What SaaS & Ecommerce Need to Know About Payment Facilitator Regulations
Originally posted on https://revisionlegal.com/saas/payment-facilitator-regulations/
Key regulations control the operation of any payment facilitator (payfac). Since e-commerce and software-as-a-service (SaaS) firms often contract with payfacs, it is important that they understand how these organizations are legally allowed to operate, including the nuts and bolts of the payment processing compliance rules that apply.
Consider the case of Allied Wallet. The payment facilitator and processor, along with three of its corporate officers, was charged with knowingly processing or assisting fraudulent payments for its clients. Allied Wallet and its officers signed a settlement with the Federal Trade Commission (FTC) in May 2019 that amounted to $110 million.
To know that your payfac relationship is completely above-board, first know what a payment facilitator is and the issues related to money transmission. Also take a look at some of the primary regulations payfacs face, such as those from the Financial Crimes Enforcement Network, Office of Foreign Assets Control, and USA PATRIOT Act.
In this article:
- What is a payment facilitator?
- What is the basis of payment facilitator regulations?
- What is money transmission?
- Implications of unlicensed money transmission for a payment facilitator
- How a payment facilitator can be targeted
- Payment facilitator regulations & requirements
What is a payment facilitator?
A payment facilitator is a company that offers an alternative to contracting with a traditional payment organization by assuming responsibility for the flow of funds in a buyer-seller relationship. Key similarities and differences between the operations of a payment facilitator and traditional acquirer are the following:
Payment facilitator:
- Merchant services are provided by the acquirer.
- The payfac accepts and processes payments on behalf of merchants (called submerchants in this context), through a contract with an acquirer.
- A master merchant account is issued to the payfac by the acquirer.
- On behalf of the submerchants, payments (debit, credit, etc.) are accepted through the master merchant account.
- Submerchants receive funds from the credit card holder via direction of the payment facilitator.
Traditional acquirer:
- Merchant services are provided by the acquirer.
- The merchant accepts and processes payments through a contract with an acquirer.
- A merchant account is issued directly to the merchant by the acquirer.
- Payments (debit, credit, etc.) are accepted through the merchant account.
- Merchants receive funds from the credit card holder via direction of the acquirer.
One primary reason that many merchants are choosing to work with payment facilitators is that the payment facilitator possesses and manages the master account, thus assuming substantial risk. Merchants will also choose a payment facilitator due to the simplicity of setting up an account, which typically occurs through a short application and underwriting evaluation.
Profit that a payment facilitator is able to achieve stems from lower costs for transaction processing. Payment facilitators take care of initial underwriting, bear the risks of underwriting, and sometimes facilitate merchant funding. They also handle customer service for their submerchants. In exchange for handling these aspects of the process and for purchasing acquirer services in volume, they are able to secure lower-priced transaction processing.
What is the basis of payment facilitator regulations?
A number of different federal and state regulations have been applicable to electronic payment businesses and their customers since President Jimmy Carter signed the Electronic Fund Transfer Act in 1978.
The type of transaction and applicable amount of risk will determine how broadly an organization is subjected to regulations. There are regulations that control the transaction with the customer, as well as ones that apply to the sending of funds to merchants. When the goods or services that are being purchased are regulated, or when the merchants are in other nations, there are more extensive regulatory concerns.
Some of the chief regulatory governing bodies and concerns will be discussed below.
What is money transmission?
Money transmission occurs when an organization accepts currency, or funds denominated in currency, and transmits the currency, funds, or their value through an electronic funds transfer network, a financial institution, or the Federal Reserve system.
A money transmitter license is required for any money transmission company by the federal government, along with 47 states and the District of Columbia. The US Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) issues the federal licenses. A money transmitter – whether a payment facilitator, third-party payment processor, or other organization – is a type of Money Services Business (MSB) under federal law.
It is necessary to get a money transmitter license as an MSB if a company provides money transfer services (at any level), or if it conducts over $1,000 in transactions with one person on a single day, of the following types:
- Currency exchange or dealing
- Check cashing
- Money orders
- Traveler’s checks.
The requirements for a state money transmitter license differ from one state to another. In fact, the exact definition of money transmission varies between different states.
Minimum net worth, financial statements, and surety bonds are often needed in order for a third-party payment processor or payment facilitator to get licensed as a money transmitter. If a money transmitter operates without a license, it may be ordered to stop operating or could incur hefty fines.
