The Challenge
When a payment facilitator (PayFac) claims to maintain control over its sub-merchants, the complexity is not in understanding the regulatory requirements. It is in verifying that control actually exists in practice. Unlike traditional merchant acquirers, PayFacs are registered as a single merchant of record but onboard and manage hundreds or thousands of sub-merchants underneath their master merchant identification number (MID). This structure requires functional control mechanisms that many PayFacs describe but do not implement.
This guide walks through the assessment framework we use to evaluate whether a PayFac demonstrates actual sub-merchant control, not just contractual language claiming control.
Understanding PayFac Control Requirements
In our experience, payment card networks expect PayFacs to maintain oversight of sub-merchants comparable to what a traditional acquirer would provide.
This includes:
Underwriting sub-merchants: Assessing risk, verifying business legitimacy, and making approval decisions
Monitoring transactions: Detecting unusual patterns, fraud, and policy violations in real time
Managing risk exposure: Controlling settlement timing, holding reserves, and protecting against losses
Enforcing compliance: Terminating sub-merchants who violate terms or create unacceptable risk
The distinction between a compliant PayFac and a pass-through payment facilitator is not whether these requirements are stated in contracts. It is whether the PayFac has implemented systems, assigned resources, and can demonstrate enforcement history proving these controls function.
The Complete Assessment Framework
Merchant Underwriting and Approval Authority
Why it matters: If a PayFac approves every applicant instantly without verification, it is not exercising underwriting control. True control requires risk-based decisioning with documented rejection criteria.
High-Risk Underwriting Patterns
Instant approval with no verification:
- Sub-merchants approved within seconds or minutes
- No document review before activation
- No business verification beyond basic information entry
- Uniform approval regardless of business type or risk profile
Why this is high risk: Automated approval without verification indicates the PayFac is not assessing risk or making informed decisions about who it allows onto its platform.
No evidence of declined applications:
- PayFac cannot provide statistics on rejection rates
- No documented reasons for declined merchants
- No examples of merchants rejected due to risk concerns
- Approval rate approaches 100%
Why this is high risk: If the PayFac never declines merchants, it is not applying underwriting standards.
Outsourced decision-making:
- Third-party platforms make approval decisions
- PayFac has no internal risk team or underwriting function
- No human review of applications
- PayFac staff cannot explain how approval decisions are made
Why this is high risk: Delegating approval authority to external parties means the PayFac does not control merchant access to its platform.
Minimal documentation requirements:
- No business license verification
- No proof of business operations (website, social media, operational presence)
- No beneficial owner identification beyond name
- No financial information collected
Why this is high risk: Without sufficient information, the PayFac cannot assess risk or verify legitimacy.
Acceptable Underwriting Patterns
Risk-based assessment:
- Documented underwriting criteria based on business type, volume, and risk factors
- Manual review for elevated risk categories
- Tiered approval process with escalation paths
- Evidence of declined applications with documented reasons
Verification procedures:
- Business registration verification
- Website and operational presence review
- Beneficial owner identity verification
- Financial statements or bank statements for higher-risk merchants
- Reference checks or prior processing history verification
Decision ownership:
- Internal risk or underwriting team makes final decisions
- Clear approval authority within the PayFac organization
- Escalation process for edge cases
- Documentation of decision rationale
What to Request from PayFac
Category
Documentation Needed
Underwriting policy
- Written underwriting standards
- Risk categorization criteria
- Approval thresholds and escalation triggers
- Prohibited business types or industries
Application process
- Required documentation from sub-merchants
- Verification steps before approval
- Human review requirements
- Typical approval timeline
Rejection data
- Rejection rate over the past 12 months
- Top reasons for declining merchants
- Examples of declined applications (redacted)
- Appeals process and outcomes
Team structure
- Size and composition of underwriting or risk team
- Decision-making authority and approval workflow
- Training and qualifications of underwriting staff
- Use of third-party tools or services
Testing Protocol
- Submit test application: If permissible, submit a test application with red flags (e.g., incomplete business information, high-risk category) and verify whether it is approved or flagged for revie
- Review sample decisions: Request redacted examples of approved and declined merchants with decision rationale
- Interview underwriting staff: Speak with the team responsible for approvals to assess expertise and process understanding
PayFac Assessment Checklist
- Documented underwriting criteria exist and are applied
- Evidence of merchant rejections (rejection rate >5% for typical portfolios)
- Human review occurs for elevated-risk applications
- Verification of business legitimacy before approval
- Internal team owns approval decisions
- Approval timeline allows for verification (not instant)
- Risk-based tiering with appropriate controls for each level
Red flag threshold:
- Instant approval with no verification = CRITICAL RISK
- Cannot provide rejection statistics or examples = HIGH RISK
- No internal underwriting function = CRITICAL RISK
- Approval rate >95% with no risk-based variation = HIGH RISK
Transaction Monitoring and Velocity Controls
Why it matters: Controlling sub-merchants requires visibility into their transaction activity and the ability to detect anomalies. PayFacs that cannot describe monitoring thresholds or provide examples of alerts they have acted on are not exercising control.
