In our first article in this series on payment facilitation, we highlighted five key areas that a software company needs to address before incorporating card payments into its existing suite of software products and services. In this article we take a deeper dive into the first of those areas, the need to set up a legal, regulatory, and card brand compliance program. Payment facilitation, like merchant acquiring generally, is subject to various federal and state laws, regulations, and card brand requirements, in addition to compliance requirements pushed down by contract through the sponsor bank relationship.
For a software company, all of these requirements can be new and confusing. Many software companies are not subject to consumer or financial regulatory requirements – moving into payment facilitation opens up a whole new world of requirements that necessitate implementation of a formal compliance program. To help your company understand the rules of the road, and avoid making any wrong turns, this article provides an overview of the legal, regulatory, and card brand issues relevant to payment facilitation, along with suggested best practices for implementing a compliance program tailored for payment facilitation.
Understanding the Legal and Regulatory Framework
There are numerous federal, state, and card brand requirements that govern payments, or that may be pushed down to a payment facilitator by its sponsor bank. It is therefore critical for a software company that adds payment facilitation to its services to understand the legal, regulatory, and card brand landscape.
The following are just a few examples of the federal laws and regulations that are relevant to payment facilitation:
- BSA/AML – Under the Bank Secrecy Act (BSA), a company that engages in money transmission is required to comply with anti-money laundering program and reporting requirements.
- Credit Reporting – Any company that pulls credit reports on potential customers or reports information to credit bureaus is subject to the requirements of the Fair Credit Reporting Act (FCRA). In addition, a payments company that denies an application may be subject to adverse action reporting requirements.
- Recurring Payments – There are numerous federal laws, including the Electronic Fund Transfer Act (EFTA) and the Restore Online Shoppers' Confidence Act (ROSCA), that govern recurring billing, payment, and subscription services.
There are also state laws applicable to payments, including, for example, those relating to money transmission licensing, merchant agreements, recurring payments, and credit card surcharging. In addition, California has implemented the California Consumer Privacy Act (CCPA), which imposes comprehensive data privacy requirements on companies that do business in California or handle the personal information of California residents.
Finally, each of the card brands has published operating rules and regulations that provide hundreds of pages worth of requirements for merchant acquiring and processing activities. These rules govern such topics as merchant contracting, chargebacks, dispute resolution, and managing stored payment credentials.
Managing Risk Through Compliance Management
Many of the federal, state, and card brand requirements outlined above are likely to be new to a software company looking to incorporate payments into its products and services. Managing these requirements, and minimizing risk of violations, requires the implementation of a robust compliance program.
Implementing a Compliance Program. Compliance management is the process by which a company implements policies, procedures, and controls to manage its legal and regulatory requirements. The starting point for implementing a compliance program is the hiring (or training) of compliance personnel to manage the compliance function. In most cases, the appointment of a compliance officer is appropriate to ensure management oversight of the program. From there, a company needs to adopt and implement written policies, procedures, and controls that set forth an enterprise-wide framework for managing legal and regulatory compliance. In terms of training, board members, management, and staff should receive appropriate training on a regular basis, covering compliance with federal financial and consumer protection laws. In addition, the company should implement a process for regular internal and external compliance audits to review operations for compliance with applicable legal requirements.
Merchant Due Diligence and Monitoring. Most software companies do not have compliance programs designed to address the unique challenges presented by payment facilitation, including risk underwriting, due diligence, and monitoring functions. As a payment facilitator, your company is responsible for underwriting and monitoring the submerchants that you bring into the payment system. These responsibilities are intended to protect the payments system from financial risk of loss and to guard against reputational and regulatory risk that may be caused by a submerchant's marketing or business practices. While some underwriting and monitoring functions may be automated, you may be limited in how much you can automate your risk management tools by your acquiring partner or the nature of your submerchants' lines of business.
Implementing a robust compliance program is not just about managing financial risk—federal and state regulators have been aggressive in bringing enforcement actions against payments companies that fail to adequately underwrite and manage their merchant portfolios. As noted in prior articles, the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), Department of Justice (DOJ), and state attorneys general continue to target payments companies alleged to have facilitated merchant fraud by providing the "means and instrumentalities" necessary for a merchant to extract money from consumer accounts. This scrutiny has led to numerous federal law enforcement actions against merchant acquirers and third-party processors.
Watch Out for Red Flags. In the enforcement actions brought against payments companies, the government has highlighted various common factors as evidence that the payments company was integrally involved in the merchant's fraudulent business conduct or ignored numerous warning signs that the merchant was engaged in fraud or deceptive practices. It is therefore critical for a payment facilitator's compliance program to monitor for and avoid engaging in any of the following types of conduct:
- Assisting a merchant in finding ways to structure its operations to defeat chargeback requests or monitoring systems.
- Transmitting funds on behalf of merchants where a review of the merchant's activities would have shown that the funds were obtained unlawfully.
- Encouraging merchants to evade payment card brand scrutiny, such as by opening multiple accounts and forwarding false applications.
- Failing to take action when a payment card brand places a merchant on a monitoring list.
- Encouraging merchants to use a payment mechanism that is less regulated or not subject to systemic monitoring.
- Ignoring or failing to investigate consumer complaints.
- Failing to monitor for and take action in response to state or federal investigations or enforcement actions involving merchants, including a merchant's failure to comply with a state or federal consent order.
Monitoring Card Brand and Legal Developments. Finally, a payment facilitator should keep a close eye on card brand rule updates and federal and state legal developments. From the legal perspective, an industry or merchant practice that is legal today may be an enforcement target tomorrow. And the card brands are active in updating their rules on a regular basis to implement additional requirements and best practices. Given this dynamic landscape, payment facilitators must stay vigilant in monitoring developments so that they can revise their policies and procedures as needed.
* * * * *
This is the second article in Venable's six-part series on payment facilitation for software companies. Stay tuned for future articles that take a deeper dive into the key issues that a software company should address before beginning payments facilitation.