Financial businesses that facilitate payment transactions—such as acquiring banks, payment facilitators (payfacs), and independent sales organizations (ISOs)—face a difficult balancing act in managing merchant risk that grows more precarious as a company scales. On one end, a business wants to employ rigorous underwriting and other strong fraud prevention methods to preserve card network relationships and brand integrity; on the other, the business wants to provide a smooth customer experience and minimize operational costs to increase revenue. Where is the balance point that allows a payment service provider to effectively mitigate risk while optimizing growth? And what are the best methods for finding that sweet spot?
With the advancement of artificial intelligence combined with new fraud tactics, the complexity and scale of managing merchant risk are growing. As card-not-present transactions make up an ever-larger share of total transaction volume, the stakes for finding the right balance in merchant risk mitigation have never been higher.
Merchant Risks: Meeting Challenges with Solutions
Although companies processing payments may have strong policies and underwriting processes, they ultimately have limited control over what their merchants do once they have entered their payments ecosystem. While merchants may appear legitimate initially, some engage in fraudulent practices after gaining trust and approval. The more merchants a company has to process, the harder it is to effectively vet and monitor them all, so the problem becomes a question of how to scale while still having safeguards to mitigate risk.
Acquiring and sponsor banks, payfacs, and ISOs vary in their degree of responsibility for merchant risk, but their core challenges are often strikingly similar. Each entity plays a role in the payments ecosystem, but its risk exposure is shaped by its position in the value chain. Their success hinges on managing these risks throughout the merchant lifecycle, from onboarding to ongoing monitoring. Here’s a look at some of those critical differences for each entity and how they intersect:
Acquiring and Sponsor Bank
Acquiring banks carry the bulk of the responsibility for regulatory scrutiny, brand damage, and operational costs when a merchant violates card network rules or engages in fraudulent behavior. These banks maintain merchant accounts and are responsible for transaction authorization and settlement. While they may pass down fines or penalties to ISOs or payfacs for specific violations, they are the ones held accountable by regulatory bodies and card networks through programs such as BRAM and VIRP. As such, acquiring banks must maintain rigorous oversight over their merchant portfolios, ensuring downstream entities comply with all requirements.
Payment Facilitators (Payfacs)
Payfacs provide processing services, merchant account management, risk management, and fraud detection. They own the risk within their portfolios and are tasked with balancing regulatory demands with fraud prevention. As intermediaries between merchants and acquiring banks, payfacs face the challenge of maintaining compliance while navigating the ever-evolving threat of fraud. For payfacs, effective risk management is essential to protect against fines and penalties that can be passed down from acquiring banks.
Independent Sales Organizations (ISOs)
ISOs provide merchant services by partnering with acquiring banks, processors, and other financial institutions. Depending on the structure of these relationships, ISOs can play either a sales-focused role or take on more direct responsibility for managing merchant risk. Smaller retail ISOs typically have limited ownership over merchant risk, while larger wholesale ISOs are more involved in underwriting, risk assessment, and compliance management. These larger ISOs may operate their own underwriting platforms and maintain in-house credit, risk, and compliance teams to oversee merchant activity.
Despite their differences, acquiring banks, payfacs, and ISOs all face the same challenge: the need to manage merchant risk efficiently while scaling their operations.
Common Merchant Risk Challenges
One of the major pain points across all entities is friction during the onboarding process. Many internal teams collect less information upfront to speed up merchant onboarding and support business growth. This approach can reduce visibility into merchants’ true risk profiles, potentially allowing higher-risk merchants to enter the payments ecosystem unnoticed.
Additionally, many financial institutions lack the internal bandwidth to continuously monitor merchant activity. Transaction monitoring helps flag suspicious activity but provides limited visibility into merchant activity. Furthermore, relying on manual approaches or outdated monitoring tools can lead to false positives or missed violations, leaving organizations vulnerable to fraud and/or regulatory violations.
Failing to monitor merchants throughout their life cycle can expose payment processors to a variety of challenges:
Transaction Laundering: Hidden networks of fraudulent transactions can expose financial institutions to card network fines and increased operational costs.
Regulatory Scrutiny: Regulatory bodies may impose fines or penalties if fraudulent or illegal activity is discovered within a merchant’s operations.
Brand and Reputational Fallout: When merchants violate rules, the acquiring bank or payfac may suffer reputational harm, which can impact relationships with partners and consumers.
Increased Operational Costs: When violations occur, the time and resources required to address the issue can increase operating expenses.
Strained Acquirer Relationships: Fines and regulatory scrutiny can damage relationships between financial institutions and their acquiring partners, making it difficult to maintain trust and growth.
Given these risks, a more comprehensive approach to managing merchant risk is necessary, one that includes continuous merchant monitoring.
The Importance of Continuous Monitoring
Ongoing merchant monitoring is critical for identifying violations and protecting financial institutions from regulatory scrutiny and reputational harm. By ensuring merchants adhere to card network rules and regulatory guidelines, acquiring banks, payfacs, and ISOs can prevent costly fines and protect their brand’s reputation.
While some payment service providers perform merchant monitoring in-house, they often work with an independent third-party merchant monitoring solution provider (MMSP) due to concerns regarding time, regulatory expertise, and effects on business operations. While these solutions vary widely, the most effective strategy for managing and detecting problematic merchant behavior is combining advanced technology such as artificial intelligence (AI) and big data with human expertise to identify risks in real time. This approach prioritizes early detection of fraud, transaction laundering, and other problematic behavior before it can result in card network fines, reputational damage, or harm to the public.
A merchant monitoring service provider works as an extension of internal risk and compliance teams, helping them to quickly and accurately identify merchant risk based on specific risk indicators such as BRAM/VIRP rules, regulatory actions, and internal company policies. More advanced solutions may offer detailed notes about flagged merchants to help risk and compliance teams act on them quickly and accurately, whether that means helping the merchant resolve specific issues or off-boarding the merchant.
Preparing for the Future of Merchant Risk Management
As the payments ecosystem becomes more complex, acquiring banks, payfacs, and ISOs must continue to evolve their approach to merchant risk management. While it’s impossible to eliminate all risks, financial institutions can mitigate their exposure by implementing scalable risk management solutions, strengthening their onboarding processes, and investing in continuous monitoring. This provides protection against fines and reputational damage and positions them for long-term success in a competitive, risk-laden payment environment.