How to Detect Cross-Border Triangle Risk

‍

"Incorporation, operations, and customers in three places is where surprises live."

‍

Standard underwriting frameworks are built around a single question: where is this merchant? The assumption is that "where" has one answer. For a material subset of merchants, it does not.

‍

The cross-border triangle describes a specific structural pattern: a merchant entity is incorporated in one jurisdiction, runs its operations from a second, and serves customers in a third. This is not inherently suspicious. It is a common architecture for companies optimizing for tax efficiency, talent access, regulatory environment, or cost of operations. But it introduces a layered compliance and risk profile that a standard country-of-incorporation review will not capture.

‍

This guide is for risk teams at acquirers, payment service providers (PSPs), payment facilitators (PayFacs), marketplaces, and BIN sponsors. It sets out what to verify at each jurisdictional node, what good documentation looks like, and where underwriting processes most frequently break down. For a broader treatment of the underwriting process, see Merchant Underwriting Handbook for Compliance Teams.

‍

‍

‍

The Challenge

‍

When a merchant presents with incorporation in a recognized jurisdiction, risk teams often treat that as the primary reference point for compliance, licensing, and consumer obligations. In a single-jurisdiction business, that approach is defensible. In a cross-border triangle structure, it misses two of the three corners where obligations and risk actually reside.

‍

Each corner of the triangle carries distinct legal and regulatory obligations. The incorporation jurisdiction determines the legal entity structure and, in some cases, financial reporting requirements. The operations jurisdiction governs employment law and data processing obligations, and may create a taxable presence (a permanent establishment in tax terms) even if the entity is not locally registered. The customer jurisdiction is where consumer protection law applies, where dispute rights are governed, and where licensing is most likely to be required.

‍

The pattern is most common in online gambling and gaming, cryptocurrency and digital asset services, foreign exchange (forex) and contracts for difference (CFDs), adult content platforms, software-as-a-service (SaaS) subscription businesses, and digital goods marketplaces. All are verticals where operations can be separated from markets served at relatively low cost.

‍

Understanding the risk profile distinction:

‍

Lower-risk cross-border structures: Merchant can clearly explain each jurisdictional node; holds licenses matched to actual customer markets; maintains documented intercompany relationships; UBO (ultimate beneficial owner) information is consistent across all filings; dispute rates are consistent with the operational complexity of the model.

‍

Higher-risk cross-border structures: Incorporation country used as a proxy for all compliance questions; licensing verified without confirming market coverage; operations jurisdiction not assessed for tax or data obligations; customer geography not mapped to applicable consumer protection rules; sanctions screening limited to entity-level and incorporation country only.

‍

The business structure itself is not the risk. The risk emerges from gaps between where obligations exist and where they are verified.

‍

‍

‍

The Complete Assessment Framework

‍

‍

Incorporation Jurisdiction

‍

Why it matters: The incorporation jurisdiction is the starting point, not the conclusion. It establishes the legal entity structure and, in some cases, financial reporting requirements. It does not determine the licensing framework applicable to the merchant's customers, the tax obligations created by its operations, or the consumer protection rules that govern its transactions.

‍

High-risk incorporation signals:

‍

Nominee structures and formation-agent offices:

• Registered office address is shared with a large number of other entities (formation agent office)
• Directors or shareholders are nominees, not persons with effective control
• UBO information is not disclosed or is inconsistent with the incorporation jurisdiction's requirements

‍

Why this is high risk: Nominee structures are widely used for legitimate purposes, but they also obscure beneficial ownership. Where UBO disclosure requirements are minimal (as in many offshore incorporation jurisdictions), risk teams cannot rely on formation documents alone.

‍

Incorporation in FATF-listed jurisdictions:

• Incorporation jurisdiction is on the FATF (Financial Action Task Force) list of jurisdictions under increased monitoring (grey list) or the list of high-risk jurisdictions subject to a call for action (black list)
• Correspondent banking relationships in the incorporation jurisdiction are restricted

‍

Why this is high risk: FATF listing affects the quality of AML (anti-money laundering) and CTF (counter-terrorism financing) oversight in the jurisdiction, and affects the reliability of entity-level documentation sourced from it. FATF maintains and updates these lists publicly at fatf-gafi.org.

