In a recent episode of The Tate Chronicles on HealthcareNOW radio, Jim Tate talks to Ryne Natkze, VP of Strategic Accounts and Healthcare at Sphere. They discuss the current healthcare payments environment and the addition of Health iPASS to the Sphere family of patient engagement and payment solutions.
The Tate Chronicles cover the frontline of Healthcare IT, cutting through the fog and static that exists at the leading edge of healthcare technology and exploring emerging technologies that hold potential to bring beneficial disruptions to healthcare.
Listen to the full podcast now:
The United States is now almost one year into its COVID Pandemic Response that shifted a large percentage of its workforces to a remote office scenario. While every organization works to maintain appropriate security and privacy safeguards in this new milieu, the stakes are higher for those companies that are obligated by the HIPAA Privacy and Safeguard Rules. While you cannot understate the importance of awareness training for a remote work force, there are several steps that companies can implement to support continue compliance, even outside the office.
- Secure Wireless– All employees should ensure that the wireless networks to which they are connected are secured. This seems straightforward and generally, people are aware that they should be requiring passwords to join the network, but secure wireless networks take a little bit more than that. Protection of the networking equipment itself is often overlooked, as more attention is focused on the workstation itself. Users should ensure that they have changed the default administrative credentials on their networking equipment. Setting the SSID (network name) to private can also help secure the network, making it more difficult for criminals to find. Firmware on the access point or router should be updated and patches maintained. Securing network equipment and devices is critical to securely working in a remote environment.
- VPN Connections – When accessing corporate resources, employees should be sure to do so through secure VPN connections. VPNs establish a secure connection between the workstation and the network resource being accessed. Data traffic is exchanged through an encrypted tunnel, offering protections against theft of data in transit. It also obscures the IP address of the workstation by using a proxy. It’s also important to remind employees to disconnect from the network when they are done with work.
- Two Factor Authentication – An additional of security can be added by requiring two factor authentication for logging into corporate assets that may have sensitive or regulated data, such as PHI. This requires users to provide not just a name and password to log-in, but also an additional identifying criterion. Most often, this is a randomized number provided by an authentication tool, such as Google Authenticator or RSA SecurID. This means that even if someone does compromise username and password, they will be unable to log in to those sensitive assets.
- Printing Restrictions – In talking about securing the work environment at home, printing is often overlooked. Printing hard copies of reports or file that contain PHI represents a potential exposure. If employees must print documents with sensitive information, it should be stored in a locked drawer or filing cabinet. When the document is no longer needed it should be shredded.
- Policies and Procedures – While well-documented policies and procedures are a must for the protection of PHI, they are only successful if employees understand them and know how to apply them to their job roles. Not only is it helpful to have the policies regarding the treatment of PHI readily available, but companies may also consider conducting ongoing training about the role their employees play in ensuring the security and confidentiality of PHI. Ongoing communications through email, SharePoint or company messaging systems can act as helpful reminders and assist in creating a culture of security and privacy awareness.
While everyone is managing the seemingly continuous change necessary to maintain healthy communities amidst the pandemic, one thing that remains constant is the need to ensure the protection of sensitive patient data. For that reason, we must ensure that the policies, processes, and pratices that we enforce to secure patient data apply equally in the office and at home.
Leading fintech company integrates with telemedicine solution to deliver secure payments for virtual health and wellness visits.
Nashville, TN, September 15, 2020—Sphere, a leading provider of end-to-end integrated payments and security software, today announced it has teamed up with GenieMD, a global provider of telemedicine solutions, to offer secure payment acceptance through the GenieMD platform.
GenieMD is a HIPAA compliant, cloud based, mobile-first telemedicine platform that features video conferencing, secure text messaging, chronic care management, EMR integration, and now payment processing. Integrating Sphere payment processing technology with the GenieMD platform will facilitate transaction processing without adding barriers to care for patients, while significantly reducing scope for Payment Card Industry Data Security Standards (PCI DSS).
