Defining Merchant Risk in Payments

Niall Whelan, Chief Product Officer
June 15, 2025

Every year, over $9 trillion in payment transactions carry merchant risk, yet this critical issue rarely gets the attention it deserves. While consumer risk dominates industry discussions, the challenges faced by merchant acquirers and payment processors remain largely overlooked. This gap matters: risk teams at these companies navigate these complexities daily, with potentially catastrophic consequences for getting it wrong.

What is merchant risk in payments?

Merchant risk is the risk payments companies take on when they process payments on behalf of their merchants, either online via websites and applications or offline via point of sale (POS) devices. There are a number of key questions a payments company faces when onboarding merchants and monitoring their behaviours:

While each of these is a distinct risk, in many cases they cross over, particularly for activity that is fraudulent or sits close to the compliance requirements that a merchant and payments company operate under.

All of this risk needs to be managed effectively, while ensuring the payments company grows at a pace that is acceptable to its stakeholders. Managing each of these areas successfully becomes a key requirement for sustainable growth.

Credit risk

The risk created by a merchant that delivers their goods or services only after taking payment is substantial across a wide range of industries. This includes travel (airlines, travel agencies), events (music festivals, concerts), home furnishing, education, services (gyms, fitness classes) and many other sectors where risk teams need to be conscious of the delayed delivery risk. While merchant defaults are relatively rare, they can occur with little warning and result in significant losses, often far exceeding the revenue earned from that merchant. In extreme cases, a single failure can threaten the financial stability of the payments company.

One example is Monarch, a British budget airline, which collapsed in October 2017. It had continued selling tickets for future flights until its shutdown, meaning many travellers never received the flights they paid for. Chargeback claims flowed in for those tickets. One of Monarch’s acquirers suffered such losses from these chargebacks that it was forced to recapitalise by raising new equity to remain solvent. Having better credit risk mitigation in place and more detailed checks on the health of the merchant could have saved the acquirer potentially millions in losses.

Payments companies use a combination of different techniques to mitigate this risk. These include manual underwriting, collateral, rolling reserves, and delayed settlement as some of the legacy approaches, with more dynamic insurance-oriented products (like Envisso’s Protect solution) providing an increasingly merchant-oriented approach to mitigation. This is then combined with continuous monitoring and alerting to ensure any potential loss does not spiral beyond the coverage provided by the risk mitigation tooling in place.

Merchant fraud risk

Fraud is unfortunately a fact of life and the payments ecosystem is no exception. Many fraudsters have identified that setting up fake companies as a means to steal money from customers is a way to make money quickly, with little risk to themselves, particularly online. This generally involves setting up a fake company, or taking over an existing company (merchant takeover) and then using that company’s information to extract value from end customers via the payment ecosystem.

This has been a growing problem in recent years. An example is the recent case of Worldline’s valuation dropping by more than $500M (40% decrease) due to the firm ignoring warnings and maintaining business activities with prohibited and high-risk customers, effectively enabling fraudulent transactions to continue.

Payment companies need to be proactive in monitoring this risk and aware of any sudden changes through vigilant alerting and review. The reality is that fraudsters will often create genuine merchant activity before committing larger frauds, known as bust-out fraud. This allows them to appear perfectly legitimate during onboarding and early processing activity, enabling them to commit much larger fraud at a later date. Having a solution in place to proactively monitor these changes (like Envisso Monitor) enables payments companies to track website content and behaviour, external review data, transactional anomalies and other key risk attributes using AI-generated insights and alerts, ensuring fraud is detected immediately before money is settled to the fraudulent merchant’s account.

Regulatory and payment network compliance risk

The third risk payments companies have to manage is regulatory and compliance risk. They are responsible for ensuring that they are gatekeepers to the payments ecosystem, and abiding by the requirements stipulated by major networks (Visa and Mastercard) and government agencies. This includes staying on top of anti-money laundering requirements, sanctions screenings and high-risk categories, to ensure the payments system we all operate in is a safe and well-managed ecosystem. To add to this, regulations and requirements are not the same across jurisdictions, meaning cross-regional or global payments companies need to manage many different sets of requirements.

Examples of companies not meeting their regulatory requirements are not always public knowledge; however, several cases exist. One example is the 2019 case where the FTC imposed a $110M fine against Allied Wallet, a payment facilitator, and its executives. In this scenario, the payments company knowingly processed payments for merchant-clients engaged in criminal activities, leading to this massive fine.

There are three key elements to managing this risk effectively:

  1. Ensuring thorough checks are completed when onboarding new merchants
  2. Continuously monitoring the compliance of merchants using comprehensive tooling, such as Envisso’s Monitor solution
  3. Having clear processes to resolve any breaches of compliance requirements when they do occur

Conclusion

Managing merchant risk is a complex business for payments companies of all shapes and sizes. The problems only grow as payments companies expand into new markets, bringing new challenges, types of potential fraud, and regulations. However, with the right controls and risk prevention solutions in place, payments companies can leverage AI and effective monitoring solutions to generate sustainable growth and avoid major losses from merchant-related risks.

If you would like to learn more, reach out to our team.
