Posted by Anne Draves on 02 Jul 2018
Accepting online payments from your customers isn’t just about having a sleek and easy checkout process. Handling sensitive payment data means that businesses are subject to rules and regulations from various entities. In my role as Manager of Operations, I often help our clients navigate the assorted requirements that affect their online payments acceptance programs.
In this blog post, I’ll provide a high-level overview of some key regulations that businesses should have on their radar when it comes to accepting electronic payments. Here I’ll give a glimpse into NACHA’s Operating Rules, the card networks’ best practices for card-not-present transactions, the Payment Card Industry Data Security Standard (PCI DSS), and an overview of FinCEN’s new CDD rule.
NACHA Operating Rules
Transactions made via the Automated Clearing House (ACH) are a popular way for customers to make insurance, utility, and mortgage payments. Businesses that accept ACH payments are subject to NACHA’s Operating Rules, which provide clear guidelines that govern all transactions over the Network. Here is some high-level information regarding ACH return thresholds, which are based on both volume and dollar amounts:
What happens if your business exceeds these thresholds? NACHA will initiate an inquiry into whether the Operating Rules have been violated, which may then determine any associated fines or penalties.
Here at Alacriti, we work closely with our customers to monitor their returns and help lower these rates when they start approaching the thresholds. We recommend that all merchants who accept ACH payments perform a thorough review of NACHA’s Operating Rules and stay up-to-date on changes as they are published.
Card Network Best Practices for Card-Not-Present Transactions
The major card networks – American Express, Discover, Mastercard, and Visa – have all established guidelines for best practices when accepting card-not-present (CNP) payments. Here’s a brief overview of some key guidelines for accepting CNP payments from your customers.
Failure to implement these best practices can lead to high levels of returns and chargebacks, resulting in fines and even expulsion from the card networks. We collaborate with our customers to ensure that they understand these best practices to help avoid excessive returns and chargebacks.
PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) applies to all organizations that store, process, or transmit cardholder data. It was developed to help keep customers and their sensitive payment data safe. While PCI DSS is overseen and managed by the Payment Card Industry Security Standards Council (PCI SSC), the council does NOT enforce PCI DSS. Instead, the card networks are responsible for making sure that the underlying merchants adhere to PCI DSS. Failure to do so could result in fines and possible cancellation of merchant accounts via the associated merchant’s acquiring bank.
PCI DSS compliance requirements will vary from business to business. For more information on PCI DSS, refer to the standard and supporting materials published by the PCI SSC.
Know Your Customer (KYC)
KYC is an inclusive term used for the processes that businesses undertake to ensure that their customers are who they say they are. KYC is not just one initiative or discipline – it often encompasses different rules and regulations from industry bodies, government agencies, and internal controls. Businesses of all sizes are required to have controls in place that verify the identities of their underlying customers. In addition, US financial institutions are subject to further mandatory KYC regulations.
One of the newest KYC requirements that affect US financial institutions was rolled out by The Financial Crimes Enforcement Network (FinCEN) in May 2018. FinCEN’s Customer Due Diligence Requirements for Financial Institutions (CDD) rule was introduced to improve financial transparency. This is in addition to existing Bank Secrecy Act (BSA) rules regarding Anti-Money Laundering, plus OFAC compliance and the USA PATRIOT Act.
The CDD rule is an amendment to the Bank Secrecy Act (BSA) that helps prevent bad actors from misusing companies to disguise illegal activity and money laundering. US banks are affected by the CDD rule, as it heightens the requirements for customer due diligence. It adds a new requirement for covered financial institutions to “identify and verify the identity of the natural persons (known as beneficial owners) of legal entity customers who own, control, and profit from companies when those companies open accounts.”
There are four core requirements that comprise the CDD rule. Covered financial institutions must establish and maintain written policies and procedures that are reasonably designed to:
What does FinCEN’s CDD rule mean for covered US financial institutions? It means that banks must adhere to regulations outlined in the CDD rule and gather all necessary identification documents for beneficial owners when opening new accounts or banking products.
What does it mean for merchants? It means that every bank you interact with must vet you and collect this information for the beneficial owners of your business (for example, the CEO, CFO, or COO).
The Bottom Line: Accepting online payments from your customers requires adherence to a variety of rules and regulations. Partnering with a seasoned electronic bill presentment and payment (EBPP) provider can help guide you through this process and keep your online payments program running smoothly.