FinQub

From ISO to PayFac: the compliance stack you inherit when you move up

Becoming a PayFac means inheriting risk you did not carry as an ISO. Here is the eight-layer tech stack you will need, the build-vs-buy decisions at each layer, and the record the sponsor bank and the card networks will ask you to produce.

Updated June 2026

The PayFac ladder

Most merchant services companies start somewhere on a ladder that runs from sales agent to acquiring bank. The further up the ladder you climb, the more of the economics you keep and the more compliance responsibility you own.

  • Sales agent. You refer merchants to an acquirer. The acquirer underwrites and boards them. You earn 5 to 10 basis points on their volume. No license, no compliance load.
  • ISO (Independent Sales Organization). You board merchants under an acquirer's master account, often with your own brand on top. You earn 10 to 25 bps. The acquirer still owns underwriting and risk; you are the sales motion.
  • Wholesale ISO. Same shape as an ISO, with more pricing freedom and often a private-label processing relationship. 15 to 30 bps.
  • PayFac (Payment Facilitator). You hold the master merchant identification number with a sponsor bank. You board sub-merchants under your account, instantly, on your own underwriting and risk decisions. You earn 30 to 50 bps. You register with Visa and Mastercard once your sub-merchant volume crosses $1M annually. You answer to the sponsor bank, the card networks, and a federal regulator.
  • Sub-acquirer or aggregator. Similar to a PayFac with deeper sponsor-bank entanglement, higher portfolio limits, and more direct settlement responsibility.
  • Acquirer. A bank with direct membership in Visa or Mastercard, bearing its own balance-sheet exposure on every transaction it acquires.

Most vertical SaaS companies that add payments aim for PayFac. The economics and the product experience are dramatically better than ISO. The compliance and risk load is dramatically worse. This page is about that step.

What changes when you become a PayFac

When you stop being an ISO and become a PayFac, you inherit responsibilities the acquirer used to carry:

  • You underwrite every sub-merchant. The acquirer used to do this in three days. As a PayFac you do it in seconds, before you can board them. The boarding decision is yours.
  • You hold the master MID. Every sub-merchant transacts under your account. Their chargebacks, fraud, and disputes show up on your monthly report to Visa and Mastercard.
  • You own the VAMP and MATCH numbers. Visa's Acquirer Monitoring Program measures your fraud and chargeback ratios across the entire portfolio. Hit the thresholds and you pay fines. Mastercard's MATCH list captures terminated sub-merchants; you query it before boarding and you write to it after termination.
  • Your sponsor bank owns you regulatorily. Sponsor banks sit under OCC, FDIC, or Federal Reserve oversight, and their oversight of you is how that regulatory oversight reaches you. They want continuous monitoring of your portfolio and information requests answered in days, not weeks.
  • The risk decisions are yours. Whether to board, whether to terminate, whether to file a SAR. These come from your underwriting team, your rulebook, your analysts. The acquirer used to make these calls. Now you do.

The corresponding payoff is real. PayFacs earn three to five times the basis points of an ISO. They board sub-merchants in minutes instead of days, which is the unlock vertical SaaS payments depends on. But the compliance bar is much higher, and it tilts the build-vs-buy math at every layer of the stack.

The eight-layer compliance stack you will need

A PayFac runs roughly eight categories of tooling on top of its processor relationship:

  • Onboarding and KYB. Verify the legal entity, the UBOs, and the principals. Vendors: Middesk, Persona, Sumsub, Trulioo.
  • Sanctions and PEP screening. Check the business and every UBO against OFAC, EU, UN, OFSI, and politically-exposed-person lists. Continuous re-screening as those lists update. Vendors: ComplyAdvantage, Refinitiv (LSEG), Dow Jones Risk Center.
  • Transaction monitoring and AML. Detect structuring, velocity changes, suspicious counterparty patterns. Generate alerts your analysts work. Vendors: Hummingbird, Unit21, Verafin, Featurespace.
  • Fraud and risk decisioning. Device intelligence, behavioral signals, transaction-time risk scoring. Vendors: Sardine, Sift, Forter, Riskified, Kount.
  • Card processing partner. The actual rails. PayFac-as-a-service vendors handle the boarding, settlement, and reserve plumbing for you. Vendors: Stripe Connect, Adyen, Finix, Checkout.com, BlueSnap.
  • Chargeback and dispute. Real-time alerts before a chargeback is filed (Ethoca for Mastercard, Verifi for Visa) and automated representment (Chargehound, Justt). The faster you respond, the lower your ratios.
  • Reserve and collateral management. As a PayFac you hold reserves against sub-merchant exposure. Most platforms build this themselves on top of what their processor partner provides.
  • Tax reporting. Form 1099-K for US sub-merchants, plus state and 1099-MISC variants. Built on top of the processor's reporting, or a specialized vendor if you span multiple jurisdictions.

That is eight categories and twenty-plus vendors to choose from. You will not run all of them, but you will touch at least five.

