Executive Summary. Guidelines on Merchant and ISO Underwriting and Risk Monitoring MARCH 2014 COUNSEL DEVELOPED BY

Transcription

1 TM MARCH 2014 Guidelines on Merchant and ISO Underwriting and Risk Monitoring Executive Summary DEVELOPED BY COUNSEL Venable LLP Jeffrey D. Knowles Ellen Traupman Berge Leonard L. Gordon

2 ELECTRONIC TRANSACTIONS ASSOCIATION Overview The Electronic Transaction Association ( ETA ) Guidelines on Merchant and ISO Underwriting and Risk Monitoring provide guidance to ETA Members in three distinct areas: (1) Merchant Underwriting; (2) Risk Management of Merchant Accounts; and (3) Sponsoring and Monitoring of Independent Sales Organizations ( ISOs ). ETA developed these Guidelines through the participation of a volunteer working group representing thirty-eight ETA member companies led by Deana Rich of Rich Consulting. The working group contributed ideas, real-life examples, and key inputs toward developing the topics covered by the Guidelines and in-depth substance for each subject. The working group considered a variety of laws, regulations, and guidance in drafting the Guidelines, including materials issued by Visa/MasterCard, the Federal Trade Commission, the Federal Communications Commission, the Office of the Comptroller of the Currency ( OCC ), the Federal Deposit Insurance Corporation, the Financial Crimes Enforcement Network, and other agencies and organizations. The Guidelines are not meant as a substitute for any rules or requirements set in place by U.S. laws and regulations, the card networks, acquiring banks, or any other bodies governing the activities of any ETA Member using these Guidelines. Recommendations in these Guidelines are not meant to be exhaustive or required in each instance, but they are meant to assist ETA Members in addressing the risks and concerns identified herein. Each ETA Member should refer to legal or other counsel for complete guidance. General Purpose and Scope of Guidelines As stated in Part I of the Guidelines, the purpose of the Guidelines is to provide ETA Members effective strategies for underwriting merchant risk and mitigating merchant risk in the U.S. card acceptance ecosystem, including risks to consumers posed by merchants who engage in unfair or deceptive acts or practices, and for conducting due diligence and oversight of third parties (including ISOs) that may provide intermediary underwriting and risk management of merchants on behalf of ETA Members. The spirit of the Guidelines is to help ETA Members define their own policies and procedures and make sound decisions as they strive to ensure that they are not providing card acceptance for merchants or ISOs engaged in illegal or fraudulent acts that harm consumers and the payments industry Electronic Transactions Association. All rights reserved.

3 The Guidelines recognize that all ETA Members are different, just as all merchants are different (card present, card-not-present, type of industry, length of time in business, etc.). While the Guidelines use industry practices and norms (as submitted by the working group) to suggest minimum thresholds, each ETA Member must make its own determination about underwriting and risk management best suited to the individual characteristics of its merchant portfolios and business operations. Guidelines for Underwriting Merchant Accounts Part II of the Guidelines provides detailed recommendations and suggestions for drafting underwriting policies and procedures. Briefly put, ETA Members underwriting policies should set forth a statement of intent that explains the Member s goal for underwriting and a list of objectives that will assist the Member in reaching that goal. Policies and procedures for underwriting merchant accounts should include (1) standards for expected underwriting timeframes, (2) criteria that should require escalated approval to a manager or committee, (3) utilization of an exception notation, review, and documentation process that tracks exception requestors, approvals, declines, and the reasons therefor, (4) periodic reporting of requested exceptions, and (5) prohibited and restricted merchants as may be specified by the card brands, sponsoring banks, the ETA Member s own policies, and other factors. An underwriting policy or procedure should also set different underwriting levels for micro, small, medium, large, major, and mobile merchants, with appropriate underwriting recommendations for each type of level, along with considerations for certain types of merchants flagged as high risk or restricted. The Guidelines make specific recommendations for looking at a merchant s prior history, including suggestions for refund and chargeback ratio thresholds that, for some merchants, may flag an issue that needs to be reviewed more deeply. The Guidelines also discuss the use of reserves and clarifies that reserves should only be used as a tool to protect against the credit risk of a merchant. Thus, it is appropriate to take a reserve in circumstances when the merchant displays weak financial condition, but not as a risk mitigation tool for protection when the merchant sells a higher risk product or uses sales methods prone to higher levels of consumer complaints. ETA Members underwriting policies and procedures should contain a section that defines when and how merchants will be reviewed on a periodic basis based on dollar volume and number of transactions processed over a specific time frame. These periodic reviews should work to ensure that merchants businesses have not changed, and to ensure that sales transactions, chargebacks, and refunds are in line with what the processor expected Electronic Transactions Association. All rights reserved. 3

