
The Green Sheet Online Edition

May 08, 2023 • Issue 23:05:01

Legal ease:
ISOs gone digital: Legal implications for digital-only ISOs

By Adam Atlas
Attorney at Law

At this point, pretty much anything on paper only is inherently suspicious. Whether by force of numbers or because of the many advantages, business is digital-first. It might be helpful to remind you of some of the legal implications of operating a digital-only business.

E-Sign Act

Way back in 2000, Congress enacted the E-Sign Act, which made electronic agreements no less effective than good old paper contracts. For electronic agreements to be valid, the parties must have had access to the terms in advance of accepting, must have been able to download or copy the terms before accepting them, and the parties must express consent.

There must also be an electronic record of the acceptance. The electronic record of acceptance does not need to be a signed PDF; it could be simply a record of the form of agreement presented for acceptance together with records of the person or entity that accepted the agreement, such as IP address, name and other identifying information.

Realistically, at this point, the absence of any digital record could make a party nervous that the hard-copy contract will be lost or difficult to assert later on for lack of evidence.

Digital communications

As you know, a contract is but the beginning of a relationship between, for example, a merchant and an ISO. After formation of the contract, the parties will need to communicate with each other. Increasingly, even formal notice provisions are drafted so that email notices are entirely effective as formal notice—without the need for a FedEx or certified letter. It's important to note that the expectation of electronic communication should be the subject of express consent in payment services agreements—especially if electronic communication is permitted as the only form of communication. In fact, it is now commonplace for banks to present clients with a stand-alone electronic communication consent to ensure that clients will not complain, later on, that they did not receive one or more notices on paper.

My expectation is that the hoopla over digital communication will turn in the other direction, so that a typical customer will believe themselves to be aggrieved if they do not receive digital notifications.

Whatever form of communication is chosen, the choice should be expressed in the terms of the contract that brings the two parties together.

Nested terms

Have you noticed that accepting terms of use of one supplier often includes accepting terms of one or more other suppliers? These "Russian doll" sets of terms are the norm in banking-as-a-service and other fintech models that complement or compete with traditional ISO businesses.

I am not aware of case law concerning the enforceability of terms that appear inside other terms, but it's advisable to let the consumer, merchant or other user see each of the individual terms and privacy policies they are accepting—as opt-in options—so that as a supplier you are not having to prove to a court that the consumer or merchant actually saw and accepted the terms.

As a user of services supplied under a mashup of multiple sets of terms, consider the multiple places to which your data is being sent and whether that poses excessive risk to your organization.

Security

No discussion of digital-first operations is complete without a reminder that storing troves of data creates opportunity for bad actors to exploit.

In the ISO business specifically, cardholder data is the hot potato. Unless your ISO systems are themselves PCI-compliant, your ISO should not access, store or transmit cardholder data. Fortunately, there are any number of third parties ready to perform the secure gateway and data communication functions for ISOs and their merchants.

Some time ago, gateways and other data-only platforms were able to limit their liability to 30 days of fees or some other nominal amount, using the argument that their puny fees did not justify assumption of substantial liability. Those days are gone.

Gateways and other services that mostly collect, store and communicate data are increasingly taking real liability for data breaches and for the materially negative financial consequences of their failures. For example, if a gateway accidentally processes a batch of transactions twice, and that results in chargebacks or other losses, ISOs and other parties are increasingly achieving real concessions from the gateway when negotiating caps on the liability of the gateway.

It's important to take time and consider exactly who sues whom if there is a data breach and exactly how limited each party's liability is under those circumstances. Contractual clauses will not usually allow parties to limit their own liability for serious fraud or other wrongdoing, but many breaches occur without any ill-intent on the part of the platform that is breached.

Data portability

ISOs using processors or other platforms to assist in their operations should consider the right to port data elsewhere, as well as how easy that right will be to exercise in the real world. If the data is exported in a format that is incomprehensible to a reasonable successor platform, the ISO may have to rebuild the database despite having access to the data.

Some processors cling to merchants by holding onto their data when a merchant initiates a request to transfer their data to a successor processor. There is something off-putting about that. It is also arguably illegal considering a lot of data held by a processor belongs to the merchant. In any case, ISOs should consider their rights and the rights of their merchants to access and move data should the need arise.

AI-generated content

This article was written by a real person, the old-fashioned way, but torrents of articles and marketing material are coming that will not have had much human involvement at all. Before posting any such content, review it to see that it makes sense and does not mislead potential clients or partners. It's so easy to create content now; some sales and marketing folks might skip the important step of ensuring that marketing material is not misleading.

In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law by email at atlas@adamatlas.com or by phone at 514-842-0886.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
