Eliminating Card Not Present Channel Concerns
Here are four key areas that should be at the top of your compliance priority list when adopting CNP channels.
In 2016 baby boomers lost their place as members of America’s largest living generation. With millennials representing the largest population cohort, organizations must adopt modern technologies that meet the needs of a generation glued to their smart devices. However, there is an element of concern surrounding the security of these new technologies and how to remain compliant – on average a data breach costs an organization $3.6 million, a price that could quite easily sink a smaller company.
However, remaining compliant is often imagined to be much more complicated than it is, and when properly understood it means your organization has one less thing to worry about. Here are four key areas that should be at the top of any organization’s compliance priority list when considering adopting card not present channels.
1. No Need to Fear, Reg E Is Here
Fear of Reg E litigation has caused some organizations to revert to paper-based payments, but that doesn’t need to be the case.
The Electronic Funds Transfer Act and its implementing regulation (Reg E) establish the rights, liabilities and responsibilities of participants in “electronic funds transactions” involving ACH payments and debit card transactions. Rule-making is shared between the Federal Reserve and the CFPB, but with increased scrutiny from the CFPB, there has been some confusion among collectors as to what type of transactions are covered by Reg E, as well as how the regulation applies to recurring payments.
In simple terms, if funds are being collected directly from a deposit account, then Reg E applies. An “account” in this instance is defined as any “demand deposit, savings deposit or other asset account established for personal, family or household purposes.”
With plentiful documentation and numerous specialists now in this area, Reg E is no longer a time-consuming enigma.
2. E-sign: You Don’t Need a Pen to Sign Here
Another frequent point of confusion is the interplay between the Electronic Funds Transfer Act, Reg E and e-sign. E-sign is simply an electronic means of satisfying certain notice and signature requirements of the EFTA, meaning both service providers and consumers can eliminate paper communication. In contrast, the EFTA is a federal law enacted in 1978 to protect consumers when their funds are transferred electronically.
E-sign refers to all legally required communications with a consumer, not just payments. The basic requirements of e-sign are as follows:
- The consumer must consent to receiving legally required disclosures electronically;
- The consumer must be informed of their right to receive such disclosures in paper form and any associated costs;
- The business should identify whether or not the consent relates to a particular transaction, such as account opening documents, or to ongoing disclosures over the course of the parties’ relationship (for example, account statements);
- The consumer must be informed of their right to withdraw consent to electronic disclosures, and the process and terms for such withdrawal;
- The business must provide a method for updating the consumer’s contact information;
- The business must provide the consumer with the hardware and software requirements necessary for communicating electronically; and
- The consumer must confirm consent electronically in a manner that reasonably demonstrates the consumer’s ability to receive or access necessary communication electronically.
As digital communication becomes the norm, e-sign compliance will minimize risk and differentiate a business from others that are still only offering wet signatures and paper disclosures.
3. All Cards Are Not Made Equal
Different cards have different requirements regarding the data that needs to be stored when collecting a payment over the phone.
One-time debit or credit payments are among the most straightforward phone payments to process. They can be authorized via an oral call recording, which the organization needs to keep on record for a minimum of two years. Recurring credit card payments, which are governed by the Truth in Lending Act and Regulation Z, follow the same process; the only difference is that the authorization can also be completed in writing, although it does not necessarily need to be signed.
Recurring debit payments are where people tend to panic; however, with the correct processes in place, this doesn’t need to be the case. These payments are subject to Reg E, the EFTA and the CFPB’s interpretation of both. They require written authorization that must be signed, but it is not compulsory for this to be a wet signature. Many organizations take the view that if a consumer is required to sign in ink and return a letter, a payment is less likely to be made; this is a key driver behind e-sign.
In addition to these regulatory requirements, collectors must also be aware of the PCI data security standards. To be PCI compliant when recording calls, businesses need to ensure the card number and card verification value (CVV/CV2) are not captured together. Newer telephony technology can mask card numbers in the recording, but organizations using legacy phone technology need to make sure the card’s CVV/CV2 is not captured at all. If there is a need to collect both, the two details need to be encrypted and stored separately.
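As an added example (not code from the article or from BillingTree), here is a Python scrubber for call transcripts that masks Luhn-valid card numbers down to their last four digits, removes a spoken CVV/CV2, and checks that a record to be retained never holds both. The transcript lines and the cue-word heuristic for spotting a spoken CVV are constructed for illustration; in a real deployment the masking happens at the telephony or DTMF layer before anything is stored.

```python
import re

# Constructed sample transcript lines from a recorded payment call (not real card data).
TRANSCRIPT = [
    "Agent: Can I have the 16 digits on the front of the card?",
    "Caller: Sure, it's 4111 1111 1111 1111.",
    "Agent: Thanks. Payment ref 2024-000123 is noted.",
    "Agent: Please don't read me the three digit code. Caller: oh it's 123 sorry",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Heuristic (assumed, not a standard): a 3-4 digit group shortly after a CVV cue word.
CVV_RE = re.compile(
    r"(?i)\b(?:cvv|cv2|cvc|security code|three digit code|code)\b\D{0,20}(?<![\d*])(\d{3,4})\b"
)

def luhn_ok(digits: str) -> bool:
    """Luhn check so reference and phone numbers that merely look like a PAN are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(text: str) -> str:
    """Replace each Luhn-valid PAN with asterisks, keeping only the last four digits."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number, leave as is
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(_mask, text)

def redact_cvv(text: str) -> str:
    """Drop a spoken CVV/CV2 so the retained recording never holds it alongside the PAN."""
    return CVV_RE.sub(lambda m: m.group(0)[: m.start(1) - m.start(0)] + "[CVV REMOVED]", text)

def scrub_transcript(lines):
    # Mask first, then redact: the CVV heuristic must not consume the first block of a PAN.
    return [redact_cvv(mask_pan(line)) for line in lines]

def holds_pan_and_cvv(lines) -> bool:
    """Retention check: True if a full PAN and a CVV still appear together in the record."""
    text = " ".join(lines)
    has_pan = any(luhn_ok(re.sub(r"\D", "", m.group(0))) for m in PAN_RE.finditer(text))
    return has_pan and CVV_RE.search(text) is not None
```

Running `holds_pan_and_cvv` on the raw transcript returns True and on `scrub_transcript(TRANSCRIPT)` returns False, which is the gate a retention job should enforce before writing a recording to long-term storage.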
Most processors can distinguish whether a card is debit or credit by its first few digits, but not all of them can. In your payment call script, a key question should be what type of card the consumer is using: if an organization has done its part by asking, the law provides a safe harbour should the customer incorrectly state the card type and the relevant checks consequently not be carried out. In any event, calls should be recorded and a record should be kept of the consumer’s consent.
4. Inconvenient Convenience Fees
Convenience fees, or inconvenience fees as they should be known, are anything but convenient, both for processors and consumers, especially in transactions governed by the FDCPA. Policies aren’t only state-specific but can also differ depending on the card processing network. The fee is used to offset the cost of payment processing by charging consumers for the privilege of using an alternative payment channel or a payment method that is not standard for the merchant, and the practice is heavily disliked by the CFPB.
For the second time in five years, the BillingTree ARM survey found that a majority of agencies were not collecting convenience fees, nor were they planning to. Is the reason behind an increased number of merchants dropping this fee due to pressure by the CFPB? Or could it be that paying with plastic is no longer seen as the convenient option but the norm, and organizations don’t want to alienate potential customers by charging a fee that so many of them are against?
If an organization decides to charge a convenience fee, it needs to check the laws in the state it is based in, the states in which it operates, as well as the states where its consumers reside.
The Key to Compliance
For organizations wanting to remain compliant, these four key areas are a great place to begin, but as always, check with your compliance experts to ensure your business is operating within the bounds of applicable laws, rules and regulations. When deciding who to trust with processing your payments, check that they maintain reputable payment technology, a focus on compliance and the correct certifications. Look for appropriate PCI-DSS, HIPAA, and SSAE-16 certifications and audits.
New technology will bring many benefits to your organization, however these investments will come at a great cost if you don’t keep rules and regulations in mind. Remaining compliant when implementing new technology doesn’t have to be difficult and the benefits the latest and greatest tools bring are well worth the time spent understanding the requirements.
Barton “Chip” Bright is General Counsel and Chief Compliance Officer for BillingTree. He can be reached at bbright@mybillingtree.com.