How Acquirers Are Assessing Merchant Risk


How Acquirers Are Assessing Merchant RiskMerchant acquirers and payment processors often toil behind the scenes, invisible to individuals purchasing goods and services from an ever-increasing number of in-store and online merchants. But these acquirers and processors (collectively referred to as acquirers here) are facing unprecedented risks across a number of fronts.

Aite-Novarica recently interviewed 20 acquirers across North America and Europe to understand their current risk environment, how it has changed over the past five years, and what concerns they have about the future. The results of these interviews were published in our latest report Managing Merchant Risk: Best Practices for Underwriting, Onboarding, and Monitoring.

The risk profile for acquirers has substantially changed over the past several years due to a variety of industry forces, many of which are beyond their control. Some of those industry forces include:

  • Disintermediation of the typical acquirer-merchant relationship: Historically, merchants would work directly with an acquirer to establish a payment processing relationship. Today, a number of new entities sit between the acquirer and the merchant, such as payment facilitators (payfacs), independent software vendors (ISVs), and marketplaces. As a result, acquirers do not directly interact with the merchants for which they process. Understanding merchants’ underlying business fundamentals and assessing their risk becomes more difficult.
  • Higher fraud losses chasing growth and profitability: Acquirers are under pricing pressures from enterprise merchants, which is lowering their profit margins. To find new merchant relationships that are more profitable and provide growth, acquirers are focusing on small/medium businesses (SMBs) and higher risk merchant categories. However, acquirer fraud losses in these areas are considerably higher. For example, while fraud losses with enterprise merchants are sub one basis point, losses with SMBs average between two and three basis points.
  • Increasing challenges with SMB applications and onboarding: Many small businesses are being started by sole proprietors and young professionals who are heavily influenced by online experiences of digital-first companies. In an effort to attract SMBs, acquirers are having to overhaul their application and onboarding processes to make them digital, streamlined, and efficient while also delivering near-real-time decisions. Gone are the days when humans reviewed each application. Decisions today are mostly automated without human intervention, which is a fraudster’s dream. Leveraging stolen personally identifiable information and creating synthetic identities, fraudsters can easily fly under the radar and obtain processing relationships to begin their attacks.
  • Dynamic nature of fraud and risk: Fraudsters are clever and always evolving their attack vectors. They may nurture a relationship with an acquirer for weeks or months before committing fraud. As such, acquirers need to constantly monitor merchant behavior and transaction activity, looking for deviations from past behaviors and new, suspicious patterns. Fraud and risk assessment no longer ends at the time of the application; it is dynamic and lasts throughout the processing relationship with the merchant.

Acquirers should revisit their control framework to adapt to an ever-changing risk landscape. Modernizing risk frameworks should focus on key technologies to address current limitations and future-proof them.

Acquirers use multiple tools in both merchant onboarding and ongoing monitoring. While point solutions can be effective, they are narrow in scope and function. To unlock their potential, acquirers should identify ways to integrate them via data sharing. Risk signals in one solution can add value to other solutions, thereby increasing fraud detection and reducing false positives.

Some of the interviewed acquirers report opening thousands, and even tens of thousands, of applications monthly. And in the case of a traditional payment processor that caters to payfacs and ISVs, the number of new monthly merchants can grow exponentially. It is nearly impossible to manage ongoing risk across such a large merchant base. It is imperative for acquirers to deploy automated tools that can monitor and assess the risk of behaviors at scale and generate alerts of abnormal activity for further investigation.

Traditionally, acquirers have focused on financial risks and potential fraud losses of their merchant clients. In today’s world, risk has a broader definition. While fraud losses are still important, other forms of risk such as anti-money laundering, sanctions screening, cyber, geopolitical, the acquirer’s reputation, and others are gaining more attention. Tools are needed that are both broad enough to cover multiple forms of risk types and deep enough to do this across very large merchant portfolio sizes.

Concluding Thoughts

The acquiring market is changing quickly, and risk control frameworks need to evolve to keep pace. Legacy solutions that were effective when initially deployed may not meet current needs. Acquirers need to monitor changes in the payment processing industry and adapt their frameworks to effectively manage risk in a diverse ecosystem. By having a robust risk control framework in place, acquirers can better position themselves for the future and allow them to respond to new threats and capture new business opportunities.

Successful acquirers will be those that have best-in-class risk management processes, enabling them to gain market share in higher-margin merchant segments while keeping firm control on the risk exposure of their portfolios. To learn more about how acquirers are adapting to evolutions in their industry, read our full report Managing Merchant Risk: Best Practices for Underwriting, Onboarding, and Monitoring or reach out to me at [email protected] or my colleague David Mattei at [email protected]