Compliance and risk leaders in the Americas, Europe, and Asia exhibit a polarity in their attitudes about payment facilitators. First, there are those who either endorse or oppose. Second, there are PFs that are either fit or unfit for partnership. This yields three observations:
- Risk teams see PFs in general as either “friends” or “foes”
- Risk teams categorize PFs into “safe bets” or “wild cards”
- Risk teams demand oversight rights when working with PFs
Differences between regions
G2 recently conducted a survey with acquirers globally. The results showed a greater willingness among banks and processors to work with PFs in EMEA and APAC. In the Americas, one-half of respondents actively work with PFs. In EMEA and APAC, the numbers were closer to two-thirds.
When asked if they knew if there were PFs in their portfolios, there was some doubt. A significant number of acquirers in all regions had either discovered a merchant unknowingly acting as a PF in the past year or did not know if that activity was occurring (see Figure 1).
Figure 1: Have you in the past year discovered a merchant in your portfolio believed to be a single merchant but acting as a PF?
Taken together, these figures suggest a great deal of “known unknowns” and “unknown unknowns.” It suggests acquirers in EMEA and APAC have a better handle on working with PFs than those in the Americas.
The risk world typically exhibits gray areas and middle ground. But in the case of PFs, there are red lines drawn. Each acquirer draws its own lines independently to express who’s in and who’s out. The remainder of this article will look into these red lines.
Observation 1: Risk teams see PFs as either “friends” or “foes”
With the number of payment facilitators set to grow meaningfully over the next few years, each acquirer will make a decision—embrace or abstain. Choosing which side of the fence depends on whether an acquirer primarily sees PFs as sources of growth or risk.
Some compliance teams see PFs as friends; others see them as foes. Some zero in on upside, others on downside.
Friend or foe?
For compliance and risk leaders, this is not a spontaneous choice. It’s a conditional, pragmatic, step-by-step journey. Even the believers have adopted a trust-but-verify stance.
The compliance and risk teams who embrace PFs buy into them as a new scalable sales channel that fuels growth. They focus on a few PFs with which to succeed. Said one compliance head, “We choose a small number opportunistically because they take so long to get over the board.”
Acquirers use parental words to describe the process of teaching PFs, such as “babysitting,” “handholding,” and “nurturing.” But the protectiveness is about self-preservation, not affection. Said one bank, “even experienced PFs will slip up.” Banks are simply looking after their interests (see Figure 2: In acquirers’ own words).
This is warranted, because newly minted PFs can sometimes play unsafely when unsupervised. One acquirer described a PF telling a sub merchant that it could approve sizable payments without validation because, “technically, it’s possible.” Never mind it was prohibited. It’s this kind of laxness that keeps acquirers serving PFs awake at night.
Often, new PFs don’t know underwriting, accounting, or card network rules. Some want all funds to go to them so they can then pay downstream merchants. “These are prospects we see most often, but they don’t make it far because they won’t implement controls or let us implement controls,” said a risk officer.
Another compliance professional put it more succinctly: “the new PFs we see are ridiculous and not worth wasting time.”
Said another member of the PF community: “It is only a matter of time before a registered PF goes belly up due to a lack of understanding of the risk associated with taking liability for sub merchants and meeting the rules of the card brands.”
Figure 2: In acquirers’ own words
|…those who view PFs as “friends”||…those who view PFs as “foes”|
|“I like categories like software providers for camps. Many don’t realize they are PFs.”||“Our systems weren’t built with PFs in mind.”|
|“PFs with “specialist” experience in gambling, or adult businesses can do better job managing submerchants that we could.”||“Are we going to pay employees to do manual monitoring for small fees, high risk, and the need to audit physically each year? Likely not.”|
|“We have a high respect for some PFs’ technological background and platforms.”||“We see them as a risk we don’t want to touch, so we avoid them like the plague.”|
|“We choose a small number opportunistically because they take so long to get over the board.”||“Even experienced PFs will slip up”|
|“We reduce the effort involved to vet PFs so it becomes cost justified to sponsor them.”||“You never know if a PF is behaving well for 18 months to get you to lower your defenses so it can take advantage of you.”|
Upside and downside
But such statements are fair warnings, not death warrants. It only takes a small number of acquirers—maybe as few as one or two—to create a market for sponsorship. Choosing segments strategically, getting in early to attract the best PFs, then investing in controls and processes yields first mover advantage. A risk specialist from one bank concerned about cannibalization said sticking to agreed strategic segments overcomes cannibalization concerns from management.
