Billing & Payments Regulatory Compliance l ACI Worldwide
ACI Worldwide

Billing And Payments Regulatory Compliance:



New billing, payment and communication methods are super convenient for the consumer, but have created a regulatory maze that is becoming more and more difficult to navigate.

Data security and privacy regulations ― from PCI to AML ― are now crossing into new areas, and businesses need to be proactive about what they know.

Choosing a third-party provider is just part of the whole picture.

To ensure compliance, more and more organizations are turning to third-party billing and payments expertise. In just two years, we’ve seen a 44% increase in organizations dropping in-house systems for third-party software. But choosing third-party providers is only part of an organization’s regulatory compliance due diligence.

Staying informed about billing, payments and communication regulatory compliance will create a healthy, active partnership with your providers — who can then better serve you.

We're going to dig into some of today's most essential compliance topics, including:

PCI DSS (Payment Card Industry Data Security Standard) Requirements

Since 2006, organizations accepting payments have had to comply with PCI DSS requirements — security standards that help ensure consumer card information is securely maintained.

PCI DSS requirements apply to every organization that accepts, processes, stores or transmits card information. From the biggest mass retailer to a solo crafter selling quilts online — anyone who accepts card payments needs to understand PCI compliance.

The PCI Security Standards Council maintains, evolves and promotes PCI standards. It was founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. PCI compliance enforcement is carried out by the individual payment card brands.

PCI DSS requirements help protect and secure your payments data

The PCI Security Standards Council® has plenty of resources available to help avoid non-compliance and, most importantly, protect your business.

Compliance check: What’s your PCI DSS level?
There are four levels of merchants defined by PCI DSS. Knowing your PCI DSS level is the first step toward ensuring compliance. In today’s environment, staying compliant means being well versed in all applicable regulations, even if you outsource payments to a third party.

Card network changes: Visa, MasterCard, Discover and American Express

The digital revolution brings big opportunities for you — and big challenges. To meet these challenges, card networks frequently make changes to processes and capabilities. It’s important to know what card networks like Visa, MasterCard, Discover and AmericanExpress are planning.

For example: Visa made a change in 2017 that requires return authorization messages. In 2018, they are planning to make changes to the Credential-on-File (CoF) experience that will enhance consumer transparency and control, and give organizations the chance to move more recurring payments from ACH to a card.

NACHA (The Electronic Payments Association)

The Electronic Payments Association is the steward of the ACH (Automated Clearing House) network, which connects all U.S. financial institutions, moving money and information from one bank account to another.

NACHA sets financial services industry common rules and standards for ACH and other transactions. In 1974, NACHA was simply a set of ACH rules — and is now the ACH network’s governing body.

NACHA brings together different organizations to develop rules and standards that benefit a variety of payment consumers, including EBT and healthcare EFT.

NACHA compliance is crucial to operations.

While everyone knows about regulatory organizations like OSHA and the SEC, NACHA isn’t exactly a household name. But, NACHA compliance is paramount for businesses across all industries and sectors.

It’s important to avoid any rule-breaking fallout with NACHA. Non-compliance can lead to losing your ACH privileges — meaning you can’t receive ACH payments or use ACH for direct deposit to pay employees.

Keep your eye on fast-paced NACHA
As with any other set of regulations, NACHA makes frequent updates to their rules. NACHA updated its rules twice last year and have at least one update ready for this year.

AML (Anti-Money Laundering) Rules

Organizations that are billing and taking payments are obligated to comply with the Bank Secrecy Act’s (BSA) AML rules. These rules are designed to detect and report suspicious activity including money laundering, securities fraud and terrorist financing.

It’s important to note that AML rules go way beyond securities firms. To avoid non-compliance, many different types of organizations need to stay current with AML rules.

FINRA (Financial Industry Regulatory Authority) Rule 3310 sets the minimum standards for written AML compliance programs.

Get to know your AML responsibilities

Consumer finance services complying with AML seems logical, but the rules may also apply to healthcare, higher education, government and insurance organizations.

If your organization takes a payment for anything, it’s moving money from one entity to another. You need to always monitor and look for fraud, even when you’ve contracted a third party to facilitate payments on your behalf.

Your third-party billing and payments partner can help with the fraud and OFAC monitoring that ensure your payment methods are AML-compliant.

Get acquainted with AML regulations if your consumers pay…
  • Tuition or housing payments by card using IVR
  • Health insurance premiums online using a card
  • Finance loans online with ACH or debit card options

New CFPB (Consumer Financial Protection Bureau) rules

The CFPB exists to protect consumers, but its recent rules can impact consumer finance companies as well.

A few examples of how to make consumers happy and stay on top of compliance:
  • Send regular loan statements to consumers
    Loan statements (paper or electronic) increase timely payments and give the lender a chance to deepen relationships with targeted messaging and more.
  • Get permission after two failed ACH payments
    To avoid customer complaints, lenders should prioritize debit card payments, which immediately reveal if sufficient funds are available.
  • Notify consumers three days in advance of payment attempt
    Payment reminders have profit potential by lowering delinquency rates.

HIPAA (Health Insurance Portability and Accountability Act) of 1996

For people working in the healthcare and health insurance industries in 1996, HIPAA had a massive impact on business and everyday administrative processes.

Today, the healthcare and health insurance industries know HIPAA through and through. However, many organizations are learning that the convenience of online and IVR payments has made 20+ year-old HIPAA even more complex.

