The Green Sheet Online Edition
February 22, 2016 • Issue 16:02:02
Understand and honor confidentiality
On Feb. 27, 2006, The Green Sheet published an article I wrote about confidentiality provisions in ISO and agent agreements titled "Confidentiality clauses in ISO agreements." In this updated article, I revisit this important topic.
Many ISOs and merchant level salespeople (MLSs) gloss over confidentiality provisions in ISO or agent agreements, partly because they are dry reading and partly because they all seem to be alike. But dry as they are, confidentiality provisions can have important implications for your processor relationships. Keep the following in mind when reading confidentiality clauses in your agreements:
Most confidentiality clauses define "confidential information" through a long list of specific inclusions and exclusions. Of these, pricing and merchant information are the most sensitive to the processor. Read the confidentiality clause in your ISO agreement to determine whether these two categories are included. One way to indirectly include pricing within the definition of confidential information is to state that the agreement itself is confidential. Don't think that the pricing schedule is not confidential if the whole agreement is deemed confidential. As an ISO, make sure your agent and referral source data is identified as confidential so that your processor doesn't use your information to take your agents and referral sources.
Information not covered
Most confidentiality clauses have a standard list of exclusions, that is, information that the parties agree will not be confidential. These usually are information that is in the public domain, that a court ordered to be disclosed, or that was already in the party's possession before the party entered into the agreement containing the confidentiality clause. It's normal for these and other specific exclusions to limit what will be considered confidential information.
Use of information
Once you understand exactly what information the agreement designates as confidential, determine how you may use it. For example, an ISO agreement will typically prohibit you from sharing confidential information with a third party. In other words, an ISO cannot tell Processor A what the pricing is on your deal with Processor B. Some processors obligate ISOs to disclose their pricing for third-party suppliers such as those providing equipment or ACH processing. This is controversial. ISOs should reject this, because it obliges ISOs to breach their obligations of confidentiality to those third-party suppliers. It also raises issues of potential illegal and anti-competitive practices on the part of the processor.
Some confidentiality clauses expire when an agreement terminates; others last for some period thereafter. Depending on other issues in your deal, such as non-compete and non-solicitation clauses, you may or may not wish to have a confidentiality clause continue after termination, or you may wish to have it survive for a specific period of time, such as two years. As an ISO or MLS, you depend on leads and merchant information. Excessive restriction of using this information, may limit your ability to grow your business.
Non-solicitation of merchants
Many ISO and agent confidentiality clauses are veiled non-solicitation clauses. For example, even if an ISO agreement contains no prohibition against soliciting merchants after termination, a confidentiality clause may prohibit you from using your old merchant list to move merchants from one processor to another. Make sure that the term of the confidentiality clause coincides with the term of the non-solicit clause. If these two differ, chances are the processor is misleading you. If this is the case, reevaluate whether it makes sense to do business with that processor.
Take time to learn exactly how merchant information is covered by your ISO agreement's confidentiality clause. For example, merchant pricing and the merchant list are distinct types of information that may be treated differently in the ISO agreement.
Regardless of whether the confidentiality clause in your ISO agreement covers cardholder information, never use such information for any purpose whatsoever unless you are 110 percent sure you are authorized to do so.
If you have access to cardholder information, you must comply with state privacy laws as well as industry standards such as the Payment Card Industry Data Security Standard (PCI DSS). As Tim Cranny wrote in "Digging into PCI - Part 7: Restrict access to cardholder data by business need to know," The Green Sheet, Jan. 11, 2010, "the essence of [PCI DSS] Requirement 7 is that the best security is preventative, not reactive. The best way to ensure that cardholder data is not compromised is to simply make sure as few people as possible have access to it." When it comes to cardholder information, always err on the side of caution. Pretend your mother's credit card number is on your list, and act accordingly. Most ISOs and virtually all MLSs should neither have nor need access to this information. Cardholder information is a hot potato you don't want to hold unless you're meant to have it.
The real world
Any industry veteran will tell you that confidentiality and non-solicitation clauses are violated every day across the nation. Some ISOs' hiring agents even (wrongly) encourage new agents to bring merchant lists from their previous ISOs to get their deal count up.
Having been involved in hundreds of agent/ISO/processor/bank disputes over breaches of non-solicit and confidentiality clauses, I feel comfortable advising you to not violate the clauses to which you are bound. While violations may lead to a short-term spike in your production, the long-term effects of such disloyalty will come back to haunt you. I have seen it happen many times. A number of sizable ISOs in the marketplace today are losing considerable business because they have not honored the promises they made to agents.
The payments business comprises a relatively small collection of individuals. It doesn't take long for bad press to get around. So, in short, stay clean. After all, information is the currency of the merchant acquiring business. Confidentiality clauses in ISO agreements protect that currency and help both the ISO and the processor turn it into revenue. That is no secret.
In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, email Adam Atlas, Attorney at Law, at firstname.lastname@example.org or call him at 514-842-0886.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.