By Daniel Federgreen
Personally identifiable information (PII) is a major driver of value in merchant portfolio acquisition. PII, by definition, is central to any discussion of privacy in the payments industry. Merchant service providers must be able to access and transmit PII securely to facilitate transactions, which are the heart of commerce.
The question is, how do the privacy policies of an acquisition target, compared to the acquiring entity's policies, affect the target's valuation and the ability to consummate a sale?
ISOs, merchant level salespeople, processors and acquiring banks are information-driven. For many, awareness of the responsibility to manage PII and the deep understanding of the harm that breach or loss of this information can cause is elusive. And a high-profile discussion regarding security and privacy continues: How should we, as an industry, manage PII in the portfolio acquisition process, and what are the challenges associated with this?
High-speed data transfer is central to the modern electronic world. However, too often data streams contain information that is ambiguous or unknown to both senders and recipients of the data, and the streams may contain PII. Thus the information is not only sensitive to individuals and entities, but it also often contains information that, if obtained by unauthorized parties, could be used for criminal purposes.
When merchant portfolios are bought and sold, what is really being obtained - and therefore the item of value - is the information in the portfolio's database that, when transmitted among authorized payment entities, allows for the processing of payment transactions.
Associated with this information is a laundry list of data that may contain Social Security numbers, dates of birth, driver's license numbers, home and business addresses, and other items that define PII.
Of note, the PII being transmitted may contain not only current relationships; it also may contain details pertaining to prior relationships that were not appropriately purged from databases, as well as third-party data from extraneous inputs.
The policy of the target should reflect the various statutes that affect the target organization, based upon the jurisdictions in which the target operates.
This must be balanced with the business needs of the acquiring organization. The potential conflict between the privacy polices of the target and acquirer must be reconciled before a relationship can be consummated.
Data privacy management has become a modern informational nightmare. Fundamental questions of whose data it is to who has the right to sell or transfer it are issues that must be addressed. Not just because of the legal liabilities associated with this, but also because of the social and ethical responsibilities of the entities involved.
In the book Information Privacy by Peter P. Swire and Sol Berman, the authors describe the four basic areas that every organization faces regarding the handling of information. They are legal compliance, reputation, investment and reticence.
All who are involved with the art of the deal should understand these four concepts. Legal compliance is the requirement that each organization comply with all applicable laws.
Reputation is that the organization must protect its reputation as a trusted institution with respected brands. Investment requires that the organization receive proper return on its investment. Reticence, in this context, is the need for the organization to use the acquired information as robustly as its competitors.
If, in the evaluation of the potential target, the privacy statement is deemed incompatible or unacceptable to the acquiring organization, the acquiring organization must factor in the costs related to providing appropriate notice of changes to the policy and the potential effects of said changes in terms of erosion of the target's merchant base.
To my knowledge, no study has addressed this issue. Therefore, no known predictive model can be applied. What might be called a reasonable guess is simply nothing more than a guess.
It is probably safe to assume the majority of published privacy policies are compatible in terms of immediate needs. Modifications so that privacy polices of merged entities can coexist across an entire enterprise can be put in place during a transitional period while the acquired portfolio's merchant population is integrated in a manner that is least disruptive. The concept of Privacy by Design can serve as a useful guide to accomplish this process.
A fundamental concept today is that of Privacy by Design developed by Dr. Anna Cavoukian. As described by Dr. Cavoukian, "Privacy by Design asserts that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization's default mode of operation."
Privacy by Design presents a set of "foundational principles" that can help companies innovate in ways that are consistent with fair information practices. These seven principles are:
The merger, acquisition or divestiture of merchant portfolios or any other entity with respect to the intrinsic PII of an entity targeted for acquisition must be accounted for in the predictive modeling of cost of acquisition and valuation of the target.
The issue is how to successfully integrate this information without compromising the security and privacy and, at the same time, meet the stated four objectives of Swire and Berman. As author Ursula Le Guin stated, "When action grows unprofitable, gather information; when information grows unprofitable, sleep."
Daniel Federgreen can be reached at firstname.lastname@example.org. He currently is employed in the corporate financial group of a Fortune 50 company.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next