Your Payment Facilitator

Partner

2020
 Why we became a payment facilitator (Payfac)?

Today, many platforms and marketplaces help merchants accept payments by providing online
services for companies of all sizes. Payments functionality has become integral for these
platforms to differentiate their product and create stickiness, and merchants using the platform
no longer need to establish direct relationships with acquiring banks or payment gateways.
Below are some of the most common types of platforms and marketplaces:

E-commerce: Platforms, such as Shopify and Squarespace, which help businesses

or individuals sell physical goods online.

Invoicing: Platforms, like Xero and FreshBooks, which help businesses invoice
their clients.

Fundraising: Platforms, such as Blackbaud and Kindrid, which help nonprofits and
charities raise money or collect donations.
Booking: Platforms, like Mindbody My Assistant and FareHarbor, which facilitate
the scheduling of appointments.

Travel and ticketing: Marketplaces, like Airbnb and Victor, which help connect
individuals with accommodations and experiences.

Retail: Marketplaces, such as Soshoba, which help individuals sell to each other.

On-demand services: A range of services falls into this category, including

ride-sharing (e.g., Lyft, Uber, Nekso), restaurant delivery (e.g., Postmaids,
Deliveroo, DoorDash), and professional services (e.g., Handy ).

Other: We’re constantly seeing platforms emerge that are either hybrids or
something entirely new, supporting services like online health, pharmacy
delivery—even hairdressers.
Payment facilitators categories
In general, into three categories, all served by Celpago:

Commerce platform providers which enable digital transactions through

innovative or enhanced technology on a white label basis. The platform owns
payment flows and is responsible for paying out funds to its merchants (referred
to as sub-merchants) directly.

Independent software vendors — or ISVs — a white label solution. The ISV

directly offers payment solutions but does not control the underlying technology.

Marketplaces or platforms that aggregate a set of sub-merchants, generally serve

as the merchant of record, and control the flow of funds and payouts to
sub-merchants.

Today, it’s easy to add the payments functionality that most platforms and marketplaces
require without becoming a payfac—by using a solution like Celpago.
 What do payfacs do?
Payfacs open a merchant bank account
and receive a merchant ID (MID) to
acquire and aggregate payments for a
group of smaller merchants, typically
called sub-merchants.

Payfacs have embedded payment

systems and register their master MID
with an acquiring bank.

Sub-merchants, on the other hand, are

not required to register their unique
MIDs—instead, transactions are
aggregated under the payfac’s master
MID.

Payfacs simplify the online payments setup for sub-merchants.

Why are we different
What are payfacs responsible for?
Financial partners, card networks, regulators, and acquirers are most concerned with the
following when it comes to payment facilitation:
• Controlling who is on the platform: Setting up the right onboarding processes and building
trust in those processes.
• Meeting KYC, AML, and OFAC compliance requirements: Ensuring
sub-merchants are verified to control for money laundering,
terrorist financing, and other risks and meeting Know Your
Customer (KYC), anti-money laundering (AML), and the US Office
of Foreign Asset Control (OFAC) requirements. If operating
internationally, there are many other regulatory bodies to
consider.

• Auditing account activity on the platform: Putting controls in place

to track and mitigate high-risk financial activity on an ongoing
basis.
• Being PCI compliant: Ensuring the platform is Payment Card Industry (PCI)
compliant and all sub-merchants are accepting payments from customers in a
compliant way. To learn more, review our guide to PCI compliance.

Though these four categories are clear, it’s difficult to find a consistent description of a
payfac’s granular responsibilities. Even the card networks have their own nuanced
definitions.

Visa defines a payment facilitator as a third-party agent that

may do the following:

• Sign a merchant acceptance agreement on behalf of an

acquirer.
• Receive settlement of transaction proceeds from an
acquirer, on behalf of a sub-merchant.
Mastercard defines a payment facilitator as a service provider, registered by an
acquiring bank (merchant processor, to be more specific), to facilitate transactions
on behalf of sub-merchants. Under Mastercard’s rules, a payfac has several
responsibilities:
• Conduct due diligence on each sub-merchant.
• Monitor all sub-merchant activity to ensure compliance
with Mastercard’s standards.
• Maintain PCI compliance.
• Only use settlement funds to pay sub-merchants.
• If a sub-merchant exceeds $100,000 in annual Mastercard
transaction volume, the sub-merchant is required to enter
into a direct merchant agreement with the acquiring bank.

