Best practices in merchant onboarding, KYC and monitoring

Tags: Business verificationCustomer onboardingFraud prevention
Merchant onboarding

If you’re a merchant acquirer or payment service provider (PSP), onboarding merchants is essential for continued growth. Of course, you want more merchants, bringing in more transactions. However, onboarding questionable merchants that are likely to authorize fraudulent transactions only results in charges and losses that impact your bottom line.

The global payments space is growing rapidly and constantly evolving as fraudsters become more sophisticated and fraud attacks increase. So, how can you balance these trade-offs, ensuring that you can quickly and seamlessly onboard good merchants while preventing bad merchants from harming your business? The Balancing Risk and Return: Best Practices in Merchant Onboarding and Monitoring report by the Aite group examined the best methods and technologies that you can use now to improve risk assessment, monitoring and management.

As the COVID-19 pandemic has dramatically increased use of digital channels globally, there’s also been a corresponding rise of micro-merchants, who are more used to quick and convenient consumer onboarding. Getting merchants onboarded and transacting quickly delivers a positive initial experience to help enable long-term success, but it’s essential to make sure that onboarding processes are also thorough and prevent bad actors entering your payments system.

Before jumping into the report, let’s consider other, related best practices. For U.S. banks, the Office of the Comptroller of the Currency (OCC) provides Risk Management Guidance. One of the major recommendations of the guidance is to

Adopt risk management processes commensurate with the level of risk and complexity of third-party relationships.”

Merchant risk management

This risk management approach is very applicable for onboarding merchants:

  • What is the transaction level of the merchant and its network?
  • What industry and segments does it do business in?
  • What transaction amounts and range?
  • What channels will it use?
  • What countries does it operate in?
  • What resources are necessary to properly vet and monitor the merchant?

As not all merchants are the same, the level of risk and amount of due diligence checks necessary change accordingly.

Consider so-called high-risk industries, like gaming, online brokers or foreign exchange. While these industries do offer the potentials of huge transaction volumes, the amount of money that flows in these industries is also very attractive to money launderers and fraudsters. Understanding the risks and the necessary countermeasures is a key factor in determining the right level of onboarding friction.

While there are differences in the level of due diligence, there are standards that must be met. There are legal compliance factors, like Anti-Money Laundering (AML), Know Your Customer (KYC) and Know Your Customers Customer (KYCC). There are standards and rules of the card networks; they demand that there are specific legal contracts with all merchants that control the relationship with all third parties. There are also rules for credit underwriting, as the merchants are in effect offering unsecured loans.

Merchant onboarding

There’s a seven-step process to successfully onboard a merchant:

  • Prescreening
  • Merchant KYC/identity verification
  • Merchant history check
  • Business and operational model analysis
  • Web content analysis
  • Information security compliance
  • Credit risk underwriting
Merchant onboarding process

One key component to creating a more successful onboarding process is automation. A major pain point for the industry is manual work like data entry, which might have to be done multiple times. Manual work slows the process down and also introduces inevitable human error. Manual work also adds a significant cost to the process. This isn’t to say that people shouldn’t be in the process at all. Rather, people should be focused on detecting fraud, rather than on data entry.

Automation also enables smoother integration between the steps. If data is digital from the start, then the entire process has the potential for automation, especially in the case of smaller merchants. New risk assessment automation, as well as integration and optimization tools, are on the market, so dramatic improvements are already possible.

Merchant KYC

A critical part of the merchant onboarding process is ensuring the legitimacy of the account by performing KYC procedures on the entity. The business must exist, be currently operational, and the account submission must be authorized.

While the specific information required to verify a merchant will depend on jurisdictional requirements, information commonly collected includes company name, registered business and/or tax identification number and registered business address. To help with the due diligence process, information like type of business, sales turnover, bank account details and beneficial ownership might also be collected at the initial form-fill stage.

This KYC process not only provides information to fulfill the bare minimum legal requirements, but also can provide insight into what further due diligence requirements are necessary. By adding fraud checks and individual ID requirements into the merchant identity assessment, the anonymous nature of questionable accounts becomes more transparent.

Merchant Monitoring

Merchant acquirer’s or PSPs can’t stop their risk management after onboarding. What if a merchant fundamentally changes the nature of their business, or the volume of transactions or transaction amounts dramatically change? A change in the risk criteria requires reassessing the merchant; as they can already be doing damage, the quicker this is completed, the better.

Ongoing monitoring should watch for:

  • Spikes in activities
  • Exceeding thresholds
  • Out-of-area or unusual cross-border activities
  • Changing website products or links
  • Inclusion of people on sanction lists
  • Adverse media mentions

While monitoring automation has already seen great success, there’s an issue with false positives. It’s difficult to fine-tune the matches, so the industry seems to accept that it’s better than the alternative. There’s also issues when merchants go into new segments, or offer new channels as the technology doesn’t seem to keep up with these changes.

The industry is getting tougher to compete in. There’s more competition, encouraging growth in higher-risk segments and markets. There’s a rise in Card-Not-Present (CNP) fraud, as counterfeit fraud becomes more difficult. There’s a demand for new channels as eCommerce and mobile commerce gains ground. The complexity and breadth of compliance requirements are expanding. As Aite notes:

Risk and compliance projects will take an increasing share of the investment budget available for business innovation.

But technology offers hope to the situation. The ability to digitalize procedures that were previously paper-driven, to automate manual processes, and to analyze and assess risk using advanced data analysis tools provides opportunities to dramatically improve the merchant onboarding process. Merchant acquirers and PSPs that embrace new technologies can lower costs and generate better returns while successfully managing risk.

As the global payments space continues to grow in size and complexity, merchant acquirers and their partners face new challenges to manage risk. On a global level, fraud continues to migrate from the physical world to the fast-growing CNP environment. At the same time, the acquiring value chain has become more complex with the growth of payment facilitators and marketplaces.

Understanding the risks that a merchant poses and how best to minimize the friction for that specific case offers a way to properly balance speed and security. Through careful use of automated workflows, effective merchant risk management and KYC processes can help speed up onboarding of good merchants while helping prevent the creation of problematic accounts.

This post was originally published on March 30, 2017. It has been updated to reflect the latest industry developments and best practices.


Like this article




Stay informed with the Identity Insider.

Receive relevant compliance updates, industry best practices, and top trends in identity verification straight to your inbox.