Freeing Monthly Donor Hostages: Survey Results
In Can Your Monthly Donors Be Held Hostage? we alerted readers that many organizations attempting to switch CRMs or payment processors—or both—are shocked and surprised when the vendor they want to leave refuses to transfer their monthly donors’ credit card or other payment data to the new vendor. Data hostage-taking!
We ran an Agitator Survey to get a more detailed picture of just what nonprofits are running into.
NOW…the results are in.
Quite frankly, I’m shocked by the number of nonprofits that are negatively affected and the number that have had to take “No!” for an answer. Among those who choose to fight the hostage-takers and their deceptive tactics or simply walk away suffered losses ranging from 50% of their monthly donors to those who kept most of their monthly donors –but only by going through the slow process of running two systems at the same time.
I was equally disturbed by how little some organizations understand about their data contracts and their rights. In fact, there seems to be no ‘best practice’ of who–if anyone– in a nonprofit should be in charge of understanding and monitoring these vendor agreements.
If you care about the retention of monthly your monthly donors you’ll want to read and share the results of this Survey.
Who Responded?
As of this morning 98 organizations have responded. 93 of those organization have an annual income from monthly giving programs ranging from more than $500,000 (14 %) to less than $10,000 (40%) with the remaining 46% posting annual sustainer income ranging from between $10,000 to $100,000 a year. 5 of the 98 respondents currently don’t have monthly giving programs, but are planning to start one in the next year.
Where are monthly donor records and credit card information are stored and maintained?
- 47%–As part of the Constituent Relationship Management (CRM) system [For example, Raisers Edge, Bloomerang, DonorPerfect, Little Green Light, Neon, ROI Solutions, Luminate, Team Approach or similar systems.]
- 42%–On a separate system maintained by a company that processes our credit cards for monthly giving. [For example, payment processors like Blackbaud Merchant Services, Fairway/Sage/Paya, Payment Solutions Inc., Pay Pal, Vantiv/Worldpay, Authorize.net, First Data, Aring Habits, EFT Corp or similar companies.]
- 11%–On its own system—separate from either the CRM or payment processing company.
So far, pretty straight forward. But here’s where the story gets interesting –and somewhat scary.
What are your rights? Who’s in charge?
When asked, “Does your organization contract with the CRM or Payment Processor specifically permit you to transfer/move your records to another system(s) at any time you choose to do so?” there’s a frightening/dangerous absence of knowledge.
- Only 25% of the respondents knew specifically whether transfer was permitted. ( 14% ‘yes’; 11.2% ‘No’)
- A whopping 36% were “Not Sure”.
- A total of 18% had never read the agreements with either their CRM or payment processor.
- 7%reported “I don’t deal with the issue. And only 10% could identify the person/position in their organization responsible for understanding and dealing with this issue.
A couple of observations on this question. Because so many payment processing and CRM contracts are quite detailed and sometimes obtuse we suspect that many of the “No”s to the transfer question were probably based more on the specific absence of clear information. I’ve never seen an actual contract that says, “WE WILL (or WILL NOT) PERMIT THE MOVE/TRANSFER OF RECORDS TO AN OTHER SYSTEM.”
In short, I think it’s safe to assume that most folks either haven’t carefully read the contracts or, more likely, are simply relying on the information they were given by others in the organization, if they ever asked the transfer question.
What was clear –disturbingly so- is that only 10% of the respondents could identify the person or position in their organization in charge of this issue. The answers in the Survey are seemingly random and range from “office manager” to “bookkeeper” to “database analyst.” Should these folks really be handling such fundamental legal and fundraising issues?
Finally, on the question of transparency, it’s clear neither the CRMs nor the payment processors are apparently shedding any helpful light on this issue. Only 2 of the respondents reported that their vendors clearly explained the transfer issue when the organization signed up for their services.
What to do?
So what do organizations experience when they try to move their credit card and monthly giving records to new CRMs or payment processors? How much resistance and what form does it take?
Here’s the disturbing summary of what organizations encountered and how they finally ‘solved’ the problem with an old vendor reluctant to transfer data to a new vendor:
- 52% of the respondents have never attempted to move their data.
- 5% weren’t sure if their organization had ever tried
- BUT…. 31.2% had tried andmet with resistance from the old vendor.
So…what happens when an organization runs into resistance? How did they solve the problem?
- 4% of the respondents never solved the problem.
- 5% solved it by “persistently badgering the vendor”.
- 1% hired lawyers to solve it.
- 9% solved it only by changing vendors and then individually contacting each donor to ask for their credit card or EFT information and then placing them on a new system.