‍

Acceptable incorporation documentation:

• Certificate of incorporation and articles of association (current, not expired)
• UBO disclosure at or above the applicable threshold (25% in most jurisdictions, or lower where required by local law)
• Registered agent and registered office that can be verified as genuine operational addresses or identified as nominee addresses and treated accordingly
• Current financial filing status (no unexplained gaps indicating dormancy or restructuring)
• Any locally held licenses disclosed, even if the entity operates primarily elsewhere

‍

‍

What to request from merchant:

Category

Documentation Needed

Entity formation

Certificate of incorporation, articles of association, any amendments

Beneficial ownership

UBO register, shareholder register, or equivalent disclosure at applicable threshold

Registered presence

Registered office address, registered agent details, evidence of whether address is nominee or operational

Financial compliance

Most recent annual filing, confirmation entity is current on reporting obligations

Local licensing

Any licenses held in the incorporation jurisdiction

‍

Testing protocol:

1. Verify entity on incorporation jurisdiction's company registry (where publicly available).
2. Cross-reference registered office address against known formation agent databases.
3. Check FATF status of incorporation jurisdiction at fatf-gafi.org.
4. Verify UBO disclosure against merchant-provided documents and any publicly available registry.
5. Confirm financial filing status is current.

‍

Merchant assessment checklist:

• Entity can be verified on public registry or equivalent official source
• Registered office is clearly identified as operational or nominee (treated accordingly)
• UBO disclosed at or above applicable threshold with nationality and residency confirmed
• Entity is current on financial reporting obligations
• Incorporation jurisdiction is not FATF grey-listed or black-listed (or risk has been explicitly assessed if it is)

‍

Red flag thresholds:

• UBO not disclosed or inconsistent across documents = HIGH RISK
• Nominee directors only, no transparency on controlling persons = HIGH RISK
• Incorporation jurisdiction on FATF black list = CRITICAL RISK (requires escalated review)
• Incorporation jurisdiction on FATF grey list = MEDIUM RISK (document assessment basis)
• Unexplained gaps in financial filing history = MEDIUM RISK

‍

‍

‍

Operations Jurisdiction

‍

Why it matters: The operations jurisdiction is where the business actually runs: where staff are employed, where technical infrastructure is maintained, where customer service operates, and where management decisions are made. This is the jurisdiction most likely to create tax obligations through permanent establishment, data processing obligations, and local licensing requirements that apply regardless of where the entity is incorporated.

‍

High-risk operations signals:

‍

Undeclared permanent establishment:

• Entity has employees, servers, or management decision-making in a jurisdiction where it has not registered a permanent establishment (PE)
• Tax compliance documentation covers only the incorporation jurisdiction
• Significant gap between incorporation jurisdiction (low-tax) and operations jurisdiction (higher-tax)

‍

Why this is high risk: Permanent establishment is the concept in international tax law that determines where a business has created a taxable presence. It is codified in the OECD Model Tax Convention (Article 5) and applied through bilateral tax treaties. An undeclared PE creates retroactive tax liability that can affect the merchant's financial stability and ability to meet payment obligations. OECD BEPS (Base Erosion and Profit Shifting) Action 7 specifically addresses arrangements that artificially avoid PE status.

‍

Data localization non-compliance:

• Operations are conducted in a jurisdiction with mandatory data localization requirements, with no evidence of compliant infrastructure
• Merchant has not registered with the relevant data protection authority in the operations jurisdiction

‍

Why this is high risk: Several jurisdictions impose mandatory data localization requirements. Non-compliance creates regulatory exposure that can disrupt operations. Risk teams should verify applicable requirements on a market-by-market basis for each operations jurisdiction.

