How much information in a payment acquirer’s merchant portfolio is missing or just plain wrong? Our data shows that it’s likely almost half. Yet, many acquirers still take the information provided to them at face value.
Given that bad merchant data is so prevalent, it should matter greatly to acquirers, perhaps more than many realize. Assigned dollar value to the increased risk and potential for card brand assessments can easily reach millions.
Where Do Acquirers Feel the Pain of Wrong Merchant Data the Most?
All payment acquirers monitor merchant portfolios. However, their thoroughness and effectiveness varies widely. This can be due to the portfolio size, complexity of merchant businesses, technology limitations, and the acquirer’s own perception or tolerance of risk.
Any one of these factors can obscure lurking risks and result in significant financial damage for an acquirer. In the wake of 2023 updates to card brand standards, assessments have been on the rise. Some acquirers feel blindsided by staggering amounts, which are reaching seven figures.
Where are some of the greatest risks hiding? Our analysis of 2022 assessment trend data from North America showed more than 40% of all assessments stemmed from illegal pharmaceuticals—and this is on pace to rise considerably in 2023. Since the pandemic, there are significantly more online pharmacies compared to a few years ago. Among the legitimate businesses, industry experts estimate that at any given time, there are also between 30,000 and 40,000 active illegal online pharmacies. What’s more, there is a growing segment of merchants that attempt to hide drug sales within e-commerce sites or bad actors laundering transactions through innocuous-looking shell sites.
Other key categories where acquirers are feeling the pain of assessments are illegal or miscoded gambling, selling unauthorized goods and services, high-risk negative option billing, and animal welfare.
The reality for payment acquirers is that they may not commit the crime, but they will pay the fine. Violative and illegal transactions hide beneath inaccurate merchant category codes (MCCs) and the penalties compound based on the number of instances and length of time. When it comes to the financial consequences for violative transactions, it’s payment acquirers that bear the risk, and there is often much more risk than is readily apparent. Payment providers must respond accordingly by acting quickly when it comes to verifying merchant codes in their portfolio and maintaining oversight.
Finding Fraud Requires Minds and Machines
MCCs play a central role in risk management for payment acquirers, but only if they are accurate. The reasons for wrong MCCs are multi-fold—some innocuous and others intentionally deceptive. A common example of unintentional error involves a merchant that provides an MCC that is initially accurate but becomes less so over time as they expand their offerings beyond the code’s original definition. For example, a merchant may purposely conceal riskier transactions to garner a more favorable rate with payment processors or to hide illegal activity. Sometimes, these merchants present benign-looking shell businesses to hide transaction laundering.
Payment acquirers must engage in continuous merchant monitoring, but often find themselves overwhelmed by the volume of potentially suspicious activity. As soon as the pendulum of information swings too far, acquirers lose the ability to quickly and appropriately take action. That’s why the most effective approaches blend artificial and human intelligence.
Leveraging automation helps payment acquirers to quickly capture all possible existing and potential violations. This broad dataset provides the foundation upon which to layer human intelligence. Expert analysts who live and breathe merchant risk monitoring make connections between data points that signal dangerous patterns. This critical human review of AI-driven data culls false positives and identifies the real risks for acquirers to act upon.
In one recent example, an acquirer submitted a merchant with a missing URL for monitoring. Automation technology matched it to a website for a purported bookkeeping service. Further investigation by a human analyst found the site shared registrant data with a confirmed launderer, which further revealed the site was running payments for DEA-scheduled drugs as part of a larger transaction laundering ring. Researching a single missing URL unearthed a web of illegal activity. The result of pairing minds with machines allowed the acquirer to stop processing payments immediately.
Since the size of an assessment is influenced by both the number of occurrences and length of time, it is critical that acquirers be armed with accurate information to take fast action to mitigate risks and the potential financial consequences.
While the topic of wrong merchant data can warrant lengthy discussion, but it’s evident that payment acquirers should care a great deal. The solution is to join the speed, scale, and consistency of technology with the critical thinking and contextual understanding of humans to protect themselves from often-hidden, ever-changing risks.
