A Payment Facilitator (“PayFac”) is a company that offers an alternative to contracting with a traditional merchant acquirer or Independent Sales Organization (“ISO”) for card payment services by assuming responsibility for the risk, flow of funds, risk monitoring and ongoing support services for the payment acceptance services required to process transactions. Payment facilitation was widely introduced to the industry when PayPal was created in the 1990s as a response to many small businesses’ rapidly growing need for cost-effective payment services.
Merchants often choose to partner with a payment facilitator due to the simplicity of setting up an account, the short application and reduced underwriting evaluation. The initial onboarding support advantage, along with a single source for client support, reporting, and other operational support tasks, can make using a PayFac for payment processing a simple decision for a merchant. However, there are substantial risks for the PayFac to consider, and many organizations looking to become a payment facilitator may not be well-positioned to assume all financial underwriting and ongoing operational support requirements of a PayFac program. For organizations in this position, becoming a PayFac may not be practicable. Instead, these businesses may be better served by working with an existing Payment Services platform, cultivating a PayFac-like environment or developing a Merchant Referral program with solid revenue-share provisions.
PayFacs are able to provide streamlined support through the PayFac’s management of an existing master merchant account, thus assuming the overall risk posed by the payment program and allowing a streamlining of the requirements placed on their clients. The payment facilitator takes care of initial underwriting, bears the risks of underwriting and merchant losses, and is able to facilitate merchant funding, although they rarely do. PayFacs often handle customer service for their clients. PayFacs can usually obtain lower-cost transaction processing since they support key services in exchange for taking on these support responsibilities and purchasing acquirer services in volume.
PayFacs provide card payment acceptance services that are very similar to traditional merchant acquirer services, but there are some significant differences. Key similarities and differences between the operations of a payment facilitator and traditional acquirer are the following:
| Payment Facilitator | ISO/Merchant Acquirer |
|---|---|
| Pricing can be controlled by the PayFac, and simplified pricing systems such as Flat Discount (e.g., 2.95% + $0.20) can be used to create a simple billing model that many clients prefer. | Pricing is set by the acquirer or ISO. Typical pricing is Interchange Plus, but other methods such as Tiered or Discount models are supported. |
| Payment facilitators can monetize payments more effectively than programs that are tied to referral or revenue share agreements with ISOs or acquirers. Processing margins for PayFacs range from 15-35+ basis points, if third-party PayFac services are used, to 75-95+ basis points for in-house programs. Pricing can be limited to industry segment pricing dynamics, but PayFacs typically improve payment monetization. | Processing margins vary depending on industry segment, competitiveness, bundling of services, size of the merchant and other issues. Many ISOs offer Referral or Revenue Share residuals to software developers and platforms to monetize payments. Some of these agreements can be more attractive than taking on all the costs and responsibilities of a PayFac program. |
| Agreements can be streamlined, and underwriting performed using underwriting standards tailored to the industry segment and processing requirements. The PayFac being the merchant of record is one reason why underwriting can be simplified. This simplified contracting and boarding is a key advantage of being a PayFac. Note: Acquirers require that these agreements contain language regarding the requirements, compliance with network rules, and underwriting of large sub-merchants. | Standard merchant agreements covering processing and risk are signed by each merchant. Underwriting can be simplified to some extent, but full review is required since each client is the merchant of record. |
| A PayFac processes payments on behalf of its clients, called sub-merchants. The PayFac is the merchant of record for transactions. | An ISO or acquirer processes payments on behalf of its clients, which are called merchants. Each client is the merchant of record for transactions. |
| Sub-merchants sign an agreement with the PayFac for payment services. The sub-merchant agreement includes mandatory provisions related to the merchant acquirer/sponsoring bank. | The merchant accepts and processes payments through an agreement with the acquirer or ISO. |
| PayFacs are responsible for all risks associated with sub-merchants, including fraud, chargebacks, and PCI. Sub-merchants are responsible for risks through their agreement but are not the merchant of record. | The Merchant is responsible for all risks associated with card acceptance, including fraud, chargebacks, and PCI. Merchants are responsible for risks through their agreement and are the merchant of record. |
| The PayFac must be underwritten by the acquirer or sponsor bank to ensure it is able to financially cover the risks of all its sub-merchants. This review is required since the acquirer is to be held responsible in the event that the PayFac is unable to meet its obligations. | The ISO or acquirer is responsible for all risks associated with merchants, including fraud, chargebacks, PCI and other issues if the merchant is unable to cover its risks. |
