Page 36 - gs251102
Insights and Expertise
Merchant monitoring efficiencies
– Rules are not the answer
By Ken Musante
Napa Payments and Consulting

For decades, acquirers and processors have relied on static rule-based systems to manage merchant risk. But the world has changed and so, too, must our tools. Most parameters are set either at the merchant level or the portfolio level. These are static rules and updates are manual. For example: If a transaction is over $5,000 and the merchant was acquired less than six months ago, provide an alert.

The limits of rule-based monitoring

As processors scale, they often develop custom rule-based systems tailored to their risk profile. Doing so allows for a solution better tailored to their own portfolio and risk tolerance. Updates are easier and reporting is superior.

Because the system designers fear missing fraudulent activity, these home-grown rule-based platforms typically over identify alerts. After all, a designer reasons, it is better to over identify and allow a human to intervene than under identify and risk missing the fraud entirely. Lost in that thought track however is how over-identifying leads to extra work, which requires extra staff.

Over identification of alerts along with substantial manual work to weed out false positives was the norm. Now, however, with the application of AI, we can have continual refinement to lessen false positives and properly identify anomalies to minimize losses.

If it were easy, everybody would be doing it

Processors have a heavy burden. They must adhere to their acquirer bank requirements and the card networks' requirements. Visa lays out requirements within its Visa Acceptance Risk Standards (VARS) the three risk domains: business, operational, and legal and regulatory. All acquirers, and by proxy, their third-parties must comply with this document.

Business risk is based on the processor's risk profile and policy framework. For example, how aggressive or risk averse is the processor? Are team members well trained, and do their procedures comply with their policies? Operational risk, including financial risk, is what monitoring is most directly mitigating. Legal and regulatory risk is critical, but similar to business risk, is intertwined with how the processor does business.

Onboarding standards

Within VARS is an onboarding requirement. Acquirers must have an onboarding standard that enables risk-

Why AI matters now in acquirer risk management

The shift from static, rule-based monitoring to adaptive, data-driven intelligence isn't just a technological upgrade. It's becoming a competitive and compliance imperative.

Rule-based systems helped define the early era of merchant risk management, but their inherent limitations are more visible than ever: they depend on manual updates, generate excessive false positives, and struggle to engage with the multidimensional risk signals that acquirers are now expected to evaluate.

AI changes that equation. Instead of relying on fixed parameters that flag only known patterns, AI models learn from historical activity, continuously refine their understanding of merchant behavior, and highlight anomalies that simply wouldn't register in a static environment. This cuts down on noise, enabling analysts to focus on the outliers that genuinely matter.

Importantly, AI does not eliminate the need for experienced risk professionals. It enhances their decision-making, absorbing the heavy lift of pattern recognition, cross-referencing onboarding data, and surfacing deeper insights across thousands of variables. With VARS requirements growing more rigorous—and with processors accountable for business, operational, and legal risk—AI provides both scale and auditability that rules alone cannot match.

Acquirers that integrate AI into risk-based underwriting and monitoring will be better equipped to minimize losses, satisfy auditors and support sustainable portfolio growth.
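
An added example, not from the article or from any vendor's product: it runs the article's sample static rule (over $5,000 and acquired less than six months ago) beside a per-merchant baseline built from each merchant's own history, using median and median absolute deviation as a simple statistical stand-in for the learned models the article describes. The merchant names, amounts, dates and the threshold of 6 are constructed assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample data: merchant -> (date acquired, historical ticket amounts in USD)
MERCHANTS = {
    "equipment_dealer": (date(2025, 8, 1), [6200, 7400, 5900, 6800, 7100, 6500, 7300, 6000]),
    "coffee_shop": (date(2023, 3, 15), [38, 42, 35, 51, 40, 44, 37, 46]),
}
# Constructed new transactions: (merchant, amount, transaction date)
NEW_TXNS = [
    ("equipment_dealer", 6900, date(2025, 11, 3)),   # routine for this merchant
    ("equipment_dealer", 48000, date(2025, 11, 4)),  # far outside its history
    ("coffee_shop", 3500, date(2025, 11, 4)),        # under $5,000 but abnormal here
    ("coffee_shop", 43, date(2025, 11, 5)),          # routine
]

def static_rule(merchant, amount, txn_date):
    """The article's example rule: over $5,000 and acquired less than six months ago."""
    acquired, _ = MERCHANTS[merchant]
    months = (txn_date.year - acquired.year) * 12 + txn_date.month - acquired.month
    if txn_date.day < acquired.day:
        months -= 1  # the current month has not completed yet
    return amount > 5000 and months < 6

def baseline_rule(merchant, amount, threshold=6.0):
    """Flag amounts far from the merchant's own median, scaled by MAD (robust z-score)."""
    _, history = MERCHANTS[merchant]
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid dividing by zero
    return abs(amount - med) / (1.4826 * mad) > threshold

def compare():
    """Return (merchant, amount, static alert?, baseline alert?) per new transaction."""
    return [(m, amt, static_rule(m, amt, d), baseline_rule(m, amt)) for m, amt, d in NEW_TXNS]

if __name__ == "__main__":
    for merchant, amount, static_hit, baseline_hit in compare():
        print(f"{merchant:17} ${amount:>6,} static={static_hit!s:5} baseline={baseline_hit}")
```

On this constructed data the static rule alerts on the new high-ticket merchant's routine $6,900 sale and stays silent on the coffee shop's $3,500 sale, while the baseline does the reverse; both alert on the $48,000 sale.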

