Regulation
The Great ISO Regulation Debate

by Andrea Wilson

   The great debate continues regarding whether Independent Sales Organizations should be required to comply with uniform regulations and standards. But by whose standards and who's regulations? Not every organization is governed by the same set of rules or banking industry guidelines or even resides in the same state or country. A government regulated industry would only apply to those ISOs under that specific regime, causing considerable imbalance in global business methodology. With the introduction of the Patriot Act, increased pressure from the FTC and other government organizations, the card associations and some banks are exploring the creation of a more structured framework from which ISOs should be monitored, regulated and registered.
  One thing is clear; as the merchant acquiring business has emerged into a powerful and profitable industry, accounting for over $100 billion in gross dollar volume per year, ISOs have emerged as a principal player in the industry. MasterCard International's Senior Vice President for Acquirer Relations, Gerritt Kerkstra, reported that ISO's account for 60-80 percent of merchant signings a year and those merchants account for 12 percent of the annual transaction volume. There is a dark side, however, to the ISO industry. In the past 5 years the industry has been permeated with fraudulent representations, greedy sales representatives, and bottom-of-the-barrel merchant referrals. An enormous risk accompanies this kind of business, one which ultimately affects the entire industry. Risks include lower consumer confidence in bankcard use, to industry reputation damage, to issuer insurance loss claims - all of which carries with it a negative knock-on pricing effect for everyone in the industry.
   The Federal Trade Commission is taking notice of these unethical ISO business practices and is taking a crack at implementing more stringent penalties, which is evidenced by their �victory' with a settlement in January from Certified Merchant Services Ltd, the Texas based ISO accused of deceptive practices relating to the marketing of credit and debit card merchant accounts. "The FTC will continue to follow up on reports of unfair and deceptive sales and billing practices, and stop perpetrators cold," states J. Howard Beales III, Director of the FTC's Bureau of Consumer Protection.
   So what do ISOs do now? MasterCard and VISA require that any sales organization marketing to an acquirer be registered as an ISO or Merchant Service Provider (MSP). They have recently implemented more comprehensive ISO regulations and best business practices to ensure viable, low-risk and long term business relationships between the ISO, merchant and bank acquirer. Registration is facilitated through the acquirer and costs up to $10,000 per ISO. MasterCard and VISA prohibit the practice of �brokering' whereby one ISO provisions merchant contracts on behalf of another unregistered entity. Usually the acquirer has no idea that these side deals and sub-contracting are occurring (which in itself is a problem) and are entered into deliberately by the ISO.
   What often compounds this situation is transaction factoring or facilitation of �grey zone' merchant accounts where ISO A provisions a merchant account for ISO B's client under an aggregator type agreement or simply uses another merchant's approved bank account. This is not only risky, but illegal, and raises the ire of the FTC. Despite the legitimacy of the vast majority of ISOs, a small but growing percentage engage in these shady practices that damage the reputation of the ISO industry.
   Complaints and actions raised by the FTC throughout 2002 highlight the number of illegal cross-border telemarketing businesses originating out of Canada and targeting US Citizens with a barrage of lottery scams and dubious �credit repair' products. These �merchants' solicit US based ISOs to provide them with a merchant account or referral to an acquiring bank (usually Caribbean based), who is overwhelmed by the gross sales volume generating quick and large discount rate revenues. Three months later the 'merchant' absconds with the settlement deposits and the acquirer is left with months of consumer chargeback losses to absorb on their balance sheet. In the meantime, the referring ISO makes quick and easy money at huge margins with no risk to them whatsoever.
   With new acquirers entering the lucrative merchant market, MasterCard is now routinely conducting their Risk Assessment Management Program or RAMP review. The RAMP review is an analysis of each of the primary functions considered to have direct impact on the acquirer's fraud control effort. MasterCard rules require that each member conduct its acquiring activity in a prudent and financially sound manner to avoid inordinate risk to itself and other MasterCard principal members. MasterCard reviews merchant signing procedures, ISO relationships, business practices and contracts, terminal and/or gateway capabilities, authorization process flow, merchant monitoring systems and procedures, deposit monitoring, merchant education programs, interaction with law enforcement and review of fraud workflows and procedures.
   Failure to pass the RAMP review delays the ability of the acquirer to start accepting merchant business. Failure is often directly related to ISO business and merchant referral practices for the acquiring bank (leading to increased risk of fraud). Failure of the ISO and/or the acquirer to comply with MasterCard's ISO regulations include fines ranging from $5000 to $50,000, de-registration of the ISO, termination of principal membership and legal action. Passing the RAMP review goes a long way to ensuring long-term discount rate residuals for the bank and ISO and a well-managed merchant program. To be successful, the ISO must work in partnership with the bank.
   A good starting point is with the banks implementing mandatory ISO registration programs with both Card Associations. Additionally, new risk management controls (contractually) requiring the ISO to assume some if not all of the credit risk associated with the merchants they refer, are being implemented. This transfers the liability and ownership of the merchant back to the ISO and ensures that a more detailed level of risk management and due diligence is conducted and responsibility for the ownership of the merchant business risk is assumed. Many unethical industry practices are directly attributed to unregistered ISOs that fail to operate under the regulations designed to protect the longevity and prosperity of the industry. So what is an effective solution to the ISO regulatory debate? Voluntary enrolment with the member banks, and self-regulation to a standard that satisfies the entire industry including government agencies like the FTC.
   The merchant acquiring industry is a great industry and can be even greater if we all operate within the rules designed to protect us as ISOs and bank acquirers. The FTC is now watching so now is the time to take a long hard look in the mirror and ask if we are part of the solution or part of the problem.