ISOs, PayFacs and other odd terms
Like many payments people, we get confused on what these terms mean and all the nuances between the parties and what they really do. The confusion comes from the complexities, but also because they all mean different things to the parties themselves, to the different card schemes, the regulators and also across different jurisdictions. This also applies to “sales partners”, “TPPs”, “marketplace” and where these all ‘fit into the mix’.
In some instances, e.g. marketplaces, we must rely upon the Visa card rules alone in the absence of any Mastercard guidance. We will also talk here about the European market architecture because say, the USA market is quite different: and we prefer to be confused by one market at a time.
The Merchant Acquirer
An acquirer is both a client of the card schemes, that has to contractually follow their rules and also an entity that contracts with merchants to process card-based sales transactions. When other parties are involved, such as a payment facilitator, ISO, gateway or marketplace amongst many others, it is almost always the acquirer that has full responsibility to the card schemes and regulators; so must maintain oversight over all the third parties that are involved.
We will look here at some of the third parties and focus today upon ISOs, payment facilitators and marketplaces, their operating models and the risks involved in the oversight of these organisations. An acquirer must monitor what they do, assert and demonstrate strong governance of and control over them, to ensure that the acquirer complies with:
- card scheme rules, risk management requirements and technical standards that apply
- local laws, and all global laws that apply for transactions that take place outside its market
- the acquirer’s own policies.
The acquirer is legally and contractually responsible for managing many aspects of the payment ecosystem risks directly or through the third parties that it engages, which include:
- operational risks including errors, disputes and cases of fraud
- regulatory and compliance risk
- credit risk
- brand and reputation risk
- infrastructural and enterprise risks and its part in the wider payments network.
Third Party Agents
Also referred to as TPPs or agents, these are generic terms, used more by Visa and Mastercard but also widely by regulators, and in many cases encapsulate the entities referred to below. There are many more TPPs that can contract with an acquirer or with a merchant to help with aspects of processing payments. For merchants, TPPs will often need to be approved by other parties in the process to make sure that what they are doing is correct, regulated or comply with the acquirer requirements and card scheme rules.
In all cases, all parties that are involved in the payments processes must be identifiable by the acquirer, and often approved and registered with the card schemes too; to ensure that issues such as PCI DSS, AML/CTF processes, GDPR and other rules and legislation are complied with.
Whilst we will cover below three types of party: the ISO, the marketplace and the payment facilitator; there are many others, e.g. gateway providers, digital wallet operators and third-party bill payment providers plus many more. Most parties undertake multiple roles and functions, so it is easy to become confused by what a provider does or to give it any particular ‘category’.
ISO (Independent Sales Organisation) – or “sales partner”
ISOs ’sell’ acquirer services to individual merchants.
ISOs will have a contract with one or more acquirers to find and contract with merchant customers, or to persuade them to process cards with a different acquirer; they ensure the merchant completes required documentation, e.g. application form, identification and other merchant documentation; and present this to the acquirer for approval and for due diligence obligations to be met. ISOs may also provide customer support to merchants thereafter, provide training or other items such as selling POS devices and acceptance software.
That is all. The card rules do not allow them to set prices, ‘touch’ transactions, settle payments, or to manage disputes, fraud or other functions. Contracts need to be regularly reviewed by acquirers. The acquirer and ISO will agree on the fees for finding these merchants, which can include a share in the profits too. The contracts for processing the payments will, in all cases, be between the acquirer and the merchant.
Marketplaces ‘bring together’ buyers and sellers/retailers ‘suppliers’ in one place – e.g. in one website or mobile application -they will appear as a ‘single online shop’ branded in the name of the marketplace that will be ‘the merchant’ and process the card transactions. It will be the marketplace that ensures that the goods/services are despatched/ delivered (by the ‘suppliers’) and coordinates all fraud, dispute, refund actions and follow-up services from the suppliers.
The acquirer must understand, approve, monitor and manage all aspects of the card processing, and ensure that transactions are monitored and settled with the marketplace; as well as agreeing what types of transactions can be processed by the marketplace. The ‘suppliers’ will not usually have a contract with the acquirer, just the marketplace: who will then contract with the ‘suppliers’ to deliver the products/services and with the ‘buyers’ for their purchases. Because of this, the name of the marketplace will appear on cardholder statements as the party responsible for the sale. The supplier of the goods/services can be regarded as a contracted ‘fulfilment house’.