| The PayFac must underwrite all sub-merchants and is responsible for KYC, AML, FinCEN and other review tasks needed to board clients. Larger sub-merchants with <$1 million in volume for a single card brand must be underwritten by the acquirer supporting the PayFac. | The PayFac must underwrite all sub-merchants and is responsible for KYC, AML, FinCEN and other review tasks needed to board clients. |
| Merchant payment processing services for a PayFac are provided by an acquirer that processes the transactions with the card networks. Third-party service providers such as Payrix, Finix and Amaryllis can support these services for a fee. | Merchant payment processing services are provided by the ISO or acquirer that processes the transactions with the card networks. ISOs and acquirers can provide many services through systems they develop, or they can use a third party for these services. |
| Sub-merchant deposits can be deposited by the acquirer directly to the sub-merchant or the PayFac. If funds are settled to the PayFac, then the PayFac must comply with money transmission laws and may be required to obtain money transmitter licensing to move funds through their accounts. | Funds flow from the acquirer and then to the merchant. ISOs do not take possession of funds in operating accounts; rather, the funds flow through their processor or bank sponsorship relationships. |
| PayFacs can control the timing and break-out of funds flows using managed or instructed funding through an acquirer to avoid money transmitter licensing issues. The acquirer funds the sub-merchants based on rule sets or instructions sent by the PayFac. | Acquirers can control the timing of deposits to merchants based on the deposit timeframes that are provided in the merchant agreement. |
| PayFacs are responsible for reporting, billing, chargeback processing, operations support, client services and other tasks. Third-party service providers such as Payrix, Finix, and Amaryllis can support these services for a fee. | The ISO or acquirer is responsible for reporting, billing, chargeback processing, operations support, client services and other tasks. Processors such as Fiserv/First Data, FIS/Worldpay, and others can provide processing services required to support the ISO or acquirer. |
| The PayFac must periodically perform risk monitoring evaluations of sub-merchants that are obligated to comply with ongoing risk monitoring requirements. | The ISO or acquirer must provide periodic risk monitoring of all merchants that are obligated to comply with ongoing risk monitoring requirements. |
| PayFacs undergo annual reviews by their acquirer or sponsor bank to ensure they are in compliance with all PayFac requirements. | Acquirers are reviewed by the card associations, as well as a wide variety of other organizations, as part of their risk reviews and other regulatory requirements. |
Since the signing of The Electronic Fund Transfer Act (“EFTA”) in 1978, the rights, liabilities and responsibilities of consumers who make electronic payments, and of the companies that offer them as a service, have been governed by a complex web of state and federal regulations.
The extent to which any electronic payment is subject to the various statutes regulating financial services depends on the specific nature of the transaction and the risk, financial and otherwise, associated with it. The regulation that payment facilitators face is two-fold, due to their position in the middle of a decoupled transaction. Payment facilitators are subject to one set of rules when charging customers and another when disbursing funds to merchants. The legal burden is even heavier for companies that facilitate payments to overseas merchants, sell regulated goods or provide services.
Payment facilitators often require specialized staff to ensure regulatory compliance due to the nature and complexity of the regulatory framework. Outlining the entirety of the regulatory landscape and determining which statutes are applicable are big tasks. A high-level overview of some critical regulatory issues that payment facilitators currently face is outlined in the following sections.
Anti-Money Laundering (AML) and Know Your Customer (KYC)
The Bank Secrecy Act (“BSA”) of 1970 requires all financial institutions to detect and prevent money laundering. Regulated companies must develop an Anti-Money Laundering (“AML”) compliance program that is approved by each company’s board of directors.
The BSA has been amended several times over the past four decades, most notably in 2001 with President George W. Bush’s signing of the USA PATRIOT Act (“PATRIOT Act”). The PATRIOT Act was initially intended to help government agencies intercept and obstruct terrorism but has far-reaching implications for financial institutions and other regulated businesses. To detect and prevent terrorist financing, companies must now verify the identities of individuals using their platform to conduct financial transactions. Upon request, these companies must provide information related to potential terrorist identities and activities to the U.S. government.
The PATRIOT Act further requires businesses to develop Customer Identification Programs (“CIP”) proportional to the size and type of their business. A CIP outlines the business’s process for obtaining, retaining and reporting information about its customers. These requirements are often referred to as Know Your Customer (“KYC”) requirements. KYC processes are utilized by companies of all sizes to ensure compliance with the BSA and to prevent identity theft, financial fraud, money laundering and terrorist financing.
