I always enjoy writing about current events or current issues we’re seeing in our business. Over the last year we’ve received a few BRAM and GBPP investigations from the card brands. Mastercard’s Business Risk Assessment and Mitigation (BRAM) Program and Visa’s Global Brand Protection Program (GBPP) are designed to protect card brands and consumers from illegal and/or brand-damaging activity. These programs can impose non-compliance assessments for any detected fraudulent or illegal activity that may pose regulatory or reputation risk. Just to be clear, an investigation is not a violation and while we’ve only received a few investigations, it’s more than we have received in the past. This month we thought it would be a good time to share our learnings with the industry and what you can do to remain card brand compliant.
What is a BRAM/GBPP investigation?
A BRAM/GBPP investigation does not necessarily mean that there’s a content issue with a merchant. It means the card brand wants to do a little research to make sure there aren’t any problems on a site that could potentially put its name or brand in the news. We’ve all seen that happen and have felt the repercussions because of it. Card brands like Visa and Mastercard and others don’t want their brands associated with bad behaviors of industry merchants. Many investigations seem to come from tip-offs to the card brands from an individual or business. For example, we recently experienced one that stemmed from claims made in a podcast and Twitter notifications that caught the eye of the card brands. Others we dealt with were tipoffs of models being potentially underage in large cam programs. Luckily, we were able to work through the investigations with our acquirers and the card brands to show that the Segpay merchants identified were all 100% compliant with no issues.
What happens during an investigation?
When you go through an investigation, there’s a series of documents that need to be provided. These include monthly scan results to show that there had been no flags. It’s important to provide merchant policies that address content moderation, age verification, licensing arrangements, and more. You also need to provide any additional background regarding the website and how it might relate to the investigation. Ensuring compliance is important. Mastercard regulation, AN5195 (Revised Standards for New Specialty Merchant Registration Requirements for Adult Content Merchants) outlines some very specific merchant compliance requirements for all adult merchants, that went into effect back in October of 2021. Visa regulation (Visa Rule 0003356) was rolled out in August of 2022 also outlines their requirements, which are largely the same as MasterCard’s standards. The complaint process outlined in both of these regulations are important for each merchant to have in place. (we wrote about these in the December 2022 column)
As a refresher, both Visa and Mastercard require that each website have a compliant process. This can be a link or a form on the website that allows for the reporting of content that may be illegal or otherwise violates the Visa rules and regulations. The compliant process also allows for any person depicted in a video or other content to have the ability to request the content be removed based on the lack of consent. In both cases, the merchant has seven days to resolve all reported complaints.
Having a complaint process in place and following it was, as many readers will be aware, one of the findings that might have prevented or mitigated much of the turmoil we’ve experienced over the past year. Let’s learn from not repeating past mistakes.
What You Need to Collect
The regulations outlined by Visa and Mastercard are not specific as to what should be collected. We suggest that at a minimum you know who reported the concern and what type of complaint it is. Is it a DMCA (Digital Millennium Copyright Act) violation, content removal request, terms of service violation, or BRAM violation? Another key item is that merchants must report the complaints monthly to their payment facilitator or if they are set up on a direct account report to their acquirer. This report should outline who initiated the complaint, what was the complaint, and what was the disposition of the complaint. Even if you have no activity or requests for content removal in a given month, reporting a “no issue” report shows that you are actively managing.
Having a complaint process link or form on your website and collecting this information is a requirement of both card brands. It’s not a lot of work but showing that you are following the rules and actively managing your program goes a long way, especially if you’re ever subject to a BRAM or GBPP investigation.
As we always say, staying compliant today avoids potential problems tomorrow.
Want to learn more about your recurring payment processing options?
Reach out to us with your questions at [email protected] and we can walk you through ways in which we can keep you and your company card-brand compliant.