An often-discussed, perceived barrier for companies on the journey to becoming payment facilitators is compliance. It’s the one area that everyone considering a strategic move into payments knows is a requirement but tries to avoid for as long as possible. Even the word compliance sounds cumbersome to some.
But the truth is, compliance is just a grouping of requirements that organizations who have the authority to process transactions need to adhere to for their protection and that of their customers. Earning the right to process hundreds of millions (or billions) of dollars in transactions should come with the responsibility to ensure companies are protecting themselves and those they process payments on behalf of from fraud and questionable practices.
Why We Have Compliance
Many of the policies that are standard today in the financial services industry are directly correlated to the rapid rise of digitization in payments that started in the 1990s. As it became easier to accept payments online at scale, the potential for risk increased proportionally. Card networks realized quickly that network-wide guidelines would need to serve as a protection for consumers and financial institutions from fraudsters eager to take advantage of little to no oversight.
Compliance Requirement #1: PCI-DSS Level 1
Because payment facilitators operate as mini-processors and can process transactions, underwrite sub-merchants, manage disputes, and make payouts on behalf of sub-merchants, they’re required to meet industry compliance standards.
PCI-DSS is an industry abbreviation for Payment Card Industry Data Security Standards. You can see why most people use the abbreviation “PCI compliance”. The levels refer to processing volume where Level 1 equals more than 300,000 transactions and Level 2 refers to a volume of less than 300,000. This set of standards governed by six goals focuses on:
- Network security through firewalls and unique passwords
- Cardholder protection via encrypted data
- Vulnerability management and maintenance
- Implementation of access control measures to restrict data access
- A regular schedule of monitoring and network testing
- Maintenance of a current information security policy
These six goals act as preliminary lines of defense policies against fraud and data breaches that any organization, regardless of size and complexity can succumb to.
Compliance requirement #2: KYC
Part of a thorough compliance program includes customer identity verification, more commonly knowns as KYC or Know Your Customer. Even with improved data security measures and awareness, criminals can pose as people they are not. By taking steps to verify the identity of new merchants during underwriting and onboarding, organizations have a secondary line of defense against illegal practices and can remain compliant.
Collection of standard data on new customers during the customer identification phase of KYC programming includes gathering the following basic information for each new merchant:
- Place and DOB
- ID number
Customer Due Diligence, however, can be a slightly more involved process because there are three levels of due diligence that require varying degrees of involvement.
For merchants who have low-risk profiles or low-value accounts, Basic Customer Due Diligence satisfies this secondary compliance requirement. For higher-risk merchants, say those with political affiliations that could be abused for money laundering, Enhanced Customer Due Diligence requires collection of additional identity verification materials, in some cases to be collected by a third party. To decide whether a potential merchant is high-risk, it’s important to consider customer risk factors like geographic location and the type of business a merchant conducts. Cash-intensive businesses present as high-risk, for example, because of the high potential for money laundering.
Upon completion of Customer Due Diligence, an Ongoing Monitoring program, which provides customer oversight, must be established in accordance with KYC. Organizations can decide the frequency by which they review merchant accounts for things like spikes in activity, unusual cross-border activities, presence of people from sanction lists, and negative media coverage. If irregularities are found during monitoring, it may be necessary to file a Suspicious Activity Report (SAR) to the Financial Crimes Enforcement Network (FinCEN).
Compliance requirement #3: AML Programs
Money Laundering through offshore companies and fraudulent record-keeping remain primary ways that criminals shelter and move illicit funds. Establishing and maintaining an Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) program means adherence to the following four pillars of AML:
- Dedicated personnel and staff: Selecting trusted, internal staff responsible for AML maintenance ensures accurate reporting and expertise.
- Internal controls: Risk assessments should be identified relating to products and services, customers serviced, and operations.
- Training: Merchant customers must determine a timeline for thorough training of new organizational employees.
- Independent Audit: A third-party audit can provide an unbiased report on the risk profile of customers and their associated products.
The benefits of remaining compliant far outweigh any associated costs. All financial services organizations share the responsibility to maintain the highest standards of compliance when conducting transactional business. Keeping sensitive data safe from fraudsters is possible by committing to a robust compliance program.