Implications of unlicensed money transmission for a payment facilitator
Providers must figure out if they are conducting money transmission so they can potentially adjust their operations and mitigate risk. Regulatory risks can often be reduced through operational restructuring. Licensed money transmitters can be used as agents in order to access regulatory exemptions. The nature of the transaction flow will ultimately determine what makes sense for an individual provider.
As noted above, money transmission definitions vary state by state. However, money transmission typically involves receiving funds so that they can be transmitted to some other individual or organization. Again, money transmitters must be registered with FinCEN, per the Bank Secrecy Act (BSA). When funds are received from or sent to any company or person within a state, a license is usually required for that state. Typically, money transmission is involved with payment facilitators because the processor or acquirer will send them funds to send on to submerchants.
Payment facilitators may be exempt from regulations if certain parameters are met. When there is a contract with the seller to use a clearance and settlement system that only includes BSA-regulated companies, FinCEN exempts organizations that are facilitating payments for applicable transactions. Usually, contracts between a payment facilitator and submerchants state that the submerchants will send funds for transaction settlements.
When firms act as agents of the submerchants, they may also be exempt from money transmission licensure. The payment facilitator may be exempt in these cases through its provision of services to the submerchants. This state-law exemption is not present in all states, though, and states differ on exactly what is needed to get the exemption.
It is critical for a payment facilitator to know whether they need a money transmitter license since (except for exemptions) it is required by federal law. Plus, state law can expose organizations to possible criminal and civil liability.
How a payment facilitator can be targeted
Independent sales organizations (ISOs), payment processors, and others within the payments industry have been cited by the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC) for letting poorly performing merchants operate through their platforms. In fact, when a merchant is seen as potentially liable for fraudulent activity, an ISO and/or processor are sometimes named as codefendants, along with people at the ISO or processor who assisted with the deceptive processing.
In some cases, the CFPB and FTC have sought a damages award that is equivalent to the full transaction amount of the merchant, subtracting out just the refunds and chargebacks.
Payment facilitators can protect themselves against bad actors by doing the following:
- Working to end any sales of counterfeit products that they see.
- Putting systems into place that monitor the leadership of submerchants; their virtual and physical locations; and their legal names.
- Tracking the returns and chargebacks throughout their whole systems, as well as related to types of submerchants and sales channels. When numbers of returns and chargebacks are high for particular areas, it may make sense to increase risk-monitoring and underwriting for those portions.
It is important for a payment facilitator to take these steps since criminal merchants can take advantage of them through a couple of key tactics:
- Creating a plethora of submerchant identities, so that their entire operation cannot be easily detected – and so that only pieces of it might be shut down.
- Working with payment facilitators that seem to pay less careful attention to signs that deceptive practices could be occurring (such as bad online reviews, elevated returns, and elevated chargebacks).
Payment facilitator regulations & requirements
Different statutes apply to different scenarios. However, we can look at some of the key payment facilitator regulations and other issues that compliance professionals at payment facilitators face. Specific regulatory bodies and payment processing compliance concerns relevant to payfacs include the following:
1099-K’s: merchant tax reporting
To limit the difference between the complete income a person should report to the IRS and the amount they actually report, the IRS introduced Form 1099-K in 2011. Merchants (i.e., submerchants within payment facilitator relationships) must determine if funds are taxable income, with the Form 1099-K merely reporting funds movement.
The IRS requires that every merchant that processes 200 payments totaling $20,000 or more in a given year be issued a Form 1099-K by its payment facilitator, which should also submit a matching form to the tax agency. The complete transaction volume for the year must be listed on the form, along with the merchant’s name, address, and Tax ID.
Financial Crimes Enforcement Network
As indicated above, the Financial Crimes Enforcement Network (FinCEN) of the US Treasury Department is one of the key governing bodies that oversees payment facilitator regulations. The agency requires registration by any money service business (MSB). FinCEN fights financial crime through transaction collection and analysis, as well as through sharing that data.
For any payment facilitator that does have to register (i.e., that is not exempt – see above), it is necessary to take certain actions. When financial crime such as tax evasion or money laundering is suspected, a Suspicious Activity Report (SAR) must be filed with the agency.
As discussed briefly above as well, state registration may also be required for MSBs.
