
2.8.3.5. Payment Aggregator
This section outlines the policies and rules that apply to entities (third
parties or S/Es) that operate as Payment Aggregators in either the Card
Present or Card Not Present payment environment. Payment Aggregators
are entities that contract with an Acquirer to provide Payment Services to
Sponsored Merchants. These Sponsored Merchants may or may not have a
direct relationship with the Acquirer.

Acquirers that contract with Payment Aggregators are liable for all acts,
omissions and other adverse conditions caused by the Payment
Aggregators and their respective Sponsored Merchants. In the event that a
Payment Aggregator is unable to fulfill their obligations to their Sponsored
Merchants, the Acquirer will be responsible for Transaction processing and
Settlement with Sponsored Merchant(s). The Acquirer will hold AEGNS
harmless against any claims made by a Sponsored Merchant or its
representatives that it has not received accurate, complete and timely
Settlement from the Payment Aggregator. As a result, the Acquirer must at
all times be responsible for and manage, direct, and control all aspects of
its Payment Aggregator activities and enforce all program management and
operating policies applicable to Payment Aggregators and Sponsored
Merchants in accordance with Section 2.8.3.5 and other sections referenced in the
Business and Operational Policies manual. AEGNS or its designee reserves the
right to conduct audits of an Acquirer, its Payment Aggregators, and the
Payment Aggregator’s Sponsored Merchants at any time for the purpose of
determining compliance with these Payment Aggregator rules and other
applicable policies provided in the Business and Operational Policies manual.

2.8.3.5.1. Payment Aggregator Qualifications


An Acquirer must execute a Payment Aggregator Agreement with a Payment
Aggregator.

This agreement must contain the requirements established in Section 2.8.3.5.4,
“Payment Aggregator Agreement Requirements,” on page 4.

An Acquirer must ensure their Payment Aggregators adhere to all general
policies and rules as provided in the Business and Operational Policies manual
and the specific minimum requirements for Payment Aggregators
described in this policy.

2.8.3.5.2. General Requirements for Acquirers, Payment Aggregators, and Sponsored Merchants

(check list)
• Payment Aggregators have been assessed and, based on the Acquirer’s
assessment, have adequate resources, financial and otherwise, to meet
their obligations and deliver the services in accordance with applicable law
prior to entering into a Payment Aggregator Agreement.

• Payment Aggregators must enter into a Sponsored Merchant Agreement
with each Sponsored Merchant.

• Payment Aggregators must enforce each Sponsored Merchant's compliance
with the provisions of the Sponsored Merchant Agreement as outlined in
Section 2.8.3.5.5, “Sponsored Merchant Agreement Requirements,” see
page 6 below, including the termination of Payment Services provided to
Sponsored Merchants if they fail to comply with any of these provisions.

• Payment Aggregators must meet the anti-money laundering (AML) and
anti-terrorist financing (ATF) program requirements established in Section
2.3, “Anti-Money Laundering, Screening, U.S. Sanctions, and Anti-Corruption
Requirements,” see page 6 below.
Acquirers must also be prepared to provide copies of these documents to
AEGNS within thirty (30) days, or as otherwise specified, of request from AEGNS.

• Payment Aggregators and their respective Sponsored Merchants must
comply with the AEGNS Data Security Policy as set forth in Section 2.4,
“Participant Data Security Policy,” see page 7 below.

• Payment Aggregators and their Sponsored Merchants must at all times
operate their business in a safe and sound manner and in compliance
with applicable law, and must not directly or indirectly engage in or
facilitate any action that does not comply with local laws or regulations.

• Payment Aggregators and their Sponsored Merchants must have all
licenses and legal and regulatory permissions necessary to conduct
business.

• Payment Aggregators and their Sponsored Merchants must not engage
in illegal or potentially deceptive marketing practices or otherwise
process Transactions that may adversely affect the American Express
Brand, and otherwise must adhere to AEGNS’ Brand Protection policy as
provided in Section 2.8.5, “Brand Protection,” see attached documentation.

