The Green Sheet Online Edition
November 22, 2010 • Issue 10:11:02
Counterparty risk: Keeping the discussion alive
A number of news articles focused on counterparty risk during the Lehman Brothers Holdings Inc. bankruptcy and the bailout of American International Group Inc. more than two years ago.
Counterparty risk was a hot topic within our industry, too, as financial conditions deteriorated and a big-name ISO filed for bankruptcy.
Though economic conditions have improved, I thought the article, "Who's your counterparty?" by Barry Sloan, Chief Executive Officer of Newtek Business Services Inc., The Green Sheet, Sept. 27, 2010, issue 10:09:02, provided a great discussion topic. Here's an excerpt:
"I have been in the workplace for more than 30 years and have been trained in three industries: consumer retail, financial services and electronic payment processing. All of my mentors have stressed counterparty risk.
"Why is it that in the merchant processing world, few participants focus on counterparty risk until it's too late? It is great to submit deals, but if the counterparty you select cannot perform, the sales you have worked so hard to make will have disappearing residuals due to nonpayment by a weak or disingenuous counterparty.
"Do you need your ISOs or processors to file for bankruptcy before you look at their financials? Do you need to have a fraud issue before you do an extensive background check on a potential business partner?
"Would you transmit all of your or your clients' sensitive information (birth dates, addresses, Social Security numbers, bank account information) via fax without knowing if the information was secure? If you are a merchant level salesperson (MLS), do you know if you are covered by your ISO for security breaches?"
The article resonated with me. At heart, we are an industry that compensates for selling a service and managing the ensuing risks. We expect payment for merchant risk but we do not differentiate or discount payments from lesser counterparties.
Certainly a payment from JPMorgan Chase & Co., Wells Fargo & Co. or Harris NA is more secure than a residual stream from a small or startup ISO.
Further, why do we not differentiate between first- and second-tier processors? Authorization costs are critical to our success; however, our industry does not seem to place any value in dealing with a First Data Corp. or TSYS Acquiring Solutions as opposed to a second-tier processor, yet we have seen several second-tier processors either shut their doors or encounter serious breach-related issues over the last decade.
In addition, a startup gateway does not provide the same assurance of continuity as an existing and long-established gateway, yet we do not seem to place value in that longevity and existing customer base.
This has never made sense to me and no matter how this is positioned within our industry, we, as MLSs, do not seem to want to pay any amount for this security.
Counterparty risk and MLSs
Based on my perspective and Sloan's article, I asked GS Online MLS Forum users the following:
"What do you think about counterparty risk? Is this an issue for MLSs? What about lesser issues such as maintaining the confidentiality of merchant information? Do acquirers ask us to email sensitive data in an unsecure format and, if so, whose issue is this?"
FASTTRANSACT responded first. "To expand upon this, let's look at it from going in the other direction," she wrote. "How do the ISOs know if the MLS that is submitting business to us is also protecting the merchant information? What do they do with the application once it is faxed in?
"How do they store it? Do they create a database on an Excel spreadsheet that they use to reference for residual verification and attrition? Is that spreadsheet behind a firewall?
"How about the transportation of that application? Do they have the paperwork strewn across the front seat of their car and leave it unlocked as they pop into another potential customer?
"We focus a lot on what does the ISO do to protect this vital information, but I think as an ISO they also have the right to be asking the MLS the same questions."
While FASTTRANSACT's questions are real counterparty concerns, they differ from the examples I provided. Major financial services companies, for example, need to take certain measures designed, in part, to ensure their customers are not terrorists, money launderers or drug dealers.
While these are risks the companies need to avoid, if one of their customers is closed for failing to meet guidelines, there is no concentrated hole in the business.
On the other hand, if a major financial institution were to fail (ignoring Federal Deposit Insurance Corp. insurance in the case of banks), this could put a major hole in the business plan of their suppliers or major customers. This is what happened when Lehman failed and why our government did not allow AIG to fail.
CLEARENT suggested we look not only at the immediate partner but also the counterparty risk of that partner and the future risk profile of the partner. "I think the definition is a little vague, in that most MLSs or ISAs assume no merchant risk. So, the true risk they must measure is to their future income and value."
CLEARENT added that when it comes to assessing future income and value, current financials may not be the best gauge of a potential partner's viability.
"An ISO partner can be very healthy and then have one large loss that eats up their reserve and puts them in a difficult position that they may not recover," he noted. "It doesn't have to be a PCI loss either. It can be a large fraud loss or a merchant bankruptcy."
