Page 30 - GS230501

Education




Legal ease:
ISOs gone digital: Legal implications for digital-only ISOs

By Adam Atlas
Attorney at Law

At this point, pretty much anything on paper only is inherently suspicious. Whether by force of numbers or because of the many advantages, business is digital-first. It might be helpful to remind you of some of the legal implications of operating a digital-only business.

E-Sign Act

Way back in 2000, Congress enacted the E-Sign Act, which made electronic agreements no less effective than good old paper contracts. For electronic agreements to be valid, the parties must have had access to the terms in advance of accepting, must have been able to download or copy the terms before accepting them, and the parties must express consent.

There must also be an electronic record of the acceptance. The electronic record of acceptance does not need to be a signed pdf; it could be simply a record of the form of agreement presented for acceptance together with records of the person or entity that accepted the agreement, such as IP address, name and other identifying information.

Realistically, at this point, the absence of any digital record could make a party nervous that the hard-copy contract will be lost or difficult to assert later on for lack of evidence.

Digital communications

As you know, a contract is but the beginning of a relationship between, for example, a merchant and an ISO. After formation of the contract, the parties will need to communicate with each other. Increasingly, even formal notice provisions are drafted so that email notices are entirely effective as formal notice—without the need for a FedEx or certified letter.

It's important to note that the expectation of electronic communication should be the subject of express consent in payment services agreements—especially if electronic communication is permitted as the only form of communication. In fact, it is now commonplace for banks to present clients with a stand-alone electronic communication consent to ensure that clients will not complain, later on, that they did not receive one or more notices on paper.

My expectation is that the hoopla over digital communication will turn in the other direction, so that a typical customer will believe themselves to be aggrieved if they do not receive digital notifications. Whatever form of communication is chosen, the choice should be expressed in the terms of the contract that brings the two parties together.

Nested terms

Have you noticed that accepting terms of use of one supplier often includes accepting terms of one or more other suppliers? These "Russian doll" sets of terms are the norm in banking-as-a-service and other fintech models that complement or compete with traditional ISO businesses.

I am not aware of case law concerning the enforceability of terms that appear inside other terms, but it's advisable to let the consumer, merchant or other user see each of the individual terms and privacy policies they are accepting—as opt-in options—so that as a supplier you are not having to prove to a court that the consumer or merchant actually saw and accepted the terms.

As a user of services supplied under a mashup of multiple sets of terms, consider the multiple places to which your data is being sent and whether that poses excessive risk to your organization.

Security

No discussion of digital-first operations is complete without a reminder that storing troves of data creates opportunity for bad actors to exploit.

In the ISO business specifically, cardholder data is the hot potato. Unless your ISO systems are themselves PCI-compliant, your ISO should not access, store or transmit cardholder data. Fortunately, there are any number of third parties ready to perform the secure gateway and data communication functions for ISOs and their merchants. Some time ago, gateways and other data-only platforms were able to limit their liability to 30 days of fees or some other nominal amount, using the argument that their puny fees did not justify assumption of substantial liability. Those days are gone.