You don’t have to be a monthly giving genius to know that when you have to contact each donor individually and ask them anew for their payment information and commitment that you’re gonna lose a boatload of donors. Unless…. you make an extraordinary effort.
Here’s the workaround used by one very committed respondent: “Changed vendors, maintained the old vendor to process the old payments and over the course of two years transferred over the donors as their cards expired or as we asked them to increase gifts. Had a higher cost but felt it was worth and lost very few donors this way.
Excuses. Excuses. And More Excuses.
Frankly, the hostage -taking process on the part of some vendors is a lot worse than I thought. I realize that any business is reluctant to lose a client; particularly the easy revenue that comes from payment processing. But still…
While I sure don’t object to vendors being well paid, I sure as hell object when they resort to lies and deceit to protect their pot of gold for as long as they can drag out the process. Shame on them.
Here’s a verbatim sampling of excuses, nonsense and tech-speak bullshit that respondents encountered from some vendors when they requested their monthly giving data be transferred. I’ve taken the liberty of noting why the vendor’s answer is pure nonsense.
- “They claimed “Privacy” and wouldn’t elaborate but that their policy and promise to the people whose credit card information they had prevented them from discussing with us.”[ False.The data belongs to the nonprofit. Nothing prevents the vendor from discussing data issues.]
- “For security reasons and to comply with PCI standards, their system is not designed to give raw credit card details” [First, you should not be dealing with any vendor that is not PCI compliant. Assuming they are compliant, all they have to do is transfer the data to another PCI compliant vendor. They’re lying.]
- They will make the transfer if we indemnify them and pay for the data processing time to transfer the records. Estimated cost: $500,000 [ This is what’s known as “extortion” Shocking, to say the least , and not part of any standard industry practice outside of organized crime.]
- “For reasons of PCI compliance they could not release the credit card information to us or our new vendor.” [PCI compliant data should not be released to the nonprofit, but can and should be transferred an another PCI compliant vendor.
- “When we switched from[name withheld—(for now])to another online provider, they gave us a ton of run-around and made the process extremely difficult. It took hours of staff time and resources to migrate the data”. [ This is a pathetic practice that losing CRM vendors employ to punish clients who leave, while dragging out to process to bring in additional revenue. ]
And I could go on and on. What is clear from the responses is that there are indeed some bad actors out there . Their practices of deceit, delay and denial suck. They deserve to be exposed. We are in the process of compiling information, interviewing CRMs and payment processors and will publish a Guide to Data Hostage-Taking when our research is complete. Hopefully, with that information readers will be able to tell the good/responsive from the unresponsive/bad and deceptive vendors.
If you have any experiences you’d like to share confidentially please email me personally (Roger@theagitator.net) and I’ll be back in touch.
Meanwhile, don’t let the vendor you plan to leave hide behind tech-speak gibberish like “PCI-DSS regulations”…”data privacy”…or other inaccurate or confusing excuses.
Your donor data, belongs to you. The only legitimate concern of the old vendor should be that the place to which they’re moving your data is also a PCI-compliant vendor.
Roger
P.S. For Agtiator readers whose organizations’ data fall under the European Union’s General Data Protection Regulation ( GDRP ) have have the absolute right to control its own donor data. But remember, as Ilja De Coster, Fundraising Data Strategist at DonorVoice note, the GDPR is only a tool for protection. And that protection only counts when the nonprofit claims its rights.
Roger, thanks for shedding light on this subject! What is going on in the murky back rooms of some payment processing firms is dreadful.
Don’t forget about the past situations where payment funds were mixed with other funds before being paid out. Thankfully, PCI compliance has addressed those.
It will change, just like phone numbers that used to be kept hostage by certain phone companies…
Keep digging partner!
Roger, you are truly living up to the name of your blog — The Agitator. Kudos to you for agitating about this outrageous practice. We have had more than a few our new Engaging Networks clients — fresh from choosing us as their next online fundraising platform — encounter resistance and obfuscation when they asked their payment gateway to help them migrate their recurring donor data over to one of the 13 payment gateways that Engaging Networks supports. Admittedly the process can be complicated, but it is made more arduous (and it’s a nasty surprise) when the payment gateway refuses to assist the nonprofit. The advice in your piece seems pretty good, especially the suggestion that nonprofits should insist on clear language, up front in their contract with the payment gateway, explicitly confirming that the nonprofit (not the gateway) owns the donor payment data, and the gateway must assist (at a reasonable cost “not to exceed $X”) the organization to migrate their recurring donor tokens whenever the organization wishes to depart. As for “complying with PCI rules,” that is required, but not so difficult, and certainly not a reasonable excuse for a payment processor to refuse to help a departing customer to depart. Keep up the good work!