CLEARENT feels the telling factor is how a company manages risks to its financial condition. "That means you have to accept the fact that credit policies, as they relate to documentation and approvals on medium- to high-risk merchants, must be sound," he said. "If you find you are getting high-risk merchants through easily, you shouldn't just thank your stars, because they aren't lucky."
In addition to assessing credit policies, you must also "determine who controls what, and who is at risk," CLEARENT explained. "You must determine where your partner's choice falls in the control/risk level.
"If you are partnering with an ISO who has risk, but doesn't control the underwriting, the funding of the merchant or the systems involved, you are at risk - as they are - to a loss that wipes them out. ... If your chosen partner doesn't have risk, then you have to measure who they partner with.
"Don't assume that, if the risk party stops paying your partner, you will get paid. So, measure the partner, and measure your contractual rights. And pay attention to signs of a partner's problems that are red flags, like delayed payments or missed payments, added fees to you or merchants that are sudden with little or no nexus, and multiple staffing changes - along with delays."
Risk mitigation challenges
CREDITCARDMN provided reasons why it is difficult to mitigate counterparty risk. "As far as the merchant's information being secure, both ISOs and MLSs need to be diligent," he posted. "An MLS cannot fully trust that the ISO's database of paperwork to reference later will not succumb to a lost server, not be properly backed up or even be shut off from view with a dispute.
"MLSs must keep all paperwork in a secure manner in electronic or paper form, or both, for later reference and make sure all paperwork is being shared in a safe manner as well.
"ISOs need to ensure that the incoming paperwork is transmitted in a secure manner either via fax or email, and that is really all they can do. ISOs cannot control if an MLS keeps paperwork face up on a car seat or lays it strewn across their desk, but they can control how the information is sent to them and what they do with it once they have it."
CREDITCARDMN believes the onus for securing data should be on ISOs. "It is just like Microsoft and Apple," he wrote. "Apple has fewer viruses and intrusions, but it's because of statistics.
"If a cyber criminal is going to go through all of the work and risk to steal something or create a virus, they are going to hit the company that has the most products out there and create the biggest impact, and that is Microsoft."
CREDITCARDMN also pointed out how difficult it is for MLSs to perform due diligence when evaluating ISOs. "It is hard enough for an MLS to dissect a contract, negotiate terms and pricing and learn the new ISO's procedures and guidelines," he stated. "When the ISO is a private company, it makes it hard for the average MLS to even find out what the financial stability and risk profile of the ISO is.
"There have been many posts about having the ISO provide financials, but this can realistically only be accomplished if the MLS has a lot of leverage in the way of monthly app count to even have this request taken seriously.
"I really think most MLSs in the industry do not have the first clue about how to go about researching the financial stability of an ISO. I, for one, would actually like to see more discussion in this area as well."
CCGUY offered the following tips:
- Know who you are doing business with and make sure you, the MLS, understand the contract and the schedule A.
- Residuals - give them a few accounts and make sure you are getting paid correctly.
- Financial stability of the ISO - this is not easy to determine unless the company is public.
- Sensitive info - I can tell you that in all the contracts we have, it does not instruct us as to what to do with this info after we send in the applications. We have an office and we have a locked file room. But what about the guy who works out of his home?
- PCI compliance.
CLEARENT provided further advice: "Don't give them [the ISO] a couple of deals to see if you are paid correctly. Get references from ISOs who they do business with. Do you think your merchants are willing to be guinea pigs?
"Secondly, all fees, not just PCI, should be considered. Don't zoom in on one thing. ... Don't get wrapped up in one fee. Look at the program as a whole, but make sure they can [support] their equipment.
"And, there is one financial strength you can check: their sponsor bank. One in trouble could put all of [your business] in trouble."
CLEARENT also provided keys to getting meaningful references. "Ask the right questions, and listen to pauses," he advised. The questions he recommended are: "Have you ever had a delay in funding your residuals?
"How have they handled residual questions? When do you get your reports? How easy are they to understand? What format do they come in? Do you talk only with their ops people, or do you still have communications with the people who signed you?"
I like the discussion points CLEARENT addressed. It is not just how financially sound your residual payer is; it's everything in the company's value chain as well. Moreover, it may not be your residual payer that causes your counterparty risk. It could be any third party.
We are not financial analysts, and even if we were to get income and balance sheets, could we really identify the problems within enough time to take action? We need other ways of testing.
We need to continually share information that is not deemed confidential, and we need to recognize a premium should be paid to lessen counterparty risk.
Do not let this discussion die with this article. Use your network and contacts so you ensure your residuals really do have lasting value.
And until next time, when in doubt, sell something!
Ken Musante is President of Eureka Payments LLC. Contact him by phone at 707-476-0573 or by email at firstname.lastname@example.org. For more information, visit www.eurekapayments.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.