A Payment Facilitator’s Guide to Staying Out of Regulatory Crosshairs

Edward A. Marshall

The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) have increasingly targeted actors in the payments industry—including processors and independent sales organizations (ISOs)—for allowing “bad” merchants into, or to remain in, the payments ecosystem.

Indeed, when regulators identify significant consumer injury resulting from a merchant’s deceptive practices, it is not uncommon for the merchant’s payment processor and/or ISO to be named as a codefendant in an ensuing enforcement action—along with individuals at the processor or ISO who facilitated the merchant’s processing activity.

And the stakes for those defendants could not be higher. Frequently, the FTC and the CFPB will seek to have the merchant’s entire transaction volume—minus only chargebacks and refunds—imposed on the processor or ISO as a damages award.

To date, payment facilitators have largely avoided legal challenges associated with their submerchants’ processing activities. That, of course, is a good thing. Ideally, it reflects the emerging sector’s fidelity to solid underwriting and risk monitoring policies that have kept bad actors away from the payments infrastructure.

But the crushing cost associated with defending against regulatory enforcement actions, and the potentially dire legal consequences of being found liable for a submerchant’s unfair or deceptive practices, counsels in favor of adopting a proactive approach to avoiding regulatory scrutiny. All good things, unfortunately, come to an end.

To do that, payment facilitators need to appreciate that the payment facilitator model will be exploited by bad actors seeking to escape the increasingly arduous underwriting and risk-monitoring policies being adopted at the processor and ISO level. And these bad actors will do that in at least two ways.

First, they will gravitate towards payment facilitators that develop a reputation for employing more relaxed underwriting standards or for being inattentive to warning signs of submerchant fraud (e.g., high chargeback ratios, high returns, and negative online reviews).

And second, they will try to divvy up their processing activity across a multitude of submerchant identities—hoping to keep the totality of their enterprise from being easily identified, all while securing “fallback” processing channels if one or more submerchant accounts are shut down due to suspicious activity.

No underwriting or risk-monitoring system will entirely succeed at preventing those attempts at payment facilitator exploitation. After all, given the relative size of submerchant accounts, it is only rational for payment facilitators’ underwriting and risk monitoring systems to be less robust than those of processors or ISOs (which are evaluating merchants with processing volumes orders of magnitude greater than what payment facilitators are likely to see at the submerchant level).

But there are practical steps a payment facilitator can take to avoid that exploitation, and thus, reduce the risk of regulatory enforcement actions or other legal challenges.

First, payment facilitators can monitor the chargeback ratios and return rates in their entire portfolio, as well as those portions of that portfolio originating from specific sales channels or submerchant types.

If a particular sales channel or submerchant vertical seems to generate consistently higher levels of suspicious chargeback or return activity, then payment facilitators may wish to evaluate enhanced underwriting and risk-monitoring activity in those spaces.

Second, payment facilitators should implement systems to track submerchant identities, principals, and locations (both physical and virtual). Perhaps the greatest risk posed by the payment facilitator model is its vulnerability to having a bad merchant actor disguise its enterprise as a plethora of submerchants.

And, given the aggregate harm that such a “diffused” merchant could inflict on consumers, that risk is arguably the one most likely to invite a regulatory response. Although payment facilitators cannot be expected to ferret out all such schemes, implementing systems that identify multiple submerchants associated with the same principals, websites, or physical locations can be an effective countermeasure against the diffusion of significant merchant fraud across a range of submerchant accounts.

And third, payment facilitators should pay particularly close attention to counterfeit activity. Having submerchants hock counterfeit wares may be unlikely to invite intense FTC or CFPB scrutiny—consumers, after all, will most likely know what they’re getting when designer products are sold by obscure online sellers for a fraction of the retail cost.

But there has been a noteworthy trend in recent months of trademark holders seeking injunctive relief against submerchants selling knockoffs of their products through payment facilitators or online marketplaces. Because the assets freezes issued by the courts can prohibit anyone from transferring funds to the submerchants, they can impose a significant compliance burden on payment facilitators.

And, if payment facilitators find themselves unable to promptly comply with court directives, such actions can threaten the ongoing viability of the payment facilitator’s relationship with its processor.

Edward A. Marshall is a partner at Arnall Golden Gregory LLP, in Atlanta, Georgia, where he co-chairs the firm’s payment systems team. He also serves as a member of the ETA’s Risk, Fraud & Security Committee and co-chairs the payment systems litigation subcommittee of the American Bar Association Section of Litigation.