‍

No documented operational presence:

• Merchant claims remote operations but cannot produce any supporting documentation (lease, utility bills, employment contracts, payroll)
• Physical address provided is a residential address or virtual office with no staff

‍

Why this is medium risk: Undocumented presence makes it impossible to assess operational stability, regulatory compliance, or the reality of the claimed operational structure.

‍

Acceptable operations documentation:

• Physical address of operational premises with supporting documentation
• Local business registration or equivalent filing where required
• Evidence of employment or contractor relationships in the operations jurisdiction
• Tax registration confirming PE status has been assessed
• Evidence of data protection registration where required by local law
• Local banking relationships supporting operational expenses

‍

‍

What to request from merchant:

Category

Documentation Needed

Physical presence

Lease agreement or utility bills for operational premises

Local registration

Business registration certificate in operations jurisdiction, where required

Employment

Sample employment or contractor agreements, payroll evidence

Tax compliance

Evidence of PE assessment or local tax registration

Data protection

Registration with local data protection authority, where required

Banking

Bank account statements showing operational expense payments in the jurisdiction

‍

Testing protocol:

1. Verify business registration in operations jurisdiction on local company registry where accessible.
2. Confirm physical address against lease or utility documentation.
3. Assess whether the operations jurisdiction has data localization requirements applicable to the merchant's activity.
4. Assess gap between incorporation jurisdiction and operations jurisdiction for PE risk exposure.
5. Verify banking relationships are operational (not dormant).

‍

Merchant assessment checklist:

• Operational address is documented and verifiable
• Employment or contractor presence is evidenced
• Tax compliance position in the operations jurisdiction has been assessed and documented
• Data protection obligations in the operations jurisdiction have been identified and addressed
• Local banking relationships are active

‍

Red flag thresholds:

• No documentation of operational presence = HIGH RISK
• Significant PE risk with no tax compliance evidence = HIGH RISK
• Data localization non-compliance in a jurisdiction with active enforcement = HIGH RISK
• Operations in a jurisdiction with elevated sanctions risk, no counterparty screening = HIGH RISK
• Residential or virtual office only = MEDIUM RISK (dependent on operational model)

‍

‍

‍

Customer Jurisdiction

‍

Why it matters: The customer jurisdiction is the highest-risk corner of the triangle from a compliance and consumer protection perspective. Consumer protection requirements are generally determined by where the customer is located, not where the merchant is incorporated. This is the jurisdiction where licensing is most likely to be required, where mandatory refund and cancellation rights apply, and where dispute rights are governed.

‍

High-risk customer jurisdiction signals:

‍

Licenses verified in incorporation jurisdiction only:

• Merchant holds a license in its incorporation jurisdiction, but that license does not extend to the markets where customers are located
• No assessment of whether the merchant's activity requires local authorization in the customer markets

‍

Why this is critical risk: A license confirms what it confirms: authorization to operate in the issuing jurisdiction, or in markets explicitly covered by that license. A Malta Gaming Authority (MGA) license covers EU players. It does not substitute for a Northern Territory license in Australia or a state-level license in a regulated US state. Accepting players in unlicensed markets is prohibited activity regardless of what licenses are held elsewhere.

‍

No mechanism to document customer geography:

• Merchant claims to operate in broad geographic regions but cannot produce transaction data by customer country
• Geoblocking is claimed but not verified
• Stated customer markets do not match descriptor data, website language, or pricing currencies

‍

Why this is high risk: Without verified customer geography, it is not possible to assess which licensing, consumer protection, or sanctions obligations apply.

‍

Consumer terms not calibrated to customer markets:

• Terms of service are governed by the law of the incorporation jurisdiction only
• Refund, cooling-off, and cancellation rights do not reflect obligations in the EU, UK, Australia, or US
• No documentation of how chargebacks from multiple jurisdictions are handled

‍

Why this is high risk: Terms of service governed by incorporation jurisdiction law are generally unenforceable against customers in jurisdictions with mandatory consumer protection rules. This drives chargebacks and regulatory referrals.

