Payments Compliance 101 for VARs, Gateways, and ISVs


The payments industry evolves almost daily with the introduction of new technologies and shifting consumer preferences. While in the past there was a well-understood hierarchy of service providers, such as banks, processors, and independent sales organizations (ISOs), a new breed of technology companies, including value-added resellers (VARs), integrated software vendors (ISVs), gateways, and payment facilitators, is increasingly building payments technologies into its software platforms to compete more directly with traditional payments companies.

Expanding more directly into payments offers a number of benefits – enhanced revenue opportunities, expanded engagement with customers – but can also create potential legal and regulatory risks. This article highlights key legal and regulatory considerations and potential pitfalls for technology companies seeking to expand into traditional payment processing activities.

Merchant Onboarding, Underwriting, and Monitoring

Federal regulators often hold payments processors and ISOs liable for the fraudulent activities of their merchant clients. Any technology company seeking to enter the payments space more directly must understand, and implement appropriate controls for, this risk.

The starting point for compliance is the implementation of a compliance management system (CMS) that covers the technology company's operations, services, and compliance with applicable laws. Within this system, key areas of focus should cover merchant onboarding and due diligence, and ongoing monitoring responsibilities as dictated by contractual requirements with a processor or ISO, card network operating rules, and regulatory requirements.

As technology companies become more involved in offering payments services to merchants, regulators will expect these companies to implement compliance protocols similar to those used by processors and ISOs. At a minimum, regulators will expect a company with merchant relationships to engage in basic "Know Your Customer" activities, even if the company is not directly subject to federal anti-money laundering regulations. Moreover, any missed red flags in merchant due diligence could expose the ISV, VAR, or payment facilitator to business, reputational, and law enforcement risk.

Consumer protection law enforcement actions brought over the years by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), in particular, outline these red flags, which may include questionable business practices in the merchant's sales processes, incomplete or inaccurate application information, consumer complaints about the business, and results of a site visit, among many others.

Once a merchant is given access to the payments system, the technology company should keep a close watch on the merchant's activities. Banks, processors, and ISOs typically monitor processing metrics such as sales, refunds, and chargeback activity. While a VAR or ISV may not have access to such detail, today's regulatory environment demands that payments companies take a deeper look into each merchant's marketing and sales practices even after the merchant is up and running.

This review may involve a periodic check for web site changes, consumer complaints, and other signals that a merchant's business operations are different from what was expected. Regulators will expect VARs and ISVs to perform these types of checks, even if they are not required to do so contractually.

Fortunately, there is industry guidance available to help ISVs, VARs, and payment facilitators get up to speed quickly on regulatory expectations and best practices. In particular, the Electronic Transaction Association (ETA) has developed Guidelines on Merchant and ISO Underwriting and Risk Monitoring for its members in the payments industry, which serve as a comprehensive resource for those seeking tools and strategies for enhancing policies and procedures. ETA has also published Payment Facilitator Guidelines to help members in the fast-growing payments facilitation industry understand risks in emerging markets and business verticals most apt to use a payment facilitator model for their payment needs.

Payment facilitation, in particular, is a hot area in payments right now, especially within the VAR, ISV, and gateway industries. On one end of the spectrum, the payment facilitator model permitted by Visa and MasterCard allows registered facilitators to process transactions for known and vetted sub-merchants. Merchant aggregators essentially permit small businesses to accept credit and debit card transactions without having to set up their own merchant account. Instead, the merchants rely on the aggregator's merchant account to submit credit and debit transactions through the card networks. This requires the payment facilitator to enter into a sub-merchant agreement with, and perform screening and underwriting on, each sub-merchant to ensure the merchant is engaged in lawful activity and is in compliance with card brand rules as well as the requirements of the acquirer.

On the other end of the spectrum, unauthorized transaction laundering or "factoring" involves the undisclosed processing of third-party transactions through a merchant account (normally to disguise unlawful conduct). Factoring, a form of money laundering, violates state or federal laws that prohibit money laundering, especially if the transactions being factored are linked to illegal activities.

Data and Privacy

Another area that has received significant regulatory scrutiny in recent years is data privacy and security. Electronic payments systems may allow merchants and payments processors to access sensitive consumer data, including employee information, social security numbers, tax identification numbers, and company sales data. Access to this information, and the ability to provide data analytics, is one of the "value propositions" that payments companies seek to offer to their merchants. Given this access to sensitive data, however, payments companies need to ensure they have robust data security and privacy programs in place.

This is of primary concern, as the FTC and the CFPB have turned their enforcement spotlight on data security practices, including in the payments industry. Last year, for example, the CFPB brought its first data security enforcement action against a payments processor (see In the matter of Dwolla, Inc.). The CFPB's order did not include any allegations of a data breach, or even a consumer complaint. The action was the result of a CFPB assessment of the inadequacy of the payments processor's data security measures.

A natural starting point is ensuring compliance with the Payment Card Industry Data Security Standard (PCI DSS), a requirement for companies that participate in the payments ecosystem (and, increasingly, a standard used in other industries). Nevertheless, PCI DSS compliance alone may not satisfy a government inquiry into data security practices. The government will dig deeper to see whether the company had appropriate safeguards in place, to look for any deficiencies or areas for improvement highlighted by independent audits or assessments in years past, and to determine whether the company implemented steps to remediate any such deficiencies or areas for improvement.

* * * * * * * * * *

The payments industry has been under increasing scrutiny from federal and state regulators in the past few years. This scrutiny has put pressure on payments companies to implement appropriate risk monitoring and compliance policies and procedures. As VARs, ISVs, and gateways seek to expand into traditional payments areas, these companies must understand the potential risks and implement appropriate business models and internal controls to ensure compliance.