As PSPs explore new ISV/SaaS channels they need to be acutely aware of their new risks exposure. The recent FCA “Dear CEO” letter brings this need even more tightly into focus. PSE spends much of its time at the moment looking at the opportunities presented by these new distribution models, so we thought it to explore the risk and compliance implications of this emerging approach…

Early in March this year, leaders of regulated payments companies in the UK felt the thump of an FCA ‘Dear CEO – Action Needed’ letter hit their desks. The letter required regulated PSPs/acquirers and their agent players to address perceived failings in their AML processes. These emerged following a recent review by the FCA, which exposed common issues in a number of critical areas: 

• The first related to weaknesses in identifying discrepancies between how merchants initially registered themselves and what they actually sold and / or an ability to keep pace with monitoring business growth. 

• The second weakness related to business and customer risk assessments. 

• The third and fourth areas centred around weaknesses caused by ambiguity around due diligence decisioning, ongoing monitoring and policies / procedures including a lack of resources and inadequate training. 

PSE has spent much time over the past 18-24 months supporting regulated PSPs and SaaS/ISV firms who sell to merchants looking at AML processes and have developed several interesting insights. So, coming to the question raised in the title:  Could partnering with a SaaS/ISV company help a PSP to meet its FCA obligations? 

In terms of the first two weaknesses, there is good evidence that working in partnership with a SaaS/ISV should enable PSPs to validate the changing scope of services offered by merchants, their growth, and any increase in business risk. SaaS/ISV information held by providers on merchants can be extensive and provide strong, hard to obfuscate, details on the real nature of a business often extending well beyond traditional acquirer customer due diligence processes. This, in turn, could help risk teams to complete a higher quality risk assessment in many cases. Post-onboarding, PSPs can use this enhanced data to improve monitoring, spot inconsistent merchant behaviour and flag up potential financial crime. 

However, PSPs need to consider information sharing relationships with their bat senses at the ready. Merchants who onboard via the SaaS/ISV channel are not always lower risk or easier to monitor. Placing a PSP’s application process behind a SaaS/ISV provider’s paywall can result in lower application fraud but if they offer ‘free’ software promotion periods, application fraud can spike as bad actors take advantage of open SaaS/ISV onboarding processes.  

Thus, PSPs need to develop a new set of partnering skills and risk policies tailored to the specific characteristics of the SaaS/ISV channel.  PSPs also need to work with the SaaS/ISV to utilise the new shared data fields as well as build new risk models to support “enhanced” due diligence both during onboarding and in-life. This could include looking at tenure on the software platform, distribution of transaction values, split by SKU type, or current and future cashflow.  

Solving the other weaknesses identified by the FCA by using a SaaS/ISV partnership are more problematic.  If the payments onboarding is carried out in the SaaS/ISV’s environment, and their platform controls merchant interaction and data collection, there is a significant risk of ambiguity around who is exactly doing what!  Clear rules must be set from the outset.  Both SaaS/ISV and acquirer PSP policies and procedures need to be formally agreed in contract T&Cs and then regularly audited. SaaS/ISV partners will need financial crime training to ensure all involved understand their regulatory obligations.  These, in turn, need to be available to the FCA should any audit of the PSP be carried out. SaaS/ISV companies are increasing keen to embed and monetise their payments service, but they need to realise that this comes with greater risk and compliance responsibilities.  

So overall, do SaaS/ISV partnerships help or hinder regulated entities’ ability to meet their FCA obligations?  As every risk officers will tell you, the most effective quality control process is the one at the front end.  SaaS/ISV partners can provide valuable additional information to stop the acquirer PSP’s onboarding the wrong merchants and subsequently help manage their changing risk profile. PSPs therefore need to ensure that they work with SaaS/ISV to capture and analyse these additional signals.  

However, with great power comes great responsibilities (yes, I know it is from Spiderman..).  Using the SaaS distribution channel requires PSPs to carefully define partner compliances roles and responsibilities to eliminate any additional risks created.  

The quality of the new risk data streams SaaS partners provided are highly attractive and can reduce financial crime. In PSE’s view they should become an integral part of both Batman and Robin’s utility belt to fight the OCG fraudsters! 

Graham Hiom