High-Risk Monitoring Patterns
No real-time visibility:
- PayFac reviews sub-merchant activity weekly or monthly, not daily
- No automated alerts for unusual patterns
- Transaction data is aggregated and cannot be broken down by sub-merchant
- PayFac cannot identify which sub-merchant generated specific transactions
Why this is critical risk: Without real-time visibility, the PayFac cannot detect fraud, policy violations, or risk events before significant exposure accumulates.
No velocity controls:
- Sub-merchants have no transaction limits
- No controls on daily, weekly, or monthly volume
- First-day processing limits are not enforced
- Volume increases are not monitored or approved
Why this is high risk: Velocity controls are a basic fraud prevention mechanism. Absence indicates no monitoring infrastructure.
No alert rules or thresholds:
- PayFac cannot describe what triggers a review
- No documented monitoring rules (e.g., "alert if daily volume exceeds 300% of historical average")
- No evidence of alerts generated and acted upon
- Monitoring is described as "manual review" with no defined triggers
Why this is high risk: Without systematic monitoring rules, oversight is reactive at best and non-existent at worst.
Lack of enforcement examples:
- PayFac cannot provide examples of sub-merchants flagged for review
- No evidence of suspended or limited merchants due to transaction anomalies
- No record of investigations triggered by monitoring alerts
Why this is high risk: If monitoring has never resulted in action, it is not functioning.
Acceptable Monitoring Patterns
Real-time transaction visibility:
- Dashboard or system showing sub-merchant transaction activity in real time or near real-time
- Ability to drill down to individual transaction details
- Alerts configured to detect anomalies as they occur
Defined velocity controls:
- Transaction limits based on merchant risk profile (e.g., $5,000/day for new merchants, escalating based on history)
- Automated enforcement of limits with suspension or hold if exceeded
- Clear process for approving volume increases
Rule-based monitoring:
- Documented monitoring rules (e.g., chargeback rate thresholds, velocity spikes, geographic anomalies)
- Alerts generated automatically when rules are triggered
- Evidence of alert review and action taken
Enforcement history:
- Examples of merchants flagged, investigated, and either cleared or suspended
- Statistics on alerts generated and outcomes
- Clear escalation process from alert to investigation to action
What to Request from PayFac
Category
Documentation Needed
Underwriting policy
- Written underwriting standards
- Risk categorization criteria
- Approval thresholds and escalation triggers
- Prohibited business types or industries
Application process
- Required documentation from sub-merchants
- Verification steps before approval
- Human review requirements
- Typical approval timeline
Rejection data
- Rejection rate over the past 12 months
- Top reasons for declining merchants
- Examples of declined applications (redacted)
- Appeals process and outcomes
Team structure
- Size and composition of underwriting or risk team
- Decision-making authority and approval workflow
- Training and qualifications of underwriting staff
- Use of third-party tools or services
Testing Protocol
- System demonstration: Request a live demonstration of the transaction monitoring dashboard, showing how the PayFac views sub-merchant activity
- Alert review: Request examples of recent alerts and how they were resolved
- Limit verification: Verify that velocity limits are actually enforced by reviewing examples where limits were exceeded and activity was paused
PayFac Assessment Checklist
- Real-time or near real-time visibility into sub-merchant transactions
- Velocity controls configured and enforced
- Documented monitoring rules with defined thresholds
- Evidence of alerts generated and acted upon (not just configured)
- Internal team responsible for monitoring and alert review
- Examples of enforcement actions resulting from monitoring
- System can identify unusual activity at sub-merchant level
Red flag threshold:
- No real-time transaction visibility = CRITICAL RISK
- No velocity controls = CRITICAL RISK
- Cannot provide enforcement examples = HIGH RISK
- Monitoring described but no evidence of alerts or actions = HIGH RISK
Reserve and Settlement Management
Why it matters: PayFacs absorb chargeback and fraud risk for their sub-merchants. Controlling settlement timing and holding appropriate reserves protects the PayFac and demonstrates risk management. PayFacs that settle funds immediately to all sub-merchants with no reserves are not managing risk.
