Traditional Risk Scoring is Dead

by internationalbanker

By Ron Teicher, CEO of EverCompliant




An entire industry – card payments acquiring and processing – bases its risk management methodology on chargeback optimization as its main, if not sole, operational target. Simply put, the higher the likelihood of chargebacks for a given merchant category, the riskier the merchant will be considered by a credit card processor or merchant services department.

It is not all about chargebacks. Many acquirers use a risk-based approach to evaluate merchants with fraud monitoring systems. In addition to chargeback volumes, they also look at weak financial conditions, i.e. credit, the failure to operate a valid business, suspicious activity or sanctioned activity, such as AML (Anti-Money Laundering). And yet, the bare definition of ‘high risk’ vs ‘low risk’ businesses is mainly derived from the merchant’s perceived exposure to chargebacks.

Reinforcing the doors while the robbers are inside

In today’s financial environment, many acquiring banks are spending considerable effort on looking at high-risk merchants, whereas illicit activity is occurring, ironically, with low-risk merchants. These ‘low risk’ merchants more often than not go undetected since everything appears to be running smoothly with them. A situation has been created today where acquirers are investing money and human resources into extra locks on their office doors while the windows are wide open, as the old metaphor goes. The technological advances that spurred the proliferation of payment systems, combined with the ease of establishing online merchants, created loopholes for criminals, who can now use ‘transaction laundering’ to process payments for the sale of illicit merchandise and thereby conduct their business uninterrupted.

What is transaction laundering?

MasterCard defines transaction laundering as ‘the action whereby a merchant processes payment card transactions on behalf of another merchant’. One example is when a merchant sets up an ecommerce website for office supplies, or any other low-risk business. It will be labeled with the appropriate MCC (Merchant Category Code), which in this case would indeed be a low-risk MCC. This MCC is associated with selling low cash value items and with low chargeback rates, and the merchant will hence be considered low-risk. However, in a transaction laundering situation, this merchant is actually just a shell merchant used as a front for funneling transactions from a different, unknown, unregistered, high cash value site, e.g. diamonds. The diamond sales will be routed through the payment page of the office supply site and appear as office supply purchases to the processor.

In this example, the customers – the people actually purchasing the gems – are indeed buying diamonds and receiving their diamonds. Since they bought them, they will not cancel the order, and therefore there is no chargeback. However, their credit card statements will read: “office supplies”. The customers will be notified about this purchased item name in advance so that they will be able to identify the transaction in their statement. Chargebacks are irrelevant in this example because the customers received the ordered goods and are satisfied.

What actually occurred in this scenario? A consumer who wanted to purchase diamonds placed an order and purchased the products; the goods were delivered to the consumer; the merchant sold diamonds without going through the AML/KYC scrutiny that is required of diamond dealers. Lastly, the processor facilitated a high-risk AML transaction without being aware of it, as did the card brand. The problem in this example is transparency: since the nature of luxury jewelry commerce is different from the office supply business, the AML processes are different as well.

MCC code violation is only the tip of the iceberg when it comes to transaction laundering. Transaction laundering often masks proceeds stemming from illegal activities such as drugs and weapons trade, illicit pornography, and counterfeit goods. Since transactions are processed through a registered merchant account, MSPs end up unknowingly facilitating this illegal and brand-damaging activity. Once again, transparency is missing here – the true nature of the actual selling merchant is unknown to anyone in the processing chain. Anything can be sold.

Even with illicit goods, the pattern is the same: no chargebacks. When someone purchases marijuana or views child pornography, he or she is actively seeking that product or service.

Why are acquiring banks missing the real risky merchants?

As mentioned above, with traditional scoring, banks consider emerchants risky when there is a higher statistical likelihood of chargebacks, poor credit or poor financial liquidity. The background behind these three issues is varied, but irrelevant when trying to predict who will commit transaction laundering.

Here’s the catch. Think about a bank customer who is a fraudster but is applying for a loan. In almost all circumstances, the bank will approve the loan based on a good credit score. Fraudsters know the system well and will make sure that they appear to be honorable consumers. They won’t risk having their application rejected on the basis of bad credit. Transaction launderers employ similar tactics. They learn and know the system well, from setting up merchant commerce sites and payment pages to obtaining approvals from relevant payment processors. One of the reasons it is so easy for them is that there is no cause for suspicion. Transactions appear legitimate and all customers are happy.

Shifting the focus

I would recommend that acquiring banks shift their focus from their “high-risk” clients, i.e. high chargeback rate emerchants, to their entire merchant portfolio, particularly the low cash value, seemingly innocent emerchants. The last few years have indicated that transaction launderers are not only spread across the portfolio, but are actually focused on the “low-risk” types.

This may require a solution provider who could monitor all merchants and see the related entities and websites connected to their networks. The sheer magnitude of data makes it difficult to detect and extract what is needed to make action-based decisions regarding the merchants. However, one thing is clear. Traditional risk-scoring tactics are not effective for preventing transaction laundering. It’s time to take other measures to detect risky merchants before the new criminals spin into motion.
