a payment processor and its President and CEO for allegedly processing ACH withdrawals from consumer accounts by payday lenders and other financial services providers in the face of numerous red flags, including high return rates and warnings from banks and consumers. While the monitoring of sales, refunds, and chargeback activity is a must, payments companies should also take a deeper look into each merchant's marketing and sales practices even after the merchant is up and running.

Develop Third-Party Oversight, Management, and Training

Implement policies to oversee business relationships with service providers. If you work with sub-ISOs and sales agents, their actions (or failure to act) can come back to haunt you, as legal responsibility in the payment industry flows in all directions. In January 2016, for example, PayBasics, sales agents for an ISO, agreed to a judgment of $1.02 million to settle Federal Trade Commission allegations that it helped a merchant open and maintain merchant accounts for allegedly fraudulent sales activities. The next month, the payment processor in the case agreed to a $2.6 million judgment (also partially suspended).

* * * * * * * * * *

Taking these steps will put your company in a good position to take advantage of opportunities in 2017 – whatever they may be.