High-Risk Settlement Patterns
Immediate settlement with no holds:
- All sub-merchants receive funds within 24 hours regardless of risk profile
- No rolling reserves or holdback percentages
- New merchants receive same settlement terms as established merchants
- No ability to delay settlement when risk is detected
Why this is critical risk: Immediate settlement with no reserves means the PayFac has no buffer against chargebacks, fraud, or disputes. This indicates the PayFac is not managing financial risk.
No risk-based reserve strategy:
- All sub-merchants have identical settlement terms
- No reserves for high-risk categories, new merchants, or volume spikes
- PayFac cannot explain how reserve levels are determined
- No documented reserve policy
Why this is high risk: Uniform settlement regardless of risk profile indicates no risk assessment or tiered control.
Settlement controlled by sub-merchant:
- Sub-merchants can request immediate payout at will
- No PayFac authority to delay or hold funds
- Sub-merchants control settlement schedule
- PayFac has no discretion over fund disbursement
Why this is critical risk: If the PayFac cannot control settlement, it cannot manage risk exposure.
No monitoring of settlement anomalies:
- PayFac does not review unusual settlement requests
- No alerts for large or sudden withdrawals
- Sub-merchants can drain reserves before chargebacks appear
- No analysis of settlement patterns
Why this is high risk: Even if reserves exist, failure to monitor settlement behavior negates their protective value.
Acceptable Settlement Patterns
Risk-based settlement terms:
- New sub-merchants have delayed settlement (e.g., T+7 or T+14)
- Established merchants graduate to faster settlement based on performance
- High-risk categories have longer holds or rolling reserves
- Clear criteria for settlement tier assignment
Reserve requirements:
- Rolling reserve (e.g., 10% held for 180 days) for elevated-risk merchants
- Upfront reserves for very high-risk categories
- Reserve levels calculated based on chargeback history, volume, and risk category
- Documented reserve policy with justification for levels
PayFac control over settlement:
- PayFac can delay settlement if risk is detected
- Holds can be applied based on monitoring alerts
- Sub-merchants receive settlement terms at onboarding but PayFac retains discretion
- Clear policy on when holds or delays are applied
Settlement monitoring:
- Unusual settlement patterns trigger review
- Large payouts are manually approved
- Correlation between settlement requests and chargeback patterns is monitored
- Ability to freeze settlements if fraud is suspected
What to Request from PayFac
Category
Documentation Needed
Settlement policy
- Standard settlement terms by risk tier
- New merchant settlement schedule
- Process for graduating to faster settlement
- Authority to delay or hold settlements
Reserve requirements
- Reserve policy document
- Calculation methodology for reserve levels
- Rolling reserve percentages and durations
- Upfront reserve requirements by category
Settlement data
- Distribution of settlement terms across portfolio (T+1, T+7, etc.)