In another case, an acquirer created a two-tier system for its PF partners: one for merchants beneath the MasterCard and Visa thresholds for direct contracts with acquirers, and one for those above. The lower tier merchants (less than $1 million turnover for MasterCard and $100,000 for Visa) contracted directly with the PF. The higher tier qualified for a referral program where the PF earned revenue share since it could not service the merchants.
PF proponents plan ahead for investment in teaching and training. This includes guidance on how to avoid running afoul of card network rules. “We need to work with our PFs to ensure they implement robust controls that give us confidence,” said a risk professional.
But most risk teams are pessimists, seeing PFs as ROI-negative propositions. In this case the “I” stands for time investment. They deem PFs too hard to onboard in relation to potential fee revenue.
“Our systems weren’t built with PFs in mind,” said one compliance leader. “Are we going to pay employees to do manual monitoring for small fees, high risk, and the need to audit physically each year? Likely not.”
Some even have a visceral fear over what could go wrong. “We see them as a risk we don’t want to touch, so we avoid them like the plague,” said one manager.
Vigilance is wise for successful PFs just as it is for acquirers. In the past year, G2 Web Services has identified unknown violating merchants for well-established PFs in the US, UK, France, and Brazil. In addition, a PF client of G2 was able to reduce transaction laundering in its portfolio by 97%.
Observation 2: Risk teams categorize PFs into “safe bets” or “wild cards”
Risk and compliance teams often see two clusters of PFs: established and entrepreneurial. The former are legacy aggregators with mature operations. The latter are often described as innovators and disruptors.
Established PFs typically serve large markets and boast a cross-section of merchants. Startup PFs often address underserved areas, like payment UX of payments and vertical niches.
But compliance teams see them differently. They see safe bets and wild cards.
The safest bets are legacy PFs that acquirers are already serving. They are big fish, originating long before the new rules frameworks were announced by Visa and MasterCard. Since they have “homes” with acquirers, they stay put—unlikely to change sponsor banks. (see Figure 1: Stratification of PFs).
The next safe group is grandfathered in. Some banks work with PFs who had been quietly aggregating before the rules changes. These aggregators know how to underwrite and monitor. Now they are ready to bear risk. Since they have operating experience, even if previously unofficial, they have a track record of technology and processes.
Other banks will accept only those PFs that enable card-present transactions to avoid the downside risk of ecommerce. Some will look for a seal of approval, such as PFs that are members of the European Payment Institutions Federation (EPIF) in the EU.
The entrepreneurial PFs described above tend to fall into the wild card category. But this is uncharted territory, as this group most exhibits the lack of experience and ROI-negative profiles the risk specialists above warn about.
Just inside the wild card zone reside PFs catering to low risk verticals. “I like categories like software providers for camps. Many don’t realize they are PFs,” said a compliance manager.
More intrepid acquirers play further inside the wild card space, seeing them as a means to open up new business categories. They may go for pros in high risk areas like gambling, adult content, or continuity marketing because they can better manage the risk of sub merchants (see Figure 3: Stratification of PFs).
They also may choose unconventional PFs because they are impressed by the technical achievements, such as a bank that sponsored a PF that provided dynamic pricing algorithms to help sub merchants maximize online revenue.
Even as they inch closer, risk teams have anxiety about micro-merchants. Along the spectrum of high transaction merchants and zero transaction micro merchants, the greatest risk lies in the low middle—light volume sub merchants with just enough business to hide illegitimate transactions but not enough to earn compensating fees.
Yet some entrepreneurial PFs may still feel shut out, like outlaws. Those with the worst odds are new PFs that can’t demonstrate a vertical specialty. A compliance team leader who dislikes these broad PFs says, “you are just a glorified ISO if you serve any Tom, Dick or Harry.”
