10 minute read
Due Diligence
Before you can operate in the payments space with Marqeta, Marqeta must collect information about your business to assess your company’s practices and overall health in a process known as due diligence. The due diligence process gives Marqeta context about your company and your program, including legal documents (e.g. articles of incorporation), financial statements, and policies/procedures (e.g. information security policy).
Marqeta facilitates the necessary research and approvals, then communicates directly with the issuing bank, card network, and any other regulatory bodies as appropriate. Depending on your engagement, there are differences in the required documentation.
Step 1 — Pre-screen questionnaire
Copy section link
The optional pre-screen questionnaire helps Marqeta know more about your company. The questionnaire focuses on the following aspects of your business:
-
Business contact information, standing, legal entity
-
Compliance and licensing information
If you are a privately owned company (i.e., not traded publicly), you must also provide:
-
Controlling officer information
-
Principal ownership information
-
Banking information, if Marqeta is the Program Manager
For businesses identified as higher risk, additional documentation may be requested as part of the pre-screening process.
Step 2 — Bank and card network approval
Copy section link
In this step, you submit documents to Marqeta so that the issuing bank and card network can review and approve your request to work with them. It is important to submit the requested documents quickly.
-
If Marqeta is the Program Manager, Marqeta will begin coordinating and receiving bank and card network approval as soon as you provide a complete due diligence package.
-
If you have a Processor Only or Processor Plus (Beta) engagement with Marqeta, Marqeta will perform due diligence before moving forward in the process. You will need to communicate with the issuing bank and card network as well coordinating with other vendors, if applicable.
Marqeta provides you with sandbox credentials when the bank and card network approval stage has been successfully completed.
Below are the documents and information you must provide as part of this step.
| Due Diligence Requirement | Description |
|---|---|
Articles of Incorporation* |
For US locations, the articles of incorporation show when your company was founded, along with basic information about the business. You can retrieve these documents by contacting the office that handles business registration in your state (typically the Secretary of State). For businesses based in Canada, you may provide a Certificate of Incorporation instead. |
Two years financial statements (audited preferred)* |
Your financial statements help Marqeta establish confidence that you can fund transactions and will be accountable for the payments Marqeta processes. Marqeta requests audited financial statements to confirm that they are accurate and certified. |
Business continuity/disaster recovery policy |
Since you provide the interfaces to your customers (e.g. the end-user application and customer support), your card program becomes unavailable when your systems are down. These policies help Marqeta better understand your operations, in the event that your systems become unavailable. Examples of what Marqeta might need to know include:
If you are using Cardholder Support Services from Marqeta, the disaster recovery policy will be a Marqeta responsibility. |
Data security policy |
These policies help Marqeta confirm that your customers’ data is maintained securely. Inappropriate data access (i.e., a breach) can impact Marqeta and the issuing bank. Examples of what Marqeta might need to know include:
|
Proof of insurance |
Marqeta requires documentation of your liability, cyber, and/or errors and omissions coverage, as specified in the Master Service Agreement (MSA). |
Third-party service providers |
Provide a list of any third-party service providers involved in any part of your card program including customer support, website/mobile app development and management, and network/technical support. If these service providers have access to sensitive card or customer personal identification information, Marqeta may need to review their business to ensure they have the proper security controls in place to protect that information. |
Pending litigation |
If you are engaged in any pending litigation or other regulatory action that could have a material impact on your business, you must provide a summary of the action, including the possible business impacts. |
Policy documents |
If Marqeta is the Program Manager, you need to provide the below policies for review:
|
Additional information |
Marqeta may have follow-up questions, based on what you provide, and request additional information. |
*Not required for publicly traded companies or federally regulated financial institutions.
Step 3 — Documentation verification
Copy section link
A certified environment is part of the path toward production readiness. To certify your environment, Marqeta will review the information provided in previous steps, including:
-
Information security checklist
-
Business continuity/disaster recovery addendum
Additionally, if Marqeta is the Program Manager, you must also provide the latest PCI DSS AOC.