Electronic Transactions Association Guidelines on Merchant and ISO Underwriting and Risk Monitoring


MARCH 2014

Developed by counsel: Venable LLP (Jeffrey D. Knowles, Ellen Traupman Berge, Leonard L. Gordon)

These Guidelines on Merchant and ISO Underwriting and Risk Monitoring provide tools for the underwriting and risk management of merchants and independent sales organizations (ISOs), as developed by a working group consisting of risk professionals and other personnel from various ETA Member Companies. These Guidelines are not meant as a substitute for any rules or requirements set in place by U.S. laws and regulations, the card networks, acquiring banks, or any other bodies governing the activities of any ETA Member using these Guidelines. Recommendations in these Guidelines are not meant to be required in each instance, but they are meant to assist ETA Members in addressing the risks and concerns identified herein. Each ETA Member should refer to legal or other counsel for complete guidance.

By the Electronic Transactions Association. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the Electronic Transactions Association.

TABLE OF CONTENTS

1. Introduction to the ETA Operational Guidelines
Purpose and Scope of the Guidelines
Objectives of the Guidelines
Special Considerations for the Guidelines
Laws, Regulations and Regulatory Guidelines Considered in these Guidelines
Guidelines for Underwriting Merchant Accounts
Purpose and Scope for Merchant Underwriting Guidelines
Objectives for Merchant Underwriting Guidelines
Special Considerations for Underwriting Guidelines
Business Goal for Merchant Underwriting
Objectives of Merchant Underwriting
Activities that Support Merchant Underwriting Objectives
Merchant Underwriting Policy
Merchant Periodic Review
Merchant Changes
Monthly Management Reporting
Merchants Requiring Enhanced Underwriting Due Diligence
Enhanced Know Your Customer Review
Enhanced Prior Processing Review
Enhanced Financial Review
Enhanced Understanding of Internet Merchants
Enhanced Product Review
Enhanced Review of Certain Marketing Practices
Other Guidelines:
Guidelines for Risk Management of Merchant Accounts
Purpose and Scope for Merchant Risk Management Guidelines
Objectives for Merchant Risk Management Guidelines
Special Considerations for Merchant Risk Management Guidelines
Business Goals for Merchant Risk Management
The Objectives of Merchant Risk Management

4.6. Activities that Support Merchant Risk Management Goals
Merchant Risk Management Policy
Effective Tools and Strategies
Team Communication
Effective Tools and Strategies for Daily Exception Monitoring
Effective Tools and Strategies for Monthly or Periodic Exceptions
Chargeback Monitoring and Investigation Procedure
Effective Tools and Strategies
Effective Tools and Strategies for Investigating Exceptions
Merchant Remediation
Merchant Reserves
Monthly Management Reporting
Effective Tools and Strategies
Risk Management for Merchants Requiring Enhanced Due Diligence
Enhanced Due Diligence Process
Performance Improvement Expectations
Reputation Monitoring
Secret Shopping
Cardholder/Customer Interviews
Chargeback Monitoring and Reporting to Card Schemes
Enhanced Review of the Sales Processing Method
Increased and Expanded Marketing Review
Guidelines for Sponsoring and Monitoring of Independent Sales Organizations (ISOs)
Purpose and Scope of Guidelines for Sponsoring and Monitoring ISOs
Objectives for Guidelines for Sponsoring and Monitoring ISOs
Special Considerations for Sponsoring and Monitoring ISOs
Policy and Procedures for Sponsoring and Monitoring ISOs
Effective Tools and Strategies for Due Diligence of ISOs
ISO Training Program Examples
Periodic Reviews
Effective Tools for Monitoring ISOs and their Merchant Portfolios
Remediation
Conclusion

Exhibit A: Quick Reference Guide to Applicable Laws and Regulations
Exhibit B.1: Sample Processing Summary
Exhibit B.2: Sample Processing Summary
Exhibit C: Sample Basic Website Review Checklist
Exhibit D: Quick Reference Guide to Online Review Resources
Exhibit E: Sample Bank Statement Summary
Exhibit F: Sample Financial Statement Analysis
Exhibit G.1: Sample Exposure Calculation
Exhibit G.2: Sample Exposure Calculation with Financial Analysis
Exhibit G.3: Sample Exposure Calculation
Exhibit G.4: Sample Exposure Calculation
Exhibit H.1: Sample Periodic Merchant Review
Exhibit H.2: Sample Periodic Merchant Review
Exhibit H.3: Sample Periodic Merchant Review
Exhibit I.1: Sample Six Month Trend Report
Exhibit I.2: Sample Six Month Trend Report
Exhibit I.3: Sample Six Month Trend Report
Exhibit J: Quick Reference Guide Website Meta Tag Review
Exhibit K: Sample ISO Score Card

1. Introduction to the ETA Operational Guidelines

1.1. Purpose and Scope of the Guidelines

The purpose of the ETA Guidelines ("Guidelines") is to develop and deliver recommended effective tools for mitigating risk, so that members of the Electronic Transactions Association (ETA) have access to practices that have the potential to effectively mitigate merchant risk in the U.S. card acceptance ecosystem, depending on the particular situation and the ETA Member's circumstances. A working group consisting of risk professionals and other personnel from various ETA Member companies contributed to the development of these Guidelines. While, at a minimum, ETA Members are only required to follow the rules set in place by Card Schemes, applicable laws and regulations and their acquiring bank requirements, these Guidelines provide effective tools for the underwriting and risk management of merchants. They also provide effective tools for the due diligence and oversight of third parties, primarily ISOs, that may provide intermediary underwriting and risk management of merchants for banks and processors. When used as a guideline for your own underwriting and risk monitoring policies and procedures, these Guidelines could help eliminate prohibited and undesirable merchants from entering into or remaining in the card acceptance ecosystem. Above all, ETA Members should strive to ensure that they are not providing payments acceptance for merchants or ISOs that engage in fraudulent acts or practices that harm consumers and, ultimately, the card acceptance ecosystem. While these Guidelines serve as a set of guidelines, tools, and strategies that, through experience and research, have been shown to mitigate risk, the transferability of any of these Guidelines to your organization or their usefulness will depend on your organization's unique structure, acquiring portfolio composition, and existing practices and processes.
These Guidelines are intended to provide benchmarks for underwriting and risk management using suggestions made by members of the working group for practices that have consistently shown more favorable results for risk mitigation. While there are many diverse ways to achieve the objectives set forth in these Guidelines, this document is intended to be agile and evolve as ETA Members make future contributions and determine better processes for risk management. While not designed as a standard or requirement for ETA Members, these Guidelines can serve as a supplementary basis for self-assessment. ETA Members may also utilize other reasonable tools and strategies to address the risks and concerns identified in these Guidelines and to ensure compliance with applicable laws, rules, requirements and regulations. The U.S. card acceptance ecosystem changes rapidly and requires participants to constantly update and improve upon their policies and procedures. Accordingly, these Guidelines are a living document, which will be reviewed and updated by a select group consisting of risk professionals and other personnel from various ETA Member companies. ETA Members should direct comments or suggestions about these Guidelines to Guidelines@electran.org. Recommendations made in this document are intended for U.S.-based merchant oversight. These Guidelines do not represent all risk mitigation practices that are being used or that may be used by ETA Members to effectively manage risk in the U.S. card acceptance ecosystem. Alternative ways to effectively mitigate such risk exist. For example, many ETA members likely have and use their own confidential and proprietary practices and processes to effectively mitigate such risk, and such confidential and proprietary practices and processes may not be reflected in this document. Likewise, it is not possible for these Guidelines to anticipate and answer all questions that may apply to your risk management practices. It is the spirit of these Guidelines, as well as the documented circumstances within them, that will help ETA Members make sound decisions and define their respective policies and procedures.

Objectives of the Guidelines

These Guidelines identify thresholds, based on input from the working group, at which you may consider flagging prospective merchants for more in-depth underwriting and existing merchants or portfolios for review and potential action. While the thresholds may vary as is determined by individually-defined policy, each ETA Member in the card acceptance ecosystem should establish red flags or quantitative thresholds, based on varying parameters, for the underwriting and monitoring of merchant accounts. These flags may differ for card present, card-not-present and other merchant acceptance methods that present various levels of exposure to you or potential consumer harm.
These flags and lines will not always dictate action; however, when you have identified a merchant for review based on the defined policies and thresholds, you should carefully notate the merchant's record or file to reflect the factors considered in the review and the basis for making a decision about, or actions taken with respect to, the merchant as suggested throughout this document.

Special Considerations for the Guidelines

Review of a merchant should take in the totality of circumstances and does not necessarily require application decline or remedial action based on a single issue unless that issue violates a governing standard or your policy. For example, as long as there are not also unacceptable consumer complaints or out-of-market processing statistics for that merchant, you may decide to take no additional or adverse action and document the merchant record accordingly. However, if circumstances such as high chargeback or refund rates are combined with severe issues such as identified consumer deception, then it is recommended that you review the merchant for possible closure. Although the actions taken once a merchant has been flagged will vary by ETA Member, these Guidelines recommend factors and baseline thresholds established by the working group that you should consider. These considerations include determining the point at which a merchant with circumstances that are difficult or impossible to remediate should be terminated. There are also recommendations for the management of merchant reserves and determining when it is more appropriate to close a merchant account rather than mitigate anticipated exposure with reserves and/or require changes in merchant practices or other circumstances that led to the issue under review. It is recognized that there are varying degrees of risks associated with different types of merchants and processing volumes.

Consequently, it is appropriate to apply varying levels of scrutiny to merchants based on the individual circumstances. This may range from basic due diligence for the merchant with an established low-risk profile to a thorough and detailed review for merchants deemed to present greater risks than established by processing volume alone, such as potential issues with the product itself, how the product is marketed, or the delay in the delivery of that product. In addition to requirements for protecting the card acceptance ecosystem and ETA Members from merchant fraud and transaction risk, there are regulatory and legal requirements for identification of merchants and of suspicious activities in order to prevent money laundering and terrorist funding activities. As an example, the USA Patriot Act of 2001 outlines minimum data collection requirements. As such, Merchant Identification and Know Your Customer (KYC) practices should be a priority in underwriting policies and procedures.

Laws, Regulations and Regulatory Guidelines Considered in these Guidelines

A list of references for laws and regulations considered in the formation of these Guidelines has been included as Exhibit A. This list should not be viewed as an exclusive or comprehensive list of all applicable laws, regulations or guidelines that govern each ETA Member using these Guidelines, and you should refer to legal or other counsel for complete guidance. It should be noted that local- or state-level regulations have not been considered for purposes of this document. With respect to higher-risk merchant verticals, Exhibit A includes certain laws, regulations, and consumer protection guidance, but ETA Members that work with these types of merchants should ensure they are aware of any other laws, regulations, and guidance applicable to the circumstances.
Government agencies and private entities that have regulations or guidance that have been taken under consideration in the development of these Guidelines include:

- Visa
- MasterCard
- The Federal Trade Commission (FTC)
- The United States Federal Communications Commission (FCC)
- The Office of the Comptroller of the Currency (OCC)
- The Federal Deposit Insurance Corporation (FDIC)
- The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF)
- The Internal Revenue Service (IRS)
- The United States Department of the Treasury
- The Office of Foreign Assets Control (OFAC)
- The Financial Crimes Enforcement Network (FinCEN)

2. Guidelines for Underwriting Merchant Accounts

2.1. Purpose and Scope for Merchant Underwriting Guidelines

This section is provided as a reference for ETA Members to use in the merchant underwriting process to help analyze the risks associated with a prospective merchant. While ETA Members are only required to comply with Card Schemes or applicable laws and regulations, the recommendations provided may be used to help you evaluate the types and degrees of exposure that different types of merchants present so that you can develop policies to determine whether risks posed by the merchant are acceptable or can be mitigated satisfactorily through conditions or restrictions, or whether the merchant should be declined. In keeping with overarching goals established by consumer protection laws and regulations that prohibit unfair or deceptive merchant marketing practices, these Guidelines for underwriting provide recommendations for greater focus on overall merchant activity, including data points such as chargebacks and refunds, as well as qualitative factors such as merchant advertising and marketing methods.

Objectives for Merchant Underwriting Guidelines

The recommendations provided in this section are not all-inclusive and are presented as a set of examples of effective tools and strategies. These recommendations are meant to highlight indications of when merchant application circumstances may create additional requirements for review and emphasize the importance of noting the merchant record with the determination of that review.

The need to perform increased scrutiny for specified merchant activities need not inherently mean that the merchant or activity presents unacceptable risk of harm to consumers or the ETA Member, or that the account should always be declined; increased scrutiny may simply indicate that the identified activity is outside of the typical parameters for approval of the merchant.

Special Considerations for Underwriting Guidelines

Each ETA Member should establish its own segmented benchmark ratios that would provoke additional review or enhanced due diligence. The metrics suggested in this Section 2, as developed and discussed by the working group, should be considered absent more detailed, systematic statistical benchmarking that may be specified in your policy. Merchant circumstances should be viewed holistically. The existence of a particular merchant's historical metrics at or above a set benchmark should be weighted accordingly, influence the scope and depth of additional review or enhanced due diligence, and ultimately contribute to your decision to maintain or terminate a processing relationship with such merchant. At all times, underwriters should use their best judgment as it relates to the specific merchant and business type. The underwriter may request additional documentation and information or impose restrictions (e.g., processing caps, funding delays, lower chargeback or refund ratio thresholds, reserves, etc.), if necessary, for reasons including, but not limited to: an applicant's creditworthiness, financial condition, business model, or other combination of factors.

However, if circumstances warrant additional due diligence and there are also unacceptable levels of consumer complaints, you should exercise caution. If further investigation reveals that the merchant may be engaging in practices that could be considered unfair, deceptive, or abusive to consumers, that merchant should be declined. Other actions, such as establishment of a merchant reserve, should not dissuade you from declining such merchants. Certain merchant types, sales methods or marketing practices may also require additional due diligence or registration as required by the Card Schemes and regulators. Registration, as well as data security, while not covered in depth in these Guidelines, should also be a focus of merchant underwriting as required by the Card Schemes and as appropriate based on your policies.

Business Goal for Merchant Underwriting

Your Underwriting Policy should have a strong statement of intent that explains your goal for Underwriting. Your policy should also include objectives that are intended to help you achieve that goal, such as a list of MCCs and descriptions of the merchant industries for which you will (or will not) provide service. Special underwriting considerations that are appropriate based on your established business plan and goals should be noted. If your business plan includes providing payment acceptance services for merchants in certain industries, or that are using certain marketing practices to sell products and services to consumers that could present a higher level of risk to consumers and the card acceptance ecosystem, your Underwriting Policy should describe appropriate due diligence considerations. Focused recommendations for common types of merchants that fall into this category will be discussed in Section 3: Merchants Requiring Enhanced Underwriting Due Diligence.

If your Underwriting Policy has been prepared for ISO use, then the policy should clearly outline your minimum requirements and expectations for the ISO's underwriting practices.

Objectives of Merchant Underwriting

The Objectives of Merchant Underwriting are to:

- Determine and validate the identity of the merchant and the business owner(s)
- Determine and validate the type of business
- Ensure the merchant is a bona-fide business
- Determine that the merchant's financial condition is acceptable, according to your policy
- Determine the extent of risk that the merchant may pose; for example, possible fraud, credit, financial, compliance, regulatory, and/or reputational risk

2.6. Activities that Support Merchant Underwriting Objectives

Activities that are recommended in support of your defined merchant underwriting and business objectives may include the following actions, which are described in further detail in this section of the guidelines:

- Determine that the merchant and its principals have acceptable credit and/or bank card processing histories
- Determine and confirm what products and services the merchant is selling
- Determine and confirm how the merchant is selling and distributing its products and services
- Determine if the merchant's background or method of doing business would preclude the merchant from being a customer

2.7. Merchant Underwriting Policy

Merchant Underwriting policies and procedures should support your business goals, defining expectations for the merchant underwriting process. It is recommended to begin with proper and well documented approval authorities and approval exception processes, which could include the following:

Standards for Underwriting Timeframes

ETA Members should establish standards for expected underwriting timeframes that are appropriate based on merchant type, risk classification, and individual ETA Member policy.

Approving Authority Parameters

Designated staff approving authority levels for funds release or parameter changes should include:

- Title and/or position, but not an individual's name
- Specify that approval notation is required on the merchant record

Escalation Requirements

Criteria that could require escalated approval to a manager or committee, such as:

- Dollar volume/number of transactions processed during a specific timeframe
- Exposure during a specific timeframe

Additional criteria needing escalated approval, which could include categories such as:

- Restricted MCC codes
- Restricted merchant types (e.g., merchants the processor has defined as higher risk)
- Restricted marketing method(s) employed (e.g., inbound or outbound telemarketing, online negative option marketing, etc.)

Documentation Requirements

ETA Members should have a designated exception notation format as well as designated review and documentation processes to ensure consistency in underwriting reviews and meeting requirements. Examples of the items which could be included in the process are:

- The name and title of the person requesting the exception (differentiate between sales representative, underwriter, and merchant)
- The reasons for the exception request
- The name and title of the person reviewing the request
- Notation of the exception on the merchant record with the reason for approval or decline

It is recommended to use a standardized form for consistency of documentation.

Periodic Reporting of Exceptions to Policy

It is recommended that a periodic report of all requested exceptions be generated on a monthly basis. Examples of items that may be included in this reporting are listed below:

- Requestor name and title
- Reasons for decline, if applicable
- Exceptions approved
- Reviewing/approving individual, name, and title
- Conditions required for approval

Prohibited Merchants

ETA Members should recognize that certain types of merchants carry more risk than others, or require specialized expertise to monitor activity and control risk. Each ETA Member should incorporate a list of Prohibited Merchants in its Underwriting Policy.

Minimum Prohibited Merchant Requirements

The prohibited merchant list could contain:

- Card Scheme prohibited merchants
- Sponsor Bank prohibited merchants
- Processor prohibited merchants
- ETA Member prohibited merchants
- Illegal transactions, determined by jurisdiction

This list is not meant to be all inclusive.

Prohibited Merchant Recommendations

As defined in your business plan, the prohibited merchant list could also contain:

- Merchant types
- MCCs
- Sales methods
- Marketing methods

Restricted Merchants

ETA Members should recognize that certain types of merchants, while carrying more risk than others, may simply require specialized expertise to monitor activity and control risk. ETA Members should incorporate a list of Restricted Merchants in their Underwriting Policies.

Minimum Restricted Merchant Requirements

The restricted merchant list could contain, by way of example:

- Card Scheme restricted merchants
- Sponsor Bank restricted merchants
- Processor restricted merchants
- ETA Member restricted merchants

Restricted Merchant Recommendations

As defined in your business plan, the restricted merchant list could also include:

- Merchant types
- MCCs
- Sales methods
- Marketing methods

Underwriting Risk Levels

Underwriting Risk Levels should be defined to support an agile approach to underwriting that is adaptable to changing circumstances and constantly reflecting improvement. The underwriting risk levels within policies and procedures should be thoroughly defined based on Card Scheme and your own individual requirements and risk tolerance as best applied to your business plan or established merchant portfolio. The policy should be designed to have increasing levels of due diligence as the exposure increases; the recommendations included in these Guidelines provide examples of such increasing due diligence which should be adjusted in your policy as best fits your individual goals. All exceptions to defined policies should be well documented within the merchant record. Processing risk levels are typically determined by the dollar amount that a merchant will process or the specific type of exposure based on whether or not the card is present, delayed delivery, and other factors the merchant presents within a stated period. These Guidelines recommend a basic, minimum review for all merchants. Increased processing volumes and/or exposure risk levels as defined by your policy should require a more in-depth review, as well as higher approval authority levels. These Guidelines suggest processing level review criteria, which should be adjusted individually by each ETA Member as best fits each category defined by your policy.
No processing should begin until a Merchant Agreement has been properly executed as defined by each ETA Member in accordance with Card Scheme requirements.

Defining Underwriting Risk Levels

Risk Levels Defined by Merchant Demographics

Each ETA Member should establish individual definitions for risk levels as appropriate for the defining characteristics of merchants within the portfolio. Factors that could be taken into consideration when establishing risk levels include:

- Merchant processing volume, card acceptance method, and/or risk exposure: Micro and/or Mobile, Small, Medium, Large, and Major. Please note that although often found in the Micro category, a mobile merchant may process in any category.
- Higher risk merchants requiring enhanced due diligence as defined by product type, MCC, prior performance issues, or other appropriate criteria, as well as those merchants defined as High Risk by the Card Schemes
- Merchants who are approved but deemed in need of monitoring for a period of time, often referred to as Watch List or Monitored Merchants

Risk Levels Defined by Prior Processing Performance

Assign performance-level criteria when prior processing exists that will increase the risk level, and therefore the depth of the review of the merchant, regardless of merchant processing volume or risk exposure. Below is an example of thresholds that could require greater due diligence during the underwriting process. Exhibit B provides examples of summary review for processing statistics. The numbers provided in this section as parameters are based on input from the working group for typical merchant processing performance. Some ETA Members may have concentrations in higher risk merchant types which, although processing in accordance with the ETA Member's expectations and in line with the business type, result in higher ratios than outlined here. In this case, the ETA Member should substitute its own numbers for those provided in the examples below as thresholds to better flag activity that may be cause for concern. It is recommended that a review should also take the number of items into account to determine statistical significance. As an example, one chargeback or refund out of three transactions (33%) should be evaluated based on the circumstances of the chargeback or refund; the merchant should not be declined solely based on the ratio.

If there are mitigating circumstances which previously caused the merchant to perform in excess of the ratios defined as acceptable within your policy that are determined acceptable to you as an exception, based on the totality of the review of the circumstances, such exception should be well documented on the merchant record as previously described.

16 Suggested performance metrics could include: Refund to transaction percentage (%) for both dollar value and item count 4% for retail, card present merchants 8% for card not present merchants or card present future delivery Chargeback to transaction percentage (%) for both dollar value and item count >.05% for retail, card present merchants.30% -.70% for card not present merchants or card present future delivery Underwriting Strategies Using Merchant Risk Levels Micro and/or Mobile Merchants When establishing the criteria for this level it is recommended that you choose a very small processing amount and/or exposure amount for micro and/or mobile merchants based on your risk tolerance. Recommended review criteria for this level include: 1. Obtain a signed application/agreement with all sponsor bank required information a. Should include addresses of both merchant and principal locations b. Should include EIN or SSN as appropriate c. Obtain ABA/DDA for the settlement of funds 2. Obtain a signed personal guarantee when appropriate 3. Perform a MATCH, or similar, negative file check for each Card Scheme as appropriate 4. Perform an OFAC Specially Designated Nationals (SDN) check 5. Authenticate the merchant, through use of third-party resources, credit reports, in-house systems, or manual review as appropriate for business type based on your policy s definition 6. Research the entity to verify that the actual business matches the stated business (If the merchant has a high probability of not 2014 Electronic Transactions Association. All rights reserved. 11

17 Small Merchants processing this may be chosen to be completed after the first transaction is processed or when the merchant becomes classified as a small merchant) 7. Authenticate the merchant s location through use of thirdparty resources, in-house systems or manual review as defined by your policy: All physical locations relevant to the merchant s operations should be validated, such as: Retail Locations Corporate Offices Warehouses Third parties performing critical services should also be validated Fulfillment houses Call Centers Reasonable exceptions should be made as defined in your policy for entities such as universities or government agencies 8. At a minimum, the website review should ensure Card Scheme and individual ETA Member prohibitions do not exist prior to processing; and complete a full website review once processing has begun and the merchant moves to the Small Merchant category. A sample website checklist has been provided as Exhibit C. When establishing the criteria for this level it is recommended that you choose a lower processing amount and/or exposure for small merchants based on your risk tolerance. It is also recommended to define an appropriate average ticket at this level for the business size. For example, merchants processing one transaction per month for $5,000 may need to be assigned a higher risk level than a merchant with a monthly volume of $5,000 and an average ticket of $50. Recommended review criteria for this level include: 1. All items in Micro and/or Mobile process should be reviewed 2. Conduct a review of credit history and set a minimum condition below which the merchant will be declined Electronic Transactions Association. All rights reserved.

3. Complete review of website as required by the Card Schemes
4. Perform a review of the merchant location as appropriate for the merchant type, defined in your policy

Medium Merchants

When establishing the criteria for this level, you should choose a medium processing amount and/or exposure as well as appropriate average ticket size for medium-sized merchants based on your risk tolerance. It is further recommended that if chargebacks are above .30% or a number defined by your policy (determined statistically significant); or credits are not appropriate for the industry, obtain the information required for Large merchant processing. Recommended review criteria for this level include:

1. All items in Small process should be reviewed
2. Should require three (3) months processing statements with acceptable processing history, which is further defined in Section discussion of prior processing evaluation
3. Should gain a better understanding of the merchant business and marketing methods
4. Should review online reputation tools such as social media, complaint forums and public action notices from sources such as those listed in Exhibit D
5. Should obtain the business license or equivalent as required by your policy

Large Merchants

When establishing the criteria for this level, you should choose a larger processing amount and/or exposure as well as appropriate average ticket size for large-sized merchants based on your risk tolerance. Recommended review criteria for this level include:

1. All items in Medium process should be reviewed
2. Equity Firms, Venture Capital Groups or other types of group ownership should be required to disclose individual ownership
3. A Physical Site Survey should be completed, not just an online review, with reasonable exceptions excluded (e.g., major university, large publicly traded companies, etc.)
4. You should conduct a review of the business commercial credit history
5. You should gain a thorough understanding of the merchant business, business practices, product and service offerings, and marketing methods which can often be better understood by reviewing the contract between the merchant and the cardholder, if applicable
6. You should review the most recent business bank statements, number of months determined by your policy, for activity that should be consistent with business and processing volumes
   - Exhibit E has been provided as an example bank summary

Major Merchants

When establishing the criteria for this level, you should choose a processing amount and/or exposure that represents the top processing volumes for your portfolio for major merchants, as well as appropriate average ticket size for major merchants based on your risk tolerance. Frequently, merchants qualifying at this level may be publicly traded entities. Exhibit F has been provided as an example of financial statement summary information to analyze. Recommended review criteria for this level include:

1. All items in Large process should be reviewed
2. You should review two (2) years business tax returns
3. You should review the most recent business financial reports (P&L, Statement of Cash Flows and Balance Sheet), including the most recent year end and current YTD.
4. You should review two (2) years personal tax returns for guarantor(s), if applicable
5. You should review the current balance sheet for guarantor(s), if applicable
6. You should review business plans

Restricted Merchants

Merchants that have been designated as Restricted based on your policy should be reviewed with the criteria one level greater than the merchant's requested processing level. These merchants should also be reviewed using the additional due diligence recommendations for higher risk merchants that are further detailed in Section 3 as appropriate based on the merchant's business type.

Merchant Watch List/Monitored Merchants

It is recommended that each ETA Member's Underwriting Policy include circumstances under which the ETA Member will allow the underwriting department to approve merchants on a conditional (i.e., watched/monitored) basis. When merchants are conditionally approved, it is an effective practice to have a documented process in place for Risk Management, whether manual or systemic, that alerts the monitoring staff when those merchants have processed. This would ensure that whether or not a conditional merchant processes outside of accepted parameters, they will be reviewed.

Merchant Reserves

Reserves are a tool that should be used to protect against the credit and/or financial risk of a merchant. If the merchant's financial condition does not support its business in accordance with your policy, it is a sound practice to obtain reserves in lieu of declining the merchant for weak financials. Absent a weak financial condition, reserves should not be used in lieu of other requirements, including decline of the account, as a means to process for a merchant that sells a higher risk product or uses sales methods prone to higher levels of consumer complaints, both of which may cause consumer harm, chargebacks and subsequent Card Scheme or regulatory fines. While reserves may be used as a risk mitigation tool for protection during establishment of a trusted relationship, a pending investigation, or in an escalating risk situation, they should not be used as long-term protection for any ETA Member in circumstances where material factors exist which indicate the processor should decline the application, or terminate the merchant account, rather than continue to provide service. Reserves are typically calculated and collected based on exposure. Exhibit G contains example reserve calculations.
The weaker the financial condition as defined by your policy, the more likely it is that reserves should be taken up front. Reserves should not be used as a way to accept merchants engaging in acts or practices that are unfair, deceptive, or abusive to consumers. In lieu of accepting the merchant with a reserve, these merchants should be denied the ability to process. Reserves should not be used as a mitigation tool in order to accept a merchant when Card Scheme or Regulatory fines are expected. Unless mitigating factors exist that are approved by your senior management and documented on the merchant record, that merchant should be declined during the underwriting process or closed if currently processing.

2.8 Merchant Periodic Review

Each ETA Member's Underwriting Policy should contain a section that defines the types of merchants that should be subject to periodic review (e.g., large and major merchants as defined by your individual policy, or merchants that otherwise pose certain levels of exposure to your portfolio). The Underwriting Policy should also specify when and how merchants will be reviewed on a periodic basis. The policy should define periodic review timeframes for merchants based on dollar volume and number of transactions processed or exposure over a specific timeframe. When performing the periodic review, each ETA Member should obtain updated documents commensurate with the merchant's processing level.

Periodic Review Effective Tools and Strategies

Each ETA Member's policy should at minimum reflect review requirements established by the Card Schemes and is recommended to include the following:

1. You should obtain updated financial information when appropriate
2. You should ensure no changes have been made to the approved sales method or product
3. You should follow approval criteria set forth in the appropriate section of the underwriting policy
4. Reputation reviews of the business and principals should be completed, which may include online forum research
5. You should use a standard form to ensure consistency (Exhibit H has been provided as an example)
6. You should review current processing, as applicable, to ensure merchant is in good standing

Periodic Review of Processing Performance

Each ETA Member should indicate, in its policy, performance thresholds at which merchants should be flagged for review or assigned to an increased risk level. It is advisable to identify a merchant trending with issues prior to that merchant reaching the Card Scheme defined violation thresholds. An example of trend reporting has been provided in Exhibit I. The specific ratios provided in the subsections below are examples.

Six (6) Month Trending Review

A Six (6) Month Trending Report should be generated, including the transaction numbers and dollars for sales, chargebacks, and refunds as well as any other information you deem pertinent to the performance of the merchant.

- Sales should be consistent (similar from month to month or show appropriate growth with no spikes unless seasonal or documented as approved on the merchant record)
- You should investigate a spike or drop in sales

Six (6) Months Chargeback Activity Review

The last six (6) months chargeback activity should be broken out by month to compare performance month to month. Each ETA Member should define thresholds requiring escalated review or action taken based on ratios of chargeback count and amount compared to transactions processed each month. Examples of ratios of the number of chargebacks to the number of sales that could require escalated review are:

- While it is ideal for a merchant to have a ratio less than 30 basis points (BPS), a merchant with a ratio of greater than 70 BPS is a higher risk merchant and should require enhanced due diligence
- If total number of chargebacks is below 25 transactions, a higher ratio may not be as alarming, but should be investigated when above 2.5%
- You should review any related MIDs that assessed cumulatively might result in violation of your policy
- Gamer sites, digital goods, online clothing sales, entertainment, etc. may have chargeback ratios that are higher than other merchant types; therefore, acceptable levels should be determined within your policy

Six (6) Months Refund Activity Review

The last six (6) months refund history should be broken out by month to compare performance month to month. Each ETA Member should define thresholds requiring escalated review or action taken based on ratios of refund count and amount compared to transactions processed each month. Examples of ratios of the number of refunds to the number of sales that could require escalated review are:

- For card not present or future delivery merchants: a refund ratio of < 5% and/or > 10%, may require increased review (The typical refund range for a higher due diligence merchant is generally between 5 and 10 percent.)
- Digital goods should have a refund ratio closer to 10%
- Card present should be <4%
- Credits on special order products may be an indicator of product issues
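The example ratios from the six-month chargeback and refund reviews above, applied month by month to transaction counts. This is an added illustration, not part of the ETA guidelines; the flag names, the per-month use of the 25-chargeback floor, the "watch" band between 30 and 70 BPS, the handling of months with no sales, and the sample figures are assumptions.

```python
from dataclasses import dataclass

# Example ratios quoted in the six-month reviews above; each member sets its own.
CB_IDEAL_BPS = 30          # a ratio under 30 BPS is described as ideal
CB_HIGH_BPS = 70           # above 70 BPS: higher risk, enhanced due diligence
CB_SMALL_COUNT = 25        # under 25 chargebacks a higher ratio is less alarming...
CB_SMALL_COUNT_PCT = 2.5   # ...but is investigated when above 2.5%
REFUND_CNP_BAND = (5.0, 10.0)  # card not present / future delivery: typical 5-10%
REFUND_CP_MAX = 4.0            # card present refunds should be under 4%


@dataclass
class Month:
    label: str
    sales: int        # number of sales transactions
    chargebacks: int  # number of chargebacks
    refunds: int      # number of refunds


def chargeback_flag(m: Month) -> str:
    """Classify one month's chargeback-count to sales-count ratio."""
    if m.sales == 0:
        # Assumption: chargebacks with no sales have no ratio, so surface them.
        return "investigate" if m.chargebacks else "ok"
    bps = m.chargebacks / m.sales * 10_000
    if m.chargebacks < CB_SMALL_COUNT:
        # Assumption: the 25-chargeback floor is applied to each month.
        return "investigate" if bps > CB_SMALL_COUNT_PCT * 100 else "ok"
    if bps > CB_HIGH_BPS:
        return "enhanced-due-diligence"
    # Assumption: ratios from 30 to 70 BPS are reported as "watch".
    return "watch" if bps >= CB_IDEAL_BPS else "ok"


def refund_flag(m: Month, card_present: bool) -> str:
    """Classify one month's refund-count to sales-count ratio."""
    if m.sales == 0:
        return "review" if m.refunds else "ok"
    pct = m.refunds / m.sales * 100
    if card_present:
        return "review" if pct >= REFUND_CP_MAX else "ok"
    low, high = REFUND_CNP_BAND
    # Both unusually low and unusually high refund ratios are flagged.
    return "review" if pct < low or pct > high else "ok"


def six_month_report(months, card_present=False):
    """Return (label, chargeback flag, refund flag) for the last six months."""
    return [(m.label, chargeback_flag(m), refund_flag(m, card_present))
            for m in months[-6:]]


def needs_escalation(report) -> bool:
    """True when any month in the report carries a flag other than 'ok'."""
    return any(cb != "ok" or rf != "ok" for _, cb, rf in report)


# Constructed sample data for a card not present merchant (not real figures).
SAMPLE_CNP = [
    Month("month-1", sales=4000, chargebacks=10, refunds=280),
    Month("month-2", sales=4200, chargebacks=20, refunds=300),
    Month("month-3", sales=5000, chargebacks=30, refunds=350),
    Month("month-4", sales=5000, chargebacks=40, refunds=600),
    Month("month-5", sales=400, chargebacks=12, refunds=10),
    Month("month-6", sales=0, chargebacks=5, refunds=0),
]

if __name__ == "__main__":
    for row in six_month_report(SAMPLE_CNP):
        print(*row, sep="\t")
```

Month 5 shows why the small-count rule matters: 12 chargebacks would be ignored on count alone, but against 400 sales the ratio is 3% and is flagged.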

2.9 Merchant Changes

Changes to account information or organizational structure for merchants should be reviewed to ensure changes are made in accordance with your policy, do not present additional risk exposure beyond what is acceptable to you, and do not require additional due diligence or have Card Scheme registration requirements that are beyond your defined policy. Each ETA Member's policy should outline merchant changes that may pose additional risk and contain procedures to be followed. Examples of changes that may prompt review include:

- Merchant DBA changes
- Ownership changes
- Any descriptor changes
- Changes to business type or product offerings
- Any phone number changes
- Website changes
- DDA changes
- Address changes
- Multiple address changes within a short period of time

Reviews may be prompted by single, multiple or combined instances within assigned timeframes as defined by your policy.

Monthly Management Reporting

The establishment of monthly management reporting is important to ensure that there is appropriate senior level oversight of the day-to-day activities within the underwriting department. Monthly reporting should provide a high-level summary regarding activity deemed to warrant management and/or senior-level attention, as based on each ETA Member's individual policy. ETA Members with large portfolios may wish to create separate levels of reporting requirements for respective management levels. It is recommended that, at a minimum, senior management should review reporting that is required to be presented up to the next level within the organization.

Section discusses the detail of the reporting that is recommended for ETA Members who sponsor ISOs (Sponsored ISOs, sub-ISOs and agents when applicable will be jointly referred to as ISOs). The report types provided in Section for Portfolio Statistics are meant to represent typical management summary reporting available in the industry for your reference. Each ETA Member will determine what types of reporting are appropriate for individual use.

3. Merchants Requiring Enhanced Underwriting Due Diligence

Certain types of merchants could require enhanced due diligence in addition to the strategies previously outlined for general merchant underwriting and in addition to the minimum requirements established by applicable laws and regulations and Card Schemes. Sponsoring these types of merchants often comes with additional due diligence requirements, monitoring, and staffing responsibilities, regardless of the processing level. Higher risk merchants are labor intensive, often requiring manual oversight by staff. Some higher risk merchant types have additional mandatory registration requirements with the Card Schemes. (Please note that registration is outside the scope of this document. To determine all circumstances when a merchant should be registered with the Card Schemes, please refer to the Card Scheme rules.)

Sponsoring higher risk merchants typically requires a more robust and knowledgeable staff. It is best to have a staff that is experienced in card not present processing and has tenure in the industry. Underwriting departments should have teams that specialize in card not present and other higher risk merchant types. This same staff should have a more in-depth understanding of how to review websites, telemarketing scripts, higher risk marketing practices (e.g., negative option marketing), and other aspects of many higher risk merchants.

Higher risk merchants also carry a higher probability of reputational risk. In some cases, there is a higher risk to the reputation of the card acceptance ecosystem for all players on the acquiring side as well as the cardholder. Due to this increased risk, this section describes enhanced diligence that should be taken when determining whether these higher risk merchants are acceptable to you.

If the merchant type is deemed to be higher risk (by the Card Schemes or your individual policy), the extra steps listed below could be taken. In all cases where a higher risk merchant is considered for approval, direct conversation with the merchant is the effective strategy when performing the additional due diligence recommended in this section.

3.1 Enhanced Know Your Customer Review

Know the Principals

- Owner/Principal Demographics
  - Ensure the merchant owner demographics make sense according to the merchant and industry type
- Background Checks
  - Background checks should be completed for owners of higher volume merchants or when ambiguous information is found

- A legal review should be completed for High Risk accounts that could include the following:
  - Lawsuits the merchant has filed, as well as lawsuits that have been filed against the merchant or its principals
  - Federal or state law enforcement actions initiated against the merchant or its principals (including, without limitation, Federal Trade Commission or state attorney general actions)
  - Complaints records filed with the Better Business Bureau, online complaint boards, and other such complaint repositories
- Social Media and other online reputation investigation should be used as a tool for research
  - Understand the circumstances outlined in all blogs, complaints, etc.
  - Review positive information as well to ensure the source of any negative information appears reputable and not an attempt to discredit the merchant
- Perform public records searches

Beneficial Owners

Additional care should be taken to ensure that beneficial, or red herring, owners are not being used in an attempt to camouflage the actual owners when setting up merchant accounts. Beneficial owners may be used in an attempt to conceal owners who may have been previously listed on MATCH or are under current scrutiny by regulatory or law enforcement agencies. Some types of beneficial owners include family members or other group affiliations (i.e. church, charity, school, etc.). When using online tools to search for linking information, the questions you could ask are listed below:

- Are they related?
- Do they live in the same area?
- Do they belong to similar organizations or attend the same school?
- Are they linked on social websites such as Facebook or LinkedIn?

Perform searches on:

- Customer service numbers
- Contact phone number
- Cell phone number
- Fax number that is sending the application if hard copy
- Contact person name
- All owner names & business names
- Addresses (business & personal)
- Email address & domain of email if unique (i.e., not Yahoo, etc.)
- IP addresses, Footprint, Device ID

3.1.2 Identify the Business

Ensure the Legitimacy of the Business

- Search all phone numbers online
- Check if affiliated with other businesses
- A physical Site Survey should be conducted on High Risk merchants
  - If social media and other online research tools are used in lieu of the physical Site Survey the merchant record should be well documented
  - Online mapping (e.g., Google Maps) or satellite views should clearly show the business
  - blackbookonlineinfo.org or other online resources can be used for further research
- An appropriate Site Survey or business verification should be conducted on third-party vendors performing critical operational services for the merchant, including but not limited to:
  - Fulfillment houses
  - Sales call centers
  - Customer service call centers

3.2 Enhanced Prior Processing Review

Reason for Processor Change

Understand why the merchant is switching and ensure the explanation can be supported. For example, if high fees are the reason given, ensure the fees on the application are actually less than the previous ETA Member's; or, if the merchant has been placed on MATCH or another Card Scheme maintained negative database, understand why.

Prior Processing Statistics

Prior processing statistics should be reviewed as defined in Section

3.3 Enhanced Financial Review

As the exposure presented by a merchant increases, it becomes necessary to review the merchant to ensure it has a strong credit and financial condition. Financial reports should be reviewed as discussed further in Section to ensure they are adequate for the merchant's industry. Parameters such as, but not limited to, the quick ratio, acid test ratio, and defensive interval should be reviewed to ensure they are consistent with the industry type.

3.4 Enhanced Understanding of Internet Merchants

E-Commerce Review

A website review checklist has been included as Exhibit C.

- General website review:
  - Goods and services should be consistent with application
  - Business address and phone number should match the application
  - Currency should be in US dollars
  - All URLs associated with the business should be reviewed
  - The country of record should be listed
  - The Card Scheme logos should be properly displayed
- Billing Terms:
  - You should review for negative option marketing
  - You should ensure that the billing terms are accurately and completely displayed in a clear and conspicuous manner before consumers confirm the purchase
  - There should be no pre-checked products or services
  - All products and services billing terms should be explicitly agreed to by the consumer (e.g., nothing should be hidden in inconspicuous fine print)
  - Checkbox/acceptance of offer terms and conditions should not be pre-checked
  - You should review for secure check out page
- Delivery method

  - You should require notification of material changes and monitor delivery times on larger merchants through methods such as Secret Shopping (discussed in Section 5.4)
- Cancellation/Return/Refund policies
  - You should ensure cancellation, return, and refund policies are clearly explained
  - You should ensure business names and contact information listed matches the application information
- Customer Service/Contact Information
  - Should be clearly and conspicuously displayed
  - You should verify that phone numbers are in service and answered appropriately
    - The representative should answer in a timely manner
    - The business identified should be the appropriate business
- You should look for hidden web page content that may indicate the website is used for another purpose than indicated:
  - You should review all links for compliance with underwriting guidelines
  - You should examine empty space for hidden links/content (hover the mouse over empty spaces)
  - You should review meta tags as shown in Exhibit J
- You should review website Who-Is or similar registration and Alexa data
  - Non-US registrations should require increased scrutiny or due diligence
  - It is a recommended practice to require the merchant to publicize nonpublic website registration information

Mobile Commerce/mWebsite Review

Regardless of the screen size or character limitations, mobile websites should be reviewed under the same principles as non-mobile websites, described above, as all requirements for clearly explaining offer and billing terms, etc. are the same. The merchant should account for screen size or other limitations when presenting offer terms or other disclosures.

3.5 Enhanced Product Review

The product being sold is a key component to review of the merchant. Priority should be given to making sure that merchants are truthfully explaining the product. All merchants should adhere to laws prohibiting unfair, deceptive, or abusive acts or practices (UDAAP) when describing the products they sell. Some products have more strict regulation than others, requiring adherence to laws such as the Telemarketing Sales Rule, the Mail or Telephone Order Merchandise Trade Regulation Rule, and/or the Restore Online Shoppers' Confidence Act. In addition, certain product types also have rules governing how they are marketed, including the Business Opportunity Rule.

Product Pricing

- The product pricing should be in line with the reasonable value of the product based on a review of competitor offerings (e.g., a Gucci purse offered for sale for $100 is clearly incorrect and may indicate fraud).
- Claims of "free" should truly be free with no hidden shipping charges or other fees, in accordance with the Federal Trade Commission's Guide Concerning Use of the Word "Free" and Similar Terms.
- Savings claims should be legitimate, substantiated, and realized by the consumer in a reasonable timeframe

Consumer Dissatisfaction Risks

- The marketing should make sense for the intended target consumer
- It should be determined whether the product type inherently has a higher risk of consumer dissatisfaction
- Online searches of the business, all principals, and product names should be initially and continually performed
  - Searches should include review for negative publicity
  - Searches should include keywords such as "scam" or "sucks"

Potential for Consumer Deceptive Practices

Each ETA Member should review product and service offerings to assess the potential risk of unfair, deceptive, or abusive acts and practices defined unlawful by the FTC and UDAAP laws and should engage legal counsel as needed to assess these potential risks.

Membership/Continuity/Multi-Pay Offers

- Each ETA Member should ensure the terms of the sale are clearly defined
- Cross sells should be clearly identified and should be presented concurrently with the original sale
- Upsells presented after the primary offer is accepted should be clearly identified and require direct consumer action to purchase
- All cross sells and upsells should be separately agreed to by the cardholder

3.6 Enhanced Review of Certain Marketing Practices

Marketing is a key component to the understanding a consumer has of the product or service the merchant presented for purchase. Priority should be given to making sure that merchants are not using sales tactics that could be considered unfair, deceptive, or abusive acts and practices. All merchants should adhere to UDAAP laws. Some types of marketing have more strict regulation than others, requiring adherence to laws such as the Telemarketing Sales Rule, the Mail or Telephone Order Merchandise Trade Regulation Rule, and/or the Restore Online Shoppers' Confidence Act.

- You should identify how the merchant markets
- If the product type or merchant type necessitates (i.e., the product or merchant poses a higher risk due to the processing methods or product type), you may seek an attestation or legal opinion letter stating that the merchant is following applicable laws; or have an attorney (of your choosing, if applicable) review the merchant's practices. However, if you obtain an attestation or legal opinion from the merchant, it should not be used in lieu of the proper diligence described throughout this document and more specifically identified in this Section 3.

Some examples of merchant practices that may merit attestation include, but are not limited to:

- Gambling
- Tobacco sales
- Pharmaceutical sales
- Nutraceuticals sales
- Payday Lending

Negative Option Marketing

The Underwriting Policy should address when it is acceptable to approve a merchant using negative option marketing. Negative option marketing includes any marketing where the consumer's silence or failure to affirmatively act is treated by the merchant as acceptance of an offer. Common types of negative option marketing include free trial offers, continuity programs, and subscription plans. Merchants that use this marketing method do pose a greater risk of harm to the consumer and therefore the card acceptance ecosystem and as a result should be scrutinized more diligently during the underwriting process. Each ETA Member should consider the following recommended practices if accepting merchants using negative option marketing:

- Free and/or low-cost trials
  - Should be a minimum number of days
    - The minimum number should be long enough to allow for the product to be shipped and used

    - For example, 10 days is recommended as a minimum trial for digital goods; 14 days is recommended as a minimum for tangible goods
  - Should begin after the product has been shipped
  - Shipping and handling should not be billed as a separate transaction from the product/service
  - Low-cost trial periods with deferred billing and/or shipping-only costs pose a higher risk and should be closely monitored
- Undisclosed recurring charges should not be allowed (the terms and conditions should be read to fully understand all fees, and recurring and other charges, as none should exist in the terms and conditions that are not clearly defined on the website as understood by the cardholder at the time of purchase)
- Opt-in options for additional products or enrollment in continuity should not have a pre-filled checkbox
- Any marketing or claims that could be considered deceptive, exaggerated, or unsupported should not be permitted. Legal counsel should be consulted when determining whether marketing or claims qualify as deceptive, exaggerated, or unsupported. A non-exhaustive list of examples is below.
  - Too good to be true product
  - Unreasonable guarantees
  - Celebrity endorsements (should have proof of endorsement)
  - False sense of urgency
  - Fake blogs or articles
  - News stories (It is an effective strategy to search the name of a periodical or a news media entity mentioned to ensure it is real)
  - Testimonials (should have proof of occurrence)
  - Health claims (should have substantiation such as clinical trials)
    - A third-party vendor should be used to provide substantiation if the product is a pharmaceutical or nutraceutical
- Back-end Offers, Up-sells or Cross-sells
  - Should not allow third-party data pass
  - Should ensure the descriptor is easy to understand from the cardholder's vantage point
- ETA Members should recommend that merchants use technology such as gateways and/or customer relationship management software (CRMs) that allow for merchant-defined fields to be assigned to the transaction to provide more data to assess performance of specific offers, affiliates, and/or other marketers. A non-exhaustive list of suggestions is below.

  - Assign SKUs to specific product offers
  - Track phone numbers to gauge sales/customer service performance
  - Track source websites generating traffic

Affiliate/Affiliate Network Marketing

Affiliate marketing is a commonly used type of performance-based marketing for Internet merchants. In this model, merchants pay Affiliates (sometimes also referred to as "Publishers") for website traffic or sales generated by the Affiliate's own marketing efforts. Some merchants contract directly with individual Affiliates, while others contract with Affiliate Networks that manage groups of Affiliates working within the network. In the latter model, Affiliate Networks are responsible for compensating the individual Affiliates. Affiliates often use a variety of online and other advertising methods, including text messaging, email, banner ads, search engine optimization (SEO), content marketing, and publishing of links on a blog or website owned by the affiliate. In some cases Affiliates publish reviews of the product they are marketing with links for purchasing.

If a merchant accepts or uses Affiliate Marketing Programs, you should understand how the merchant selects its Affiliates, the types of marketing activities that the merchant allows its Affiliates to conduct, and whether and how the merchant monitors Affiliate marketing activities. Examples of some practices you might review with the merchant include the following:

- What specific steps does the merchant take to review the background and business practices of direct Affiliates?
- What contractual requirements or other controls does the Affiliate or Affiliate Network place on sub-affiliates?
- Does the merchant provide content for distribution by the Affiliate, or does it allow the Affiliate to create content? If the latter, does the merchant review Affiliate content before it is used?
- Does the merchant take steps to monitor Affiliate activity, such as by seeding marketing lists or using a web crawler service?
- Does the merchant have the right to terminate specific affiliates suspected or found to be engaging in unfair or deceptive marketing practices?

Affiliate marketing activity may impact processing metrics. You should recommend that the merchant use technology such as gateways and/or customer relationship management tools (CRMs) that can assign data points to transactions to help in monitoring Affiliate performance. If possible, the ETA Member should also recommend that the merchant monitor Affiliate traffic based on:

- Throughput/Volume
- Chargebacks
- Returns
- IP Address Tracking

Telemarketing, including Mail Order/Telephone Order (MOTO)

For merchants engaged in sales via telemarketing, you should review the merchant's policies and procedures for compliance with the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA), and other applicable laws and regulations. The following guidelines or other reasonable strategies identified by the ETA Member to address telemarketing and/or MOTO risks are recommended when underwriting any merchant engaged in telemarketing:

- You should review and understand all scripts to be used by sales reps
- You should review and understand all upsell scripts, if applicable
- You should review whether the merchant uses third-party verification of sales (by a person other than the sales representative)
  - It is an effective tool for the verifier to ask if sales agent promised anything to the consumer that was not spoken of during the verification call
- You should be aware of specific requirements in the TSR or the TCPA applicable to certain types of merchants (e.g., merchants engaged in sales of debt relief products or services, or merchants that make outbound calls using a prerecorded voice message (i.e., "robocalling"))
- It is a recommended practice to know and confirm the identities and reputation of third-party vendors providing services integral to the merchant's telemarketing business, such as:
  - Customer service
  - Fulfillment houses
  - Return Processing

3.7 Other Guidelines:

There are other effective tools and strategies that do not fit into the categories listed above; however, they should be followed. They are listed below in no particular order.

- You should know discount and other fees charged and should ensure consistency with industry/type
  - Out-of-market fees charged to and accepted by a merchant may be an indicator of a High Risk merchant and should be investigated

- Merchants operating in known high risk areas such as Utah; Las Vegas, NV; Brooklyn, NY; Dade and Broward counties, FL; and others that may be identified by the ETA Member should be reviewed with greater due diligence
- You should monitor law enforcement activity and industry publications for trends and/or patterns in higher risk merchant activity. Examples include but are not limited to:
   - FTC Press Releases (individuals & Business Entities)
   - MAC Alerts (individuals & Business Entities)
   - Attorney General Cases
   - Better Business Bureau alerts
- The ETA Member should maintain an internal negative database (sources outside of MATCH or other Card Scheme-maintained negative databases) that may be searched by many different fields.

4. Guidelines for Risk Management of Merchant Accounts

4.1. Purpose and Scope for Merchant Risk Management Guidelines

While ETA Members are only required to comply with Card Schemes and applicable laws and regulations, proper management of a merchant portfolio necessitates a strong focus on identifying and mitigating merchant activities deemed to pose risks and determining the nature and extent of the exposure that a risk presents. The following pages are guidelines to be used in the risk management of merchant portfolios.

While traditionally the monitoring of daily processing statistics and chargeback activity has been accepted within the processing industry as the primary identification method for potential merchant fraud or unsatisfactory account performance, there is now a heightened regulatory focus on refunds issued as an additional measure of merchant performance and, consequently, consumer satisfaction. In keeping with overarching goals established as a result of regulations such as the Telemarketing Sales Rule (TSR) and the Unfair, Deceptive or Abusive Acts or Practices (UDAAP) provisions of the Dodd-Frank Act to ensure that merchants are fair and reasonable when dealing with consumers, these Guidelines for risk management provide recommendations for greater focus on overall merchant processing activity, including refund statistics, marketing methods and other potential indicators of consumer issues.

Internal and external resources should provide reports on a daily basis that identify potential risks and/or fraud. In order to maintain a viable processing relationship, merchants should be questioned regarding exceptions to normal or expected transaction activity.

Objectives for Merchant Risk Management Guidelines

The parameters provided in this section are not all inclusive and are presented as examples. These parameters are meant to serve as an indication of when merchant activity is recommended to be flagged for review by an ETA Member and emphasize the importance of noting the merchant record with the determination of that review. Flags for specified activity do not inherently mean that the merchant or the flagged event is bad or that the actions listed should be taken on the account; flags simply indicate that the identified activity is outside of the approved or typical parameters for the merchant, or otherwise indicate there is potential for a larger issue.

Special Considerations for Merchant Risk Management Guidelines

It is particularly important to view merchant performance holistically and not focus on single exceptions. While you may be comfortable with one exception occurrence for a merchant, when that isolated event is viewed along with all other exception occurrences, higher risk marketing methods, negative indicators from Internet research, or other activity recommended to be reviewed, the totality of the merchant circumstances may be viewed with greater concern or warrant an escalated course of action. The goal of this section is to provide effective tools to help you understand the merchant in its entirety.

As with underwriting of merchant accounts, it is likewise important to establish an agile approach to risk management. As new fraud trends and high-risk activity related to credit card processing is identified across the industry, your policies and procedures, exception criteria, and periodic monitoring should be evaluated and adjusted accordingly, as appropriate based on your business plan and established risk tolerances.

At all times, risk analysts should use their best judgment as it relates to the specific merchant and business type. The analysts may request additional information or impose restrictions (e.g., processing caps, delayed funding, lower chargeback or refund ratio thresholds, reserves, etc.) if necessary, for reasons including but not limited to: transaction processing activity (including daily processing, refunds, and dispute activity), changes to owner credit or business financial condition, changes to the business model or to the accepted risk level of the business model, or other combinations of factors. However, as clearly outlined by UDAAP requirements, if activity is flagged and there are also unacceptable levels of consumer complaints, then higher due diligence and potentially adverse action is more likely to be appropriate.

If processing activity reaches a level of greater concern and investigation reveals that the merchant is engaging in practices that could be considered unfair, deceptive, or abusive to consumers, that merchant should be terminated. In those cases, the availability of mitigating actions such as establishing a reserve should not dissuade any ETA Member from terminating the merchant.

Business Goals for Merchant Risk Management

Each ETA Member's Risk Management Policy should have a strong statement of intent that defines the ETA Member's individual goals for Risk Management. The policy should also include objectives that are intended to help the ETA Member achieve that goal, such as a list of MCCs and descriptions of the merchant industries for which the ETA Member will (or will not) provide service. Special risk management considerations that are appropriate for you based on your established business plan and risk tolerance should be identified. If you provide services to merchants that present a higher level of perceived risk to the card acceptance ecosystem, such as those described in Section 3: Merchants Requiring Enhanced Underwriting Due Diligence, then additional, appropriate due diligence considerations should be included in the policy and further described. If your Risk Management Policy has been prepared for use by ISOs, the policy should clearly outline your minimum requirements and expectations for the ISO's risk management practices.

The Objectives of Merchant Risk Management

The objectives of merchant risk management should be to:

- Identify and investigate merchant activity that is anomalous to your expectations for the merchant
- Identify and investigate activity that is anomalous to industry norms for general merchant processing and for defined verticals
- Ensure merchant compliance with Card Scheme requirements
- Support the identification of suspicious activities which may be related to money laundering or terrorist financing
- Identify anomalous activity and file a Suspicious Activity Report with the Financial Crimes Enforcement Network (FinCEN) or Bank, when appropriate

4.6. Activities that Support Merchant Risk Management Goals

Activities that are recommended in support of merchant risk management and business goals and objectives may include the following, which will be described in further detail throughout this section of the Guidelines:

- Monitoring of merchant transaction activity to identify exceptions to the underwritten parameters; or exceptions to what is considered normal as defined by industry (based on MCC), merchant business vertical, or individual portfolio averages for the ETA Member. Particular focus should be given, but not limited, to unusual activity in:
   - Sales
   - Refunds
   - Chargebacks
   - ACH rejects
   - Card present vs. card not present ratios
   - Swipe vs. keyed ratios
   - Authorization activity
   - Average ticket
- Merchants should be questioned regarding identified exceptions
- You should understand the merchant's business and marketing practices in their entirety, including not only the transaction or product, but also any regulatory and/or consumer satisfaction implications
- Further investigation should be completed as deemed necessary
- Action should be taken based on findings up to and including merchant closure

- You should notate merchant's records of all decisions and action taken

4.7. Merchant Risk Management Policy Effective Tools and Strategies

Merchant Risk Management policies should establish your expectations for the process of monitoring merchant activity. As recommended for the merchant Underwriting Policy, the Risk Management Policy should include proper and well-documented approval authorities and escalated exception processes.

Standards for Risk Monitoring Timeframes

Each ETA Member should establish expected timeframes for review and merchant notifications of review and/or adverse actions. Review is recommended to occur daily (working days) for transactions and at least monthly for the total merchant activity and trending.

Adverse Actions

Each ETA Member should establish standards regarding adverse actions to take during investigations, which may include:

- When funds should be held during an investigation
- When an account should be temporarily suspended
- When an account should be terminated

Approval Authority Parameters

Designated staff approving authority levels for funds release or parameter changes should include:

- Title and/or position, but not an individual's name
- Funds release request and approval limits
- A requirement to specify approval notation on the merchant record

Escalation Requirements

Circumstances requiring escalated approval should be included. Examples of such circumstances are:

- Merchant parameter increases in dollar volume/number of transactions processed during a specific timeframe
- High seasonal volume

- Funds released from merchant reserves
- Funds released from suspension
- MCC codes changes
- Merchant type changes
- Marketing methods changes
- Merchant bank account changes, including:
   - Large merchants with bank account changes
   - More changes than any established policy threshold within a specific timeframe

Documentation Requirements

Each ETA Member should have a designated exception notation format as well as designated review and documentation processes to ensure consistency in reviews and meeting requirements. It is recommended to use a standardized form for consistency of documentation. Examples of the items that could be included in the process and documented are:

- The name and title of the person requesting the exception (differentiate between sales representative, risk analyst, and merchant)
- The reasons for the exception request
- The name and title of the person reviewing the request
- Notation of the exception or change request on the merchant record with the reason for approval or decline

Periodic Reporting of Exceptions to Policy

Establishment of periodic reporting of all requested exceptions is recommended to be generated on a monthly frequency. Examples of the items this reporting could contain are listed below:

- Requestor name and title
- Reasons for decline, if applicable
- Exceptions approved

- Reviewing/approving individual, name and title
- Conditions required for approval
- Funds released
- Other actions taken

4.8. Team Communication

It is recommended that all departments/teams within your organization which are focused on prevention of financial loss and mitigation of fraud and illegal/prohibited activity should meet on a regular basis. Such teams may include underwriting, risk, compliance, chargeback and collections, if these processes are separately managed. During these meetings, the teams should share information on identified trends to support ongoing earlier detection and mitigation of potential issues. These teams should also perform joint post-mortem exercises on large losses or repeat loss patterns.

In addition to regular team meetings, communication channels should be defined by each ETA Member as appropriate for business processes, which may include when:

- The original Underwriter should be included in a risk review
- Chargeback activity requires additional risk review, if managed separately
- Situations escalate as defined by your individual risk management policies and procedures

Forms of communication may include:

- ing merchant account notes
- Providing copies of team activity and merchant trend reporting
- Providing copies of management reporting indicating fraud trends

4.9. Effective Tools and Strategies for Daily Exception Monitoring

This section will provide suggestions for potential exception parameters that may be set in an exception-based system, including factors based on parameters such as volume, card acceptance method, geography, and MCC, among many others. The recommended practices in section 4.12 discuss how exceptions should be investigated, once generated. These recommendations are not meant to be an exhaustive list of potential exceptions, as individual portfolio or vertical characteristics often dictate specific triggers that may not be useful elsewhere. ETA Members may choose to include suggestions from this section, or may determine additional or alternative exception criteria as best fits individual business needs.

The Merchant Record

The merchant record should contain approved processing parameters and demographic information that may be used to establish system flags for anomalous activity. Flags that trigger exceptions may be set at many different levels. Some parameters may not be listed individually on the record, but may instead be calculated systemically based on a single approved parameter. For example, expected daily, weekly, or monthly processing averages can be determined from the approved annual volume or transaction count. Further calculations may be made based on established acceptable or average portfolio, MCC, vertical or other thresholds for different types of activity, such as refunds or chargebacks as a percent of overall activity. These Guidelines provide suggestions for defining exception triggers and flags and the resulting actions that may be taken by individual ETA Members. Non-merchant-specific parameters based on geography, MCC, sales method, etc. have been suggested, which may also be useful.

Merchant Risk Classification Exceptions

Merchant Risk Classifications may be used to generate exceptions based on the existence of circumstances known to present higher risk in processing, or may also be used to increase the priority of the merchant parameter flags, as a higher merchant risk classification may result in a more restrictive exception tolerance for approved merchant parameters than the general merchant population, as discussed in further detail in Section 5: Risk Management For Merchants Requiring Enhanced Due Diligence. These suggested exceptions are highly subjective and specific to each ETA Member's individual portfolio; however, some examples of categories that may be used to create these types of exceptions include the following.

Micro and/or Mobile Merchants Monitoring Recommendations

The underwriting on this merchant category is typically done in stages and as such should have more restrictive or time-sensitive flags to indicate the timing of the increased review of the merchant.

Restricted Merchants Monitoring Recommendations

Restricted merchants should have thresholds set more strictly to monitor any deviation from the approved activity for the account, regardless of general system thresholds.

Merchant Watch List/Monitored Merchants Monitoring Recommendations

Merchants may be designated for close monitoring based on processing volumes, business type, marketing methods, cardholder complaints, or prior processing issues such as past refund or chargeback spikes by the underwriter as discussed in Section , or from prior risk investigations. While not technically defined as a restricted merchant, these merchants may be granted conditional processing requiring usage of various fraud control tools such as AVS, CVC2/CVV2, IP tracking, or affiliate monitoring; or require strict adherence to approved parameters. Similar to restricted merchants, monitored merchants should have closely set thresholds with less room for variance.

Other Risk Classification Criteria Recommendations

Additional types of higher risk merchant classification that you may consider, as appropriate for your merchant portfolio, may include:

- Product Type
- Sales Method
- Marketing Method
- Merchant location (high-risk areas such as those suggested in Section 3.7.)
- Newly identified fraud trends that trigger a thorough systematic portfolio review to find existing merchants who may qualify

Daily Exception Reports Effective Tools and Strategies

Exception reports may be based on overall scoring or individual parameters, as determined appropriate by each ETA Member. Regardless of the basis for exception, the items generated should be reviewed and actioned daily. While the list below is not exhaustive, it contains suggestions of practices that may be used when monitoring transactions on a daily basis. ETA members may also take other reasonable steps to properly monitor daily exception reports so as to minimize risks. Exception review priority should be determined by each ETA Member and documented in risk policies and procedures.

New Merchant Exceptions Recommendations

New merchants are generally considered to be those which have begun processing within the last 90 days; however, some ETA Members may choose to extend this to 180 days or more, as appropriate for the individual merchant portfolio and merchant risk classification. Additionally, you may choose to treat accounts that have been dormant for a period of time as new merchants for purposes of monitoring new processing activity after dormancy. New merchant activity should also be compared to the average processing activity for the assigned MCC, or merchant vertical, if applicable. Types of exceptions that may be generated for new merchants include those based on:

- First deposit for a new merchant, as defined by the ETA Member
- First deposit in over three (3) months for a dormant merchant
- Transaction count and amount for new merchants exceeds established MCC averages for your portfolio
- Refunds processed by new merchants
- Declines received when a merchant first begins to process

General Excessive Activity

Visa Requirements

Not all Visa requirements are listed below, however, Visa has established that beginning on the 31st day after a merchant has begun processing, if a minimum of $5000 is processed weekly, reviews should be prompted by merchant activity that represents 150% or more of the established weekly average for:

- The number of transactions
- The dollar volume processed
- The average ticket
- The number of refunds processed
- The dollar volume of refunds processed
- The number of chargebacks received
- The dollar volume of chargebacks

MasterCard Requirements

Not all MasterCard requirements are listed; however, MasterCard has recommended that exception thresholds be set at a minimum of 150% for all approved and average parameters.

Approved Dollar Volume Exceptions Examples

Dollar volume exceptions may be based on a certain percentage above your individually defined parameters. Some examples are:

- Daily cumulative deposits should generate an exception at 150% of the expected average daily amount, based on approved monthly volume
- Individual batch deposits (if a merchant batches more than one time per day) should generate an exception at 150% of the expected average daily amount, based on approved monthly volume
- It is recommended to determine tiers for processing levels for closer monitoring of volume with respect to the individual merchant risk to the entire portfolio, for example:
   - Larger merchant activity, as defined by each ETA Member's underwriting risk levels according to Section 2.7.4, should generate a daily exception when cumulative monthly sales volume reaches 90% of approved monthly volume
      o If the percentage (%) is reached in the first ¾ of the month the merchant should be more diligently reviewed
      o It is recommended that this threshold be set lower for higher risk merchants
   - Smaller merchants representing less risk exposure should generate exceptions on a tiered basis when cumulative monthly sales volume reaches 100% - 200% of their approved volume as makes sense based on each ETA Member's individual portfolio, for example:
      o 100% for Medium volume merchants
      o 150% for Small volume merchants
      o 200% for Micro volume merchants

Volume Increases/Processing Spikes Exception Examples

- Daily deposit amount exceeds expected amount based on approved monthly volume
   - For recurring billing merchants, you may choose to inactivate this exception
- Month-to-date volume exceeds prior month's volume
- Month-to-date volume exceeds monthly average over the past 90 days
- Rolling 30-day volume
   - Calculated as a measurement of the last 30 days' processing volume compared to expected average monthly volume

   - Reflected as a percentage (%) of rolling 30-day volume/average monthly volume

Volume Decreases/Processing Dips Exception Examples

- Rolling 30-day or month-end volume has decreased by 20% or more compared to the previous rolling 30-day period, month-end processing volume, or average monthly volume over the previous 90 days
   - Calculated as a measurement of the last 30 days' processing volume, reflected as a percentage (%) of the comparison parameter
- The first 15 days' processing for the month has decreased from the prior month by 20% or more
- Volume has decreased by more than 25% from week to week

Batch Activity Exception Examples

- Batch net amounts
   - Zero net dollar batches
   - Negative net dollar batches
- Changes to the frequency of merchant deposits

Individual Ticket/Sale Exception Examples

Based on Card Scheme recommendations, the activity described here is suggested to generate exceptions when the activity reaches 150% above the expected parameter as determined by underwriting, or at a different percentage that is appropriate for the risk tolerance of the ETA Member, as well as the merchant processing level and type.

- Tickets over maximum approved amount
- Individual ticket equal to or greater than an amount commensurate with each ETA Member's individual risk tolerance
   - The exception trigger should be set as appropriate for the proportion of risk that the ticket size represents compared to the portfolio, total transactions and processing volume of the ETA Member; for example:
      o A larger ETA Member with more transaction volume and/or merchant accounts may set this at $10,000
      o An ETA Member with a smaller portfolio and/or processing volumes may set this at $1,

- Some ETA Members with less risk tolerance may choose to view all tickets processed that are greater than a predetermined dollar amount, regardless of whether that ticket is over the individual merchant's expected maximum
- Average ticket dollar amount is not as expected or is outside a tolerance established by the ETA Member
   - It is common practice and recommended to include this parameter in the merchant record
   - This parameter may be set to trigger based on monthly average, daily average, or batch average, as determined by the individual ETA Member
- The average count of tickets processed is not as expected or outside a tolerance established by the individual ETA Member
   - The average count of tickets may be calculated based on the approved annual volume and average ticket
   - This may be set at monthly average, daily average, or batch average, as determined by the individual ETA Member
- Multiple small-dollar transactions (recommended to be <$3) which are not within the merchant's approved parameters
- Excessive percentage of card present vs. card not present transactions, outside of the merchant's approved parameters
- Excessive percentage of keyed transactions outside of the merchant's approved parameters
- Multiple transactions from the same BIN
   - This may be set at a % of the batch for those with a higher risk tolerance
   - This may be set at a hard number, such as four, for those with a lower risk tolerance
- Multiple transactions from similar card numbers
- Same sale dollar amount transactions repeated in the same batch that is out of pattern for the merchant
   - This may be set at a % of the batch for those with a higher risk tolerance
   - This may be set at a hard number, such as four (4), for those with a lower risk tolerance

Foreign Activity Exception Examples

- Transactions on non-US issued cards that are out of pattern for the merchant
   - It is recommended to set an expected percent (%) of foreign transactions or number of foreign cards in a batch on the merchant record

Authorization Activity Exception Examples

- Forced authorizations/ticket-only transactions
- Authorization reversals
- Authorization activity with no captured sales
- Multiple transactions with the same authorization number
- Multiple authorizations for the same card and/or cardholder
- Total daily authorization count compared to account parameters
- Repeated declines on the same card number
   - Note that Visa rules prohibit the retry of a recurring transaction if it receives a decline response
- Daily authorization declines exceeding parameters set for the industry
   - It is common for recurring sales merchants to have decline ratios up to 30% and recommended to set that as the tolerance level unless additional risk factors exist
   - It is not common for retail sales merchants to have greater than 5% decline ratios
   - Attention should be given to high ratios of certain decline reasons determined by each ETA Member to be of concern within overall transaction declines
      o 10% Pick Up card as a reason for decline should be investigated as the merchant may be a victim of fraudulent card usage

Abnormal Transaction Timeframes Exception Examples

- Unusual transaction times based on merchant's hours of business

- Unusual transactions based on seasonality of the merchant

Merchant Changes Exception Examples

Each ETA Member should define merchant changes that would require review by risk management staff, and whether the review should be done prior to change completion, or following completion for cursory review. The following types of merchant account changes are suggested to be carefully reviewed as they may indicate a beneficial owner or fraudulent account application information was provided. Particular attention should be paid to activity happening within 30 to 60 days of account opening or periods of dormancy of greater than 90 days.

- Merchant DBA Changes
- All Descriptor Changes
- Any Phone Number Changes
- Address Changes
- Website Changes
- DDA Changes

Refund/Credit Transaction Exception Examples

Refund exception tolerances may vary based on the different types of merchants using averages based on MCC, merchant verticals, portfolio demographics, etc. and should be determined by the individual ETA Member. Numbers provided in the examples below are for illustrative purposes and determined based on input from the working group across the industry.

- Refund percentages should be calculated on both the dollar volume and count of refund compared to transaction processing
- It is recommended to tier exception generation based on refund volume, merchant processing volume, and/or merchant risk classification, as applicable for the ETA Member, in order to keep monitoring of this activity efficient
- Examples of some possible tiered exception criteria are listed below. The ratios, dollars, and numbers of transactions should reflect each ETA Member's risk tolerance.
   - Card Present Merchants

      o 4% or greater ratios for both dollar volume and item count
      o Refund ratio exceeding 2% and daily total greater than $5,000 and daily count greater than 5
      o Refund ratio exceeding 3% and daily total greater than $2,500 and daily count greater than 5
   - Card Not Present Merchants
      o 8% or greater ratios for both dollar volume and item count
      o Refund ratio exceeding 3% and daily total greater than $5,000 and daily count greater than 5
      o Refund ratio exceeding 5% and daily total greater than $2,500 and daily count greater than 5
- Refunds dollar amounts that are larger than the ETA Member's individual risk tolerance
      o Exceptions may be generated for a single item amount, or for the total amount in a batch/daily total
      o A more risk-tolerant ETA Member may set this at $5,000
      o A less risk-tolerant ETA Member may set this at $500
- Refunds with No Offsetting Sale
      o If possible, these should not be allowed to enter interchange
- Refunds issued subsequent to a chargeback on a single account
- Increasing refund activity after elevated chargeback issues
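The daily volume and refund triggers listed above can be expressed as a small rule evaluator. The following is an added example, not part of the Guidelines: it uses the illustrative percentages and dollar amounts quoted in the text, while the field names, flag names, sample merchants, the 30-day divisor for the expected daily amount, and the use of the dollar-based refund ratio in the tiered rules are assumptions.

```python
from dataclasses import dataclass

# Month-to-date trigger as a share of approved monthly volume, per size tier
# (90% for larger merchants; 100% / 150% / 200% for medium / small / micro).
MTD_TRIGGER = {"large": 0.90, "medium": 1.00, "small": 1.50, "micro": 2.00}

# Refund rules per acceptance method:
#   (ratio that both dollar and count ratios must reach,
#    [(ratio exceeded, daily refund total exceeded, daily refund count exceeded)])
REFUND_RULES = {
    "card_present": (0.04, [(0.02, 5000.0, 5), (0.03, 2500.0, 5)]),
    "card_not_present": (0.08, [(0.03, 5000.0, 5), (0.05, 2500.0, 5)]),
}

DAYS_PER_MONTH = 30  # assumption: expected daily amount = approved monthly / 30


@dataclass
class Merchant:
    merchant_id: str
    size_tier: str            # "large", "medium", "small" or "micro"
    acceptance: str           # "card_present" or "card_not_present"
    approved_monthly_volume: float


@dataclass
class DayActivity:
    day_of_month: int
    days_in_month: int
    sales_amount: float
    sales_count: int
    refund_amount: float
    refund_count: int
    mtd_sales: float          # cumulative month-to-date sales, today included


def _ratio(part, whole):
    """Refunds relative to sales; a day with refunds but no sales is unbounded."""
    if whole > 0:
        return part / whole
    return float("inf") if part > 0 else 0.0


def evaluate(m, d):
    """Return the exception flags raised by one day of activity for one merchant."""
    flags = []

    # Daily cumulative deposits at 150% of the expected average daily amount.
    expected_daily = m.approved_monthly_volume / DAYS_PER_MONTH
    if d.sales_amount >= 1.5 * expected_daily:
        flags.append("DAILY_VOLUME_150PCT")

    # Tiered month-to-date volume against approved monthly volume.
    if d.mtd_sales >= MTD_TRIGGER[m.size_tier] * m.approved_monthly_volume:
        flags.append("MTD_VOLUME_TIER")
        # Larger merchants reaching the trigger in the first 3/4 of the month
        # warrant more diligent review.
        if m.size_tier == "large" and d.day_of_month <= 0.75 * d.days_in_month:
            flags.append("MTD_VOLUME_EARLY")

    # Refund ratios are calculated on both dollar volume and item count.
    dollar_ratio = _ratio(d.refund_amount, d.sales_amount)
    count_ratio = _ratio(d.refund_count, d.sales_count)
    both_ratio, tiers = REFUND_RULES[m.acceptance]
    if dollar_ratio >= both_ratio and count_ratio >= both_ratio:
        flags.append("REFUND_RATIO_BOTH")
    for min_ratio, min_total, min_count in tiers:
        if (dollar_ratio > min_ratio and d.refund_amount > min_total
                and d.refund_count > min_count):
            flags.append(f"REFUND_TIER_{min_ratio:.0%}")
    return flags


# Constructed sample data, for illustration only.
SAMPLES = [
    (Merchant("A", "large", "card_not_present", 300_000.0),
     DayActivity(12, 30, 16_000.0, 200, 900.0, 8, 275_000.0)),
    (Merchant("B", "small", "card_present", 30_000.0),
     DayActivity(20, 30, 1_200.0, 40, 60.0, 2, 20_000.0)),
    (Merchant("C", "medium", "card_not_present", 3_000_000.0),
     DayActivity(15, 30, 100_000.0, 1_000, 5_500.0, 12, 1_900_000.0)),
    (Merchant("D", "small", "card_present", 30_000.0),
     DayActivity(20, 30, 0.0, 0, 100.0, 1, 20_000.0)),  # refunds, no sales
]


def run_samples():
    """Evaluate every constructed sample and return {merchant_id: flags}."""
    return {m.merchant_id: evaluate(m, d) for m, d in SAMPLES}


if __name__ == "__main__":
    for merchant_id, flags in run_samples().items():
        print(merchant_id, flags or "no exceptions")
```

A flag here only marks activity outside the approved or typical parameters; the review outcome still has to be noted on the merchant record as the Guidelines describe.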

ACH Reject Exception Examples

- Review all ACH Rejects (debit or credit). Note: this references ACH debits related to credit card processing, not third-party ACH processing
   - Daily Monthly Ratios

Retrieval Request Exception Examples

- Daily, weekly, or month-to-date retrievals that exceed the ETA Member's predetermined percentage of the merchant's processing volume or transaction count
- Retrieval requests for card not present merchants
- Retrieval requests with reason codes determined to be of concern
- Requests for a large-dollar transaction or total dollar amount of transaction(s) for a single day or batch that are out of the typical range for the merchant
   - A larger ETA Member with more transaction volume and/or merchant accounts may set this at $5,000
   - An ETA Member with a smaller portfolio and/or processing volumes may set this at $

Chargeback Activity Exceptions Recommendations

- Chargeback dollar amounts that are larger than the ETA Member's risk tolerance
   - Single chargeback
   - Total daily amount of chargebacks
   - Month-to-date cumulative chargeback totals
   - A larger ETA Member with more processing volume and/or merchants may set this at $5,000
   - An ETA Member with less merchants and/or transaction volume may set this at $500
- Examples of some possible tiered exception criteria based on monthly percentages can be found in Section
- Daily exception review is typically based on dollar volume. Examine the chargeback reason codes and supporting documentation to determine whether the concern is:

- Financial Risk: The merchant being able to cover activity
- Consumer fraud against the merchant (e.g., the merchant is a target of fraudulent card usage)
- Merchant fraud against the consumer (the merchant is billing the card without shipping or delivering the product; the merchant is making unauthorized charges to the consumer's account)
- Product quality
- Operational issues such as shipping or customer service
- Marketing issues such as potential misrepresentation to the consumer

Fraud Prevention Tool Response Exceptions

- Address Verification
- Card Acceptor ID
- MC SecureCode/Verified By Visa
- Device authentication
- IP tracking
- Restrictions on ship to countries

Effective Tools and Strategies for Monthly or Periodic Exceptions

It is recommended that monthly or other periodic exception reporting for critical risk activity, as determined by each ETA Member, be generated for review by more senior or experienced risk staff. This may serve to identify activity which may not have been given high priority during daily exception review, but that taken as a whole over the longer timeframe becomes a concern, and may serve to summarize the monthly activity for the team and identify areas where training may be of benefit.

Top Processing Volume, Chargeback Volume, or Refund Volume Report

- Include cumulative totals for related or chained merchant accounts (i.e., one legal entity with 10 accounts that when combined are within the defined review group)
- When reviewing chain merchants, also review each location to ensure single location issues are not being hidden by other locations
- Documented review should take place using a standardized review format containing:
   - Refunds (review the dollar, number, and percentages) month, prior month, YTD

  - Chargebacks (review the dollar, number, and percentages) month, prior month, YTD
  - In-Depth product/service review
  - Website review
  - Social media review
  - Consumer satisfaction review (Better Business Bureau, online complaint boards, etc.)
  - Copy of periodic review (see Section 2.6.5) if available

Reports by Merchant Vertical (MCC, Product Type, Agent/Agent Group)
- Each ETA Member should define verticals specific to its portfolio.
- ETA Members should establish thresholds for review and additional investigation appropriate for the industry vertical
- ETA Members should review the verticals on a six-month rolling basis and investigate significant increases and decreases

Restricted Business Type Review Monthly Report

It is recommended that merchant exceptions for restricted business type merchants be summarized at the end of the month for summary review by more senior-level risk management staff. Examples of restricted merchants could include:
- Furniture, flooring, travel, etc. (i.e., future delivery)

The Processing Volume, Chargeback Volume, or Refund Volume that triggers the restricted merchants for review should be lower than that which triggered the non-restricted merchants

Monthly Excessive Volume Exceptions

Merchants that have larger processing volumes or exposure should be reviewed on a periodic basis. At a minimum, the review should be annual, but if the statistics demonstrate enhanced diligence is required, the review could occur as often as monthly. Such reviews may be scheduled semi-annually, quarterly, or monthly. If the merchant is also being reviewed as defined in Section for a periodic review, the two reviews could be combined

Merchants with Decreasing Volume

The purpose of this report is to monitor merchants with significantly decreasing (or stopped) volume that may not otherwise be detected through monitoring of daily activity

- Monthly Report of the sales activity that has decreased by a predetermined percentage from the prior month
  - Can be narrowed down to merchants processing over some larger amount per month as determined according to the ETA Member's risk policies
- Merchants who processed some predetermined volume in the prior month but had no processing in the report month

Merchant Changes

As recommended in Section , each ETA Member should define types of Merchant Account Changes that should be reviewed in a summary monthly report by more senior-level staff, particularly those made for merchants that represent greater exposure to the ETA Member. The review is recommended to be cursory and act as a second set of eyes on changes that occurred throughout the month. Particular attention should be paid to activity happening within 30 to 60 days of account opening or periods of dormancy of greater than 90 days, for activity such as:
- Merchant DBA changes
- All descriptor changes
- Any phone number changes
- Address changes
- Website changes
- DDA changes

Monthly Refund Exception Effective Tools and Strategies

General Refund Monitoring Recommendations

Based on the increased scrutiny of merchants through UDAAP, it has become more important to monitor the refund ratios of all merchants. Regular monitoring of the ratios based on business and processing type averages along with consumer complaint boards and online blogs will give the ETA Member insight into the merchant. The ratios below are based on industry research and may be adjusted by each ETA Member to better reflect individual portfolios and merchants. Refund monitoring policies should be well documented to inform the analysts of the guidelines that should be followed. Merchant records should also be noted when it is acceptable that they are outside of the chosen parameters, including the degree of exceptions approved and the reasons why. The parameters below should be reviewed for both

the number of transactions as well as the dollar volume of transactions in the given time period

Refund Monthly Exception Thresholds
- Trending Reports should be reviewed at least monthly and should be reviewed more often for portfolios with merchants that could generate more consumer complaints

Card Present Merchants
- 4% or greater ratios for both dollar volume and item count
- Refund ratio exceeding 3% ratios and Monthly total greater than $25, or more refunds
- Refund ratio exceeding 2% ratios and Monthly total greater than $50, or more refunds

Card Not Present Merchants with 8% or Greater Refund Ratios
- 8% or greater ratios for both dollar volume and item count
- Refund ratio exceeding 5% ratios and Monthly total greater than $25, or more refunds
- Refund ratio exceeding 3% and Monthly total greater than $50, or more refunds

Monthly Chargeback Exception Effective Tools and Strategies

General Chargeback Monitoring Recommendations

Based on the increased scrutiny of merchants as a result of UDAAP laws, it has become more important than ever to monitor the chargeback ratios of all merchants before they reach card brand monitoring levels. Monitoring the chargeback ratios

based on MCC and processing type averages along with consumer complaints and blogs will give the ETA Member insight into the merchant. The ratios below are based on input from the working group and may be adjusted by each ETA Member to better reflect individual portfolios and merchants. Each ETA Member should document its established thresholds to provide analysts with guidelines that should be followed. Merchant records should also be noted when activity exceeding established thresholds will continue to be allowed, including the degree of exception approved and the reasons why. The parameters below should be reviewed for both the number of transactions as well as the dollar volume of transactions in the given time period

Chargeback Reporting Threshold Examples

Examples of some possible tiered exception criteria are:
- Chargeback ratio exceeding 2.50% and
  - 25 or more chargebacks
- Chargeback ratio exceeding 0.75% and
  - 75 or more chargebacks

Chargeback Management Reporting
- A monthly report of top chargeback merchants is recommended to indicate individual or groups of related merchants that represent a large percentage of the ETA Member's portfolio's total chargeback volume in order to identify high chargeback volume accounts that may be within acceptable parameters but still should be reviewed based on the portion of the portfolio represented
  - Should be calculated for both dollar amount and number of chargebacks
- Trending Reports should be reviewed at least monthly and more often for those merchants with more consumer complaints. An example has been provided as Exhibit I
- All chargeback reports should include both individual merchant accounts that meet the parameters and chained accounts grouped by legal entity or mutual ownership that also meet the parameters

As previously stated, the recommendation is to remediate issues prior to the merchant reaching a chargeback activity level that qualifies the merchant for remediation programs defined by the Card Schemes. As such, each ETA Member should individually determine the appropriate thresholds by which to identify merchants within the ETA Member's portfolio that are lower than the defined thresholds for the

Card Schemes

Card Scheme Risk Monitoring Program Merchants

Merchants that are currently in Card Scheme risk monitoring programs should be closely monitored by senior risk management staff with monthly status reporting and month over month status and statistical changes reviewed.
- Fraud Monitoring Programs
- Chargeback Monitoring Programs
- Reputation Monitoring Programs

Chargeback Monitoring and Investigation Procedure Effective Tools and Strategies

Based on the established importance within these Guidelines for mitigation of chargeback issues, the intent of this section is to provide guidance for ways to review and action chargeback exceptions. These recommendations are appropriate for the management of both the daily chargeback exceptions in Section , and for the merchants included in the monthly or periodic management reporting in Sections

Following these recommended practices should help ensure that unmitigated chargeback issues do not create undue harm to consumers or the card acceptance ecosystem

Chargeback Monitoring Team
- It is recommended to establish dedicated investigators to monitor chargebacks separately from transaction monitoring. If such monitoring is of a higher risk portfolio, ensure the investigators are tenured. An ETA Member that generates fewer than 5,000 chargebacks per month across its entire portfolio may not need to separate the function from the risk monitoring and loss prevention department
- A well-defined communication structure between risk analysts and chargeback analysts should be created as defined in Section 4.8.
- Chargeback exceptions as defined in should be monitored daily by the established team or individual(s)
- Monthly or periodic reporting for chargebacks outlined in section should be monitored by this team

Chargeback Activity Monthly Projections
- You should project what the month-end chargeback count and amount will be based on activity received month to date ((dollar or items received / days elapsed) * (total days in month))

- You should compare the projected chargeback count and amount against average monthly transaction count and amount to determine potential chargeback ratios
- You should compare the month to date and projected month end chargeback count, amount and ratios to the prior month
- You should compare a trending of the last six (6) months as defined in Exhibit I

Chargeback Detail Review Recommendations
- You should identify truly fraudulent card usage vs. merchant error vs. merchant engaging in UDAAP law violations
- You should review the chargeback reason codes
  - Fraud
  - Operational Issues
  - Customer dissatisfaction with product
- You should review the chargeback supporting documentation
  - Look for potential consumer deception claims
  - Is the product at issue approved for the account?

Effective Tools and Strategies for Investigating Exceptions

The Purpose of Investigation

ETA Members should determine whether factors that systemically have flagged an account for review indicate a likely risk of financial loss for you or the processing of illegal or prohibited transactions by the merchant, including by the merchant's use of potentially deceptive marketing practices. Activities that support this purpose include:
- Verification that transactions are submitted in accordance with Card Scheme rules
- Determination and mitigation of fraudulent card usage
- Determination and elimination of consumer deceptive practices
- Verification that the merchant's current financial condition remains as expected or is further sufficient to cover excepted activity
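The month-end projection under "Chargeback Activity Monthly Projections" and the tiered criteria under "Chargeback Reporting Threshold Examples" can be combined into one monitoring check. The following is an added example, not part of the Guidelines: the record layout, the sample merchants, counting the as-of day as a full elapsed day, and applying each tier to the higher of the count and dollar ratios are all assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Tiered criteria quoted from the threshold examples above:
# (ratio that must be exceeded, minimum number of chargebacks).
TIERS = [(0.0250, 25), (0.0075, 75)]


@dataclass
class MerchantActivity:
    """Hypothetical month-to-date record for one merchant (layout is assumed)."""
    merchant_id: str
    cb_count_mtd: int              # chargebacks received month to date
    cb_amount_mtd: float           # chargeback dollars received month to date
    avg_monthly_txn_count: float   # average monthly transaction count
    avg_monthly_txn_amount: float  # average monthly transaction dollars
    prior_month_cb_count: int
    prior_month_cb_amount: float


def project_month_end(received_mtd, as_of):
    """(received / days elapsed) * (total days in month), per the Guidelines."""
    days_elapsed = as_of.day  # assumption: the as-of day is fully elapsed
    total_days = calendar.monthrange(as_of.year, as_of.month)[1]
    return received_mtd * total_days / days_elapsed


def safe_ratio(numerator, denominator):
    """None when there is no transaction baseline to divide by."""
    return numerator / denominator if denominator else None


def chargeback_projection(m, as_of):
    """Project month end, derive potential ratios, compare to prior month, pick a tier."""
    proj_count = project_month_end(m.cb_count_mtd, as_of)
    proj_amount = project_month_end(m.cb_amount_mtd, as_of)
    count_ratio = safe_ratio(proj_count, m.avg_monthly_txn_count)
    amount_ratio = safe_ratio(proj_amount, m.avg_monthly_txn_amount)

    # Assumption: a tier is met when either ratio exceeds its limit.
    ratios = [r for r in (count_ratio, amount_ratio) if r is not None]
    worst = max(ratios) if ratios else None
    tier = None
    if worst is not None:
        for ratio_limit, min_count in TIERS:
            if worst > ratio_limit and proj_count >= min_count:
                tier = (ratio_limit, min_count)
                break

    return {
        "merchant_id": m.merchant_id,
        "projected_count": proj_count,
        "projected_amount": proj_amount,
        "count_ratio": count_ratio,
        "amount_ratio": amount_ratio,
        "count_change_vs_prior": proj_count - m.prior_month_cb_count,
        "amount_change_vs_prior": proj_amount - m.prior_month_cb_amount,
        "tier": tier,
        # Chargebacks with no baseline cannot be ratio-tested; send to an analyst.
        "needs_manual_review": worst is None and m.cb_count_mtd > 0,
    }


# Constructed sample data, reviewed as of day 10 of a 31-day month.
AS_OF = date(2014, 3, 10)
SAMPLE = [
    MerchantActivity("M-1001", 12, 1800.0, 1200, 90000.0, 20, 2500.0),
    MerchantActivity("M-1002", 30, 3000.0, 9000, 900000.0, 85, 9000.0),
    MerchantActivity("M-1003", 2, 150.0, 0, 0.0, 0, 0.0),
]

if __name__ == "__main__":
    for merchant in SAMPLE:
        print(chargeback_projection(merchant, AS_OF))
```
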

Documenting the Investigation

It is a recommended practice that decisions made regarding the activity be documented as to the thought process when action is taken. Although it is not necessary to document when no action is taken, an effective tool is to document when there are repeated exceptions for the same type of item and no action is taken. This may become very important when reviewing anomalous chargebacks or refunds. If a merchant has continually high or anomalous statistics and no action is taken, the merchant record should be clearly noted as to why no action is necessary

Investigation Basics

All merchants meeting exception criteria based on identified thresholds or who are designated for monitoring should be investigated to determine whether the activity presents risk of financial loss to the organization or whether the possibility of illegal, prohibited, or deceptive practices exists. Investigations may vary in scope depending on the type of exception flagged and additional information discovered.

Investigation Activities may include
- Increase of scope beyond identified exception review to include a holistic review of the merchant
- Contact with the merchant
  - Request transaction supporting documentation whether the investigation is for a sale, refund, or chargeback
  - Interview the merchant regarding the exceptions identified
    - Do not suggest scenarios when discussing the exception with the merchant
    - Ask open-ended questions
- Verification of card/cardholder details with Issuing Banks
- Reviewing the merchant sales methods
  - How products/services are marketed (Refer to Section 5.4 for specifically identified high-risk marketing methods and how to review)
  - Secret shopping (Refer to Section 5.4)

- Reviewing the merchant's usage of common fraud prevention response tools, which may include:
  - Address Verification
  - Card Acceptor ID
  - MC SecureCode/Verified By Visa
  - Device authentication
  - IP tracking
  - Restrictions on ship to countries

The following is a non-comprehensive list of example actions that could be taken following investigation:
- Require the merchant to issue a refund
- Place the merchant on increased monitoring for future occurrences
- Hold funds from the excepted activity
- Suspend the merchant's ability to process refunds
- Require the merchant to change its website
- Require the merchant to discontinue the sale of a specific product
- Require the merchant to open a separate merchant account
- Implement daily discount of merchant account fees
- Implement ongoing deposit delays
- Other actions that may be required to mitigate the exception risk

Merchant Remediation

Each ETA Member should gauge whether the issues requiring remediation can be fixed. For example, if the issue is an inherent product and/or service issue, it may not be able to be corrected. But, if the issue is customer service related, then upgraded systems, training, or additions to the merchant's staff may help remediate the issue. An example of timeframes for remediation would be to review the progress in 30-day intervals with a goal to see improvement within 60 days (depending on the issue). Some issues may be corrected within 90 days. It should be expected that the majority of issues should

be corrected within six (6) months. ETA Members should consider termination of a merchant if an issue cannot be corrected within six (6) months

Merchant Reserves

While reserves may be used as protection in an escalating risk situation, they should not be used as the sole determinant in whether to keep a merchant open or to close the merchant. As a recommended practice, reserves should be used if the financial condition of the merchant is tenuous and/or if the loss potential due to the future service nature of the product is high should the merchant go out of business. Reserves are typically calculated and collected based on exposure. Exhibit G.1 contains example reserve calculations.

Reserves should not be used as a way to manage merchants engaging in acts or practices that an ETA Member feels are or that legal counsel considers potentially unfair, deceptive, or abusive to consumers. In lieu of allowing any such merchant to process with a reserve, the merchant should be denied the ability to continue to process. Reserves should not be used as mitigation to approve or keep a merchant when large fines are expected. That merchant should be closed immediately.

Note: it is acceptable and an industry standard risk mitigation practice to implement a reserve during an investigation to determine the severity of the issues. Once the severity has been determined and the exposure is understood, the reserves and decisions to continue processing should be managed as discussed in this section.

Investigators should use their best judgment as it relates to the appropriate implementation and management of reserves. Each ETA Member should provide guidelines for establishing and maintaining proper reserve levels based on measurable criteria. An example reserve calculation is provided as Exhibit C.

Interim or long-term reserves may be warranted for many of the situations described in these risk management guidelines or for additional exceptions to approved account activity; however, the reserve should not be the sole tool used to mitigate risk. While as a business practice merchants should be monitored closely to ensure that additional conditions are being met and improvement is shown, periodic reviews of merchant reserves should be scheduled as defined by each ETA Member within its risk policies. Examples of situations where investigation may warrant the use of a longer term reserve could include:
- Merchant is experiencing a volume spike as a result of business growth that has been validated as legitimate business but is not supported by financial review without a measure of security for the ETA Member
- Merchant begins selling an item with a higher ticket or begins accepting wholesale orders that are satisfactorily investigated, and the merchant is granted conditional approval to continue the activity with the implementation of a reserve

- Merchant with unusual transaction activity is determined to have been a victim of fraudulent card usage that is expected to cause an increase in refunds or chargebacks, in which case fraud prevention tools and practices are recommended to be required to mitigate future occurrences
- Merchant experiences a verifiable, short-term (not exceeding one to two months) increase in refunds processed or chargebacks received, and investigation determines that the factors causing the chargebacks have minimal consumer impact and may be mitigated through merchant education and improvement in operating processes or implementation of fraud prevention practices or tools
  - Unexpected high sales of a product that becomes back-ordered temporarily (e.g., because a TV celebrity promotes the product and there is a run on the item)
  - Temporary third-party vendor issues as a result of performance not meeting contracted service levels, which may be mitigated by a change in vendor such as outsourced customer service or fulfillment services

Monthly Management Reporting Effective Tools and Strategies

The establishment of monthly management reporting is important to ensure that there is appropriate senior-level oversight of the day-to-day activities within risk management. Monthly reporting should provide a high-level summary regarding activity deemed by each ETA Member to warrant management and/or senior-level attention. ETA Members with large portfolios may wish to create separate levels of reporting requirements for respective management levels

It is recommended that, at minimum, senior management reviews reporting that is required to be presented up to the next-level organization. Section discusses the detail of the risk management reporting that is recommended for ETA Members who sponsor ISOs (including sponsored ISOs, sub-ISOs, and agents when applicable).

The report types provided in this section are meant to represent typical management summary reporting available in the industry for reference by ETA Members. Each ETA Member should determine what types of reporting are appropriate for individual use.

5. Risk Management for Merchants Requiring Enhanced Due Diligence

Merchants requiring enhanced due diligence, which are also known as higher risk (HR) merchants, are manual and labor intensive, as they may require additional monitoring and staffing responsibilities. Some HR merchant types have additional mandatory registration requirements with the Card Schemes. (Please note that registration is outside the scope of this document. To determine all circumstances when a merchant should be registered with the Card Schemes please refer to the Card Scheme rules.) Sponsoring HR merchants typically requires a more robust and knowledgeable staff. Higher risk merchants also carry a higher probability of reputational risk and in some cases there is a higher risk to the card acceptance ecosystem, for all players on the acquiring side as well as the cardholder. Due to this increased risk, this next section describes extra diligence that should be taken in addition to the minimum requirements prescribed by Card Schemes and applicable laws and regulations.

5.1 Enhanced Due Diligence Process

In addition to the effective strategies outlined in this Section 5, the recommended practices discussed in Section 3.0 for underwriting of merchants requiring enhanced due diligence apply here as well.

When reviewing higher risk merchants in these categories, it is an effective risk mitigation practice to investigate fully, notate the merchant file completely, and take action concretely. If a merchant does not take the requested corrective action in the requested amount of time, the merchant account should be closed. It is not a recommended practice to increase reserves or charge fees to offset the lack of corrective action.

5.2 Performance Improvement Expectations

It is appropriate to expect that the merchant take corrective action within 30 days after you request action, with the resulting improvement in processing statistics to be seen within three (3) months and no longer than six (6) months after the request. It is recommended to close a merchant account if sufficient improvement is not seen within these guidelines. When reviewing the effects of the corrective actions taken by a merchant, you should see, at a minimum, an improvement in:
- Chargebacks
- Refunds

- Customer Complaints

Once improved, the merchant should remain on your watch list for at least six (6) months.

5.3 Reputation Monitoring

A plethora of information is available online for reviewing consumer perception regarding a merchant. This is an easy tool for investigating merchants, particularly those representing potential higher risk due to marketing or sales methods, product type, or operational issues.

Examples of types of online resources:
- Consumer complaint boards
- Better Business Bureau (BBB)

Online Searches may be performed using keywords related to the merchant account, including:
- Legal Name/DBA
- Product or service name
- Merchant account descriptor
- Website URL
- Phone numbers
- addresses

5.4 Secret Shopping

Secret shopping is a tool that may be used at your discretion as a verification method to ensure merchant compliance with Card Scheme requirements and merchant account conditions and that general consumer satisfaction practices are in place. With secret shopping, random purchases are made to assess the products or services received and ensure they are as described on the merchant application. The product should then be returned (or the service cancelled) and the return and refund process evaluated for ease of use and quality of customer service. All findings should be analyzed and clearly documented in the merchant file. This process could help ensure the product is as described and that no deceptive advertising exists. This process could also ensure that the amount charged matched what was indicated and that no additional fees were charged. The return process could ensure that the consumer is being treated fairly and receiving the refunds promised. The secret shopper experience should then be compared to the social media research findings and other website review findings. The combination of these review types could assist in determining the

overall risk presented to the cardholder and the card acceptance ecosystem by the merchant. A reserve should not be used in lieu of closing a merchant with negative secret shopping results

Cardholder/Customer Interviews

The cardholder contact information received from the merchant during transaction validation should be compared to information found online to ensure consistency. When interviewing the cardholder, ask open-ended questions; do not suggest purchase or transaction scenarios. Ask for the URL from where the customer purchased the product and ensure it matches the URL you have on file. If the customer returned the product, ask open-ended questions about the return process and the customer's satisfaction

Chargeback Monitoring and Reporting to Card Schemes

While it is important to understand the Card Scheme chargeback monitoring programs, this document does not speak to those programs as it is the intent that if these guidelines, or some other reasonable step or strategy identified by ETA Members, are followed, any systemic merchant chargeback issues will have been resolved or the merchant will have been closed prior to entering into or persisting in a program. The review of each merchant according to Card Scheme and internally defined chargeback thresholds could identify accounts with the potential for increased financial risk as well as for identification by the Card Schemes for violations and subsequent fines

Enhanced Review of the Sales Processing Method

The recommended practices discussed in Section 3.4 for Internet, MOTO, and mcommerce Merchants apply here as well. When reviewing higher risk merchants in these categories it is a recommended practice to investigate fully, notate the merchant file completely, and take action concretely

Internet Merchants

Website Content Monitoring

All website pages should be reviewed every 30 days to ensure merchants are not processing prohibited or illegal transactions. Review website product and/or service offerings and disclosures to ensure that there have been no material changes from underwriting approved content as described in Section , at least annually. Merchants with high volume or

those on restricted or monitored lists should be reviewed more frequently according to risk tolerances established by your individual policy. See Exhibit C for detailed recommendations on reviewing websites

Monitoring Internet Merchants with Negative Option Marketing
- Website should have a clear and conspicuous disclosure of the terms before the customer agrees to order
- The action that must be taken by the consumer to avoid further charges should be clearly and conspicuously displayed
- The action required to be taken by the consumer to cancel should be clearly and conspicuously displayed
- ETA Members should consider whether the length of any trial period is reasonable for the product (e.g., at least 14 days for tangible products; intangible or digital products may be less).
- The amount and timing of recurring charges should be clearly and conspicuously displayed
- Disclosures should be in close proximity to the buy button
- The specific card that will be charged should be clearly and conspicuously displayed
- An ETA Member may monitor for multiple sales on the same card to ensure there are no sales being charged that the cardholder is not aware of
- Shipping timelines should be clear (and typically required by the Card Schemes to be the same day the card is charged)
- You should understand all URLs being used by the merchant with each merchant account
- Refunds should be timely and consistent
- If the merchant is passing an indicator with the transaction that tells you whether it is an initial transaction or a recurring charge, you may track chargeback and refund ratios accordingly

Telemarketing Including Mail Order/Telephone Order (MOTO)

General Transaction Monitoring

- It is important to monitor for multiple sales on the same card to ensure there are not upsells or cross sells that were not approved
- It is important to match the ticket amounts to that expected based on the script review
- Returns should be timely and consistent

Marketing Monitoring
- Periodic script review
- Secret shopping

Telephone Merchants with Negative Option Marketing
- Scripts should include a clear disclosure of the terms before the customer provides payment information and agrees to order
- The action that must be taken by the customer to avoid further charges should be clearly explained
- The action that must be taken by the customer to cancel should be clearly explained
- The amount and timing of recurring charges should be clearly explained
- The specific card to be charged and amount that will be charged should be clearly explained
- The ETA Member should monitor for multiple sales on the same card to ensure there are no sales being charged that the cardholder is not aware of
- Shipping timelines should be clearly explained
- You should understand all URLs being used by the merchant with each merchant account
- Refunds should be timely and consistent
- If the merchant is passing an indicator with the transaction that tells you whether it is an initial transaction or continuity you can track chargeback and refund ratios accordingly

Mobile Commerce
- Regardless of the screen size or character limitations, the website should be reviewed just as a non-mobile website as all requirements are the same
- The fact that tablet sites have a higher average ticket than smartphone sites should be factored in to the transaction review

5.8. Increased and Expanded Marketing Review

Affiliate/Affiliate Network Marketing

Affiliates are generally responsible for directing consumers to merchant websites for purchases. It is recommended to monitor the processing statistics separately for each affiliate. It is also a recommended practice to require this monitoring be conducted at the merchant level. It is further suggested that you periodically request information from the merchant about the merchant's affiliate monitoring. Merchants typically have this information in the customer relationship management (CRM) system available for reporting. You should require the merchant take action to correct or remove affiliates that are creating negative ratios, which may be indicative of consumer disclosure issues. Criteria that you may recommend for the merchant to use in monitoring affiliate activity include:
- Approval ratios per affiliate should be monitored and the following triggers should be reviewed:
  - 100% approval ratios in any batch
  - <70% approval ratios
  - Rebill ratio <65%
  - Decline codes on those not approved should be less than 4% fraud codes (lost/stolen, pick up card, etc.)
- Refund ratios per affiliate should be monitored and the following triggers should be reviewed:
  - <5% refunds to sales
  - >10% refunds to sales
- Chargeback ratios should be monitored and the following statistics should be reviewed:
  - >.50% chargeback to sales
  - If greater than .70% the merchant should know why and report that for approval
- Transactions should be tracked to ensure that they are not coming from the same IP or device
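The affiliate triggers listed above can be evaluated mechanically from per-affiliate counts. The following is an added example, not part of the Guidelines: the record layout, the trigger code names, the sample affiliates, the use of item counts rather than dollars, reading "rebill ratio" as approved rebills over attempted rebills, and the `max_per_source` cap for repeated IPs or devices are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class AffiliateStats:
    """Hypothetical per-affiliate monthly counts, e.g. exported from the merchant's CRM."""
    affiliate_id: str
    batches: list               # (attempted, approved) per batch
    rebills_attempted: int
    rebills_approved: int
    declines_fraud_coded: int   # declines with lost/stolen, pick up card, etc.
    refunds: int
    chargebacks: int
    sources: list = field(default_factory=list)  # (ip, device_id) per sale


def ratio(numerator, denominator):
    """None instead of a division by zero, so empty periods raise no trigger."""
    return numerator / denominator if denominator else None


def affiliate_triggers(a, max_per_source=3):
    """Return the trigger codes (names are assumed) that this affiliate hits."""
    hits = []
    attempted = sum(att for att, _ in a.batches)
    sales = sum(appr for _, appr in a.batches)
    declines = attempted - sales

    # Approval ratios: 100% in any batch, or below 70% overall.
    if any(att and appr == att for att, appr in a.batches):
        hits.append("APPROVAL_100_BATCH")
    approval = ratio(sales, attempted)
    if approval is not None and approval < 0.70:
        hits.append("APPROVAL_LOW")

    # Rebill ratio below 65% (assumed: approved rebills / attempted rebills).
    rebill = ratio(a.rebills_approved, a.rebills_attempted)
    if rebill is not None and rebill < 0.65:
        hits.append("REBILL_LOW")

    # Fraud-coded declines should stay under 4% of all declines.
    fraud_share = ratio(a.declines_fraud_coded, declines)
    if fraud_share is not None and fraud_share >= 0.04:
        hits.append("FRAUD_DECLINES_HIGH")

    # Refunds to sales: both unusually low and unusually high are reviewed.
    refund = ratio(a.refunds, sales)
    if refund is not None and refund < 0.05:
        hits.append("REFUND_LOW")
    elif refund is not None and refund > 0.10:
        hits.append("REFUND_HIGH")

    # Chargebacks to sales: review above 0.50%, merchant explanation above 0.70%.
    cb = ratio(a.chargebacks, sales)
    if cb is not None and cb > 0.0070:
        hits.append("CHARGEBACK_EXPLAIN")
    elif cb is not None and cb > 0.0050:
        hits.append("CHARGEBACK_REVIEW")

    # Repeated origin: many sales from one IP or one device.
    ip_counts = Counter(ip for ip, _ in a.sources)
    device_counts = Counter(dev for _, dev in a.sources)
    if any(n > max_per_source for n in ip_counts.values()):
        hits.append("SHARED_IP")
    if any(n > max_per_source for n in device_counts.values()):
        hits.append("SHARED_DEVICE")
    return hits


# Constructed sample data (IP addresses are from documentation ranges).
AFF_A = AffiliateStats(
    "aff-A", [(200, 200), (300, 140)], 100, 60, 12, 41, 3,
    [("203.0.113.7", f"dev-{i}") for i in range(4)] + [("198.51.100.9", "dev-9")],
)
AFF_B = AffiliateStats(
    "aff-B", [(500, 450), (600, 520)], 400, 300, 3, 70, 4,
    [("198.51.100.1", "dev-a"), ("198.51.100.2", "dev-b")],
)
AFF_C = AffiliateStats("aff-C", [(1100, 1000)], 0, 0, 2, 20, 6)


def review_portfolio(affiliates):
    """Map each affiliate id to the triggers it hits."""
    return {a.affiliate_id: affiliate_triggers(a) for a in affiliates}


if __name__ == "__main__":
    for affiliate_id, hits in review_portfolio([AFF_A, AFF_B, AFF_C]).items():
        print(affiliate_id, hits or "no triggers")
```
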

6. Guidelines for Sponsoring and Monitoring of Independent Sales Organizations (ISOs)

6.1. Purpose and Scope of Guidelines for Sponsoring and Monitoring ISOs

This Section 6 of the Guidelines is meant to be a reference for ETA Members who sponsor ISOs in the underwriting and monitoring of those ISOs. As used in these Guidelines, sponsored ISOs, sub-ISOs, and agents when applicable will be jointly referred to as ISOs. The recommendations are intended to reflect the complexity of the relationship with a third party that is contractually permitted to perform any merchant-facing services. It is up to each ETA Member to determine the commensurate level of due diligence and risk management that is appropriate based on the individual relationships established with each ISO; however, certain minimum levels of oversight are necessary as long as there is a relationship with an ISO. For example, if an ISO relationship is limited only to sales activities performed by the ISO with no underwriting, monitoring, or other operational functionality performed by the ISO, you should still periodically review the ISO's marketing materials and sales practices to ensure compliance with Card Scheme and your individual policies, as well as monitor merchant portfolio statistics associated with the ISO in areas such as application fraud, among others. Although this document does not cover all areas of oversight of ISO marketing activity, it does provide high-level examples.

As defined in the overall purpose of these Guidelines, the recommendations provided within this Section 6 are also meant to prevent merchants engaging in practices that are unfair, deceptive, or harmful to consumers from participating in the card acceptance ecosystem. This goal may be furthered through active oversight of ISO merchant portfolios in a manner that can provide for earlier detection and mitigation of issues that may present loss exposure or consumer harm due to undesirable or prohibited merchants and merchant types; or, undesirable or prohibited merchant operational, sales, or marketing practices. These Guidelines can further assist you in identifying those ISOs (or those seeking sponsorship) that may be poorly managing merchants; or, those ISOs that may be facilitating undesirable or prohibited practices, knowingly or unknowingly. ETA Members that are unfamiliar with the risks related to higher risk merchants, or those that lack the proper due diligence and controls to manage those risks, may expose themselves and the card acceptance ecosystem to undesirable ISOs and merchants.

Regulatory authorities such as the FDIC have stated that entities (such as ETA members) that sponsor ISOs that engage in higher risk activities are expected to perform proper due diligence and risk assessments and maintain processes to monitor such relationships to determine whether merchants are operating in accordance with applicable laws. The FDIC has further stated that such entities that have appropriate controls in place will not be criticized for providing services to higher risk businesses that are operating in compliance with applicable laws.

Objectives for Guidelines for Sponsoring and Monitoring ISOs

The goals of this Section 6 of the Guidelines may be accomplished through definition of red flags for ISOs, which, as in the underwriting and monitoring of merchant accounts already discussed in Sections 2 through 5, will not necessarily dictate action. These red flags are examples of the types of situations

69 that could prompt review of the ISOs and the merchant portfolios and result in documentation in the ISO s file including: the reason for the review, the findings determined from the review, and the resulting decisions. The notation should include the decision that the activity is acceptable; or, whether further mitigation efforts including an action plan are warranted. These flags could also help detect individual merchant types within an ISO portfolio that, although permitted by the Card Schemes, are not permitted by an individual ETA Member s self-defined policies. Recommendations are made for remediation timeframes which should include an action plan with milestones and timelines, up to and including termination of the ISO agreement, when plans are not met; or, the circumstances triggering review are severe. Review of the ISO should be based on a thorough understanding of processing and related anomalies at the portfolio level, within segments such as MCC, merchant or product type, processing methods, and/or sales and marketing methods. Each ETA Member should also have requirements in place for monitoring of specific merchants within an ISO portfolio that fall within the ETA Member s defined criteria for ISO reporting to the ETA Member Special Considerations for Sponsoring and Monitoring ISOs Please note that this Section 6 is not meant to replace any laws, regulations, or guidelines applicable to third-party relationships, including but not limited to risk management authorities and guidance referenced in Section 1.4 and Exhibit A, or for contract provisions and considerations that should follow regulatory authority and legal counsel recommendations and Card Scheme requirements. Privacy, data security, business continuity, and contingency planning are considerations of which all ETA Members should remain cognizant. 
In addition, certain ISO and merchant business types, sales methods, or marketing practices may also require additional due diligence or registration as required by the Card Schemes and regulators. While not covered in depth in these Guidelines, Card Scheme registration, as well as data security, should be a focus of underwriting both ISOs and merchants as required by the Card Schemes and as appropriate based on an ETA Member s individual policies.. At all times, ETA Members should use their best judgment as it relates to each ISO, the ISO s business practices, and the ISO s merchant portfolios. ETA Members may request additional information from the ISO in the course of due diligence or monitoring, or impose restrictions, if necessary, for reasons including but not limited to: portfolio or specific merchant transaction processing activity with particular attention to daily processing volume, refunds and dispute activity; changes to principal credit or business financial condition; changes to the business model or to the accepted risk level of the business model; or, other combinations of factors determined by the ETA Member Policy and Procedures for Sponsoring and Monitoring ISOs All policies regarding ISO Sponsorship should have strong objectives explaining your goal for the use of ISOs, including the market segments in which you intend to allow ISOs to participate, and the inherent risks associated with processing for higher risk merchants, if allowed. Your policy should outline how the ISOs will be selected, assessed, and overseen. Each ETA Member should designate sufficient Electronic Transactions Association. All rights reserved.

70 staff with the necessary expertise, authority, and accountability to oversee and monitor ISOs with clear escalation requirements and procedures defined. The policy document should clearly outline the minimum requirements for underwriting, reviewing, and monitoring the transactions for ISOs that bear liability, and address the solicitation and oversight of sales agents and the role that the ETA Member will take in the oversight of the agent s activities. Each ETA Member should determine its tolerance and define within its policy the requirements for oversight of merchants identified in Card Scheme fraud and chargeback programs, including timeframes for rehabilitation and/or termination. No ISO may perform any contracted services including solicitation of merchants until the sponsorship has been approved by the ETA Member and Card Schemes and a written contract has been executed Effective Tools and Strategies for Due Diligence of ISOs Purpose for Due Diligence of ISOs Each ETA Member should be responsible for its ISO relationships and ensuring that the use of ISOs does not increase risk within the card acceptance ecosystem; particularly in areas of loss exposure, reputational risk, and fairness to consumers. In order to become an ISO, the entity seeking sponsorship should have sound business practices that the ETA Member has validated and is confident will not compromise the integrity of the card acceptance ecosystem. The first step to preventing harm from entering the card acceptance ecosystem is a thorough understanding of the entities who seek to solicit merchants on behalf of the ETA Member, either directly or through the use of additional ISOs or independent sales agents. ETA Members should not rely solely on experience with or prior knowledge of an ISO or the principals in lieu of conducting in depth due diligence of the ISOs ability to perform the intended functions. 
If you uncover information about an ISO or its principals that indicates additional scrutiny is warranted, then the scope of due diligence should broaden accordingly Objectives for Due Diligence of ISOs The objectives of ISO underwriting are to determine that the ISO satisfactorily meets the requirements of Card Scheme and the ETA Member individual policies in the following areas: Identify the ISO s principals and any related entities Determine that the ISO s financial condition is basically sound and can support the ISO liability or credit risk to the ETA Member Activities that Support Objectives for Due Diligence of ISOs Determine that the ISO and its principals have satisfactory credit based on the ETA Member s individual policy 2014 Electronic Transactions Association. All rights reserved. 65

- Determine that the principals do not have a criminal history that would preclude the ETA Member from conducting business with the ISO
- Determine whether there is anything in the ISO's, or its principals', background or method of doing business that would preclude the business from being approved as an ISO based on Card Scheme and the ETA Member's individual policy
- Determine the functions that the ISO will perform, including levels of merchant support
- Determine the breadth of knowledge of key management staff at the ISOs that are performing merchant customer service, underwriting, and risk management
- Review business continuity and disaster recovery of systems plans, if appropriate
- Understand the ISO business model and ancillary products or services
- Understand if the ISO is performing any ACH movement outside of the processor
- Understand all additional services offered, not just merchant sales

Risk Considerations

There are several types of risks that you must review and understand when sponsoring ISOs. Recent guidelines published in 2013 by the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board identify the following types of risk to those using third parties (including ISOs) to perform critical operational activities.

Operational Risk

Risk associated with the products, services and functions provided by ISOs to merchants, or by merchants to consumers; or, the delivery channels and processes that support such products, services, and functions. Operational risk also includes considerations such as the potential exposure for an ETA Member to experience losses based on inadequate processes, external events, or human error.

Compliance Risk

The risk that ISOs or merchants will fail to comply with U.S. laws, regulations, ethical standards, or an ETA Member's individual policy and procedures.

Credit Risk

The risk associated with an ISO that is unwilling or unable to fulfill obligations to the ETA Member or merchants, or cover the associated credit risk for merchants as a result of poor management of merchant underwriting and risk resulting in low-quality merchant portfolios.

Legal Risk

The potential that an ISO or merchant relationship could expose the ETA Member to legal expenses, including possible lawsuits.

Strategic Risk

When an ISO relationship offers products and services or conducts business in a manner that is not consistent or compatible with the ETA Member's strategic goals.

Reputation Risk

The likelihood that poor performance, service disruptions, or undesirable activities including violations of consumer law could lead to legal issues, loss of business, or negative perceptions in the marketplace for the ETA Member.

Concentration Risk

The risk associated when multiple processes, significant merchant relationships, or entire portfolios are reliant on limited resources or geographic concentration of resources.

Background Investigation Effective Tools and Strategies

It is critical for each ETA Member to understand the business and principals in an ISO relationship. The extent of due diligence review will be determined by each ETA Member based on the complexity and risk exposure associated with the ISO relationship. This subsection provides recommendations of factors to review and tools to use when conducting the background investigation.

Corporate/Partnership Documentation

You should cross check all principals named on the formation documents against databases maintained by the state of formation, looking for prior or additional business involvement. For any prior business involvement found, your additional research could focus on:

- History of consumer complaints
- Lawsuits filed against the ISO or principals
- Lawsuits filed by the ISO or the principals

For any principals listed that are not individuals, you should thoroughly investigate the entities, looking for indications that any parties might be seeking anonymity. Potential indicators could include, but are not limited to:

- Layers of corporations within the ownership structure
- Venture capital or angel investment groups where the applicant states there are too many owners to name individually or that represent silent partners

Background Investigation of Principals

All individuals with a principal interest in the ISO should be investigated, at a minimum including, but not limited to:

- OFAC Specially Designated Nationals (SDN) List check
- Criminal background check
  - Minor crimes may be ignored
  - Major crimes should be evaluated
  - Financial crimes are likely to be cause for rejection

ISO and Principal(s) Reputation

As discussed in Section , ETA Members should be cognizant of any reputation risks that an ISO relationship could present. Thorough research into the public perception of the business and principals that could have an impact on the ETA Member could include the following elements:

- Research experiences with other sponsoring entities (if applicable)
- Perform reference checks with industry associations
- Review any history of consumer complaints or actions with the BBB, FTC, or states' Attorneys General
- Review for lawsuits filed against the ISO or principals
- Review for lawsuits filed by the ISO or principals

Reverse Searches

ETA Members should be careful to verify data provided on the ISO application, looking for similarities to any other entity that may indicate a new ISO formation might be an attempt to re-brand an existing company with a damaged reputation. It is recommended to perform reverse searches on easily identifiable contact information, such as:

- Phone numbers provided on the ISO application and on any websites associated with the business

- All addresses provided for the ISO and all principals

Prior Businesses Owned or Operated by ISO Principals

- History of consumer and/or merchant complaints
- Reference Checks
- Lawsuits filed against the business
- Lawsuits filed by the business

Financial Review Effective Tools and Strategies

ISOs taking financial liability should be financially strong and have sufficient liquidity to substantiate the business plan and associated risk, or adequate insurance policies in place to cover potential gaps between risk and liquidity.

Financial Statement Review

It is recommended that ETA Members review at minimum the most recent three (3) years' complete financial statements, as well as the current year to date statements. These historical statements should demonstrate positive short and long-term strength and show sufficient financial capacity and capital available to cover potential losses over and above the projected residual stream. Financial strength and liquidity ratios should show positive trends using parameters including, but not limited to, the quick ratio, acid test ratio, and defensive interval.

Tax Return Review

Tax returns for both the business and the principals are also recommended to be reviewed for the previous three (3) years. Tax returns should be compared with the financial statements to ensure consistency, and any anomalies should be thoroughly reviewed.

Credit Check

The business Commercial Credit Report should be reviewed and compared to the business financials and tax returns to verify information provided and look for anomalies that need to be investigated. All principals' personal credit bureau reports should be reviewed and compared to the personal tax returns provided. The ETA Member should use the credit report to verify all personal information provided on the application. Prior employment may also be used to support reputation and background reviews by closely reviewing the principal's history for ties to organizations that may present reputation risk for the ETA Member.

Insurance Coverage Review

ISOs with financial liability should have sufficient insurance coverage for the level of complexity of the business against losses. This coverage is recommended to include dishonest or negligent acts, hazard insurance for fire, data loss, and protection of documents. Additional insurance coverage could include topics such as intellectual property rights. Specific insurance for chargebacks and breaches may be considered based on the portfolio.

Existing ISO Contract Review

It might be helpful for you to understand the terms of any existing contract that the ISO may have with other sponsors. It may also be important to understand if a non-compete exists and which party owns the merchant relationship and/or residual stream, specifically if the ISO is moving its portfolio.

Merchant Portfolio Review

If an ISO has an existing relationship with an established merchant portfolio, you should conduct a review of the portfolio even if the ISO will not be converting the portfolio to you. As part of any such review, you should understand the types, quantities, and performance metrics of the merchants in the existing portfolio. You should further ensure that the ISO portfolio content and practices meet your defined policies. Examples of things to examine when reviewing an existing portfolio include:

Merchant Portfolio Basis Points

The existing merchant portfolio should be understood in terms of profitability and loss as a reflection of overall activity, at minimum:

- Average portfolio profit margin and major contributing factors
- Average portfolio bad debt and major contributing merchants

Merchant Portfolio Activity Statistics

Portfolio statistics should be evaluated as discussed in Section for underwriting merchants and used to set baseline performance monitoring criteria for the ISO when reviewing trend reporting discussed in and performing periodic reviews broken out into verticals as determined appropriate by each ETA Member based on the understanding of the ISO portfolio. It is recommended at minimum to review:

- Card present to card not present processing statistics
- Transaction count and dollar amounts

- Refund ratios for count and dollar amounts
- Chargeback ratios for count and dollar amounts

Merchant Portfolio Demographics

The ETA Member should review portfolio demographics that are available based on the makeup of the merchant portfolio. Statistics and six (6)-month trend reporting should be reviewed for each category as discussed in Section using a format similar to that provided in Exhibit I. Examples of demographic categories that may be analyzed include, but are not limited to:

- Restricted merchants
- MCCs
- Business type or marketing method concentrations
- Processing method concentrations (mobile, e-com, MOTO, face-to-face, etc.)
- Other verticals determined appropriate, including those with concentrations of merchants requiring higher due diligence

Merchant Portfolio Loss History

Review of the ISO's historical management of losses and bad debt may provide significant insight for the underwriting and risk management practices of the ISO and help uncover areas of potential concern or opportunities for training. The ETA Member should review the loss history for the past three (3) years, and:

- Obtain detailed explanations of unusual or large losses
- Understand procedural changes implemented due to large losses
- Examine the open portfolio for any current merchants with similar characteristics to loss merchants

The ETA Member should also understand the ISO's merchant bad debt practices, including:

- Third-party collection and/or other agencies used
- ISO oversight of those third-party activities
- A review of general performance

Review of Business Plan and Marketing Analysis

While this section is not intended to provide complete information regarding business plans and marketing plans, it is intended to give the ETA Member a starting point. A good business plan may provide a thorough and logical breakdown of how the ISO profits and may include information regarding the history, competition, finances, operations, and merchants. It is important to understand the ISO's approach to soliciting business, the growth goals and projections as well as the types of merchants that may be targeted in order to ensure that the ISO has realistic expectations and core principles that align with your goals. The complexity of the business plan should provide insight into the depth of experience and sophistication of the ISO organization and help you determine the appropriate levels of oversight that may be required to properly oversee the relationship. Examples of key elements to analyze in a business plan could include:

Business Attributes

- Length of time in business
- Market share
- Staff experience
- Understand the ISO's technology and systems that the ISO has in place or plans to use, either proprietary or commercially available

Business Volatility

- Review for significant historical changes to the business model or activities
- Understand why the ISO is looking for a new or secondary relationship along with the intended sales strategy
- Understand how often the ISO has obtained new or secondary relationships along with the reason for the changes

Marketing Effectiveness

- Compare the communicated strategy to the current merchant portfolio, if applicable, including:
  - Targeted merchant business types and reasons for pursuit
  - Targeted agent and/or referral partner types and reasons for pursuit
- Understand expected merchant application metrics, such as:
  - Number of merchants

  - Verticals
  - Processing volumes
  - Card not present vs. card present
  - Traditional vs. non-traditional

Products and Services

You should understand the ISO's value-added products and services, including:

- Determine what products and services the ISO intends to sell in addition to payment processing
- Determine what is offered directly by the ISO vs. through an additional third party
- Determine whether any value-adds create additional registration and/or data security concerns
- Determine if third-party vendors are performing any of the ISO's services or providing any ISO-branded products, which may include merchant PCI Compliance validation programs or technology partners such as gateways or mobile application providers, and the extent to which that third party may create additional liability for the ISO or the ETA Member

Value-Added Resellers (VARs)

- Determine if the ISO business plan includes building a network of VARs that will provide integration services between merchants and the ISOs or your technology solutions and whether those VARs present additional registration and/or data security concerns

Marketing and Solicitation Materials

The ETA Member responsible for ensuring that ISO marketing materials are compliant with Card Scheme requirements may find these tips and tools useful when reviewing the marketing and solicitation materials:

- Review and understand all marketing and solicitation materials, including websites
- Ensure that the pricing structure and cost savings claims are realistic and do not violate any billing disclosure or consumer protection rules (including UDAAP and other laws)
- Ensure that the materials follow all Card Scheme rules

- Review marketing through all channels employed by the ISO, including a web sign up process
- Go through the customer (i.e., merchant) application experience to evaluate the disclosures and compliance with requirements, including hard copy/paper, online, mobile, or other types of application methods

ISO Policy and Procedures Requirements

Each ETA Member should ensure the ISO has minimum required policies and procedures in place, as defined by the ETA Member's policies for ISOs. The ETA Member should review and approve all existing or proposed ISO policies and procedures. Particular attention should be paid to the ISO business goals to ensure that there is no conflict with your strategic goals. Policies may include, as applicable, but are not limited to, the following:

- Merchant solicitation
- Merchant acceptance criteria/credit policy (underwriting)
- Merchant deposit monitoring standards/transactional risk monitoring
- Merchant collection (bad debt)
- Agent solicitation
- Agent acceptance criteria/credit policy (underwriting)

Onsite Inspection

It is recommended that onsite inspection be performed by each ETA Member of its current and prospective ISOs. This can provide the ETA Member with the benefits of verifying the understanding of ISO operations and seeing firsthand the systems and internal controls used by the ISO. It can also provide an opportunity to meet with key management staff who will be interacting regularly with you. Onsite inspections also help you ensure that the ISO is properly staffed to support the services and operations. ISOs with more responsibility or technical product or service offerings, such as gateways, may have requirements for data security, and you should ensure that proper security and data controls are in place as applicable.

ISO Training Program Examples

It is recommended for ETA Members who oversee ISOs to have a formal training program in place for new ISOs. It is also recommended that such training occur onsite, either at your or the ISO's location, as appropriate. Dependent on your policies and the services managed by the ISO, the training program could include:

- Credit Policy and Procedures

- Systems Access and Controls
- Risk Policies and Procedures
- Sales Procedures, to include but not be limited to:
  - Proper disclosure regarding merchant account terms and conditions, including fees
  - Agent and referral recruitment and due diligence policies

6.7. Periodic Reviews

Periodic reviews allow ETA Members to determine if the ongoing ISO processes align with the ETA Member's own business plan and strategy and effectively manage risk. It is recommended to use a standardized review format such as the example provided in Exhibit K.

- At minimum, annual reviews should be completed of the ISO, or larger producing entities
- This review should mirror the original underwriting due diligence process and note any changes in condition
- An onsite review of the staff and procedures followed is recommended
- Quarterly statistical review of merchant portfolio performance should be completed if the annual review alerts to anomalous conditions
- Website and merchant sign up flow may need to be reviewed quarterly if merchant complaints or online review indicate anomalous conditions
- ISO agent solicitation may also need to be reviewed quarterly based on complaints or anomalous activity
- For higher risk ISOs, it is recommended to conduct reviews more frequently than annually
- Active monitoring programs to monitor performance may also be helpful

6.8. Effective Tools for Monitoring ISOs and their Merchant Portfolios

Each ETA Member should ensure that its ISOs are performing duties as required by the Card Schemes and the ETA Member's policy for the underwriting and oversight of merchant accounts. Each ETA Member should perform some level of oversight of the daily functions of the ISO as well as monitor the overall metrics to help understand when a more intense review of the ISO may be necessary. The information in this subsection provides examples of such oversight. If you are performing underwriting or risk management functions, rather than the ISO, these practices have been covered in the earlier sections of the Guidelines.

81 If the ISO has sub-isos or agents responsible for a large portion of business, as defined by your risk policies, the review outlined below should be performed at the sub-iso and/or agent level as well. The sub-iso/sub-agent review should be performed by the ISO on a monthly basis and then reported to you on a monthly or quarterly basis. If the sub-iso and/or agent is not performing as desired, you may want to directly monitor and review the sub-iso and/or agent as well. At a minimum, if there is concern about a sub-iso and/or agent s performance, the ISO should be able to demonstrate that satisfactory due diligence has been completed. When necessary, a written remediation plan should be in place with defined timeframes for improvement and repercussions if remediation requirements are not met Shadow Monitoring Each ETA Member should have processes in place to perform ongoing quality checks of ISO merchant underwriting and risk monitoring practices. These checks may vary from full review of all files and transactions to a review of a predetermined percentage based on the ETA Member s own policy and comfort level with the experience of each ISO, as well as the types of merchants and corresponding levels of risk in each portfolio. If a percentage is selected and the requirements are not met at the designated tolerance, an additional selection should be reviewed for a specific timeframe. If further determination is made that the tolerances are not being met, it is recommended that the ISO should then be placed on a remediation plan similar to that defined in Section Shadow Underwriting The ETA Member should understand the daily underwriting practices of the ISO. One effective tactic to achieve that understanding is to review all or some of the files that are underwritten. You should be able to review the files through secure access to the ISO s system or a secure posting of the documents. If this is not available, the ISO should send a hard copy to you. 
This review should ensure that all information required, based on Sections 2 and 3 of these Guidelines, is collected, reviewed, and used to both approve and decline merchant applicants. If the ISO targets or has a concentration of merchants that present a greater exposure, the review should cover either all of the files submitted for approval or a higher percentage than ISOs with a concentration in merchants that have a lower exposure. If it is determined through review that the ISO is not meeting your requirements, such review should be increased and the ISO should be further trained on your requirements. You should give the ISO clear timelines for remediation as defined in Section Shadow Transaction Review Each ETA Member should understand the daily transaction, chargeback, and refund monitoring practices of the ISO. One of the best tactics to achieve that understanding is to review all or some of the merchants transactions and review of the case notes Electronic Transactions Association. All rights reserved.

82 written by the ISO on large or anomalous items. It is recommended that you require that the ISO provide you with view or read-only access to the ISO s systems. This review should ensure that all information required, based on Sections 4 and 5 of these Guidelines, is collected, reviewed, and used by the ISO in deciding the outcome of such monitoring. If the ISO specializes in merchants that have a greater risk exposure, the review should be more in-depth than of an ISO that specializes in merchants that have a lower risk exposure. If the ISO uses its own risk monitoring system and you are unable to directly access that system, you should have exception parameters established for the ISO s merchant transaction activity within your own risk system. You should have staff assigned to review the exceptions of highest priority and follow up with the ISO to request explanation on those exceptions of concern to you. If it is determined through review that the ISO is not meeting your requirements, such review should be increased and the ISO should be further trained on your requirements. You should give the ISO clear timelines for remediation as defined in Section Shadow Review of Terminated Merchants Each ETA Member should include a review of terminated merchant accounts in the oversight review of the ISO. Such review should ensure the ISO is properly reviewing and terminating merchants based on the procedures defined in Sections 4 and 5 of these Guidelines. As with the review for transaction monitoring, the case notes should be reviewed to ensure all procedures were followed including adding the merchant to MATCH or other negative databases maintained by Card Schemes, when appropriate. If it is determined through review that the ISO is not meeting your requirements, such review should be increased and the ISO should be further trained on your requirements. 
You should give the ISO clear timelines for remediation as defined in Section.

Shadow Review of Account Maintenance

While it is always a good practice to review change management procedures, it is an effective practice to increase that review when an ISO is under investigation or you have determined that there is a need for ongoing monitoring. It is recommended to examine and understand ISO risk management practices regarding merchant changes. It is also recommended that random sampling audits be performed to ensure proper protocol is followed for changes, particularly for higher risk activity such as ownership, DDA changes or multiple changes occurring in a short timeframe. Each ETA Member should define the types of accounts (size, business type, etc.) that require inclusion in this report when the following types of account changes occur on those accounts, such as:

Merchant DBA changes
Ownership changes
All descriptor changes
Any phone number changes
Website changes
DDA changes

Shadow Merchant Reputation Monitoring

A plethora of information is available online for reviewing consumer perception regarding a merchant. This is an easy tool for investigating ISOs, particularly those representing potential higher risk due to marketing or sales methods, product type, or operational issues. Types of online resources include but are not limited to:

Consumer complaint boards
Better Business Bureau (BBB)
Ripoff Report
General Internet searches

Monthly Reporting

Each ETA Member should evaluate the ISOs they work with to understand the portfolio statistics and determine appropriate monthly monitoring thresholds according to what makes sense for the individual ISO or merchant portfolio. It should be noted that regulatory authorities such as the OCC have expectations that sufficient documentation and reporting exists to facilitate proper oversight, accountability, and monitoring and risk management.

It is recommended that each ETA Member establish reporting on a monthly basis that is either generated from the ETA Member's systems or reported by the ISOs. These reports should summarize activity within the month and identify month-to-month variations in the portfolio over a minimum six (6)-month period to identify trends. In some cases, you may review the monthly statistics over a 12-month period. Such review may also include the comparison of the same time period to the previous year. You should use these reports to determine anomalies that warrant further investigation of the ISO.

It is further recommended that such reporting be segmented within a portfolio to provide more in-depth monitoring for areas of concern to allow for early detection of potential issues. This is particularly important for monitoring ISOs that are approved to work with higher risk merchants. This segmentation should be available for all report types in this section. The reports defined in this section are examples of reports that may be reviewed on an ongoing basis. The exact reports reviewed by each ETA Member will be dependent upon the characteristics of the individual portfolios and be clearly defined to ensure the ETA Member understands the merchants within the ISO's portfolio and the exposure that the portfolio presents to the processing ecosystem. Suggested segments may include:

Card present/card not present
Retail/MOTO/e-Commerce/m-Commerce
Restricted/monitored
Registered high risk merchants
Any other merchant requiring registration
MCC
Sub-ISO portfolios
Independent agent portfolios
Business types
Merchant verticals
Business methods marketing/sales/delayed delivery
Geographical location of merchants
Third-party vendors used by the merchants (such as CRMs, e-commerce template shops, billing/invoice management systems)
Any other criteria defined based on unique characteristics and data points of merchants that can be grouped within the portfolio

The report types and example numbers provided in this subsection are meant to represent typical management summary reporting available in the industry for your reference. It is expected that ISOs that have higher concentrations of merchant populations with typically higher ratios will have higher averages than described. If you have approved an ISO for exception merchant processing, this approval should be documented in the ISO file and the numbers triggering further review should be adjusted to better reflect the specific portfolio. Each ETA Member will determine what types of reporting are appropriate for its use. It is important to note that even if the ISO is below established alert thresholds, any change in month-to-month performance within a predetermined tolerance (up or down) of the typical monthly average should be reviewed.

Portfolio Statistic Reporting

Underwriting Monthly Statistics

Merchant application approval and decline ratios
Pending application stats and trends
Record and monitor all instances of ID theft and/or fraudulent applications

MCC Monthly Statistics

Statistical report showing concentrations of MCCs assigned during the month compared to total applications
Report of merchants assigned MCCs requiring additional Card Scheme registration (if applicable)
Statistical report showing entire portfolio concentrations of MCC usage
If MCC issues such as high concentrations in generic codes, high chargebacks or returns, or improperly coded merchants are found, it is recommended that you also request a report of MCC changes requested, approved or declined with reasons provided
If such issues are found, it is recommended that you also monitor for excessive usage of any MCC, particularly generic descriptions

Merchant Annual Reviews Completed During the Month

A summary list with decisions and high level case notes should be provided of accounts that qualified for annual reviews by the ISO which were completed during the month based on parameters established by the ETA Member for the size of merchant account or circumstances that the ETA Member wishes to see.

Card Scheme Registrations or Renewals Completed

A summary list of all new and renewed registrations should be noted and provided on a monthly basis. Ensure all new partners receive proper training on Card Scheme and your individual rules.

PCI Compliance Statistics

PCI Compliance statistics should be monitored on a frequency to be determined by each ETA Member as best fits individual monitoring needs. Such monitoring frequency should meet minimum Card Scheme requirements.

Attrition Reports

The following types of reports described are meant as suggestions of things that you should look for if it is determined that monitoring of attrition data is an area of concern for a particular ISO based on anomalous activity that warrants closer attention:

A list of larger merchant accounts as defined in Sections and closed during the month should be reported with reasons for closure
High percentages, as defined by your policies, of attrition at the portfolio level or within established verticals, examined for potential deceptive practices that may have been used by the ISO during the sales process

Assessment of Early Termination Fees

Evaluate the number and total dollars of fees assessed to merchants that the ISO terminated, or that ended their relationship with the ISO, during the contract term. Ensure the fees assessed were properly disclosed during the sales process and reasonable based on the merchants' processing statistics.

Top Processing Volume, Chargeback Volume and Refund Volume Reports

As described in Section , merchants that represent significant percentages of a portfolio should be reviewed periodically, outside of the review for flagging excessive activity parameters. If a merchant is identified in more than one category listed above, a single review is appropriate. It is an effective business practice to perform a cumulative assessment for merchants with related or chained merchant accounts. Within grouped merchants, each location should be reported individually to determine whether the total processing statistics are hiding an issue at a single location.

The review of these larger processing merchants should be documented in a standardized format such as that described in Section. As a recommended practice this reporting and subsequent review should be done for merchants in the portfolio, and/or verticals, that represent the:

Top processing volume
Top chargeback volume by both dollar and count
Top refund volume by both dollar and count

Merchant Exception Monitoring Reporting

The establishment of monthly management reporting for exception monitoring is important to ensure that there is appropriate senior-level oversight of the day-to-day activities within risk management. Monthly reporting should provide a high-level summary regarding activity deemed by each ETA Member to warrant management and/or senior-level attention. Each ETA Member should understand the portfolio activity that may present a higher risk or acts that are taken to reduce risk.

Daily Exception Significant Events Summary Report

Each ETA Member should establish criteria for reporting of higher risk events that are reviewed during the daily exception monitoring throughout the month. This report should include events where substantial potential loss was mitigated as well as those that are pending mitigation, or likely to create a loss. The ETA Member should also request that identified repeat patterns of fraud or merchant behavior be reported.

Monthly Merchants Processing in Excess of the Approved Dollar Volume

It is a recommended practice to know when merchants are processing greater volumes than approved. Each ETA Member should determine a threshold for identifying merchants to be reviewed for increased processing approval following due diligence appropriate for the level as defined in Section 2 of these Guidelines. The occurrence of processing outside of parameters, if excessive across the ISO portfolio, should be reviewed for sales vertical, agent or sub-ISO trends to understand if more training is necessary in defining application volumes or if application volumes may be under-represented to facilitate merchant account approval.

Decreased Activity Reporting

Each ETA Member should define a threshold for ISO reporting of large accounts that experience a decline in processing volume.

Merchants with larger monthly sales activity as defined in Sections and/or whose processing has decreased by a predetermined % from the prior month
Merchants with larger monthly sales activity as defined in Sections and/or who have experienced two (2) or more successive months of decreasing activity
Merchants who process some predetermined volume in the prior month but had no processing in the report month or that show a pattern of roller coaster processing should be reviewed and such activity should be understood

Refund Monitoring Reporting

Each ETA Member should define a threshold ratio for expected refund processing as a reflection of both dollar value and number of transactions, above which ISO activity will be further reviewed. Upon review, the ETA Member should gain an understanding of the merchants driving the portfolio refund ratio as defined in Section. If the ETA Member finds the ratios acceptable based on review of the ISO portfolio, the ISO file should be documented with the degree of exception approved and the reasons why. New thresholds should also be established to trigger additional future review. If the ETA Member does not find the ratios acceptable, remediation efforts as defined in Section should be followed.

It is important to note that anomalous portfolios may exist based on differing concentrations of merchant risk categories. ISOs approved for such activity should be well documented and understood by the sponsoring ETA Member, with specialized monitoring criteria established as makes sense for the ETA Member's business plan. Some examples of portfolio refund ratios established from industry averages that may require action and/or potential actions as the ratios increase from category to category are listed below:

Card present refund ratios greater than 2% or card not present refund ratios greater than 3% at the portfolio level. It is recommended that the ETA Member obtain a written outline of the specific merchants or verticals driving the portfolio refund ratio, with documentation regarding the reasons for acceptability of the increased ratios or the ISO's remediation plan.

Card present refund ratios greater than 3% or card not present refund ratios greater than 5% at the portfolio level. It is recommended that the ETA Member obtain a written outline of the specific merchants or verticals driving the portfolio refund ratio as well as a written remediation plan for the reduction of the portfolio refund ratios.

Card present refund ratios greater than 4% or card not present refund ratios greater than 8% at the portfolio level. It is recommended that the ETA Member understand why the refund ratios have not already been reduced based on the remediation plan provided. It is further recommended that the ETA Member establish a timeframe within which the reduction should occur and that:
Such timeframe should not be longer than three (3) months to show improvement;
If no improvement is noted, the ETA Member should follow the strategies in Section for actions that should be taken, up to and including nonrenewal or immediate cessation of the ISO's contract.

If the refund ratio is at or above the ratios described above and such ratio is acceptable to the ETA Member, the ISO file should be properly documented explaining the acceptable ratios and identifying parameters at which the ISO portfolio activity may be considered unacceptable.

Chargeback Monitoring Reporting

As recommended for refund monitoring in the previous subsection, each ETA Member should define a threshold ratio for expected chargeback activity, as a reflection of both dollar value and number of transactions, above which ISO activity will be further reviewed. Upon review, the ETA Member should gain an understanding of the merchants driving the portfolio chargeback ratio. Chargebacks and dispute resolution statistics for merchants with chargeback activity above a threshold defined by the ETA Member should be explained with documented reasons for acceptability. If warranted, the ISO should provide a plan to reduce the chargebacks. As with refund statistics, anomalous portfolios may exist based on differing concentrations of merchant risk categories.
ISOs approved for such activity should be well documented and understood by the sponsoring ETA Member, with specialized monitoring criteria established as makes sense for the ETA Member's business plan. If the ETA Member finds the chargeback ratios acceptable based on review of the ISO portfolio, the ISO file should be documented with the degree of exception approved, the approving ETA Member authorized individual and the reasons for the exception. If the ETA Member does not find the chargeback ratios acceptable, then remediation efforts as defined in Section are recommended. Some examples of chargeback ratios established from industry averages that may indicate review and potential actions are necessary as the ratios increase from category to category are listed below:

If the chargeback ratio is acceptable to the ETA Member at a higher level for the ISO portfolio, the ISO file should be properly documented explaining the acceptable ratios and identifying parameters at which the ISO portfolio activity may be considered unacceptable.

Chargeback ratios of 30 basis points (BPS) or greater at the portfolio level. It is recommended that the ETA Member obtain a written outline of the specific merchants or verticals driving the increased chargeback ratio with documentation regarding either the reasons for acceptability of the higher ratios or the ISO's plans for remediation.

Chargeback ratios of 50 BPS or greater at the portfolio level. It is recommended that the ETA Member obtain a written outline of the specific merchants or verticals driving the higher chargeback ratio and obtain a written remediation plan to reduce the portfolio chargeback ratios as well as the individual ratios for the merchants causing the higher portfolio ratio.

Chargeback ratios 70 BPS or greater at the portfolio level. It is recommended that the ETA Member understand why the chargeback ratios have not already been reduced based on the remediation plan provided. It is further recommended that the ETA Member also establish a timeframe within which the reduction must occur and that:
Such timeframe should not be longer than three (3) months to show improvement;
If no improvement is noted, the ETA Member should follow the strategies in Section for actions that should be taken up to and including nonrenewal or immediate cessation of contract.

Card Scheme Excessive Merchant Chargeback Activity

If the ETA Member allows ISOs to rehabilitate merchants identified under Card Scheme monitoring programs, the ETA Member should define policies for oversight of the ISO program. It is recommended that oversight of the progress of such merchants be tightly controlled, with frequent updated trend reporting for merchant activity throughout the month.

Merchant Loss Reporting

Each ETA Member should gain an understanding of the merchants driving the larger losses, defining a threshold at which the ISO is required to report activity to the ETA Member in a monthly summary. The monthly reporting may include the items listed below:

Significant merchant losses above an amount defined by the ETA Member
Description of the circumstances that led to the loss(es)
Portfolio monthly loss trends over a rolling 12-month period
Annual trending showing year over year performance should also be reviewed and understood
Seasonal trends for the merchant portfolio should be taken into account when evaluating loss trends

Significant Terminations

Each ETA Member should understand the circumstances of large merchants that have been terminated by the ISO and any resulting actions, such as the assessment of early termination fees.

Merchant Reserve Activity

Each ETA Member should understand and approve significant (as defined by the ETA Member) merchant funds released and should require monthly reporting of funds released and significant (as defined by the ETA Member) merchant funds collected.

Secret Shopping Summary

When Secret Shopping is a tool in use by the ISO, the ETA Member should request that a summary list be provided monthly, containing accounts that were subject to secret shopping by the ISO, including case notes showing satisfactory results or the remediation required.

Restricted Merchant Exception Activity

It is recommended that larger exceptions generated on restricted merchant types and the subsequent review findings be summarized by the ISO for the ETA Member's review.

6.9. Remediation

If an ETA Member, through proper review of its ISOs as noted above, finds that an ISO is not adhering to the ETA Member's requirements, the ETA Member should make an assessment to determine whether circumstances warrant the implementation of remediation proceedings. Remediation plans should be in writing and include items such as those listed in below, which may also be used in conjunction with increasing ISO reserves held by the ETA Member or increasing rates being charged to the ISO based on the poor performance. Reserves and pricing increases should not be in lieu of the ISO discontinuing the practices as defined in its remediation plan and should instead be used as incentive to swiftly adhere to the plan.

The ETA Member must make an assessment of each situation while bearing in mind the responsibility of the ETA Member to safeguard the integrity of the card acceptance ecosystem, prevent the use of deceptive practices by ISOs and merchants, and mitigate reputational risk. The ETA Member must gauge whether the issue can be improved through education and remediation efforts, or whether there are inherent product/service, sales, customer service or other operational issues.

The remediation plan should include clear milestones that should correct the issue in a timely manner. Although the actual timeline may differ based on the individual circumstances, improvement should be seen in a minimum of three (3) months with the complete correction seldom taking longer than six (6) months. If a longer timeline is acceptable based on the circumstances, you should clearly note the circumstances allowing the extended remediation and expected completion dates. You should also clearly outline and communicate the repercussions if the milestones are not met, up to and including non-renewal or immediate cessation of contract.

Remediation Tools

Examples of effective methods that may be employed as part of an ISO remediation strategy are listed here. This list contains examples for your consideration to employ as makes sense according to the circumstances with the individual ISO and is not meant to be all inclusive. You should use your best judgment in determining how best to manage each situation.

Onsite audits
Portfolio analysis to determine root causes of inflated statistics
Review the portfolio based on available data points such as MCC, processing method, sub-ISO, independent sales agent or other verticals appropriate to the portfolio
Reduction in underwriting authorities extended
Remove auto-approval authority
Restrict the types of merchants the ISO is permitted to sign

Increase restrictions and definitions of merchants that require ETA Member escalated approval
Increased oversight and/or Shadow Monitoring of the underwriting process
Increase sample percentage of applications reviewed up to 100% depending on the severity of ISO issues
Increased oversight and/or Shadow Monitoring of risk-related functions
Increase sample % of exceptions reviewed up to 100% depending on the severity of ISO issues
Increased risk mitigation requirements for applicable merchants
Mandate deposit settlement delays
Mandate daily discount
Require written merchant remediation plans
Mandate merchant reserve requirements
Mandate merchant account processing suspension during investigation or remediation
Mandate merchant termination requirements
Increased detail of monthly reporting
Include specific verticals that are identified as a potential cause of the ISO's position
Reduce thresholds that trigger reporting
Change in commission structure or reduction in residual payment

Remediation Timeframes

Remediation plans should typically be extended in three (3)-month intervals, with individual circumstances and severity determining whether that time should be shorter or longer. Within the three (3)-month remediation periods, evaluations should be made at minimum every month to determine progress toward identified goals. It should be recognized that ISOs may need time to implement a reasonable plan of action, specifically if system changes are necessary, and for the resulting benefit of that plan to be realized in month-end reporting. However, improvement should begin to be seen by the second or third month to determine whether additional time should be given. Although certain circumstances may dictate a longer remediation timeframe, it is not recommended that you accept remediation plans predicting greater than a six (6)-month remediation period. It is further recommended that when the plan is taking longer than six (6) months, or other agreed upon timeframe, that you understand the cause and consider actions up to and including nonrenewal or termination of the contract.

ISO Termination

Termination of the ISO relationship is an extreme measure; however, an ETA Member should consider this option if the ISO is not remediating as they agreed through the plan they designed or when the ISO is not responding to other financial repercussions. In addition, regulatory authorities such as the OCC have stated in published guidelines that there is an expectation to see written contingency plans for terminating relationships in an effective manner. These Guidelines do not make recommendations on specific circumstances that warrant termination, as that is up to the individual ETA Member to determine; however, the recommendation is that each ETA Member has such a plan in place. If the ETA Member chooses to terminate an ISO, that ISO should be properly reported to the Card Schemes to ensure the Card Schemes understand the circumstances surrounding termination.

7. Conclusion

The Guidelines included in this document are the result of a collaborative effort among ETA Members based on their recognition of the need for an educational initiative for ETA Members regarding effective tools for protecting the consumer, merchants, and the card acceptance ecosystem. These Guidelines are not exhaustive, but may be helpful to ETA Members of all sizes and at all levels of organizational complexity in underwriting, monitoring, and managing merchants and ISOs at varying levels of risk exposure.

ETA Members should provide feedback regarding additional considerations for future versions of these guidelines and ongoing educational efforts to keep all ETA Members informed of emerging opportunities based on advances in technology and the effects those opportunities have on underwriting and risk management practices.

ETA Members have the latitude to determine the methods to perform gap analysis and implement recommendations as best fits the complexity of their individual organizations so long as the minimum requirements of the Card Schemes, their bank and governing regulatory authorities are met. Once an ETA Member has gone through an internal gap analysis and implemented the guidelines or other risk mitigation tools as appropriate for their individual business needs, an agile business approach as defined throughout this document can make future incorporation of additional, newly defined effective business practices more manageable.

Exhibit A

Red Flags Rule
Visa International Operating Regulations & MasterCard Rules
US PATRIOT Act
Bank Secrecy Act (BSA)/Anti-Money Laundering Laws (AML)
Consumer Financial Protection Bureau (CFPB) Laws and Regulations
Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)
The Federal Trade Commission (FTC) Act and FTC Bureau of Consumer Protection
Telemarketing Sales Rule (TSR)
The FTC Fair Credit Reporting Act (FCRA)
The FTC Dot Com Disclosure Guidelines
FTC Guidelines for Online Negative Option Marketing
The FTC Franchise and Business Opportunities Rule
The United States Federal Communications Commission (FCC) Telephone Consumer Protection Act (TCPA)
Payment Card Industry Data Security Standards (PCI DSS)
Office of the Comptroller of the Currency (OCC) Advisory on Merchant Processing and Risk Management Guidance
Federal Deposit Insurance Corporation (FDIC): Guidance on Payment Processor Relationships, Risk Management Examination Manual for Credit Card Activities and Supervisory Approach to Payment Processing Relationships with Merchant Customers That Engage in Higher-Risk Activities
Telephone Order Merchandise Trade Regulation Rule
The Restore Online Shoppers' Confidence Act
Office of the Comptroller of the Currency (OCC): Third-Party Relationships Risk Management Guidance
FDIC Unlawful Internet Gambling Enforcement Act of 2006 (UIGEA)
Bureau of Alcohol, Tobacco, Firearms and Explosives Laws, Regulations and Rulings
IRS Topic 307 Backup Withholding

Exhibit B.1 Sample Relationship Processing Summary

Merchant A CORPORATION $162,139, $57.77 $4,902, % $585, %
Merchant A CORPORATION $19,487, $1, $196, % $13, %
Merchant A UK LIMITED $3,088, $1, $87, % $ %
Merchant A UK LIMITED $ $0.03 $87, % $ %
DBA 2012 AV Number of Trans Average Ticket 2012 Credits 2012 CR % 2012 CB's 2012 CB?
Merchant A CORPORATION 4/6/2010 $19,871, $2, $130, % $15, % $60,000,000 $33,119,505
Merchant A UK LIMITED 4/6/2010 $3,875, $1, $29, % $6, % $60,000,000 $6,459,085
Merchant A UK LIMITED 4/6/2010 $37,030, $66.25 $712, % $173, % $72,000,000 $61,717,887
Totals $200,295, $68.69 $5,476, % $804, % $333,826,171
Merchant A CORPORATION 12/7/2009 $139,517, $59.51 $4,603, % $608, % $192,000,000 $232,529,694
DBA Date Opened 2013 AV Number of Trans Average Ticket 2013 Credits 2013 CR% 2013 CB's 2013 CB% AV Annualized

Exhibit B.2 Sample Processing Statement Analysis

Blank worksheet with one row per month (Jan through Dec) and the following columns: Month; Tickets; Sales; Avg Ticket; # of Returns; Return Volume; Return % (based on trans); Return % (based on volume); # of Chargebacks; Chargeback Volume; CB % (based on trans); CB % (based on volume).

Summary fields: Average Monthly Volume; Average Ticket; Average Return % by Transaction; Average Return % by Volume; Average CB % by Transaction; Average CB % by Volume.

Exhibit C Website Basic Review Checklist

All website pages must be captured and stored with the merchant file either in paper or electronically.

Merchant Name:
URL:
Domain Name Owner captured from Whois:
Server Location:
Type of Product Sold:
Customer Support contact information:
Phone:
Address:
Terms and Conditions:
Does corporation name match application name? Yes / No
Negative option billing: Yes / No
Are charges listed other than the ONE on the purchase page? Yes / No
Membership of any type: Yes / No
Privacy Policy: Yes / No
Data Share: Yes / No
Shipping Policy:
Refund Policy:
Currency in U.S. Dollars: Yes / No
Secure Processing: Yes / No
Initials of person performing review:
Date of Review:

Exhibit D Quick Reference Guide Online Review Resources

Resource Name: Link: Description:

Superpages.com - Address/Phone Reverse Search
MasterCard Online (TMF search) - blic/extranet/login/workspace.html - Used to access MasterCard Match/TMF Search
Domain/URL/Whois Lookup - URL/Domain registration search used to verify who registered a website
People search - Address/Phone Reverse Search
Business Filings - Used to access state corporation records
Texas state site - Used to access state corporation records
Nonprofit Organization Lookup - Reverse search to verify non profit status
Better Business Bureau - Access to BBB reports used to view customer comments for a merchant
Federal Reserve routing # directory - ml Reviews/ _ACH.cfm - Used to verify routing numbers provided on applications
Ebay Member Search - W0QQ_advZ1QQ_sofindtypeZ25?_rdc=1 - Used to verify Ebay member/seller ratings and view customer comments
Ripoff Report - Used to view customer comments for a merchant
Alexa - Website traffic and information. Global ranking/time on site/website visits by country
Scam.com - Works as a message board regarding various fraud merchants and schemes
Network solutions - /index.jsp - Gives the name of the person or company who own the rights to the website. IP/physical address is also disclosed.
Way back machine - Will give you the exact look of a website during a specific period of time.
IC3 - Works as a message board regarding various fraud merchants and schemes. Explains how the schemes work.
Bureau of Consumer Protection Business Center - -advertising-and-marketing-internetrules-road - Is a legal resource to ensure compliance with laws and regulations in many industries.
Salty droid - An opinion blog reviewing internet marketers

Exhibit E Sample Bank Statement Summary

Bank Statements [Checking]: table of Months (Jan-12 through Dec-12) and Ending Balance, with Total and Average rows. Chart: Checking, Dollars by Months.
Bank Statements [Savings]: table of Months (Jan-12 through Dec-12) and Ending Balance, with Total and Average rows. Chart: Savings, Dollars by Months.
Bank Statements [Total]: table of Months (Jan-12 through Dec-12) and Ending Balance, with Total and Average rows. Chart: Total Banking, Dollars by Months.

Exhibit F

Company Name:
_Audited _Reviewed _Compiled _Internal _Tax Forms
Columns: Date - FYE 2011 | Date - FYE 2012 | Date

Current Asset
Current Liabilities
Current Ratio
Quick Ratio
Cash
Inventory
A/R
Total Current Asset
Intangibles
Building/Equip.
Other long-term assets
Total Assets
A/P
Current Portion of L-T Debt
Other Short-Term Loans
Other Current Liabilities
Total Current Liabilities
Long Term Liabilities
Total Liabilities
Stockholder Equity (breakdown)
Total Liab./Total Assets
Total Debt/Equity
Sales
Cost of Goods Sold
Gross Profit
Total Operating Expenses
Operating Income
Interest/Depreciation Expense
Income before Taxes
Income Tax Expense
Net Income After Taxes
Cash Flow (N/I + Int Exp/Depres.)
Cash Flow/C-P Long Term Debt

Exhibit G.1 Setting Reserves

Traditional
  5% - 6 months rolling or with a cap
  10% - 1 year rolling or with a cap

Less Traditional
  Based on future service/delivery time frames

High Risk
  Up to 1 to 1 ratio of processing
  1 to 1 will not cover fines
  FTC is now seizing reserves

Exhibit G.2

*Debt to Tangible Net Worth should not exceed 4
Total Liabilities: $0.00
Net Worth: $0.00
Net Intangible Assets: $0.00
Debt to Tangible Net Worth, Total Liabilities/(Net Worth - Net Intangible Assets): #DIV/0!

*Defensive Interval should be between days
Current Assets: $0.00
Inventory: $0.00
Daily Operating Expenses: $0.00
Defensive Interval, (Current Assets - Inventory)/Daily Operating Expenses: #DIV/0!

*Debt to Equity Ratio should not be greater than 1
Total Liabilities: $0.00
Total Shareholder Equity: $0.00
Debt to Equity Ratio, Total Liabilities/Total Shareholder Equity: #DIV/0!

*Debt ratio should be less than 1
Total Liabilities: $0.00
Total Assets: $0.00
Debt Ratio, Total Liabilities/Total Assets: #DIV/0!

*Quick Ratio (acidity test) should be at or near 1
Current Assets: $0.00
Inventory: $0.00
Quick Assets: $0.00
Current Liability: $0.00
Quick Ratio, (Current Assets - Inventory = Quick Assets)/Current Liability: #DIV/0!

*Current Ratio should be at or near 2
Current Assets: $0.00
Current Liabilities: $0.00
Current Ratio, (Current Assets/Current Liabilities): #DIV/0!

*Monthly volume should not exceed 3 times the Quick Assets
Current Assets: $0.00
Inventory: $0.00
Quick Assets: $0.00
Monthly Processing: $0.00
Quick Assets X 3: $0.00
(Current Assets - Inventory = Quick Assets)/Monthly Processing Volume

Sample Exposure Calculation

DBA:
Estimated Annual Volume: $1,825,
Total Exposure (Credit Exposure + Delayed Delivery Exposure + Fee Exposure): $103,

Discount and Fee Exposure
Estimated Average Daily Visa/MasterCard Volume: $5,
N = Average Days Before Discount or Fees Collected: 15
Discount Rate: 2%
(Average Daily*N*Discount Rate): $1,

Delayed Delivery Risk Exposure
Number of Delayed Delivery Days: 15
Estimated Average Daily Visa/MasterCard Volume: $5,
Delayed delivery percent of sales: %
(Refund Ratio + CB Ratio)*(Average Daily*180 Days): $75,

Credit and Chargeback Risk Exposure
Refund Ratio: 2.50%
Chargeback Ratio: 0.50%
Estimated Average Daily Visa/MasterCard Volume: $5,
Exposure Timeframe (Days): 180
(Refund Ratio + CB Ratio)*(Average Daily*Days): $27,

Exhibit G.3 Sample Exposure Calculation 3

Month | Sales $ | # of Trans | Net Chargebacks $ | Chargeback % | Refunds $ | Refund % | Average Ticket | Rolling Reserve % | Reserve
Jan | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Feb | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Mar | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Apr | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
May | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Jun | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Jul | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Aug | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Sep | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Oct | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Nov | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Dec | $125,000 | 2,500 | $2, | | $3, | | $50 | 5% | $6,250
Total | 1,500,000 | | $30,000 | | $42,000 | | | | $ ,000
Average | 125,000 | | $2,500 | | 3,500 | | $50 | 5% | 6,250

Total Chargeback Basis Points:
Total Chargeback Percentage: 2.00%
Total Refunds Basis Points:
Total Refunds Percentage: 2.80%
Annual Volume: $1,500,

Automated Risk Calculations
Estimated Delayed Delivery Days: 15
Estimated Avg Return Days: 30
Chargebacks Risk: $7,000
NOTE: The calculation here is (E24*E21*2.8)/12) - I don't know what 2.8 represents
Refund Risk: $3,452
Delayed Delivery: $61,644
Total Exposure: $72,096
Upfront Reserve: $0
Rolling Reserve: $75,000
Avg Volume Per Day: $4,110
Avg Reserve Per Day: $205
Days to Collect Sufficient Reserve: 351
Month to Collect Sufficient Reserve: 11
Surplus: $2,

Exhibit G.4 Sample Exposure Calculation 4

Merchant Name: Merchant A
Date Completed: 14-Feb-14
Merchant Number:
Annual Bank Card Volume: $264,000,000
MCC/SIC: 8699
MCC/SIC Description: MEMBERSHIP ORGANIZATIONS/NOT ELSEWHERE
Discount Rate: 2.44% 0

Item | Credit Policy Calculations | Manual Adjustments
Risk Level | H | H
Monthly Discount Risk | $536,800 | $536,800
Credit Ratio | 2.41% | 3.30%
Credit Timeliness (days) | 30 | 30
Credit Risk | $529,644 | $726,000
Chargeback Ratio | 0.17% | 0.44%
Chargeback Risk | $104,720 | $271,040
FDX Days | 30 | 30
FDX Percentage | 20% | 100%
Total FDX Risk | $4,400,000 | $22,000,000
Fraud Ratio | 0.09% | 0.09%
Fraud Risk | $55,263 | $55,263
Total Merchant Risk | $5,626,426 | $23,589,

Exhibit H.1. Sample Periodic Merchant Review

[Date]
Jane Doe, Credit Analyst. John Smith, Unit Manager

RECOMMENDATION: Increase AV to $264MM and process with no Reserve based on financial strength and liquidity, while continuing to review annually.

RISK MODEL INDICATES: MID-specific Risk is $23.6MM based on 30 FDX. An AT of $60 indicates this MID is processing for "Premium Subscriptions" by recurring monthly or annual debit. Aggregate Merchant A Risk is approximately $32.6MM based on 30 FDX. This calculation may be overly aggressive as transactions for Talent and/or Marketing Solutions are pay per usage.

WEAKNESSES: Deferred Revenue in 2012 was $257.7MM.

STRENGTHS: From 2011 to 2012, Revenue grew by 86% and Net Income by 81%. Cash on hand is substantial while carrying very little Long-Term debt. BBB rating A complaints closed with BBB in last 3 years. DNB-PD 79, CCSC 42, FSS 65. One open state tax lien for 14k, otherwise no judgments or suits. Generally pays as agreed. Clean processing history.

NOTES: Merchant A is publicly traded on NYSE: MERA. As of 08/06/2013 trading at $125 per share. IPO was on 05/5/2010 at $45 per share with a valuation of $2 billion. Revenue Recognition: Talent Solutions (50%) revenue is derived primarily from providing access to the Recruiting product suite. Marketing Solutions (25%) earns revenue from the display of advertisements on its website, primarily based on a cost per advertisement model. Premium Subscriptions (25%) earns revenue from subscriptions that allow users to have further access to premium services.

WEBSITE:

COMPANY PROFILE: Merchant A and its subsidiaries was incorporated in The Company operates an online professional network on the Internet through which the Company's members are able to create, manage and share their professional identities online, build and engage with their professional networks, access shared knowledge and insights, and find business opportunities, enabling them to be more productive and successful. The company has a diversified business model with revenue coming from Talent Solutions, Marketing Solutions and Premium Subscriptions. Headquartered in Dallas, Merchant A also has offices across the globe. Merchant A adds approximately fifty members per day, and over 25% of members come from International Markets.

MERCHANT'S FINANCIAL INFORMATION

Income Statement (in thousands) | 12/31/ (10-K) | /31/2012 (10-K) | % Change | 6/30/2013 (10-Q) | % Change
Revenue | $522,189 | $972,309 | 86% | $688,366 | -29%
Cost of Sales | $81,448 | $125,521 | 54% | $91,648 | -27%
Gross Profit | $440,741 | $846,788 | 92% | $596,718 | -30%
Operating Income | $25,845 | $56, | % | $31,737 | -44%
Net Income | $11,912 | $21,610 | 81% | $26,350 | 22%

Balance Sheet (in thousands) | 12/31/ (10-K) | /31/2012 (10-K)
Cash | $339,048 | $270,408
Net Receivables | $111,372 | $203,607
Goodwill | $12,249 | $115,214
Current Asset | $725,927 | $1,018,797
Total Assets | $873,697 | $1,382,330
Long Term Liabilities | $18,551 | $27,717
Current Liabilities | $226,659 | $415,379
Total Liabilities | $248,718 | $473,906
Retained Earnings | $7,240 | $28,850
Total Shareholders Equity | $624,979 | $908,424
Working Capital | $499,268 | $603,418
Debt ratio | |

MERCHANT'S PROCESSING INFORMATION

2012
MID:
DBA: Merchant A
Legal Name: Merchant A
Date Open: 12/7/2009
Status: Active
Elig: 5,1
2012 Sales: $162,139,282
# Trans: 2,806,537
Avg Tkt: $58
12 Crdt: $4,902,
Cr Ratio: %
12 C/B's: $585,
C/B Ratio: %

2013 YTD and Projected
MID:
DBA: Merchant A
Legal Name: Merchant A
Date Open: 12/7/2009
Status: Active
Elig: 5,1
2013 YTD Sales: $139,517,816
# Trans: 2,344,397
Avg Tkt: $60
13 YTD Crdt: $4,603,
Cr Ratio: %
13 YTD C/B's: $608,
C/B Ratio: %
Annualized AV: $232,529,694
Annualized AT: $65
Projected AV: $192,000,000
AT: $65

Exhibit H.2 Sample Periodic Merchant Review 2

Date
PRIN
Reserve
Merchant
Signer
Top 250
Approved for $ K/month
Boarded: Date

PROCESSING SNAPSHOT
-Chart of current YTD and Last Year processing, including # of sales/returns/cbs and volume of sales/returns/cbs. Also included is CB ratio and Return ratio

OVERVIEW
-Summary of biz, what they are selling, business practices etc.

CBR & FINANCIALS
-Review of CB and Business financials

TRANSACTIONAL REVIEW
-Review of transactions
-Price points, recurring, largest ticket, smallest ticket, what size are the majority of the sales etc.

HISTORICAL VOLUME
-Chart of historical processing


More information
