Affiliate traffic is a risk model, not a channel.
When a merchant's revenue depends on affiliates, influencers, or performance networks, the underwriting question is not about marketing sophistication. It is about who controls what is being said to consumers, and whether that control is real, documented, and enforceable. Affiliates operate at arm's length by design. That distance is also where regulatory and scheme liability tends to accumulate.
This guide is written for risk teams at acquirers, payment service providers (PSPs), payment facilitators (PayFacs), marketplaces, and BIN sponsors who underwrite or monitor merchants with material affiliate dependency. It covers what the risk exposure looks like, what to verify during onboarding and ongoing review, what good governance evidence looks like, and where teams most commonly miss the signals that matter.
When a merchant identifies affiliate, influencer, or performance marketing as a primary customer acquisition channel, the complexity for risk teams is not in understanding the business model. It is in evaluating whether the merchant exercises real control over what those third parties say, and whether that control is operational or purely nominal.
Unlike direct-to-consumer acquisition, affiliate-driven models introduce a structural gap: the merchant controls the product and the payment experience, but the consumer's first impression, the claims they encounter, the urgency they feel, and the promises they are made all occur in an environment the merchant does not own. That gap does not transfer liability. Regulators and card schemes hold the merchant, and by extension the acquirer or PayFac, accountable for consumer harm regardless of where in the acquisition chain it originated.
The verticals where this risk concentrates are, in our experience, not random. Subscription billing with free trial models, health and wellness products, financial lead generation, and gaming-adjacent services all have documented histories of affiliate-driven consumer complaints, chargebacks, and regulatory scrutiny. For merchants in these categories, the underwriting bar should be materially higher, and the evidence standard more rigorous.
Why it matters: "We use affiliates" is not governance. Governance is documented, assigned to a named function, version-controlled, and backed by operational records. The documents tell you what the merchant's rules are. Records tell you whether those rules are followed.
The following should be reviewed as part of underwriting:
Affiliate agreement: The contract between the merchant and each affiliate or, if operating through a network, the master agreement. Key provisions to evaluate include: explicit prohibited claims lists rather than vague catch-alls; the approval process for new creative materials; disclosure requirements consistent with applicable regulation, such as FTC (Federal Trade Commission)-compliant language for sponsored content; consequences for violations including commission clawback, account suspension, and contract termination; and audit rights allowing the merchant to review affiliate materials on demand.
Approved creative library: A defined, version-controlled set of marketing materials approved for affiliate use. We look for evidence that the library is actively maintained, updates are versioned, and affiliates are contractually required to use approved materials, not an informal shared folder with no governance.
Affiliate onboarding and vetting criteria: Minimum participation requirements, an application review process, and evidence that high-risk affiliates, including those with prior violations, those operating in regulated categories, or those with anonymous ownership structures, are either excluded or subject to heightened oversight.
Governance ownership: In well-governed programs, affiliate compliance is assigned to a named individual or team with defined review cadences, escalation paths, and reporting lines. "Our marketing team handles it" is not a governance structure.
Key insight: Ask for the enforcement log from the prior 12 months. Merchants who have run a material affiliate program for over a year and have zero enforcement records are telling you something, whether or not they intend to.
What to request from merchant:
Red flag thresholds:
Why it matters: Governance documentation establishes what rules exist. Compliance controls determine whether those rules are operating. The difference between a merchant with good documentation and no operational follow-through, and a merchant with no documentation at all, is not material from a risk standpoint.
Pre-approval workflows: Does the merchant require affiliates to submit creative materials for review before publishing? Is there a documented review process with turnaround times and approval records? A merchant who claims pre-approval but cannot produce approval records has no pre-approval process in practice.
Compliance monitoring: Does the merchant actively monitor affiliate activity after publication? Monitoring approaches include periodic audits of affiliate landing pages, automated scanning for unapproved claims or prohibited keywords, mystery shopping or test purchase exercises, or analysis of consumer complaint data to identify affiliate-specific patterns. We do not require all of these methods, but we expect at least one systematic approach with documented outputs and a defined review frequency.
Escalation and takedown capability: If the merchant identifies a non-compliant affiliate, can they act quickly? This means a clear process for suspending affiliate access, demanding removal of non-compliant content, and documenting the action taken. Merchants who describe enforcement as "flagging it to the network" without a direct contractual relationship with affiliates have limited practical enforcement capability. That limitation is itself a risk factor.
Key insight: A program with detailed governance documents and no monitoring logs is not a compliant program. It is a well-written program. Ask specifically: "Can you show us a monitoring log or audit record from the past six months?"
What to request from merchant:
Red flag thresholds:
Why it matters: Performance-based affiliate compensation creates predictable behaviors at the margins. Affiliates paid per raw conversion have a direct financial incentive to maximize conversion volume by any means available. The merchant does not need to instruct this behavior. Structuring a high flat commission per conversion without enforcement mechanisms funds it indirectly.
Commission structure review: High commission rates paid per initial conversion, without clawback provisions and without retention-based components, create the strongest incentive misalignment. Recurring commission structures that pay affiliates based on ongoing subscription revenue align incentives differently, because the affiliate's earnings depend on the consumer remaining a customer rather than simply converting once.
Clawback provisions: We look at whether the merchant has commission clawback provisions when a conversion subsequently results in a chargeback or documented complaint. Clawback provisions are not universal, but their presence indicates that the merchant has applied structural thinking to affiliate accountability.
Sub-affiliate layers: Many affiliate programs operate through networks such as CJ Affiliate, Impact, Rakuten, ShareASale, or private network arrangements. When a merchant uses a network, there may be a layer of sub-affiliates who promote the merchant's products without a direct contractual relationship with the merchant. The merchant's agreement with the network may not provide direct enforcement rights over sub-affiliates, and network-level compliance monitoring capabilities vary significantly.
For any program operating through a major network, we verify: whether the merchant's network agreement includes sub-affiliate compliance provisions; whether the network has documented compliance monitoring capability; and whether the merchant has any visibility into sub-affiliate identity and activity.
Key insight: Sub-affiliate exposure is consistently the most underweighted risk factor in affiliate reviews. For large programs operating through major networks, a material share of promotional activity may occur through sub-affiliates who have no direct contractual relationship with the merchant.
What to request from merchant:
Red flag thresholds:
Why it matters: Affiliate governance problems leave traces in consumer complaint and chargeback data before they surface in formal documentation. Chargeback reason code distribution and complaint volume are more informative than aggregate chargeback rate alone.
Chargeback analysis: We review chargeback ratios with particular attention to reason codes associated with consumer disputes, including not-as-described, unauthorized transaction, and subscription cancellation categories. Rates concentrated in consumer dispute categories, rather than fraud or technical failure categories, point toward acquisition-side problems.
Public complaint databases: For U.S.-facing merchants, the CFPB (Consumer Financial Protection Bureau) complaint database (consumerfinance.gov/data-research/consumer-complaints) is a publicly accessible starting point. Equivalent databases exist in other jurisdictions, and structured complaint review platforms provide supplementary signal.
Prior program history: A merchant with elevated complaint or chargeback history in a previous program who attributes the problem entirely to "a few bad affiliates we removed" warrants careful scrutiny. The question is not whether those affiliates were removed. The question is whether the governance structure has changed materially enough to prevent recurrence, and whether evidence of that change exists beyond the assertion.
Key insight: Ask for chargeback data segmented by acquisition channel. Merchants who can segment this data have built the infrastructure to track affiliate-sourced transactions. Merchants who cannot are likely not monitoring at the level the program requires.
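An added example (not from this guide or any Ballerine product) of the segmentation described above: it groups constructed chargeback records by acquisition channel and by affiliate, then measures how much of each segment's chargebacks fall in the consumer dispute categories named in the chargeback analysis. Field names, sample records, and flag thresholds are assumptions for illustration, not scheme or regulatory values.

```python
from collections import Counter, defaultdict

# Reason categories the guide groups under consumer disputes.
CONSUMER_DISPUTE = {"not_as_described", "unauthorized_transaction",
                    "subscription_cancellation"}

# Constructed sample data: (channel, source_id, settled transaction count).
SALES = [("direct", "site", 4000), ("affiliate", "aff-101", 1500),
         ("affiliate", "aff-207", 900), ("affiliate", "aff-315", 600)]

# Constructed chargebacks: (channel, source_id, reason_category).
CHARGEBACKS = (
    [("direct", "site", "fraud")] * 6
    + [("direct", "site", "processing_error")] * 2
    + [("direct", "site", "not_as_described")] * 2
    + [("affiliate", "aff-101", "fraud")] * 3
    + [("affiliate", "aff-101", "subscription_cancellation")] * 2
    + [("affiliate", "aff-207", "not_as_described")] * 9
    + [("affiliate", "aff-207", "subscription_cancellation")] * 12
    + [("affiliate", "aff-207", "fraud")] * 3
    + [("affiliate", "aff-315", "unauthorized_transaction")] * 2
    + [("affiliate", "aff-315", "processing_error")] * 1
)

def segment(sales, chargebacks, key):
    """Aggregate volume and chargeback reason mix per segment.
    key(channel, source_id) picks the segment, e.g. channel or affiliate."""
    txns, reasons = defaultdict(int), defaultdict(Counter)
    for channel, source, count in sales:
        txns[key(channel, source)] += count
    for channel, source, reason in chargebacks:
        reasons[key(channel, source)][reason] += 1
    stats = {}
    for seg, n in txns.items():
        total = sum(reasons[seg].values())
        disputes = sum(c for r, c in reasons[seg].items() if r in CONSUMER_DISPUTE)
        stats[seg] = {
            "transactions": n,
            "chargebacks": total,
            "cb_ratio": total / n,
            "dispute_share": disputes / total if total else 0.0,
            "top_reason": reasons[seg].most_common(1)[0][0] if total else None,
        }
    return stats

def flag_segments(stats, baseline_ratio, min_chargebacks=10,
                  min_dispute_share=0.6, ratio_multiple=2.0):
    """Segments whose chargebacks are dispute-heavy and well above baseline.
    All three thresholds are illustrative assumptions; min_chargebacks keeps
    tiny samples from being flagged on noise."""
    return sorted(seg for seg, s in stats.items()
                  if s["chargebacks"] >= min_chargebacks
                  and s["dispute_share"] >= min_dispute_share
                  and s["cb_ratio"] >= ratio_multiple * baseline_ratio)

def review():
    by_channel = segment(SALES, CHARGEBACKS, lambda ch, src: ch)
    by_source = segment(SALES, CHARGEBACKS, lambda ch, src: src)
    baseline = by_channel["direct"]["cb_ratio"]  # direct traffic as reference
    return (by_channel, by_source,
            flag_segments(by_channel, baseline), flag_segments(by_source, baseline))

if __name__ == "__main__":
    channels, sources, bad_channels, bad_sources = review()
    for name, s in {**channels, **sources}.items():
        print(f"{name:10} ratio={s['cb_ratio']:.4f} disputes={s['dispute_share']:.0%}")
    print("flagged:", bad_channels, bad_sources)
```

In the constructed data the blended ratio is 42 chargebacks on 7,000 transactions (0.6%), while the per-affiliate view isolates one source with a dispute-heavy profile that the aggregate hides.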
What to request from merchant:
Red flag thresholds:
Why it matters: A distinct subset of affiliate-dependent merchants operates on a traffic arbitrage model, purchasing low-cost traffic and routing it through high-converting funnels to extract value from consumers before complaint accumulation reaches scheme thresholds. These programs differ structurally from standard affiliate governance risk and require different detection signals.
We observe this pattern most consistently in merchants with very short operating histories, unusually high initial transaction volumes relative to company size, multiple descriptor or domain variations launched in close succession, and thin operational infrastructure, meaning no verifiable customer service function, no auditable supplier relationships, and no physical presence.
This pattern is not always visible from onboarding documentation alone. Website infrastructure analysis, descriptor and domain registration history, and early transaction velocity data are important supplementary inputs. Ballerine's Merchant Underwriting platform is designed to surface these signals systematically, including identification of related domains, cross-referenced descriptor variations, and behavioral anomalies that standard document review misses.
Key insight: Any combination of short operating history, descriptor variation, and high initial transaction volume should trigger a deeper review of affiliate structure and traffic sourcing before onboarding proceeds.
Signals that indicate elevated scrutiny is warranted:
A merchant with verifiable affiliate governance will be able to produce the following. Documents establish intention. Records establish operation. Both are required.
Operational records:
Structural evidence:
Prohibited practices specificity: An explicit prohibited practices list, not a catch-all clause. Prohibited practices in well-governed programs include: unauthorized endorsements, unverified claims about regulatory approval or clinical evidence, unapproved urgency or scarcity tactics, testimonials not obtained through a documented compliant process, and placement on inventory categories the merchant has restricted.
Complaint and chargeback profile: Chargeback reason code distribution consistent with a program not generating material consumer harm through acquisition-side claims. No pattern of public complaints referencing advertising claims or enrollment terms.
Regulatory literacy: Practical awareness of the FTC's Guides Concerning the Use of Endorsements and Testimonials (16 CFR Part 255), the EU Directive on Unfair Commercial Practices (Directive 2005/29/EC), and card scheme rules on free trial billing and negative option marketing, translated into affiliate program rules that affiliates can actually follow.
"We do not control affiliates."
This is the most common deflection risk teams encounter. It is not a defensible position for regulatory or scheme purposes. The merchant chose the affiliate channel. The merchant benefits financially from affiliate-driven conversions. The contractual relationship, direct or through a network, exists. "We do not control them" is an operational description, not a legal or regulatory defense. The right response is to ask: "What control do you exercise, and what is your evidence?"
Stopping at document review.
Reviewing an affiliate agreement and noting it includes prohibited practices language is not an affiliate risk assessment. It is a review of affiliate paperwork. The document tells you what the merchant's rules are. It does not tell you whether those rules are monitored, enforced, or effective. In our experience, programs with well-drafted agreements and no monitoring records are common. The document is a starting point, not a conclusion.
Missing the sub-affiliate layer.
Risk teams that review the merchant's direct affiliate agreement without asking about network and sub-affiliate structure may miss a substantial portion of actual traffic-driving activity. For programs operating through major networks, a material share of promotional activity may flow through sub-affiliates with no direct contractual relationship with the merchant.
Treating affiliate risk as a one-time onboarding check.
Affiliate programs change. Affiliates join and leave. Tactics evolve. New channels open. A governance assessment conducted at onboarding and not revisited is a historical snapshot, not ongoing risk management. For affiliate-driven merchants, ongoing monitoring should be structured around specific triggers, including sustained chargeback rate increases in consumer dispute categories, complaint volume changes, and new network relationships added without governance documentation updates.
Conflating marketing sophistication with compliance maturity.
A merchant can operate a technically sophisticated affiliate program with professional attribution analytics and network management while having no systematic oversight of what affiliates are actually saying. Marketing sophistication and compliance governance are different capabilities and do not reliably correlate.
Not asking for enforcement history.
Asking for specific examples of affiliates suspended or terminated for violations is consistently the highest-signal question in affiliate governance review and consistently the least-asked. Merchants who cannot produce any enforcement examples from a program running for more than a year are communicating something meaningful, even if unintentionally.
Regulatory accountability for third-party marketing.
The FTC has been explicit in its Guides Concerning the Use of Endorsements and Testimonials (16 CFR Part 255): disclosures must be clear and conspicuous, claims must be substantiated, and accountability cannot be delegated to the affiliate. In the EU, the Directive on Unfair Commercial Practices (Directive 2005/29/EC) and the Digital Services Act (DSA, Regulation (EU) 2022/2065) impose obligations on businesses to prevent deceptive commercial practices regardless of the distribution channel. For merchants operating in regulated verticals, the expectation is that the merchant builds governance structures adequate to ensure compliance, not that affiliates will spontaneously comply.
Card scheme exposure.
Card scheme rules under both Visa and Mastercard frameworks establish merchant liability for consumer harm arising from transactions on their accounts. That liability does not include a carve-out for harm originating in affiliate marketing materials. Scheme monitoring programs focus on merchant-level chargeback ratios, consumer complaint rates, and marketing practices in designated high-risk categories. Risk teams should maintain current familiarity with scheme program documentation for the merchant categories they underwrite, as thresholds and requirements are updated periodically.
Acquirer and PayFac downstream exposure.
For acquirers and PayFacs, the risk extends beyond individual merchant exposure. A program's standing with card schemes can be affected by persistent problems in the merchant portfolio as a whole. Programs with elevated portfolio-level chargeback rates, unresolved consumer harm patterns, or documented governance deficiencies can attract scheme compliance scrutiny. Demonstrating that affiliate governance is evaluated systematically, with documented evidence and consistent standards, positions the acquiring program as a defensible operator. Ballerine's Mastercard MMSP Compliance framework is designed specifically to help acquiring programs build that defensibility.
The framing of questions at onboarding matters as much as the questions themselves. Asking "do you have an affiliate agreement?" invites a binary answer. Asking for the agreement, the current approved creative library, and the enforcement log from the prior 12 months requires the merchant to produce evidence, not assertions.
The following questions are most diagnostic in affiliate governance reviews:
The question that should be asked explicitly at onboarding: "Do you require affiliate policy enforcement evidence as a condition of affiliate program participation?" The answer reveals whether the merchant treats governance as a real operational requirement or a formality completed at setup.
Risk tiering:
Not all affiliate-dependent merchants present equivalent risk. We recommend a tiered approach based on affiliate dependency, vertical risk, and governance evidence.
Conditions and covenants:
For merchants onboarded conditionally, conditions must be documented, time-bound, and verifiable. Examples include: implementing a documented pre-approval process within a specified period with evidence delivered to the acquirer; conducting a compliance audit of all active affiliates within a specified period; and notifying the acquirer of any material changes to affiliate program structure or network relationships.
Conditions that are set but not followed up on provide no protection. The monitoring and follow-up process for conditional onboardings should be as structured as the initial review.
Documentation and audit trail:
For all affiliate-related underwriting decisions, decision rationale and supporting evidence should be documented in a retrievable, reviewable format. This supports scheme compliance program scrutiny, internal audit reviews, and regulatory inquiry defense. Documentation standards should be applied consistently across the portfolio, not selectively to high-profile cases.
Affiliate-driven merchants are not inherently high-risk. Many operate well-governed programs that drive legitimate revenue without generating material consumer harm. The risk is not in the channel. It is in whether the merchant has built real governance infrastructure around it, and whether that infrastructure is operational, not merely documented.
The failure mode we observe most consistently is not bad intent. It is abdication: merchants who treat affiliate governance as a formality, who rely on network policies as a substitute for their own controls, and who respond to compliance questions with "we do not control what affiliates do" have effectively delegated a material portion of their consumer risk to parties whose incentives are not designed for compliance.
For risk teams, the discipline comes down to two principles: ask for evidence rather than accepting assertions, and treat governance documentation as a starting point rather than a conclusion.
A well-governed merchant will have records. An under-governed merchant will have documents.
Ballerine builds AI-powered merchant underwriting, KYB (Know Your Business), KYC (Know Your Customer), and ongoing monitoring workflows for acquirers, PSPs, PayFacs, marketplaces, BIN sponsors, and banks, with a focus on high-risk and complex merchant categories.
For affiliate-driven merchant categories, Ballerine supports monitoring across affiliate-facing content surfaces, identification of prohibited claims language, and structured evidence packaging that supports both internal governance and external compliance defensibility. The platform is designed to help risk teams move from documentation review to evidence-based underwriting, collecting signals across merchant websites, affiliate ecosystems, consumer complaint databases, adverse media sources, and transaction behavior patterns, and organizing them into structured, auditable decision records.
Ballerine is a Mastercard Merchant Monitoring Service Provider (MMSP)-certified partner, designed to support acquiring programs in meeting scheme-level monitoring expectations through the Mastercard MMSP Compliance framework, with consistent, documented evidence.