Figure 3: Stratification of PFs
|Safe bets: Most acquirers sponsor||Wild cards: Select acquirers sponsor||Outlaws: Very few acquirers sponsor|
|Legacy PFs already in portfolio||PFs with deep experience and controls for “high risk” verticals||PFs with a history of compliance violations|
|Mature PFs quietly aggregating with robust operations||New PFs serving “safe” verticals with strong value proposition||PFs that resist inspections, spot checks and shadow monitoring|
|PFs serving card present environments||New PFs with unique technical skills (e.g. dynamic pricing)||New PFs attempting to serve entire market (“glorified ISO”)|
|PFs with a seal of approval (e.g. EPIF in the EU)|
Observation 3: Risk teams demand oversight rights when working with PFs
Whether risk teams are playing the cards they were dealt in their current portfolio or strengthening their hand by seeking new PFs, they feel entitled to scrutinize. This includes boarding and monitoring processes. Timeframes may last for a year or in perpetuity.
Boarding and monitoring policies
ROI-sensitive risk groups will create different stages applicant PFs must complete before they are approved. One has created a form for PFs to fill out with a step-by-step process that then meters how much human intervention occurs. If the PF passes the first set of form requirements, it is passed to the PCI group for further review, and so on. Key influences on the decision include the PFs’ infrastructure—the PF can’t just rely on the acquirer infrastructure.
Once an acquirer has decided to partner with PFs, strict boarding rules are nearly universal. A PF’s KYC checks on sub merchants should adhere to the processes its acquirer follows for its merchants. This includes passing sub merchants through required checks like MATCH and VMAS. Acquirers will run their oversight by-the-book, such as onsite inspections of PFs’ processes and regular spot checks of boarding paperwork (see Figure 4: Acquirer oversight of PF partners).
After boarding, monitoring practices are equally stringent. They are best described as parallel supervision. Also called “shadow monitoring,” this scrutiny may last a year or more and can easily be accomplished with monitoring providers. If acquirers wait for PFs to report up to them, the lag time can be 3 weeks or more. This is a blind spot that makes them uncomfortable because it creates room for illegal or illicit behavior.
Some acquirers have an edge if they require PFs to use their gateways. That allows them to see originating IP addresses, and even to map back transactions to individual merchants if the billing descriptors are visible and unique.
“You never know if a PF is behaving well for 18 months to get you to lower your defenses so it can take advantage of you,” said one risk manager who remains optimistic but wary. Another acquirer with similar concerns “plugs in” sub merchants to its chargeback and fraud monitoring systems for added reconnaissance.
Parallel supervision is a source of comfort, as is an itchy trigger finger. “You can quickly tell who the cowboy is going to be and cancel him if need be,” said one acquiring compliance officer.
Figure 4: Acquirer oversight of PF partners
|Onboarding sponsored merchants||Monitoring sponsored merchants|
|Strict adherence to required checks like MATCH and VMAS||Shadow monitoring of sponsored merchants in parallel with PF|
|Onsite inspections of PFs’ boarding processes||Requirement to use acquirer in-house gateway|
|Spot checks of boarding paperwork||Plugging in sponsored merchants to acquirer chargeback and fraud monitoring tools|
Team sports and solo politics
No acquiring risk or compliance team goes into the PF space without help. PFs and their acquirer partners alike use vendors like G2 Web Services to enable and automate risk and compliance steps. Acquirers in the “foe” camp use vendors to help them spot PFs inadvertently hiding in their portfolios.
The PF ecosystem is in the early stages of development. Like the start of a political season, early stages can reveal extreme opinions that later soften. Acquirers may loosen or tighten the kinds of controls mentioned above. Even sitting on the fence is still a defensible position now, but not so three years from now.
Discussions with acquirer compliance and risk leaders in Europe, Asia and the Americas suggest all of them are paying attention to the PF opportunity. Some are still sitting on the fence. But when the time comes to step down to vote, there is no climbing back on.
PFs with robust boarding and monitoring practices will prosper. Learn how a PF added a procedure that reduced its risk exposure by $1.8 million.—Dan Frechtling is the chief marketing officer for G2 Web Services.
Dan Frechtling is a panelist on this topic on April 19 at Transact16 for Payment Facilitator Day ’16.