The Rules and Regulations of Online Payments

Posted by Anne Draves on 02 Jul 2018
Accepting online payments from your customers isn’t just about having a sleek and easy checkout process. Handling sensitive payment data means that businesses are subject to rules and regulations from various entities. In my role as Manager of Operations, I often help our clients navigate the assorted requirements that affect their online payments acceptance programs.

In this blog post, I’ll provide a high-level overview of some key regulations that businesses should have on their radar when it comes to accepting electronic payments. Here I’ll give a glimpse into NACHA’s Operating Rules, the card networks’ best practices for card-not-present transactions, the Payment Card Industry Data Security Standard (PCI DSS), and an overview of FinCEN’s new CDD rule.

NACHA Operating Rules

Transactions made via the Automated Clearing House (ACH) are a popular way for customers to make insurance, utility, and mortgage payments. Businesses that accept ACH payments are subject to NACHA’s Operating Rules, which provide clear guidelines that govern all transactions over the Network. Here is some high-level information regarding ACH return thresholds, which are based on both volume and dollar amounts:

  • There is a 15.0% threshold for all returns across the board
  • The threshold for returns for administrative reasons (no account, unable to locate, etc.) is set at 3.0%
  • There is a threshold of 0.5% for returns for unauthorized transactions

What happens if your business exceeds these thresholds? NACHA will initiate an inquiry into whether the Operating Rules have been violated, which may then determine any associated fines or penalties.

Here at Alacriti, we work closely with our customers to monitor their returns and help lower these rates when they start approaching the thresholds. We recommend that all merchants who accept ACH payments perform a thorough review of NACHA’s Operating Rules and stay up-to-date on changes as they are published.
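To make the threshold monitoring described above concrete, here is a small example added to this post (it is not Alacriti's code or a NACHA tool). It takes a batch of ACH entries tagged with their return reason codes, computes the overall, administrative, and unauthorized return rates, and reports which thresholds have been exceeded or are being approached. The mapping of reason codes to the administrative and unauthorized categories, the "approaching" margin of 80% of a threshold, and the sample batch are all assumptions made for the example; check the current Operating Rules for the exact codes and measurement window before relying on the mapping.

```python
"""Return-rate monitor for ACH originators (added example, not Alacriti's code).

Rates are computed as returns in a category divided by entries originated.
The thresholds are the ones quoted in the post; everything else is assumed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Thresholds exactly as stated in the post, expressed as fractions.
THRESHOLDS = {"overall": 0.15, "administrative": 0.03, "unauthorized": 0.005}

# ASSUMPTION: which return reason codes fall into which NACHA category.
# Verify against the current Operating Rules before using in production.
ADMINISTRATIVE_CODES = {"R02", "R03", "R04"}       # closed / no account / invalid account
UNAUTHORIZED_CODES = {"R05", "R07", "R10", "R29"}  # unauthorized debit returns


@dataclass(frozen=True)
class AchEntry:
    trace: str
    amount: float
    return_code: Optional[str] = None  # None means the entry was not returned


def categorize(code: str) -> Optional[str]:
    """Map a return reason code to a threshold category, or None if it only
    counts toward the overall rate (e.g. R01 insufficient funds)."""
    if code in ADMINISTRATIVE_CODES:
        return "administrative"
    if code in UNAUTHORIZED_CODES:
        return "unauthorized"
    return None


def return_rates(entries: List[AchEntry]) -> Dict[str, float]:
    """Compute the three return rates over a batch of originated entries."""
    total = len(entries)
    if total == 0:
        raise ValueError("cannot compute a return rate over zero entries")
    counts: Counter = Counter()
    for entry in entries:
        if entry.return_code is None:
            continue
        counts["overall"] += 1            # every return counts toward the 15% line
        category = categorize(entry.return_code)
        if category:
            counts[category] += 1
    return {name: counts[name] / total for name in THRESHOLDS}


def evaluate(rates: Dict[str, float], warn_fraction: float = 0.8) -> Dict[str, str]:
    """Classify each rate as 'ok', 'approaching' (assumed: at or above 80% of
    the threshold) or 'exceeded' so the originator can act before NACHA does."""
    status = {}
    for name, limit in THRESHOLDS.items():
        rate = rates[name]
        if rate > limit:
            status[name] = "exceeded"
        elif rate >= warn_fraction * limit:
            status[name] = "approaching"
        else:
            status[name] = "ok"
    return status


def sample_entries() -> List[AchEntry]:
    """Constructed sample batch: 200 debit entries, 17 of them returned
    (2 unauthorized, 5 administrative, 10 insufficient funds)."""
    codes = ["R10", "R29"] + ["R03"] * 3 + ["R02", "R04"] + ["R01"] * 10
    entries = []
    for i in range(200):
        code = codes[i] if i < len(codes) else None
        entries.append(AchEntry(trace=f"TRACE{i:06d}", amount=100.0, return_code=code))
    return entries


if __name__ == "__main__":
    rates = return_rates(sample_entries())
    for name, status in evaluate(rates).items():
        print(f"{name:<15} {rates[name]:6.2%}  {status}")
```

On the constructed batch the unauthorized rate (1.0%) is already over the 0.5% line, the administrative rate (2.5%) is close enough to 3.0% to warrant attention, and the overall rate (8.5%) is comfortably under 15%, which is the kind of picture that should trigger a review of authorization and account-validation practices before NACHA opens an inquiry.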

Card Networks

The major card networks – American Express, Discover, Mastercard, and Visa – have all established guidelines for best practices when accepting card-not-present (CNP) payments. Here’s a brief overview of some key guidelines for accepting CNP payments from your customers.

  • Collect the card number, cardholder name (as it appears on the card), expiration date of the card, and cardholder’s mailing address where they receive the card’s statement
  • Use tools such as Address Verification Service (AVS) and Card Verification Value (CVV) to further verify electronic transactions
  • Use internal or third-party tools to help identify suspicious or fraudulent transactions
  • Provide a record of the transaction via email that outlines order details, return policies, and customer support contact information

Failure to implement these best practices can lead to high levels of returns and chargebacks, resulting in fines and even expulsion from the card networks. We collaborate with our customers to ensure that they understand these best practices to help avoid excessive returns and chargebacks.

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) applies to all organizations that store, process, or transmit cardholder data. It was developed to help keep customers and their sensitive payment data safe. While PCI DSS is overseen and managed by the Payment Card Industry Security Standards Council (PCI SSC), the council does NOT enforce PCI DSS. Instead, the card networks are responsible for making sure that the underlying merchants adhere to PCI DSS. Failure to do so could result in fines and possible cancellation of merchant accounts via the associated merchant’s acquiring bank.

PCI DSS compliance requirements vary from business to business, depending on how cardholder data is handled. For more information on PCI DSS, see Alacriti's separate primer on the standard.

Know Your Customer (KYC)

KYC is an umbrella term for the processes that businesses undertake to ensure that their customers are who they say they are. KYC is not just one initiative or discipline; it often encompasses different rules and regulations from industry bodies, government agencies, and internal controls. Businesses of all sizes are required to have controls in place that verify the identities of their underlying customers. In addition, US financial institutions are subject to further mandatory KYC regulations.

One of the newest KYC requirements affecting US financial institutions was rolled out by the Financial Crimes Enforcement Network (FinCEN) in May 2018. FinCEN’s Customer Due Diligence Requirements for Financial Institutions (CDD) rule was introduced to improve financial transparency. It applies in addition to existing Bank Secrecy Act (BSA) rules regarding Anti-Money Laundering, OFAC compliance, and the USA PATRIOT Act.

The CDD rule is an amendment to the Bank Secrecy Act (BSA) that helps prevent bad actors from misusing companies to disguise illegal activity and money laundering. US banks are affected by the CDD rule, as it heightens the requirements for customer due diligence. It adds a new requirement for covered financial institutions to “Identify and verify the identity of the natural persons (known as beneficial owners) of legal entity customers who own, control, and profit from companies when those companies open accounts.”

There are four core requirements that comprise the CDD rule. Covered financial institutions must establish and maintain written policies and procedures that are reasonably designed to:

  1. Identify and verify the identity of customers
  2. Identify and verify the identity of the beneficial owners of companies opening accounts
  3. Understand the nature and purpose of customer relationships to develop customer risk profiles
  4. Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information

What does FinCEN’s CDD rule mean for covered US financial institutions? It means that banks must adhere to regulations outlined in the CDD rule and gather all necessary identification documents for beneficial owners when opening new accounts or banking products.

What does it mean for merchants? It means that every bank you interact with must vet you and collect this information for beneficial owners of your business (for example, CEO, CFO, COO, etc.).

The Bottom Line: Accepting online payments from your customers requires adherence to a variety of rules and regulations. Partnering with a seasoned electronic bill presentment and payment (EBPP) provider can help guide you through this process and keep your online payments program running smoothly.

Anne Draves, Product Operations Manager. Anne leads Alacriti's Business Operations & Compliance initiatives to ensure adherence to policies and procedures pertinent to PCI, NACHA, the card networks, and KYC. Together with the Governance, Risk & Regulatory Compliance team, her work forms a well-rounded approach to compliance, risk mitigation, and security management.
