What are payment facilitators responsible for?
Payment facilitators – also known as Payfacs – operate in cooperation with acquiring banks, card networks, and the regulators who oversee the payments system. All of these entities share a responsibility to protect the security and safety of the payments ecosystem, and Payfacs are a unique operating category with their own associated requirements.
Where does Payfac responsibility come from?
The greatest challenge for a Payfac is the level of responsibility it must assume as part of enabling its submerchants to access this system. This includes liability for fraud and chargebacks incurred by its submerchants.
Government regulations laid out by the Bank Secrecy Act and the USA PATRIOT Act require businesses to follow certain practices to avoid facilitating criminal activity, even inadvertently. Together, these regulations form the backbone of anti-money laundering efforts in the U.S., and they govern how payments providers operate. The government regulations are supported by card brand rules that provide direction on Payfacs’ specific roles and responsibilities.
The Payfac must also protect the payments system against data breaches by maintaining a secure environment and ensuring that its submerchants are meeting their security responsibilities. This means that it must be certified as a Level 1 or Level 2 service provider according to the Payment Card Industry (PCI) Data Security Standard – a requirement known broadly as PCI compliance.
Finally, each sponsor has, at minimum, a set of requirements for its Payfacs that follows this legal and regulatory framework and then adds that sponsor’s unique set of requirements. Card brand rules require the sponsor to monitor the Payfac’s compliance with operating rules and regulations and ensure the Payfac’s due diligence when boarding and overseeing submerchants.
On top of the requirements placed on it by other entities, the Payfac may choose to be even more restrictive, for risk mitigation or other business reasons. The best example of this is the list of merchant types the Payfac chooses to serve. Many Payfacs dramatically reduce their risk by serving a single vertical or a few verticals that are inherently low-risk and that they understand extremely well.
What do these rules and regulations require Payfacs to do?
These roles fall primarily into a few categories:
Onboarding. When onboarding submerchants, Payfacs must perform the underwriting needed to verify that their customers are who they say they are, that they are in the business they claim, that they are not listed on the card networks’ Member Alert to Control High Risk Merchants (MATCH), and that they are not sanctioned by the Office of Foreign Assets Control (OFAC) for ties to crime or terrorism. “Know Your Customer” (KYC) practices and OFAC screening are critical for Payfacs.
Transaction monitoring. Once the submerchants are onboarded, the work isn’t over. Payfacs are responsible for implementing systems to monitor their submerchants’ transaction activity, watch for suspicious behavior and report it if needed.
Payouts. Depending on the business arrangement, the Payfac may also be responsible for paying the submerchants and reconciling every day. Many Payfacs seek to control submerchant funding in a bid to better manage that experience.
Payfacs who wish to put themselves into the process must be prepared to take on the risk and compliance aspects of doing so. They must put appropriate processes and procedures, as well as accounting and compliance teams, into place.
This requires Payfacs to not only adhere to banking regulations and comply with card brands and government agencies such as FinCEN, but also abide by state-by-state licensing and regulations, and deal with tax and insurance implications. It also opens the potential of needing to adhere to money transmitter laws.
However, best-in-class sponsors have put together a payout structure to allow Payfacs to more easily comply with their responsibilities. For example, the sponsors often have payout APIs and/or an underlying banking structure to prevent the Payfac from owning the settlement funds, simplifying the process greatly. This is an essential part of the process.
Technology and Tools
While the many responsibilities of a Payfac may appear daunting, especially for a software company that has never owned payments operations, there are many tools that can help. A new class of technology has sprung up to simplify and automate these functions.
Payfacs can leverage a wide variety of payment gateways and tokenization providers that reduce PCI scope and provide rich functionality for almost any vertical focus.
Much like the way payment gateways originally bridged the technology gap between ecommerce merchants and processors starting in the ’90s, a Payfac middleware platform like Infinicept automates operations functions, without requiring the Payfac to spend 12-18 months developing custom tools.
The key components of a Payfac middleware platform include a flexible new account onboarding system that should have a white-labeled submerchant application, instant automated KYC, OFAC, MATCH and underwriting, a dashboard for manual review of exceptions, and provisioning of the processor and the gateway. These platforms must have an effective and compliant transaction monitoring system.
The Payfac also needs a back-office system for performing fee calculation, reporting, funding, chargeback and funding exception management, as well as a user-friendly submerchant portal for communicating all of these activities with the submerchant.