• Payment Aggregators and their Sponsored Merchants must adhere to
the policies for review and approval for Marketing and Branding
requirements established in Section 2.8.19, “Marketing, Advertising, and
Public Relations,” see page 9 below.

• Acquirers must accept and process Transactions only from Payment
Aggregators and Sponsored Merchants within the geographic territory
or eligible marketing region specified under their Participant
Agreement.

• Payment Aggregators must not contract with another Payment Aggregator
as a Sponsored Merchant, nor allow Payment Aggregators to operate under
another Payment Aggregator as a Sponsored Merchant.

• Payment Aggregators and their Sponsored Merchants must comply with
the requirements in Section 2.8.7, “S/E Website Information Display
Guidelines,” see page 9 below, and ensure, on an ongoing basis, that such
websites do not contain any content or material that may cause harm to
any individuals or damage to the American Express Brand.

• Neither the Payment Aggregators nor any of their respective Sponsored
Merchants are in Prohibited Industries (as detailed in Section 2.8.4.1,
“Prohibited Industries,” see page 10 below) and/or engaging in American
Express related business with any country on which the United States has
imposed economic sanctions (as detailed in Section 2.3.6.1, “Prohibited
Countries and Regions,” see page 11 below).

• Payment Aggregators and Sponsored Merchants must ensure
Transactions submitted to AEGNS comply with the Network
Specifications manuals.

• Acquirers must monitor the activities of their Payment Aggregators and
Sponsored Merchants to deter fraud and other wrongful activity, and to
ensure that they are in full compliance with all other requirements as
outlined in Section 2.8, “Requirements for Conducting Merchant Acquiring
Business,” see page 12 below and provided in Section 2.8.3.5, “Payment
Aggregator,” see page 1 above.

• Acquirers must ensure that their Payment Aggregators and respective
Sponsored Merchants operate in accordance with obligations and
requirements provided in Section 8.10, “AEGNS Issuer and Cardmember
Risk Management,” see attachment on page 4.
Additionally, upon request of AEGNS, the Acquirer must provide an
Attestation of Compliance with the general requirements as set out in this
section.

2.8.3.5.3. Reporting Requirements for Payment Aggregators


AEGNS may request information about Payment Aggregators, which may
include the data elements listed in Table 2-9¹. Acquirers must submit the
information to AEGNS no later than thirty (30) days, or as otherwise
specified, after such request.

¹ The list of data elements in Table 2-9 is not an exhaustive list and
AEGNS may, in its sole discretion, request other data elements.

Table 2-9. Data Elements for Payment Aggregators
Data Elements
• Acquirer ID Number
• Payment Aggregator Start Date
• Payment Aggregator Termination Date (when applicable)
• Payment Aggregator Status: new/renew/termination
• Payment Aggregator Doing Business As (DBA) name
• Payment Aggregator Legal Name
• Payment Aggregator Business function
• Payment Aggregator S/E#
• Payment Aggregator Contact information:
• Legal address
• Principal owner name
• Business phone
• Business address
• Business URL

2.8.3.5.4. Payment Aggregator Agreement Requirements


Although an Acquirer may design its own Payment Aggregator Agreement,
this agreement must contain the principles and substance provided in
Chapter 2, “Business Policies and Rules,” beginning on page 17, including, but not
limited to, statements specifying:
• The Acquirer’s right to immediately terminate a Payment Aggregator or
Sponsored Merchant contract for good cause or fraudulent or other activity,
or upon AEGNS request.
• Payment Aggregators are liable for all Settlement activity on behalf of their
Sponsored Merchants, including Chargebacks and Credits. Payment
Aggregators are also liable for all other acts, omissions, and Cardmember
customer service-related issues caused by the Payment Aggregators’
Sponsored Merchants.
• Payment Aggregators must perform due diligence and “Know Your
Customer (KYC)” screening for each of its Sponsored Merchants, which
must include a financial review and background check of their principal or
controlling owner.

