Why Merchant Risk Teams Still Miss Bad Merchants

Andy Vrabel
Jul 5, 2026

The Structural Problem Nobody Names in the Risk Team Meeting

Alert volume is up. The team is working harder. And somehow, a merchant that was never flagged just triggered a card scheme fine.

This is a familiar scenario for risk teams managing large portfolios. A team of analysts processes hundreds of merchant monitoring alerts each week. After investigation, the majority clear as false positives: legitimate businesses flagged for using certain words in their product descriptions, for operating in a sensitive MCC (Merchant Category Code), or for appearing on a broad blocklist. The real investigation time goes to noise.

Then the audit arrives. There it is: a merchant that processed a material volume of transactions outside its declared business model, accumulated chargebacks in a product category it was never approved for, and ran payment flows that should have triggered a review months earlier. The tools said nothing.

This is not a staffing problem. It is a structural one, and it starts with how most merchant monitoring systems are built.

Rule-Based Tools Are Built for the Obvious

Most merchant monitoring infrastructure still operates on the same core logic it used a decade ago:

  • Keyword matching on product descriptions and website text

  • MCC-based filters that flag specific merchant category codes

  • Static blocklists tied to previously identified bad actors

  • Threshold-triggered alerts on transaction volume or chargeback ratios

These tools are effective at catching straightforward cases. A merchant with "CBD" in its product title will flag. A business registered under a restricted MCC will alert. A processor showing sudden transaction volume spikes will surface. These are visible signals, and rule-based systems are reasonably calibrated to detect them.

The problem is that most bad merchants do not look like the obvious cases. Two examples appear repeatedly in practice:

The wellness retailer. A merchant registered as a "wellness and lifestyle" brand. Its onboarding documents are clean. Its MCC is unremarkable. Its website headline reads like a hundred legitimate health brands.

But the product listings, when read by a system that understands content rather than just scanning for trigger words, describe products with claims that cross into regulated pharmaceutical territory. No keyword rule catches it. No blocklist matches. It processes for months.

The consulting business. A merchant that describes itself as a "business consulting service." Its business registration is valid. Its stated MCC generates no flags. But its actual transaction flows, reviewed against its web presence, show payment patterns consistent with a gambling facilitation operation.

The website, examined in context, tells a different story than the form submission at onboarding. Again: no alert. Rule-based systems catch the merchants who make obvious mistakes. They are largely blind to merchants who understand the rules well enough to avoid tripping them.

Onboarding form versus actual merchant activity infographic

The False Positive Trap

The noise problem compounds into something more operationally consequential than wasted analyst time.

Research in transaction monitoring compliance consistently identifies false positive rates in rule-based alert systems as a significant operational burden. As Laurence Hamilton, CCO at Consilient, noted in April 2025: rule-based transaction monitoring systems run with "consistent 95% false positive rates."

We observe a comparable pattern in merchant monitoring: systems calibrated for broad sensitivity generate alert volumes that exceed any team's capacity for thorough investigation.

Alert fatigue is the documented result. When analysts clear the large majority of alerts as benign before lunch, the cognitive threshold for what constitutes a real signal degrades. Investigations become faster and shallower. The team stops expecting to find anything meaningful.

Regulators including the Financial Action Task Force (FATF) and the UK Financial Conduct Authority (FCA) have specifically flagged alert fatigue as a compliance risk, noting that firms are expected to maintain systems that minimise unnecessary alerts while ensuring genuine risks are investigated.

The consequences are compounding:

  • Analyst time diverts to noise. Clearing false positives at scale consumes the capacity that should go to real investigation.

  • Investigation depth drops. High alert volume trains analysts to move fast, not to look carefully.

  • Real risk hides in the low-confidence signals. The merchants who represent actual exposure often generate subtle indicators, not obvious ones. Those are the first to get dismissed.

The false positive problem is not a calibration issue that more rules will fix. Adding more rules typically adds more noise. The underlying issue is that rule matching produces binary outputs, triggered or not triggered, without the contextual understanding needed to distinguish a legitimate wellness brand from an unlicensed supplement operation.

False positive cycle infographic

What the Tools Cannot See

The gap between what rule-based tools flag and what actually represents risk comes down to context. Understanding whether a merchant poses real risk requires reading the full picture:

  • What the merchant's website says across every page, not just the homepage

  • What products are actually listed and how they are described

  • How the checkout and payment flows are structured

  • What the merchant's social presence looks like

  • How its business registration aligns with its actual commercial activity

  • Whether its transaction patterns are consistent with the business model declared at onboarding

No keyword match does this. No MCC filter does this. Blocklists capture merchants who were caught before, not merchants executing novel patterns.

The OCC Merchant Processing Comptroller's Handbook addresses acquirer obligations for ongoing evaluation of merchant activity throughout the merchant lifecycle, not only at onboarding. The regulatory expectation is continuous, risk-based assessment. For most portfolios, the operational reality is periodic review supported by tools that flag surface-level signals and miss contextual ones.

Visa's Acquirer Monitoring Program (VAMP), effective June 1, 2025, consolidates fraud, dispute, and enumeration monitoring into a single portfolio-level program. Acquirers are now evaluated against a unified VAMP ratio covering fraud (TC40) and disputes (TC15) relative to settled transactions.

The Excessive Merchant threshold tightens further in April 2026. Merchants that slip through monitoring gaps do not just create operational headaches. They move an acquirer's portfolio ratio in the wrong direction.

The Shift That Needs to Happen: From Reactive to Continuous

Periodic merchant reviews create a structural blind spot. A merchant that passes a quarterly review can, within the next 90 days:

  • Materially change its business model or product mix

  • Add product categories outside its approved MCC scope

  • Restructure payment flows to obscure transaction origin

  • Begin serving a customer base entirely different from its onboarding profile

All of that can happen without triggering a single alert under a periodic, rule-based review.

We see this pattern consistently. The merchants that appear in post-incident reviews are rarely the ones that looked problematic at onboarding. They are the ones that changed after onboarding, in a window between review cycles when no active monitoring was running.

Continuous monitoring closes this gap, but only if the monitoring itself can detect behavioral change rather than just threshold breaches. A merchant whose transaction volume stays flat but whose product catalog shifts from legal supplements to unregulated compounds will not trigger a volume anomaly. It will only surface if something is actively reading and classifying its content over time.
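The flat-volume case above, as an added example that is not from the original post and not Ballerine's code: a month-on-month volume threshold stays silent on constructed snapshots while a comparison of the catalog against the onboarding scope raises alerts. The merchant data, category labels, thresholds and function names are all assumptions, and the per-listing labels stand in for the output of a content classifier that is not implemented here.

```python
from collections import Counter
from math import log2

# Constructed data for one hypothetical merchant: monthly settled volume plus the
# category assigned to each product listing. The labels stand in for the output
# of a content classifier, which is assumed and not implemented here.
APPROVED = {"legal_supplements"}  # scope approved at onboarding (assumed)
SNAPSHOTS = [
    {"month": "2026-01", "volume": 100_000, "listings": ["legal_supplements"] * 50},
    {"month": "2026-02", "volume": 102_000,
     "listings": ["legal_supplements"] * 48 + ["unregulated_compounds"] * 2},
    {"month": "2026-03", "volume": 98_000,
     "listings": ["legal_supplements"] * 30 + ["unregulated_compounds"] * 20},
    {"month": "2026-04", "volume": 101_000,
     "listings": ["legal_supplements"] * 10 + ["unregulated_compounds"] * 40},
]


def volume_rule_alerts(snapshots, max_change=0.5):
    """Threshold rule: flag months whose volume moved more than max_change vs. the prior month."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if abs(cur["volume"] - prev["volume"]) / prev["volume"] > max_change:
            alerts.append(cur["month"])
    return alerts


def category_mix(listings):
    """Share of listings per category; empty dict when there are no listings."""
    counts = Counter(listings)
    total = sum(counts.values())
    return {cat: n / total for cat, n in counts.items()} if total else {}


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits (0 = identical mixes, 1 = disjoint)."""
    def kl(a, m):
        return sum(a[c] * log2(a[c] / m[c]) for c in a if a[c] > 0)
    cats = set(p) | set(q)
    p = {c: p.get(c, 0.0) for c in cats}
    q = {c: q.get(c, 0.0) for c in cats}
    m = {c: (p[c] + q[c]) / 2 for c in cats}
    return (kl(p, m) + kl(q, m)) / 2


def drift_alerts(snapshots, approved, max_out_of_scope=0.10, max_jsd=0.10):
    """Flag months whose catalog left the approved scope or moved away from the onboarding mix.

    Each month is compared with the onboarding snapshot, not the previous month,
    so a slow change cannot stay under the threshold step by step.
    """
    baseline = category_mix(snapshots[0]["listings"])
    alerts = []
    for snap in snapshots[1:]:
        mix = category_mix(snap["listings"])
        out_of_scope = sum(share for cat, share in mix.items() if cat not in approved)
        jsd = js_divergence(baseline, mix)
        if out_of_scope > max_out_of_scope or jsd > max_jsd:
            alerts.append({"month": snap["month"],
                           "out_of_scope": round(out_of_scope, 3),
                           "jsd": round(jsd, 3)})
    return alerts


if __name__ == "__main__":
    print("volume rule:", volume_rule_alerts(SNAPSHOTS))
    for alert in drift_alerts(SNAPSHOTS, APPROVED):
        print("catalog drift:", alert)
```

The divergence term also catches a change of mix inside the approved scope, which the out-of-scope share alone would miss.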

Blind spot between review cycles infographic

What Contextual Merchant Monitoring Actually Looks Like

The monitoring approach that addresses these gaps operates differently from rule-based systems at a fundamental level. Instead of asking "does this merchant match a known-bad pattern," it asks "does what this merchant is actually doing match what it told us it does."

That question requires:

  • Reading website content in full, not scanning for trigger words

  • Classifying business activity dynamically, rather than relying on a fixed MCC assigned at onboarding

  • Evaluating product listings for risk signals, including regulatory category indicators, prohibited content, and mismatches with the declared business model

  • Tracking changes over time, so a shift in product catalog, checkout flow, or domain structure triggers a contextual review, not just a volume alert

  • Cross-referencing transaction patterns with digital footprint, to surface the merchant whose numbers look normal but whose business model no longer matches what it is processing

We have found that risk teams applying contextual analysis consistently identify a different distribution of problems than rule-based alert review surfaces. High-volume false positives diminish. Subtle behavioral shifts become visible: merchants quietly expanding into regulated categories, merchants whose transaction flows no longer match their declared model.

The result is fewer alerts, better signal accuracy, and coverage of the changes that matter.

Ballerine’s Approach To Merchant Monitoring

Ballerine builds merchant monitoring infrastructure for acquirers who need to move beyond rule-based systems without adding headcount or slowing portfolio reviews.

The monitoring layer uses AI agents to analyze each merchant's actual web presence on a continuous basis. Key capabilities:

  • Website and product content analysis across the full merchant domain, not just the landing page

  • Business model classification, updated continuously as merchant content changes

  • MCC and regulated-category detection, grounded in what the merchant actually sells

  • Domain and social presence monitoring for signals that emerge outside the checkout flow

  • Licensing and compliance signal detection, including indicators of unlicensed regulated activity

Rather than matching keywords against a trigger list, the system reads and interprets merchant content to evaluate whether what the merchant is doing aligns with what it is approved to do. When the system generates an alert, it reflects a meaningful contextual signal, not a keyword match.

For acquirers managing large portfolios, merchant onboarding feeds directly into the continuous monitoring layer. The contextual understanding established during underwriting is maintained and updated throughout the merchant lifecycle, rather than discarded after approval.

The system also supports transaction analysis that flags inconsistencies between transaction patterns and declared business models. This is where many of the cases that survive onboarding reviews ultimately surface.

If your risk team is clearing the large majority of its alerts as false positives and still finding problems in audits, the issue is not the team. It is what the tools are looking at.

About the Author

Andy Vrabel, Payments Risk & Compliance Expert @ Ballerine

Andrew Vrabel is a payments risk and compliance expert with deep expertise in merchant risk intelligence, merchant monitoring, anti-money laundering, and fraud prevention across the payments ecosystem. He works with payment companies, acquirers, payfacs, and other financial services stakeholders to help strengthen merchant onboarding, improve ongoing monitoring, and identify high-risk activity through data-driven risk and compliance strategies.
