In the age of the payment facilitator, merchant-vetting practices are taking on an even bigger role.
As the payment-facilitator model develops and finds favor among a new set of companies offering payments services to merchants, it shares one age-old element with traditional merchant services. That is the need to check out merchants to make sure they are authentic and to ensure the risk their transactions generate is appropriately managed.
Adherence to sound know-your-customer (KYC) best practices can yield quantifiable benefits that can help sustain the vitality of a merchant portfolio and perhaps reduce the exposure to regulatory intervention.
While independent sales organizations and acquirers are familiar with KYC and similar fraud-prevention measures like anti-money laundering regulations, many using the payment facilitator model may find it unfamiliar territory.
Payment facilitators, for example, may have clients who sign up submerchants. Not thoroughly knowing merchants and submerchants harbors peril for payment facilitators, and that’s one risk the Electronic Transactions Association hopes to alleviate. The ETA, a Washington-based trade group representing the merchant-acquiring industry (“Triumph And Challenge at the ETA,” July), expects to release a set of underwriting guidelines for payment facilitators soon.
The guidelines will be “a comprehensive document looking at the payment-facilitator model,” says Amy Zirkle, the ETA’s director of industry affairs.
A ‘Toolkit’
According to Visa Inc., a payment facilitator is a third-party agent that may sign a merchant agreement on behalf of an acquirer and receive settlement funds on behalf of a sponsored merchant. Facilitators enable large numbers of small merchants to quickly begin accepting payment cards via an expedited boarding process. The risk is that a merchant may not always be truthful about its history or intent.
Given the increasing interest in the payment-facilitator model and ongoing regulatory attention to the payments industry, the ETA intends to make the new guidelines available in coming weeks, says Zirkle.
The threat of regulation has especially lent urgency to the new guidelines, as regulators have targeted payments companies they see as conduits for fraudulent merchants.
The association updated its independent sales organization underwriting guidelines earlier this year. The payment-facilitator guidelines, as with the ISO guidelines, are being developed with an industry advisory group and consultants, Zirkle says.
The upcoming guidelines will include details about know-your-customer practices and how to ensure that due-diligence techniques are in place to prevent any bad actors from gaining access to a payment network, Zirkle says.
“It will be a toolkit to help those who aren’t as familiar with the payments arena,” Zirkle says, noting that some payment facilitators may be software developers and other organizations without extensive payments backgrounds.
Examples include details about how to conduct background checks, how to look for interrelated companies, and how to verify the true owners of a company, Zirkle says. The guidelines, she notes, are not a replacement for legal or regulatory requirements, or for requirements from the card networks.
A ‘Risk-Based Approach’
Though payment facilitators want to make it easy for merchants to sign up for their services, that doesn’t mean it’s a simple process, says Todd Ablowitz, president of Double Diamond Group LLC, a Centennial, Colo.-based consulting firm that is helping the ETA draw up the guidelines. Regulators have said that payment facilitators must vet their merchants, he says.
“It starts with designing policies and procedures,” Ablowitz says. “That is, having well-thought-out, best-practices-based policies and procedures that thoroughly vet merchants and submerchants using a risk-based approach.”
That approach undoubtedly aligns well with how regulators view the industry, especially in the years following such interventions as Operation Choke Point, an effort driven by the U.S. Department of Justice to remove bad merchants by targeting the payments companies that enable their transactions.
“Operation Choke Point forced everyone in the industry to take a look at their portfolios and who they were signing,” Marcus Smith, senior vice president of risk management at iPayment Holdings Inc., says. These reviews were not just at the macro level, but extended to each merchant.
New York City-based iPayment has used a risk-based approach for some time, Smith says. “Even before know-your-customer rules, we were just doing it from a risk-management perspective to know who we were dealing with,” he says.
Now, with the payment-facilitator model gaining popularity, the merchant-service industry is moving away from a view that might have seen less-qualified merchants placed with a payment facilitator, as was the case when Smith started in the industry.
