
In the fallout from the last financial crisis, and with rising concern over transparency, personal data, and increasingly sophisticated fraud and money-laundering tactics, multiple layers of regulatory compliance are being added to every online and offline transaction that involves the exchange of money.

Even companies as large as PayPal have stumbled on the way to compliance: in 2015 PayPal paid $7.7 million to settle 486 apparent violations of U.S. sanctions programs.

With so many new regulations and laws associated with these transactions, there is a lot to understand before a FinTech start-up enters the payments industry.

PCI Compliance

One of the biggest areas is Payment Card Industry (PCI) compliance. The PCI Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, is a set of security requirements for protecting payment card data. When building a gateway for the payments industry, PCI DSS requires you to build and maintain a secure network and systems, protect stored cardholder data, maintain a vulnerability management program (including keeping anti-virus software current and patching systems), implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.

Card data theft has been a huge issue for even the largest retailers, including Target and Home Depot, not to mention other businesses, banks, and financial institutions. Heartland Payment Systems lost roughly 130 million card records belonging to its merchant customers in a 2008 breach and then had to pay about $60 million to Visa and $41 million to MasterCard.

As a start-up or an established business, you don’t want to be in Heartland Payment Systems’ shoes.

According to a 2015 report by the Identity Theft Resource Center, the number of U.S. data breaches in 2014 hit a record high of 783, despite the increased compliance requirements. This means more regulation is most likely on the way.

Until then, you need to follow the current PCI DSS requirements if you are in the payments industry, because you are accepting and handling card numbers and other financial account information.

Compliance does not guarantee that a breach will never occur, but following PCI DSS does raise your security baseline and protect your business from common threats. Without it, a breach exposes your start-up to significant risk, including fines and penalties assessed by the card brands through your acquiring bank, legal fees, and the possibility of losing the ability to accept cards at all.

Be aware that every time new technology is introduced or new data security threats are uncovered, the PCI DSS requirements evolve, so you will need to spend considerable time, or assign someone the task, staying current with the ever-changing regulatory environment.

Bank Secrecy Act

The Bank Secrecy Act, as amended by the USA PATRIOT Act, was designed to address money laundering and any channel that could give terrorists access to financing. If you are considered a money transmitter or a provider of prepaid access, you are a money services business under this law, and it is a set of rules you need to understand as you design your payment platform: registration with FinCEN, an anti-money-laundering program, recordkeeping, and reporting of suspicious activity.

State Money Transmitter Licensing

In the payments industry, you must also obtain the proper state money transmitter licenses, which are currently required in 47 states. The purpose of this regime is to protect consumers and to address the growth of money laundering through online payment systems. This state-driven compliance is difficult because there is still no national standard defining what counts as money transmission for licensing purposes, so each state draws the line differently.

Beyond the confusion, the licenses themselves are costly in terms of initial and renewal fees, not to mention the surety bond each state requires you to maintain; the separate federal registration with FinCEN carries no fee but is still mandatory. In effect, compliance makes entry into the payments industry an expensive proposition, the intent being that those who do enter maintain transparent processes in every transaction. Depending on the scope of your payments business, the cost can reach six figures.

EMV Migration

Up next, in October 2015, is the U.S. migration to EMV chip credit and debit cards. From that date, liability for counterfeit card fraud shifts to whichever party in a transaction, merchant or issuer, has not adopted EMV. Around the world, payment cards and terminals have worked with smart chip technology for years, but the U.S. has been a late adopter of this standard.

The time is here, which means that, as a start-up, you will need to understand how to support the EMVCo specifications within your payment system, as chip cards are viewed as the primary defense against counterfeit-card fraud, and EMVCo's tokenization specifications extend the same approach to mobile payments.

Traversing the Compliance Jungle

While it might be daunting to think about addressing all these compliance issues and more, it can be done with thoughtful planning and continual monitoring of the regulatory environment to ensure your payment industry start-up is following the letter of the law. Senior management must make compliance a priority and a component of the company's overall strategy, ensuring it is addressed in every aspect of the business.

John Rampton is a PPC entrepreneur, author, and founder at Due, a finance company helping small business owners. Follow me on Twitter @johnrampton