- Examples of delayed settlements due to risk
- Reserve balances held currently
- Settlement pattern analysis
Risk management
- Process for applying holds based on alerts
- Examples of settlement freezes or delays
- Settlement monitoring rules
- Criteria for releasing or increasing holds
Testing Protocol
- Portfolio analysis: Request breakdown of settlement terms across all sub-merchants to verify risk-based tiering
- Reserve verification: Verify that reserves are actually held by reviewing financial records or processor statements
- Enforcement examples: Request cases where settlement was delayed or held due to risk detection
PayFac Assessment Checklist
- Risk-based settlement terms exist and are enforced
- New merchants have delayed settlement or reserves
- Reserve policy documented with clear calculation methodology
- PayFac demonstrates control over settlement timing
- Evidence of holds or delays applied based on risk
- Settlement patterns are monitored for anomalies
- Reserve levels are adequate for portfolio risk profile
Red flag threshold:
- All merchants settled T+1 with no reserves = CRITICAL RISK
- No risk-based settlement differentiation = HIGH RISK
- PayFac cannot delay settlement when risk detected = CRITICAL RISK
- No reserves held for any sub-merchants = CRITICAL RISK
Chargeback and Dispute Resolution
Why it matters: A PayFac is liable for sub-merchant chargebacks. Control requires handling disputes, representing sub-merchants to card issuers, and recovering losses from sub-merchants when necessary. PayFacs that immediately pass all chargeback liability to sub-merchants without management are not exercising control.
High-Risk Chargeback Patterns
No chargeback management process:
- Sub-merchants handle chargebacks directly with no PayFac involvement
- PayFac has no visibility into chargeback details or resolution
- No process for representing sub-merchants in disputes
- PayFac immediately debits sub-merchants for all chargebacks without review
Why this is critical risk: We see that card networks expect PayFacs to manage disputes as part of their oversight responsibilities. Fully delegating this responsibility to sub-merchants indicates the PayFac is not fulfilling its role.
No monitoring of chargeback rates:
- PayFac cannot report chargeback rates by sub-merchant
- No alerts or thresholds for elevated chargeback activity
- Sub-merchants with excessive chargebacks are not flagged
- No historical analysis of chargeback trends
Why this is high risk: Chargeback rates are a primary risk indicator. Failure to monitor them means the PayFac is not managing risk.
No intervention for high chargeback merchants:
- PayFac does not review sub-merchants exceeding network thresholds
- No remediation process for problematic merchants
- No termination or restriction based on chargeback performance
- Merchants can continue processing despite excessive chargebacks
Why this is critical risk: In our experience, card networks may impose penalties on PayFacs with excessive portfolio chargeback rates. A PayFac that does not control high-chargeback merchants creates network compliance risk.
Unlimited chargeback passthrough:
- All chargeback costs passed to sub-merchants immediately
- PayFac bears no chargeback liability
- No recovery process if sub-merchant account is depleted
- Sub-merchants can offboard and avoid chargeback liability
Why this is high risk: While recovering costs from sub-merchants is acceptable, complete liability avoidance suggests the PayFac is not managing risk exposure.
Acceptable Chargeback Patterns
PayFac manages dispute process:
- PayFac team reviews chargebacks and decides whether to represent or accept
- PayFac submits representment documentation to card networks
- Sub-merchants provide evidence, but PayFac manages the process
- PayFac tracks dispute outcomes and win rates
Chargeback rate monitoring:
- Real-time or daily chargeback rate calculation by sub-merchant
- Alerts when sub-merchants approach or exceed network thresholds (we commonly observe warnings around 0.9% and enforcement action around 1%)
- Monthly or quarterly chargeback reporting to sub-merchants
- Historical trend analysis to identify emerging patterns
Intervention and remediation:
- Sub-merchants exceeding thresholds receive notice and remediation plan
