Improving Risk Management For Payment Facilitation
Over the last two decades, Payment Facilitation has been an exciting innovation in the world of payment acceptance and has seen adoption accelerate in recent years. RPY Innovations has been on the forefront of this trend helping over 150 ISVs stand up as Payment Facilitators, or PayFacs.
The PayFac acquiring model has enabled ISVs or SaaS businesses to capture a share of the processing fees of transactions that take place on the platforms that they’ve built, enabling both better monetization as well as more control over their end-to-end customer experience. Similarly, this model has enabled acquiring banks to abstract much of the payment processing technology and risk management away and into this intermediary PayFac layer that they sponsor. On paper, this is a win-win. Acquiring banks take less risk and have less tech burden and give away some acceptable margin to the PayFacs that they sponsor, who take on the risk and integrate the processing technology into their own existing stack. So what could go wrong?
Understanding Payment Facilitation Risk
This isn’t the first time you’ve seen RPY address the topic of risk. We recently unveiled the framework for a dimensional risk model we’re building with input from key industry stakeholders. We’ve also heard scores of conversations surrounding risk at the Electronic Transactions Association’s annual Strategic Leadership Forum and at this year’s Money 20/20 conference. Risk is on everyone’s minds. Financial risk, transaction risk, regulatory risk, risk from increasingly sophisticated fraud, risk from AI, among others, dominated the share of mind. And there are a dozen generative AI based tools vying to manage each vector of risk. But one risk topic that isn’t being talked about, and from our perspective, should be talked about, is the risk management practices of many Payment Facilitators.
In order to start accepting payments as a PayFac, an ISV must first pass an acquirer audit that verifies the existence of various underwriting, risk management and regulatory compliance policies, procedures and tools. However, what is on paper isn’t always what is being practiced, and even with the best of intentions, gaps exist. We’ll go over three such areas of focus here.
KYC / KYB
Over the past decade, many solutions have been built or improved that can plug into PayFac's risk management systems for conducting KYC/KYB. Between these and solutions certain PayFacs have built in-house, options abound. Here at RPY, we certainly have opinions on which solutions tackle this aspect of the underwriting and merchant onboarding process well and which don’t. We won’t name names, but we can share that the range in quality of options concerns us. Furthermore, it is even more alarming that there appears to be very little accountability for whether these systems are sufficiently robust or being used consistently in practice by the risk management teams at PayFacs. The sponsor banks who are essentially paying for the PayFacs to manage this key risk and regulatory compliance requirement should be doing more than simply checking a box on the existence of such tools and asking for the indemnification paragraph in their merchant acquirer agreements.
As Emily Baxter, a consultant at RPY and an ACAMS certified AML specialist often points out to our clients, PayFacs essentially give their sub-merchants an unlimited line of credit by virtue of financially guaranteeing their trustworthiness to the sponsor bank. As every credit card transaction has an average chargeback window of 180 days, the funds are not fully guaranteed until that date, but most sub-merchants are funded for their transactions within a day or two. This means the PayFac is essentially issuing credit to the sub-merchant for that 6 month window. If the KYC/KYB process isn’t sufficiently robust and is porous enough to allow bad actors to be onboarded, the scale of the kind of fraud that the PayFac could be liable for, and the ensuing reputational risk to both the PayFac and the sponsor bank, is significant.
AML / SAR Filing
Similar to the KYC/KYB process, we find that the compliance with AML laws and specifically, the filing process for SARs, or Suspicious Activity Reports, is insufficiently clear at many PayFacs. In this case, the fault doesn’t squarely rest with any one party. Payment Facilitation is still a relatively new model and one that largely grew up in the boom years post-9/11 and following the tumultuous period known as the Great Financial Crisis. The pendulum has swung to the extremes of complacency as a result, which has permitted this particular issue to persist.
PayFacs have no way of directly filing an SAR with FINCEN. They are neither banks and most are not Money Service Businesses, two of the required business categories for engaging directly with FINCEN. Sponsor banks however, can file SARs with FINCEN. Ostensibly, PayFacs can provide their sponsor banks with the details surrounding a case so that the SAR can be filed by the sponsor bank. However, to our knowledge this isn’t happening with any degree of consistency with numerous PayFacs. Verifying the existence and day-to-day practice of such a process just hasn’t been a part of the diligence that acquiring banks take before green-lighting their sponsorship of PayFacs so there is no forcing mechanism for PayFacs to be thorough or even active in filingSARs.
The Director of Compliance
In the early days, there simply weren’t many seasoned banking regulatory compliance professionals who could adopt the compliance operational methodology and apply it thoroughly and thoughtfully to the Payment Facilitation acquiring model. Often, some combination of the head of the payments program, the CEO, the CFO, and/or the Controller would take on the responsibilities of a compliance officer. The role was often an afterthought, relegated to a checkbox on a long list of checkboxes along the way to being able to accept payments. See a theme here?
Since the Payment Facilitation acquiring model itself was self-defined by the industry (it still is today by the way), it’s no surprise that the nature and scope of a compliance officer’s role would also be self-defined at its infancy. However, as the PayFac model has matured, this role should no longer be so ill-defined and underappreciated. A properly empowered Director of Compliance would serve as a necessary ballast against the business agenda of the CEO or Head of Payments. The role, independent of other agendas, would help ensure the critical processes of regulatory compliance and its associated financial, legal and reputational risks are being properly managed. The fact that the preceding two risk areas exist is partially a symptom of a culture of weak compliance management, which extends from the lack of a duly appointed and empowered compliance officer.
Improving Payment Facilitation Risk Management
The three areas of risk identified above within Payment Facilitation are interrelated. The PayFac model is no longer a nascent one. It’s time the industry recognize existing gaps in the compliance and risk management practices and improve them. That requires a collaborative effort from existing and prospective PayFacs as well as the acquiring banks that sponsor them. In certain cases, the solution is relatively simple - like requiring a fully empowered Director of Compliance with a standardized scope of responsibility and requisite level of experience. In others, the solutions are more challenging, like building the proper channels of communication and the associated staffing and training required for SARs to be filed with FINCEN so that PayFacs and their sponsor banks are adhering to the AML laws of the land. While the cost associated with these actions may not have a short term ROI, in the long term, it builds a more resilient industry and business model, which benefits all participants.
At RPY, we will continue to advocate for the adoption of better best practices in the payments industry through our client work, our thought leadership and via our solutions like our work on building a dimensional risk model. If we’ve had the pleasure of supporting your business in the past or present, you already know our penchant for building a payments business the right way. If our paths have yet to cross but you’re interested in our work or would like to collaborate in advocacy, please reach out.