4 The Guidelines also make recommendations for addressing merchant changes, from structural/ organizational changes to changes in business type or products sold, which may prompt further review. ETA Members should establish monthly reporting to management to ensure that an appropriate level of senior oversight of the daily activities within underwriting exists. Such monthly reporting should provide a high-level summary of matters that require management or senior-level attention. Types of reports include portfolio statistics, merchant annual/periodic reviews completed during the month, payment card industry (PCI) compliance statistics, and attrition reports. Part III of the Guidelines suggest practices for merchants that require enhanced due diligence, including higher risk merchants. Sponsoring higher risk merchants may require a more robust and knowledgeable staff that has the more in-depth understanding needed to review the marketing practices and programs of these merchants. The Guidelines discuss increased know your customer reviews to ensure that ETA Members know the principals and beneficial owners of these types of merchants and can identify the legitimacy of the merchants businesses. The Guidelines also recommend a review of such merchants prior processing and financial position, and suggests that ETA Members understand the merchants reasons for changing processors. The Guidelines provide additional review guidelines for specific processing methods, including Internet merchants, telemarketing and mail order merchants (MOTO), merchants engaged in mobile commerce, merchants that use affiliate marketing, and merchants that use negative option marketing programs (e.g., free trial programs and recurring billing programs), among other things. Guidelines for Risk Management of Merchant Accounts Part IV of the Guidelines addresses the risk management of merchant accounts, focusing on the overall activity of merchants, including refund statistics and marketing methods. Merchant risk management practices should seek to indicate when merchant activity should be flagged for review by the ETA Member and should emphasize the importance of examining merchants records. Briefly put, the objectives of merchant risk management are to (1) identify and investigate merchant activity that does not align with an ETA Member s expectations for that merchant; (2) identify and investigate activity that does not align with industry-established averages for general merchant processing and defined verticals; (3) ensure merchant compliance with card schemes; (4) support the identification of suspicious activities; and (5) identify anomalous activity and file reports with the Financial Crimes Enforcement Network, when appropriate. Each ETA Member s policies and procedures for merchant risk practices should clearly set out the Member s expectations for monitoring merchant activity. As noted in the Guidelines, such expec Electronic Transactions Association. All rights reserved.

5 tations should include: (1) ETA Member standards for expected review timeframes and merchant notification; (2) ETA Member standards regarding adverse actions to take during investigations (e.g., when funds should be held, etc.); (3) ETA Member approval authority for funds release or parameter changes; (4) circumstances requiring escalated approval; (5) exception notation format, review, and documentation process; and (6) establishment of periodic reporting of all requested exceptions. The Guidelines recommend that all departments and teams in an organization that focus on preventing financial loss and mitigation of fraud should meet on a regular basis and use clearly defined marketing channels. In addition, the Guidelines lay out suggestions for daily exception monitoring, including using the contents of merchant records to establish system flags to trigger exceptions; setting out merchant risk classification exceptions depending on whether the merchant is micro, mobile, restricted, or monitored; and the issuance and contents of daily exception reports. The Guidelines outline the factors that should be examined when reviewing the daily exception reports, including new merchant exceptions, approved dollar volume exceptions, volume increases/processing spikes exceptions, volume decreases/processing dips exceptions, batch activity exceptions, individual ticket/sale exceptions, foreign activity exceptions, authorization activity exceptions, abnormal transaction timeframe exceptions, merchant changes, refund/credit transaction exceptions, ACH reject exceptions, retrieval request exceptions, chargeback activity, and fraud prevention tool response exceptions. In addition to daily exception monitoring, the Guidelines also recommend the generation of monthly or other periodic reports for critical risk activity, which senior or more experienced risk management staff should review. These monthly/periodic reports should contain information on top processing volume, chargeback volume, and refund volume requests, reports by vertical merchants, restricted business type review, monthly excessive volume exceptions, and merchants with decreasing volume. The Guidelines set forth recommendations relating to chargeback monitoring, investigation procedures, merchant remediation, and merchant reserves as related to risk management. The Guidelines recommend that ETA Members establish monthly management reporting to ensure there is appropriate senior-level oversight of the daily activities within risk management. Types of recommended monthly management reports include: merchant exception monitoring, refund monitoring reporting, chargeback monitoring reporting, card scheme monitoring program merchants, losses, significant terminations, merchant reserve activity, merchant changes on significant accounts, secret shopping summary, and restricted merchant exception activity. Section V of the Guidelines addresses risk management strategies for those merchants that require enhanced due diligence. The Guidelines suggest that ETA Members should engage 2014 Electronic Transactions Association. All rights reserved. 5

