Avoiding A Trap for the Unwary

Security Breach Insurance Programs

by Holli Targan and Sarah Weston

   Card data security breach insurance seems like a product made in heaven for ISOs. It protects the merchant against losses arising out of a data security breach and provides revenue potential to the ISO. It has the added benefit of guarding the ISO from the loss it would incur if the merchant is unable to pay security breach fines and assessments. In theory this is an attractive program. Merchants benefit from low-cost insurance coverage for an event usually beyond their control, available because they are part of an aggregate. ISOs benefit by providing a valuable service to their merchant base, with the added perk of "stickiness", making it less attractive for a merchant to leave.
   But not so fast. By offering that program to merchants, ISOs may unwittingly be subjecting themselves to state insurance regulation. Often the structure of the program can be tweaked to avoid this problem.
   Set forth below is a description of the product, the program, and its potential pitfalls.
   Typically an ISO teams up with a card data security breach insurance company to offer data breach coverage for a nominal fee to each of the merchants in the ISO's portfolio. Once a merchant is enrolled, the insurance covers losses incurred by the merchant if a breach occurs. The insurance may cover, for example, the expenses incurred during an audit following a suspected data breach, fines imposed by the card associations, and costs of card replacement, each within the limits specified in the particular policy.
   If the merchant agreement allows the ISO to add new services unilaterally, the ISO could mandate that the merchants enroll in the program and tack the premiums on as a new monthly or annual fee. Alternatively, if the merchant contract requires the merchant to consent to any new service or fee, the program may be offered on an opt-in or opt-out basis. Merchants may be informed of the program through a letter or a message on the monthly statement, with the insurance premiums included in the merchant's next statement.
   ISOs' connections to merchants make this an attractive way to market such insurance. Insurance companies need merchants to buy the insurance. ISOs have a ready stable of merchants at their fingertips. But if the ISO markets this product the way it markets other merchant services, it may be walking right into a trap.
   Each state specifies different activities that will cause a company to be deemed an "insurance agent" within the meaning of that state's laws, and which are prohibited for unlicensed entities. For example, New York law prohibits unlicensed entities from being involved in claims adjustment or receiving commissions in connection with the provision of insurance to a third party. Further, some laws specify that an entity that markets an insurance program or collects premiums must be licensed as an insurance agent.
   So if the ISO provides claims adjustment and receives payment each time a merchant enrolls for an insurance policy (in other words, a commission), or markets the program, it would need to be licensed as an insurance agent. Becoming licensed as an insurance agent may require exams, application, and ongoing compliance fees. Failing to do so if required may subject the ISO to fines on a per-occurrence basis. Best to avoid this, if possible.
   Some insurance underwriters indicate that ISOs do not need to be licensed in order to provide the insurance program to merchants. In theory this may be true, so long as the program is structured appropriately within the confines of each state's insurance law. But it gives ISOs a false sense of security that in participating in the program, the ISO is automatically in compliance with state insurance laws.
   However, all is not lost. In most cases it is possible for an ISO to provide data security breach insurance coverage to its merchants without becoming an insurance agent under state regulation. Care must be taken to structure the program to avoid taking on "agency" activities.
   First, carefully review the agreement between the ISO and the insurer to determine exactly which activities the ISO will be undertaking under the program. Then analyze the appropriate state's insurance regulation to determine which activities will bring you within the definition of an "insurance agent" under that state's law. Then lay those activities side by side against the applicable state insurance law, to verify that no activity within the ambit of the "insurance agent" definition will be undertaken by the ISO. Insurance laws tend to be less than self-evident; if you are unsure of whether what you will be required to do may be deemed to classify you as an insurance agent, check with a lawyer who may provide some insight.
   The good news is that insurance providers typically are willing to work with ISOs to restructure their offerings to make sure that state insurance statutes are not violated. Data security breach insurance for merchants is a win-win all the way around. It's just a matter of being on your toes to be aware of the parameters of the law. So take a good look at the statute, structure your program accordingly, and sleep well knowing you have avoided a visit from your friendly state insurance regulator.
   The above does not constitute legal advice; for advice about a particular program, consult your lawyer.