isa U.S.A. has again changed its rules for acquirers and ISOs, thereby necessitating an immediate change in all merchant agreements. This sets the stage for sanctions by Visa and/or civil litigation for those who fail to comply.

All tri-party merchant agreements (between an acquirer, an ISO and a merchant) must now include a separate, stand-alone disclosure page clearly informing the merchant that the acquirer has primary responsibility for the merchant relationship.

This development is part of the Acquirer Risk Program, which Visa initiated in January 2004 to reduce the risk associated with acquirers' increasing dependence on ISOs and other agents in managing merchant relationships. The program seeks to clarify acquirers' obligations and accountability in exercising appropriate control over all aspects of operations.

The disclosure page must clearly apprise the merchant of the following member bank responsibilities:

• A Visa member is the only entity approved to extend acceptance of Visa products directly to a merchant.
• A Visa member must be a principal (signer) to the merchant agreement.
• The Visa member is responsible for educating merchants on pertinent Visa operating regulations with which merchants must comply.
• The Visa member, not the ISO, must provide, administer and control settlement funds for the merchant.
• The Visa Member, not the ISO, must hold, administer and control all reserve funds that are derived from settlement.

The disclosure page must contain the member bank's address and phone number; it must also disclose that the member is primarily responsible for the merchant relationship and may be contacted at any time for any reason.

Merchant responsibilities

The disclosure page must clearly inform the merchant that he or she is primarily responsible for:

• Complying with cardholder data security and storage requirements
• Maintaining fraud and chargebacks below established thresholds
• Reviewing and understanding the merchant agreement
• Complying with Visa's operating regulations. The disclosure page must include the following:
• Merchant's name, business address & phone number
• Title of the individual signing the document on behalf of the merchant
• Agent/salesperson's name.

The page must be dated and signed by the merchant's principal owner or authorized officer to confirm that he/she has reviewed the document. A copy must be provided to the merchant at the time of signing, and the merchant must retain it. The member must also maintain a copy in the merchant's file.

By requiring these disclosures, the program seeks to improve merchant account administration. For example, after numerous recent compliance audits, Visa determined that acquirers' insufficient oversight of merchant underwriting and compliance monitoring represents the most prevalent risk in this area. The program therefore prescribes daily oversight of merchant underwriting and monitoring as a "member best practice." It requires acquirers to advise merchants that acquirers are responsible for educating merchants on Visa operating regs with which merchants must comply.

Thus, acquirers must carefully review (and periodically update) their merchant agreements and disclosure pages to faithfully reflect all current key Visa operating regulations in a way that fairly apprises merchants of the rules governing their conduct.

Visa's audits also revealed that acquirers often had limited or no access to merchant files and ISO reporting; improperly allowed ISOs to hold merchant reserves in several cases; and, in rare cases, entered into tri-party agreements through non-member sub-agents. Visa has attempted to address these issues in its disclosure page requirements.

Potential ramifications of the disclosure page rule are significant. According to Visa, acquirers that fail to provide an appropriate disclosure page for each merchant agreement will be in "serious violation" of the Acquirer Risk Program. This may result in fines or reduction conditions for the acquirer. Acquirers and ISOs that fail to adhere to Visa's new disclosure page rule also are likely to find themselves in litigation if any of their merchants fails to comply with Visa's requirements concerning data security and storage, fraud and chargeback thresholds, or otherwise.

Indeed, providing inadequate disclosures, or none at all, furnishes any merchant with a vehicle for shifting blame to the acquirer and/or ISO should the merchant fail to comply with Visa's requirements. This represents a clear litigation trap. It's important to note that Visa's sample disclosure page fails to satisfy the rule's requirements in several respects. For example, it does not include a plain statement that the member bank:

• Is primarily responsible for the merchant relationship
• May be contacted at any time and for any reason
• Must provide an executed copy of the disclosure page to the merchant at the time it is signed
• Must maintain a copy of the disclosure page in the merchant's file as part of required due diligence.

So, rely on Visa's requirements, not its sample, in drafting disclosure pages. Now is the time to carefully review and update your merchant agreements to ensure full compliance with these new requirements.

This article is for informational purposes only. Please consult an attorney before relying upon it for your specific legal needs. Theodore F. Monroe is an Attorney whose practice focuses on the electronic payment and direct marketing industries. For more information about this article or any other matter, please e-mail Mr. Monroe at monroe@tfmlaw.com or call him at 213-622-7509