Contract management in the paperless age
This story originally appeared in The Green Sheet Issue 160702 on July 25, 2016.
It's passé to say you are going paperless. In fact, anyone who says that is admitting to remembering a time when paper contracts ruled. Those days are over. Contract management has always been one of the key responsibilities of a business, especially a contract-based business like the ISO business. I thought it would be useful to highlight some of the key considerations in contract management in the digital age.
Contracts still exist
Ever since the year 2000, when the Electronic Signatures in Global and National Commerce Act (ESIGN, Pub.L. 106–229, 114 Stat. 464, enacted June 30, 2000, 15 U.S.C. ch. 96) was adopted, U.S. contracts formed by electronic means have been no less valid than those produced in paper form.
It now seems quaint to refer to electronic contract formation as a thing, given that most of the contracts we typically enter into are electronic. Anyway, the point here is substance over form. In New York, where I am licensed (and in many other states), a contract is binding if there is an offer, acceptance, consideration, mutual assent, an intent to be bound and both sides agree on all of the essential terms.
When those conditions are met, a contract is formed. An ISO should not think that, because there is no tangible written agreement, no contract has been formed. Instead, the ISO should review the exchanges between the relevant parties to see if the key conditions to the contract are fulfilled.
Proof of contract
The nitty-gritty of contract formation and recordkeeping arises mostly when one party wishes to allege that the contract in question was or was not formed. The courts will decide on the existence of a contract based on the available evidence. Evidence in the digital context includes obvious elements like parties, offer, acceptance, terms and intent to be bound.
However, in the contemporary digital reality, other elements of proof may be no less important, such as login credentials, passwords used, cookies, IP addresses, digital signatures and other crumbs of data that parties leave along the way. The burden of proving that a contract was formed lies with the party seeking to draw the benefit of the contract. That party should then marshal all available evidence to prove the contract was formed.
It is useful to revisit the set of data collected, as new data may come along to help improve the evidence in hand, such as very accurate geolocation information from phones or social media profile information.
Recordkeeping - merchant agreements
The acquiring bank for an ISO should prescribe the precise manner in which it would like its merchant agreements to be recorded. These days, many contracts for merchant services are formed using paper-like electronic signature applications. These help to bridge the psychological gap between the old paper ways and the contemporary method of contract formation, but they can be a bit clunky.
A strong point of paper-like digital contract formation is that it is likely to produce a more or less complete PDF with all the relevant pricing and terms. This document is extremely helpful in proving that the agreement was accepted, as well as in sharing the agreement with the merchant, the acquirer or others that need to know its terms.
Remember that most processors consider their merchant agreements to be their confidential property. So, even if they reside on your cloud account or system, they may actually belong to the processor for whom you are an ISO.
Retention and deletion policies
Now that we are in the business of creating and accumulating large quantities of digital contract records, it behooves the ISO to adopt recordkeeping policies that cover both retention and deletion.
How will contracts be stored? For how long will they be kept? How are they backed up? Who has access to them? What happens if the primary server for contract data fails?
It's so easy to keep all data forever that we are sometimes reluctant to delete it. This is not the best practice. Large quantities of data – especially when they include banking information and Social Security numbers – are attractive to identity thieves and other hackers. ISOs should therefore, pursuant to a coherent policy, systematically delete data that is no longer necessary.
Most businesses operate to some extent in the cloud. Make sure your cloud services do not conflict with your rights or the rights of your processor or acquirer in the data that is stored in them.
Fortunately, processors are (finally) alert to the reality that ISOs need third-party services to help administer their data, whether it be customer relationship management data, merchant agreements or agent residual reporting.
At this point, processors distinguish themselves by the quality of their APIs and the compatibility of their APIs with popular ISO data management platforms, like IRIS CRM.
Privacy in contract formation
As ISOs use various services to administer their digital contract records, they should adopt internal controls to make sure no single person can compromise critical ISO data or use it to take merchants or agents away. The tools that make digital contract formation easy are also susceptible to security breaches against which the ISO should be constantly vigilant.