Doing Justice to Your Merchant Payment Contracts

A Starting Point

The first in a series of articles from Arbor Law’s James Sanford, which examines fundamental issues that any merchant business may need to consider when contracting for payment services.

Ensuring the flow of money is critical for any merchant business to succeed – to both pay its customers and to get paid. Payments impact every area of any merchant’s business including its relationships with customers, regulators, payment providers and other third parties.

How a merchant’s payments are handled, and how both due diligence and contracts support that reality, could potentially be the difference between a thriving business and one under siege!

What is a merchant payment agreement?

In very basic terms, a merchant payment agreement describes the formal contractual arrangement between a business entity (the merchant) and a payment service provider (the provider). Such an agreement outlines the specific terms and conditions governing how the provider will handle payments from and to the merchant’s customers for the merchant’s goods or services.

How to approach merchant payment contracts

A robust contract with a relevant payment provider (“PSP”) does not guarantee there won’t ever be problems paying and getting paid, but it can certainly help to support this objective – in combination with adequate, early stage (and ongoing) due diligence. Of course, well-run finance and payment provider management teams will prove crucial too in allowing the merchant business to suitably monitor (and where necessary enforce) a PSP’s obligations to the merchant and its customers.

A commercial payment contract is, in most aspects, like any other commercial service arrangement, and it need not be shrouded in mystery or confusion. Nor should the cliché that payment is just about pushing money from A to B, and hardly complex, be taken too seriously.

However, it still surprises me, after more than 16 years’ experience supporting both merchants (large and small) and PSPs, how little attention is paid by merchant management, and some in-house legal teams, to the fundamentals that any decent payment contract and supporting due diligence should at least try to address, as part of overall contract good practice and risk mitigation principles.

This is especially the case with merchants who choose to operate in high-risk sectors or jurisdictions or in the so-called “regulatory grey area”. Gaming, adult and travel sectors spring immediately to mind.

This means that any sensible contracting approach for merchant payment agreements should not just focus on the contract provisions themselves, but also on good due diligence groundwork, and on a merchant organisation operationalised both to meet the merchant’s own obligations and to verify that the PSP can and will honour its commitments.

So, what are the key areas and issues to try to tackle, from day one, and as soon as a new or re-negotiated payment contract hits the merchant payment team’s desk?

Let’s run through some of the basic, material steps and points a merchant might want to consider.

  1. Doing your Due Diligence homework

Before even picking up a payment contract draft, the merchant should ensure it is performing adequate due diligence on the PSP.

It is critical to identify from the earliest moment possible whether the PSP’s payment services, operational/business model, handling of funds, use of accounts and data management are compliant with applicable law and the merchant’s own policies around fundamental areas like AML, anti-corruption, treasury management, data security, privacy and so on.

Without these stones being turned over, the contract draft itself (even if favourable or neutral to the merchant) may already be an unreliable reflection of the reality and not fit for purpose – making the task for the merchant’s payment and legal teams, and all other stakeholders, unnecessarily inefficient and difficult. The likely result will be added review time and potential risk issues left unaddressed.

Any reasonable due diligence exercise should act as an early and essential risk management and mitigation exercise – to allow the merchant to identify any core risks (and benefits too), of the PSP in front of them.  This is especially important in the case of high-risk merchants.

For instance, due diligence should help a merchant understand whether there are any significant risks to:

  • The services being unlawful/non-compliant – i.e. whether the regulatory and legal basis for PSP services is valid and sustainable.
  • Maintaining the integrity and confidentiality of transaction or personal data.
  • Ensuring merchant funds (and customer deposits and payouts) are adequately protected at all points in the payment journey, against bad actors, PSP error and other vulnerabilities.
  • Funds being settled accurately, in a timely manner, without any material threat of third-party intervention such as from regulators, banking partners, law enforcement etc.
  • Merchant branding and merchant customer goodwill – ensuring the provider is accountable for how it uses merchant IP, customer data and any other merchant assets.
  • The merchant itself, due to its use of unlicensed services, assets or data provided by the PSP.
  • Service stability and continuity – e.g. how robust is the PSP from a financial, operational and regulatory/licensing perspective? Does it rely heavily on any third party/ies for its operations? Where is the PSP based; who, if anyone, regulates the PSP?
  • Merchant’s ability to control service quality and changes (including pricing), through SLAs, governance/review mechanisms, and ultimately exit rights.

