Containing E-commerce Risk in Merchant Underwriting

Risk and opportunity are intertwined – one cannot exist without the other. Consequently, the best performing companies are the best at managing risk. This is because businesses that are confident in managing their risks are also more confident in taking calculated decisions to grow and prosper. Nowhere is this clearer than in e-commerce merchant acquiring. Huge opportunities and huge risks exist in this space, which makes adequate balancing of reward and risk very important. 

E-commerce merchant risk

Payment card acquirers guarantee merchant sales at the time of the transaction. They accept the financial risk for liability arising from such a guarantee. Therefore, determining whether the merchant and its owners are a good risk is a crucial part of merchant underwriting and on-boarding.

Many of the risks posed by e-commerce merchants are common to all types of merchants. They include credit, business failure, fraud and data compromise risks. However, the e-commerce channel creates new risks, while also adding additional time pressure on old ones. For example, merchants must not sell goods/services that are illegal, restricted (e.g. proof of age or prescription required) or prohibited by the card schemes. Moreover, sales and marketing practices cannot render the transaction illegal (e.g. misleading claims and negative option sales). However, the cross-border nature of trade and anonymity online exacerbate the risks posed by criminals, unscrupulous merchants and shady cardholders. Transactions must be legal in both the buyer’s and seller’s country to be entered into interchange. ,

Determining the legality of transactions is easier said than done for a sales channel that is global by default. In brick-and-mortar acquiring, it is simple to conduct a site visit to verify that the merchant is conducting a legitimate business, inspect stock, signage, premises and so on. But for e-commerce merchants, ascertaining whether merchants are running a bona fide business and the true nature of the goods and services sold is more difficult. Similarly, while acquirers may have access to credit bureau reports and financial records in domestic markets, performing cross-border due diligence of merchants may be more difficult.

Mad, bad and dangerous to know

Acquirers must contend with cardholder and criminal deceit. Cardholders may dishonestly initiate chargebacks in cases of buyer’s remorse or friendly fraud. Similarly, criminals may commit account takeovers and data compromises against merchants, causing their acquirers to also suffer financially.

However, it’s not just second- and third-party fraud that acquirers must worry about. The unpleasant truth is that merchants can also be dishonest. They may seek merchant acceptance and access to the financial system with the explicit intention of laundering money or transactions or cheating and stealing from their acquirer.

Some merchants are mad, bad or dangerous to know. Web Shield research has found that 17% of merchants don’t disclose all their websites to their acquirers. They simply create new websites or sell new products without informing their acquirer. This is non-compliant aggregation. Alternatively, these merchants aggregate transactions from a different merchant or website under their own merchant account, without the knowledge or permission of their acquirer. This is illegal aggregation, a growing trend in payment fraud.

Merchants also translate real world deceptions onto the online space. For example, after a period of normal trading, a merchant deposits a large volume of illegitimate transactions, withdraws the cash and disappears, leaving their acquirer to cover the chargebacks. This specific example is a form of bust-out fraud. However, refund, own card and transaction inflation frauds are all real-world fraud schemes that can be and are perpetrated by online merchants.

How to underwrite

What can be done given the nature of e-commerce risks? Merchant underwriting, just like a merchant’s risk strategy and risk appetite, is a balance between risk and reward. Acquirers should not turn business away simply because it does not fit the cookie-cutter template of a “good” merchant.

The basis of good underwriting is good due diligence. That is to say, reviewing the merchant’s application form, website(s), location and operations. This involves thoroughly evaluating the background of the merchant’s business and its owners. Underwriters must check the functional set-up and disclosures made on a merchant’s website(s). What is being sold, to whom, how and where? Placing and returning a test order will flag anything unusual around product quality, delivery, sales and marketing practices and so on. This must then be cross-referenced  with information supplied by the merchant and that is independently verified.

Due diligence also extends to the merchant location. Unscrupulous merchants can establish themselves in new locations quickly, overnight in some cases. Underwriters should be aware of merchants trying to set up “shell” companies with the intention of cheating and stealing from them.

Where does the merchant do business and pay taxes? Where are the owners located? Is the business registered in the same place as the merchant’s correspondence address? Where are their customers located? Is this consistent with the language of their website and marketing materials? These are all questions an underwriter should ask.

Continuous merchant monitoring

Underwriting doesn’t just stop at the merchant on-boarding stage. Monitoring is a crucial component of underwriting. After all, it is not until merchants start depositing transactions that acquirers can know if their initial risk assessment was correct. Monitoring allows acquirers to re-evaluate their merchants, as well as determine the strength and accuracy of their own approach.

There are no silver bullets with risk management. Instead, it is best to develop a layered or matrix approach to managing risk. The protection afforded across the combination of various layers or stages becomes greater than the sum of its parts. Ongoing monitoring is part of this layered approach. It provides  multiple chances for acquirers to check that the merchant risk was correctly assessed in the first place  and that it is still applicable.

Continuous monitoring of merchants is necessary because anything and everything can change in the merchant’s business, the acquirer’s business or the economy in general over the course of the underwriting relationship. This ranges from trade sanctions at the macro level to card scheme rule changes. For example, Visa has recently ruled that from December 2018, unlicensed and unregulated trading platforms for binary options, rolling spot forex, financial spread betting and contracts for difference are considered gambling merchants. This impacts acquirer risk assessment, risk management and pricing for the client.

When everything is changing, acquirers need to stay up-to-date and that means both in terms of staff activities and in terms of technology.  Web Shield research shows that 57% of e-commerce merchants change their offering within a month of securing merchant acceptance. 80% of e-commerce merchant non-compliance is found deeper in the merchant’s website – sub-page level 6, to be precise. As these figures show, it is just not feasible for underwriters to stay up-to-date by manually reviewing webpages. The workload would be immense.

An automated system has become indispensable to underwriting in the digital age. It improves both the speed and accuracy of anomaly detection, can analyze thousands of data points and compare them against own and peer data sets to identify patterns for review. This helps contain losses and minimize false positives. Web Shield, where I work, is one such provider. Our on-boarding and monitoring solutions are built to be flexible: Clients can customize every step of the way to fit their needs – or put their trust in the hands of our experienced underwriters. Other actors in the field include the US-based G2 Web Services who pioneered the area of website monitoring and Israeli EverCompliant, whose focus lies on transaction laundering prevention.

Network and get training

However helpful automated tools may be, the future of merchant underwriting still involves humans as well as machines. Acquirers’ underwriting staff must constantly keep abreast of industry developments. They are the humans behind the machines. Constant education and knowledge exchange with peers is at least as crucial to managing risk as developing technological solutions. That is why my company runs the Web Shield Academy, to train merchant underwriters of all levels to better manage risk in their client portfolio. Don’t miss our networking conference, RiskConnect, to be held November 29-30 this year in Frankfurt. For more details on the speakers, agenda and rates take a look at

Viewed 1,048 times / 1 views today
Tagged with:
Posted in:
Author: Christian Chmiel

Christian A. Chmiel, the Chief Innovation Officer and founder of Web Shield, is responsible for the development and implementation of investigation techniques to identify fraudulent or brand-damaging online merchants. He is also a lecturer at the Web Shield Academy and has published several books about fraud, investigations and underwriting.