The Green Sheet Online Edition
October 13, 2025 • 25:10:01
Legal ease
Untangling ROSCA: What you need to know
We've all been there: neck-deep in the account settings of a paid service, hunting for a way to cancel it—without any luck. Have consumers in this situation been misled? Is cancelling so complicated as to be essentially impossible? Perhaps.
Somewhere in the matrix of relationships behind such a service is a payment processor and perhaps an ISO dutifully processing the monthly payments. Are they liable for the heavy hand of their merchant? Each case like this would turn on the individual facts, so this column sets out some of the key legal questions in play and suggests some ideas for how ISOs and payment processors can spot them.
1. What is ROSCA
The Restore Online Shoppers' Confidence Act (ROSCA), 15 U.S.C. §§ 8401–8405 (2010) (ROSCA) was adopted 15 years ago in the early days of online shopping. ROSCA is federal law that establishes basic common-sense ground rules of consumer protection for online shoppers including requiring clear and conspicuous disclosure of material terms before picking up consumer payment information.
Material terms include any "negative option" in the terms, amount and frequency of charges, and disclosure about the fact the charges will continue unless the consumer opts out. The consumer has to opt-in to charges, especially recurring charges. Acceptance by silence is not permitted. ROSCA also mandates a simple cancellation mechanism. Another requirement is that Merchant A cannot transfer cardholder data to Merchant B.
2. Are ISOs and processors subject to ROSCA?
Processors are not expressly responsible for ROSCA compliance. Instead, merchants are responsible for compliance in their terms with consumer customers. However, a processor or ISO could be found liable under ROSCA for colluding with a merchant that is in violation of the law.
How would an ISO be found in collusion with a merchant? A pretty bad case would be one where an ISO or processor counsels a merchant on how to build a program that is very hard to opt out of or hosts the program through technology that they supply to the merchant.
These days, ISOs and processors often supply integrated shopping carts and other checkout tools for merchants. ISOs and processors that supply these tools should consider how they may skew the consumer flow to be more or less ROSCA-compliant.
3. The ISO processor says, 'It wasn't me!'
A processor and ISO could be found to be colluding with ROSCA-breaching merchants even if the consumer never knows they are part of the flow. Neither the processor nor the ISO name need to appear to engage their liability.
Processors and ISOs may argue that the merchant had exclusive liability for all disclosures provided to consumers and all opt-in and opt-out flows. At first blush, this is correct. However, a mastermind for a bank robbery that creates the perfect playbook for a heist and gives that playbook to a criminal gang is potentially liable for having colluded with the gang to carry out the heist.
In the old days, processors and ISOs had a firm defense against claims related to merchant wrongdoing. Merchants caught selling illegal goods and services did not expose putatively innocent processors to liability for their wrongdoing; ISOs and processors argued that it was impossible for them to police the products and sales practices of merchants.
That immunity began to crack about 10 years ago with fake handbag cases. Luxury brands decided to pursue not just the sellers of knock-off handbags but also the payment processors for the sellers, and processor liability was engaged. Processors have since been held liable for aiding in supporting negative billing scams.
Merchants' increasing dependence on processor and ISO billing-management software will only increase the risk to those providers of being blamed for orchestrating merchants' bad behavior.
4. What's an ISO or processor to do?
In my experience, the vast majority of illegal negative billing scenarios can be filtered out with the common-sense "mom test:" What would your mom say about the flow? If the answer comes back with any amount of confusion, there's a problem.
On a more serious note, processors and ISO walk a fine line. On the one hand, they should reject merchants with obviously problematic flows, but they also have to be careful to not slip into being legal counsel to merchants by advising the merchant to make one or another change to their flow.
If a processor or ISO is concerned about a given merchant flow that passes the mom test but still gives them pause, one option is to mandate a legal opinion from the merchant's lawyer that the flow is compliant.
ISOs and processors should follow business news about ROSCA cases, as new, informative caselaw is emerging. 
In publishing The Green Sheet, neither the author nor the publisher are engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law email: atlas@adamatlas.com, Tel. 514-842-0886.
Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.
