Merchant acquisition has undergone major disruption in the past decade. Acquirers have consolidated, and an entire ecosystem of fintechs have emerged to eat away at those acquirers’ revenues and positions in the market.
Today, we see progressive acquirers branching out to provide new services to merchants. At the same time, the core business has become increasingly challenging. And as with every other link in the payments value chain, new innovations open new doors to financial criminals. The merchant acquiring fraud landscape has expanded rapidly.
Featurespace has years of experience as a technology partner to both merchants and acquirers, and we understand the threats these businesses face.
Below, we outline what those threats are and how merchant acquirers can deploy machine learning to protect themselves from sophisticated scams.
Table of contents
- The role of merchant acquirers
- The risks facing merchant acquirers
- Our merchant acquiring financial crime protection services
- See how we’ve helped other acquirers
- Stop financial crimes, not authentic transactions
What is merchant acquiring?
Merchant acquiring is a key step in processing transactions from card payments. Acquirers act as a link between merchants, card issuers and payment networks. They authorize payments, provide clearing and settlement services, and help manage payment disputes on behalf of merchants.
This is all activity that takes place long after a customer pays with a card and has that payment accepted. Merchant acquirers ensure that the funds from those transactions go to the various stakeholders in that chain. These stakeholders include:
- Cardholders, who pay for their purchases with a card.
- Merchants, who accept payments from cardholders and ultimately need to receive the cash represented in that card transaction.
- Acquirers, who offer payment processing services to the merchant for a fee. Merchants pay that fee so their card transactions will get reimbursed in cash.
- Issuing banks, who hold all of the cash to back up card payment networks.
- Card providers, whose networks facilitate the link between the acquirer and the issuing bank. It’s this connection that ultimately ensures the merchant will receive cash for the card payments they accept.
The role of merchant acquirers
It’s worth looking into all of those payment processing services that merchant acquirers offer because these services can open up various vectors of fraud.
There are a handful of crucial functions that a merchant acquirer performs:
- Merchant onboarding. This is the process that merchants follow when they apply to accept credit and debit card payments. Data flows back and forth among merchants, acquirers and providers during merchant onboarding, and a breach of that data or a fraudulent application can create an opportunity for financial criminals.
- Underwriting. Acquirers underwrite a merchant to ensure the merchant’s financial stability and creditworthiness. They might look at the merchant’s business format or delivery times, for example, to determine how likely it is that a customer would ask for a chargeback. The acquirer will also perform checks for fraud and anti-money laundering at this stage.
- Authorizing transactions. Here’s why merchant underwriting is important in the onboarding stage. Acquirers must ensure that a payment to a merchant is guaranteed and that it won’t be disputed at a later time. Once a transaction receives authorization, the card provider ensures funds are available from the issuing bank so that the merchant can receive cash for this transaction.
- Payment clearing and settlement. The merchant does not receive funds immediately after a transaction is authorized. Instead, the acquirer sends each merchant’s transaction data via the card’s payment network to the issuer, who sends the funds back along those same channels. The acquirer and the card provider both charge their fees at this step.
- Dispute management. Sometimes, a customer will dispute a payment. Acquirers help facilitate the management of these disputes, which could result in a card chargeback or a refund from the merchant. In either case, the acquirer and the card provider tap their same networks to ensure those funds are available from the issuing bank. No one in that payments chain wants to have to ping the issuer for a chargeback or a refund, which is why part of the acquirer’s job is to assess how risky it is to do business with each merchant.
The risks facing merchant acquirers
Financial criminals have sophisticated methods for finding opportunities within the complex transaction flows that merchant acquirers facilitate.
Financial crime in this space is especially dangerous because it can impact each of the stakeholders massively. What’s more, the crime can be hard to detect. Nonetheless, instances of fraud, abuse or money laundering can expose the merchant acquirer to risks that include chargebacks, reputation damage and regulatory action.
Put simply, the stakes are high.
Among the merchants and financial institutions we work with, these are some of those most common risks that businesses face:
Merchant bust-out fraud
This is a type of identity fraud in which criminals apply for credit and debit card payment services, and they knowingly use incorrect data to make their fake business appear more trustworthy.
Once approved, the criminals sell goods to customers without ever actually shipping any product, and the acquirer settles those transactions in the interim. The customers will eventually request a chargeback, but by that point the fraudulent merchant will be long gone, and the acquirer will be on the hook for the money that the issuer paid to the merchant.