‍

Sanctions exposure in customer base:

• Transaction data includes customers from OFAC (Office of Foreign Assets Control)-listed or UN-sanctioned territories
• No screening of customer geography against applicable sanctions programs

‍

Why this is critical risk: Processing payments from sanctioned territories exposes the entire payment chain, not only the merchant.

‍

Acceptable customer jurisdiction documentation:

• Transaction volume by customer country (actual data, not stated estimates)
• Licensing verification matched to customer geographies, not just incorporation jurisdiction
• Terms of service and refund policy that reflect consumer rights in the customer markets
• Documented process for handling chargebacks across multiple jurisdictions
• Evidence of geoblocking for restricted markets (where applicable)
• Age verification and access controls where product category requires them

‍

‍

What to request from merchant:

Category

Documentation Needed

Customer geography

Transaction volume by country (minimum last 3 months)

Licensing

Licenses held, with issuing jurisdiction and geographic scope explicitly confirmed

Consumer terms

Terms of service, refund policy, and cancellation policy applicable in each major customer market

Dispute handling

Documented chargeback process, including cross-jurisdiction handling

Geoblocking

Technical documentation of market restrictions where applicable

Sanctions

Screening process for customer geographies against applicable sanctions programs

‍

Testing protocol:

1. Request and review transaction data by customer country for the most recent 90 days.
2. For each material customer market (representing more than 5% of volume), confirm whether the merchant's activity requires local licensing.
3. Review terms of service against mandatory consumer rights in the top three customer markets by volume.
4. Test geoblocking claims for declared restricted markets.
5. Cross-reference customer countries against OFAC and UN sanctions lists.

‍

Merchant assessment checklist:

• Customer geography is documented by transaction data, not stated estimates
• Licenses cover the customer markets where revenue is generated
• Consumer terms reflect mandatory rights in the customer markets
• Chargeback process is documented and accounts for cross-jurisdiction handling
• No revenue from OFAC-listed or UN-sanctioned territories
• Geoblocking is implemented and verifiable where claimed

‍

Red flag thresholds:

• Licensing confirmed for incorporation jurisdiction only, no coverage assessment for customer markets = CRITICAL RISK
• No transaction data by customer country = HIGH RISK
• Consumer terms governed only by incorporation jurisdiction law = HIGH RISK
• Revenue from sanctioned territories = CRITICAL RISK
• Claimed geoblocking not verifiable = MEDIUM RISK

‍

‍

‍

Fulfillment Chain

‍

Why it matters: The fulfillment chain introduces jurisdictional contact points beyond the three nodes of the triangle. For physical goods, each point in the logistics chain (warehouse location, shipping origin, customs documentation) may carry licensing, tax, or regulatory implications. For digital goods and services, the fulfillment chain determines where delivery evidence is generated, how access is controlled, and how VAT (value-added tax) or GST (goods and services tax) obligations are determined.

‍

The fulfillment chain is also where transaction laundering risk concentrates in cross-border structures. A merchant may process payments for goods or services that appear to originate from the declared jurisdiction, while actual delivery occurs through a different entity in a third jurisdiction that was not disclosed at onboarding. We look for alignment between stated fulfillment processes and transaction-level evidence.

‍

For physical goods merchants, examine:

• Warehouse and inventory locations
• Shipping carrier relationships and customs documentation standards
• Import and export licenses where applicable
• Product certifications required in customer markets (for example, CE marking in the EU and FCC equipment authorization in the US)
• Returns logistics and the jurisdiction governing returns obligations

‍

For digital goods and services merchants, examine:

• Infrastructure hosting location and provider
• Access control and delivery confirmation methodology
• Subscription management and cancellation workflow
• Cross-border VAT and GST compliance. In the EU, UK, and Australia, VAT and GST on digital services is determined by the customer's location, not the merchant's location.

