Merchant Risk and Underwriting
How acquirers evaluate merchant risk at onboarding and ongoing monitoring to prevent fraud and money laundering
The Merchant as the Entry Point
In the transaction fraud world, customer-to-merchant fraud gets most of the attention: stolen cards, account takeover, synthetic identities. But the greater systemic risk often comes from the other direction: merchants themselves.
A fraudulent or compromised merchant is not a transaction-level problem. It is a network-level problem. A single bad merchant can process millions in fraudulent transactions, launder money for criminal enterprises, or test stolen credentials at scale. By the time a payment network detects the fraud, the damage is often done: customer disputes have multiplied, the merchant's acquiring bank is exposed, and regulators are asking hard questions about how the merchant passed onboarding in the first place.
Merchant onboarding is where fraud prevention and financial crime compliance converge. An acquiring bank's entire risk profile hinges on merchant selection: who you onboard, how you verify them, and how you monitor them after they go live.
This module focuses on how acquiring banks, payment facilitators, and other merchant-facing institutions evaluate, onboard, and monitor merchants for risk. The stakes are high. The complexity is significant. And the tools and processes that manage this risk have become increasingly sophisticated.
Risk Scoring: Not the Merchant's Transactions, but the Merchant Itself
The fundamental shift in merchant risk assessment is this: you are not scoring the merchant's transactions. You are scoring the merchant as an entity. Does this business legitimately exist? What is its ownership structure? What is its operational history? What is the quality of its banking relationships? What industries or geographies does it operate in?
Merchant risk scoring happens at two critical moments: onboarding (when the merchant applies to be a customer) and ongoing monitoring (after they are live, to detect degradation). The frameworks differ slightly, but the underlying principle is identical: extract and weight risk signals that predict whether a merchant will pose problems down the line.
Pre-Boarding Assessment
When a merchant applies to process payments, the acquiring bank runs a battery of checks. The merchant submits information: business name, ownership, industry, location, expected transaction volume, products sold. The bank verifies this information through multiple channels. If any signal is false or suspicious, the merchant is declined or placed in enhanced review.
The checks are comprehensive. Know Your Business (KYB) processes verify that the business exists and is registered with the appropriate authorities. Business registry lookups confirm ownership and address. Tax identification numbers are validated. Beneficial ownership information is extracted and cross-checked against regulatory watch lists. The merchant's industry is classified using Merchant Category Codes (MCCs), and the acquiring bank assesses whether that industry carries elevated risk.
The output is a merchant risk score. Low-risk merchants (established retail, SaaS, low-MCC-risk categories) proceed directly to underwriting. Medium-risk merchants (travel, e-commerce, cryptocurrency-related) go to enhanced review. High-risk merchants (gambling, adult content, high-risk jurisdictions) may be declined immediately or required to post collateral and accept higher fees.
Ongoing Monitoring and Risk Tier Assignment
Once a merchant is live, monitoring does not stop. The merchant is assigned to a risk tier, and that tier determines the monitoring intensity and operational constraints placed on the merchant.
Tier 1 (Low-Risk): Established merchants with strong KYB verification, clean compliance history, and low-MCC-risk categories. Minimal ongoing monitoring, standard settlement terms, no reserved funds.
Tier 2 (Medium-Risk): Merchants with reasonable verification but elevated category risk or moderate transaction volume growth. Monthly monitoring, transaction velocity thresholds, possible rolling reserves of 1 to 5 percent.
Tier 3 (High-Risk): Merchants in high-risk categories, with recent onboarding, or showing red flags in transaction patterns. Weekly or daily monitoring, strict transaction volume caps, rolling reserves of 10 to 25 percent, shortened settlement cycles.
Tier 4 (Suspended): Merchants flagged for suspected fraud, money laundering, or compliance violations. All transactions are held pending investigation. If violations are confirmed, the merchant is terminated.
The Underwriting Process: Know Your Business (KYB)
Know Your Business is the merchant-side equivalent of Know Your Customer (KYC). It is a mandatory compliance process and a critical risk control. The goal is to verify that the merchant is who they claim to be, operating in the industry they claim, and free from regulatory sanction.
Business Verification
Business verification checks whether the merchant's claimed entity actually exists. This is straightforward for registered corporations (lookup in business registries), but more complex for sole proprietorships and informal businesses. The bank will verify: business name, registration number, address, date of establishment, ownership structure.
For international merchants, verification becomes harder. Not all jurisdictions maintain accessible business registries. Some merchants operate in jurisdictions with weak governance. In these cases, banks supplement registry checks with third-party due diligence services. Companies like Bureau van Dijk, Refinitiv, and WorldCheck maintain databases of business entities and can verify existence across most jurisdictions.
Beneficial Ownership Information
Beneficial ownership information identifies the natural persons who ultimately control or benefit from the business. A company might be registered under a manager or agent, but the actual owner could be someone else. This matters because the actual owner might be sanctioned, have a criminal history, or be a politically exposed person (PEP). Banking regulations require banks to identify ultimate beneficiaries and screen them against sanctions lists.
Large companies have transparent ownership. A public company's beneficial owner is publicly known. But private companies, shell companies, and entities in opaque jurisdictions can hide true ownership. The underwriter will dig deeper: request personal identification from claimed owners, cross-check their information against sanctions lists, and flag any inconsistencies or red flags.
Industry Risk Categorisation
Every merchant is assigned a Merchant Category Code (MCC). The MCC is a four-digit code that describes the merchant's primary business activity. There are thousands of MCCs covering everything from restaurants (5812) to insurance agents (6211) to legal services (7279).
MCCs are assigned by card networks, but they carry regulatory weight. Certain MCCs are designated as high-risk because they are common vehicles for money laundering, sanctions evasion, or fraud. These high-risk MCCs include gambling (7995), adult content (6211 for adult services, among others), money transmission (7777), cryptocurrency exchanges (6211 for virtual currency), travel (4511 airlines, 5812 travel agencies), and pharmaceuticals (5912 for prescription drugs, 5411 supplements).
Merchants in high-risk MCCs face enhanced scrutiny. Higher fees are common (acquiring banks charge 3 to 5 percent higher processing fees for merchants in high-risk MCCs). Rolling reserves are higher. Transaction limits are stricter. And the acquiring bank monitors these merchants more closely for signs of abuse.
High-Risk Merchant Categories and MCC Complexity
Understanding which MCCs are considered high-risk is essential to understanding merchant underwriting. The risk is not theoretical. Each of these categories has operational challenges and regulatory exposure.
Gambling and Gaming (MCC 7995)
Gambling merchants are high-risk because they attract both regulatory scrutiny and fraudulent activity. Regulatory risk comes from the fact that gambling is illegal in many jurisdictions, and payment processors must not serve merchants operating in those jurisdictions. Fraud risk comes from the fact that gambling sites are attractive targets for stolen card testing and chargeback fraud (customers gamble, lose money, then dispute the transaction claiming they never authorised it).
Acquiring banks require extensive gambling merchant underwriting: proof of gaming licenses, verification of operational jurisdiction, proof of responsible gambling compliance, and pre-funding deposit requirements. Many traditional banks will not acquire gambling merchants at all, leaving the space to specialist acquirers.
Travel and Ticketing (MCC 4511, 4722)
Travel merchants (airlines, hotels, tour operators, ticketing agencies) are high-risk because they are targets for ATO fraud and have high dispute rates. A travel merchant might see 5 to 10 percent of transactions disputed: customer claims they never received the ticket, the flight was cancelled without authorisation, the hotel had issues, or the ticket was fraudulent.
Chargebacks in travel are particularly difficult to defend because the customer must claim they received something tangible (a ticket, reservation confirmation) and the burden of proof falls on the merchant. A merchant might have email evidence of the booking and payment, but the customer's bank will often credit the customer anyway to maintain the banking relationship.
Supplements and Wellness (MCC 5411, 5912)
Supplement merchants are high-risk because the regulatory landscape is complex and compliance failures carry significant penalties. The FDA has jurisdiction over supplements in the US, and claims made by supplement vendors are highly scrutinised. Additionally, supplement merchants often have high chargeback rates and attract complaints about product efficacy.
Payment networks monitor supplement merchants closely. If a supplement merchant shows chargeback rates above 1 to 2 percent, they are flagged for review. If the merchant makes unsubstantiated health claims on their website, they may be terminated immediately.
Cryptocurrency and Virtual Currency (MCC 6211 variant)
Cryptocurrency merchants and exchanges are among the highest-risk MCCs. Regulatory uncertainty is extreme. AML/CFT requirements are strict. Fraud risk is high (customers sending money to fake exchanges, customers using stolen cards to buy cryptocurrency, exchanges being hacked). And the reputational risk to acquiring banks is substantial: regulators scrutinise banks that do business with crypto merchants.
Most traditional banks will not acquire cryptocurrency merchants. Those that do impose strict monitoring, high reserves (25 to 50 percent of transaction volume), and require merchants to implement their own KYC and AML processes.
Adult Content and Services (MCC 7273, variants)
Adult merchants (including sex work payment processing) are high-risk because they are targets for trafficking and exploitation. Regulators require banks to implement trafficking detection and prevention controls. Additionally, these merchants have high chargeback rates and face reputational risk for acquiring banks.
Adult merchants require enhanced KYB, proof of age verification processes, proof that performers and workers are acting voluntarily, and ongoing trafficking monitoring. Many banks decline these merchants entirely.
Transaction Laundering and Bust-Out Fraud
The most sophisticated merchant fraud happens through two vectors: transaction laundering and bust-out fraud.
Transaction Laundering
Transaction laundering is when a merchant (or an employee of a merchant) processes transactions for a prohibited or high-risk activity through a merchant account with a lower-risk MCC. The merchant uses a shell company or legitimate merchant account to hide illegal activity.
Example: A gambling operation sets up a merchant account claiming to be a sports merchandise retailer (MCC 5640). They process all gambling transactions through this merchant account with the sports retailer narrative, hiding the true nature of the business. The acquiring bank, payment networks, and payment processors do not realise the transactions are gambling-related.
Transaction laundering is difficult to detect because it relies on merchant misrepresentation, not customer fraud. The customers might be making legitimate transactions. The merchant is the fraudster. Detection requires matching transaction patterns to the claimed MCC: if a sports merchandise merchant is processing thousands of high-value transactions that look like digital payments or subscriptions, the pattern does not match the claimed business.
Networks like Visa and Mastercard run sophisticated transaction pattern analysis to detect transaction laundering. They flag merchants whose transactions do not match their claimed industry. If the pattern is flagged, the merchant is investigated, and if transaction laundering is confirmed, they are terminated and reported to regulators.
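The pattern-matching idea above, as an added example (not code from any card network or from this module): a merchant's observed transactions are summarised and compared with an expected profile for its claimed MCC. The profile thresholds, field names and sample transactions are constructed assumptions; only MCC 5640 comes from the example above.

```python
from collections import Counter
from statistics import median

# Hypothetical expected profile per claimed MCC (thresholds are constructed).
EXPECTED_PROFILE = {
    "5640": {  # the sports merchandise retailer from the example above
        "max_median_ticket": 150.00,   # physical goods: modest basket size
        "min_shipped_share": 0.80,     # most orders should ship somewhere
        "max_repeat_share": 0.10,      # few same-card, same-amount repeats
    },
}


def observed_profile(txns):
    """Summarise a merchant's transactions into comparable features."""
    total = len(txns)
    # Same card charged the same amount three or more times looks like a
    # subscription or account top-up rather than a retail purchase.
    pairs = Counter((t["card"], t["amount"]) for t in txns)
    repeats = sum(n for n in pairs.values() if n >= 3)
    return {
        "median_ticket": median(t["amount"] for t in txns),
        "shipped_share": sum(t["shipped"] for t in txns) / total,
        "repeat_share": repeats / total,
    }


def mcc_mismatches(claimed_mcc, txns, min_txns=20):
    """Return the ways observed activity departs from the claimed MCC."""
    if claimed_mcc not in EXPECTED_PROFILE:
        return ["no_expected_profile"]   # nothing to compare: manual review
    if len(txns) < min_txns:
        return []                        # too little data to judge
    exp = EXPECTED_PROFILE[claimed_mcc]
    obs = observed_profile(txns)
    flags = []
    if obs["median_ticket"] > exp["max_median_ticket"]:
        flags.append("ticket_size_above_profile")
    if obs["shipped_share"] < exp["min_shipped_share"]:
        flags.append("few_shipped_orders")
    if obs["repeat_share"] > exp["max_repeat_share"]:
        flags.append("subscription_like_repeats")
    return flags


# Constructed sample data: a plausible retailer and a mismatching merchant.
RETAILER = [{"card": f"c{i}", "amount": 25.0 + 3 * i, "shipped": i % 10 != 0}
            for i in range(30)]
MISMATCH = [{"card": f"c{i % 10}", "amount": 500.0, "shipped": False}
            for i in range(30)]

if __name__ == "__main__":
    print(mcc_mismatches("5640", RETAILER))
    print(mcc_mismatches("5640", MISMATCH))
```

A non-empty result is a reason to open an investigation, not proof of laundering; the flags tell the analyst which part of the claimed business model the activity contradicts.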
Bust-Out Fraud
Bust-out fraud is when a criminal or organised group creates a merchant account with false KYB information, processes legitimate transactions for a period to build credibility and transaction history, then suddenly processes large volumes of fraudulent transactions (using stolen cards or customer funds), and disappears before detection.
The attack has phases. Phase one is onboarding: the criminal creates a fake business entity with false documents and passes KYB checks. Phase two is legitimacy building: they process real transactions (possibly at a loss) to build transaction history and reputation. Phase three is the bust-out: they process massive volumes of fraudulent transactions in a short period (days or weeks), maximizing the amount of stolen funds that clear before the scheme is detected.
Detection happens at phase two or three. An acquiring bank notices a sudden shift in transaction volume or pattern. A customer disputes large batches of transactions. The payment network flags the merchant. But by that time, the merchant has often moved funds out of the account or vanished. The acquiring bank is left holding losses.
Prevention requires velocity monitoring and pattern matching. Merchants are expected to maintain stable transaction profiles. A merchant that suddenly increases volume 10x in a single day is flagged for manual review. A merchant that processes thousands of transactions for the first time, outside their claimed business model, is reviewed immediately.
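One way to implement the velocity check described above, as an added example rather than any acquirer's production logic. The 10x spike ratio comes from the text; the trailing-median baseline, the comparison against the volume declared at onboarding, the 3x declared ratio and the sample volumes are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Alert:
    day: int
    volume: float
    reason: str


def velocity_alerts(daily_volume, declared_daily, window=14, min_history=7,
                    spike_ratio=10.0, declared_ratio=3.0):
    """Flag days that break the merchant's stable transaction profile.

    Two checks run per day:
      * spike_vs_baseline: volume >= spike_ratio x trailing median
      * exceeds_declared_profile: volume >= declared_ratio x the daily
        volume stated at onboarding. A trailing baseline drifts upward
        during a gradual ramp, so this fixed reference is needed too.
    """
    alerts = []
    clean = []  # only unflagged days feed the baseline
    for day, vol in enumerate(daily_volume):
        reason = None
        history = clean[-window:]
        if len(history) >= min_history:
            baseline = median(history)
            if baseline > 0 and vol >= spike_ratio * baseline:
                reason = "spike_vs_baseline"
        if reason is None and vol >= declared_ratio * declared_daily:
            reason = "exceeds_declared_profile"
        if reason:
            alerts.append(Alert(day, vol, reason))
        else:
            clean.append(vol)
    return alerts


# Constructed daily volumes in dollars for a merchant that declared
# roughly $10,000 per day at onboarding.
STEADY = [9_500, 10_200, 9_800, 10_100, 9_900,
          10_400, 9_700, 10_000, 10_300, 9_600]
BUST_OUT = STEADY + [120_000, 150_000, 140_000]                  # sudden jump
SLOW_RAMP = STEADY + [10_000 * 1.3 ** n for n in range(1, 9)]    # +30% a day

if __name__ == "__main__":
    for name, series in [("steady", STEADY), ("bust-out", BUST_OUT),
                         ("slow ramp", SLOW_RAMP)]:
        print(name, velocity_alerts(series, declared_daily=10_000))
```

Flagged days are kept out of the baseline so that a multi-day burst keeps alerting instead of becoming the new normal.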
Risk Management Tools: Rolling Reserves, Settlement Delays, and Volume Caps
Once a merchant is rated for risk, the acquiring bank applies operational controls to limit exposure. These controls are particularly common for high-risk and medium-risk merchants.
Rolling Reserves
A rolling reserve is when the acquiring bank withholds a percentage of the merchant's transactions and holds the funds for an extended settlement cycle (typically 180 days). If chargebacks or fraud claims arrive during that period, they are offset against the reserve. If the reserve period ends with no issues, the funds are released.
Rolling reserves are a common tool for high-risk merchants. A merchant might receive payment for 95 percent of their transactions in the normal settlement cycle (1 to 3 days), but 5 percent of transactions are held in rolling reserve for 180 days. For a merchant processing $100,000 per day, this means $5,000 per day is held, accumulating to $900,000 in reserved funds at any given time.
Rolling reserves solve two problems. First, they provide a buffer against chargebacks and fraud claims. If a merchant shows high chargeback rates in the first 90 days, the bank can offset chargebacks against the reserve without waiting for clawback claims. Second, they reduce the merchant's incentive to process fraudulent transactions in the final days before closing the account. If a merchant is about to be terminated, they might process large volumes of fraudulent transactions expecting to keep the funds before the bank discovers the fraud. A rolling reserve means funds stay with the bank for 180 days after processing, removing that incentive.
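The 5 percent, 180-day reserve described above, worked through as an added example (not a bank's actual ledger logic). Offsetting chargebacks against the oldest tranche first, and the $1,000,000 chargeback scenario, are assumptions.

```python
from collections import deque
from typing import NamedTuple


class DayResult(NamedTuple):
    paid_out: int    # settled to the merchant on the normal cycle
    released: int    # matured reserve returned to the merchant
    shortfall: int   # chargebacks the reserve could not cover


class RollingReserve:
    """Amounts are integer cents; the rate is in basis points (500 = 5%)."""

    def __init__(self, rate_bps: int, hold_days: int):
        self.rate_bps = rate_bps
        self.hold_days = hold_days
        self.tranches = deque()   # [release_day, amount], oldest first
        self.day = 0

    @property
    def balance(self) -> int:
        return sum(amount for _, amount in self.tranches)

    def process_day(self, volume: int, chargebacks: int = 0) -> DayResult:
        # 1. Withhold today's share of processed volume.
        held = volume * self.rate_bps // 10_000
        if held:
            self.tranches.append([self.day + self.hold_days, held])

        # 2. Offset chargebacks against the reserve before anything is
        #    released, oldest tranche first (assumed ordering).
        remaining = chargebacks
        while remaining and self.tranches:
            tranche = self.tranches[0]
            take = min(tranche[1], remaining)
            tranche[1] -= take
            remaining -= take
            if tranche[1] == 0:
                self.tranches.popleft()

        # 3. Release whatever is left of tranches whose hold has ended.
        released = 0
        while self.tranches and self.tranches[0][0] <= self.day:
            released += self.tranches.popleft()[1]

        self.day += 1
        return DayResult(volume - held, released, remaining)


def page_scenario():
    """$100,000 per day at 5% for 180 days, then a constructed bust-out."""
    reserve = RollingReserve(rate_bps=500, hold_days=180)
    for _ in range(180):
        reserve.process_day(100_000_00)
    steady_balance = reserve.balance                 # reserve is now full
    day_180 = reserve.process_day(100_000_00)        # first release day
    # Constructed: merchant stops processing, $1,000,000 of chargebacks land.
    bust = reserve.process_day(0, chargebacks=1_000_000_00)
    return steady_balance, day_180, bust, reserve.balance


if __name__ == "__main__":
    print(page_scenario())
```

The reserve absorbs the first $900,000 of chargebacks in the scenario; the remaining shortfall is the exposure that settlement delays and volume caps are meant to shrink further.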
Delayed Settlement
Related to rolling reserves is delayed settlement, where the acquiring bank lengthens the time between transaction processing and fund disbursement. Standard settlement is 1 to 3 days. High-risk merchants might have 7 to 14 day settlement. In extreme cases (bust-out risk, active investigation), settlement can be 30 days or longer.
Delayed settlement gives the bank more time to detect problems. If a merchant is processing fraudulent transactions, chargebacks and fraud claims will arrive within 30 to 60 days. By the time settlement is complete (at 30 days), many fraud signals will have arrived. The bank can then investigate and determine whether funds should be released.
Transaction Volume Caps
For high-risk merchants, acquiring banks impose transaction volume limits. A new gambling merchant might be approved for $10,000 per day in transaction volume. If they exceed that limit, additional transactions are declined until they confirm the spike is legitimate. Volume caps limit the maximum loss from a bust-out scheme: if the volume cap is $10,000 per day and the merchant attempts to process $5 million in fraudulent volume, the bank's loss is capped at the volume cap, not the full amount.
Volume caps also serve as a stability check. If a merchant suddenly increases volume 10x above their cap, it is a signal that something unusual is happening. The cap forces the merchant to request permission to increase volume, which requires another round of risk assessment.
Ongoing Monitoring Programmes
Merchant risk assessment does not end at onboarding. The acquiring bank monitors every merchant on an ongoing basis, looking for changes in risk profile.
Visa Fraud Monitoring Programme (VFMP)
Visa operates the Visa Fraud Monitoring Programme, which sets monitoring requirements for acquiring banks. VFMP requires banks to monitor merchants for fraud rates and suspicious activity patterns. If a merchant exceeds 0.9 percent fraud rate (the Visa threshold), the bank must implement monitoring and corrective action.
VFMP monitoring includes: transaction review, chargeback analysis, customer dispute patterns, and pattern matching. Banks must meet these thresholds or face fines from Visa. This creates an incentive for banks to be aggressive in monitoring and quick in terminating high-risk merchants.
Mastercard Monitoring for Assessment, Review and Termination (BRAM)
Mastercard operates a similar programme called BRAM (Monitoring for Assessment, Review and Termination), which sets fraud thresholds and monitoring requirements. The thresholds are similar to Visa's, but the mechanics differ slightly. BRAM requires banks to monitor merchants and take action within defined timeframes.
Both VFMP and BRAM create a network-wide standard for merchant fraud monitoring. Acquiring banks that fail to meet standards face fines. This creates a floor of merchant monitoring across the industry and reduces the risk of a bank overlooking a high-fraud merchant due to lax procedures.
The MATCH List and Merchant Termination
When a merchant is terminated for fraud, compliance, or other violations, they are not just removed from one bank. They are added to the MATCH list (Mastercard Advisories for Terminal Security, though the acronym now stands more broadly as Terminated Merchant File).
How MATCH Works
The MATCH list is maintained by Mastercard and contains records of merchants who have been terminated for violations. The list is shared across all acquiring banks. If a merchant is on the MATCH list, they are effectively blacklisted from the acquiring industry: no acquiring bank will process payments for them.
Merchants are added to MATCH for various reasons: fraud, chargebacks, AML violations, sanctions violations, high-risk activity, unsafe practices. Once on the list, a merchant remains on it for five years (with limited exceptions for low-risk reasons). After five years, the record expires.
Visa maintains a parallel list. The effect is the same: merchants on either list are effectively unable to process payments through traditional acquiring channels.
Consequences of Termination
A MATCH listing is devastating to a merchant business. If the merchant is a legitimate business that was terminated in error or for a technical reason, they can appeal to the acquiring bank. If the appeal is accepted, they can be removed from MATCH. But for merchants terminated for fraud or significant violations, the five-year exclusion is often permanent for the business: the business closes or dramatically restricts operations.
This harsh consequence creates incentives for merchants to comply. A merchant knowing that significant violations could lead to a five-year payment processing ban is motivated to maintain low chargeback rates, comply with AML requirements, and avoid high-risk activities.
But MATCH also has fairness critiques. A small business terminated in error faces five years of being unable to process credit cards, even if they successfully appeal. Expungement is possible but rare. This is why merchant advocates have pushed for reform of MATCH standards, shorter terms, and better appeal processes.
Platforms and Tools in the Merchant Risk Stack
Merchant risk management has spawned a category of specialist vendors that help acquiring banks and merchants manage risk.
Merchant Risk Intelligence Platforms
Coris is a merchant risk intelligence platform that specializes in KYB verification, fraud monitoring, and merchant risk scoring. Coris aggregates data from multiple sources (business registries, sanctions databases, transaction patterns) and produces a risk score and monitoring profile. Acquiring banks use Coris to supplement their internal KYB processes and to automate merchant onboarding decisions.
Coris and similar platforms have become essential tools for fast-growing acquiring banks and payment facilitators that cannot afford to perform all KYB verification manually. The platform automates the bulk of merchant assessment, allowing human underwriters to focus on edge cases and high-value decisions.
AML Monitoring Platforms
Hawk is an AML monitoring platform that helps acquiring banks detect suspicious transaction patterns, identify merchants engaged in money laundering, and generate Suspicious Activity Reports (SARs) for regulatory authorities. Hawk ingests transaction data from the acquiring bank's systems and applies rule-based and ML-based detection to flag suspicious activity.
Platforms like Hawk connect merchant-level risk management to regulatory compliance. They help banks meet VFMP and BRAM requirements, reduce regulatory risk, and detect money laundering schemes that are hiding behind merchant transactions.
If your organisation onboards merchants, what is your risk tier distribution? Are you accurately identifying and monitoring high-risk merchants, or are you accepting unnecessary risk to avoid the friction of enhanced underwriting?
Key Takeaways
- Merchant risk is systemic risk: A compromised or fraudulent merchant can process millions in fraudulent transactions before detection. Merchant onboarding is where fraud prevention and compliance converge.
- Risk scoring happens at onboarding and on an ongoing basis: Pre-boarding assessment determines if a merchant is approved and what tier they are assigned. Ongoing monitoring tracks changes in risk profile and detects degradation early.
- KYB verification is mandatory and complex: Know Your Business processes verify business existence, beneficial ownership, industry classification, and regulatory status. Failures to conduct proper KYB expose banks to enforcement actions and fraud losses.
- MCCs determine risk category: High-risk MCCs (gambling, adult, crypto, travel, supplements) face enhanced underwriting, higher fees, rolling reserves, and stricter monitoring. Transaction laundering often exploits MCC misclassification.
- Rolling reserves and volume caps limit exposure: These operational controls reduce the bank's loss exposure from bust-out fraud and high-chargeback merchants. A rolling reserve holds a percentage of transactions for 180 days, offsetting future chargebacks before funds are released.
- MATCH list terminations last five years: Merchants terminated for fraud or serious violations are blacklisted for five years. This has severe consequences and limited appeal processes, creating both compliance incentives and fairness critiques.
- VFMP and BRAM set industry-wide monitoring standards: These programmes require acquiring banks to monitor merchants for fraud rates above thresholds and take corrective action. Banks that fail to meet standards face fines.