HHS published two major HIPAA Rules: Privacy & Security
The Privacy Rule established standards for protecting health information. The Security Rule established standards for protecting health information held or transferred electronically.

The premium on health information is relentless.

When someone uses a card to make a health insurance payment and that payment is compromised, it’s not the money on the card that the criminal is after — it’s the private information that comes with the card.

Card numbers are gateways to information thieves, which means when someone uses a card to pay for healthcare services or insurance, or pays into an FSA or HSA account, that card number becomes protected health information.

Privacy rules: FERPA, HIPAA and GLBA

In addition to HIPAA, legislation like the Family Educational Rights & Privacy Act (FERPA) and the Gramm-Leach-Bliley Act (GLBA) help protect consumer privacy.

Privacy starts with best practices:
  • Transparency: Let consumers make informed decisions with clear privacy notices
  • Choice: Empower consumers to control the use of their collected information
  • Access: Allow consumers to update or disable contact information
  • Security: Use strong security encryption to protect consumer data
  • Accountability: Be responsive and comply with national, state and local laws

Keeping data secure helps you stay compliant.

They say time is money — but these days, data is money, and there are lots of people in the shadows trying to steal it. Across all industries, keeping data secure is the key to staying compliant.

Do your part to keep your data secure. Make sure your billing, payments and communication system:
  • Identifies fraud attempts fast through a network of thousands of clients
  • Uses the same company to operate the secure software that built it
  • Implements ISO 27001/27002 and National Institute of Standards and Technology (NIST) Cybersecurity frameworks
  • Upgrades software to latest version regularly
  • Offers defense-in-depth with a layered security model

When it comes to enforcing today’s massive data security regulations, it’s the Federal Trade Commission (FTC) keeping track, making notes and taking names. They’re also the ones who are there to provide support and resources to help companies and consumers lock down their most valuable asset — data.

Get to know different state laws for fees.

Organizations can choose to charge a service fee, surcharge or convenience fee to consumers so they do not have to pay credit and debit card interchange fees.

But, rules surrounding these fees can be complex because they differ from state to state. Some states even have laws completely prohibiting organizations from charging a surcharge for credit card processing.

Service fees vs. surcharges vs. convenience fees
A service fee is charged by the payments processor to process the payment. However, a surcharge comes from the merchant when accepting a credit card payment. Both differ from a convenience fee, which is a charge from the merchant to the consumer for using a convenient or alternative (web, IVR) payments channel.

Non-compliance can bring huge fines — and worse

From AML to NACHA, regulatory non-compliance is at best, exhausting, and at worst, a brand-killing, financially devastating event from which it’s hard to bounce back.

The first thing to consider is the hefty fine and what it costs to “fix things” to meet regulations. But there are many other factors to consider with non-compliance, including:
  • Lost productivity
  • Legal action
  • Loss of customers

Real consequences of non-compliance:
  • HIPAA settlements have reached $5.5 million.
  • Verizon bought Yahoo for $350 million less than they expected due to Yahoo’s security breach.
  • Cyberbreach investigations can cost anywhere from $20,000 to $10 million.

You have a billing and payments provider…
do you know if it’s the right partnership?

Third-party billing and payment partners are fantastic, as long as you choose the right one.

Even with a great third-party partnership, your organization is responsible for its own regulatory compliance. Your third-party partner is there to help keep you compliant, but you need to work with them to make it happen.

Be proactive and be open to collaboration so that your billing and payments partner can best protect you from non-compliance.

Compliance needs should be a conversation, not a presentation.

The first and most important thing you need from a billing and payments partner: An ongoing conversation about your compliance needs. There’s no such thing as one size fits all when it comes to compliance.

The best way to start a conversation is with questions. At the very least, your billing and payments partner should answer “yes” to these questions:
  • Do you know how to structure agreements that keep you out of hot water in terms of money service businesses and AML compliance?
  • Do you have proof of PCI compliance?
  • Do you manage regulatory compliance risk and stay current on regulations?
  • Do you have a consumer privacy policy?
  • Are you up-to-date on all methods of data security?

Go way beyond just “keeping it legal”

It’s not just about passing the test — you want an A+. You want to do what’s best.

Compliance doesn’t stop with AML, PCI DSS, CFPB, HIPAA, NACHA and data security. Other crucial compliance components include:
  • Sarbanes-Oxley (SOX) compliant
    Stay compliant with this 2002 act using detailed planning to make audits seamless, painless and effective
  • FFIEC - Federal bank examination
    Partner with experts who have regular Technology Service Provider Examinations from the Federal Financial Institutions Examinations Council (FFIEC)
  • SSAE16 type II audits
    Before you start, do your research and understand the responsibilities that come with performing and SSAE 16
  • Independent, third-party audit and testing
    Engage with independent third parties to provide a variety of internal and external testing of the control environment
  • Privacy policy
    Maintain a rigorous privacy policy to protect your consumers, and only partner with experts who can improve on your efforts

Find out why more than 5,100 organizations trust ACI

ACI Universal Payments
18 of the world’s largest banks as well as thousands of leading merchants rely on ACI to execute $14 trillion each day in payments and securities. ACI can provide your organization with peace of mind about not just compliance, but your entire approach to billing, payments and communications.

You need compliant and secure billing and payment experiences.
Read our new blog: “When is processing payments in the cloud more secure?

*ACI presents and intends this content only for informational and discussion purposes. You should consider the information presented in light of your individual circumstances and objectives and not as legal advice.