
Risk Management Refresh

ETA releases updated version of seminal merchant and ISO underwriting guidelines

By Christine Umbrell

Keeping pace with the ever-changing payments space and associated regulatory environment, ETA has revised one of its most widely accessed publications, the “Guidelines on Merchant and ISO Underwriting and Risk Monitoring.” First published in 2014, the document was updated in 2016 and has now been revised for 2018 to incorporate important changes, including guidelines to comply with the Financial Crimes Enforcement Network’s (FinCEN’s) beneficial ownership rule.

The publication of the revised guidelines was officially announced February 15, when ETA CEO Jason Oxman testified on Capitol Hill at a hearing of the Subcommittee on Financial Institutions and Consumer Credit. During the hearing, which focused on “Examining De-Risking and Its Effect on Access to Financial Services,” Oxman educated lawmakers about the risks involved in underwriting and explained how the newly revised document provides information regarding recommended effective tools to help mitigate merchant risk in the card acceptance ecosystem.

“For both back-end networks and systems, as well as consumer payment products, payments technology firms have heavily invested time and resources into ensuring data security,” Oxman explained during the testimony. “The rate of fraud on payment systems is at remarkably low levels, thanks to due diligence programs to prevent fraudulent actors from accessing payments systems.”

ETA’s newly revised underwriting guidelines serve as one tool to help payments companies avoid conducting business with such fraudulent actors. When they debuted four years ago, they quickly gained acceptance as industry best practices. They continue to remain highly regarded, in part, because they keep current with the changing payments ecosystem.

The “Guidelines on Merchant and ISO Underwriting and Risk Monitoring” was originally published “with the intention that they would be a living document,” explains Amy Zirkle, ETA’s vice president, industry affairs. “Its value comes in its being current, to reflect the current practices in risk management.” Entities that provide payments acceptance to merchants and third parties are required to follow strict rules and regulations imposed by the card brands, she says, and the document serves as “a very efficient tool for underwriting.”

For the latest update, subject matter experts re-evaluated the entire document to ensure that ETA members have thorough information to support their risk management practices. “The guidelines were developed through a collaborative process,” explains Andrew Bigart, Esq., partner with Venable LLP, who participated in the latest revisions. “ETA members and industry practitioners worked together to develop the voluntary best practices outlined in the document.”

Some sections within the 2018 revision needed no significant changes, and adjustments to other sections were more stylistic, according to Zirkle. The most significant revisions, however, included a section on the beneficial ownership rule, which goes into effect in May 2018, and a chart of “red flags” to assist members in identifying potential problem areas.

Beneficial Ownership

The new version of the document offers guidance for payments professionals seeking to adhere to FinCEN’s final rule on customer due diligence (CDD), which was adopted in 2016 but with mandatory compliance delayed until May 11, 2018.

“The CDD rule requires covered financial institutions to establish and maintain written procedures that are reasonably designed to identify and verify the beneficial owners of legal entity customers,” according to the U.S. Department of the Treasury. “These procedures must enable the institution to identify the beneficial owners of each customer at the time a new account is opened, unless the customer is otherwise excluded or the account is exempted. Also, the procedures must establish risk-based practices for verifying the identity of each beneficial owner identified to the covered financial institution, to the extent reasonable and practicable. The procedures must contain the elements required for verifying the identity of customers that are individuals under applicable customer identification program requirements.”

A “beneficial owner” includes any individual who, directly or indirectly, owns 25 percent or more of the legal entity in question, or one individual who has significant responsibility to control, manage, or direct the legal entity.

The CDD rule amends the anti-money laundering (AML) program requirements for covered financial institutions, including banks and credit unions, “to explicitly require covered institutions to implement and maintain appropriate risk-based procedures for conducting ongoing customer due diligence,” according to the Treasury guidance.

To ensure ETA members are prepared to engage in practices in alignment with the CDD rule, the revised “Guidelines on Merchant and ISO Underwriting and Risk Monitoring” offers recommendations regarding compliance with AML regulations as well as the FinCEN’s beneficial ownership rule and its impact on the process of customer identification and verification, according to Bigart.

For example, starting in May, banks are obligated to identify and verify the beneficial owners of all legal entity customers at the time of account opening. “Even if a processor, ISO, or payment facilitator is not directly subject to these requirements, these entities are almost always contractually required by their sponsor banks to engage in customer identification and verification activities,” according to ETA’s new guidelines. “As such, processors, ISOs, and payment facilitators should implement programs designed to capture the customer information of merchants (including beneficial ownership information) seeking access to merchant processing accounts.”

