By: Brandon Megrath, Program Manager
Identifying rogue file lockers during boarding
Two of the major card networks recently released revised standards for high-risk file locker merchant registration. While file lockers (also known as cyberlockers or cloud storage) can be legitimate, there are also rogue file lockers that are used to host illegal or brand-damaging content. Just one piece of illegal content can cause a file locker to be considered rogue. Card networks are now requiring that acquirers register any file locker merchant or submerchant that exhibits high-risk behavior. Acquirers must closely and continually monitor the performance and activities of these high-risk merchants and submerchants to ensure they are complying with all applicable laws and regulations.
What makes a file locker high-risk?
A file locker is an online service that offers file-storing and file-sharing services for media files and data. File locker services can include file storage (offering storage and archiving of files for remote access), file transferring (facilitating the transferring of large files from one user to another), and file sharing (distributing files via download or “streaming” video playback).
Due to the high potential of being used for illegal purposes, any entity that provides access to or accepts payments on behalf of such file lockers will be considered a high-risk merchant.
How can I determine if a file locker is legitimate or rogue?
Many cloud storage and file sharing services comply with all applicable laws and regulations and are completely legitimate; we all use some sort of service to make accessing and sharing files easy. Personal or business file backup, photo storage for easy sharing with friends and family, and distributing access to files that are too large for email are all forms of legitimate file locker usage.
Rogue file lockers, however, often use elaborate business models to hide unlawful actions and can be difficult to detect at first glance. They may illegally distribute copyright-protected digital content (pirated movies, music and software shared without rights-holder authorization or proper licensing) and/or prohibited sexual material (child pornography, child abuse, bestiality, rape or violent imagery).
Here are a few questions to help you determine if your file locker merchant is legitimate or rogue:
- Do users who share content earn any portion of the revenue generated if others download or view their material?
- Do users need to pay to increase their download/upload speed, maximum file size, or storage space? Do users need to pay for the ability to skip advertisements or download multiple files simultaneously? Will users have access blocked if they don’t purchase a premium service?
- Are uploaded files automatically accessible via any search engine? Are users able to search through all content stored on the file locker?
File locker merchants that show any of these characteristics should be subject to an enhanced due
How can I protect myself?
The card networks outline underwriting and monitoring processes that must be in place as part of acquirers’ due-diligence requirements. High-risk merchants will have additional onboarding processes required that will need to be documented as well. Any “auto-approval” processes should be revised so that file lockers are not boarded without a thorough manual review.
Acquirers should also encourage their merchants to implement processes to ensure they stay compliant by creating a file lockers best practices and requirements policy. See this article for some tips on best practices on how to keep a clean file locker.
Merchants, at a minimum, must agree with the following requirements as part of an acquiring contract:
- They will be able to prove their compliance with the acquirer’s best practices and requirements policies at all times, and maintain records that prove this compliance.
- They will fully cooperate with any inquiry concerning compliance.
- They understand that their account may become restricted or terminated if compliance cannot be proved or if full cooperation with any inquiry is refused.
- They will make an effort to ensure their services are not being used for illegal purposes.
What if I didn’t know my merchant was engaging in
Whether an acquirer is aware of it or not, they are responsible for any illegal content found on file locker merchants in their portfolio. Acquirers that fail to prevent transactions for illegal sales may be subject to non-compliance assessments or other repercussions – such as terminating specific merchant types, prohibiting the signing of all or specific merchant categories, terminating ISO/PSP relationships, or other serious consequences that could adversely affect the acquirer’s reputation and bottom line.
While high-risk file lockers require the most diligence, every merchant should be monitored carefully and continually, as a single piece of illegal content can be enough to ruin payment relationships.