By Adam Atlas
Attorney at Law
It's passé to say you are going paperless. In fact, anyone who says that is admitting to remembering a time when paper contracts ruled. Those days are over. Contract management has always been one of the key responsibilities of a business, especially a contract-based business like the ISO business. I thought it would be useful to highlight some of the key considerations in contract management in the digital age.
Ever since the year 2000 when The Electronic Signatures in Global and National Commerce Act (ESIGN, Pub.L. 106–229, 114 Stat. 464, enacted June 30, 2000, 15 U.S.C. ch. 96) was adopted, U.S. contracts formed by electronic means have been no less valid than those produced in paper form.
It now seems quaint to refer to electronic contract formation as a thing, given that most of the contracts we typically enter into are electronic. Anyway, the point here is substance over form. In New York, where I am licensed (and in many other states), a contract is binding if there is an offer, acceptance, consideration, mutual assent, an intent to be bound and both sides agree on all of the essential terms.
When those conditions are met, a contract is formed. An ISO should not think that because there is no tangible written agreement that no contract has been formed. Instead, the ISO should review the exchanges between the relevant parties to see if the key conditions to the contract are fulfilled.
The nitty-gritty of contract formation and recordkeeping arises mostly when one party wishes to allege that the contract in question was or was not formed. The courts will decide on the existence of a contract based on the available evidence. Evidence in the digital context includes obvious elements like parties, offer, acceptance, terms and intent to be bound.
However, in the contemporary digital reality, other elements of proof may be no less important, such as login credentials, passwords used, cookies, IP addresses, digital signatures and other crumbs of data that parties leave along the way. The burden of proving that a contract was formed lies with the party seeking to draw the benefit of the contract. That party should then marshal all available evidence to prove the contract was formed.
Suppose you have a web service where users log in and accept terms of use upon signup. The system might produce an elaborate PDF with the party names, signature lines, date of acceptance, etc., but it is more likely not to do that.
Instead, you are likely to have (hopefully) kept track of each version of the terms of use posted to the site and the various digital crumbs that users leave along the way, such as login information, IP address, physical address, time of acceptance, and so forth. These records are the evidence of the contracts formed on your system.
It is useful to revisit the set of data collected, as new data may come along to help improve the evidence in hand, such as very accurate geolocation information from phones or social media profile information.
The acquiring bank for an ISO should prescribe the precise manner in which it would like its merchant agreements to be recorded. These days, many contracts for merchant services are formed using paper-like electronic signature applications. These help to tie the psychological gap between the old paper ways and the contemporary method of contract formation, but they can be a bit clunky.
A strong point of paper-like digital contract formation is that it is likely to produce a more or less complete PDF with all the relevant pricing and terms. This document is extremely helpful in proving that the agreement was accepted, as well as in sharing the agreement with the merchant, the acquirer or others that need to know its terms.
Remember that most processors consider their merchant agreements to be their confidential property. So, even if they reside on your cloud account or system, they may actually belong to the processor for whom you are an ISO.
Now that we are in the business of creating and accumulating large quantities of digital contract records, it behooves the ISO to adopt recordkeeping policies that include recordkeeping and deletion policies.
How will contracts be stored? For how long will they be kept? How are they backed-up? Who has access to them? What happens if the primary server for contract data fails?
It's so easy to keep all data forever, that we are sometimes reluctant to delete it. This is not the best practice. Large quantities of data – especially including banking information and Social Security numbers – are attractive for identity thieves and other hackers. ISOs should therefore systematically delete data that is no longer necessary pursuant to a coherent policy.
Most businesses operate to some extent in the cloud. Make sure your cloud services do not conflict with your rights or the rights of your processor or acquirer in the data that is stored in them.
Fortunately, processors are (finally) alert to the reality that ISOs need third-party services to help administer their data, whether it be customer relationship management data, merchant agreements or agent residual reporting.
At this point processors distinguish themselves by the quality of their APIs and the compatibility of their APIs with popular ISO data management platforms, like IRIS CRM.
Note that all confidential information should be dealt with pursuant to a privacy statement or policy drafted in accordance with the ISO's specific intent. Merchants and others will look to ISOs for a privacy policy and will expect them to adhere to it. In addition to being legally necessary, a privacy policy also helps to build credibility with merchants and agents for whom confidential information is very important.
As ISOs use various services to administer their digital contract records, they should adopt internal controls to make sure no single person can compromise critical ISO data or use it to take merchants or agents away. The tools that make digital contract formation easy are also susceptible to security breaches against which the ISO should be constantly vigilant. 
In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, email Adam Atlas, Attorney at Law, at atlas@adamatlas.com or call him at 514-842-0886.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next