Benefits of the GenieMD and Sphere integration include:
- Mobile friendly—the GenieMD iVisit app lets patients locate a physician, complete a clinical visit and pay for the visit from the palm of their hand
- Compliant—uses a Premium Hosted Payment Page for online payments to separate payment card data from provider environments
- Secure—supports tokenization for safe recurring payment cycles and batch activity
- Flexible—features a portal to access customizable reporting, batch transaction uploads, and more
“As telemedicine is now a vital component of health care delivery, we are proud to partner with GenieMD,” said Steve Rizzuto, Chief Executive Officer of Sphere. “Our combined strengths in healthcare and e-commerce alongside GenieMD’s innovative telehealth platform deliver a complete solution for providers of all sizes.”
“GenieMD prides itself on its commitment to offering a fully integrated, turn-key experience to patients, providers and enterprise business partners,” said Soheil Saadat, Ph.D., founder and CEO of GenieMD, Inc. “Our relationship with Sphere expands that capability and reaffirms GenieMD’s best-in-class status in the rapidly growing telehealth vertical.”
Sphere, powered by TrustCommerce, is a software and financial technology company providing integrated solutions that reduce friction and facilitate better and more secure commercial interactions with customers in specialized vertical markets, primarily healthcare, non-profit, transportation and education. Sphere’s integrated payments technology and security software enable its clients to process payments in a way that is highly secure and compliant; integrated with their core business software; omnichannel to accept payments anytime, anywhere; and processor-neutral. Sphere’s partner-centric focused payments solutions serve small, midsize and enterprise level businesses and software companies in the U.S., Canada, and Australia. Follow us on Twitter and LinkedIn. For news and thought leadership, visit the Sphere Blog.
GenieMD, Inc. is an award-winning, global provider of telemedicine solutions. It offers a convenient, cost-effective, easily accessible platform to connect patients and providers around the world. Its targeted evidence-based intake questionnaire followed by a secure video consultation makes the process seamless and cost-effective for patients and efficient for providers. Maximizing the potential of cloud computing, big data, artificial intelligence and mobile technologies, GenieMD is transforming health care to provide the best and fastest care to patients, when they need it most. To learn more about GenieMD, visit www.geniemd.com.
Sphere recently sat down with its own Andrew Immerman, Senior Vice President of Technology to answer questions asked regularly by software vendors when choosing a payments platform with which to integrate. Mr. Immerman leverages over 20 years of experience in the development, deployment, coordination and operation of quality-driven, mission-critical technologies.
Sphere: Why use a gateway when you can connect directly to an acquirer/processor?
Immerman: Premium gateways are optimized to dramatically reduce the costs and risks of electronic payment acceptance. In general, processors are optimized to extend as much functionality as possible to the widest possible user base. To facilitate these objectives, premium gateways offer user-friendly human interfaces and easy to integrate application programming interfaces (APIs). Processors, on the other hand, extend complex, yet highly functional, user interfaces and APIs. As a result, processor interfaces are generally far more costly and time consuming to implement.
Premium gateways offer a wide variety of value adds and flexibility processors generally cannot. For example, gateways can offer fraud prevention and analysis solutions generally beyond those of the processors themselves. Additionally, gateways can offer management and automation for scheduled payments, such as those of a recurring, installment, or deferred nature. As from such functional value adds, gateways almost always natively support seamless transitions from one processor and acquirer to another.
In general, only merchants processing an extreme and sustained volume of transactions, such as 100+ transactions per second (TPS), are advised to directly integrate with a processor. Such merchants essentially build and use their own gateways, though often without the benefit of proven and ever-maturing technologies.
Sphere: Should gateway uptime/availability be a concern when selecting a gateway, or has cloud computing made this a non-issue?
Immerman: Dependability, performance, security, and many other quality attributes should be considered whenever evaluating any technology for use. As part of any dependability evaluation, availability, reliability, resiliency, and controlability should all be considered. Availability describes a system’s functional readiness; reliability describes a system’s functional correctness and consistency; resiliency describes a system’s ability to endure exceptions; and, controlability describes the efficacy and efficiency of system controls for management, maintenance, and administration. These quality attributes are implemented using careful and proven design, development, and deployment lifecycles.
