The ABC of Underwriting – Part 1
In the first of a two-part series, Web Shield’s Andreas Stedry leads us through the alphabet of merchant underwriting for acquiring banks and payment service providers (PSPs).
Underwriters and risk analysts must stay flexible and learn quickly if they want to succeed in the fast-paced world of payments. At the same time, there are some things in underwriting that never change. The ABC of Underwriting summarizes both.
A is for address.
Establishing the address of prospective merchants is integral to customer due diligence. Where does the merchant do business and pay taxes? Where are the directors located? Where is the business registered, and is it the same place as where the merchant has an address for correspondence and judicial process?
Does the address even exist? In 2017, Visa updated its merchant location rules to clarify that a merchant must have a physical location, i.e. an address, not merely a virtual one. Physical locations cannot include a post office box, mail-forwarding address, or one associated with a law firm, agent, or vendor.
Sometimes verifying the location can be as simple as reviewing a Google Street View image. If the merchant is claiming to sell furniture from a large showroom, and the address is an apartment complex, then even this simple check has paid off.
B is for billing descriptor.
There must be a direct relationship between the merchant and the billing descriptor that flows through on to the cardholder statement. This helps prevent unnecessary chargebacks for transactions the cardholder does not recognize. An unclear billing descriptor may also indicate to the acquirer that the merchant is aggregating transactions or using undeclared third parties.
C is for contact details.
Be wary if you notice contact details that should be unique to one merchant, such as telephone numbers, fax numbers, e-mail addresses or Skype names, shared across various websites. Shared contact information can be an indication of third-party billing or miscoding, so it is important to understand what other businesses or merchants are connected with the contact details.
D is for deceptive marketing.
Deceptive marketing tricks potential customers into purchasing something they don’t really want. This may include false advertising, pre-ticked boxes for ongoing subscriptions or ‘free trials’, high-pressure sales, hidden fees, misleading illustrations, and so on.
Deceptive sales and marketing can render any card transaction illegal, even if the goods and services sold are perfectly legal. Every merchant type is susceptible, because it’s not what the merchant sells, it’s how they sell it that creates acceptance risk for acquirers and PSPs.
E is for entity.
Generally, there is more to an entity than just its name and legal form, although sometimes both are enough to identify a fraudulent merchant with a simple Google search. Beware of so-called clone companies, especially in the financial services sector, which fraudulently piggyback on the licenses of legitimate firms.
F is for fake profiles and reviews.
Fake profiles are still common practice in the dating sector. If a dating website generates most of its turnover by using chatbots or fake profiles, we’re back to the issue of deceptive marketing and potential chargebacks. Even if the use of professional chatters is mentioned in the merchant’s terms and conditions, this can nevertheless cause a high number of chargebacks and might still be illegal in many jurisdictions with stricter customer protection laws.
Fake reviews can trick cardholders into believing a product or service is high-quality. Many fake reviews can be identified with a simple Google search or image reverse search on the reviewer’s profile picture. Underwriters should verify customer testimonials whenever they get the chance.
G is for geolocation.
Geolocation is the process of identifying the geographic location of a user when accessing a merchant website. In the context of underwriting, it sometimes makes sense to test if website content changes depending on the user’s country. Test this by changing the IP address from which you access a website. This may also reveal whether a merchant blocks users from countries where their goods and services cannot legally be sold.
H is for high-brand risk merchants.
Merchants can create higher-than-average risks for card schemes and acquirers because the nature of their business exposes them to higher content, reputational, money laundering or transaction laundering risks. Gambling, pharmacy, tobacco, adult content, cryptocurrency and cyberlocker merchants are all examples of those listed on the card scheme compliance programs.
For an exhaustive list, be sure to consult the Mastercard Business Risk Assessment and Mitigation Program, or BRAM for short, and the Visa Global Brand Protection Program, or GBPP. It’s crucial for underwriters to follow all updates to these programs to avoid missing any important information.