• Payment Aggregators must retain any records concerning the
investigation of its Sponsored Merchants, and provide such records to the
Acquirer and/or AEGN within thirty (30) days, or otherwise specified, of
request from AEGN.

• Payment Aggregators must provide the names of owner(s) for each of their
Sponsored Merchants on the Network through the Sponsored Merchant
Reporting as outlined in Section 2.8.3.5.6, “Sponsored Merchant Reporting
Requirements,” see page 13 below.

• Payment Aggregators must ensure that their Sponsored Merchants comply
with the AEGNS Data Security Policy as set forth in Section 2.4, “Participant
Data Security Policy,” see page 7 below.

• Payment Aggregators must remove American Express Licensed Marks
from their website and wherever else they are displayed upon
termination of the Payment Aggregator Agreement.

ADDENDUM TO DOCUMENT BASED ON REFERENCED PAGES

Section 2.8.3.5.5: Sponsored Merchant Agreement Requirements


Although Payment Aggregators may design their own
Sponsored Merchant Agreement, each Payment
Aggregator must enter into a written agreement with
each Sponsored Merchant, and such agreements must
contain the principles and substance provided in Section
2.8.3, “S/E Qualifications and Agreement Requirements,”
on page 108. In addition, the agreement should include
the following specific provisions:
• Sponsored Merchants are required to comply with all applicable
laws, rules and regulations relating to the conduct of the
Sponsored Merchant’s business.
• A requirement that Payment Aggregators have the right to
immediately terminate a Sponsored Merchant for good cause, or
fraudulent or other activity, or upon request of the Acquirer or AEGNS.
• The Sponsored Merchant must adhere to AEGN Card Acceptance
and Authorization policies and procedures.
• A provision to ensure Transactions submitted to AEGNS comply
with the Network Specifications manuals.
• Sponsored Merchants are responsible for being aware of and adhering
to privacy and data protection laws and provide specific and adequate
disclosures to Cardmembers of collection, use and processing of
personal data.
• Sponsored Merchants must comply with the AEGNS Data Security
Policy provided in Section 2.4, “Participant Data Security Policy,” on
page 57.
• A requirement to remove American Express Licensed Marks from
the Sponsored Merchant website and any other locations under the
control of the Sponsored Merchant, no later than thirty (30) days
of termination of the Sponsored Merchant Agreement.

2.1. Anti-Money Laundering, Screening, U.S. Sanctions, and Anti-Corruption Requirements
Money laundering has generally been defined as the process by which
the proceeds of criminal activity are moved through the financial system
in order to hide all traces of their criminal or illegal origin. The
transactions need not, and frequently do not, involve cash and the
movement of funds can involve any variety of financial instruments,
products, or services.
Terrorist financing involves the movement of funds (legitimately or
illicitly derived) undetected through the financial system so that
terrorists can use these funds to support their activities. Dollar values
related to terrorist financing tend to be significantly smaller than those
associated with the proceeds of money laundering related to crime and
therefore can be much more difficult to identify when moved through
the financial system.
The U.S. government, and other governments around the world,
maintain trade and economic sanctions against individuals, entities, and
countries for participating in or providing support to various criminal,
terrorist, or human rights-violative activities. As a U.S. company,
American Express must comply with all sanctions administered and
enforced by the U.S. government through the Treasury Department's
Office of Foreign Assets Control (OFAC), and also must comply with
applicable local sanctions regimes in the foreign jurisdictions in which it
operates.
Participants are required to maintain an effective anti-money
laundering, anti-terrorist financing, and sanctions compliance program
to prevent the use of Participant operations for criminal purposes and to
satisfy AEGNS that the Participant's business is not being conducted in
circumstances that would in any way facilitate money laundering or the
financing of terrorist activities or pose a sanctions, money laundering,
terrorist financing, or other regulatory risk to AEGNS. Elements of this
program should include:
• Internal policies, procedures, and controls (including an automated screening tool)
related to anti-money laundering, sanctions compliance, and anti-terrorist financing;
• Dedicated personnel responsible for the compliance function;
• A regular employee training program on the identification and prevention of money
laundering, sanctions, and terrorist financing;
• Record-keeping;
• Periodic audits (internal and/or external); and
• Background checks on the owners, members of the management board, direct or
indirect shareholders, holding companies, directors, officers, and employees of
Participant.
In order to support AEGNS’ obligations under the Uniting and
Strengthening America by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism (“USA PATRIOT”) Act of 2001,
Participants are required to cooperate with AEGNS to understand and
document Participants’ AML/ATF program, prior to becoming a Participant
on the AEGN and on an ongoing basis thereafter as determined by
AEGNS.
The ongoing monitoring of Participants’ AML/ATF/sanctions compliance
programs may include, but is not limited to, an initial risk assessment
and due diligence process to be satisfactorily completed prior to
Participant joining AEGNS, risk assessment update at least annually,
update of Compliance due diligence periodically based on the risk
assessment, onsite inspection and testing, reporting of metrics relevant
to Participant’s AML/ATF programs, and other requests for information
about Participant's AML/ATF program as may be required by AEGNS or
by law. AEGNS will determine and communicate specific requirements to
the Participant at the time it is requested.