“Cloud”-based technologies generally enjoy greater dependability and performance through service-driven relationships that abstract single points of failure. The configuration of cloud-based technologies and, more so, the services, applications, and other software that run thereon, dictate the potential and realized dependability and performance of such technologies. Put another way, cloud-based technologies reduce some risks; however, poor designs, such as those having single points of failure, are often just as failure-prone as are non-cloud-based technologies. As an analogous example, consider that multi-engine aircraft are often considered safer than singles. In actuality, multi-engine aircraft are generally more challenging to operate and are still susceptible to fuel depletion and contamination, both essentially being single points of failure.
When considering the introduction of any new technology, such as those of a payment gateway, it is generally advisable to obtain historical dependability, performance, and security data, as well as to understand and assess its continuity, resiliency, and resumption considerations.
Sphere: Does using a gateway add time to a transaction, especially if it’s EMV? Can bandwidth/capacity affect transaction times, especially during peak periods?
Immerman: Whereas all payment processing steps do increase round-trip transaction times, premium gateways do so with increases of no more than 10 to 50 milliseconds, including EMV overhead. In many cases, a premium gateway may be able to offer reductions in transaction times through highly tuned, high-throughput integrations with upstream entities. As an example, Sphere round-trip transaction times include overheads generally well under 50 milliseconds and, in total, average less than one second, including all round-trip times with the processor, associations, and issues.
Sphere: Every gateway is PCI validated, what makes Sphere more secure?
Immerman: Payment gateways, like all entities that handle sensitive cardholder information, are expected to maintain ongoing compliance with the PCI Data Security Standard (DSS). That said, not all do. In some cases, organizations predominantly focus on annual PCI DSS revalidation efforts, as opposed to ongoing compliance. Often, the terms “secure,” “compliant,” “validated,” and “certified” are used interchangeably when, in fact, each is distinctly different from one another. For example, being secure and/or being compliant are ongoing states, while being validated and/or being certified are based on assessments of security and compliance at specific points in time. Moreover, most security and/or compliance assessments are sample based, as opposed to being comprehensive. Additionally, no single security standard is truly comprehensive or all encompassing. All this is to say that being PCI “validated” may only be a superficial indication of an organization’s security and/or compliance maturity.
In numerous ways, Sphere distinguishes itself in the community of payment gateways and other service providers. As just a few examples of Sphere’s commitment to exceptional security and compliance:
- Sphere maintains several independent compliance and security organizations that operate in tandem with one another, as well as with mutual accountability;
- Sphere prioritizes and invests in security and compliance as separate activities to ensure that both are achieved;
- Sphere leverages several security frameworks to ensure better coverage (e.g., Sphere maintains compliance with the PCI DSS, as well as the PCI Point-to-Point-Encryption (P2PE) Standard and the HITRUST Common Security Framework (CSF);
- Sphere establishes compliance and security requirements that, in many cases, exceed those of the PCI DSS, PCI P2PE, and/or HITRUST CSF;
- Sphere invests separately in the architecture, the implementation, the administration, and the assessment of security and other sensitive solutions;
- Sphere implements security considerations through the lifecycle of all plans, processes, products, and technologies;
- Sphere offers and encourages ongoing training for all employees; and,
- Sphere maintains a culture where security, privacy, compliance, and risk mitigation in general are championed.
Sphere: What can go wrong with payments and what risk does that introduce to me and my customers?
Immerman: Payment processing involves numerous entities and many complex workflows. Any degradation with any interconnectivity, any degradation with any processing entity, and/or any workflow exception can lead to connectivity failures, processing failures, duplicated or otherwise erroneous financial authorizations, incorrect settlement or funding, etc., not to mention numerous risks relating to security, privacy, and compliance.
Premium payment gateways implement numerous checks, balances, and other controls to minimize the vulnerabilities and risks of processing exceptions. Such controls may include redundant connectivities, client- and server-side availability switching (fail-over and load-balancing), verification cross-checks, integrated and continuous system health and integrity monitoring, and autonomous exception containment, mitigation, recovery, and reporting.