I is for Internet Watch Foundation.
As underwriters, we work to ensure merchants comply with card scheme rules as well as prevent potential reputational or financial damage to our organizations. But in my opinion, we also have a personal responsibility.
The Internet Watch Foundation is a registered charity based in England. Its aim is to remove child sexual abuse content from the internet, no matter where it is hosted. For that, they employ and develop cutting-edge technological solutions in cooperation with the private sector.
Whenever you underwrite an adult, dating or even a photography website, where you have doubts about the age of people shown, please take the extra minute to submit a report to the IWF. Even if only one of the images you report leads to criminal consequences for the content producer and help for the victim, it would definitely have been worth it.
J is for John Doe.
John and Jane Doe are common placeholders for unknown individuals. We sometimes encounter them in underwriting in the shape of nominee directors, front men or women who are paid to act as directors of a company on paper.
Nominee directors can be used to provide anonymity, conceal beneficial ownership and disguise the origin and audit trail of funds. They can also be used to hide directors’ involvement with past scams. So, when researching individuals, always look beyond complaints, lawsuits and a clean sanctions list check. For example, does the social media profile of the individual’s lifestyle match their business turnover?
A typical indicator of a shell company, especially in combination with a verified virtual address, is a director with a lot of further appointments. As an underwriter, always look for the real people behind a John Doe.
K is for knuckle-buster.
A knuckle-buster is an old manual card imprinter, which merchants used to record card sales before the advent of electronic point-of-sale terminals. It’s a fun fact that shows how far and how fast the payment industry has evolved during the last decades. Imagine a world with the card transaction volume of today recorded through manual devices!
L is for license.
Certain businesses require a license to operate, typically if merchants are engaged in gambling, pharmaceutical sales or financial services.
If you receive a copy of the license directly from the merchant, it might look fine at first glance, but always take a deeper look. What kind of license is it? Is it real? How good is the reputation of the regulatory body? And what’s the validity of the license?
M is for monitoring.
An underwriter’s work does not stop at the on-boarding stage. Continuous ongoing monitoring helps ensure long-term compliance.
After all, it’s not until the merchant starts to deposit transactions that you can evaluate, first, whether they are using their account according to the purpose and intended nature they declared at boarding and, second, whether your assessment of the risks they pose is still appropriate.
Content and transaction laundering risks should always be of the highest priority for any monitoring regime. You can expect fines and sanctions by the card schemes if any issues aren’t rectified immediately. Reputation risk comes next. Ignoring alerts in this area may have a negative financial impact. Yet further investigation or a discussion with the merchant can often solve these issues.
Although AML, financial, and transaction risk can be classified as a lower relative risk, always investigate alerts further, especially when it comes to sanctions or PEP list hits.
Adapt your individual monitoring regimes based on the information from your initial merchant due diligence. And consider it in the context of continuous regulatory monitoring to ensure the rules and laws you are operating under are current.
About Web Shield
Web Shield, a ZignSec company, has been equipping the payments industry with tools to protect businesses from merchants involved in illegal or non-compliant activities since 2010. Our highly precise solutions enable acquirers, PSPs, and other financial organizations to evaluate new merchants and monitor existing ones, thereby saving both time and money.
Web Shield also organizes RiskConnect, a networking conference for risk management professionals. Delegates can access hours of great keynotes, presentations, and panels featuring industry experts online for free from 26 October 2021 and 12 months thereafter. Registration is now open.
SPONSOR DISCLOSURE: MAC is an independent, sponsor-supported membership organization. MAC has relationships with multiple card brands and industry vendors, but those relationships do not span the universe of possible solution providers within the industry. The article that appears in this blog post is from an organization from which MAC receives financial support. This blog post does not represent an endorsement by MAC of a product or service. Outside of defined sponsorship activities, MAC requests that content for our blog be educational in nature, but acknowledges that on occasion some educational content may also contain promotional material.