Expert Perspective: How Scary is Becoming a Payfac, Really?

As the co-CEO of Infinicept and a 25+ year risk and compliance payments veteran, Deana Rich has helped clients evaluate their risk exposure and develop risk management and underwriting programs to combat it. She talks about two primary types of exposure with her Payfac clients, she said.

The first type of exposure is credit risk: is the submerchant operationally viable? Rich gave the example of a submerchant selling custom furniture who takes payment up front. If that submerchant goes out of business before delivering the furniture, the customer will initiate a chargeback for non-delivery. The chargeback liability goes to the Payfac if the submerchant no longer exists.

This type of exposure can and should be evaluated during the underwriting process with a look at financial statements or other indicators of operational health, Rich said.

A second type is fraud risk: is the merchant is who they say they are, and whether are they selling what they say they are selling? While fraud risk is less straightforward to quantify, Payfacs can think about it in terms of probability, she said.

Rich cited the example of a Payfac that doesn’t specialize in any one market and is taking submerchant applications online. That Payfac has a higher probability of encountering identify theft and other fraud risks during underwriting than a Payfac serving a particular vertical, she said.

“There is a higher risk for the horizontal Payfac than there is for a Payfac selling software to doctors’ offices that costs $50,000 to install. If submerchants have to write that check before they can begin processing, there’s not a high risk of identity theft,” Rich said.

Dan Spalinger, Head of Global Advisory Services for Infinicept, agreed that the level of risk depends very much on the Payfac and the types of submerchants they are taking on.

“For Payfacs and software vendors looking to support low-risk industries, such as government entities, utilities, or schools, for example, their risk isn’t necessarily going to be with the financial status of the underlying entities. You wouldn’t be concerned about governments or schools just going away,” Spalinger said.

While risk may vary according to each Payfac’s business model, Melissa Sutherland advises all Payfacs to have a healthy respect for the volume – as well as the savvy – of bad actors looking to infiltrate payments systems. Sutherland is director of industry relations for LegitScript, a solutions provider that helps payments providers and other businesses mitigate risk, in part by vetting merchants and monitoring for transaction laundering.

Sophisticated criminal networks are looking for the easiest path to penetrate the ecosystem, which can mean targeting the least-prepared companies, Sutherland said.

“The volume of questionable actors in this space is underreported and underappreciated from a money movement perspective. The spectrum of people that want to do harm is considerable,” Sutherland continued.

Despite her firsthand knowledge of the criminal activity, she is not warning Payfacs away from the space. Instead, she says that participating in the system must be done wisely.

“Do it with a solid understanding of your constituents’ needs and the problems that you solve for them, partner with compliance companies who act as thought leaders, and surge forward,” she said.

“Don’t underestimate the volume of risk that’s out there. Prepare for it, plan for it, expect it, and deflect it, because you can. There are tools, people, and ways to deflect it,” Sutherland said.

While Rich agrees that Payfacs need to understand that fraud is a factor and they will likely experience some loss, taking on payments may not always be as risky as they think, she said.

“The risk really has to be evaluated based on the type of vertical they are entering,” she said. “You can say no to certain types of verticals, thereby reducing your risk. Sometimes people think the risk is much bigger than it is because they don’t understand the controls.”

Putting those controls into place will be critical, the experts all agreed. They include proper due diligence through KYC procedures on the front end, and transaction monitoring to stay on top of the submerchant activity.

“Know who you’re doing business with,” Rich said. “Make sure you know who they are, what they sell and how they’re selling it. Then, once they’re on board, make sure you monitor them to verify that they’re doing what they said they were going to do.”

Spalinger agreed. “It’s having the controls and monitoring in place so that if something does go wrong and your front-end onboarding processes fail, your back-end transactional risk monitoring processes are sufficient that whatever losses you incur are limited by those checks,” he said.

The first step for any company becoming a Payfacs is to understand their core competencies and what they want to be to their constituents in the marketplace, Sutherland said. Not all Payfacs have to offer everything to everyone.

“Once they have that clearly defined, I think the path to be or not to be a Payfacs becomes a lot less treacherous,” she said.

For companies that decide stepping into the payment facilitation role makes good business sense for them and adds value for their customers, the road to a safe, compliant environment is still very much an individualized process, which needs to be handled with help from those with experience managing risk in the Payfac space, our experts agreed.

“It’s a matter of understanding what you can do and what you can’t do and plugging in the capabilities of other partners in the industry if you can’t build everything in-house yourself,” Spalinger said.

No matter their approach to the problem, companies who take on the Payfac role need to do so with eyes open and risk mitigating infrastructure in place, Sutherland said.

“The core mission always has to be: serve the constituents with great products in a compliant environment,” she said.