I don’t think the subject of data transfer with payment processors came up when our organization decided to change systems but we did experience the hostage taking of our data which has resulted in substantial income loss regarding our Sustainer program. Finger pointing, blame and pure astonishment that this could happen. The result: having to reach out to the donors for their information. We are still dealing with reconstructing our program-substantial loss of income.
Roger, I love love love that you are tackling this! When I started focusing on product functionality to optimize payment processing for sustainer giving 8 years ago, I truly didn’t believe I’d see a day when a nonprofit would be successful in getting their card data transferred. But, now we’ve got organizations doing it on a regular basis when they migrate to a new set of tools.
In addition to helping folks understand that it’s possible, I hope you’ll provide some guidance on things to do to help increase retention rate after a move!!
Roger, thanks so much for tackling this! The donor data hostage taking really is outrageous. At WETA, we *eventually* got our cc tokens out of our old eCRM and payment processor and into Engaging Networks and Vantiv. However, the process literally took a couple years and didn’t happen until we made legal threats. It was extremely painful.
I have been through this issue with two different nonprofits, with similar frustration.
But unless I understand incorrectly, I think you shortchanged the PCI Compliance issue a little too much.
My understanding is that PCI Compliance really is core to this issue. For security & PCI complaince, many payment processors DON’T ACTUALLY STORE CREDIT CARD NUMBERS (or bank accounts). Instead, they store a long, “salted” hash that simply communicates an authorization for a charge.
This hash can’t be transferred (or stolen), because it breaks the authorization process. They literally don’t have the credit card numbers to transfer.
But like I said, I could be wrong about that.
Dan,
PCI compliance is a complex and sometimes ambiguous issue. What is NOT ambiguous is that the credit card companies (the actual ‘owners’ of the data) support the transfer of data between PCI Compliant processors. And generally, that’s the way the process works in most cases.
So far, in my reporting, the resistance and foot-dragging –masked in tech-speak gibberish invoking PCI–is usually aimed at protecting the incumbent vendor’s revenue stream.
When we prepare the “Guide” we’ll cover all this in more detail.
Roger
Thanks for the clarification, Roger!
Thank you for exposing the dark underbelly of these processing firms and alerting non-profits to this often unforeseen pitfall of conversion. The greatest tragedy is how the loss of revenue will impact the people who rely on the charities and advocacy groups that are being taken advantage of by these firms. Onward!
I heartily second and third the other thank yous! We only just recently went through this process, and it only involved about a fifth of our Sustainers (our online donors, not those stored in house – I was one of the respondents), and it made me dread the day when we want to leave our current internal CRM. This piece already makes me feel better about asserting our data rights and less reluctant to consider switching to a newer, better, cheaper CRM. Can’t wait for the guide! Also, I’m happy to name names. >:-(
Roger; Thanks for the update. I answered the survey and it was incredibly timely as we’re going through this process right now and were told by our existing vendor that they couldn’t provide our data to our new processor because of PCI issues. We knew that was hooey. (Two PCI compliant vendors should be able to figure this out!!!)
We’re very persistent people and knew it was imperative that we make this work.
Since the survey, we’ve connected attorneys at our org and our current processor, and are working out a way to make this happen.
Things to know to make this process easier:
*Make sure your contract with your processor specifies what will happen in the event that you want your data.
*Also make sure the contract specifies the fees for such a transfer.
*Make sure your privacy policies account for how you handle this type of data.
With nearly $400k in Sustainer charge revenue per month (57% of our Sustainers are on EFT!!!), not getting our data was NOT an option.
Don’t take “no” for an answer!
Thanks you Roger, I can’t tell you how mad this makes me. The vendors are cheating charities and their donors. While you might not be able to post a list of those that are the bad actors, (though I’d love that, your lawyers might not).
But, perhaps a list of vendors who make it easy would be helpful to your readers. Thanks again for this stellar work.
Harvey,
Believe me you’re not alone with your anger. Although, you more than most understand the enormous consequences.
Lots of caring folks like you have sent us info that’s both scary in its specific description of despicable practices
We’re drawing up lists, we will name names; more importantly we’ll make recommendations for dealing with the slime balls.
This will take time, but our legal team ain’t worried. Truth is a defense.
Patiently stay tuned.
Roger
Anne,
And thank you for illustrating the problem. And for your persistence in seeing this through.
I hope you will feel free to confidentially share addition details as we dig into this. You can contact me at roger@theagitator.net
Here’s to sunlight and exposure.
Roger
Roger;
I’ll email you once we have a better idea of how this all ends up.
Anne