2.2. Participant Data Security Policy

The AEGNS Data Security Policy (DSP) is a set of comprehensive policy
requirements designed to protect Account Data whenever such data is
stored, processed, or transmitted. Compromised data negatively
impacts consumers, S/Es, and Card Issuers. Addressing this threat by
implementing security operating policies can help improve customer
trust, reduce potential liability, and enhance the security of the Network.
AEGNS has endorsed and incorporated into DSP the following:
• Payment Card Industry Data Security Standard (PCI DSS)
• Payment Card Industry Software-based PIN Entry on Commercial off-the-shelf (COTS)
• Payment Card Industry PIN Transaction Security (PCI PTS) Standard
• Payment Card Industry PIN Security Requirements
• Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS)
• Payment Card Industry Secure Software Standard (PCI SSS)
• Payment Card Industry Secure Software Lifecycle (PCI Secure SLC) Standard

For details on requirements specific to PCI PIN Security, see Section
2.4.8, “Encryption Data Security Requirements,” on page 65.
AEGNS recommends Participants and their Service Providers use a PCI
Qualified PIN Assessor (QPA) to assess/demonstrate compliance to PCI
PIN Security Requirements.
These standards include requirements for security management, policies,
procedures, network architecture, software design, POS and PIN
acceptance devices, payment application security, and other critical
protective measures. The standards are intended to help organizations
proactively protect Account Data.
Details regarding the PCI standards and how to comply with their
requirements can be found at www.pcisecuritystandards.org.
All Participants, S/Es, and Service Providers must comply with the
AEGNS DSP. As part of that requirement, Participants must:
1. Comply with the PCI DSS, as outlined in Section 2.4.2, “Acquirer Data Security
Compliance Requirements,” on page 59 and Section 2.4.4, “Issuer Data Security
Compliance Requirements,” on page 62; and
2. Validate their compliance with the PCI DSS as outlined in Section 2.4.3, “Acquirer Data
Security Compliance Validation Requirements,” on page 61 and Section 2.4.5, “Issuer
Data Security Compliance Validation Requirements,” on page 62; and
3. Report to AEGNS their compliance validation with the PCI DSS, as outlined in Section
2.4.6, “Participant Data Security Compliance Validation Documentation,” on page 63.