Each acquiring bank also has different rules for payfacs, which form a complex web of
requirements between card networks and banks. Combined, think of a payfac as an entity that
handles the relationships with card networks, sub-merchant onboarding, and payment services
for merchants. The payfac directly handles paying out funds to sub-merchants.
Most of the requirements for payfacs are enforced by the card networks and
acquiring banks. However, regional differences influence how stringently card
networks and banks enforce these requirements in the Americas, Europe, and Asia.
For example, Visa and Visa Europe are two different entities and may apply rules
differently.
How to become a Payfac

Becoming a Payfac requires building and investing in multiple systems for payment
processing, sub-merchant onboarding, compliance, risk management, payouts, and
more. Payfacs also have ongoing requirements to maintain their good standing and
credit requirements with acquiring banks and card networks.

The Electronic Transactions Association (an advisory organization with members

from banks, card networks, and payment processors, also referred to as ETA)
strongly recommends engaging industry experts and legal counsel to ensure
adherence to laws and guidance that span card networks, acquiring banks, state and
federal governments, and global regulatory organizations (e.g., OFAC).
 Set up payment systems
∙ Find an acquiring bank: Prospective payfacs approach acquirers with a business plan in order
to establish a partnership and get sponsored to facilitate payments for sub-merchants.
∙ Integrate payment gateways: Payment gateways provide functionality for sub-merchants to
process online payments.
∙ Obtain Level 1 PCI DSS certification: To ensure the security of sensitive data, the payfac is
required to be Payment Card Industry Data Security Standard (known as PCI DSS) certified,
which may also include Europay, Mastercard, and Visa (EMV or chip) certification if the payfac
supports in-person transactions.
∙ Build merchant management: This includes merchant dashboards, payout systems, and
dispute management systems to handle chargebacks.
 Set up merchant onboarding and
compliance systems

• Create underwriting policies and systems to ensure only lawful businesses that comply with
card network and acquirer rules are onboarded. The payfac’s system and employees will need
to do the following
o Verify identities of sub-merchants, including KYC, ownership structure, and business
details.
o Check OFAC and MATCH lists for sub-merchants before onboarding; Mastercard
manages the Member Alert to Control High-Risk Merchants (MATCH) list.
o Assess sub-merchant’s financial health and risk, including fraud, credit, financial,
compliance, regulatory, or reputational risk.
∙ To manage and mitigate risk, build systems and internal policies to conduct due
diligence. The payfac’s system and employees will need to do the following:
o Comply with AML laws by encoding rules and requirements from card
networks and regulatory organizations.
o Identify suspicious activities (including indicators of terrorist financing).
o File Suspicious Activity Reports (known as SARs) with the Financial Crimes
Enforcement Network (FinCEN) or acquirer, as required.
∙ Submit registrations and apply for any additional required licenses:
o Register as a payfac with each card network.
o Apply for money transmitter licenses (MTLs) in each state the payfac
operates in, if required to support certain fund flows.
o Apply for regional licenses if required. (Brazil, Malaysia, and the EU—to
name a few—require separate licenses.)
 Manage ongoing processes and systems
• Onboard and underwrite each sub-merchant: Verify the identity, business model, and owner
information for each sub-merchant. Set up payment processing for sub-merchants.
• Monitor risk and update risk systems: Perform due diligence, monitor sub-merchant activity
on an ongoing basis, and mitigate risk as needed (e.g., apply processing caps, delayed funding, or
reserves).
• Prevent and block fraud: Proactively prevent fraud on the platform and block or review
suspicious transactions. Best practices include using adaptive machine learning for fraud
detection. Submit evidence to card networks when needed for chargebacks on behalf of
sub-merchants.
• Pay out funds to sub-merchants: Ensure sub-merchants are paid their earnings on time.
Reporting and reconciliation: Generate and distribute 1099s or other tax forms as
needed annually.
• Maintain PCI DSS compliance: Ensure the platform remains compliant even as data
flows and customer experiences evolve. Note that some card networks may require
payfacs to submit quarterly or annual reports or complete an annual on-site
assessment to validate ongoing compliance.
• Renew payfac registration and licenses: Re-register as a payfac with card networks
annually, and update or renew MTLs on the required cadence.
 Global expansion

If the platform needs to operate internationally and support sub-merchants in other regions,
partnerships with local acquirers, gateways, and other service providers may be necessary. In
general, platforms build local systems from scratch in order to adapt to local requirements or
support multiple regions.
Governments and regulators may also have different requirements based on geography. The new
European payments law, known as the second Payment Services Directive or PSD2, recently
introduced major changes that significantly impact multisided platforms, or marketplace
businesses, in Europe. Many of these businesses can no longer rely on an exemption from
licensing that they availed of previously. Platforms that control the flow of funds need to acquire
an e-money license, which can take months and millions of euros to obtain.
 Adapt to changing landscapes