‍

‍

What to request from merchant:

Category

Documentation Needed

Physical goods

Warehouse locations, carrier agreements, product certification documentation

Digital goods

Hosting provider and location, delivery confirmation methodology

Tax compliance

VAT/GST registration in customer markets where applicable

Transaction laundering controls

Evidence of alignment between stated and actual fulfillment entities

‍

Red flag thresholds:

• Fulfillment entity differs from contracting entity with no documented intercompany relationship = HIGH RISK
• No VAT/GST registration in EU, UK, or Australia where digital services revenue is material = HIGH RISK
• Product certifications absent for customer markets with mandatory requirements = MEDIUM RISK
• Descriptor or shipping origin data inconsistent with stated fulfillment location = HIGH RISK

‍

‍

‍

Sanctions Exposure

‍

Why it matters: Sanctions screening limited to the incorporation jurisdiction misses the operational and customer-facing exposure created by the triangle structure. A merchant may be incorporated in a neutral jurisdiction, but if its beneficial owners are nationals of a sanctioned country, if its operational counterparties include sanctioned entities, or if its customer base includes residents of sanctioned territories, those exposures exist regardless of where the company is registered. For a detailed treatment of screening methodology when documentation is incomplete, see Sanctions Screening When Data Is Incomplete.

‍

Screening should cover all three nodes:

• The legal entity and its aliases in all three jurisdictions
• All UBOs: nationality, current residency, and prior nationalities or residencies
• Key Management Personnel (KMPs): directors, officers, and any persons with effective control
• Counterparties in the operations jurisdiction: suppliers, vendors, payment processors, banking relationships
• Customer geography: whether any portion of the revenue base originates from sanctioned territories
• Transaction routing: whether fund flows touch jurisdictions, institutions, or individuals subject to sanctions

‍

A note on indirect exposure: Sanctions risk is not always direct. A merchant may have no direct relationship with a sanctioned entity but may process payments that originate from a jurisdiction where the card-issuing bank is subject to secondary sanctions considerations. Risk teams should assess the full routing of funds through the acquiring chain.

‍

Red flag thresholds:

• UBO or KMP matches a sanctions list = CRITICAL RISK
• Revenue from OFAC-listed or UN-sanctioned territories = CRITICAL RISK
• Operational counterparties in the operations jurisdiction not screened = HIGH RISK
• Operations jurisdiction with elevated sanctions risk, no counterparty documentation = HIGH RISK
• Transaction routing through restricted correspondent banking relationships = HIGH RISK

‍

‍

‍

Dispute Handling Across Borders

‍

Why it matters: Chargeback management becomes structurally more complex when a merchant operates across three jurisdictions. The card scheme rules governing chargebacks (primarily Mastercard and Visa rules) set the baseline procedural framework. The practical ability of a merchant to win disputes, document its position, and meet response deadlines is shaped by its operational structure.

‍

High-risk dispute handling signals:

‍

Evidence inaccessible due to cross-border data constraints:

• Customer records are maintained in a jurisdiction with data protection rules that restrict their use as dispute evidence in other jurisdictions
• Merchant cannot produce customer-specific consent or delivery evidence on demand

‍

Why this is high risk: Without accessible evidence, dispute representment fails. Card networks require documentation, not assertions.

‍

Time zone and staffing misalignment:

• Dispute handling is staffed from a jurisdiction with a significant time zone offset from the customer base
• Response time windows defined by scheme rules cannot be consistently met

‍

Customer-facing entity and contracting entity differ:

• Customers contract with a local operating entity; the acquiring relationship is with a different entity in a different jurisdiction
• Chargebacks reference a different legal entity than the one in the merchant agreement

‍

Why this is critical risk: Disputes against a non-contracting entity create structural representment failures and may constitute undisclosed related-party activity.

‍

What to request from merchant:

Category

Documentation Needed

Dispute process

Documented chargeback handling process, including cross-jurisdiction workflow

Evidence availability

Sample dispute response package; confirmation that customer consent and delivery evidence is retrievable on demand

Metrics

Monthly dispute rate and reason code breakdown; representment win rate

Entity alignment

Confirmation that the entity presented to customers is the contracting entity in the merchant agreement

‍

Red flag thresholds:

• Dispute rate above card network monitoring thresholds = CRITICAL RISK
• Cannot produce dispute evidence on demand = HIGH RISK
• Customer-facing entity differs from contracting entity with no disclosure = HIGH RISK
• Representment win rate below 30% = HIGH RISK
• Dispute handling staffed with no ability to meet scheme response windows = MEDIUM RISK

‍

‍

‍

What Good Looks Like

‍

When all elements align properly, a well-structured cross-border merchant presents a coherent legal and operational story that holds up across all three jurisdictions. The presence of multiple jurisdictions is not a red flag. The absence of a clear, documented explanation for each node is.