Office of Foreign Assets Control (OFAC)
The Office of Foreign Assets Control (“OFAC”), part of the U.S. Department of the Treasury, operates under the umbrella of the Secretary of the Treasury for Terrorism and Financial Intelligence. Federal regulations require all companies to comply with OFAC rules. These rules apply to all financial transactions between any two counter-parties.
The OFAC provides an updated list of all individuals and businesses, with whom U.S. persons and businesses may not do business. To remain compliant, payment facilitators must develop and enforce preventative procedures that ensure their services are not being used by persons on the OFAC list or in support of sanctioned activities.
Financial Crimes Enforcement Network
All Money Services Businesses (“MSBs”) are required to register with the U.S. Department of Treasury through the Financial Crimes Enforcement Network (“FinCEN”). FinCEN is a bureau of the U.S. Department of the Treasury that collects, analyzes, and coordinates the sharing of information about financial transactions, in order to combat financial crimes. An MSB’s failure to register with FinCEN may result in the MSB facing criminal and/or civil penalties.
Once registered with FinCEN, companies are subject to the BSA, which — in addition to other obligations — requires companies to file Suspicious Activity Reports (“SARs”) for activities that might signify money laundering, tax evasion or other financial crimes. Companies may also be required to register as an MSB in the individual states in which they operate. State regulators have been known to monitor the public FinCEN list for newly registered companies that have failed to register at the state level.
MSBs include companies that provide money transmission services or the acceptance of “currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.”
Virtually all states regulate money transmission through an agency or department located in the consumer affairs or financial institutions bureau of the state’s executive branch. In most states, unlicensed money transmission can lead to civil and/or criminal sanctions. Individuals that help operate an unlicensed money transmitting business may be fined and/or imprisoned.
While the purpose and content of the state laws may be quite similar, each state has its own application and compliance requirements. These requirements can be very expensive in terms of fees, legal costs and time. States often require lengthy and intrusive background checks, as well as disclosure from senior executives, directors, and investors to obtain a Money Transmission License (“MTL”). It is not uncommon for a business to spend over $600,000 to $1,200,000 over a six-to-twelve-month period to obtain state licenses. Obtaining nationwide coverage of MTL licenses can easily take years. In addition, companies are subject to bonding and net worth requirements which require large deposits of cash or other assets. This can be a prohibitive roadblock for smaller, early-stage companies that do not have the financial ability to do so.
Complete money services licensing involves continuing compliance-related responsibilities and costs, including annual MTL fees and assessments. Other compliance requirements include ongoing reporting, audits and examinations, annual assessments, bonding, minimum capital, and qualified investments.
Money transmitters must typically create and maintain compliance-related support and monitoring functions within the organization to fulfill each state’s compliance-related requirements. This involves hiring compliance staff and building an infrastructure to support and fulfill each state’s compliance requirements.
Determining whether a business is a money transmitter is a matter of degree in some cases. Not all platforms that facilitate payments are money transmitters, thus platforms are highly motivated to design their payment infrastructure in such a way as to minimize the likelihood of being classified as a money transmitter by state or federal regulators.
In 2011, the IRS introduced the Form 1099-K to reduce the discrepancy between the amount of income that people voluntarily report to the IRS and the total amount of income that they should report. The Form 1099-K only reports the movement of funds; individual merchants must decide whether these funds represent taxable income. These forms must be issued for all merchants and sub-merchants of payment facilitators. These forms can be produced by a third-party using data supplied by the PayFac, the acquirer, or by the PayFac, depending on the arrangements made to support the PayFac’s sub-merchants.
The IRS tax code requires payment facilitators to issue a Form 1099-K to all merchants that process payments totaling upwards of $20,000 in a calendar year and to file a corresponding form with the IRS. If the company is required to file over 250 forms each year, they must file electronically. The Form 1099-K requires the merchant’s Tax ID, legal name, address, and total transactions for the calendar year. If a company files inaccurate, incomplete, or tardy returns, it may be fined for each erroneous filing, with no maximum penalty.
