Wirecard fraud highlights importance of holistic PSP due diligence and contingency planning for merchants

Financial fraud at Wirecard AG, a German payment service provider (PSP), has caused disruption and uncertainty for business merchants that rely on the global firm to handle customer payments. The accounting scandal has prompted inquiry into potential missteps by auditors, accountancy regulators and financial watchdogs and raised concerns over what businesses can do to mitigate PSP-related risks.

Allegations of misconduct, including financial fraud, have plagued Wirecard for several months. In 2019, the Financial Times began an investigation into alleged accounting misconduct by the company in Asia and the Middle East. However, significant disruption to the company’s operations did not surface until Wirecard’s management disclosed a 1.9-billion-euro discrepancy in its balance sheets in mid-June. Ramifications of the revelation have since pushed Wirecard into bankruptcy, caused disruption for users and assigned blame on the company’s auditor as well as German regulators for failing to act on prior red flags.

Ripple effects, uncertainty for merchants

The fraud scandal has had wide-spread implications for retail and corporate Wirecard users around the world. Fearful of financial harm befalling clients in their respective jurisdictions, financial regulators have taken action to secure access to funds and services. Some of these actions have resulted in additional uncertainty for business merchants. The Monetary Authority in Singapore (MAS) has asked Wirecard to hold Singaporean customers’ funds in segregated accounts with banks in Singapore. The company has complied; however, it has also warned that its ability to continue to process payments for merchants in Singapore could be affected by insolvency proceedings in Germany.

Should the company abruptly cease processing payments for merchants in Singapore, businesses in the region may have little recourse. Wirecard entities in Singapore are not currently licensed by MAS due to a 6-12-month grace period that is provided to payment services firms to apply for the relevant license. During this time, firms are permitted to operate in Singapore.

In the United Kingdom, the Financial Conduct Authority (FCA) briefly suspended, but has since resumed, Wirecard’s operations. The move locked many retail clients out of their accounts and affected several fintech companies that operate business and retail banking services in the UK.

Investigations into financial services firms that have commercial relationships with Wirecard are coming under scrutiny over potential financial crime links. The Philippines’ Anti-Money Laundering Council has said that has initiated investigations into three firms, a move that could have implications for local merchants.

Must-haves for merchants: holistic PSP due diligence and contingency planning

The global chain of regulatory inquiry and enforcement action that has been initiated by financial fraud at Wirecard AG and the company’s subsequent insolvency highlights the need for businesses to conduct comprehensive due diligence on PSPs prior to choosing a provider. In addition to processing payments, PSPs often provide critical operational and regulatory compliance services to merchants. Disruption of these crucial functions could potentially plunge businesses into disarray.

  • Conduct comprehensive risk assessment on PSPs

Payment network support, cyber risk management and information security are usually the main focus points of PSP risk assessment but should not overshadow rigorous and holistic assessment of a provider. Compliance certifications such as Payment Card Industry Data Security Standard (PCI DSS), which is used to assess data security standards, and Payment Application Data Security Standard (PA DSS), which is used to certify payment applications as secure, form a baseline for cybersecurity assessment but don’t necessarily vouch for the overall resilience of a PSP’s operations. Similarly, expansive acquiring channels that speak to a PSP’s ability to process payments across borders may also warrant more in-depth third-party due diligence.

  • Understand legal and regulatory requirements across multiple jurisdictions

Merchants should also consider regulatory factors and legal protections when selecting a PSP. It is imperative for businesses that sell internationally to understand how PSPs are supervised by regulators in their home jurisdiction as well as the jurisdictions in which the merchant operates.

  • Conduct quality checks on PSPs frequently to detects signs of misconduct

Due diligence on PSPs should include continuous monitoring, which could assist merchants in detecting signs of misconduct or financial distress at PSPs and regional acquirers that could impact their ability to provide financial services.

  • Have a business continuity plan in place to mitigate risk

Finally, contingencies for dealing with disruptions in payment processing should be an integral part of business continuity planning for merchants. Having a plan to facilitate a smooth transition to interim payment solutions or to switch PSPs altogether will minimize the chance that businesses are left scrambling for solutions.

Thomson Reuters Regulatory Intelligence

Subscribe toLegal Insight

Discover best practice and keep up-to-date with insights on the latest industry trends.

Subscribe