If the due diligence feedback is sufficiently positive, or at least does not present any major showstoppers (or if it does, those are capable of being resolved or mitigated to acceptable levels to proceed), this information will empower the merchant contract team to already know what agreement provisions may need introducing, strengthening, or being pushed back on.

  2. Key Payment Contract drafting issues (a basic overview)

Some of the more immediate points to be thinking about in the contract wording itself may include the following (note this is not a definitive list):

  • Service Description – describe the payment service accurately and clearly, including territories covered. Payment types (cards, alternative payments, value-added services like fraud detection) will bring different, specific rules and compliance burdens.
  • Variation of terms/service – ensure there is adequate merchant control (mutual agreement, and/or exit rights) to the extent possible.
  • Operational model and resilience – e.g. will PSP act as aggregator or gateway? This will impact issues of money flows, possession and control of funds, use of third-party payment methods; consider the extent of PSP reliance on subcontractors, whether PSP has proper business continuity/disaster recovery capabilities and redundancies or obvious single points of failure (e.g. major dependence on a third party).
  • Processing and settlement of merchant funds – be clear if PSP has these obligations or a third party (e.g. aggregator vs mere gateway/connector role); clarify timing and method of settlement to document a compliant, timely process; “black box” accounts and arrangements with undisclosed third parties to be avoided.
  • Service level agreement – not just on funds settlement timing, but also availability of core payment processing functionality, fault response and resolution (on a technical and customer impact basis – e.g. service is technically up but merchant customers are not receiving any or correct payouts or need to restore missed or incorrect payments and merchant needs proper reconciliation).
  • Liability and risk allocation – both merchant side and PSP side. Consider main risk areas such as data privacy, unlawful transaction processing including AML and fraud, protection (and misuse) of merchant (and customer) funds, security breaches etc. Which liabilities need expressing, which should be capped and uncapped? Don’t simply rely on insurances.
  • Reserves/security/guarantees – if relevant (e.g. reserve for credit/debit card processing) – consider level of merchant control/participation – e.g. being consulted in advance, proportionality of reserve/security, how used, how paid back etc.
  • Data use and relationships – be clear what data is in play (transaction, customer, merchant, personal data etc) – are there rights for data use and, if so, for what? Privacy roles (controller/processor and data sharing)?
  • Audit and information rights – merchant need for and ability to scrutinize PSP’s data, systems, processes – for tax, regulatory or compliance reasons. Consider alternative routes to merchant direct scrutiny such as PSP self-audit, merchant rights to key PSP information. Much will depend on the PSP in question, and whether the merchant is in a high-risk sector or not.
  • Use of AI (e.g. for enhanced fraud detection, smoother authentication, predictive analytics) – address whether there are sufficient obligations on AI provider or licensor (the PSP or third party) to address issues like bias, privacy, explainability of data sources and data management.
  • Suspension and termination rights – these should be linked to credible and legitimate risk scenarios helpful for merchant, not simply in favour of PSP. If appropriate, consider need for exit assistance.
  • Governance and reporting – this will depend on the nature, scale and complexity of the services – basic service and contract reviews and dispute/escalation processes to prevent or anticipate issues.
  • Governing law and jurisdiction – not just a final thought, but crucial to ensuring the intended legal effect of certain provisions is certain, and to support practical concerns around bringing, and ultimately, enforcing claims and rights in a worst-case scenario.

Final thoughts

It is important to avoid a mechanical or simplistic approach to what should or should not get into a payments contract or form part of due diligence.

The detail of wording and issues to cover may well vary – depending in part on who the PSP is (their profile, reputation, track record, level of regulation), the jurisdictions and payment services in question, the merchant sector, and whether merchant customer payments cover both online and offline/physical points of presence.

Finally, as with any commercial negotiation, the extent of influencing contract changes will be driven by the merchant’s bargaining power in many cases – the PSP may in some circumstances, and perhaps reasonably in certain cases, have a take-it-or-leave-it approach.

Further help

This article provides a snapshot of key issues for merchant businesses to consider when contracting for payment services. For pragmatic and cost-effective advice and support on this or other legal questions around engaging with payment service providers, and whether in the UK, Europe or other territories, you can contact James to discuss how he might assist further.

James Sanford has spent more than 25 years working as both an in-house and freelance legal adviser within the tech, FMCG, entertainment and payment industries, with special focus since 2007 on payment processing arrangements for online merchants and payment providers. More recently, James has been developing into the AI aspects of payments, as part of a broader international project collaboration.