Card Network Compliance
PayFacs must abide by all the operating rules and regulations established by the card associations (e.g., Visa, MasterCard, American Express, and Discover), including the specific rules applicable to payment facilitators, Third-Party Processors, and Payment Aggregators. The card networks publish and regularly update their operating regulations and card-acceptance policies and procedures. For example, American Express updates its Merchant Regulations, which are over 200 pages long, at least twice a year. Similarly, Visa and MasterCard update their rules regularly. These rules contain more than 800 pages of operating requirements (not all of which apply to merchant processing and payment facilitators). All merchants are required to follow these rules as a requisite to accepting card payments. The PayFac must also enforce adherence to these rules by their sub-merchants. This section outlines a few of the most important regulations that pertain to payment facilitators.
Aggregation occurs when payments are processed by a single organization on behalf of a number of smaller participating businesses. Online marketplaces, for example, charge customers on behalf of individual merchants. Amazon is an aggregator and only charges a customer once upon checkout, even though funds are often paid to a group of small sellers. In this scenario, the platform, rather than the merchant providing the good or service, is the merchant of record. These platforms are considered aggregators.
Aggregation introduces additional risk because the payment facilitator is responsible for accepting and disbursing payments to third parties, even though it has little control over the quality or delivery of the good or service these third parties provide.
Aggregators are required to register with the card associations, who generally discourage aggregation given the inherent risk of the model. Failure to register is tantamount to “factoring” (the expressly prohibited practice of processing payments for a purpose other than that for which the business was approved). Platforms caught factoring face serious penalties, including the termination of their merchant account, and/or hefty fines.
Registering as an aggregator requires sponsorship from an acquirer. Acquirers are the banks or financial institutions that accept card payments on behalf of merchants. Not surprisingly, most acquirers are unwilling to underwrite aggregators, given the additional regulatory and financial risk associated with them. Acquirers willing to underwrite these businesses establish approval processes significantly more rigorous than those for less risky business models.
Once approved, aggregators face additional regulations and requirements from the card associations, including rules covering things like:
- The types of merchants for whom they may process payments.
- The agreement they must execute with each merchant.
- The information they must collect and the checks they must perform for each merchant.
- The merchant information and processing data they must report to the card associations.
- The policies and procedures they must develop and submit to the card associations for approval.
- The information they must disclose to cardholders and merchants.
- The customer service they (or their sub-merchants) must provide.
- The operating regulations they must enforce.
Payment Card Industry Data Security Standards
The Payment Card Industry Data Security Standard (“PCI DSS”) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information, adequately protect cardholder data. The PCI DSS is administered and managed by the Payment Card Industry Security Standards Council (“PCI SSC”). The PCI SSC is a non-governmental regulatory body established by the card networks.
While all merchants must be PCI DSS compliant, payment facilitators undergo an additional level of scrutiny. Any platform that stores, processes, or transmits cardholder data for a third party must register with the card associations as a Level 1 PCI DSS-Compliant Service Provider, which requires an annual independent security audit and regular network vulnerability scans by an Approved Scanning Vendor (“ASV”). Payment facilitators must also ensure the compliance of individual merchants that operate on their platforms. These merchants are not exempt from PCI compliance, even if their payments are administered by a payment facilitator; though it may reduce the risk of exposure and the effort required to validate compliance.
Failure to comply with the PCI DSS may result in fines, higher transaction fees, and/or termination of the relationship between the card associations and the delinquent payment facilitator or merchant. Furthermore, platforms that suspect or confirm the unauthorized access, use, theft or misappropriation of cardholder information, incur additional obligations, including the responsibility to notify the relevant authorities and conduct a thorough forensic investigation by a reputable third-party forensic investigator. Many states have also passed laws that require companies to report data breaches to the affected parties.
Card networks have developed rules for how and when merchants can charge transaction fees, which are often a critical source of revenue for platforms that facilitate payments between merchants and their customers. The card networks prohibit merchants from prioritizing one payment method over another or applying “surcharges” that dissuade cardholders from using a payment card. They do, however, permit merchants and payment facilitators to charge convenience fees for the privilege of paying for a product or service using an alternative payment channel.
The policies that determine what is a permitted “convenience fee” vary by card network and by applicable state laws. According to Visa’s policies, certain criteria must be met for a merchant to charge a convenience fee. For example, the fee must be disclosed prior to payment, presented as a flat fee (i.e., not a percentage of the sale), and applied to all means of payment accepted in that channel. However, many merchants do not fully comply with convenience fee provisions.
