Compliance 101 for online marketplaces

February 13, 2023

Last week, a startup marketplace was shut down by Stripe due to non-compliance. Marketplace founders know – the weight of compliance, anti-money laundering laws and KYC rules weighs heavier on marketplace founders than on anyone else.

Just like many others in the startup scene, I was shocked to see a marketplace startup called Flurly get taken down by card networks. In case you missed the news, here's a quick rundown.

Flurly is a digital download storefront, very similar to what Gumroad is offering at roughly 10x the fees. Users can sign up, create their storefront, upload content they want to sell and get started. These marketplaces hide a lot of the complexities of selling online and at times even act as the "Merchant of Record" (MoR) that stays liable for all taxes, fees – and risks.

As a result, MoR marketplaces invest heavily in moderation, safety and security and will regularly check up on their users to make sure all content that gets sold is legal. That's valuable, but also risky and expensive.

Flurly was, intentionally or not, acting as MoR for a range of their oldest users (those who joined before the move to Stripe Connect, a marketplace infrastructure that can shift the burden of being MoR back to each individual seller).

To the great despair of Flurly, one of those oldest users seems to have sold something – or used the system in a way – that's not allowed by credit card providers. They have found said case, shut the account down and have asked for a big fine.

How could this have been prevented? It turns out, running a marketplace comes with higher legal complexity than SaaS or service businesses. As a facilitator, you have to follow anti-money laundering laws (AML) and perform KYC verification on all suppliers.

Disclaimer: None of the content in this post is legal advice. If you are planning to run a marketplace, get a consult with a lawyer and your payment provider. Don't leave things to chance!

My experience with compliance

You might be wondering – why am I speaking on this issue? As a founder of an online mentorship marketplace, I have had more touchpoints with AML and KYC than I'd have preferred when I first built the marketplace as a side project.

At its core, it sounds so simple: You collect payments on one side, and pay them out on the other side. That's exactly what I thought. I could just collect payments in PayPal, calculate our splits and use PayPal Mass Pay to spit it out on the other side, maybe once per month. Right?

Wrong. On the day of launch, PayPal informed me that without a clear paper trail on who I am paying, why I'm paying them and where the money goes, there'd be no chance. I did not receive access to Mass Pay on account of it being a high-risk use case. I'd have to perform KYC on all recipients. Way too much work for a side project.

Stripe: Enabling marketplaces, if done right

It was around that time when Stripe launched their Connect product. You could run a marketplace (called "platform") account and connect other Stripe Connect accounts to it. If you wanted, you could also create new Stripe accounts for users on the fly. Stripe would take care of KYC and other necessary ongoing verification for you.

Additionally, all payments went through the Stripe network, from credit card payment to a seller's bank payout. This means that Stripe has a paper trail of all payments at all times. Even if a card network, tax office or bank were to inquire about a certain payment – there are receipts, invoices and log data to back things up.

Not using the whole Stripe Connect ecosystem means some parts of this lifecycle are opaque, which seems to have been Flurly's downfall in the end.

Compliance when using multiple payment providers

Unfortunately, I had to learn a second painful lesson about compliance when building MentorCruise – how to stay compliant when changing providers. You see, Stripe's network is large, but it's not infinite. For example, people in Israel or Brazil still don't have access to Stripe at the time of writing. Sellers in India aren't able to connect to foreign Connect platforms either, limiting some of the reach of the platform and its compliance.

Not wanting to limit where we can do business, we tried to get some of the payments out of Stripe and send them to users using Wise or a similar platform. Once again, nope.

It didn't take long for Wise to give us the same treatment as PayPal did just two years back. We weren't able to deliver the necessary receipts and paper trail to prove that our payments were compliant (even though they were!) and Wise banned us for life.

Nowadays, there are other platforms, like Trolley or Borderless, that help you keep that paper trail going and will vet and verify recipients on your behalf.

Preparing to run a compliant marketplace

Payment flows aside, what is needed to run a marketplace that'll live on and stay compliant? Turns out, you'll have to set up some extra flows and documents to stay on the safe side of things.

Extended Terms of Service / Supplier Agreement

Terms of Service are an afterthought for most SaaS businesses. For marketplaces, setting up at least a watertight supplier agreement is key. The agreement defines the relationship between you and your suppliers, including but not limited to:

  • The MoR relationship
  • Payment terms
  • Right to withhold payment
  • Prohibited usage
  • The scope of the relationship
  • The relationship with the buyer
  • Data ownership

Once again, this one differs greatly between marketplaces, countries and legal forms, and it's best to take a look at this with a lawyer of your choice. The supplier agreement is a safety net for you, as a platform, should anything ever go wrong.

In the past, a good supplier agreement has saved me from suppliers asking for payments that weren't theirs (e.g. because they were disputed or refunded), has allowed me to cut ties with suppliers that would've put a risk and strain on the platform and has protected me from inquiring customers that had the wrong expectations.

Moderation Policy & Vetting

Besides that, you should have a good moderation policy that allows you to vet your suppliers and remove suppliers that are risky or counter-productive for your business, and that gives you a good way to cut ties in a productive way.

For example, we have a deep safety, reporting and review structure, where we will take immediate action when a customer feels unsafe or a supplier does not value their agreement. We will also take action if the ratings of a supplier drop below what we deem acceptable.

Due to our policy and mentor agreement, we can take quick actions and also have weekly tasks to make sure our marketplace stays safe and compliant.