6 in reputation monitoring of such merchants and should also engage in secret shopping to verify merchant compliance with card scheme requirements, merchant account conditions, and general consumer satisfaction practices. The Guidelines also recommend cardholder/customer interviews, chargeback monitoring and reporting to card schemes, increased understanding of the merchant s sales processing method, and increased and expanded marketing review. Guidelines for Sponsoring and Monitoring Independent Sales Organizations (ISOs) The ISO portion of the Guidelines (Part VI) is intended to provide strategies for active oversight of ISO portfolio in a manner that provides for earlier detection and mitigation of issues that may present loss exposure or consumer harm due to undesirable or prohibited merchant types or merchant operational, sales, or marketing practices. The guidelines are meant to assist ETA Members in identifying those ISOs (or those seeking sponsorship) who may be poorly managing merchants or facilitating undesirable or prohibited practices. The Guidelines discuss factors ETA Members should use to review ISOs, including information about an ISO s principals, background, financial stability, and method of doing business. The Guidelines also discusses examples of factors to consider and tools to use when reviewing an ISO portfolio and the ISO s business and marketing plans. ETA Members should ensure that ISOs have minimum required policies and procedures, and ETA Members should review and approve all existing or proposed ISO policies and procedures. Such policies may address matters like merchant solicitation, merchant acceptance criteria/credit policy, merchant depositing monitoring standards, etc. The Guidelines recommend that ETA Members have a formal training program in place for new ISOs, and it calls on ETA Members to conduct periodic reviews of ISOs to mirror the original due diligence process and note changes, as well as quarterly statistical reviews of the ISO s merchant portfolio performance. With respect to the monitoring of ISOs and their merchant portfolios, the Guidelines recommend that ETA Members perform some level of oversight over the daily functions of the ISO and monitor overall ISO metrics to help understand when a more intensive review of the ISO is required. It provides examples to illustrate circumstances that may require such review. It also provides examples of shadow monitoring including shadow underwriting, shadow transaction review, and shadow of merchant terminations to ensure the ISO is properly underwriting, monitoring, and terminating merchants. As part of this discussion, the Guidelines suggest that the ETA Member should be able to review files stored by the ISO directly through secure access to the ISO s system or a secure posting of underwriting and other documents Electronic Transactions Association. All rights reserved.

7 The Guidelines recommend monthly reporting on ISO portfolios and identification of monthto-month variations over at least a 6-month period to identify trends. It also provides lists of example reports that the ETA Member could review on an ongoing basis to understand the merchants in the ISO s portfolio, including reports segmented by card present/cardnot-present, retail/moto/ecommerce/mcommerce, MCC code, business type, and other criteria. The Guidelines provide examples of quantitative measures that can be used, on a monthly basis, to monitor ISO activity, including merchant application approval and decline ratios, pending application stats and trends, statistical concentrations of MCC codes assigned, and other factors. It also discusses reviewing processing volume, chargeback volume, and refund volume reports for merchants in the ISO s portfolio. The Guidelines addresses steps the ETA Member should take when it finds that an ISO is not adhering to the ETA Member s requirements, including remediation plans and related milestone assessments. According to the Guidelines, remediation strategies could include on-site audits, portfolio analysis, reduction in underwriting authorities, increased oversight or shadow monitoring of the ISO s underwriting process, and increased risk mitigation requirements for applicable merchants (such as settlement delays and merchant termination requirements). The Guidelines acknowledge termination of an ISO as an extreme measure, but suggest it is appropriate when the ISO is not remediating as agreed through the plan Electronic Transactions Association. All rights reserved. 7