Participants must also ensure their agreements with S/Es and Service
Providers include:
• A requirement to comply with the following:
- PCI DSS
- PCI PTS
- PCI Software-based PIN Entry on COTS
- PCI PIN Security
- PCI PA-DSS
- PCI SSS
- PCI Secure SLC
• Provisions requiring that S/Es and Service Providers report all instances of a Data
Compromise immediately to the Participant, and in no case later than twenty-four (24)
hours after discovery of the incident. See Section 2.4.11, “Notification of Data
Compromise from AEGNS to Potentially Impacted Issuers,” on page 71 for details.

2.2.1. Marketing, Advertising, and Public Relations


Acquirers must adhere to the following policies for review and
approval of marketing, advertising, and public relations
materials. Acquirers are responsible for ensuring that S/Es
adhere to the same requirements.
• The American Express Blue Box logo may only be reproduced and used as
specified in the Marketing section on Knowledge Base.
• Acquirers and S/Es may not use any existing American Express sign offs or
slogans (past or present) nor may Acquirers or S/Es mimic, ridicule, copy,
or alter any past or present American Express sign off or slogan.
• Acquirers and S/Es may not place any American Express Licensed Mark on
any product, service, or communications materials without the prior written
approval of AEGNS. Communications materials, when designed, should
place American Express Licensed Marks in a preferred position.
In addition, Acquirers must comply with the neutrality principles
set out in “Exhibit 19. Neutrality Principles for Conducting
Merchant Acquiring Business” on page 589 when promoting
local S/E offers.

2.2.2. S/E Website Information Display Guidelines


Acquirers must ensure that S/Es adhere to the following
website information display guidelines. The S/E website must
display the following:

• An accurate description of Goods/Services offered, including the
currency type for the Transaction (e.g., U.S. Dollars, Canadian Dollars)
• An email address and a telephone number for customer service disputes
• The S/E’s return/refund policy
• A description of the S/E’s delivery policy (e.g., No COD, No overnight)
• A description of the S/E’s security practices (e.g., information highlighting
security practices the S/E uses to secure Transactions conducted on the
Internet)
• A statement of known export restrictions, tariffs, and any other regulations
• The name of the country in which the S/E is located
• A privacy statement regarding the type of personal information collected
and how the information is used. Additionally, S/Es must provide to
consumers the option to decline being included in marketing campaigns or
having their personal information included on lists sold to third parties. S/Es
may use the following privacy statement, provided that their practices
comply with this statement:
At [S/E name] we are committed to protecting the privacy of all our
customers. We collect only customer information that is needed and we
inform all customers how we use it. On a regular basis, we give customers
choices about how their data will be used including the option to decide
whether or not they wish to have their names removed from lists used for
marketing campaigns. All customer information is stored securely and access
to it is limited to those employees who specifically need it to conduct their
business responsibilities. All [S/E name] employees and business partners
are responsible for upholding our privacy principles.

2.8.4.1. Prohibited Industries


Acquirers shall not contract with businesses deemed
prohibited according to the following list nor seek to alter the
industry designation in order to circumvent the policies as set
forth in this section. In addition, Acquirers must not allow
S/Es to submit Transactions that were conducted in prohibited
industries, as defined in this section.
Unless otherwise specified, all restrictions regarding
prohibited industries apply to conventional businesses having
physical buildings and facilities, as well as businesses
operating remotely (i.e., Internet S/Es).
The following are designated as prohibited industries:
• Illegal businesses and activities according to the laws and regulations
governing the S/E
• Check Cashing/Check Guarantee businesses
• Collection Agencies (receivable on Card)
• Credit Restoration Services
• Door-to-door sales (except for national and multinational Accounts)
• Multi-level marketing (including pyramid selling, excludes national
and multinational Accounts)
• Prostitution (including S/Es involved in prostitution such as unlicensed
massage parlors and escort services)

• Internet adult digital content
• Individuals and organizations that the U.S. government identifies as
supporting terrorism and which are listed on the Internet at:
www.treasury.gov/offices/enforcement/ofac/sdn/index.shtml
• Sale of Infringing Products

AEGNS monitors Network activity related to the policies
detailed in this section. Acquirers that do not comply with
these requirements are subject to non-compliance fees. Refer
to Section 2.8.5.2, “Reporting Violations,” on page 121 for
details on reporting violations and applicable
non-compliance fees.
AEGNS may require an Acquirer to terminate Card
acceptance with an S/E that meets any of the prohibited
industry criteria listed above.

