ditor's note: ETA published this white paper April 17, 2006. It is reprinted with permission. Because of limited space, we divided the document into two parts. Part I appeared in The Green Sheet June 12, 2006, issue 06:06:01. You can download the entire white paper at www.electran.org/info/white_papers.asp

Executive summary

The purpose of this paper is to share information and strategies for improving risk management practices and reducing fraud in the acquiring side of the payments industry.

Acquirers are at financial risk from merchant performance in several ways. While many industry initiatives are focused on fraud and identity theft, a significant percentage of the financial loss associated with credit and debit payments comes from organized fraud, business failures, unfunded chargebacks and inadequate monitoring of merchant accounts.

Acquirers need to focus on the performance and financial strength of their merchants as part of their overall risk strategy.

One of the key areas of focus for any merchant acquiring risk management program should be the subset of accounts that can cause the most harm. The higher-volume processing accounts, low-volume/high-ticket retailers, merchants who are prone to chargeback activity and merchants who provide future delivery of products and services can create larger losses if they incur financial difficulties.

Acquirers need to have an effective review of their existing merchants on a regular basis, in addition to a thorough due diligence process for new merchants.

This paper will focus on providing the reader with an overview of the various types of payments fraud existing in the marketplace today and will examine some of the strategies and tactics organizations can consider in order to develop an effective acquiring payments risk management program.

4. Risk mitigation techniques

Some acquirers conduct high-risk reviews by a risk committee in the same way a credit committee may be used to approve accounts. The focus of these risk reviews is to better access merchant performance and financial activity.

While the frequency of the review may vary from merchant to merchant, a good approach is to review well-performing accounts annually, and underperforming accounts quarterly, monthly or when the account has surpassed the merchant monitoring criteria. Most reviews include the following:

4.1. Volume analysis: If a merchant's volume increases 25% or more unexpectedly, it may be necessary to contact the merchant to understand why the volume has increased. Usually, it will be due to unexpected growth of their business. In most cases, it is desirable to re-underwrite the merchant to ensure the volume increase will meet your credit criteria and expectations.

4.2. Product sold: It is important to understand what products and services a merchant is selling. If an acquirer observes a change in the average ticket value (e.g., volumes, credits, etc.), this may be an indication that the business plan has changed, and the merchant may be selling a different product or service.

4.3. Business practices: If a merchant sells a product or service that will not be shipped or provided until a future date, this will add time liability to the transaction. Various regulations allow cardholders to dispute transactions (chargeback) for goods or services not received.

Pursuant to the card company rules/regulations, many of the timelines associated with these chargeback rights do not start until after the expected delivery date of the product or service. For example, if a merchant states in the promotional material, "Please allow four to six weeks for delivery," the chargeback rights for that transaction do not start until the day after the sixth week from the transaction.

This will add additional liability to the merchant's processing. Acquirers need to assess the overall risk for the merchant account based on when the merchant fulfills the order. In the example above, some merchants will not bill the cardholder until the date of delivery of the product or service, which eliminates the additional timeframe risk.

4.4. Ghost shopping: Ordering products or services can provide a genuine indication of how a merchant performs. If the merchant states a product or service will be shipped in two days, and the actual delivery time is three to four weeks, it may help to understand what challenges the merchant has in reducing chargebacks due to nonfulfillment.

4.5. Credit percentage: Monitoring and reporting on a merchant's credit percentage versus their monthly volume may be an indicator of the quality of the product/service sold. It also may be a gauge for the level of chargeback activity increase that may occur if the merchant were to close or file for bankruptcy protection.

While the percentage of acceptable credits will vary from merchant to merchant, credit percentage above 10% to 15% is considered excessive (though some direct marketers, catalogue merchants, and Internet merchants have credit percentages over 30%). This type of analysis is supported by effective know-your-customer techniques.

4.6. Business financial review: The business financial review is generally based on cash flow, asset review and the overall value of the business. The combination of these three elements, as well as other factors, will help assess the overall financial strength of the business.

Analyzing cash flow is important to ensure that fees and chargebacks will be honored when presented to the operating account. Positive cash flow is essential for merchants who conduct future delivery of products and services. A thorough asset review will help determine the ability of the merchant to conduct business. Acquirers should ensure that there are adequate cash, inventory and tangible assets to sustain the merchant activity.

Another key evaluation criterion is the net worth of the business (retained earnings), which is a good indication of the overall financial health of the business. Analyzing the value of the business, the liabilities and the net income help in the understanding of the financial risk compared to the operational risk of the business.

4.7. Guarantor financial review: Understanding the net worth of a personal guarantee will help determine if the guarantee is a strong mitigating factor to the risk of the account. Personal guarantor accounts that have a solid asset base tend to perform better too. Guarantors that are generally well-established in their community are less likely to commit fraud, skip out or not cover their merchant processing obligations.

4.8. Reserves: Once an acquirer or processor understands the risk associated with a merchant account, it is important to weigh the strength of business financials and personal financials (if applicable) to determine the overall risk. To mitigate risk further, consider establishing a reserve account.

Merchants can fund reserve accounts with upfront cash, letters of credit, or fund the reserve over time from daily merchant deposits. Reserves are a great way to mitigate risk exposure and allow an acquirer to accept an account they may not otherwise approve. Knowing how much to reserve will depend on the comfort level with the account.