Network (Brand) Rules
The card associations establish rules that restrict both merchants and sub-merchants from engaging in activities that harm or degrade the card network’s brand. Determining whether a merchant has followed the official guidelines for displaying a card network logo is fairly straightforward, but ensuring that merchants do not engage in illegal activity, fraudulent, deceptive, or unfair business practices, or the sale of goods or services prohibited by the card networks (e.g., adult digital content, loans, or gambling) can be difficult.
PayFacs must also ensure that individual merchants establish policies (returns, refunds, customer service, disclosures, etc.) in accordance with the operating rules and that they present these policies to cardholders.
Fraud and Loss Prevention
Card-not-present transactions are highly susceptible to fraud and abuse, for which merchants and payment facilitators are held liable. Most of the fraud prevention features supported by the card networks are designed for card-present environments. Visa, for example, has deployed several anti-fraud measures designed to make card reproduction extremely difficult, including holograms and embossed security characters on the face of the card. Merchants are not liable for fraud when card-present transactions are properly authenticated. Card-not-present transactions (card payments made without physically using a card), such as when buyers enter credit card data into a form on a website, have fewer levels of protection. The use of tokens and third-party risk services are important tools used to reduce risk in this environment. When a cardholder encounters an issue with the use of their card, a chargeback is the typical means of resolving the issue.
When a cardholder disputes a charge with their bank (the “issuing bank”), the issuing bank reverses the payment and refunds the cardholder. This is called a chargeback. Cardholders are protected from the financial liability of unauthorized credit card transactions by Regulation Z of the Truth in Lending Act and unauthorized debit card transactions by Regulation E of the Electronic Fund Transfer Act. Card associations have even broader rules with further added protections. When fraudulent transactions do occur, a well-defined chain of liability determines who is ultimately responsible for making restitution to the cardholder. For chargebacks resulting from card-not-present transactions, the issuing bank recovers the funds from the merchant’s bank (the “acquiring bank”), and the acquiring bank recovers the funds from the merchant.
Chargebacks are typically received weeks after the original transaction, and it can be difficult to recover funds from a merchant. Acquirers are often conservative in their underwriting of PayFacs, as well as merchants, in order to avoid losses. Typically, an acquirer will research the financial stability, creditworthiness, and underlying riskiness of transacting with a business, and then implement special funding policies, such as reserves or holdbacks, to mitigate its loss. Acquirers often require personal guarantees from business owners who are held personally liable for the business’s financial obligations. These guarantees are typically not used by PayFacs to reduce risks.
A payment facilitator is held responsible for chargebacks and must attempt to collect chargebacks from their sub-merchants. If they cannot collect funds for a chargeback, the money is instead taken from their account. Therefore, the payment facilitator assumes responsibility for recovering funds from the sub-merchants and liability for funds that cannot be recovered.
PayFacs must either recover chargebacks from merchants who generate them or write-off the full amount of the chargeback as a loss. This is perhaps the most important fact of life for a payment facilitator; revenue accrues as tiny percentages of transactions, while losses occur as whole transactions.
Acquirers may avoid an aggregation client given that the risk assumed by the PayFac is equal to the aggregate risk of its entire network of sub-merchants. The acquirer reviews a facilitator’s policies, processes, and procedures for determining and mitigating loss, since it does not review the risk of individual sub-merchants.
Payment facilitators interact with both merchants and their customers and must understand the risk associated with both sides of a payment transaction. The four categories of risk include:
Merchant Identity Fraud
When merchant identity fraud occurs, a criminal establishes a merchant account on behalf of a seemingly legitimate business. The criminal makes fraudulent transactions using stolen credit cards and disappears with the proceeds before the cardholders and the processor discover and reverse the unauthorized transactions. When the PayFac attempts to recover the funds, the criminal is gone and the PayFac is liable for the loss and any additional fees or assessments associated with the chargebacks.
This type of fraud happens more often than is thought by most processors. The Federal Trade Commission uncovered a four-year operation in which criminals established more than one-hundred merchant accounts using the Employer Identification Numbers of real businesses, to bilk cardholders and acquirers in excess of $10 million.
Criminals are becoming better at obtaining the information necessary to assume false identities (e.g. birth certificates, government-issued IDs, credit reports). It is difficult, if not impossible, to definitively verify the identity of an online merchant, since the information that legitimate users present to prove their identities can also be obtained by an imposter. The identity of an online merchant often cannot be ascertained with certainty, but there are third-party tools that can assist with identity verification.