‍

‍

Documentation package: compliant cross-border triangle structure

Category

Requirements

Incorporation

Entity verified on public registry; UBO disclosed at applicable threshold; registered office identified as operational or nominee; financial filings current; FATF status assessed

Operations

Physical presence documented; employment or contractor evidence available; tax compliance assessed for PE risk; data protection obligations met; local banking active

Customer markets

Licensing confirmed per customer geography; consumer terms reflect mandatory rights in customer markets; transaction data by country available; no revenue from sanctioned territories

Fulfillment

Fulfillment entity is the contracting entity or relationship is documented; VAT/GST compliance in place for digital services; delivery evidence retrievable

Sanctions

Entity, UBOs, KMPs, and operational counterparties screened; customer geography screened; fund routing assessed

Dispute handling

Documented process; evidence retrievable on demand; dispute rate within scheme thresholds; contracting entity matches customer-facing entity

‍

Illustrative example: compliant cross-border structure profile

The following is a composite illustrative example based on common structural patterns. It does not represent a specific client or case.

‍

Company: A SaaS analytics platform

‍

Structure: Incorporated in Ireland (EU), operational team in Poland, customers primarily in the US, UK, and DACH region.

‍

Incorporation: Company registered with Ireland's Companies Registration Office. UBO disclosed (two founders above 25% threshold). Registered office is the company's Dublin office, confirmed by lease agreement. Annual filings current. Ireland is not FATF-listed.

‍

Operations: Lease for Warsaw office confirmed. Polish employment contracts provided for 14 staff. Polish tax registration includes PE declaration. GDPR (General Data Protection Regulation) registration with Ireland's Data Protection Commission as lead supervisory authority. Active EUR and PLN bank accounts provided.

‍

Customer markets: Transaction data by country provided for prior 6 months. US represents 52% of revenue. UK represents 18%. No licensing requirement for SaaS analytics in these markets. Terms of service reflect US, UK, and EU consumer rights including GDPR data rights. Chargeback process documented. No revenue from sanctioned territories confirmed by transaction data review.

‍

Fulfillment: Hosted on AWS EU (Frankfurt). Delivery confirmation via access log. VAT registered in Ireland (covers EU under OSS scheme), UK VAT registered. Subscription cancellation via account dashboard, self-service.

‍

Dispute handling: Dispute rate 0.2% over prior 12 months. Representment win rate 61%. Evidence package includes checkout screenshots, consent timestamps, and access logs. Contracting entity matches customer-facing entity.

‍

This profile represents acceptable risk for payment processing.

‍

‍

‍

Common Underwriting Errors

‍

Error: Using the incorporation country as a proxy for all compliance questions

‍

The problem: An entity incorporated in a well-regulated jurisdiction (the EU, UK, US, or Australia) is assumed to be subject to the standards of that jurisdiction across all of its activities. In practice, incorporation establishes the legal entity structure. It does not determine the licensing framework applicable to the merchant's customers, the tax obligations created by its operations, or the consumer protection rules that govern its transactions.

‍

What to do: Assess each corner of the triangle independently. Do not carry over compliance conclusions from the incorporation jurisdiction to the operations or customer jurisdiction.

‍

Error: Verifying licenses without verifying market coverage

‍

The problem: A merchant holds a legitimate license in its incorporation jurisdiction. The review confirms the license and moves on. The license may not cover the markets where the merchant's customers are located.

‍

What to do: For every license verified, confirm its geographic scope explicitly. Identify the top customer markets by revenue and confirm whether the license covers them, or whether separate local authorization is required.

