November 10, 2020

Due Diligence

Before you can operate in the payments space with Marqeta, Marqeta must collect information about your business to assess your company’s practices and overall health in a process known as due diligence. The due diligence process gives Marqeta context about your company and your program, including legal documents (e.g. articles of incorporation), financial statements, and policies/procedures (e.g. information security policy).

Marqeta facilitates the necessary research and approvals, then communicates directly with the issuing bank, card network, and any other regulatory bodies as appropriate. Depending on your engagement, there are differences in the required documentation.

Step 1 — Pre-screen questionnaire

The optional pre-screen questionnaire helps Marqeta know more about your company. The questionnaire focuses on the following aspects of your business:

  • Business contact information, standing, legal entity

  • Compliance and licensing information

If you are a privately owned company (i.e., not traded publicly), you must also provide:

  • Controlling officer information

  • Principal ownership information

  • Banking information, if Marqeta is the Program Manager

For businesses identified as higher risk, additional documentation may be requested as part of the pre-screening process.

Step 2 — Bank and card network approval

In this step, you submit documents to Marqeta so that the issuing bank and card network can review and approve your request to work with them. It is important to submit the requested documents quickly.

  • If Marqeta is the Program Manager, Marqeta will begin coordinating and receiving bank and card network approval as soon as you provide a complete due diligence package.

  • If you have a Powered engagement with Marqeta, Marqeta will perform due diligence before moving forward in the process. You will need to communicate with the issuing bank and card network, as well as coordinate with other vendors, if applicable.

Marqeta provides you with sandbox credentials when the bank and card network approval stage has been successfully completed.

Below are the documents and information you must provide as part of this step.

Due Diligence Requirement | Description

Articles of Incorporation*

For US locations, the articles of incorporation show when your company was founded, along with basic information about the business. You can retrieve these documents by contacting the office that handles business registration in your state (typically the Secretary of State).

For businesses based in Canada, you may provide a Certificate of Incorporation instead.

Two years of financial statements (audited preferred)*

Your financial statements help Marqeta establish confidence that you can fund transactions and will be accountable for the payments Marqeta processes. Marqeta requests audited financial statements to confirm that they are accurate and certified.

Business continuity/disaster recovery policy

Since you provide the interfaces to your customers (e.g. the end-user application and customer support), your card program becomes unavailable when your systems are down. These policies help Marqeta better understand your operations, in the event that your systems become unavailable.

Examples of what Marqeta might need to know include:

  • If you have documented policies and procedures.

  • If you have redundant data center operations.

  • If you outsource data center operations (and to whom).

  • If you outsource customer-facing functions such as customer support.

If you are using Cardholder Support Services from Marqeta, the disaster recovery policy will be a Marqeta responsibility.

Data security policy

These policies help Marqeta confirm that your customers' data is maintained securely. Inappropriate data access (i.e., a breach) can impact Marqeta and the issuing bank.

Examples of what Marqeta might need to know include:

  • How you protect sensitive information.

  • How you limit access to sensitive information for employees, contractors, and third parties.

  • If you conduct background checks on persons who will have access to sensitive information.

  • The process you follow to revoke access to systems for terminated persons.

Proof of insurance

Marqeta requires documentation of your liability, cyber, and/or errors and omissions coverage, as specified in the Master Service Agreement (MSA).

Third-party service providers

Provide a list of any third-party service providers involved in any part of your card program including customer support, website/mobile app development and management, and network/technical support.

If these service providers have access to sensitive card or customer personal identification information, Marqeta may need to review their business to ensure they have the proper security controls in place to protect that information.

Pending litigation

If you are engaged in any pending litigation or other regulatory action that could have a material impact on your business, you must provide a summary of the action, including the possible business impacts.

Policy documents

If Marqeta is the Program Manager, you need to provide the following policies for review:

  • Anti-Money Laundering (AML) policy and procedures.

  • Customer Identification Program (CIP) / Know Your Customer (KYC) policy and procedures, if applicable.

  • PCI Data Security Standard (DSS) Attestation of Compliance (AOC), if applicable.

  • Fraud prevention policy.

  • Business continuity/disaster recovery policy.

  • Anti-human trafficking policy.

  • Region-specific policies, such as the Personal Information Protection and Electronic Documents Act (PIPEDA).

Additional information

Marqeta may have follow-up questions, based on what you provide, and request additional information.

*Not required for publicly traded companies or federally regulated financial institutions.

Step 3 — Documentation verification

A certified environment is part of the path toward production readiness. To certify your environment, Marqeta will review the information provided in previous steps, including:

  • Information security checklist

  • Business continuity/disaster recovery addendum

Additionally, if Marqeta is the Program Manager, you must also provide the latest PCI DSS AOC.

At this point, you have completed due diligence, your integration is certified, and you are ready to complete business readiness by setting up your program funding account.
