The Green Sheet Online Edition
February 9, 2026 • 26:02:01
Legal ease
International acquiring: Legal tips on ISO expansion
The most common trigger for international expansion of an ISO is a merchant asking the ISO for a merchant account in Canada or somewhere more exotic. On the bright side, acquiring (like issuing) answers to a single set of payment network (Visa, Mastercard, etc.) rules, making acquiring in other countries somewhat similar to U.S. acquiring.
However, foreign laws and customs introduce hurdles that require a U.S. ISO to jump through a few hoops before offering acquiring services for non-US merchants. The purpose of this column is to identify some of the key legal issues involved in taking a US ISO on the road to serve merchants outside of the United States.
Regions of the world
In broad strokes, payment networks divide the world into five or six regions. Those regions are North America (NA); Latin America, including the Caribbean, (LAC), Europe (EUR), Asia Pacific (AP), Middle East & Africa (MEA) and Eastern Europe (EE).
As a rule, acquirers in one region will not board merchants from another region. Also, within a single region (such as North America) acquirers in one country (for example, the United States) will often decline to accept merchants from another country (for example, Canada). Acquirers resist out-of-region or out-of-country merchants because of payment network rules, local laws and risk management.
A Malaysian bank will do a better job underwriting a Malaysian merchant than a U.S. bank will because the Malaysian bank understands the risk profiles and credit history of a local merchant by reference to local credit rating agencies and other local indicators.
As a result of acquiring being siloed into various regions and sometimes countries within those regions, in order to acquire all over the world, an ISO would have to have somewhere between five and 10 acquiring relationships, one for each region or country requiring an individual acquirer.
Regional acquirers will also usually require the regional ISO to operate through a locally incorporated entity; consequently, a fully international ISO will have to incorporate local entities in each region.
Finally, local laws may impose certain licensing and registration requirements in the local entity that might not apply in the United States.
Non-bank acquirers
In the United States, acquirers are banks. Outside of the United States, local payment network rules and laws have opened the market to non-bank acquirers. This means an entity can be a full principal member and acquirer within a network without being a bank. This opportunity often comes as a surprise to U.S. ISOs expanding outside of the United States.
That said, it's still not easy to become a principal member of a payment network. There are capital requirements, commercial requirements and local legal requirements that make the process much harder than spinning up an ISO in the U.S. market. In Europe for example, non-bank acquirers (as well as payment facilitators) are regulated as Payment Institutions (PIs). A PI is the EU equivalent of a U.S. money services business (MSB).
In addition to capital and commercial requirements that payment networks may impose, payments regulators have their own capital, AML compliance, security standards, reporting, staffing and other statutory necessities for operating a payments business that happens to process merchant payments.
Despite their being non-bank acquirers outside of the United States (in places like the EU and Canada, for example), it is still possible to operate merely as an ISO without taking on the highly regulated role of acquiring and settling funds. In those jurisdictions, the sponsoring acquirer might simply be a non-bank.
Regulation of ISOs
For now, U.S. ISOs, as sales organizations of acquiring banks, are largely unregulated except for the contractual obligation of adhering to bank AML, compliance and security standards. Those requirements of U.S. ISOs are mostly borne out of contracts with acquiring banks, not out of the law. Outside of the United States, however, some ISOs are regulated even if they never touch funds.
In Canada, for example, a new regulator, the Bank of Canada, came online in 2025 and regulates Payment Service Providers (PSPs). Entities that transmit funds or hold funds in hosted accounts (that is, MSBs) are PSPs that are also regulated by the Bank of Canada.
However, some entities that never touch funds but are involved in authorizing or processing the initiation of electronic payments are regulated as PSPs. They have to register with the Bank of Canada as well as adopt and comply with a raft of policies that would be a surprise for a U.S. ISO that never touches the funds.
The Retail Payment Activities Act (RPAA) is the new Canadian law bringing the Bank of Canada into regulation of PSPs. The RPAA is brand new, and a lot of U.S., Canadian and other nations' ISOs, processors and other payments companies are still working their way through exactly how to comply with its requirements.
The takeaway here is that a U.S. ISO should not expect a 'free ride' in each new country where they do business. Some jurisdictions may hold the ISO to a level of compliance that is altogether foreign to the U.S. experience.
OFAC sanctions
When boarding merchants for a U.S. acquirer, the merchant and its principals are checked against sanctions lists of the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC). Foreign countries have their own sanctions lists as well as local standards of AML and sanctions compliance.
Operating as an ISO in a foreign country would require the ISO to adhere to those local standards. However, a U.S.-owned foreign ISO should also comply with U.S. sanctions laws.
The US Foreign Corrupt Practices Act (FCPA) makes it illegal to bribe foreign government officials to win or keep business. In some foreign countries, especially in the developing world, it is sometimes difficult to get a business going without numerous government approvals. These approvals are sometimes hard to get without a bribe. Don't do it; it's not worth it. A U.S. person could face up to 20 years in a U.S. prison for an FCPA violation.
Get legal advice: Local, experienced payments counsel can advise you on how to get up and running quickly. It's recommended. 
In publishing The Green Sheet, neither the author nor the publisher are engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law email: atlas@adamatlas.com, Tel. 514-842-0886.
Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.