“Aggregators and payment facilitators are just that now,” he says. “They are facilitating entry into the market for smaller merchants that may not have the ability for all of the fraud tools or a budget for customer screening.”
Getting these merchants connected to, and transacting on, the payments system requires multiple sets of data. In addition to pulling a credit report and checking the terminated-merchant file, which lists merchants with canceled processing accounts, iPayment subscribes to a reputation-tracking service, which scours various Web sites to gauge how Internet users react to a merchant’s online presence.
IPayment collects a screenshot of the merchant’s Web site, too. And a merchant’s social-media posts are a factor, Smith says.
Larger ‘Red Flags’
Know-your-customer protocols have become so important that Troy, Mich.-based North American Bancard added integration with a KYC-specific vendor to its system, says Aliki Liadis-Hall, director of underwriting and compliance.
North American Bancard has a fully automated system that uses a rules-based approach to quarantine applications that do not meet its KYC—and other credit—criteria for approval, Liadis-Hall says.
“All of these enhancements through technology have vastly improved our ability to ensure that everything is caught and reviewed,” says Liadis-Hall, “where with manual processes the possibility of error was a constant concern.”
Most of the data North American Bancard relies on for its KYC inquiries is not subjective, she says, but the company has, at times, used social media and other non-traditional information to assist. “For example, while a Facebook page may not be used as an official site survey … if there are pictures of prohibited items or fraudulent behavior, it will be used to make a decision on an application,” Liadis-Hall says.
Evidence like that might trigger a more thorough review of the merchant application, as would any information that typically is included on the application, she says. “The more the applicant fights the requirements to identify beneficial ownership and validate the information, the larger the red flags become, which only elevates due diligence,” Liadis-Hall says.
For iPayment’s Smith, a trigger would be anything that requires additional verification. “It could be something as simple as a failure to put in the ZIP code,” he says.
‘Looking for Anomalies’
At North American Bancard, the dedication to ferreting out bad merchants extends even to the company’s existing merchant base. This includes a watchful eye for money-laundering practices. NAB created its first anti-money laundering policy three years ago, Liadis-Hall says, and since 2015 has put all new employees through AML training.
“The more each employee knows about how to identify [money laundering] and what to do in cases of suspicion, the better we can not only comply with regulations, but improve the quality of the financial behavior we allow through our systems,” Liadis-Hall says.
Such ongoing merchant monitoring is vital, says Ablowitz. “You’re looking at transactions, looking for anomalies, if chargebacks are too high,” he says. “It does not end with onboarding.”
IPayment also uses a risk-based approach to monitoring merchant activity. “Upon submission of the merchant application, we put the merchant profile in our system,” Smith says. “We bake that into our risk-management system, where we monitor all transactions on an exception-basis based on that profile.”
IPayment uses a portfolio-manage?ment group to monitor current merchants. A corporate name change or a change in the corporate entity, for example, could trigger the underwriting process all over again for a current merchant, Smith says.
Other triggers could include an increase in the average ticket size. “The investigator would look at the merchant’s Web site, look at their processing, and ultimately ask the merchant for an invoice,” Smith says. Upon receipt of that document, it would be shared with the portfolio-management group, which would attempt to document the change, he says. An average ticket increase might happen because of the addition of a higher-value product to the merchant’s inventory.
Having both an onboarding-review process and ongoing monitoring is paramount in a time when regulatory intervention is swift and can be costly.
That means for payment facilitators, and those competing with them, employing sound know-your-customer policies and procedures is a routine part of merchant services today. “The regulators are really like a dog with a bone,” Ablowitz says. “They are going to keep at it. They are only going to get more stringent.”
The counter to wider and more intrusive regulation is for organizations to have defensible, reliable, repeatable standards created by the industry itself—and then to follow them, Ablowitz says.
For payments companies, that means adopting more of a risk-based approach, says iPayment’s Smith. “As regulators start to understand our business, they will arrive at similar conclusions,” he says. “One that that will prevail is knowing your customer’s customer.”