Sphere: Is integrating to Sphere more complicated than using other gateways?
Immerman: Sphere technologies were designed to be inherently easy to integrate. As an example, the TC Link API, a highly dependable and highly flexible application programming interface (API), can easily be integrated with less than a dozen lines of programming code. Additionally, Sphere products are designed and assured to be compatible with all major operating systems and operating environments. For more information, please refer to the TC Link API Developer Guide, which details and demonstrates its integrational simplicity, as well as its vast functionality.
The Sphere Technology team and I are very proud of the products and services we offer. We look forward to addressing any questions or comments our partners may have, and to assist with all integration efforts.
To learn more about the developer resources that Andrew mentioned, visit our integration page or contact us below:
Expansion to Denver’s growing tech hub accelerates Sphere’s growth and investment in its technology.
Nashville, TN, August 20, 2020—Sphere, Powered by TrustCommerce, a leading provider of end-to-end integrated payments and security software, today announced it has opened a new office in the Denver area. Located in Westminster, this expansion represents continued growth and investment in its technology operations. The satellite office will house IT professionals who focus on software engineering, customer experience, business analysis and more.
To augment our flagship technology center in Santa Ana, California, the Denver area was a natural choice for Sphere. A growing tech hub, Denver is a top 10 market for technology talent. The location will provide geographic diversity for hiring of IT skillsets as well as availability of experienced payments industry professionals.
Sphere is a technology-forward organization; its end-to-end payment solutions enable clients to securely and flexibly process payments via multiple channels using its own proprietary applications and integrations with third-party software vendors. Further, Sphere’s comprehensive suite of security products, which includes PCI Validated Point to Point Encryption and tokenization, helps clients manage risk, reduce costs, and maintain compliance.
“The expansion into the new Denver facility demonstrates our investment into attracting top talent who will help us continue to drive our product and technology roadmap forward,” said Steve Rizzuto, Chief Executive Officer of Sphere.
Last year, Sphere hired Daryl Seaman to lead its Information Technology group with the primary objective of increasing Sphere’s capability and capacity and continuing to advance its commitment to excellence. Mr. Seaman is a 35-year veteran of the payments industry, having served in executive roles at two of the largest acquirers, First Data Corporation and TSYS.
“Choosing the Denver area was a no-brainer,” said Daryl Seaman, Chief Information Officer of Sphere. “We wanted a location with top technology talent in the payments space in the Mountain Time Zone to work closely with our operations in Santa Ana, CA and Irving, TX. Denver fit the bill perfectly and we can’t wait to further develop the team.”
Sphere has open positions in Information Technology in the Westminster and Santa Ana offices and is excited to accelerate product and technology growth with this location.
Sphere, powered by TrustCommerce, is a software and financial technology company providing integrated solutions that reduce friction and facilitate better and more secure commercial interactions with customers in specialized vertical markets, primarily healthcare, non-profit, transportation and education. Sphere’s integrated payments technology and security software enable its clients to process payments in a way that is highly secure and compliant, integrated with their core business software, omnichannel, and processor-neutral. Sphere’s partner-centric focused payments solutions serve small, midsize and enterprise level businesses and software companies in the U.S., Canada, and Australia. Follow us on Twitter and LinkedIn. For news and thought leadership, visit the Sphere Blog.
While healthcare providers are properly focused on patient care, it is important not to overlook the overall patient experience. There are many opportunities to make improvements. One practical way to do this is to allow multiple, digital points of payment. Why is this important? Out-of-pocket costs for patients has increased by 230% in the previous 10 years. Coupled with the challenges presented by COVID-19, health systems need to meet patients where they are and accept non-touch payments anytime, anywhere to improve collections.
Adding new ways to pay may seem like a daunting task. With complex systems that must adhere to stringent compliance and security requirements, the time and resources this change will take may seem like a barrier.