- PayFac may limit transaction volume, delay settlement, or increase reserves
- Continued excessive chargebacks result in termination
- Evidence of terminated merchants due to chargeback issues
Risk absorption and recovery:
- PayFac absorbs initial chargeback risk
- Recovery from sub-merchants via reserve deduction or direct billing
- Process for handling chargebacks when sub-merchant account is depleted or offboarded
- PayFac maintains reserve to cover unrecoverable chargebacks
What to Request from PayFac
Category
Documentation Needed
Dispute management
- Chargeback handling workflow
- Party responsible for representment
- Team managing disputes
- Win rate on representments
Monitoring and thresholds
- Chargeback rate calculation methodology
- Alert thresholds configured
- Frequency of chargeback reporting
- Network threshold compliance (Visa, Mastercard programs)
Intervention process
- Actions taken when sub-merchant exceeds thresholds
- Remediation plan requirements
- Escalation from warning to limitation to termination
- Examples of enforcement actions
Portfolio chargeback data
- Overall portfolio chargeback rate
- Distribution of chargeback rates across sub-merchants
- Number of sub-merchants exceeding thresholds
- Trend over the past 12 months
Liability and recovery
- Process for recovering chargeback costs from sub-merchants
- Handling of unrecoverable chargebacks
- Reserve levels maintained to cover portfolio risk
- Financial exposure currently outstanding
Testing Protocol
- Chargeback data review: Analyze portfolio chargeback rates to verify monitoring occurs and data exists
- Enforcement verification: Request examples of sub-merchants terminated or limited due to chargebacks
- Process walkthrough: Have the PayFac walk through how a chargeback is handled from notification to resolution
PayFac Assessment Checklist
- PayFac manages chargeback dispute process
- Chargeback rates monitored by sub-merchant in real time or daily
- Alert thresholds configured and enforced
- Evidence of intervention when sub-merchants exceed thresholds
- Examples of terminated merchants due to chargeback issues
- PayFac absorbs initial risk and has recovery process
- Portfolio chargeback rate is within network compliance thresholds
- Documented chargeback management policy
Red flag threshold:
- Sub-merchants handle chargebacks with no PayFac involvement = CRITICAL RISK
- No chargeback rate monitoring = CRITICAL RISK
- No examples of enforcement due to chargebacks = HIGH RISK
- Portfolio chargeback rate exceeds 0.9% = HIGH RISK
Termination Rights and Enforcement
Why it matters: Control includes the authority to remove sub-merchants who create unacceptable risk. PayFacs that cannot or will not terminate problematic sub-merchants are not exercising control.
High-Risk Termination Patterns
No termination authority:
- Sub-merchants have guaranteed processing rights
- PayFac cannot terminate without sub-merchant consent
- Contracts do not include termination for risk or policy violations
- External party controls termination decisions
Why this is critical risk: If the PayFac cannot remove risky sub-merchants, it does not control its portfolio.
No evidence of enforced terminations:
- PayFac has never terminated a sub-merchant for risk or policy violations
- Terminations only occur when sub-merchants choose to leave
- Cannot provide statistics on terminated merchants
- No documented reasons for historical terminations
Why this is high risk: Termination authority without enforcement history suggests the authority is not real or is not used.
Termination requires external approval:
- PayFac must get approval from parent company, partner, or platform provider
- Long approval process delays removal of risky merchants
- Decision authority is outside the PayFac organization
Why this is high risk: External approval requirements mean the PayFac does not have operational control.
No proactive termination for risk:
- Terminations only occur reactively after network fines or enforcement
- No terminations for policy violations, excessive chargebacks, or fraud detection
- PayFac waits for external pressure before acting
Why this is high risk: Reactive termination indicates the PayFac is not managing risk proactively.
