If this is a push subscription then the Merge Agent process account used to make connections to the Publisher and Distributor must be db_owner in the distribution database, be a member of the PAL, a login associated with a user in the publication database, and have read permissions on the snapshot share.
If this is a pull subscription then the Merge Agent process account used to make connections to the Subscriber must be db_owner in the subscription database. The account used to connect to the Publisher and Distributor must be a member of the PAL, a login associated with a user in the publication and distribution databases, and have read permissions on the snapshot share.
This is all covered in the section Permissions That Are Required by Agents in Replication Agent Security Model.