But, with the implementation of a centralized, secure payment solution that can integrate with EHR, kiosks, IVR, and other systems, it becomes much less burdensome. In addition to improving the payment experience for patients, resulting in improved collections, it can also provide organizations with valuable insights and centralized reporting and reconciliation.
Realize Revenue Earlier
An important, bottom-line benefit to providing more points of payment is that it can positively affect an organization’s cash flow by realizing revenue earlier in the billing process. There are smart, simple and secure solutions that can help drive business forward.
69% of consumers don’t believe that healthcare is keeping pace with payments innovation.
You can improve this perception by adding payment methods, which can help increase on time payments and provide patients with the flexibility and security they require. Patients are used to paying for goods and services online, on mobile devices, in app and more. They expect the same capabilities when paying for healthcare services.
To learn more about how healthcare organizations can take payments securely, via many channels, please check out our new E-book, “Secure Payments at Every Touchpoint”.
By Dr. Heather Mark, CCEP
Privacy data leaks can cause long term damage to an organization. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately. Here are 5 questions to get you started.
The subject of data privacy and consumer rights has been a hot topic over the last several years. Beginning with the implementation of the General Data Protection Regulation (GDPR) in the EU, continuing with the passage of privacy laws in California, Massachusetts, Nevada, and continuing with the proposal of almost a dozen more state level consumer privacy laws, businesses are have to sit up and take notice. While these laws certainly aim to protect consumers from businesses that might intentionally misuse data, it also means that organizations must be cognizant of the ways that such sensitive data might “leak” into, or out of, their business ecosystems and the potential damage that can be done by such “contamination.”
I use the term toxic data here to describe data that is protected by regulation (Personally Identifiable Information or PII, Financial Information, Protected Health Information, etc). This data carries with it responsibilities and has to be handled appropriately to avoid serious negative consequences. Not to overdo the analogy, but for small businesses particularly, leaks of such data can prove fatal. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately.
Here are five straightforward questions that organizations can ask to start getting a feel for their own practices.
- What data do we collect?
Surprisingly, the answer to this question for many companies is, ”I’m not sure.” If a organization has been in operation for some time (5 years or more), it may be the case that data collection began simply, with a contact or payment form or cookies and web beacons. Some organizations may have relied on third parties to help with forms and websites and may not have a complete list of data that is collected. In other cases, data collection protocols that were purposely set up may not have evolved with the organization’s needs over time. Doing a data inventory (finding out what data you collect and where that data is stored) is a critical component in protecting that toxic data. You can’t protect it if you don’t know that you have it.
- Why do we collect that data?
Once you’ve determined what data is being collected by the organization, the next step is to answer the “why?” This is where the rubber meets the road. If there is no specific business purpose to collecting the data (i.e., it is considered a “nice to have” or no one can really identify its purpose) then the organization should really examine whether it should change their practice. The more toxic data a company stores, the higher the liability exposure if the data is compromised or, in the case of GDPR, CCPA and similar laws, if the data is used inappropriately. The general guideline for data – if the data is not needed, it should not be collected.
- How does data flow through and out of our organization?
This one might seem obvious, but data has a habit of migrating through organizations if it is not carefully constrained. Understanding how different departments interact with the data, helps to develop appropriate controls in departments handle the toxic data. For example, if the “contact” form for your support group also provides information to your product group or your account management group, understanding where that data goes allows the organization to focus its resources on protecting those data flows and data stores. Additionally, it might bring to light data uses that were not widely known in the organization, allowing for a discussion of risk and appropriate data uses. Understanding the data flow allows the organization to use maximize the positive aspects of data use without “infecting” departments that have no need to access or use it.
As important as how the data flows through the organization is how the data flows out of it. What third parties are being used to support the business operation, and how do those organizations access and use data? Do they need the data to fulfill their obligations? Sitting down and going through these relationships can be extremely helpful in identifying critical vendors and helping to manage third party risk.
- How do we dispose of data when it is no longer needed, or a deletion request is received?