The definition of a payment facilitator is still evolving—so is its role. (The Electronic Transactions
Association, or ETA, published a 73-page report with new guidelines in September 2018.) Any
investments made now to become a payfac will require updates over time to meet changing
regulations and requirements.
The technology landscape is evolving as well: Consider that different providers and vendors may
be required to offer solutions for local payment methods (like SEPA, Alipay, or iDEAL), multiple
currencies, mobile payments, in-person transactions, billing systems for invoicing or subscription
payments, and much more.
 The cost of becoming a payfac
Category Description Setup Minimum time required Approximate minimum cost

PAYMENT SYSTEMS SETUP

Acquirer sponsorship Put a strong business plan in place and potentially 3–6 months Varies by acquirer
hire a consultant to assist

Hire a payments attorney

Payment gateways Negotiate, contract with, and integrate payment 1–4 months Varies by gateway, but typically a
gateways combination of fixed and per
transaction fees
PCI compliance (and EMV Validate Level 1 PCI DSS compliance (includes 3–5 months $50,000–$500,000
certification, if needed) on-site auditor visit)

Merchant management Build merchant dashboards 6–12+ months $600,000+ (minimum 4 FTEs at
system $150,000 per year)
Build merchant payout systems

Build dispute management systems for different card

networks
 The cost of becoming a payfac
Category Description Minimum time required Approximate minimum cost

MERCHANT ONBOARDING AND COMPLIANCE SYSTEMS SETUP

Compliance program Encode card network requirements 2–8 months $300,000+ (minimum 2 FTEs at
$150,000 per year)
Build data retention and privacy systems
Underwriting policies Integrate with ID verification providers 3–12 months $500,000+

Build risk-scoring systems

OPTIONALLY, USE A THIRD-PARTY VENDOR:

Third-party vendor Select, contract with, and integrate third-party vendor 3–6 months $150,000–$250,000 per year
systems
REGISTRATIONS AND OBTAINING LICENSES
License fees and regulatory Initial fees paid to Visa ($5,000) and Mastercard 6–18 months Network fees: $10,000
registrations ($5,000)
US and international licenses:
MTLs required when payfac controls fund flows >$1,000,000
($150,000/year for approximately 3 years to set up 50
states = $450,000 minimum)
 The cost of becoming a payfac
Ongoing
Category Description Approximate minimum cost
Merchant onboarding and One-time fees include $1–$2 for onboarding and initial risk review and $2–$3 for ID $5 per month per account
monitoring verification

Ongoing monitoring system

Risk monitoring and mitigation Due diligence and risk management to ensure all sub-merchants stay in compliance $250,000+ per year (1 FTE at
$150,000 per year and 1 risk
Update risk systems on regular cadence analyst at $100,000 per year)

Maintain platform-level balances or reserves on sub-merchants to protect against

Fraud prevention
Chargeback management
Payouts and funds routing
Reporting and reconciliation
Annual PCI validation
Renew payfac registration (and Re-register as a payfac with Visa and Mastercard ($5,000 per year each)
credit risk
Operate or integrate with third-party systems to prevent and block fraud $0.04–$0.10 per transaction
Handle chargeback and evidence submission $15 per dispute
Ensure merchants get paid out on the right schedule $0.25 per transaction
Generate and distribute 1099s or other tax forms as required (1099s cost as little as $5–$255 per form
$5 per form to generate, but can incur up to $250 in fees if filed incorrectly)
$100,000 per year (1 finance FTE)
Run platform-level financial close processes and financial audits as needed
Validate Level 1 PCI DSS compliance every year and re-validate any time changes $200,000+ per year
are made to payment flows throughout the year
$10,000+ per year
Celpago, the next alternative for your business
The implementation of the payment facilitator like Celpago is a very complex and expensive
development, which requires large technical and financial resources, so we are offering a
better way with the fast and easy integration offered our platform, these times are shortened
considerably and development costs are reduced.

In a nutshell , we will make sure you have e wallets and payments available for your clients and
let you interact with them using your core competencies without worrying about your banking
and payment platform

Call us to discuss how we can help you monetize your brand and your customers
Your Payment Facilitator
Partner
sales@celpago.com
2020