So, You Want To Be A PayFac

So, you want to be a PayFac? As a software platform, you’ve decided that instead of referring merchants to a third-party provider to process payments, you want to offer the service yourself. What now? In Episode Three of the payments facilitator series, Rich Aberman, co-founder of WePay, walks PYMNTS’ Karen Webster through the process.

The first order of business is to find a sponsor-acquirer — a company like Vantiv, Wells Fargo Merchant Services or Chase Merchant Services, which sponsors Amazon, Square and others.

Sponsor-acquirers won’t take on just anyone, though. Every PayFac they take on represents an investment of time and trust. Each one is a liability and a risk, with the potential to harm their bottom lines or reputations if the sponsorship goes poorly. For instance, said Aberman, if a sub-merchant is selling illicit goods, or if the master merchant fails to uphold the policies the acquirer approved, then those damages roll up to the acquirer and make it look bad.

Therefore, the acquirer will want to conduct due diligence to ensure the applicant is a legitimate business — and that it is large enough to justify an investment. The applicant will need to demonstrate it has policies and procedures in place to comply with requirements: an acceptable use policy, a credit and fraud risk underwriting policy and an anti-money laundering/know your customer (AML/KYC) compliance policy, for example. The applicant will also have to show it has the team, operations and infrastructure to enforce those policies.

Once a sponsor-acquirer agrees to execute a sponsorship agreement, it’s time to get down to business. WePay’s Rich Aberman listed three things a merchant needs to operate as a payments facilitator: payment rails and infrastructure, risk and compliance infrastructure and a grasp of its own risk tolerance.

First, the payment rails and infrastructure. A PayFac needs to process payments going both in and out to fund its sub-merchants. In between, there are overhead costs associated with moving those funds around. If there’s a chargeback, it will be up to the PayFac to associate that chargeback with a specific sub-merchant and payment and then recover those funds. If a sub-merchant applies but his ACH credit fails, the PayFac must be prepared to manage an exception case smoothly.

Next, the risk and compliance infrastructure. This is key for enforcing the policies the acquirer approved when accepting the master merchant’s application. Ideally, PayFacs will want to automate this process as much as possible by implementing machine learning solutions or rules-based AI.

At the base of the risk and compliance structure should be a sturdy risk engine that can store and access all the data collected from sub-merchants, from application information — including credit score, phone number, email address and more — to actual transaction data. The risk engine should also be able to digest the data and return useful signals that can then be given to either an agent or a machine learning engine to help the merchant make informed decisions.

Data vendors are another key building block in the risk and compliance infrastructure. They’re the ones who will process application data from sub-merchants to help the master merchant evaluate the risks of taking them on. These third-party data vendors might be credit bureaus, or they might be charged with checking phone numbers to ensure they aren’t prepaid phones. They might even simply scan for information they’ve seen before in other applications — especially fraudulent ones.

The final piece of the risk and compliance puzzle is rule configuration. If a PayFac is using machine learning models to help automate applications and compliance, then it should start by teaching that artificial intelligence the patterns or thresholds for which to look and which applications to deny.

On-boarding and underwriting many small merchants (with limited friction) is a big challenge and requires technology to make it happen. However, if a PayFac is serving a handful of very large merchants (for example, a PayFac serving the government or an educational institution), then the process is pretty straightforward.

Either way, someone is going to have to be responsible for a certain degree of manual decision-making, and someone is going to have to keep the artificial intelligence up-to-date with new rules and patterns or the system will quickly grow stale. The right team is an important part of the “infrastructure.”

Finally, a PayFac must have a good sense of its own risk tolerance. The master merchant will experience loss, said Aberman — the question is how much. That number depends on not only how well the merchant executes the first two steps, but on myriad outside factors. The PayFac, therefore, must decide on how much risk it wants to assume.

At the end of the day, it’s a lot of work, and becoming a PayFac isn’t for every software platform. Aberman said that’s why WePay and others offer comparable benefits to becoming a PayFac without requiring merchants to register as such with card networks. Other companies offer some of those benefits but still require the merchant to register with a sponsor-acquirer — a PayFac-in-a-box, as Webster referred to it.

“If it sounds too good to be true, often it is,” Webster said. “To be an operating PayFac, you have to do it at scale. It’s not static, [and] you don’t do it just once. As you look at new verticals, and as more threats become apparent in the payments ecosystem, you have to further enhance the capabilities you have.”

Aberman said merchants who are thinking about a PayFac-as-a-service solution should ask themselves how much they’ll need to build on top and whether the move is really right for their companies. In some cases, the answer will be yes — and he’s not against the model. But Aberman is against the perception that there is one right solution — or an easy answer — for every ISV (independent software vendor) or payment platform that wishes to become a PayFac.

“Not all technology is created the same,” Aberman advised. “Look through the various functions that the technology is performing for you. Decide what assessment criteria you’re using. What do you hope the technology can do for you? What makes it better versus worse? There’s a lot of room to differentiate in the space, given the drastically different requirements from different customers. I’m not saying WePay is going to be the best in all cases.”