Office of Foreign Assets Control
The Under Secretary for Terrorism and Financial Intelligence, a position within the US Treasury Department, is in charge of the Office of Foreign Assets Control (OFAC). The rules established by OFAC must be followed when organizations conduct financial transactions in order to adhere to payment facilitator regulations.
Of special concern to payment processing compliance is that a payment facilitator has to be sure unlawful activities stated in the rules are not occurring, and that entities with which business cannot be conducted are blacklisted. Procedures must be created and enforced that prohibit such issues. OFAC has a list of specially designated nationals, organizations and people with whom businesses and individuals operating in the US cannot do business.
Bank Secrecy Act & USA PATRIOT Act
Any financial firm in the United States must identify and block any efforts at money laundering, per the Bank Secrecy Act of 1970 (BSA). The BSA mandates that the board of directors of any regulated institution must create an Anti-Money Laundering (AML) program as part of its compliance efforts.
Since the original passage and signing of the bill, there have been a few updates to the BSA. The USA PATRIOT Act of 2001 made the most extensive changes. The PATRIOT Act made it necessary for financial institutions to perform identity verifications for all their customers, as a defense against terrorist funding. Any activity that might be related to terrorism must be reported to the federal government.
Customer Identification Programs (CIP) must be created by payment facilitators and other financial institutions, per the PATRIOT Act. The Know Your Customer (KYC) rules, which control the way that the company receives, stores, and reports customer information, are put into action within the CIP. Terrorist funding, money laundering, financial fraud, and identity theft are all mitigated by the KYC protocols, which also help to achieve BSA compliance. Despite the challenge of payment facilitator regulations, the hope is that they help to prevent the above threats to legitimate financial operations.
PCI responsibilities of payment facilitators
Finally, let’s look at Payment Card Industry (PCI) compliance and how it influences the behavior of software as a service (SaaS) companies. This aspect of payment processing compliance is somewhat interesting in that it is industry-governed. It is of grave concern for e-commerce, and in some ways especially so for payment facilitators, third-party payment processors, and similar firms.
Credit card information security programs are deeply intertwined with the decisions and actions of the PCI Security Standards Council. Representatives of Visa, MasterCard, Discover Financial Services, American Express, and JCB International head the council. The decisions made by the council help to maintain the security and validity of credit and debit payments. The central set of rules under PCI is the Payment Card Industry Data Security Standard (PCI DSS). Any company that sends, processes, or retains cardholder data must meet the requirements of the standard. The card networks and acquirers enforce payment processing compliance, as well as compliance with data transmission and storage stipulations.
Essentially, PCI is about investing appropriately in safeguards across a broad spectrum so that payments – and the information which they contain – can be handled with appropriate care. Service providers such as payment facilitators must meet PCI parameters, and merchants must follow those rules as well. ControlScan VP of Market Strategy Chris Bucolo noted that the need for compliance by all parties means that payfacs have to come at PCI compliance from two different angles. They have to make certain that they themselves are compliant, and they also must be certain that merchants are above-board related to the standards.
Bucolo stated, “It’s very clear that the PCI buck stops at the payment facilitator.”
An organization has to figure out how it might be at risk from a security perspective by conducting assessments of its operations. They have to take action when they see anything that might make card data vulnerable. Finally, they have to submit reports.
As a software-as-a-service example, Bucolo described real estate companies collecting their homeowners’ association payments through software from a SaaS business. In order for the real estate firm to reduce its compliance scope as a submerchant, the software it uses is integrated with a payment facilitator, which manages the collection of fees from the consumers.
The payment facilitator is the one that handles the processes of the app. The submerchant can basically stand behind that technology. Because the app is controlled by the payfac, “[the submerchant] typically should just have a limited number of things to be concerned with,” said Bucolo. In other words, the issues related to payment processing compliance are offloaded to a great degree.
Understanding payment facilitator regulations helps illuminate your own concerns as an e-commerce or SaaS company. While the requirements for payfacs differ greatly from case to case (especially based on their location, but also other parameters), the rules are stringent. There are exemptions in some cases, but when organizations are noncompliant, potential civil and criminal repercussions are substantial.
Knowing what you can about payment processing compliance is helpful, but it will not ultimately protect you from state and federal regulators. Are you concerned about your compliance needs related to your payment facilitator relationship? At Revision Legal, we protect businesses that thrive online, and understand the connections between law, technology, and business.