This occurs when a criminal gets the credentials of a legitimate merchant and processes payments without the acquirer’s knowledge. In some cases, the merchant is totally unaware that this is happening. In other cases, the merchant might have some knowledge of the crime or even actively be collaborating with the criminal.
In any case, the criminal is using a legitimate business as a front to move things like stolen or illegal goods. This can expose the merchant and the acquirer to heavy criminal consequences.
Exemption management abuse
The European Payment Services Directive (PSD2) has strong customer authentication protocols for acquirers. Most transactions over a certain value require an added authentication step before the payment can be authorized.
However, there are exemptions in the law for certain types of transactions:
- Low value transactions of less than 30 euros.
- Recurring transactions, such as for a subscription in which the value is the same payment after payment.
The acquirer gets to decide whether to apply these exemptions. In doing so, the acquirer will assess what the right balance is between payment security and frictionless customer experiences.
This also puts the acquirer on the hook for exemption management in most cases. They must identify and respond to merchants who display risky behaviors. Continuous merchant monitoring is therefore crucial for acquirers.
Business format change
Acquirers assess each business’s risk and trustworthiness when they onboard. Of course, what each business sells informs that assessment. A walk-up gelato counter, for example, is less likely to experience chargeback requests than a travel agency, and the acquirer will onboard the gelato shop accordingly.
Now, imagine someone opens a business that they claim will sell gelato, then they start selling plane tickets and booking cruises for customers. It’s an exaggerated version of a common scam. Some merchants know they will be subject to tighter controls because of the perceived risk of the business they’re in. So, they pose as a different type of business when they make the application through the acquirer.
It’s up to the merchant acquirer to be vigilant about this type of scam because it’s ultimately the merchant acquirer who carries the financial and reputational risk.
Our merchant acquiring financial crime protection services
Here is where recent developments in merchant acquisition come into focus — and up the stakes for acquirers everywhere.
In October 2021, McKinsey pointed out how merchant acquirers were facing a major opportunity with the growth of small businesses. SMBs grew rapidly during the pandemic, and they are looking for financial services that can bring immediate value to their businesses.
If an acquirer focuses too narrowly on card payments alone, they miss the big picture, McKinsey’s researchers argued. Instead, they need to be offering new payment tools, commerce enablement and services to shore up those SMBs’ balance sheets. It’s a whole financial spectrum of opportunity.
And where there’s opportunity, there’s risk.
Spotting those risks can be difficult, especially at the economy’s current speed of development, and even more so at scale. That’s why in recent years we have seen acquirers invest in fraud and anti-money laundering (AML) tools that offer real-time monitoring, which lets the acquirer spot anomalous behavior as early as the application stage. Bot attacks, duplicate applications, suspicious IP addresses — acquirers need to be able to recognize such threats.
Featurespace goes further with advanced machine learning, which uses behavioral profiling to analyze merchants at the moment of application. Our Adaptive Behavioral Analytics learns what behaviors are normal and which are aberrant, and this allows acquirers to investigate suspicious applications almost immediately.
The ARIC™ Risk Hub protects both acquirers and merchants against financial crimes just like those listed above — bust-out fraud, exemption management abuse, transaction laundering. It does this by:
- Learning what represents normal behavior among merchants.
- Identifying trends that could suggest risky or fraudulent behavior.
- Detecting new types of fraud as they emerge.
- Providing a single interface for managing each and every alert.
See how we’ve helped other acquirers
One Featurespace customer, one of the largest credit card processors in the United States and one of the top acquirers in Europe, reached out to us for help with monitoring transactions and merchant activity.
The company supports payments for more than 1 million merchants and processes more than 3 billion transactions each year. Its teams needed a tool that could scale accordingly.
That customer implemented the ARIC™ Risk Hub, and the results were transformational. The company saw:
- A 98 percent reduction in card-not-present transactions being declined.
- An 81 percent reduction in genuine transactions being declined.
- A 50 percent reduction in fraud losses.
That means more authentic transactions were going through seamlessly, and more instances of fraud were getting caught.
Stop financial crimes, not authentic transactions
The Adaptive Behavioral Analytics in the ARIC™ Risk Hub give acquirers the ability to onboard merchants seamlessly, monitor high-risk accounts and prevent fraud losses without interrupting people’s shopping experiences.
There is no degradation in the model, either. It keeps learning, and keeps discovering types of fraud and other financial crimes as they emerge.