Maximizing the Benefits (and Minimizing the Risks) of Payment Orchestration

6 min

The payments industry continues to evolve in response to the demand for flexible, fast, and secure payment options. Innovations have included payment facilitation, push-to-card services, and real time payments, among others. One of the newer innovations—payment orchestration—enables merchants to access numerous payment processors through a single integration for purposes of simplifying front- and back-end processes while providing consumers with multiple payment options (cards, digital wallets, etc.). While payment orchestration offers benefits for merchants and consumers, providers of these services and merchants should take note of the potential for the service to be abused by bad actors seeking to hide evidence of their fraudulent and deceptive sales practices. From a regulatory perspective, innovations that lead to faster and broader payments may raise concerns of faster and broader fraud.

What Is Payment Orchestration?

Merchants—particularly larger ones or those with international sales—have realized the need to maintain multiple processing, acquirer, and gateway connections to ensure redundancy, cost efficiencies, currency options, and payment method flexibility. To address these needs, payment orchestration providers allow merchants to access dozens of payment integrations through a single, cloud-based interface. For example, a large merchant might establish card processing relationships with acquirers A, B, and C, while also contracting with numerous digital wallet providers and buy now, pay later providers. Managing these various relationships requires significant time and effort; payment orchestration helps merchants manage these various relationships (and sales volume) through a single integration.

In addition to providing a single integration, payment orchestration helps merchants manage volume and routing across various acquirers for purposes of maximizing acceptance rates, minimizing processing costs, and streamlining front- and back-office operations. This flexibility is attractive to larger merchants with significant processing volume or multinational corporations that maintain processing relationships in numerous regions and countries. Note, however, that payment orchestration is different from payment optimization, which involves efforts to enhance the likelihood of success of an individual payment transaction. Likewise, payment orchestration is different from "merchant of record" aggregation models, although both often focus on helping merchants manage the inherent challenges of cross-border payment processing.

What Are the Key Legal and Regulatory Issues for Payment Orchestration?

As payment orchestration has grown in popularity, little attention has been paid to the potential legal and regulatory risks involved in providing (or using) services that route payments volume across numerous acquirers. This core feature of payment orchestration—which offers numerous benefits—has the potential to be abused by merchants to hide evidence of fraud or other unlawful sales practices.

For many years, federal and state regulators, particularly the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and state attorneys general, have targeted banks, payment processors, payment facilitators, and other payments companies that have provided services to merchants engaged in fraud or other unlawful conduct. In bringing these actions, the government has focused on evidence that the defendant was aware of the merchant's bad actions, including evidence that the defendant ignored numerous warning signs of fraud or deceptive practices, such as high chargeback rates and consumer complaints. Law enforcement also has focused on "load balancing," defined as the practice of routing transaction volume across multiple merchant accounts to hide chargebacks and other red flags from card network or bank scrutiny.

In April 2023, for example, the FTC filed a complaint against Nexway, a purported "merchant of record" that opened multiple merchant accounts "to process consumer payments for third parties, [which] made it possible for its clients engaged in tech support scams to obtain furtive access to the credit card system and evade detection by the card brands for a longer period of time." In addition, Nexway engaged in "load balancing" to obfuscate chargebacks. The FTC has held payment processors liable under these types of circumstances for facilitating unlawful merchant activity. Most of these enforcement actions are resolved by consent decrees (i.e., settlement orders), which typically impose injunctive provisions that restrict the defendant's future processing conduct and require the defendant to cover the refund of any monetary penalties and other financial loss through chargeback liability, loss of reserve funds, loss of gross or net fees earned, and financial liability for the merchant's sales transactions. In the case of Nexway, the FTC obtained a court order against the company that included a total monetary judgment of $16.5 million (suspended in part for inability to pay) and imposed numerous requirements with respect to the future processing of transactions.

So, what does this all mean for payment orchestration? For merchants that use the service, it means that they should do so prudently and not abuse the services for purposes of masking deceptive sales practices. For sponsor banks and other acquirers, it means understanding whether and how merchants are using these services and then addressing the potential risks through updated compliance monitoring programs. And for providers of these services, it means designing the services from the outset to minimize potential risk of abuse by fraudulent merchants.

On this last point, providers of payment orchestration should take steps to ensure that their services are consistent with regulatory expectations for merchant underwriting, diligence, and monitoring. Providers of payment orchestration services are not necessarily subject to the same standards imposed on merchant acquirers by the card brands and regulators. On this point, providers may argue that they are merely providing services to help merchants manage their processing relationships and therefore have fewer obligations for how the merchants use the services. Providers would be prudent to note that payment processors, independent sales organizations, and payment facilitators have often learned the hard way that these types of arguments may carry little weight with law enforcement. From Operation Chokepoint to recent actions against chargeback mitigation services, federal law enforcement will seek to hold companies liable for providing services to merchants that they knew, or should have known, were engaged in fraudulent sales practices.

To manage these risks, providers of payment orchestration services should consider policies and procedures that address merchant onboarding, diligence, and monitoring. These policies and procedures might address areas such as permitted, prohibited, and restricted merchants and onboarding requirements for different industries (including, potentially, separate requirements based on expected merchant volume, risk, or other relevant parameters). Applications for services might capture information on the identity of the merchant and the business owner(s) (including beneficial owners), the merchant's type of business, the merchant's financial condition, the merchant's prior processing history, etc. Finally, as part of onboarding, the platform should perform at least basic reviews of each merchant for indicia of potential fraud or deceptive acts or practices.

Once a merchant is boarded, the platform may monitor the merchant's transactions, volume, chargebacks, and routing practices for efforts to obfuscate chargebacks or otherwise evade card brand scrutiny. This might include, for example, flagging a merchant that balances volume across multiple acquirers to stay below card brand chargeback limits. Fortunately, many payment orchestration providers are cognizant of these risks and have implemented machine learning, artificial intelligence, and other advanced techniques to monitor for and target fraudulent transactions. In fact, when done properly, payment orchestration may help mitigate fraud by tracking data across multiple payment rails.

In conclusion, the innovation of payment orchestration has the potential to provide numerous benefits for merchants and consumers. But these benefits can be realized fully only if the services are used responsibly. This means that merchants, merchant acquirers, and payment orchestration platforms must all work together to process transactions responsibly, consistent with card brand and regulatory expectations for compliance. Failing to take theses risks into consideration can result in potential regulatory scrutiny for merchants and providers of payment orchestration services.