An editorial posted this week onPaymentsSource looks at the Federal Trade Commission’s recentactions against independent sales organizations IRN Payment Systemsand Newtek Merchant Solutions.
Each ISO is alleged to have “provided substantial assistance” totwo merchants that were involved in telemarketing scams, TreasureYour Success and Innovative Wealth Builders. After a long recap ofthe proceedings in each of the two lawsuits brought by the FTC, theopinion piece arrives at the point of its argument, which isseemingly that merchant processors need to be better at duediligence than they are now. Furthermore, they are at risk of beingsued for complicity by providing services to merchants whosebusiness violates federal trade laws.
(Interestingly, one detail that the opinion piece points out isone that has not received much attention up until this point: thatMasterCard is identified in the suits as having known about theactivities of IRN’s and Newtek’s merchants while simultaneouslyallowing them continued access to the payment network.)
Sure, there’s regulatory risk. But what kind? Not only does thepiece not go far enough in delineating the regulatory risk thatISOs take on when they deal with merchants that may not have themost consumer-friendly business practices (or ones that areblatantly illegal), it seems to argue that merchant acquirers andtheir agents are exposed to such regulatory risk in nearly everyrelationship with merchants who are “consumer-facing.” Theconclusion of the piece:
In short, all corporations that provideservices to companies that collect or use consumer informationshould closely watch the FTC’s lawsuits against these two paymentprocessors and fully assess the legal risks that might beassociated with their business relationships.
While this is a rather broad and vague statement applied to theregulator’s cause du jour, there is an essential truth there.Merchant acquirers and ISOs who own the risk for their merchantaccounts need to be cognizant of who they are doing business with.The risks vary so much that they can be extraordinarily difficultto monitor and manage with systemic consistency, but the IRN andNewtek cases highlight a different problem: providers’ willingnessto turn a blind eye when profit motives eclipse good businesssense. The editorial misses the mark. The case is not about “datasecurity and privacy.” It is about a couple of high-risk playerschoosing to ignore very specific activities that harmedconsumers.
If there is one certain thing, it is this: ISOs and other entitiesthat serve merchants are in a state of constant internal strugglebetween the Sales and Risk Management portions of the organization.The struggle only intensifies when the client in question is bothhigh-risk and a potential revenue maker. Sure, there are legitimatebusinesses that operate in high-risk segments that often do verywell for themselves (and their payment processor), butbest-in-class providers serve them with eyes wide open. Theymonitor chargeback activity and pay attention to what cardholderssay in their affidavits (if present). They establish risk reservesof the merchants’ funds while conducting periodical review of bothtransactions and overall business practices. When it comes toregulated industries such as telemarketing, it is better forpayment service providers’ management to listen to objective riskanalysis than to flirt with becoming a co-defendant in an FTCsuit.
