Merchant Risk Management: Acquirer’s Perspective
Timely onboarding of merchants is one of the core concerns for any merchant acquiring institution. The Now Economy is booming and the rate of change is accelerating, making agility and adaptability critical for every business wishing to prosper. But how can an acquiring institution successfully onboard a merchant while accounting for its responsibilities in terms of risk management? Unfortunately, there is no silver bullet that will streamline the processes and ensure robust merchant risk management for acquirers.
Merchant risk management is a complex exercise which should be applied on a case-by-case basis. It should look at the intricacies of each merchant and provide the optimal decision in line with a general pre-established risk management framework. Below, we discuss considerations that are essential to crafting a framework for merchant risk management for acquirers. We also provide some practical tips that will help merchant acquirers to understand the risk evaluation process and account for the shortcomings that can be exploited.
Primary risks posed by merchants
Merchant acquiring can only be profitable with adequate risk management controls that are implemented by the acquirer. To understand how to mitigate the risks to which institutions are exposed, it is essential to identify the primary risks that may arise whilst processing transactions for merchants. Below we will outline and discuss each risk in more detail. Notably, this article looks at the risks from the macro-perspective and provides only a brief overview of such specifics as transaction laundering, merchant-cardholder complicity, etc. Stay tuned for other articles that will outline them in detail.
Strategic risk is the risk that incorrect decisions within the management framework may have a negative impact on the acquirer’s overall business health. It primarily refers to the lines of business that the acquirer is willing to process on an ongoing basis. The acquirer’s senior management must decide whether merchant processing activities are consistent with the company’s overall business plan, strategic direction, and risk appetite. If the capital base is limited in relation to existing or projected sales volume, the acquirer may lack the financial capacity to support the level of risk. Therefore, its primary considerations should concern the industries and strategic direction that the acquirer is planning to take. Strategic considerations include:
- The current business environment to determine whether the line of business can be managed safely and profitably;
- The need for a highly specialised and reliable infrastructure;
- The potential impact of the activity on earnings and capital;
- The liability for fraud and chargeback losses and for card association fines;
- The need for a strong merchant management program;
- The risk and reward analysis of whether the acquirer can generate adequate sales without taking unacceptable risks.
Merchants typically collect advance payments for supplying products and services based on certain warranties (product will be delivered, service will be provided, product will achieve a certain goal, etc.). Hence, although processing card transactions is technically not an extension of credit, acquirers are relying on the creditworthiness of the merchant.
Credit risk arises as a consequence of chargebacks, which can occur up to 120 days from the day of acquiring the transaction. They can pose a substantial risk in terms of credit exposure where the merchant becomes bankrupt or is unable to pay for any other reason. As the institution which facilitated the merchant’s acceptance of payments, the acquirer remains ultimately responsible for the chargebacks.
Acquirers have often been forced to cover large chargebacks when merchants have gone bankrupt or committed fraud. In many of these cases, the merchant engaged in deceptive or misleading practices. The contingent liability can span several months of the merchant’s sales volume because of the cardholder’s rights to dispute the charge and start the chargeback process. Moreover, high volumes of chargebacks may result in large fines imposed on acquirers by the card associations. Normally, these can be passed down to the merchant; however, where the merchant is unable to pay, they will fall onto the acquirer.
International Card Associations fines
BRAM is MasterCard’s Business Risk Assessment and Mitigation program, which restricts merchants that pose significant fraud, regulatory, or legal risk, by barring them from using the MasterCard system. Visa has a similar program called the Global Brand Protection Program that is also aimed at providing consistency while strengthening the prevention, monitoring and enforcement of penalties for transactions that could potentially damage the Visa brand.
BRAM and GBPP violations are related to illegal content governed by local, state or federal laws and/or rules and regulations established by the card brand associations. In most cases such violations relate to the breach of IP rights, such as the sale of counterfeit goods or digital media, as well as broadcasting IP protected entertainment content. BRAM and GBPP fines are passed to the merchants, but as discussed above, the ability of the acquirer to withhold fine amounts from the merchants depends on in cases of merchant inability of payment, they will fall onto the acquirer.
Liquidity is essential for any financial institution as it underlines proper operation and availability of funds and assets. In acquiring, liquidity risk can be measured by the ability of the acquirer to timely transmit funds to the merchants. Acquirers often limit this risk by paying merchants after receiving funds from the issuing bank. If the acquirer pays the merchant prior to receiving funds from the issuer, the acquirer could sustain a loss if the issuer is unable or unwilling to pay. Often, the liquidity risk is mitigated by delaying the settlement and establishing specific days for settlement (e.g. daily settlement with three days delay). Furthermore, chargebacks may also have substantial effects on the liquidity of the acquirer.
Operational risk is a risk that arises as a consequence of failed operations within the institution. Such risks vary by business line and can occur in any department. Acquirers are faced with operational risk daily as they process payment card transactions for their merchants. Operational risk arises from the acquirer’s failure to process a transaction properly, inadequate controls, employee error or malfeasance, a breakdown in the acquirer’s computer system, or even a natural disaster. Furthermore, regulators can levy fines on acquirers where they did not implement proper disaster management procedures and their clients were unable to process payments. Consequently, operational controls should account for possible failures within the acquirer’s institution.
The acquiring business is subject to extensive regulatory obligations that apply to institutions offering payment processing services. Failure to comply with these obligations can lead to substantial fines from both regulatory authorities and card associations, to say nothing of failures to follow internal policies and procedures. Such breaches are known as compliance failures. Compliance risk may arise in various parts of offering and providing merchant processing services. While the risk may occur at the acquirer level, it can also exist when products, services, or systems associated with a third-party relationship are not properly reviewed for compliance, or when the operations of the third-party relationship are not consistent with law, ethical standards, or the acquirer’s policies and procedures. It has implications over a wide variety of topics such as AML/CTF, cybersecurity, data protection, safeguarding requirements, capital adequacy, etc.
Reputation is essential in order to maintain a successful processing business as it shows the wider public that the acquirer’s institution is solid and reliable. Strategic direction partially accounts for reputational risk as the acceptable industries with which acquirers operate are outlined from the outset. However, it does not fully encompass all of the matters that can inflict damage to the reputation.
Acquirers must consider the possible reputational risks involved in merchant processing. Should any interaction or aspect of merchant processing conducted by the acquirer or its third-party organisations not be consistent with the regulatory and card association standards, the acquirer could be subject to reputational risk. Negative media may have a direct impact on the acquirer’s business by reducing the client base, hampering business development, and preventing it from maintaining and extending strategic partnerships. Apart from actions or omissions of the acquirer itself, publicity about adverse events surrounding closely related third-party organisations may increase the reputational risks.
Furthermore, decisions made by third parties acting on behalf of the acquirer can directly cause the loss of merchant relationships, litigation, fines and penalties, and losses associated with chargeback reimbursements. Hence, it is essential not only to create a solid framework for the acquirer itself but also to establish the operational lines within which agents will be managed and partners monitored.
Merchant risk management arrangements
Risk management concerns the identification, evaluation, and prioritisation of risks in accordance with their severity and likelihood of materialising. It is an exercise that must be carried out on an ongoing basis, as the risks and challenges to which the institution is exposed constantly evolve. Managing the risks related to acquiring requires management expertise, significant operational support, and rigorous risk-management systems.
Written policies and procedures
According to the rules of card associations, each merchant acquirer must have a written policy documenting its merchant risk management measures. Such policies must account for all of the identified risks and detail the measures and procedures implemented in order to mitigate them. An effective policy is only the first stepping stone on the road to the efficient management of merchant risks. Most importantly, it must be successfully implemented within the acquirer’s institution and all staff members must adhere to it.
The policies and procedures should be commensurate with the risk to which the acquirer is exposed. They should detail both the theoretical framework and the practical steps that are essential to the business profile. For instance, they should outline how acquiring functions and which party is involved at which step (cardholder submits an order, gateway passes the information, card association passes it for authorisation, etc.). Such an outline helps staff members to understand the whole process of acquiring and to solidify their knowledge. At the same time, the policies should outline the specific steps that are involved when screening and onboarding merchants, how they are monitored and managed on an ongoing basis, how chargebacks are resolved, etc. Such a combination allows preparing a concise framework within which the institution will function. If properly drafted and implemented, policies and procedures will reduce most of the aforementioned risks.
Merchant risk management and underwriting
Merchant underwriting is an essential step in evaluating the risks that are posed by a particular merchant. Underwriting must be carried out by skilled and knowledgeable personnel who have expertise in determining the risks that a potential merchant poses. The underwriting process should consider the merchant’s ability to cover projected chargebacks as well as its potential risk for fraud and business failure. Basically, it must take into account all of the broad categories of risk outlined above. For such purposes, when designing merchant underwriting procedures it is important to keep in mind:
- Criteria for accepting merchants (for example, acceptable business types, time in business, location, sales and chargeback volumes, and financial capacity).
- Underwriting standards for the review of merchants.
- Dissemination of authority required for approval.
- Risk scoring model for underwriting and subsequent monitoring.
- List of information that is required on the merchant application.
Furthermore, if the merchant is engaged in point-of-sale commerce, the underwriter should perform a robust evaluation of the merchant’s location and document the review. Notably, it is much more difficult to perform underwriting for a merchant that is selling through the Internet, and emphasis should be placed on establishing whether the company and website are in fact legitimate. The lower barriers encountered when setting up an Internet store increase the risk of fraudulent businesses, or businesses with minimal financial resources, being established compared to the risks associated with traditional merchants. It gets particularly tricky if the merchant is planning to engage in transaction laundering. In such a case, the merchant will most probably try to pose as a low-risk type of business. Hence, it is essential to look out for any discrepancies and, apart from performing thorough research via readily available sources, to conduct screening with third-party screening solutions such as G2 or InvestiGate.
Considerations about contractual matters
Needless to say, well-drafted agreements between acquirers and merchants that they onboard are one of the core safeguards that acquirers can implement. The well-drafted agreement will outline how the relationship is structured and what are the rights and responsibilities of the parties. As a bare minimum, the agreement should always account for:
- The acquirer’s right to review the transaction for fraud prior to releasing funds and settlement;
- Merchant pricing model (e.g. interchange++ or flat rate) and how it can be adjusted throughout the relationship;
- How rolling reserves will be accumulated, disbursed, and used;
- Website and cardholder data security requirements;
- Whether there will be any guarantees given by the merchant;
- Prohibition of splitting sales;
- Whether potential fines will be passed on;
- How merchants must deal with chargebacks, refunds, returns;
- What are merchant monitoring programs and how merchants may be placed on such;
- Acquirer’s rights to set-off and freeze funds;
- Specific consideration regarding practices that are common for the merchant’s industry;
- Termination and the subsequent winding-up of the relationship.
The importance of having an experienced legal counsel draft the agreement that will be used to oversee the relationship with the merchant cannot be overemphasised. Such counsel should have a solid knowledge of card association rules as well as national and regional legislation.
Fraud detection and monitoring arrangements
Every acquirer should have an anti-fraud system to monitor the merchant’s daily activity. The acquirer is potentially liable for the fraud losses perpetrated by the merchant, including merchants engaged in deceptive or misleading practices. A merchant can also directly defraud the acquirer by such means as factoring and draft laundering. The acquirer’s ability to quickly detect merchant fraud is important in controlling the possible losses. A merchant’s fraud can be extremely costly if not discovered quickly.
Fraud identification is crucial for any acquirer because fraud, if not managed properly, leads to the primary losses from acquiring. In order to detect fraud, the first and foremost measure is the monitoring of chargebacks on an ongoing basis. Furthermore, it is important to assess the visits to the website and evaluate them against the number of acquired transactions. Other factors that should be considered include:
- Multiple purchases of the same amount;
- Multiple use of the same cardholder number;
- Multiple requests from the same IP address;
- Multiple refunds;
- The number of authorisations declined.
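The factors listed above can be evaluated mechanically over one merchant's daily transactions. The following Python is an added example, not part of the original article; the record fields, threshold values and sample transactions are assumptions constructed for illustration.

```python
from collections import Counter

# Illustrative thresholds (assumptions, not card-scheme values); tune per merchant profile.
THRESHOLDS = {"same_amount": 3, "same_card": 3, "same_ip": 4,
              "refund_ratio": 0.20, "decline_ratio": 0.30}

def review_merchant_day(transactions, thresholds=THRESHOLDS):
    """Return {indicator: evidence} for one merchant's daily activity.

    Each transaction is a dict with keys: kind ("sale" or "refund"),
    amount (string), card (a token, never the PAN), ip, approved (bool).
    """
    sales = [t for t in transactions if t["kind"] == "sale"]
    approved = [t for t in sales if t["approved"]]
    refunds = [t for t in transactions if t["kind"] == "refund"]

    def repeated(values, limit):
        # Values seen at least `limit` times, with their counts.
        return {v: n for v, n in Counter(values).items() if n >= limit}

    checks = {
        "same_amount": repeated((t["amount"] for t in approved), thresholds["same_amount"]),
        "same_card": repeated((t["card"] for t in sales), thresholds["same_card"]),
        "same_ip": repeated((t["ip"] for t in sales), thresholds["same_ip"]),
    }
    flags = {name: hits for name, hits in checks.items() if hits}

    # Ratios are only computed when there is a denominator.
    if approved and len(refunds) / len(approved) > thresholds["refund_ratio"]:
        flags["refund_ratio"] = round(len(refunds) / len(approved), 2)
    if sales:
        declined = len(sales) - len(approved)
        if declined / len(sales) > thresholds["decline_ratio"]:
            flags["decline_ratio"] = round(declined / len(sales), 2)
    return flags

def tx(kind, amount, card, ip, approved=True):
    return {"kind": kind, "amount": amount, "card": card, "ip": ip, "approved": approved}

# Constructed sample data; IPs come from the RFC 5737 documentation ranges.
SAMPLE_DAY = [
    tx("sale", "49.99", "tok_A", "203.0.113.7"),
    tx("sale", "49.99", "tok_A", "203.0.113.7"),
    tx("sale", "49.99", "tok_A", "203.0.113.7"),
    tx("sale", "49.99", "tok_B", "203.0.113.7", approved=False),
    tx("sale", "120.00", "tok_C", "198.51.100.4", approved=False),
    tx("sale", "15.50", "tok_D", "198.51.100.9"),
    tx("refund", "49.99", "tok_A", "203.0.113.7"),
    tx("refund", "15.50", "tok_D", "198.51.100.9"),
]

if __name__ == "__main__":
    for indicator, evidence in review_merchant_day(SAMPLE_DAY).items():
        print(indicator, evidence)
```

A flag here is a prompt for analyst review rather than a verdict; legitimate subscription merchants, for instance, routinely produce many sales of the same amount.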
Furthermore, issues with ongoing monitoring can arise with high-volume and high-risk merchants and/or when the acquirer’s policy has not addressed the frequency of reviews and the size of merchants requiring reviews on an ongoing basis. When designing occasional reviews for the monitoring program, the acquirer’s management should consider the volume, concentrations, high-risk industries, and chargeback history of a particular merchant or type of merchant. In order to see the exact steps that could be undertaken for a robust merchant monitoring in terms of transaction laundering and card fraud prevention solutions.
Risks versus return
Most often the level of risk undertaken will correlate to the returns that the acquirer is receiving from the processing services. Higher-risk merchants bring higher revenue within shorter timeframes than the same volume of transactions processed for low-risk merchants. However, if the risk is managed inadequately, the institution will fail before any of the revenues can be successfully realised. Therefore, it is essential to design a proportionate and robust risk management framework which is both not too restrictive (otherwise merchants would not pass the underwriting, or it would be too time-consuming and they would decide not to proceed with the onboarding) and efficient (in the sense that it minimises the identified risks). Merchant risk management measures should be commensurate with the institution’s size, strategic direction, and financial resources. Without considering all the particulars, it is impossible to efficiently manage the risks within the acquirer’s institution.
If you are unsure of how to design or improve your risk management framework, you should seek expert advice. Thankfully, you are in the right place and can benefit from management consulting services offered by PSP Lab. Reach out to us in order to maximise your returns whilst mitigating the risks to the highest possible extent.