Compliance: Who Can Tell Me What to Do?

Compliance Management is one of the most important and most challenging responsibilities in the payments industry. Over the years, I have watched many companies manage their compliance programs badly.

Why have they managed compliance so badly?

There are several reasons.

In the next few blog posts, I will identify a few of them and a strategy to overcome them.

Here’s the first one:

Not knowing who can mandate requirements I must fulfill.

In my recent video “Comply with What?? Says Who?!!”, I recommended each company build a Compliance Database. The first step in creating this database is to make an inventory of all entities that can and do mandate requirements for your company.

There are two types of mandates:

  1. Regulatory: Governments and business associations have the right to legislate rules to ensure safe and legal business practices. Compliance with the regulations flowing out from the legislation is not optional and non-compliance can lead to criminal charges.

  2. Contractual: Payment associations, service providers, and business partnerships tend to be structured by contracts. These contracts may be template-based or customized. They may be bilateral or multilateral. However, each contract will have requirements and deliverables that need to be complied with. Failure to comply can cause a breach of contract. This breach may negatively impact your company’s day-to-day operations or may remove your business from the contractual relationship – even terminating your company’s ability to fulfill its business mandate.

It is important that you identify legislative and contractual obligations separately, because their compliance requirements and non-compliance penalties are different.

So, who are these entities who can mandate over my company?

As a company in the payments industry, here is a partial list of the authorities who do have the right to mandate requirements:

  • Government regulatory departments:

    • On the issuer side of the business, these would include the banking regulator – either federally or at a state or province level.

    • On a merchant side, the government departments overseeing consumer affairs would have legislation impacting how your business must run.

    • There are entities that are directly regulated by these departments, like banks, credit unions, and acquirers. Other downstream entities like merchants, merchant services companies, card issuing program managers, and fintechs will have contractual relationships with these banks, credit unions, or acquirers. Since the regulators’ requirements apply to regulated entities AND THEIR DOWNSTREAM PARTNERS, you, as a downstream partner, will have compliance with legislation included in your contract.

  • Professional associations:

    • These may include business associations, a Better Business Bureau, or merchant trade organizations.

    • Some of these organizations have compliance requirements to protect their own reputation.

    • Others are certifying entities recognized by governments. These operate as gatekeepers, allowing or disqualifying companies from participating in a specific industry.

  • Payment networks:

    • Direct connectors to payment networks sign on with those networks as franchisees or members. Included in the franchise or membership agreements are requirements for the franchisees to comply with all the payment network’s requirements and rules.

    • Typically, there will be a clause indicating that governmental requirements overrule franchise requirements – but that is the only compliance exception I am aware of.

    • Once again, these agreements require the franchisee, their downstream partners, and their service providers to all comply with the network’s requirements.

  • Service providers and outsource partners: You will have contractual agreements with your processor, card provider, merchant services company, POS solutions provider, and other outsource partners. Each of these contracts will contain requirements you need to comply with. You should also have requirements they need to comply with. Failure to comply with their contractual requirements can jeopardize your relationship with that service provider. Your providers failing to comply with your requirements could leave you with a service provider who doesn’t perform at the level for which you contracted them.

  • Federal and local governments: These entities don’t necessarily have regulations impacting payments (but some do!!). However, they do have requirements that may limit the options a company has for meeting mandated payment compliance. For example, zoning bylaws can impact what your business can do at a specific location.

Defining “WHO” is your first step in turning your Compliance nightmare into a manageable and strategic discipline within your company.

In my next blog post, we will take the second step . . .
