Understanding and Preparing for GARS Reviews
Complying with card network rules (and demonstrating that you are) is a critical part of doing business in payments. Whether you’re an acquirer, a Payfac, or an ISO, you have to have solid processes and procedures in place to proactively guard against risk.
A GARS review is one tool that is used to identify – and resolve – areas in a company’s operations where they’re out of compliance, leaving themselves and the payments system more vulnerable to risk.
What is GARS?
The acronym GARS stands for Global Acquirer Risk Standards. Visa publishes these standards as a supplement to their broader rules. They’re designed to help payments providers understand what they need to do to manage risk and protect the payments ecosystem, and to make sure their operations comply with the network’s requirements. They include a detailed framework for compliance as well as a self-assessment checklist.
Acquirers are required to adhere to GARS, and so are the providers that acquirers sponsor into the payments system – such as Payfacs and ISOs. Visa refers to these companies as third-party agents. Any of these entities could be subject to a GARS review.
GARS covers several areas across a provider’s business and operations, from merchant agreements to underwriting and onboarding, merchant funding and risk monitoring. The standards also provide requirements for how acquirers should manage the risk that comes from working with their third-party agents.
When are GARS reviews conducted?
Visa requires GARS reviews in some cases, but companies can also request a review to assess their own operations.
Visa requires banks to undergo GARS reviews when they are planning to enter the acquiring space and begin sponsoring merchants. It requires a review again for any bank that decides to go a step further and enter the high-risk space. Finally, Visa can require a GARS review at its discretion, for example if it has reason to believe an acquirer or agent is not compliant with the standards.
When Visa requests a review, the assessor will send a copy of the resulting report to Visa, and the company being assessed could be subject to penalties for noncompliance.
At the same time, an acquirer or agent could choose to request a review independently to determine its own state of compliance with GARS. The results of this type of review – which can be referred to as a “fitness review” – would not be reported to the card brand and findings would not result in any type of penalty.
For example, a Payfac could request a review as a proactive step to make sure their processes are “buttoned up.” The review would let that Payfac know where any compliance gaps are and what they need to do to close them.
How do you prepare for GARS reviews?
A company looking to conduct a GARS review – regardless of whether the assessment is a required GARS review or a voluntary fitness review – will contract with a Visa-approved assessor such as Infinicept to review their operations.
Preparation for a review begins with document collection. Entities that are undergoing GARS reviews will need to make sure that all of the documentation related to their policies and practices covered by GARS is complete and readily available.
They will also need to make their compliance staff available for questions from the assessor. They should be prepared to show the assessor their operations and, finally, they should be able to quickly provide any requested information about underwriting, risk monitoring and settlement. Being unable to easily produce information, such as a requested report, is likely to raise concerns.
The assessor might conduct the review on-site, but they can do so remotely as well. Once the assessor completes their review, they will create an initial report. The report will include any issues they identified and actions they recommend for remediating those issues.
Following the initial report (if performed as part of an official GARS review), the business must come up with a plan to resolve the issues and implement it. Then they must operate for 90 days with the resolution in place. The assessor will then be required to test and document whether the issues are successfully resolved before signing off on the completion of the review to Visa.
GARS reviews are an important part of reducing risk within the payments system. They help acquirers and agents make sure they are operating a secure, compliant environment and following industry best practices. Infinicept’s best-in-class team can help you identify gaps and stay compliant with our GARS review services.