Payments Law Tool Kit

Venable / 32 31 / Venable Privacy and Data Security Privacy and data security are of paramount importance in the payments industry. One of the main functions of payments companies is to receive and process data, and it is critical that they do so in a safe and secure manner. In order to manage these processes and associated risks, payments companies need to develop and implement appropriate policies and procedures in the areas of data privacy, security, and cybersecurity. Data Privacy and Security For every organization, data privacy and security are critical elements of risk management. Solutions require counsel experienced in all aspects of privacy and data security, including industry-specific best practices and compliance with U.S. and international requirements, legislative advocacy, participation in agency rulemakings, and development of new legal standards, as well as defending clients in government enforcement actions and private litigation. In light of the California Consumer Privacy Act (CCPA) and other state and federal laws, now is a good time to get your data and privacy house in order by taking these initial steps toward compliance, such as assessing and mapping your data collection use practices. Cybersecurity In today’s world, businesses and organizations must take a proactive approach to pervasive cybersecurity threats. This requires leveraging experienced counsel, proven organizational governance models, technological tools, insurance coverage, and public relations expertise. The voluntary federal “Cybersecurity Framework” is a useful guide that helps organizations set baselines and reduce risk without fear of increasing liability of regulatory enforcement and private and class action litigation that can lead to financial and reputational harm. In particular, it is important for a company to perform a risk assessment and develop asset management, data governance policies, and risk mitigation practices. Private Litigation Multilayered payments business is fraught with commercial disputes and private litigation. Disputes typically result from unexpected changes to a business relationship and may involve merchant processing agreements, ISO agreements, sales agent agreements, referral agreements, sponsorship agreements, and other arrangements that break down. Providers of payment services must contractually manage their financial and reputational risks while enforcing requirements imposed on the industry by network providers and financial institutions. Meanwhile, merchants have threatened or filed lawsuits against payment processors for any number of reasons emanating from the contract, including: • Deceptive sales and marketing practices resulting in higher than expected fees • Fee increases made without notice or the merchant’s consent • Unexpected fines and assessments passed on to the merchant • Exclusivity provisions prohibiting the merchant from working with other processors • Early termination fees and related consequences for attempting to stop services before the end of a contract term • The processor’s or bank’s contractual right to withhold reserves from expected settlement funds • Use of personal guarantees • Choice of venue for dispute resolutions • Placing a merchant on the Merchant Alert to Control High-Risk Merchants (MATCH) list Many of these issues turn on the contractual relationship between the parties, thus emphasizing the importance of careful review and drafting when setting up a service relationship or partnership. When disputes do arise, it is important to consider all avenues of resolution – ranging from private settlements to contractually mandated arbitration and litigation.