‍

Error: Skipping permanent establishment assessment

‍

The problem: Tax liability is a financial stability risk. An entity with an undeclared or disputed permanent establishment may face retroactive tax assessments that affect its ability to operate and meet payment obligations.

‍

What to do: Flag when the gap between incorporation jurisdiction (low-tax) and operations jurisdiction (higher-tax) is significant. Request evidence that the tax compliance position has been assessed.

‍

Error: Screening the entity but not the operational counterparties

‍

The problem: Sanctions screening covers the legal entity and its UBOs but does not extend to the banks, vendors, and fulfillment partners in the operations jurisdiction. This is where indirect sanctions exposure concentrates in cross-border structures.

‍

What to do: Extend screening to material operational counterparties, with particular attention to banking relationships and any counterparties in elevated-risk regions.

‍

Error: Treating the onboarding assessment as permanent

‍

The problem: Cross-border structures evolve. A merchant may have added customer markets, changed operational locations, or restructured its corporate entities since onboarding. None of these changes are visible without ongoing monitoring. Ballerine's Merchant Monitoring solution is designed to surface exactly these changes across live portfolios.

‍

What to do: Include in ongoing monitoring: transaction data by customer country (to detect geographic expansion), website and storefront review (to detect product or market changes), and corporate filing review (to detect UBO or entity changes).

‍

Error: Not verifying which entity customers actually contract with

‍

The problem: In some cross-border structures, customers contract with a local operating entity while the acquiring relationship is with a different entity in a different jurisdiction. Chargebacks then reference an entity that is not in the merchant agreement.

‍

What to do: Confirm that the entity presented to customers in terms of service, receipts, and transaction descriptors is the same entity in the merchant agreement. Where they differ, require an explanation and document it.

‍

‍

‍

The Critical Question

‍

Which "country" do you underwrite first, and why?

‍

The answer reveals the assumptions built into the underwriting process. If the answer is always "the incorporation country", it is worth examining what that assumption costs. Incorporation is the easiest corner to verify: it produces a formal document from a known registry. Operations and customer markets require more investigative work. The compliance obligations that generate adverse outcomes (licensing violations, consumer protection failures, sanctions exposure) live in the corners that require more work to examine.

‍

For risk teams building or refining underwriting programs, the cross-border triangle scenario is a practical test of whether the program is calibrated for how merchants actually structure their businesses. A program that produces the same risk output for a merchant incorporated in the EU, operating from Southeast Asia, and serving customers in North America as it does for a merchant incorporated, operating, and serving customers all within the EU has a structural gap.

‍

The triangle framework in this guide is not a checklist to be applied mechanically. It is a structure for asking whether each corner of the merchant's structure has been examined independently, and whether the conclusions from one corner have been verified rather than assumed to apply to the others.

‍

‍

‍

About Ballerine

‍

Ballerine builds AI-powered merchant underwriting, KYB (know your business), KYC (know your customer), and ongoing monitoring infrastructure for payment companies: acquirers, PSPs, PayFacs, marketplaces, BIN sponsors, and banks. We focus on high-risk and fast-changing merchant categories, including gambling, cryptocurrency, adult content, CBD/THC, forex/CFD, and adjacent risk-heavy verticals.

‍

We help payment companies build and demonstrate control over merchant portfolios, not just rely on onboarding paperwork and MCC (Merchant Category Code) labels. Our platform helps teams detect and investigate transaction laundering signals, prohibited activity and AUP (Acceptable Use Policy) drift, sanctions/PEP and adverse media risk, consumer-harm patterns, and fraud spikes. We compress the time and effort required to do deep underwriting and monitoring at scale, while maintaining governance and auditability.

‍

Ballerine is a Mastercard MMSP (Mastercard Merchant Monitoring Service Provider) certified partner. Our platform is designed to produce outputs that are defensible in scheme and regulatory inquiries, with configurable risk rules and workflow building blocks that can be adapted to the requirements of each acquiring or PayFac program.

‍