Saturday, October 9, 2021

Embargoed by MasterCard/Visa, kratom vendors turn to crypto and eChecks


I spend a fair amount of time tracking real-world use cases for cryptocurrencies. I'm not talking about silly speculation, or millionaire crypto hobbyists using their bitcoins to buy Teslas, or illegal dark web markets that use Monero for payments. I'm talking about actual licit businesses that have turned to cryptocurrency payments -- not because they particularly care about crypto -- but because they need to.

To date, the retail kratom industry is one of the best examples I've been able to find of broad non-speculative licit cryptocurrency adoption. Kratom is a plant that grows in southeast Asia. The kratom leaf can be ground into a green powder that, when ingested, acts as a stimulant. In the U.S., online kratom stores are ubiquitous.

I'm not going to get into whether kratom is dangerous or has medicinal value, or whether it should be legal or not. (For that sort of discussion, I'd suggest visiting the FDA, WebMD, or the Mayo Clinic.) The main point I want to make in this post is that kratom is legal in the US (although several states have banned it).

Although kratom is legal, MasterCard and Visa have decided to prohibit kratom sales from their networks. This poses big problems for online kratom shops. Because the card networks dominate online payments, exile by these oligopolies causes serious financial damage to the unfortunate targets. To survive, the kratom industry has been forced to turn to backup payments systems.

MasterCard's Business Risk Assessment and Monitoring (BRAM) policy, for instance, lists a number of impermissible activities:

Source: Netpay

Most of the prohibited transactions listed by MasterCard are illegal, such as the sale of child pornography. But some are legal, including the sale of "certain types of drugs or chemicals." MasterCard specifically mentions salvia divinorum, a legal drug that has hallucinogenic properties. Although it isn't listed as an example, kratom is usually considered to fall into the same category as salvia.

Acquirers, the financial institutions that connect businesses to the card networks, face large penalties if Visa or MasterCard catch them facilitating prohibited card transactions. To reduce this risk, acquirers will often hire what are called Merchant Monitoring Service Providers, or MMSPs, to scan through retailer data and spot anything that looks dangerous. MMSPs such as LegitScripts are very aggressive about rooting out kratom sales.

Despite the card networks disallowing kratom sales, many of the 20 or so sites that I scanned through still offer card payments. According to my research, kratom sites have a number of ways of securing card availability, one of which is called transactions laundering. That is, a kratom site camouflages its prohibited product sales by routing them through a front store that sells legitimate goods. Eventually these prohibited transactions get caught by the card network or the acquirer, and the site's card network access is revoked. It then has to scramble to build another front.

One commenter on Reddit describes kratom transaction laundering thusly:

"...we can do manual credit cards (as I can) over the phone because we use standard processors that don’t know it’s kratom. We do this by creating Dba’s that have fake web presences selling other products and they don’t find out it’s kratom for a while. Usually we can get a processor to work for 3-12 months before it gets shut down."
(Note: Dba refers to "Doing Business As". A DBA is a business pseudonym or a “fictitious name filing.”)

Another route that kratom sites take to get access to the card networks is to use an overseas aggregator. Kratom Crazy, a website that has since closed for business, describes how and why:

"International is the only way to go because card schemes are less aggressive on banks in international communities. This doesn’t mean they can’t be fined or shut down – oh because they can and still do. No aggregate account we have ever seen has lasted over 6 months before being shut down. The major downside is these accounts are usually 9% fees and up plus 10% rolling reserve over 6 months. So the merchant takes 19%+ off the top immediately plus they have to wait for 2-3 weeks before seeing the first days processing payout. Its a bad deal all around and a massive risk for losing money. In addition, when these accounts get shut down, there is usually no payout to the merchants."
So the upshot is that the sort of card network access that many kratom sites have managed to secure is unreliable and spotty. Indeed, many sites don't accept cards at all, including (at the time of writing) OG Botanicals, Canada Kratom Express, Krypto Kratum, and Rhizohm. Rhizohm's payments page goes to some pains to explain how it would rather be honest than lie to get card access:

Source: rhizOhm


Which gets us to cryptocurrency. Almost all of the kratom sites, including those that haven't been able to sneak themselves into the card networks, accept cryptocurrencies including Bitcoin, Ethereum, Litecoin, XRP, Stellar Lumens, or some other one. Third-party crypto processors like CoinPayments or Coinbase Commerce are typically used for payments processing.

When they accept cards, kratom sites often offer discounts for cryptocurrency payments. For instance, Happy Hippo's checkout page offers a 20% discount:

It's easy to understand why kratom sites would offer such discounts. It's expensive to use overseas aggregators for card payments. By steering a customer to Bitcoin or Ethereum, a kratom vendor saves itself the pain of a 10-15% card processing fee.

