Regulatory Update: Merchant Acquiring Industry


Navigator Edition: October 2016
By: Raymond Carter

There have been several instances in the fairly recent past in which federal agencies other than the traditional bank regulators (e.g., Office of the Comptroller of the Currency, Federal Reserve, Federal Deposit Insurance Company) have influenced the acquiring industry by threatening or taking direct action against certain transaction processors.

The Federal Trade Commission’s (“FTC”) mission is to prevent business practices that are anticompetitive, deceptive, or unfair to consumers without unduly burdening legitimate business activity. Their investigative authority specifically excludes banks, which are separately enforced by other federal agencies. However, non-bank payment processors are within the FTC’s scope of authority.
The Consumer Financial Protection Bureau (“CFPB”), initiated through the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 and politically controversial since its inception, was created to provide a single point of accountability for enforcing federal consumer financial laws and protecting consumers in the financial marketplace. Its scope includes bank and non-bank providers of consumer financial products.

To date, the FTC and CFPB actions against payment processors primarily focus on processing transactions for debt collectors, telemarketing merchants, and continuity merchants. The regulatory goal in each of these cases generally was to enforce consumer protections by putting a stop to practices where merchants were alleged to have acted in a deceptive or fraudulent manner and prevent these types of businesses from accessing the payments systems. We see an additional goal of establishing precedent through court actions and settlements rather than engaging the legislative process to influence industry conduct.

Figure 1: Recent Actions Against Payment Processors

figure-1_-recent-actions-against-payment-processorsSource: Consumer Financial Protection Bureau; Federal Trade Commission.

Acquirers have not historically been required to police the actions of its merchants, so why now? Following the economic downturn and the banking bailout, the U.S. federal government formed a multi-agency task force dubbed the Financial Fraud Enforcement Task Force to reduce financial crimes and wring what it believed to be widespread fraud out of the banking sector. The initial objective was to hold accountable those who helped bring about the last financial crisis as well as those who would attempt to take advantage of the efforts at economic recovery. With more than 20 federal agencies, 94 US Attorneys Offices and state and local partners, it is the broadest coalition of law enforcement, investigatory and regulatory agencies ever assembled to combat financial fraud.

While few have been held accountable for bringing about the last financial crisis, a concentrated focus has been put on the payments sector. After multiple actions against individuals and companies performing fraudulent acts, the task force decided that to be more effective, it would center its attention on where these fraudulent entities enter the banking system by eliminating, or choking off access to the payments system. Hence the term Operation Choke Point entered the public forum. Formed outside of Congressional oversight, Operation Choke Point was first disclosed in March 2013. The probe aimed to prevent fraudsters from accessing consumer bank accounts by choking off their access to the payments system. Its effects have been felt by banks, payment processors and companies that make short-term consumer loans over the Internet. Enforcement was broad and targeted numerous legitimate businesses. The origin of the list of business types impacted by Operation Choke Point, though not intended for that purpose, was The FDIC’s Supervisory Insights Journal.

Figure 2: Merchants Associated with High-Risk Activities

figure-2_-merchants-associated-with-high-risk-activitiesSource: The FDIC’s Supervisory Insights Journal, Summer 2011.

Of note, on January 29, 2015, the FDIC issued a Financial Institution Letter that states “The Federal Deposit Insurance Corporation (FDIC) issued a Financial Institution Letter today encouraging supervised institutions to take a risk-based approach in assessing individual customer relationships, rather than declining to provide banking services to entire categories of customers without regard to the risks presented by an individual customer or the financial institution’s ability to manage the risk.”

Acquirers that serve these industries would be well served to have the right controls in place to both manage risks and placate regulators, including the following key controls:

  1. Load Balancing: Controls to ensure that merchants are not opening additional accounts under separate names or shell companies to avoid detection of fraudulent behavior.
  2. Transaction Laundering: Tools to validate that known e-commerce merchants are not processing transactions for additional, unidentified websites that may be selling illicit or illegal products or services.
  3. Telemarketing Scripts: Reviews to ensure that merchant call scripts are not unfair, deceptive, or abusive.
  4. Chargebacks: Systems to monitor merchants for volume and percentage of chargebacks and reason codes.
  5. Returns: Systems to monitor merchants for volume and percentage of credit refunds.
  6. Underwriting: Quality Assurance function to validate compliance with policies.
  7. Prohibited List: Controls to validate adherence to prohibited lists without exception.

For more information, please contact Raymond Carter, Principal, raymond.carter@firstannapolis.com, specializing in Mechant Acquiring and Commercial Risk.

Share: Tweet about this on TwitterShare on LinkedIn

To read the rest of this article, please subscribe to

The Navigator Newsletter