Current through Bulletin No. 2024-21, November 1, 2024
Section R25-21-3 - Payment Provider Standards

(1) Prerequisite to consideration of a payment provider under this rule, a Utah MRB must provide the Division of Finance and State Treasurer documentation associated with the payment provider in accordance with Subsection 26-61a-603(1).

(2) A payment provider must provide certification signed by an officer of the bank of first deposit acknowledging that the payment provider is facilitating cannabis-related transactions legal under Utah law on behalf of a Utah MRB.

(3) A payment provider must provide certification from the bank of first deposit that data transmitted to the bank is adequate and transparent for the following regulatory requirements:
  (a) Certification as to Know Your Customer compliance pursuant to the Federal USA Patriot Act, Public Law 107-56.
  (b) Certification as to due diligence pursuant to the Federal Department of Treasury, Financial Crimes Enforcement Network (FinCEN) guidance given in FIN-2014-G001, "BSA Expectations Regarding Marijuana-Related Businesses," Issued February 14, 2014; and
  (c) Certification as to compliance with Suspicious Activity Report (SAR) and Currency Transaction Report (CTR) filings pursuant to the Federal Bank Secrecy Act.

(4) A payment provider must provide certification and supporting documentation that Automated Clearing House (ACH) transactions are compliant with National Automated Clearing House Association Rules and Operating Guidelines.

(5) The Payment Card Industry Data Security Standards (PCI-DSS) comprise the security framework the Division of Finance will use to evaluate information security of payment provider solutions. A payment provider must provide PCI-DSS assessments, as applicable, including:
  (a) PA-DSS certification for devices with a signature from a Payment Application Qualified Security Assessor (PA-QSA); and
  (b) PCI-DSS Report on Compliance or Attestation of Compliance with a signature from a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).

(6) A payment provider facilitating cash transfers to a Utah MRB's Bank must:
  (a) certify that the payment provider supplies detailed records of cash transfers to Utah MRBs and their respective banks;
  (b) provide written policies and procedures that demonstrate that the payment provider adequately protects the safety of Utah MRB employees and the payment provider's drivers; and
  (c) certify that the payment provider supplies data sufficient for Suspicious Activity Report for cash transfers to bank of first deposit.

(7) Payment providers that use more than one processor must submit the required documentation and be compliant for all processors the Provider may utilize.

(8) Payment providers must adhere to the standards and rules established by the governing entity for the funds transfer system.

(9) A payment provider will supply documentation, information, data, and a response to a written request for information that the Division of Finance perceives as necessary to ensure compliance.

Utah Admin. Code R25-21-3
Amended by Utah State Bulletin Number 2020-06, effective 3/10/2020
Amended by Utah State Bulletin Number 2020-18, effective 9/7/2020
Amended by Utah State Bulletin Number 2023-05, effective 2/21/2023