Model Risk Governance for Acquirers and PSPs for Fraud

An Expanding Payment Landscape Comes with New Fraud Threats

Today’s consumers have a strictly convenience-first mindset. They expect to use the payment option of their choice easily. At the same time, the number of new payment methods available to consumers has exploded in recent years. Consumers have multiple ways to pay for goods and services from credit and debit cards to mobile wallets to buy now, pay later (BNPL) options, and more. Thanks to the rise of eCommerce and mobile devices, today’s consumers can make even more transactions from anywhere in the world. 

Naturally, merchants want shopping to be as convenient, swift, and frictionless as possible for their customers. But each new payment method has its own complex business models and risks. Acquirers and PSPs must understand each payment type’s complexity and apply the appropriate risk management framework.

Top Merchant Fraud Risks for Acquirers and PSPs

Each new payment type comes with its own unique set of risks. As new payment methods expand, here are the key threats acquirers and PSPs must keep in mind.

• Liability issues: Acquirers and PSPs are not liable when a merchant experiences chargeback fraud. But that doesn’t mean they should wash their hands entirely. If a merchant experiences fraud losses, so do the acquiring organization that supports them. As an acquiring organization, you are providing a service designed to support merchants. If the fraud is too overwhelming, the merchant might even go bankrupt and be unable to fulfill its contractual obligations to its acquiring partner. If chargebacks are too high on card-based transactions, for example, acquirers and PSPs could face fines from payment card networks like Visa and Mastercard. 
• Bust-out merchant fraud risks: Acquirers and PSPs must look out for collusive merchants involved in financial crime like bust-out fraud. Merchants accepting stolen credit cards or seeking advanced settlements from acquirers could be red flags for bust-out fraud. If the merchant files for bankruptcy and disappears, its acquiring partner may be on the hook for its losses.
• Merchants seen as easy fraud targets: Not every merchant is intentionally involved in bust-out fraud, of course. But honest merchants can be easy targets by fraudsters if fraud controls are too lax. If fraudsters realize that it’s easy to get chargebacks or commit first-party fraud, the merchant could see substantial losses. This will ultimately eat into the acquirer’s or PSP’s bottom line.

New Rules for Model Risk Governance for PSPs and Acquirers to Manage Fraud

Here’s how acquirers and PSPs can upgrade their model risk governance frameworks for new fraud threats with machine learning.

Make model risk management part of the process

Some acquirers and PSPs already have a governance process in place. But their processes need to evolve over time to deliver optimal risk strategies while catering to their merchants’ needs. Machine learning technology is critical to helping acquirers and PSPs track these shifts. By paying close attention to how the model behaves in production, acquirers and PSPs can follow chargeback patterns more closely and assess if merchants are behaving as expected. Oversight is critical to ensuring risk models perform as expected and offsets potential fraud losses. 

Ensure the framework aligns with key customer business agreements

When implementing new model risk governance frameworks, acquirers and PSPs must make sure their new models do not violate the agreements they have in place with their existing customer base. For example, some merchants may have a whitelisting agreement or a maximum decline rate built into their contracts. Any new model risk governance framework work must ensure acquirers or PSPs are able to fulfill their existing commercial obligations.

Remember to watch out for your smaller merchants 

Many acquirers and PSPs have a few hundred larger merchants in their portfolios. But they also work with considerably more – if not thousands – of smaller merchants as well. These merchants are not as advanced as their larger counterparts and any spike in transaction declines will largely impact their operations while risk passing under the Acquirers’/PSPs’ radar. A false positive decline rate of 30-40% in a smaller merchant might not change the bottom line for the acquirer’s business but might mean the end of the smaller merchants’ business viability. With any change in model risk governance, acquirers and PSPs must ensure their changes do not harm smaller clients.

Follow industry-based standards for merchant risk

Acquirers and PSPs must also follow how their merchants behave after onboarding to ensure they are not engaging in risky patterns. Acquiring organizations should design their governance framework to ensure that their risk strategy aligns with the level of risk of different merchant category codes (MCCs). MCCs are a proxy to see how much risk a merchant is assuming. For example, a merchant that is onboarded as an online bookshop should have a tailored set of decline rates and a managed level of risk that is much lower than merchants that are selling riskier products (e.g., regulated drugs, CBD products, etc.). This should be continuously monitored to ensure the business properly maps each merchant’s risk level.

As payment methods change, so are criminals’ fraud methods targeting merchants. Acquirers and PSPs need to be able to respond quickly to new risk types. Machine learning solutions are critical to detecting and responding to new patterns. These model risk governance frameworks must also be stable enough to give organizations time to adjust their fraud models quickly to respond to new fraud trends. Any new framework should be stress-tested to see how it responds to new payment methods and new market conditions.