2.3.6.1. Prohibited Countries and Regions


The following jurisdictions, among others, are currently subject
to comprehensive or highly restrictive sanctions programs
administered by OFAC. As a result, Participants on the AEGN
are prohibited from engaging in any American Express-related
business with individuals or entities residing or located in, or
incorporated under the laws of any of the following:
• The Crimean Region of Ukraine (including Sevastopol)
• Iran
• Democratic People's Republic of Korea (North Korea)
• Sudan
• Syria

Additionally, Participants are prohibited from engaging in any
American Express-related business with any Cardmember,
S/E, or other customer that is owned or controlled by the
government of a prohibited country, including agencies and
subdivisions and any entity owned, controlled by or acting on
behalf of such governments (whether or not physically located
in these countries, such as embassies and state-owned
businesses).
If a Participant becomes aware that an Authorization Request
has originated in one (1) of the Prohibited Countries and
Regions, or by a government or related entity of one (1) of
the Prohibited Countries and Regions, the Participant must
immediately notify AEGNS.

2.3. Requirements for Conducting Merchant Acquiring Business
This section provides policies and rules specific to Acquirers.
Each Acquirer is required to (i) purchase all Charges made by
Cardmembers on any Card and submitted to such Acquirer by its S/Es, and
(ii) pay for the same in accordance with the schedule of payments set
forth in its S/E agreements with such S/Es. Charges incurred by
Cardmembers must be submitted to Clearing Centers at the times and
in the formats designated by AEGNS. Acquirers shall allow Charges to
be submitted by S/Es, and shall pay for Charges submitted by such
S/Es, only in the Authorized Currency.
Each Acquirer must be a party to all of its S/E agreements. The
authority to act as an Acquirer and be the named contractual party on
the relevant agreement cannot be transferred, outsourced or delegated.
Acquirers must ensure that all agreements, disclosures,
communications, and solicitations comply with applicable laws and
regulations and this AEGNS manual, including, without limitation,
Section 2.8.3.3, “Compliant S/E Agreement Design,” on page 109.
Subject to this AEGNS manual and the Issuer's and Acquirer's
rights to be reimbursed pursuant to the Chargeback policy, each
Acquirer alone bears all financial risk (for example, fraud risk)
arising from or associated with its Merchant Acquiring Business.
Acquirers shall provide each of their S/Es with adequate operating
materials and equipment (including the means to obtain Authorizations
for Charges in the most expeditious manner), instructions on the
procedures for honoring Cards and processing record of charge forms,
and details as to the Acquirer's different payment options. Acquirers
shall ensure that all S/Es display at least one (1) decal denoting
acceptance of American Express® Cards on parity terms with all other
general purpose card networks.
In carrying out its S/E acquisition and servicing duties, an Acquirer may
require an S/E to own a bank account in the Territory but shall not
require existing or prospective S/Es to establish a banking relationship
with such Acquirer or any other specific banking institution, or to service
S/Es that have not established such a banking relationship differently in
any way from those that have.
Acquirers must follow the neutrality principles listed in “Exhibit 19.
Neutrality Principles for Conducting Merchant Acquiring Business” on
page 589 with regard to the manner in which S/E offers, promotions
and network capabilities will be made available to Issuers and their
Cardmembers.

2.8.3.5.1. Sponsored Merchant Reporting Requirements


AEGNS may request information about Sponsored
Merchants operating through a Payment Aggregator
registered on the Network. Such requests may include
the data elements listed in Table 2-111. Acquirers must
provide the data to AEGNS within thirty (30) days, or as
otherwise specified, of such request. Detailed reporting
and submission instructions will be included in the AEGNS
request.
