Payment Facilitators and Liability: With Flexibility Comes Card Scheme Responsibility

By Heather Mark, Director of Corporate Compliance and Security, TrustCommerce

The last two years have seen a surge of companies moving into the payment facilitator space. That in itself is not surprising. Becoming a payment facilitator offers tremendous flexibility and value for ISVs and VARs. The ability to facilitate payments for businesses without having to build and maintain a processing platform is an attractive avenue for many organizations.

With that flexibility, though, comes potentially significant liability. In addition to the legal ramifications of becoming a payment facilitator, the payment facilitator takes on responsibility for the actions of its submerchants under the card scheme operating regulations, as well.

In the Visa Core Operating Rules (§5.3.1.1) the language is very clear that the payment facilitator is “liable for all acts, omissions, Cardholder disputes, and other Cardholder customer service-related issues caused by the Payment Facilitators sponsored merchants.”

Similarly, the MasterCard rules state very explicitly that “The Payment Facilitator must ensure that each of its Submerchants complies with the standards applicable to Merchants.” (§7.8.2 ¶2).

That may sound fairly straightforward, but for companies that are new to payments, that list of “applicable standards” can be daunting. Following is a list of some of those standards with which payment facilitators may find the most challenge in monitoring and enforcing compliance.

Payment Card Industry Data Security Standard

The card scheme mandate that comes to mind most readily is compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Established as an industry-wide mandate in 2006, the PCI DSS requires all entities that store, process, or transmit data, or entities that could impact the security of a transaction (those that host a redirect to a payment page, for example) to maintain a minimum standard of security practices. Compliance with the PCI DSS can be challenging for very small merchants.

One avenue in managing this is to minimize the contact the submerchant has with cardholder data. But even that route takes significant planning and understanding of the flow of liability from the acquirer, to the payment facilitator, and finally to the submerchant, assuming the submerchant is large enough to absorb any potential non-compliance or breach fines and assessments.

Prohibited or Restricted Businesses and Items

One of the more overlooked requirements, though, centers on the sale of prohibited items. For example, Visa strictly prohibits payment facilitators from providing services to internet pharmacies and pharmacy referral sites, and outbound telemarketers.

Each acquirer has a list of products or services for which they will not process transactions. Typical items included on this list are illicit substances, counterfeit or stolen goods or products, debt collection services, gambling, fireworks, and adult products.

Other acquirers may restrict based upon the category of business. For example, some acquirers restrict the underwriting of money services businesses, or MSBs. Some acquirers may have a list that is more or less expansive, but all acquirers have a Prohibited or Restricted Business list.

In the payment facilitator model, the PF is ultimately responsible for monitoring its submerchant portfolio and enforcing compliance. In some instances, that may mean the termination of the submerchant account.

Violations of this mandate will certainly include fines or assessments from the card brands and, depending on the nature of the prohibited business, may draw regulatory enforcement actions, civil liabilities and potentially even criminal charges. Imagine being a payment facilitator that enabled a platform for exchanging stolen goods.

Anti-Money Laundering Compliance

That brings to mind an additional area of potential liability – complying with Anti-Money Laundering laws. All of the card schemes require their acquiring partners to maintain Anti-Money Laundering programs.

This requirement follows on the regulatory mandate imposed on banks by the federal government. This is often cascaded to third party agents and payment facilitators through contractual obligation. Payment facilitators must be able to sustain a reasonable belief that their submerchants are who they attest to be. That means performing “Know Your Customer” and OFAC checks.

In the era of increased beneficial ownership requirements, understanding the due diligence requirements, and the obligation to monitor for ownership changes and risk triggers, can make a significant difference to an entity looking to become a payment facilitator.

Some sponsors may work with the payment facilitator to share this function, but the payment facilitator needs to be aware of the requirement in order to ask about it and to understand exactly what the liability share looks like.

Setting out on the Right Road

In short, the payment facilitator model holds a lot of potential – both good and bad. One of the potential trade-offs for lowering the barrier to entry in the payment space is that bad actors can take advantage of that new platform. The best way to counter that is by being informed as to the liabilities and obligations associated with becoming a payment facilitator.

Fortunately, for each of the liabilities listed above there are solutions to help payment facilitators manage their liability. Ensuring that adequate research is done on the sponsoring acquirer and implementing appropriate controls to address potential liabilities can help put payment facilitators on the right road.

It’s important to note that this is by no means a comprehensive discussion of the regulatory liabilities facing payment facilitators. Organizations or individuals interested in that business model are strongly encouraged to seek advice from qualified legal counsel or regulatory consultants.