In some cases, criminals use “money mules” to obfuscate their illicit activities. A typical scam involves the criminal charging stolen credit cards and settling the proceeds to a mule. The mule keeps a percentage of the money and transfers the remainder to the scam operator, typically located in another country. Mules are often unaware that these funds are the product of illicit activity. Instead, they are usually hapless victims duped by get-rich-quick schemes or promises of legitimate employment.
When cardholders dispute unauthorized transactions, the payment facilitator attempts to recover the funds from the mule’s bank account. In most cases, however, the mule has already transferred the funds to the scam operator, and the payment must be written off as a loss.
Merchant Credit Risk
Merchant credit risk occurs when a legitimate merchant defaults on its obligation to fund refunds and chargebacks. Although payment facilitators do not issue loans, PayFacs, just like acquirers, take credit risk by settling funds within the chargeback window. The chargeback window varies by card type, but it is usually at least 30 days. Payment facilitators are ultimately liable for all payments settled to merchants within that time period.
Merchant credit risk is greatest among younger, less-established, riskier businesses. Unsurprisingly, these businesses often use payment facilitators solely because traditional acquirers are unwilling to take on their business. Unfortunately, the hesitation to underwrite these businesses is not entirely unjustified, given the higher likelihood of excessive chargebacks and bankruptcy.
Traditional acquirers mitigate this risk by analyzing a merchant’s processing and/or credit history, but that involves a longer underwriting process and assumes that merchants have a pre-existing processing history or credit score. Acquirers are typically risk-averse to young companies that accept pre-orders or deposits before they fulfill orders. This risk is due to the amount of time between payment and fulfillment. The more time, the greater the risk that merchants fail to deliver, thus the larger the financial liability. It is therefore not surprising that some payment processors are simply unwilling to run the risk of supporting such a business.
Buyer Identity Fraud
Buyer Identity Fraud occurs when a fraudulent customer uses a stolen credit card (or a card established with a stolen identity) to purchase a product from a legitimate merchant. By the time the real cardholder discovers the fraudulent charges, the criminal already has possession of the goods.
While cardholders may not be liable for unauthorized transactions, merchants typically do not have this protection. When the real cardholder inevitably reverses the payment, the merchant is out the cost of fulfilling the order, the revenue of the sale and the fees associated with receiving the chargeback. Payment facilitators must address merchant credit risk since legitimate merchants may be unwilling or unable to refund payments for valuable goods or services that have already been delivered.
Friendly fraud is similar to buyer identity fraud, except that the criminal is a previously good customer that purposefully commits fraud as a cardholder. The cardholder pays and the transaction is authorized, but the cardholder contacts their issuer to “dispute” the transaction and reverse it by issuing a chargeback once they have received the product or service. The cardholder gets the goods at no cost, and the merchant has a financial loss.
Friendly fraud is difficult to detect because the payments are legitimate on their face. Merchants accepting card-not-present payments have limited ways to prove that cardholders authorized the payment since they did present a physical card and were not present to initiate the transaction. The protections afforded to cardholders may play a role in promoting friendly fraud. Since there is such a low barrier to disputing “unauthorized” card-not-present transactions, cardholders chargeback the purchase to avoid paying for it, resulting in loss of the transaction value and cost of the chargeback to the merchant.
Minimizing Chargeback Risk
Preventing losses is equivalent to preventing chargebacks. For a payment facilitator this may seem like a relatively simple goal: reduce chargebacks to an absolute minimum. Unfortunately, the means of achieving this goal are complex.
Many payment scenarios can result in chargebacks. The process of preventing chargebacks is not as simple as detecting the use of stolen credit card numbers. Each type of fraudulent or risky behavior necessitates its own set of protections. Loss prevention can be an inherently complex process for a PayFac.
Detecting Merchant ID Fraud
A PayFac needs good systems and control processes for verifying a user’s identity, as a means to prevent criminals from impersonating actual merchants. To verify identity in real time, which is an important feature for most major platforms, the payment facilitator must collect and analyze massive amounts of data. This often involves the use of third-party technologies to validate a user’s provided credentials. With so much overlapping data, identity verification is rarely a simple decision.
Payment facilitators are more often faced with users that fall somewhere along a spectrum between verified and unverified. Once an identity has been assigned a given probability, payment facilitators may still face problems with false positives (a valid merchant marked as fraudulent) and false negatives (a truly fraudulent merchant that is allowed to process transactions). PayPal has been widely criticized for its decisions to freeze accounts when they’ve assumed false positives.
