Insider's Report on Payments
Warning to ISOs and other Third Parties: Know Your Customer
By Patti Murphy
Like it or not, the transaction-acquiring business has been pulled into the global war on terror. As a result, you can expect a lot more folks to be looking over your shoulder, and I'm not just talking about the Feds. Card companies and networks, too, are placing a sharper focus on the relationships between banks and the litany of non-banks that regularly come into contact with transaction data. This includes ISOs and their independent contractors, authorization and processing networks, encryption service organizations, ATM maintenance companies, and countless other companies that support transaction acquiring and card-issuing banks.
Visa and MasterCard both have put members on notice that while in the past they may not have strictly enforced what are known as "Third Party Registration" rules, they will do so with mighty vigilance beginning this year. Visa has said it will begin monitoring for compliance by September 30, 2003. MasterCard was unavailable for comment on this article.
Meanwhile, the EFT Association, a multi-industry trade group based in Herndon, Va., has weighed in with a set of "best practices" for ATM acquirers. While compliance is voluntary, the best practices laid out by EFTA's ATM Integrity Task Force pretty much mirror the requirements Visa, MasterCard and the major ATM networks have laid out for transaction acquirers - so it's time to consider EFTA's best practices standard operating procedures in today's marketplace.
In a nutshell, the rules require that banks perform comprehensive due diligence reviews of any "third party" that touches credit/debit card transaction data that clear through the banking system.
The reviews must include financial and security audits of companies, principals and key agents of those companies and their various past business relationships, company/product certifications by the appropriate gatekeepers (e.g., Visa and MasterCard) and detailed information concerning subcontractors.
Companies (and subcontractors) that pass muster can then register with Visa, MasterCard and/or the ATM network. Fees vary somewhat and are paid to Visa and MasterCard by the banks, though many banks will pass along the charges.
At Visa, the cost for adding a new agent to the system is $5,000. Mike Smith, Senior Vice President for Corporate Risk Management, explained that once an ISO or other organization has registered, there are no additional signup fees if another bank registers the company/person as part of its due diligence.
The due diligence process itself can be labor-intensive and time-consuming. Humboldt Bank Merchant Services, for example, hired a full-time employee just to keep pace with Visa and MasterCard registration requirements, according to Linda Grimm, Vice President of Operations.
The costs can be hefty, too. In addition to initial registration fees, there are annual fees and fees for adding independent contractors to a service provider's registration.
Violations are costlier. A first-time violation of what Visa calls its Cardholder Information Security Program (CISP) is $50,000; two breaches of the rules cost a bank $100,000. Failure to abide by MasterCard's rules for registering third parties can result in fines of up to $50,000 and/or membership termination, according to documents provided by a MasterCard spokesman.
Oh, and let's not forget the potential backlash from a compromised payment operation: At the end of the day, every bank is responsible for transactions it acquires, and every credit/debit card transaction ultimately is "acquired" by a bank. Federal regulations limit a consumer's liability for unauthorized transactions to about $50.
Several New York area banks got a stark reminder of this in 2001 and 2002. It began when a group of crooks purchased more than a dozen ATMs that, when placed in retail locations, were used to "skim" cardholder information. With new cards created from the "skimmed" data, the crooks siphoned more than $3.5 million from unsuspecting consumers' bank accounts before anyone was arrested. (The ringleader reportedly is still at large.)
When the U.S. Secret Service (the federal agency that investigates card crimes) was called into the investigation, it had trouble locating many of the suspected ATMs because of poor record-keeping by some of the ISOs that sold the machines, according to published reports.
"That incident really heightened awareness that the 'know your customers' mantra hasn't been handled well," said Susan Zawodniak, an executive with NYCE, the ATM/POS network.
Know your customer (KYC) has been a mantra in banking, but until recently most folks thought it applied only to over-the-counter relationships - you know, like identifying and documenting customers who walk into banks with satchels of currency, then wire the money to accounts at offshore banks.
"If there is an account involved, the bank has to know who the customer is," said Henry Polmer, a partner in the Washington law offices of Piper Rudnick.
But it's not always that easy. In the acquiring business, especially, at times it seems nearly impossible.
"All too often, we're dealing with entities that we don't even have contracts with," Humboldt's Grimm said. And sometimes, those companies don't want to provide detailed financials. "We're moving forward, doing our due diligence" and passing on some registration requests, sans contracts, Grimm said, adding, "the ones we are working with are cooperating."
Yet, "there are so many third and fourth parties down the line with access to this data that we don't even know about," she said.
And that might be where the danger lies.
"The U.S. Treasury has concerns about the various ways in which terrorists might use the ATM infrastructure -- as a funds-distribution channel, as a source of funds through fraudulent schemes, even possibly to creating chaos in economies through attacks on public confidence in the integrity of payment systems," the EFTA report stated. "[T]his problem is very real, it is immediate, it is significant and non-trivial ... it is in emerging regulatory cross hairs."
Visa's Smith concurred that these are real threats. And he said Visa and other big players in the payment space want to be proactive in ensuring that all channels and entry points are protected. "It's across the board," Smith said of the registration process. Acquirers, issuers, prepaid cards, "unbranded ATMs" - these are just some of the business lines that are being scrutinized.
The alternative is greater government oversight. "Regulators are looking closely at this business," Smith said. "We want to be a self-regulated business."
That means a lot more looking over the shoulders of payment companies that use bank-controlled payments networks such as Visa, MasterCard and NYCE.
It means more education, too. So you can expect to hear a lot about the registration process at industry conferences and meetings in the months ahead.
Patti Murphy is Contributing Editor of The Green Sheet and President of Takoma Group. She can be reached at patti@greensheet.com