But cryptocurrency isn't the only payments option that kratom sites fall back on. Even more popular than crypto is eChecks, a traditional "fiat" form of payment that gets processed via an automated clearing house, or ACH. A kratom buyer inputs their bank routing and account numbers into the payments page, the payment then gets routed to the ACH network and, once cleared & settled, the funds arrive in the kratom merchant's bank account.

In the same way that a business must work with a card acquirer to get access to Visa or MasterCard payments, they must work with an eCheck acquirer in order to accept eCheck payments. But onboarding standards seems to be much looser with eCheck acquirers than card acquirers. For instance, in the screen shot below an eCheck acquirer is actively soliciting all sorts of high-risk industries, including not only kratom but also CBD oil and MLM-based businesses.  

Many kratom sites also accept a bespoke payments method called GreenBean Pay. Users open an account with GreanBean Pay and submit their banking account information. The service then uses Plaid -- a piece of financial plumbing that allows apps to hook into banks -- to link to the buyer's bank account and process the kratom payment.

Lastly, a bunch of kratom sites accept person-to-person payments options such as Cash App, Venmo, Zelle, and Interac eTransfer. (This probably goes against these services' terms of service, which generally limit usage to person-to-person payments).

While these backup options have become vital for connecting kratom retailers to the public, they are not really a great substitute for a card network connection. Cryptocurrency is clunky, awkward, and risky. eCheck is slow. By not offering the convenience of card payments, kratom sites lose out on a steady stream of would-be buyers. And this is evident by how desperate they are to find hacks that get them back into the Visa and MasterCard walled gardens.

In closing, I want to touch on something I mentioned in my previous post on MasterCard and porn. A big reason that card networks refuse to process legal transactions for things like kratom (or, similarly, for salvia divinorum, which I wrote about here) is they don't want to damage their brand. These substances may be permitted by law but they are controversial, and so the networks refuse to touch them.

All businesses have the right to protect their brands. But the card networks are oligopolies, and thus necessary for online survival. And so in my view the card networks should be required to forfeit their right to protect their brands. That is, Visa and MasterCard (insofar as they retain their oligopolistic powers) should not be be allowed to police vendors for what they deem to be controversial but legal products.

Which is not to say that I'm a champion of kratom. I'm only suggesting that the appropriate way to control such a product is not by card network bans, but by the Drug Enforcement Agency declaring it to be a scheduled drug.

The good news is that these sorts of situations are very rare. The card companies allow almost every legal transaction under the sun on to their networks, save a few outliers like kratum. This means that the population of licit businesses that need to use a back-up system like cryptocurrency payments (or echecks) is not very big. But examples like this still warrant our attention. Even if we don't particularly care about kratom, one day a product that we regularly consume could get censored by Visa or MasterCard.

Tuesday, October 5, 2021

MasterCard as censor


Governments have incredible powers to dictate what people buy online.

By virtue of being oligopolies, the two payments networks -- MasterCard and Visa -- exercise the same powers as governments do. If MasterCard bars your business from its network, you effectively don't exist.  

We may not agree with how governments set rules about what things we can buy, but at least there is a somewhat transparent and democratic process -- however flawed -- behind the government's decisions. Visa and MasterCard's rulings, on the other hand, are opaque and driven by card executives, not voters. It is important to monitor these networks to see how they are exercising their powers of online censorship.

In this spirit, here are some thoughts on MasterCard's new rule change, AN 5196, which governs websites that provide adult content. Now, it could be that you don't particularly care about porn. But even then, it's worthwhile to pick through the rule change to see how the scope of online commerce is about to be narrowed. As I wrote in my recent article for the Sound Money Project, the sex industry exists at the edge of the payments universe and thus serves as a useful barometer for the general state of payments inclusion.

Issued earlier this year, AN 5196, or Revised Standards for New Specialty Merchant Registration Requirements for Adult Content Merchants, requires adult sites to obtain consent from all models who are depicted in a video or image. Sites must also verify the identity and age of all models. These systems must be in place by October 15, 2021. It is the job of acquirers, those companies that connect adult sites to the MasterCard network, to ensure that rules are being followed. Sites that don't comply will be disciplined or banned.

Here is how one site, JustForFans, is implementing the changes:

In addition to collecting information, MasterCard will now require that content be reviewed by sites prior to publication to ensure that it is not illegal and that it does not "otherwise violate the Standards." If the content is a real-time stream, the site must be able monitor it and take it down immediately.

AN 5196 will also require porn sites to provide their acquirer with monthly reports including a list of all content flagged as "potentially illegal or otherwise in violation of the Standards," as well as the actions taken to address these violations.

Although MasterCard's actions are designed to reduce the amount of illegal adult content, it will also result in less legal adult content being available online.

Let's start by going through the justification for MasterCard's censoring of illegal content. This decision isn't entirely up to MasterCard, as I'm going to show.