If a PayFac makes a false-negative underwriting review and allows a fraudulent merchant to process transactions, it risks having to write off all those transactions as losses because of its exposure to chargebacks. Fraudulent behavior is rarely limited to one merchant. Fraudulent users often test a system’s weaknesses by working together in large, anonymous fraud rings across multiple accounts. If these criminals are successful, a payment facilitator will lose large amounts of money very quickly.
Unfortunately, any safeguards put in place to slow down fraudulent or risky activity will also get in the way of good merchants that want to receive their money as quickly as possible. There is a natural tradeoff between providing an enjoyable user experience and implementing protections against fraud. Traditional merchant accounts involve multi-page applications, credit checks, and waiting periods before a merchant is allowed to accept payments. PayFacs can rarely use those same protections.
Assessing Merchant Credit Risk
While verifying merchant identity is a challenge, it is often much harder to identify merchants who, while not exactly fraudulent, pose risk to the platform by the simple act of failing to deliver their products or services on time or as advertised to their customers. Unless you’re running credit checks, verifying a bank account balance, reviewing prior processing history, reviewing business policies, or auditing financials, you have very little insight into the credit risk of the business. Platforms can combat this by limiting the amount of funds an individual merchant can process or withdraw, but these limits typically result in customer dissatisfaction.
In cases of both identity fraud and merchant credit risk, payment facilitators may require merchants to post collateral (a “reserve”) to ensure that they can cover any chargebacks they receive. This reduces the exposure of the payment facilitator. The reserve requirement for a particular merchant is determined by the payment facilitator and its assessment of the merchant’s risk. Facilitators can also hold a percentage of a merchant’s payments or delay settlement for days, weeks, or months to minimize credit risk. Payment facilitators should establish reserve requirements proportional to their own risk level and develop procedures for updating and communicating those requirements to merchants, whenever appropriate.
Even the most sophisticated techniques in the world cannot abolish risk and fraud completely. Processors must establish policies and procedures for recovering funds from merchants, referring merchants to internal or third-party collections, or pursuing legal recourse when necessary.
Payment facilitators must also implement processes to manage and resolve disputes between buyers and sellers, as well as implement sufficient safeguards to prevent fraud and identify suspicious activity. As the merchant of record, a PayFac receives chargeback notifications from acquirers and must reconcile the chargeback to its original transaction. In addition to recovering funds from merchants, payment facilitators are also responsible for notifying merchants and providing a means by which merchants can defend themselves against chargebacks. The documentation needed to successfully represent a chargeback depends on the chargeback reason code. Chargeback reason codes differ by card network, and understanding the root cause of a chargeback may not be straightforward. The documentation required to fight a chargeback is often split between the merchant, who fulfills the order, and the PayFac.
Some payment facilitators have productized the dispute resolution process to preempt formal chargebacks. In this scenario, buyers dispute payments through the payment facilitator before filing a complaint with their issuing bank. The payment facilitator then attempts to resolve the dispute between the buyer and seller directly without involving the issuing bank or the acquirer. There is significant operational overhead associated with this method, but it can dramatically reduce chargebacks, especially in cases of “accidental” friendly fraud (i.e., the cardholder authorized the payment but does not remember or recognize the charge when it appears on their statement).
When considering how to support payments, a software developer or services platform provider should start with one important question: At any point, is ownership of and control of client funds critical to the product? The answer to this question is critical to the options available to a technology services provider looking to add payments to their platform. The funding control decision locks the platform into one of two potential options:
- The first, which is choosing to take control of user funds, is known as Payment All transactions processed by the platform’s clients are deposited (aggregated) into one central account under the responsibility of the platform. Funds are then sent to the client based on the PayFac’s funding time frames and processing schedule. This model can have significant regulatory requirements for the platform.
- The second option involves processing funds directly to the end-user. At no point during the processing of the transaction are sub-merchant funds held in an account managed by the Deposit transfers are initiated by the acquirer processor based on managed payment parameters.
If a technology or software platform chooses to aggregate the funds of its customers, it may be defined alternately as a Payment Facilitator, a Payment Service Provider, or a Third-Party Payment Aggregator. These terms are interchangeable. The card networks use different names for these programs.
A payment facilitator may be subject to regulatory, compliance, and operational challenges if they decide to take control of customer funds at any point. Money Services, Money Transmitter Licenses, and other compliance requirements arise when taking control of client funds.