Merchant Monitoring Case Study: Why Underwriting Isn't Enough

This article originally appeared on The Paypers. It was updated on 18/10/2024. It was updated in October 2024 to reflect new trends and modern practices.

It’s a common misconception that when an acquiring bank or other payment providers want to onboard a merchant, the only thing required is thorough underwriting. In reality, merchant underwriting is just the first step of an ongoing customer due diligence (CDD) process that results in a profitable and risk-conscious portfolio. Often monitoring that merchant is as important as getting them through the door.

To illustrate this, let’s examine a practical example. Due to confidentiality reasons, it is fictionalised here, but it draws heavily from real-life cases that Web Shield’s underwriters investigated.

Understanding a merchant’s business model and risk profile

Consider a common scenario faced by merchant underwriters. A nutraceutical (food-derived products that offer health benefits) merchant requests payment card acceptance. These merchants are typically seen as moderately risky, requiring careful scrutiny.

Merchant underwriting is the bedrock of customer due diligence.

The merchant underwriter then follows best practices for this merchant type and asks the following questions:

• Are all product ingredients named and approved by the corresponding regulator (e.g., the U.S. Food and Drug Administration or the European Commission)?
• Does the merchant make medical claims in their marketing material or on their website? Are the claimed benefits backed by clinical studies?
• Are there prescription drugs listed on the website?
• Does the merchant offer "risk-free trials" or operate a subscription service?

In our example, nothing suspicious was found. The nutraceuticals sold were above board, their marketing material did not include problematic wordings, and the website was set up as a standard eCommerce shop.

The challenge of underwriting recently incorporated merchants

Complicating the investigation was the fact that the merchant had just incorporated and launched a new website. Although this is a common scenario, this makes the merchant’s digital footprint minimal and complicates the investigation.

Newly incorporated merchants are a challenge but there is always something to investigate.

Still, there are various avenues open for underwriters to explore:

• Corporate officer background research: Underwriters might dig into the backgrounds of the people behind the company, looking for any history of fraud or illegal activities. However, experienced fraudsters often use strawmen to hide their real identities.

• Contact details check: Investigating contact details such as phone numbers, addresses, or emails can sometimes reveal connections to networks of fraudulent websites.

• Incorporation country: The country of incorporation can also be a red flag, especially if it’s a secrecy jurisdiction known for obfuscating ownership structures.

Our underwriters used tools to look into all of the above but despite these efforts, the initial investigation did not reveal any immediate red flags. Our example merchant appeared compliant, offering only one-time sales with a product portfolio meeting regulatory standards. In an ideal world, this would suffice. Unfortunately, some merchants change their business over time

Spotting irregularities with the right merchant monitoring setup

Especially for recently incorporated merchants, setting up monitoring is crucial.

On digital platforms, things can change from harmless to illegal very quickly. Take our example merchant: After a few months, their website’s visitor traffic started to pick up. This was natural – they had only recently started their business, after all. What was suspicious was the traffic’s source.

A traffic and backlink analysis revealed that users were funnelled to the merchant’s online shop via affiliate websites with a questionable marketing strategy: pop-ups on shady websites that weren’t even advertising nutraceuticals. Instead, they promoted a lottery which claimed that for a marginal amount of money, you could improve your chances of winning.

Fraudulent merchants are a moving target, always inventing new fraud schemes

Any visitor gullible enough to fall for this scam was sent to the merchant's payment page where they unwittingly signed up for a nutraceutical subscription with their credit card – all the while thinking they were just a click away from their big win. Apart from the illegal pay-to-win lottery scheme, this is deceptive advertising, enabled by a change in the merchant’s terms and conditions that modified their one-time sales model to a subscription.

What happens if a merchant goes rogue

Not surprisingly, this change in the merchant's modus operandi also led to many new complaints by customers who didn’t know they were signing up for a nutraceutical subscription. This was also reflected in a drastic decrease in the merchant’s Better Business Bureau ratings.

Buyers will make their voice heard if they feel duped - with bad reviews, chargebacks. or both.

What’s more, chargebacks took a sudden hike. This had two reasons: the merchant’s fraudulent marketing strategy and their misleading billing descriptor. The billing descriptor didn’t even name the merchant or website but directed baffled customers to a non-descript support website with a customer service hotline that was virtually unreachable around the clock.

Shifting to a new business model

It's important to recognise that some businesses do not maintain a static model. For instance, subscription businesses can be particularly challenging. The FTC recently underscored this by mandating that sellers must make it as easy for consumers to cancel subscriptions as it was to sign up.

Nutraceuticals, in particular, can easily transition into a subscription-based model, which underwriters must be aware of. When a merchant does so, the risk profile can change significantly. Subscription services often experience higher chargeback rates and increased customer dissatisfaction, particularly if the terms are unclear. Moreover, deceptive marketing tactics – such as misleading "risk-free trial" offers – can exacerbate these issues. This transition may also introduce new merchant category codes (MCCs), such as 5968 (Direct Marketing – Subscription), which can trigger high-brand risk registration obligations with the card schemes.

As a result of this shift, ongoing monitoring becomes essential to ensure compliance and mitigate potential risks associated with deceptive practices.

The role of service providers in merchant monitoring

Underwriters should catch all of the above before it's too late, chargebacks go through the roof and Mastercard or Visa’s warning letters start to arrive. The problem is that this kind of monitoring is not easily accomplished without technical solutions – and most existing ones only offer a simple keyword scan on the merchant's website. When it comes to complex problems like deceptive marketing, we need analysis that takes more than one factor into account and empowers underwriters and risk professionals.

Fortunately, the industry is becoming aware of the problem and Mastercard Merchant Monitoring Service Providers like Web Shield have stepped up to the plate with solutions to this problem.

‍