Expert Insights: What Would You Do? Best Practices for High-Risk Merchants Using Real-Life Scenarios


By Members of the High-Risk Merchant Working Group • ETA Risk, Fraud & Security Committee

As an underwriter, there are many approaches and questions to consider when onboarding new merchants — and when dealing with high-risk merchants, the scope of scrutiny applied is even more rigorous. The High-Risk Merchant Working Group, which sits inside of ETA’s Risk, Fraud, and Security Committee, has drafted several hypothetical situations that an underwriter onboarding a new merchant might face, with suggested appropriate responses for each scenario.

Scenario 1: E-Gadgets & Copyright Circumvention Gadgets

Hypothetical Scenario: An underwriter is reviewing a new merchant application for a merchant that sells various electronic gadgets. The application indicates that the merchant recently moved from selling on Amazon to a custom Magento ecommerce platform named Gadgets&Gizmos.com. An initial boarding scan of the website shows that the merchant is offering IP circumvention devices called Kodi Boxes on its Magento site. The product description does not clearly state that this is an IP circumvention device, but an underwriter familiar with the product will recognize it as one.

Response: Immediate approval is not recommended. The suggested approach is to have a conversation with the merchant to determine whether they are aware that the devices are IP circumvention devices. If the merchant is willing to remove the devices from the site, and not add new IP circumvention devices, that would be an acceptable resolution to the issue. This merchant should be added to the merchant-monitoring program to verify compliance.

Scenario 2: CBD Companies

Hypothetical Scenario: An underwriter is reviewing a new client specializing in online CBD sales. The application indicates that the merchant has been in business for over 12 months and that processing activity appears normal (including chargeback ratios). The client has provided Certificates of Analysis (COAs) for 10 products. The underwriter noted that they have 10 products each with three different quantity sizes (30 unique products). In addition, certain products available for sale have .5% THC content. The underwriter also noted that one of the products is marketed to support sleep health, and the website indicates that the product can help treat narcolepsy, insomnia, and other sleep disorders.

Response: Approval is not recommended. The current level of THC content in some of the products is greater than the .3% maximum allowable THC content per federal regulations. In addition, the website advertises the product as a medical treatment, which significantly increases the risk of FDA enforcement. The current COAs for varying product quantities may be acceptable, but the underwriter must ensure that the COAs cover all products offered for sale on the website.

Scenario 3: Nutraceuticals

Hypothetical Scenario: An underwriter receives a merchant processing application for the selling of supplements. The product is a diet supplement with an average ticket of $59.95, a high ticket of $135, and requested monthly volume of $100,000. The application states that the merchant has been in business less than a month, so there are no previous processing statements or business banking history. The personal banking statements provided show a minimal balance with small deposits twice a month from a known fast-food establishment and daily-use withdrawals; the only exception is a $500 deposit from the same company (Company A) on each of the provided statements. The URL provided appears to be the normal cookie-cutter supplement site with price points of $6.95 for a travel pack, $59.95 for a single-sale option of the supplement (one bottle), $89.95 for a single-sale option (two bottles), and $125 for a single-sale option (three bottles). The terms and conditions match the price points, there is no indication of trial or continuity, and the refund policy reads as a typical nutraceutical refund policy requiring an RA number. The checkout page does not reflect any deviations from the terms and conditions or price points. The assigned descriptor is generic (reads as XXXXXXXX), and this is reflected in the terms and conditions and at checkout. The search of the business and principal name as well as the business and principal address did not identify any concerns. A check of the application information against the BBB, Complaints Board, and Ripoff Report did not uncover any issues. The only hiccup was the depository account validation: The account was open, but either the business name or owner name did not match. The underwriter spoke to the sales agent who obtained a bank letter to validate the business and principal name. Is the underwriter ready to approve the application?

Response: The simple answer is no. There are still questions about the deposits from Company A and why the initial banking verification did not match the principal or business. Additional due diligence can be done. The underwriter should conduct searches of all provided phone numbers and email addresses as well as social media. The email and phone search can help identify potential businesses tied to the submitted business/URL. In recent cases, email addresses linking to CBD and dating sites were identified, with the same price points and a generic descriptor very similar to the submitted descriptor. Social media sites can also provide valuable information when conducting due diligence on a potential merchant. A search of the Secretary of State (SOS) filing and a Whois search on the URL should also be conducted. These searches will help validate the length of time in business for the merchant and the URL.

There have been cases where the name associated with returns or CRM has matched the name of Company A that is making electronic deposits to the principal’s personal bank account. This should set off flags requiring more research. Finally, when your initial depository bank account verification fails and the merchant provides a bank letter, it is good practice to place a call to the financial institution to confirm. There have been many cases where the bank letter has been modified to cover up a straw scenario in which the principal was being paid to use his identity to obtain merchant accounts. This usually happens due to a MATCH listing for the true principal or in an effort to obtain multiple accounts for transaction laundering of unauthorized products such as CBD or to load-balance disputes.

Scenario 4: Crypto

Hypothetical Scenario: An underwriter is reviewing a new merchant application for a merchant that offers various cryptocurrencies for sale, accepting Visa and Mastercard for payment. The merchant website does not contain details about any restrictions on the sale, does not require users to register an account or provide identification, and supports initial coin offerings (ICOs) for new cryptocurrencies without broad acceptance.

Response: Immediate approval would not be recommended. Mastercard requires all crypto merchants to be researched and submitted to Mastercard for approval before processing on the Mastercard network is allowed. Mastercard rules 9.4.9 require evidence of legal authority, legal opinion that the business is legal (along with continuous monitoring of compliance), third-party certification of effective controls, a commitment to notify Mastercard of changes, and formal acceptance of responsibilities. Before accepting this merchant, the proper due diligence would need to be performed along with approval from Mastercard and registration as a high-risk merchant with all card brands. If the merchant passes all of the due diligence checks for cryptocurrency merchants required by the card brands, then the merchant can be onboarded.

Scenario 5: Content Creator Platforms

Hypothetical Scenario: An underwriter is reviewing a new opportunity for a merchant that operates a platform where content creators can share and post content for subscribers. This is a new business without processing history and lacking a significant user base. Cardholders can purchase “coins” or credits they can use to tip content creators and can enroll in recurring monthly subscriptions for individual content creators’ sites. A review of the terms and conditions does not clearly specify how the merchant monitors and vets creator content, especially livestreaming content, to ensure that it meets compliance requirements.

Response: Although the merchant does meet the criteria to be considered a marketplace as opposed to a payment facilitator (specifically that the merchant of record does not change during the cardholder experience and the merchant is responsible for handling all customer service, fulfillment, and disputes), there remain too many concerns regarding compliance and future delivery exposure. Due to the lack of an expiration policy on purchased coins and the recurring subscription element, the merchant is reliant on the content creators to continue to provide content to avoid cardholder disputes. Additionally, the merchant does not have an established process and procedure in place for effectively reviewing and monitoring content from creators to ensure that no prohibited or illegal content is being generated and broadcast. This would not be an approvable merchant without significant revisions to their terms and reviewable processing history showing that the merchant can manage the future delivery element.