Over the past year, we’ve been seeing a certain issue pop up more and more: investigations by Mastercard’s Business Risk Assessment and Mitigation (BRAM) Program and Visa’s Global Brand Protection Program (GBPP). These programs are designed to protect card brands and consumers from illegal and/or brand-damaging activity, and can impose non-compliance assessments for any such activity.
Just to be clear: an investigation is not a violation, and we’ve only received a few investigations. However, it’s still more than we have received in the past. So this month, I want to share with the industry some lessons we have gleaned and what you can do to remain card brand-compliant.
As a refresher, both Visa and Mastercard require all websites to have a complaint process.
What is a BRAM/GBPP investigation?
A BRAM/GBPP investigation does not necessarily mean that there’s a content issue with a merchant. It means the card brand wants to do a little research on a site to make sure there aren’t any problems there that could potentially put its name or brand in the news. We’ve all seen that happen and have felt the repercussions because of it. Card brands like Visa, Mastercard and others don’t want their brands associated with bad behaviors of industry merchants, of course.
Many investigations seem to arise from tipoffs to the card brands by an individual or business. For example, we recently experienced one that stemmed from claims made in a podcast and related tweets, which caught the eye of the card brands. Others we dealt with were tipoffs about cam models possibly being underage. Luckily, we were able to work through the investigations with our acquirers and the card brands to show that the Segpay merchants identified were all 100% compliant with no issues.
What happens during an investigation?
When a billing company like ours goes through an investigation, it is required to provide a series of documents. These include monthly scan results to show that there have been no flags. It’s important for billing companies to establish merchant policies that address issues like content moderation, age verification and licensing arrangements. We also need to provide any additional background regarding the website in question and how it might relate to the investigation.
Mastercard regulation AN5195, Revised Standards for New Specialty Merchant Registration Requirements for Adult Content Merchants, outlines some very specific compliance requirements for all adult merchants, which went into effect back in October 2021. Visa Rule 0003356, rolled out in August 2022, outlines their requirements, which are largely the same as Mastercard’s standards. The complaint process outlined in both of these regulations is important for each merchant to have in place. For more about the complaint process, see my column in the December 2022 issue of XBIZ World.
As a refresher, both Visa and Mastercard require all websites to have a complaint process. This can be a link or form on the site that allows for the reporting of content that may be illegal or otherwise violates the card brands’ rules and regulations. The complaint process must also allow any person depicted in a video or other content to request that the content be removed based on lack of consent. In both cases, the merchant has seven days to resolve all reported complaints.
As many readers will be aware, having a complaint process in place and following it might have prevented or mitigated much of the turmoil we’ve experienced over the past year. Let’s learn from and not repeat past mistakes.
What Information You Need to Collect
The regulations outlined by Visa and Mastercard are not specific as to what information should be collected. We suggest that, at a minimum, you know who reported the concern and what type of complaint it is. Is it a DMCA (Digital Millennium Copyright Act) violation, content removal request, terms of service violation or BRAM violation?
Another key requirement is that merchants must report the complaints monthly to their payment facilitator or, if they are set up on a direct account, to their acquirer. This report should outline who initiated the complaint, what the complaint was and the disposition of the complaint. Even if you have no activity or requests for content removal in a given month, submitting a “no issue” report shows that you are being diligent.
Having a complaint process link or form on your website and collecting this information is required by both card brands. It’s not a lot of work but showing that you are following the rules and actively managing your program goes a long way, especially if you’re ever subject to a BRAM or GBPP investigation. Staying compliant today avoids potential problems tomorrow.
Cathy Beardsley is president and CEO of Segpay, a merchant services provider offering a wide range of custom financial solutions including payment facilitator, direct merchant accounts and secure gateway services. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. Segpay offers secure turnkey solutions to accept online payments, with a guarantee that funds are kept safe and protected with its proprietary Fraud Mitigation System and customer service and support. For any questions or help, contact sales@segpay.com or compliance@segpay.com.