Many nations have laws that prohibit various types of adult content. Child pornography is universally illegal. Revenge porn, or the posting of pornographic images of a partner without permission, is also prohibited in many jurisdictions, either explicitly via anti-revenge porn laws or through anti-privacy and/or anti-cyberharassment laws. Sex trafficking, which includes cases such as Girls Do Porn, (a company that used fraud and intimidation to recruit non-professionals to pose in porn videos) is also illegal. Obscenity is prohibited in many jurisdictions, too.

Society has generally gone one step further than punishing the people who are responsible for committing crime. To help further reduce crime, we also punish the financial institutions that facilitate these illegal transactions. If a bank knowingly provides services to a child pornography site, for instance, that bank may be held criminally liable for laundering money.

To avoid being punished for accepting the proceeds of crime, financial institutions make an effort to filter out illegal payments, say by implementing customer due diligence, or know-your-customer (KYC), requirements. By demonstrating to law enforcement that they have filters in place, bankers can avoid prosecution for money laundering.

It is courtesy of this filters that financial institutions like MasterCard help project society's laws about content, however imperfect, onto online commerce. MasterCard performs this role of censor because we (i.e. voters and politicians) have delegated it that role.

Which gets us back to AN 5196.

A 2020 exposé by the New York Times revealed that one of the world' biggest porn sites, PornHub, had allowed child sexual abuse material and other non-consensual videos to appear on its site. (I wrote about this event here.) Because card acquirers must ensure that the businesses they connect to the MasterCard network are not selling illegal content, Pornhub should never have been allowed to host this content in the first place.

MasterCard's response was AN 5196. Prior to the Pornhub incident, acquirers were obligated to stop illegal porn from being transacted on the MasterCard network, but they were allowed to devise their own methods for doing so. The new rules impose explicit and uniform procedures across all acquirers. (I've already described what they are above, including collecting identification.)

AN 5196 will almost certainly reduce the amount of illegal content being transacted along the MasterCard network, and thus the amount of illegal content available on the internet. Some illegal content will inevitably flow to alternative adult sites that use cryptocurrencies or eChecks for payments. But without the ease of a card transactions, this content won't attract the same number of eyeballs as before.  

Unfortunately, AN 5196 has a blast radius. It will also reduce the amount of legal adult content available on the internet. Because adult sites will now have to collect the personal data of all people appearing in videos and other images, content makers who worry about being doxxed by insiders at porn site, or who fear losing their data to hackers who compromise sites, will stop providing content. (To be fair, some adult sites were already requiring identification prior to MasterCard's rule change.)

It might be possible to reduce the amount of law-abiding models who self-censor themselves out of fear of losing personal data. But this would require a different, more privacy friendly, approach to managing identity. That's a whole other conversation.

MasterCard's ban will also reduce the amount of legal but risqué/controversial material that is available online. 

You'll notice that AN 5196 requires adult sites to preview all content not only for potentially illegality but also for violations of "the Standards." 

What are MasterCard's standards?

In addition to prohibiting illegal material, MasterCard has long prohibited any transactions that may hurt its brand or "damage the goodwill of the Corporation." It provides a bit more clarity on this in 5.12.7 (2) of its rule book, where it declares the following activities to be in violation of its rules:

"The sale of a product or service, including an image, which is patently offensive and lacks serious artistic value (such as, by way of example and not limitation, images of nonconsensual sexual behavior, sexual exploitation of a minor, nonconsensual mutilation of a person or body part, and bestiality), or any other material that the Corporation deems unacceptable to sell in connection with a Mark."

I'm not entirely sure how MasterCard or its acquirers determine what is "unacceptable" or lacking "serious artistic value." Whatever the case, AN 5196 is likely to lead to an increase in brand-related censorship. The new set of rules requires that adult sites peruse each individual bit of content prior to publication. With sites applying more attention to content than ever before, this increases the likelihood of legal material being removed out of concern over MasterCard's reputation.

In addition, sites must now file monthly reports with their acquirers in which they list all content flagged as illegal or in violation of the Standards. The pressure to demonstrate that they are protecting MasterCard's brand will probably lead adult sites to apply harsher censoring standards than before.

If I may editorialize a bit, all businesses have the right to protect their brands. But MasterCard is an oligopoly, and thus necessary for online survival. And so it should be required to forfeit that right. That is, MasterCard shouldn't be allowed to police content for what it deems to be controversial material that could hurt its reputation. Governments have to provide services to every citizen, even ones who look funny or do strange things. The same should apply to MasterCard. 

So to sum up, the scope of online commerce is about to be narrowed. AN 5196 will reduce the amount of content available online by: 1) reducing illegal adult content; 2) reducing legal adult content being produced by those preferring anonymity, and; 3) reducing legal content that is deemed to be brand-damaging.

As far as I know, this is the first time that a card network has forced a set of content providers to adopt a know-your-customer requirement. For now, MasterCard has limited this requirement to adult sites. But who knows, one day it may require other types of content providers (i.e. social media?) to adopt the same standards as porn. While there may be benefits to this sort of policy, let's not forget the costs.