Where to build, where to buy

The honest math on each layer at typical PayFac scale (1k to 50k sub-merchants):

  • KYB, KYC, sanctions, fraud, transaction monitoring: buy. The data feeds, the model coverage, and the evidence requirements move too fast to maintain in-house. Buy these from specialists.
  • Card processing: buy. Building this from scratch puts you 18 months behind any reasonable launch date. Pick a PayFac-as-a-service partner and stay focused on the underwriting and product layers above it.
  • Chargeback prevention and automated representment: buy. These vendors integrate with Visa and Mastercard alert programs in ways you cannot do directly.
  • Reserve management: usually build. Most processors expose the primitives; the business rules are yours.
  • Tax reporting: build a thin layer on top of the processor's data, or buy a specialized vendor if you serve multiple jurisdictions.
  • Risk decisioning logic (your rulebook): build. This is your judgment, your underwriting policy, your appetite. No vendor sells you this.
  • The compliance record beneath it all: this is where it gets interesting.

The record beneath the stack

You can buy or build every layer above. None of them gives you the one thing the sponsor bank and the examiner ask for: a single record per sub-merchant that holds every signal, every decision, every override, and every policy version that applied.

Each vendor's console holds its own slice. Middesk has your KYB. Sardine has your fraud scores. ComplyAdvantage has your sanctions history. Your processor has the chargebacks. Hummingbird has your filed SARs. Your underwriting team has the rulebook decisions.

When the sponsor bank's quarterly review asks “what did you know about sub-merchant X on March 14, 2026, when you boarded them?” the answer today is assembled by hand across five to seven consoles. Same when Visa flags your VAMP ratio and you need to explain a specific sub-merchant cluster. Same when a federal examiner subpoenas your decision history.

This is the compliance evidence layer. It is the part most ISOs underestimate when they move up. FinQub is the single source of truth for fintech risk decisions: every vendor signal lands on one record per sub-merchant, with the rule that fired, the underwriting decision, the policy version pinned, and the analyst override if there was one. The sponsor-bank request becomes one query against the record. The VAMP investigation is one query. The examiner subpoena is one query.

This is not case management (Hummingbird does that). It is not a fraud vendor (Sardine does that). It is the record beneath the case and the fraud signal, the thing every PayFac eventually builds in-house in their second year, after their first sponsor-bank information request takes three weeks.

A checklist for the ISO-to-PayFac transition

  • Lock the sponsor-bank relationship before you build anything. Their underwriting and program requirements set the bar for everything else.
  • Pick the PayFac-as-a-service partner early. Switching processors after launch is a hidden 6-month tax.
  • Buy KYB, sanctions, AML, and fraud. Do not build them.
  • Build the rulebook (your underwriting and risk policy). Do not try to buy your judgment.
  • Decide where the compliance record lives before your first sub-merchant boards. Adding it later means rebuilding evidence history with regulators.
  • Plan for continuous monitoring, not just boarding. The risk shows up after sub-merchants are live (see continuous sub-merchant monitoring).
  • Watch VAMP and MATCH ratios at the portfolio level monthly. The thresholds tighten in 2026 (see Visa VAMP 2026).

Frequently asked questions

Do I need to become a PayFac, or can I stay an ISO?

It depends on the friction. If your customers complain that merchant boarding takes three days, if your unit economics don't work at ISO basis points, or if you can't customize the product experience around payments, those are the signals to upgrade. If none of those bite, ISO is materially cheaper to operate. Most vertical SaaS payments companies hit those signals between $100M and $300M of annual processed volume.

What is the actual revenue uplift from ISO to PayFac?

Roughly three to five times the basis points on processed volume. A platform processing $500M annually that earns 15 bps as an ISO would earn 40 to 50 bps as a PayFac. That is roughly $750k to $2M of additional revenue before costs. The compliance stack discussed in this article typically adds $400k to $1M in vendor and team costs, so the net uplift depends on how much of the stack you build versus buy.

How long does PayFac registration take?

Visa and Mastercard registration is typically 60 to 90 days after you have a sponsor bank in place. Sponsor-bank negotiation is another 60 to 120 days. Plan 6 to 9 months from the decision to your first sub-merchant boarded. Programs that have not done it before often add another 3 months for unanticipated rework on underwriting policy, AML program design, and the information-request response process.

What does a sponsor bank actually want from a new PayFac?

A program description, the underwriting policy, the risk appetite statement, the chargeback monitoring plan, the AML program, BSA officer credentials, the executive team's compliance history, the technology stack (including which vendors you use for KYB, sanctions, transaction monitoring, and fraud), and a credible answer to how you will handle information requests in 7 to 14 days. They want continuous monitoring metrics monthly. They will quiz you on all of it during onboarding and quarterly thereafter.

Where does FinQub fit in the PayFac stack?

FinQub is the record every signal and decision lands on. Sub-merchant onboarding signals from your KYB, sanctions, transaction monitoring, and fraud vendors land on one record per sub-merchant, alongside the underwriting decision, the policy version that applied, and the analyst override if there was one. When Visa, Mastercard, your sponsor bank, or a federal examiner asks for the history of a specific sub-merchant, the answer is one query against that record, not an assembly job across five to seven consoles. FinQub does not replace your processor, your KYB vendor, or your case-management tool. It is the record beneath them.

The stack runs on the vendors you choose. The record runs underneath all of them.