The issue of data disposal, “deletion” or “erasure” is certainly complex and worth speaking with counsel about when drafting and implementing policies and practices. For the purposes of this discussion, the question is how an organization can ensure that such toxic data is appropriately removed from the network or systems. CCPA allows for anonymization or de-identification of data. This means that identifying information is removed so that the data element cannot be tied to an individual. Organizations must also balance their regulatory obligations to maintain records against the consumer request. While the regulatory obligation will supercede the deletion request, it is possible for organizations to meet the spirit of a deletion request while maintaining its legal obligation for record keeping. Doing so requires careful planning and execution and a clear understanding of privacy requirements.
- How do we disclose our data privacy practices?
The central tenet of all privacy laws, and the fair information principles on which they are based, is providing the consumer with ability to make a clear, informed decision about how their personal information is collected and used. To further that objective, organizations must disclose clearly and explicitly the ways in which data is collected and used. Further, consumers must have easily identifiable mechanisms to make privacy-related requests of the organization. And the notice must be provided PRIOR to the collection of data. If data is shared with third parties, that, too, must be disclosed. This allows the consumer the ability to really understand why certain data elements are being collected and they are being used before they consent to share it.
Designing, implementing, and maintaining a privacy program is an “all hands on deck” operation. Every department must be bought it to get a comprehensive picture of the organization’s privacy prognosis and create a “treatment plan” for the toxic data. This also assists in obtaining organization-wide buy in on the program.
Personal information is the currency of this age. Consumers will trade privacy for convenience. The Center for Data Innovation found that 58% of Americans are willing to trade their personal data for a greater level personal convenience. That gives organizations a great deal of power, but also a great deal of responsibility. In order to ensure that companies are mindful of that obligation, states are taking the lead in establishing consumer rights with respect to how data is collected and used. Understanding your organizations relationship with potentially toxic data can help keep everyone, business and consumer, safer.
By Dr. Heather Mark, CCEP
Aristotle wrote that ethics is the habituation of right action. Essentially, we don’t know what’s right out of the starting gate. The virtue of ethical behavior is one that we acquire through example and guidelines. We become ethical, or as Aristotle would have it, virtuous, through practice. The more we practice right action, the more innate it seems to become. It’s not an inherent knowledge, it’s a learned trait. This discussion from Aristotle’s classic work Nicomachean Ethics is a great description of the important interrelatedness of compliance and ethics, particularly in the Payments industry.
The payments industry is highly complex and highly regulated. It’s unlikely that a person new to the industry would walk in and be able to identify right from wrong, speaking in regulatory sense. The lattice of regulation created by the card brand rules, state and local laws, as well as federal regulation, and potentially international laws, can cause confusion even among well-entrenched payments professionals. If you were to overlay that with the development of new business models, such as payment facilitators and marketplaces, the landscape quickly becomes treacherous. This is where a robust Compliance and Ethics program comes into play.
As Aristotle says, a good government will attempt to legislate virtuous behavior to help its citizens learn to act “virtuously.” Eventually, its citizens learn to extrapolate that virtuous behavior beyond those circumstances contemplated by law, and simply behave in a “right” manner. Leaving behind for the moment arguments about legislating morality, let’s focus on the notion that laws act as a guideline for behavior in the absence of an inherent understanding. The compliance program acts as that guideline for the uninitiated. Without long experience or an inherent understanding of the potential pitfalls of non-compliance in the payments space, the compliance program acts as the framework for what’s right and wrong, in a regulatory context.
Virtue, or to use the word that is more familiar to us, ethics is, according to Aristotle, what makes something perform well. So it follow suit then, that an ethical company would perform well. It’s in the best interest of the company, then, to ensure that its team members are inclined to act in a way that is ethical. That means enabling merchant, service providers, and partners to conduct their business in a way that complies card brand rules. That also means recognizing that simply because we can do something, it doesn’t mean we should. We’ve seen this play out in the rise of Fintech.