The revised document also explains that, once the FinCEN rule takes effect, banks will be required to “identify and verify a legal entity customer’s beneficial owner(s) at the time of account opening. To ensure compliance, sponsor banks are likely to push these beneficial ownership requirements to their processor, ISO, and payment facilitator partners.” ETA members can expect to find additional instructions regarding adherence to the new rule in the full document.

Red Flags

Another important update to the 2018 guidelines is the addition of Exhibit L, a chart titled “‘Red Flags’ in Merchant Underwriting and Monitoring.” This chart lists several “red flags that might indicate to someone that something fishy is going on with a merchant,” explains Zirkle.

This section offers specific suspicious activities to look for and explains what each activity could mean. Red flags are detailed in eight categories: application information; beneficial owners, hidden owners, and controlling persons; background checks; related accounts; merchant site visits; merchant marketing; multiple merchant identification numbers; and ongoing monitoring.

This chart should be seen as a tool to aid payments professionals in identifying potential areas of concern. For example, a red flag of “inconsistent information” indicates the processor should “make an accurate evaluation of the merchant.” In addition, overly optimistic anticipated sales volumes for a startup “should trigger an inquiry about whether the merchant has been truthful in completing its application.” And “straw men” accounts may suggest “load balancing, or a merchant’s inability to pass usual risk reviews on its own,” according to the updated guidelines. These are just three of the more than 30 red flag examples included in the new chart.

Additional Modifications

While the revisions related to beneficial ownership and the addition of the red flag chart are the two most significant updates to the 2018 underwriting guidelines, the entire document has been updated to feature language and suggestions that are in compliance with the most recent changes in the payments ecosystem. Rewrites and additions have been made throughout. Below are just a few of these new changes:

  • An addition to the section on time frames for merchant underwriting policy has been made to indicate that “automatic approvals” should be reserved for lower-risk merchants that have met basic hurdles.
  • In the section on activities that support risk management goals, EMV considerations have been added.
  • The section on monitoring of micro and mobile merchants has been amended to include “instant boarding” merchants.
  • Section 5, “Risk Management for Merchants Requiring Enhanced Due Diligence,” has been rewritten to improve the overall readability of the section, including updates from the Federal Trade Commission and VISA regulations. Best practices also have been enhanced.

The Basis for a Micro-Credentialing Program

Publication of the newest version of the guidelines paves the way for the debut of an associated micro-credentialing program. In addition, ETA is planning to develop a micro-credential based on its payment facilitator guidelines as well. “We’re moving forward with a micro-credentialing program and also are in discussions with a number of companies around the development of a corporate certification program tied to those guidelines,” Zirkle says.

While plans for the micro-credential have not been finalized, “we are looking to leverage the guidelines as a vital ETA industry document and the basis for an online micro-credential course” that requires certificants to demonstrate a deep knowledge of the document, Zirkle says. The credential will be offered online so individuals can work through self-paced modules.

Zirkle says ETA will likely offer courses to walk potential certificants through the document. “Included throughout the courses will be knowledge checks for each section” to ensure participants accurately grasp the content. “This is a way to engage the industry in really knowing the document, inside and out,” she adds. Micro-credentialing participants may include “anybody in the risk space—acquirers, processors, ISOs—anybody interested in the risk management compliance piece,” Zirkle says.

Part of the Payments Solution  

The 2018 version of the “Guidelines on Merchant and ISO Underwriting and Risk Monitoring” is designed to assist ETA members in improving security and reducing risk in payments, but it is just one part of a comprehensive and strategic payments strategy that should be embraced by payments professionals. “ETA’s overall goal is to be the hub around all things payments, and risk management and security is a big part of that,” says Zirkle.

Adds Bigart, “For payments professionals, whether in sales, compliance, or risk, the guidelines [is] a great resource for understanding best practices for merchant and ISO underwriting and risk monitoring.”

Editor’s Note: The information provided here is based on the publication, “Guidelines on Merchant and ISO Underwriting and Risk Monitoring,” developed by a working group consisting of risk professionals and other personnel from various ETA member companies. Readers should refer to legal or other counsel for complete guidance.

Christine Umbrell is a contributing writer to Transaction Trends.