Visa rules define how marketplaces should operate (since 2017), whereas Mastercard rules are rather quiet.
Complications come with Merchant Category Codes (MCC), as marketplaces that supply only goods of one type (e.g., food delivery, software or ride-share services) will have a single MCC. Thereafter, it becomes more complex with a general marketplace, similar to a department store, and uses MCC 5262. The biggest challenges involve higher risk products where all parties need to understand what is being sold to comply with local legal requirements – for both seller and buyer.
A payment facilitator, also known as a PayFac, PF or sometimes a merchant aggregator or even a Type II TPP is a business to which an acquirer may delegate various functions to. In the purest sense, they have a single merchant account with the acquirer and process transactions through that account for more than one smaller merchant. This means that payment facilitators may distribute a combined settlement sum to the merchants involved, handle disputes, fraud and other customer matters. Often the payment facilitator will also be an ISO that finds merchants, provides customer service – see above, but may also sell/ provide POS terminals and gateway software for e-commerce transaction and/or other services.
Importantly, the payment facilitator will undertake all of these functions on a contracted delegated basis on behalf of one or more acquirers with the full knowledge and from the acquirer(s) itself. The responsibility and accountability remain at all times with the acquirer for all regulatory and scheme matters.
Merchant contracts can involve two or three parties, but must always be transparent about who the acquirer is and where the responsibilities lie, and statement narrative must identify the merchant AND the payment facilitator. The acquirer/payment facilitator contract needs to be very clear about the delegated responsibilities and obligations of both parties, and will set the fees that are commensurate with the services delegated and the risks managed.
Acquirers can (and do) suffer large/catastrophic losses from merchant failures and/or payment facilitator failures, as it is the acquirer that takes full and ultimate responsibility, which means that acquirers need to enforce the laws and card scheme rules and then monitor exposures, risks and performance very carefully and audit them continuously. Critical functions an acquirer will wish to retain control over will include those that can and do lead to serious issues and include: new business underwriting, especially understanding the exposures, and the AML risks and obligations that all remain with the acquirer (and even personally with its regulated officers). For acquirers, non-compliance fines can be significant, operating restrictions and loss of licences very real, and costs of regulatory investigations can be very high. This is why an acquirer will often duplicate key processes that are delegated to another party.
Payment facilitators do provide other critical services though, that acquirers may not deliver such as online systems for sales integration and sector-specific expertise, which has led to many more applications globally to become a payment facilitator. Despite this critical role, the card schemes can be nervous about the complexity of various third parties that exist in the payments chain’.
With all these different parties involved, people can misunderstand the various responsibilities and eco-system risks involved to make sure that the systems always ‘work’, and that all global laws complied with. Observers can struggle to understand the relevance of all the rules, laws and the extensive and strict governance and controls needed and how these contribute to protecting the integrity of payments overall. e.g. correct application of MCCs can at times be a major challenge and often seen as trivial for all parties involved rather than as a key tool to help us follow global regulations and thereby protect children and vulnerable people.
It should be clear from this article that starting a new payment facilitator is not easy for anyone involved and especially for the acquirer – as a ‘pseudo-regulator’. The payment facilitator will need a clear strategy and business plans, strong governance, robust and secure systems, effective and scalable risk management, measurement and controls, AML as well as other legal considerations, contracts, PCI compliance, training, card-scheme approvals; and much much more.
Despite these challenges, if a prospective payment facilitator gets its proposition right, works closely with an acquirer, identifies, and manages the risks and exposures and manages merchants properly, the payment facilitator can greatly help the payments industry and merchant groups, drive new and/or incremental business; and deliver services and expertise that may not be possible for an acquirer. And hopefully, it can also find a niche to drive new revenues and profits.
Author: Bill Trueman & Kevin Smith, Payments Risk Directors, London, Payments Consulting Network
If you found this article helpful and would be interested in reading similar articles by our consulting team, please subscribe to our newsletter.