The FTC Gives the Merchant of Record Model a Paddling

The Federal Trade Commission (FTC) recently settled an enforcement action with Paddle.com, a U.K.-based payments company, and its U.S. subsidiary (“Paddle”). The settlement resolves claims against Paddle for violation of the Federal Trade Commission Act, Telemarketing Sales Rule, and Restore Online Shoppers’ Confidence Act. The settlement is notable for the FTC’s focus on Paddle’s use of a “merchant of record” (MOR) model for payment processing. Although increasingly popular for digital marketplaces, platforms, and cross-border e-commerce, the MOR model exists in a gray area under card network rules and can increase the risk of fraud, money laundering, and other issues. Below, we discuss the MOR model generally, differing approaches taken by the card networks on what it means to be a “merchant,” the FTC’s concerns in the Paddle enforcement action, and best practices for platforms and marketplaces.

Merchant of Record Model

The MOR model generally refers to an approach in which a company processes transactions through its own merchant account for sales of goods or services that are ultimately provided or performed by third parties. Often the company hosts an e-commerce platform or marketplace featuring goods and services from multiple third parties. Companies may implement the model differently, with variations in the extent to which the MOR company (i.e., the e-commerce platform or marketplace) purports to sell the goods and services marketed on the platform, sets uniform terms of sale, manages customer service, or takes responsibility for fulfillment and shipping. When a transaction is submitted for processing, funds settle through the card network to the MOR company’s acquirer or payment facilitator and are then either received by the MOR for distribution to the third-party sellers featured on its platform or distributed directly to those sellers based on the MOR company’s instructions.

Network Rules Approaches to MOR

Currently, the payment card networks take different approaches to the MOR model. For example, the Visa Rules state that any entity that submits a card transaction for processing and receives settlement funds is considered a merchant if the entity:

• Represents itself as selling the goods or services to the cardholder;
• Uses its own name primarily to identify its store, website, or app; and
• Provides recourse to the cardholder in the event of a dispute.

Visa may also consider factors such as whether the entity books the sale as revenue, provides customer service and handles returns, and owns or takes possession of the goods or services sold. Visa prohibits merchants from taking title or ownership of goods momentarily prior to a sale (a “flash title transfer”) and does not consider the recipient of a flash title transfer to be the “merchant.” Entities that do not meet these criteria are required to register with Visa as one or another form of merchant aggregator, including a marketplace, payment facilitator, or digital wallet.

The Visa Rules describe a marketplace as an entity that, among other requirements, (i) brings together cardholders and third-party retailers on an e-commerce website or mobile app, (ii) handles payments for sales and refunds on behalf of the retailers and receives settlements on their behalf, and (iii) is responsible for settling disputes between cardholders and retailers. A marketplace must enter into agreements with the retailers on its platform and require them to comply with the Visa Rules. Although the “marketplace” category would appear to fit companies pursuing an MOR model, there do not appear to be any companies publicly registered as marketplaces in the United States on the Visa Global Registry of Service Providers.

Mastercard also recently published rules recognizing the concept of a “Platform Merchant,” described as a merchant that enables, manages, or hosts third-party sellers on a consumer-facing online platform operated by the merchant to accept cards for such sales. Mastercard requires a Platform Merchant to:

• Implement policies and procedures to collect and verify information about third-party sellers and their principal owners, and comply with U.S. laws on anti-money laundering, anti-terrorist financing, and sanction screening;
• Enter into a contract with each third-party seller, which must specify the seller is prohibited from conducting fraudulent or unauthorized transactions;
• Ensure third-party seller names are visible at the point of sale/point of interaction and prevent scams and unlawful usage of existing trademarks;
• Establish fraud loss control measures;
• Monitor transactions for compliance with applicable law; and
• Understand its liability for seller acts and omissions and manage customer disputes.

The Mastercard rules do not appear to require a company pursuing an MOR model to register in a separate category of service provider and do not specifically discuss settlement issues. Therefore, while the Mastercard rules seem to accept the concept of MOR, they also appear designed to mitigate certain risks identified in the FTC’s enforcement action against Paddle.

FTC’s Paddle Enforcement Action

According to the FTC, Paddle operated an MOR model by submitting for processing the sales transactions of various global clients purporting to offer tech support and similar software services through its own merchant accounts. The FTC alleged that many of these entities were scams, charging consumers for tech support services they did not need, using fake virus alerts, and using pop-ups designed to look like alerts from legitimate anti-virus companies. The FTC’s enforcement action against Paddle includes a litany of allegations that will be familiar to anyone who has followed FTC enforcement precedents in the payment processing industry, including that Paddle:

• Failed to perform material due diligence and monitoring on its clients;
• Ignored complaints from consumers, networks, and acquirers; and
• Failed to redress high levels of chargebacks and disputes.

However, the enforcement action is interesting for the FTC’s focus on establishing that Paddle was not the “merchant” in these transactions and should have been registered with the card networks as a payment facilitator or other aggregator type. The FTC calls out that:

• Paddle was not (and did not purport to be) the actual seller of goods and services to cardholders;
• Paddle characterized its services as “end-to-end payment processing” and a “payment and billing solution”;
• Paddle’s clients were expected to manage the marketing, customer service, delivery, fulfillment, and customer support for their own products and services;
• Product pricing, refund terms, and other conditions of sale were determined by Paddle’s clients, not Paddle;
• Paddle never took possession of its client’s products and did not buy them in bulk at wholesale – Paddle purported to take “flash” title at the time of the sale to a consumer; and
• Paddle did not book the full value of the sales as its own revenue and only reported its processing fees as revenue.

Although many of Paddle’s alleged violations are typical of FTC targets over the years, the agency notes certain features of the MOR model that create a higher potential for risk. For example, while other processing intermediaries, such as payment processors and payment facilitators, have specific card network responsibilities for performing due diligence and monitoring on merchants, a company operating as the “merchant” is technically not subject to these requirements because there is not supposed to be any downstream party behind them. Similarly, by operating as an MOR through a single merchant account, chargebacks and disputes are spread across the MOR’s entire client portfolio, meaning high rates of problematic transactions related to specific sellers will be difficult or impossible for networks and acquirers to identify. In addition, if only the MOR’s name is disclosed on a consumer’s statement and in processing records, the true seller’s identity may be concealed from both the card networks and consumers.

Paddle’s settlement with the FTC includes a $5 million fine and a permanent ban from tech-support telemarketer payment processing. In addition, Paddle is required to perform enhanced screening and monitoring of high-risk, high-chargeback, or high-volume clients and must submit compliance reports to the FTC and maintain records of accounting, personnel, and certain consumer communications.

Takeaways

Although the allegations against Paddle were particularly severe, including a disregard for red flags and scams affecting numerous consumers, there are important takeaways that any company considering leveraging an MOR model through a digital sales platform should review. These include but are not limited to:

• Assessing whether “merchant” is an appropriate category for processing and confirming network rules compliance;
• Verifying the identity of the sellers on the platform and conducting material due diligence and monitoring as a best practice;
• Entering into contractual arrangements with each seller on the platform with terms that prohibit unlawful sales, fraud, and unauthorized transactions;
• Enforcing the terms of the platform, including by taking appropriate action when complaints are submitted about sellers on the platform, up to and including termination;
• Tracking disputes and chargebacks on a seller-by-seller basis to identify higher risk sellers; and
• Ensuring appropriate customer service is provided to cardholders and providing recourse as a part of the company’s customer dispute/error resolution process.

Morrison Foerster can support companies in their assessments of these issues and provide guidance on risk mitigation strategies. If you have questions or would like to discuss these issues further, please contact the authors of this client alert.