Fintech is an exciting wave of innovation that has been transforming the payments space over the course of the last ten years. Agile, creative companies have been developing new ways for merchants to engage with their customers. Things that we already take for granted, such depositing paper checks from our phones, or paying our friends back for lunch through text messages, are just some of the examples of the innovations borne of the Fintech revolution. But there were some downsides to that rush to the payments space, too. While the vast majority of new Fintech players took the time to learn the payments space, to understand the regulatory environment, and to play according to those rules, there were a few players that saw an opportunity to cash in on the changing industry. Software developers without an understanding of the complexities of the space made decisions, which in retrospect, were not founded on a complete understanding of the risk involved, or of the impact it might have on the end user. With a robust and mature compliance program in place, it’s possible that those companies may have avoided those missteps.
In organizations with a mature program in place, compliance is “business as usual,” baked into product development. The compliance team scopes out potential regulatory roadblocks so that the product and development teams can design with those regulatory requirements in mind. Additionally, it serves as a learning opportunity, as those teams begin to acclimate to the regulatory environment in which they operate. They incorporate those requirements as they evolve that product set or the feature set for particular verticals. They learn the questions to ask when a new project comes along. The regulatory requirements become just a fact of life, doing things the right way. In Aristotle’s words, they become habituated to it. Compliance serves as the touchstone on which companies and organizations can build an ethical culture.
Ethics, then, derives from the repeated practice of doing the right thing, such that when a specific guideline doesn’t exist, one can still determine the right course of action. Eventually, Aristotle says, people will reach a state in which they do the right thing because it is the right thing, not because the law mandates it. Ethics programs are natural extensions of compliance programs, as companies should empower their staff and contractors to do the right thing, even when it’s difficult. Ethics programs are designed to allow employees to report, without fear of retribution, actions that they genuinely feel violate the organization’s Code of Conduct or Compliance policies.
The importance of having an ethical culture can’t be overstated. It is what keeps employees invested in the organization and what maintains relationships with clients and partners. As a side benefit, it helps companies to avoid potential violations of regulatory mandates. Those violations can result in monetary fines and penalties, compensation to affected parties, and government oversight. Ethical and compliance violations also lead to lost revenue as a result of reputational damage. Clients and prospective clients will be reluctant to sign a contract with a company with a demonstrable track record of ethical issues.
What does all this mean to the payments industry? The industry is predicated on what can be a quickly shifting foundation of the intersection of technology and regulation. Maintaining an operational understanding of the relationship between the two is a vital requirement in any partner or service provider in the industry. That means that companies that aren’t willing or able to make an investment in maturing their Compliance and Ethics programs are at a competitive disadvantage. Between card brand regulations, state laws on money transmission, data security and privacy, and federal laws, it quickly becomes imperative for companies to choose a service provider that can help them navigate the compliance landscape, while staying on the forefront of payment technology. It’s a delicate balance. What’s more, it’s important to work with a company that can practice some foresight with respect to the potential impact of forthcoming legislation. Again, this is something that ethics can help accomplish – often doing what’s right to start with can help head off potential issues with future legislation. An example can be found in the use of mobile payment applications.
Installing an application on a mobile device can provide the software manufacturer with a wealth of information – contacts, geolocation, app and device usage. All of this data is incredibly useful for marketing purposes, but collecting that data without the express consent of the end-user is problematic, to put it mildly. A number of mobile payment providers were collecting this information and using “big data analytics” and sharing it with third parties. In fact, that practice led to a number of Congressional hearings on the matter. This is why users now have the option to turn off location services and apps now disclose what they track. This same issue is still playing out in the Cambridge Analytics issue with Facebook. These issues could have been avoided with the adoption of a mindset that says, “Just because we have the technology to do something, that doesn’t mean that we should do it.” This, again, derives from ethical culture and transparency to both end-users and partners.
Sphere is dedicated to the proposition that a payments company cannot be successful without a strong Compliance and Ethics program. Since its inception, Sphere recognized the unique position and responsibility that it has to maintain an environment that fosters ethical behavior. To do so, it is necessary to develop and maintain a Compliance program that serves, not just Sphere, but its clients and partners, as well. At the end of the day, developing such a program is just another way that we serve our clients.
 For the purposes of this discussion, I include security requirements in the compliance discussion.