Doug Sandberg – FirstView Financial
If you’ve watched even an hour of television in the last decade, you’re probably familiar with the formula for pharmaceutical ads: 10 seconds to tell you how great the drug is; another 40 to run through the side effects; and 10 more to say you might be eligible for subsidized coverage.
According to Doug Sandberg, general counsel for FirstView Financial, that last part is about to experience a massive shift—one that could result in huge savings for millions of patients with hard-to-treat conditions.
“What we’re doing is helping pharmaceutical companies come up with better ways for patients to pay for drugs—and receive benefits,” Sandberg says. “So for example, instead of checks or coupons, which are how companies traditionally gave out rebates, people will have virtual or physical prepaid cards that they can use at pharmacies to obtain expensive specialized medication.”
Pushing out the paper
Based in Atlanta, FirstView specializes in software-based payment technology solutions that make it easier for customers—mostly pharmaceutical companies—to send and receive payments.
In the past, patients eligible for discounted prescriptions would have to request a paper rebate or check. Now, thanks to FirstView’s technology, those customers can use a prepaid card to pay for their drugs—often at a discount. The goal, Sandberg says, is to reduce the costs and facilitate patient acceptance and adherence to otherwise expensive specialty medications—and provide a seamless and auditable financial platform to accommodate those transactions.
But while the technology has helped create more seamless access, the compliance demands faced by Sandberg and his team are anything but simple.
“The payment card industry is a whole different animal when it comes to compliance requirements,” Sandberg says. “You’re talking about a lot of cardholder data that needs to be protected.”
A high bar
The Payment Card Industry Data Security Standard (PCI DSS) represents one of the company’s highest compliance hurdles. Created in 2004, the standard was designed by the nation’s leading card brands (VISA, MasterCard, American Express and Discover) to prevent fraud by putting the onus of protecting cardholder data on the organizations handling the transactions (processors like FirstView, third-party service providers and merchants who take payments).
To that end, in addition to performing ongoing self-assessments, the company must submit to annual PCI audits in order to validate its compliance with PCI DSS. Sandberg works closely with his technology team and qualified security assessors to demonstrate that the company is in compliance with PCI-mandated safeguards: appropriate firewalls, encrypted data, limited access to data, physical security, and so on.
“We provide system access to our customers—pharma and their service providers—through our ProXe360© Portal so that they can manage their programs,” Sandberg explains. “However, all of the critical cardholder data resides on our system. The idea is to give our customers an easy way to access data, but that data lives with us. We handle the PCI compliance so our customers don’t have to.”
Health care isn’t the only industry where FirstView’s tools are being used, however. With the rise of cryptocurrencies like Bitcoin, the company has customers in the alternative financial services sector, and issues prepaid cards to customers of cryptocurrency conversion companies. In the U.S., once the currency is converted to U.S. Dollars, funds can be loaded onto cards issued by FirstView and sponsored by their customers.
Here, as with other alternative financial or general purpose reloadable (GPR) card products—like payroll cards, for example—Sandberg and his team are focusing on the know-your-customer (KYC) and anti-money-laundering (AML) components of the 2001 USA Patriot Act, which—among other things—sought to deter organizations from doing business with terrorists, money launderers and specially designated nationals (SDN) identified by the Office of Foreign Assets Control (OFAC).
As part of the effort, all of FirstView’s GPR cardholders are checked against both an identity verification platform and OFAC screening to validate two things: they are who they say they are; and they don’t show up on OFAC’s list of SDN (with whom U.S. citizens and companies are prohibited from doing business).
“Because it’s decentralized, Bitcoin has become an attractive vehicle for nefarious actors looking to funnel money around the world,” Sandberg says. “As we grow that part of the business, it’s imperative that we continue to pay close attention to who our cardholders are.”
Down the pike
With the issue of data privacy looming larger by the day, propelled by headlines about hacks and breaches, Sandberg says the department is scrutinizing new and emerging laws—both in the U.S. and around the world.
In the wake of the European Union’s General Data Protection Regulation (GDPR), which lays out sweeping rules for how organizations send and receive information belonging to EU citizens, FirstView has kept a close eye on privacy legislation on the horizon within the U.S.—like in California, which recently adopted a GDPR-like privacy statute.
More broadly, as part of the American Transaction Processors Coalition (ATPC), an organization representing more than 70 companies in the financial services sector, Sandberg and his team are able to keep abreast of prospective legislation—federal, state and otherwise.
“Between the ATPC and a team of trusted outside firms, we feel we have a really good handle on where the shifts are happening with respect to data privacy, and that’s a testament to both the ATPC and our amazing outside counsel,” Sandberg says. “The rules are only going to get more stringent, so we have to be ready to meet them.”
Part of the solution
Where others see a thicket of paperwork and process reviews, Sandberg has come to view the country’s growing emphasis on data privacy as a potential boon—rather than a burden—to FirstView’s business model.
The goal, he says, is for the company to be “so embedded as a financial platform within these industry ecosystems,” that working closely with FirstView will be a critical step in meeting more robust data privacy standards.
“We need to be in the business of compliance and technology solutions,” Sandberg states. “At the end of the day, pharmaceutical companies need to be paid for their products, and patients need an easy way to pay for their medications. If we can do it in a way that’s both compliant and helps drive costs down, that’s a win for everyone.”