Acceptable Termination Patterns
Clear termination authority:
- PayFac retains right to terminate for risk, policy violations, or business reasons
- Termination authority documented in sub-merchant agreements
- Internal decision-making without external approval required
- Short notice period (e.g., immediate for fraud, 30 days for policy violations)
Enforced terminations:
- Evidence of sub-merchants terminated for excessive chargebacks, fraud, or policy violations
- Statistics on termination reasons and frequency
- Examples of proactive termination before network enforcement
Risk-based termination criteria:
- Documented grounds for termination (e.g., chargeback rate >1%, fraud detection, prohibited products)
- Escalation path from warning to suspension to termination
- Clear communication of violations to sub-merchants
- Consistent enforcement of termination policy
What to Request from PayFac
Category
Documentation Needed
Termination authority
- Contract provisions allowing termination
- Grounds for termination
- Notice period required
- Internal approval process
Termination history
- Number of sub-merchants terminated in the past 12 months
- Breakdown of termination reasons
- Examples of terminated merchants (redacted)
- Proactive versus reactive terminations
Enforcement policy
- Written policy on when termination is required
- Escalation process before termination
- Appeal or remediation options for sub-merchants
- Consistency of enforcement
Network compliance
- Terminations due to network violations or VFMP/VCFP listings
- Response time to network enforcement actions
- Process for preventing network penalties
Testing Protocol
- Contract review: Verify termination clauses exist and provide discretion to PayFac
- Enforcement verification: Review examples of terminated sub-merchants and verify reasons align with risk management
- Statistics analysis: Assess whether termination rate is reasonable for portfolio risk (low termination rates may indicate lack of enforcement)
PayFac Assessment Checklist
- PayFac has unilateral termination authority in contracts
- Evidence of terminations enforced for risk or policy violations
- Termination rate indicates active enforcement (we see 2-10% annually depending on portfolio)
- Clear termination criteria documented and applied consistently
- Proactive terminations occur before network enforcement
- Internal team makes termination decisions without external approval
- Examples of various termination reasons (chargebacks, fraud, policy violations)
Red flag threshold:
- No termination authority in contracts = CRITICAL RISK
- Zero terminations in past 12 months = HIGH RISK
- Cannot provide termination examples or reasons = HIGH RISK
- Terminations require external approval = MEDIUM RISK
What Good Looks Like: The Compliant PayFac Relationship
When all elements align properly, a PayFac with actual sub-merchant control demonstrates:
Documentation Package
Business Structure
- Registered as PayFac with card networks
- Clear regulatory status and sponsoring bank relationship
- Documented master MID and sub-merchant structure
- Appropriate licensing for payment facilitation
- Compliance with card network PayFac programs (Visa, Mastercard)
Sub-Merchant Oversight
- Documented underwriting standards with evidence of enforcement
- Rejection rate of 5–20% indicating risk-based decisioning
- Risk categorization framework applied to all sub-merchants
- Manual review for elevated-risk applications
- Verification procedures for business legitimacy
Transaction Control
- Real-time visibility into sub-merchant transaction activity
- Velocity controls configured and enforced
- Monitoring rules with documented thresholds
- Evidence of alerts generated and acted upon
- Examples of suspended or limited sub-merchants
Financial Risk Management
- Risk-based settlement terms (new merchants on T+7 or longer)
- Reserve requirements for elevated-risk merchants
- PayFac control over settlement timing
- Adequate reserves to cover portfolio chargeback exposure
- Documented reserve calculation methodology
Chargeback Management
- PayFac manages dispute representment process
- Chargeback rate monitoring by sub-merchant
- Alert thresholds enforced for excessive chargebacks
- Evidence of sub-merchant terminations due to chargeback issues
- Portfolio chargeback rate within network thresholds
Enforcement History
- Examples of sub-merchants terminated for risk or policy violations
- Statistics on enforcement actions (suspensions, limitations, terminations)
- Proactive enforcement before network penalties
- Consistent application of policies
Example: Compliant PayFac Profile
Company: SubMerchant Payment Services LLC
Model: Payment facilitator for e-commerce and service businesses
Portfolio size: 450 sub-merchants
Services provided:
- Payment processing infrastructure
- Merchant onboarding and underwriting
- Transaction monitoring and fraud detection
- Chargeback management and representment
- Compliance support and reporting
Underwriting:
- 60-72 hour approval process for standard merchants
- Business verification required (website, registration, beneficial owner ID)
- Rejection rate: 12% over past 12 months
- Risk categories: Low (instant approval), Medium (manual review), High (enhanced due diligence)
- High-risk merchants require additional documentation and reserves
Transaction monitoring:
- Real-time dashboard with sub-merchant level visibility
- Velocity controls: New merchants limited to $5,000/day for first 30 days
- Alert rules configured for velocity spikes (>300% of average), unusual patterns, geographic anomalies
- 47 alerts generated in past 90 days, all reviewed within 24 hours
Settlement and reserves:
- Low-risk merchants: T+2 settlement, no reserves
- Medium-risk merchants: T+7 settlement, 5% rolling reserve for 90 days
- High-risk merchants: T+14 settlement, 10% rolling reserve for 180 days
- Total reserves held: $340,000 (adequate for portfolio chargeback exposure)
- PayFac retains authority to delay settlement if risk detected
Chargeback management:
- Internal team handles all representments
- Chargeback rate monitoring with alerts at 0.65% (warning) and 0.9% (action required)
- Portfolio chargeback rate: 0.41%
- 8 sub-merchants flagged for elevated chargebacks in past 12 months (5 remediated, 3 terminated)
Enforcement:
- 23 sub-merchants terminated in past 12 months
- Reasons: Excessive chargebacks (8), fraud (6), policy violations (5), business model changes (4)
- 11 sub-merchants suspended temporarily for investigation
- Clear escalation from warning to limitation to termination
This profile represents acceptable PayFac control.
