
Managing Risk with the Card Networks

Helping merchant acquirers streamline policies and manage compliance

In this interview, Susan Horne, Senior Associate at TSG, discusses GARS reviews to help acquirers understand their importance, what they entail, how Visa is involved, and how TSG helps its clients remediate issues to ensure compliance.

Contact TSG to explore how we can help you with your risk and compliance needs.

Q. Peter Michaud 

My name is Peter Michaud and I’m the Senior Director of Consulting at TSG. I sat down with Susan Horne, one of TSG’s Senior Associates, to learn more about her payments background, specifically around risk management and compliance. Susan, thanks for taking the time to talk with us. Could you provide a brief background of your career?

Susan Horne:

I started my career in banking over 25 years ago. After working for several banks, I built a merchant acquiring program for a bank, which processed for approximately fifteen ISOs. After running that program for nearly 15 years, I joined TSG. I have expertise in company and portfolio management, policies and procedures, contract research and review, ISO relations, bankcard operations, risk management, and ACH rules and management. Additionally, I complete GARS reviews in conjunction with Visa.

Q. Peter Michaud 

What is GARS? Why does it exist? Why do we need to do it? And finally, what’s the reasoning behind it?

Susan Horne:

GARS stands for Global Acquirer Risk Standards. Visa developed it to provide merchant acquirers with a set of risk controls to aid in protecting their institutions, and the card network, from financial harm or reputational damage.

A GARS review is for any acquirer, BIN sponsor, ISO, or merchant that may be experiencing issues with their program, or may not be, depending on whether Visa wants to impose a review or not. To complete the review, a consultant will come in, look at the program, the portfolio, how processes are done, and if there are policies and procedures in place for items that are required by the card network. Once that is finished, a report is issued to Visa as well as the acquirer.

Q. Peter Michaud 

So, is GARS considered an audit?

Susan Horne:

GARS is a review, not an audit. I am not an auditor, I’m a consultant for TSG. The GARS is a review of policies and procedures, reporting, documentation, and staffing to ensure that the acquirer follows the rules, has a compliant program, and meets the requirements of all card networks.

Q. Peter Michaud 

So when you talk about the acquirer, are you referring to the bank as the acquirer? Or are you talking about the company that signs up the merchant agreement? Could it be a processor and ISO? How do you distinguish between the two?

Susan Horne:

It can be any entity that is processing card payments using the networks. That means it could be a member bank, which would also be a BIN sponsor, and it could also be an ISO or a processor. There are also reviews completed following GARS that are third-party assessments done for merchants, and we complete those as well.

Q. Peter Michaud 

From my understanding, Visa works through the BIN sponsor, correct?

Susan Horne:

Not necessarily. Visa will issue a GARS review requirement, and they can issue it to an ISO. It comes through the BIN sponsor because they are the member. That is who is responsible back to Visa, and Mastercard for that matter, but they are ultimately held responsible for the ISO’s program. So, the paperwork would go through the BIN sponsor, the acquirer, the member, but the ISO can be reviewed completely separately. And the BIN sponsor may not even be involved.

Q. Peter Michaud 

So the acquirer, the person that actually signs up the merchant account, can be reviewed. Then the BIN sponsor can go through a GARS review. What does a merchant go through when it comes to GARS?

Susan Horne:

The merchant will go through a third-party review, which follows some of the GARS guidelines. However, these reviews are more about looking at the transaction processing. In many cases, the merchant is identified by Visa because they have entered and remained in an excessive chargeback or fraud program. In those situations, we go in and look and see why transactions are being returned or if there is excessive fraud. Were parameters not put in place? Are they doing AVS? Are they doing CVV? We look at the payment situation, maybe the gateway, and how the payments are actually processed. In many cases when we’ve done merchant reviews, we’ve helped them a lot because they had no idea that they were required to do certain things. Usually this is because the merchant account was not initially set up correctly.

Q. Peter Michaud 

When you do these reviews, and you’re working on behalf of whoever’s the client, which could be either the BIN bank, ISO, or the merchant, you are really working in conjunction with Visa. Visa sees you as one of those highly recommended entities to perform these reviews. Is that correct?

Susan Horne:

That is correct. It’s very limited who can actually complete a GARS review. I am one of fewer than a dozen reviewers approved by Visa. And yes, the client may be the acquirer, and we are working to help them, but we also communicate with Visa. I have conversations with them about the situation, what Visa identified that was wrong, what might not be operating correctly, and compliance rules that are out of line.

When I work with the client, I try to help them as much as possible. I mean, that is what this is, to me it is helping them to comply so that they don’t have any more concerns with Visa, or for Mastercard for that matter. Once they clean up their portfolio for Visa, it kind of streamlines right into Mastercard. I’m happy that I can help them get them on the right track so they don’t have to deal with these issues on a regular basis.

Q. Peter Michaud 

So your ultimate goal is to get them off any kind of list, monthly letter, or watch that either Visa or Mastercard has them under? That seems like your primary goal. You’re not there to report back to Visa and work on behalf of Visa or Mastercard, you’re there to work with whoever has one of these issues coming up, and you focus on resolving it. Does that sound about right?

Susan Horne:

That does sound right, I am working with the client to help them solve their pain points. Oftentimes an acquirer wants an exception for something they’re doing, and I have no problem going to Visa and talking to them about those exceptions. If they say no, they say no, but I’m there to help the acquirer. Once we get to remediation of the findings of that review, we work very closely to make sure that the acquirer completes every remediation item, that everything is closed out correctly, that the program is running smoothly. After that, we report to Visa and tell them that the GARS review is complete.

Q. Peter Michaud 

So, once the review is completed and the report is provided to the client and Visa, you begin to work through remediation items to address any of the issues identified?

Susan Horne:

Exactly. After I complete the report and it’s been presented to and approved by Visa, then I write up a remediation plan. I walk the client through it and review every finding that is listed. We decide how that finding will be resolved and how much time it will take. Once we have a finalized action plan, we send that to Visa for their approval. After that we start working through the findings.

A lot of times this revolves around completing policies. Our clients may not have policies, but they are doing the right thing. They have the requirements but haven’t written them down to create a formal policy. It is also required for them to be approved by a senior level committee, or their board, and in many cases, that hasn’t happened. So we work with them on the policies, get those presented to their board, and then that finding is satisfied. Additionally, I often provide training and more information about the reporting because reporting is often not as robust as it should be.

Feeling Risky? Now is the time to review policies, procedures, reporting, documentation, and staffing to ensure your program is compliant. Contact us today.

Case Study: Assessing Risk & Compliance. Learn how TSG helped a commercial bank assess their BIN sponsorship program as a means to evaluate their risk profile.

Related: Visa Global Acquirer Risk Standards