Many acquirers fund reserves with a percentage of daily deposits (e.g., 3% to 10%) over a period of time. This is called a rolling reserve. Merchant accounts with reserves require continual analysis to ensure that monthly reserves are adequate for the additional risk associated with the account.

4.9. Data security education: When an assessment of the merchant is complete, it is important to educate merchants about the importance of data security and applicable legislation and compliance mandates. Safeguards should be put in place to protect the personally identifiable information of consumers and mitigate the risk of a data compromise.

Moreover, many states have implemented data notification laws in the event a consumer's personally identifiable information is exposed, and it is important that merchants understand their responsibility pursuant to state law.

In addition to federal/state legal requirements, the Payment Card Industry's (PCI) Data Security Standard defines a standard of due care for protecting cardholder data for any entity who stores, processes, or transmits cardholder data. For more information, visit:

• State data security laws: www.electran.org/info/industry_info.asp
• Visa: www.visa.com/cisp
• MasterCard: www.mastercard.com/us/merchant/security
• American Express: www.americanexpress.com/fraudinfo

5. Merchant monitoring

The risk department is responsible for monitoring the merchant's processing to guard against fraud and loss. The monitoring not only protects the company but also protects the merchant from possible fraud and loss. Additionally, through the monitoring process, customer service and training should be provided to the merchant. This enables the merchant to process positively with the additional knowledge and training provided by the risk department.

The risk department monitors the merchant's processing based on certain criteria and patterns. Some of the more common monitoring criteria include:

5.1. Processing limits: The merchant is granted a monthly processing limit. This limit allows the merchant to accept credit card transactions up to that approved limit. The merchant's processing volume is monitored throughout the month to ensure the limit is not exceeded.

5.2. Average tickets: During the merchant account approval process, an average ticket is calculated. This is the average of the prices of the product or service offered by the merchant. Any transaction that exceeds the average ticket is investigated.

5.3. Chargebacks: The number of chargebacks, percentages and reason codes are monitored to ensure compliance with card company rules and regulations. This allows for the profiling of a merchant's processing and business practices, which in turn allows the risk department to work with the merchant to reduce average tickets.

During the merchant account approval process, an average ticket is calculated. This is the average of the prices of the product or service offered by the merchant. Any transaction that exceeds the average ticket is investigated.

5.4. Credits: Credits are monitored to gauge possible loss. The credit percentage and dollar amounts are monitored to ensure compliance with all rules/regulations, and that credits are being performed appropriately to reduce the potential for unnecessary chargebacks.

This also ensures that fraudulent credits are not issued. Credited transactions are also forecasted in the event a merchant declares bankruptcy. Combining credits and chargebacks, an acquirer can estimate how much reserve may be needed to cover any potential loss.

5.5. Batch monitoring: After each day's processing, the risk department will monitor each batch submitted. Numerous items are reviewed including, but not limited to, transactions that exceed the average ticket, excessive authorizations, credit and chargebacks, proper usage of address verification services (AVS), and correct card validation (CV) code acceptance, just to name a few.

5.6. Four D's of monitoring: One approach to remembering the key factors of risk monitoring is to consider the four D's of monitoring - data, document, dial and delivery:

· Data: Review the transactional data. Was the transaction swiped or keyed? Did the merchant obtain a positive AVS response or CV code? Was a valid authorization obtained? Were there multiple authorization attempts?

· Document: Request a copy of a document (sales draft) from the merchant. Review the document for validity. Is the charge correct? Is the charge full payment, a deposit or a split sale? Did the cardholder sign the document? Is there any long-term liability? What are the shipping procedures? Did the merchant get signed delivery confirmation?

· Dial: Request a dial to be performed. A dial is just that: a call dialed to the cardholder and/or issuing bank to verify the transaction. Sometimes it is good to get the merchant involved. Request that the merchant have the cardholder contact the issuing bank to provide fulfillment on the dial request.

Upon receipt of the dial verification, act accordingly. Note the file with the dial results. Contact the merchant, provide results and inform them of the next action (i.e., release of funds, credit, further holds, etc.).

· Delivery: Request a delivery confirmation from the merchant if the sale was not cash-and-carry. Perform a dial for delivery confirmation from the issuing bank and/or cardholder.

For certain business types, acquirers might be forced to require the merchant to request a signed delivery confirmation when shipping product. These business types may include computers, electronics and full furniture suites to name a few. The requirement for a signed delivery should be discussed internally and then be required of the merchant if determined that it is needed.

During the monitoring process, exception items are investigated based on certain risk criteria. Once the issues are identified, the merchant is contacted and issues are discussed. In working with the merchant, the issues discussed may range from requesting a copy of a transaction to analyzing and preparing a chargeback reduction plan.

An effective risk management program will include documentation of the issues and outcomes in order to develop a merchant history.

6. Conclusion/Summary

The key to any effective risk management program is follow-up. Once a merchant is identified as a concern, there is usually additional work to be done. A remediation plan may include obtaining additional information, implementing chargeback reduction plans, obtaining updated financial statements and possibly increasing reserve requirements. In almost all cases a detailed conversation with the merchant is necessary.

The value of a risk management plan is to mitigate the financial exposure to the acquirer. This is done through improved processing performance or increased reserves if the merchant continues to underperform. In most cases, if the merchant understands the financial risk involved, they will appreciate the need for an acquirer to mitigate transactional risk.