Common Verification Errors
Mistake: Accepting contracts without operational verification
The problem: PayFac agreements describe extensive control rights, monitoring systems, and enforcement policies. Actual operations may not implement any of these controls.
What to do: Request evidence that systems exist and are used. Contracts describe rights; operational data proves exercise of those rights.
Mistake: Confusing technology capability with actual control
The problem: A PayFac may have access to a monitoring system or dashboard but never review it or act on alerts.
What to do: Verify not just that systems exist, but that the PayFac uses them. Request alert statistics, investigation examples, and enforcement actions taken based on monitoring.
Mistake: Not requesting enforcement statistics
The problem: PayFac describes underwriting standards, monitoring rules, and termination authority, but has never rejected an application, flagged unusual activity, or terminated a sub-merchant.
What to do: Ask for numbers. What percentage of applications are declined? How many alerts were generated last quarter? How many sub-merchants were terminated last year and why?
Mistake: Ignoring settlement terms
The problem: Focusing on monitoring and underwriting while overlooking that all sub-merchants are settled T+1 with no reserves, meaning the PayFac has no financial control.
What to do: Examine settlement and reserve structures as evidence of risk management. Immediate settlement with no holds indicates lack of control.
Mistake: Not differentiating between new and established sub-merchants
The problem: Evaluating the PayFac's controls based on how they treat their longest-tenured, lowest-risk sub-merchants, which may have graduated to less restrictive terms.
What to do: Focus assessment on how new sub-merchants are onboarded and controlled. Risk-based tiering is acceptable, but initial controls must be rigorous.
Mistake: Accepting aggregated data
The problem: PayFac provides portfolio-level statistics (overall chargeback rate, average settlement time) without sub-merchant level breakdown.
What to do: Request sub-merchant level data distribution. What percentage of sub-merchants are on each settlement tier? How many exceed chargeback thresholds? Aggregated data can hide risk concentration.
The Critical Question
When evaluating whether a PayFac has actual sub-merchant control, ask:
"If a sub-merchant engages in fraud or generates excessive chargebacks, can you show me that your systems would detect it, your team would investigate it, and you have the authority and history of terminating merchants for it?"
If yes - because the PayFac has monitoring infrastructure generating alerts, documented enforcement history including terminations, and financial controls like reserves and settlement discretion - it likely exercises adequate control.
If no - because the PayFac cannot demonstrate detection capability, has never terminated a sub-merchant for risk, or lacks financial control mechanisms - it is not exercising control regardless of contract language.
This question focuses on capability, evidence, and authority rather than stated intentions.
Ballerine's Role
Ballerine provides infrastructure to make sub-merchant control assessment scalable: automated verification of underwriting processes by detecting whether merchants are approved instantly or after verification steps, transaction pattern analysis to identify sub-merchants exhibiting anomalies the PayFac should have detected, and ongoing monitoring to verify that PayFac controls remain in place post-onboarding.
But the foundational knowledge in this guide enables risk teams to ask the right questions during PayFac evaluation: what is your sub-merchant rejection rate, can you show me examples of terminated merchants, what are your settlement terms for new sub-merchants, and how do you monitor chargeback rates. These operational realities determine whether a PayFac exercises control, regardless of what its contracts claim.
For comprehensive PayFac and marketplace monitoring at scale, our merchant monitoring capabilities provide continuous oversight of sub-merchant portfolios, detecting control lapses before they result in network violations or financial losses.
.png)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.png)
