Merchant underwriting compliance requires documented policies, robust governance, and comprehensive audit trails to satisfy card schemes, regulators, and internal oversight. Compliance teams must ensure underwriting programs meet Visa VARS, Mastercard Security Rules, and anti-money laundering obligations under FATF standards.
This includes maintaining written policies, recording decision rationale, performing sanctions and adverse media screening, and documenting ongoing monitoring activities. Effective compliance programs balance regulatory adherence with operational efficiency, using technology to capture evidence and ensure consistency.
This handbook outlines core documentation, screening, governance, and audit requirements for merchant underwriting compliance, with practical guidance for building and maintaining a compliance-ready underwriting program.
Card schemes require documented underwriting programs that verify merchant legitimacy, assess risk, and maintain ongoing oversight. Visa's Acceptance Risk Standards (VARS), effective October 2024, replaced the Global Acquirer Risk Standards with updated requirements emphasizing continuous monitoring and proactive risk detection.
Mastercard's Security Rules and Procedures mandate that acquirers maintain adequate due diligence controls, screen merchants for compliance risks, and respond promptly to identified issues. Failure to meet scheme standards results in fines, operational restrictions, or program termination.
For organizations serving high-risk portfolios, understanding BRAM and VIRP compliance requirements is essential. These programs specifically target illegal activity, intellectual property infringement, and deceptive marketing practices that damage card brand integrity.
Anti-money laundering regulations require payment service providers to perform customer due diligence. FATF international standards require payment providers to verify customer identity, understand business activities, and monitor transactions for suspicious patterns.
Underwriting satisfies these obligations by verifying business legitimacy, identifying beneficial owners, screening against sanctions lists, and assessing transaction risk. Regulatory authorities expect documented underwriting policies, screening records, and audit trails demonstrating consistent application of risk-based controls.
Banking regulators and supervisory authorities review payment provider compliance programs during examinations. They expect robust governance, documented risk appetite, clear approval authorities, comprehensive screening procedures, and structured ongoing monitoring.
Compliance teams must demonstrate that underwriting programs are adequate for portfolio size, risk profile, and jurisdictional requirements. Deficiencies identified during exams result in mandatory remediation, increased oversight, and potential enforcement actions.
Strong underwriting programs begin with written policies defining risk appetite, approval criteria, and escalation rules. Policies document: acceptable industry categories and prohibited businesses, documentation requirements by risk level, sanctions and adverse media screening procedures, financial assessment standards and reserve calculations, approval authorities for standard, high-risk, and exception cases, and ongoing monitoring frequency and review triggers.
Policies must be reviewed and updated periodically to reflect regulatory changes, scheme updates, portfolio evolution, and lessons learned from past issues. Board or senior management approval demonstrates executive commitment to risk management.
Clear approval authorities ensure appropriate oversight. Junior underwriters approve low-risk merchants meeting standard criteria. Senior underwriters approve high-risk merchants or complex cases. Risk committees or executive management approve merchants exceeding volume thresholds or presenting unique risk profiles.
Escalation paths define when and how applications move to higher authority. Unclear escalation creates inconsistency and delays. Well-defined paths support audit and compliance by showing that appropriate expertise reviewed each decision.
Every underwriting decision must be documented with: merchant application and supporting documents, verification and screening results, risk assessment and decision rationale, approval authority and decision date, and ongoing monitoring records and periodic reviews.
Record retention aligns with regulatory and scheme requirements, typically five to seven years. Electronic storage with access controls, audit trails, and backup procedures ensures records remain available for compliance reviews and scheme audits.
Complete applications include: legal business name, incorporation jurisdiction and date, tax identification number, business address and operating locations, ownership structure and beneficial owners, operating website and product descriptions, and projected transaction volumes, average ticket size, and processing currencies.
Supporting documents verify application claims: incorporation certificates or business registrations, government-issued identification for beneficial owners, bank statements demonstrating revenue and cash flow, proof of business address, licenses or regulatory approvals for restricted industries, and prior processing statements or chargeback reports if available.
Incomplete applications create compliance risk. Underwriters must obtain missing information before approval to ensure adequate due diligence.
Documentation must prove that verification and screening occurred. This includes: incorporation verification confirming business registration with government authorities, website validation showing operational status and content review, sanctions screening results from OFAC, UN, EU, and other watchlists, PEP screening identifying politically exposed persons, adverse media results documenting news and regulatory checks, and beneficial ownership verification confirming ultimate controlling parties.
Automated systems generate structured evidence. Manual checks require documented procedures showing who performed verification, what sources were consulted, when checks occurred, and what results were found.
Compliance teams need clear explanations for approval decisions. Documentation includes: risk scoring results and contributing factors, financial assessment conclusions on cash flow and repayment capacity, compliance risk evaluation based on screening results, mitigation measures such as reserves, monitoring frequency, or volume caps, and approval authority identity and decision date.
Declined applications require documented rationale explaining what criteria were not met, what red flags were identified, and why risk was deemed unacceptable. This protects against discrimination claims and demonstrates consistent policy application.
Underwriting does not end at onboarding. Continuous monitoring generates records demonstrating ongoing oversight: transaction monitoring alerts and investigation results, periodic review outcomes and risk reassessments, triggered re-underwriting when risk indicators surface, adverse information identified after onboarding, and merchant communications regarding policy changes or compliance issues.
These records prove to schemes and regulators that acquirers maintain oversight throughout merchant relationships, not just at onboarding.
All merchants and beneficial owners must be screened against sanctions lists at onboarding and periodically during the merchant lifecycle. Required sources include: Office of Foreign Assets Control (OFAC) Specially Designated Nationals list, United Nations Security Council sanctions, European Union sanctions, and jurisdiction-specific watchlists relevant to merchant location or target markets.
Screening must cover both exact and fuzzy name matches to account for spelling variations, transliterations, and aliases. False positive management procedures distinguish genuine matches requiring action from coincidental name similarities.
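The exact-plus-fuzzy screening and false-positive triage described above, as an added example (not Ballerine's code and not a real watchlist): the WATCHLIST entries are constructed placeholders, and the legal-suffix list and 0.75 review threshold are assumptions a compliance team would calibrate.

```python
"""Sanctions/PEP name screening with exact and fuzzy matching and a recorded disposition.

Added example, not Ballerine's code. WATCHLIST holds constructed placeholder entries
(not real OFAC/UN/EU records); the suffix list and 0.75 threshold are assumptions.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample watchlist: (listed name, known aliases, source list tag)
WATCHLIST = [
    ("Example Trading Company Ltd", ["Example Trading Co"], "SAMPLE-OFAC-SDN"),
    ("Jonathan Q. Placeholder", ["Jon Placeholder"], "SAMPLE-UN"),
]
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "co", "company", "corp", "gmbh", "sa"}

def normalize(name: str) -> str:
    """Fold accents, case and punctuation; drop corporate suffixes and initials so that
    transliteration and formatting differences do not defeat matching."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_text.lower())
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES and len(t) > 1)

def _token_score(a: list, b: list) -> float:
    """Mean over tokens of a of the best per-token similarity against any token of b."""
    return sum(max(SequenceMatcher(None, t, u).ratio() for u in b) for t in a) / len(a)

def similarity(a: str, b: str) -> float:
    """Order-insensitive fuzzy score in [0, 1]; taking the min of both directions
    penalizes names that share only one common token (e.g. the same surname)."""
    ta, tb = normalize(a).split(), normalize(b).split()
    if not ta or not tb:
        return 0.0
    return min(_token_score(ta, tb), _token_score(tb, ta))

def screen(subject: str, watchlist=WATCHLIST, review_threshold: float = 0.75) -> list:
    """Return hits with the disposition the screening record must carry:
    'exact' -> hold pending a documented compliance decision,
    'fuzzy' -> manual false-positive review required,
    below threshold -> not reported (the scan itself is still logged upstream)."""
    hits = []
    for listed, aliases, source in watchlist:
        best = 0.0
        for candidate in (listed, *aliases):
            if normalize(candidate) == normalize(subject):
                best = 1.0
                break
            best = max(best, similarity(subject, candidate))
        if best == 1.0:
            hits.append({"listed": listed, "source": source, "score": 1.0, "disposition": "exact"})
        elif best >= review_threshold:
            hits.append({"listed": listed, "source": source, "score": round(best, 3), "disposition": "fuzzy"})
    return sorted(hits, key=lambda h: -h["score"])
```

Every hit carries the source list and score so the false-positive decision can be documented against it; a subject that returns no hits should still have the scan date and sources recorded in the merchant file.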
Politically exposed person screening identifies individuals with significant public positions: government officials and political leaders, senior executives of state-owned enterprises, high-ranking military officers, and judicial officials.
PEP status does not automatically disqualify merchants but triggers enhanced due diligence. Compliance teams assess: nature and level of political exposure, potential for corruption or misuse of position, business relationship legitimacy, and reputational risk to the acquirer.
Adverse media screening searches news sources, regulatory announcements, and public records for: fraud allegations or criminal activity, regulatory enforcement actions, consumer complaints or class actions, and reputational issues damaging to card brands.
Findings require manual review to determine relevance and severity. Recent, credible allegations typically result in decline. Historic or unsubstantiated mentions may be acceptable with documented risk assessment.
Card schemes and acquirers maintain lists of prohibited or restricted industries: illegal gambling or unlicensed gaming, weapons and munitions, narcotics or controlled substances, certain adult content, counterfeit or IP-infringing goods, and multi-level marketing or pyramid schemes.
Industry validation confirms merchant category alignment with approved industries. Merchants operating in borderline categories require additional documentation justifying approval and demonstrating compliance with applicable regulations.
Initial screening occurs at onboarding. Ongoing screening detects changes: watchlist additions requiring immediate merchant review, adverse media emerging after onboarding, and ownership changes triggering rescreening of new principals.
Screening frequency depends on risk profile. High-risk merchants may require quarterly rescreening. Low-risk merchants may be rescreened annually or when triggered by specific events. Compliance teams must document screening schedules and ensure consistent execution.
Every approval and decline must document: who made the decision, when the decision occurred, what information was considered, and why that outcome was reached.
Automated systems record these details systematically. Manual processes require underwriters to document rationale in case management systems or structured forms. Ambiguous or missing documentation creates audit findings and compliance risk.
Risk scoring models must be documented and auditable. Compliance teams need visibility into: what factors contribute to risk scores, how rules apply to specific merchants, what thresholds trigger escalation or decline, and how models evolve over time.
Black-box models lacking explainability create regulatory risk. Organizations must be able to articulate decision logic to merchants, regulators, and card schemes.
Exceptions occur when underwriting policies allow deviations for valid business reasons. A merchant slightly exceeding volume thresholds or operating in a borderline category may merit approval with enhanced monitoring.
Exceptions require documented justification: what policy was overridden, why the exception was warranted, what additional controls mitigate risk, and who authorized the exception.
Exception tracking identifies patterns suggesting policy adjustments or inappropriate risk tolerance. High exception rates indicate policies disconnected from portfolio reality.
Ongoing transaction monitoring detects issues after onboarding: volume spikes exceeding projections, chargeback rate increases, unusual refund patterns, geographic shifts in transaction origins, and ticket size changes indicating business model drift.
Alert thresholds balance sensitivity and operational burden. Thresholds that are too sensitive generate false positives that overwhelm review teams; thresholds that are too lenient miss genuine risks. Compliance teams must calibrate thresholds based on portfolio characteristics and scheme expectations.
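The monitoring rules listed above (volume spikes, chargeback and refund rates, geographic shift, ticket-size drift) and the threshold trade-off, as an added example that is not Ballerine's code: the merchant profile, monthly aggregates and every threshold in RULES are constructed sample values, not scheme-mandated figures.

```python
"""Post-onboarding transaction-monitoring rules evaluated against monthly aggregates.

Added example, not Ballerine's code. Merchant profile, monthly aggregates and the
thresholds in RULES are constructed sample values to be calibrated per portfolio.
"""
from dataclasses import dataclass, field

@dataclass
class MerchantProfile:
    merchant_id: str
    projected_monthly_volume: float   # from the underwriting application
    projected_avg_ticket: float
    home_countries: frozenset         # cardholder countries expected at onboarding

@dataclass
class MonthlyAggregate:
    month: str
    volume: float
    tx_count: int
    chargebacks: int
    refunds: int
    country_counts: dict = field(default_factory=dict)  # cardholder country -> tx count

# Illustrative thresholds (assumptions). Tightening them raises false positives,
# loosening them hides genuine drift: this is the calibration trade-off in the text.
RULES = {
    "volume_spike": 1.5,      # volume above 150% of the projected monthly volume
    "chargeback_rate": 0.01,  # more than 1% of transactions charged back
    "refund_rate": 0.15,      # more than 15% of transactions refunded
    "ticket_drift": 0.5,      # average ticket off projection by more than 50%
    "foreign_share": 0.30,    # more than 30% of transactions outside home countries
}

def evaluate(profile: MerchantProfile, m: MonthlyAggregate) -> list:
    """Return one alert record per breached rule; each record carries the observed
    value and the threshold so the investigation file explains itself."""
    alerts = []
    def check(rule: str, value: float):
        if value > RULES[rule]:
            alerts.append({"merchant_id": profile.merchant_id, "month": m.month,
                           "rule": rule, "value": round(value, 4), "threshold": RULES[rule]})
    check("volume_spike", m.volume / profile.projected_monthly_volume)
    if m.tx_count:  # rate-based rules are undefined for a month with no transactions
        check("chargeback_rate", m.chargebacks / m.tx_count)
        check("refund_rate", m.refunds / m.tx_count)
        avg_ticket = m.volume / m.tx_count
        check("ticket_drift", abs(avg_ticket - profile.projected_avg_ticket) / profile.projected_avg_ticket)
        foreign = sum(n for c, n in m.country_counts.items() if c not in profile.home_countries)
        check("foreign_share", foreign / m.tx_count)
    return alerts

# Constructed sample: onboarded as a 50,000/month, 50-average-ticket US/CA merchant.
PROFILE = MerchantProfile("M-0001", 50_000.0, 50.0, frozenset({"US", "CA"}))
QUIET_MONTH = MonthlyAggregate("2024-10", 52_000.0, 1_040, 5, 30, {"US": 950, "CA": 90})
DRIFT_MONTH = MonthlyAggregate("2024-11", 90_000.0, 1_000, 15, 40, {"US": 600, "CA": 50, "BR": 350})

if __name__ == "__main__":
    for month in (QUIET_MONTH, DRIFT_MONTH):
        print(month.month, [a["rule"] for a in evaluate(PROFILE, month)])
```

The quiet month produces no alerts while the drift month trips four rules at once, which is the kind of correlated pattern that should trigger re-underwriting rather than four separate tickets.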
Modern merchant risk requires correlating transaction data with web intelligence. Orchestrating these signals reveals inconsistencies invisible to isolated checks: catalog misalignment between website products and transaction amounts, language discrepancies between site content and customer geographic origins, multiple URLs linked to single entities, and virtual addresses contradicting actual transaction sources.
Ballerine's merchant risk platform helps compliance teams automate this orchestration, surfacing complex patterns requiring investigation while reducing false positives that slow operations.
High-risk merchants require periodic re-underwriting regardless of transaction alerts: review updated financial statements, rescreen against sanctions and adverse media, assess business model changes or ownership shifts, and validate compliance with enhanced monitoring requirements.
Re-underwriting frequency depends on risk profile. Very high-risk merchants may require quarterly reviews. Medium-risk merchants may be reviewed annually. Documentation of periodic reviews demonstrates ongoing oversight to schemes and regulators.
Event-driven reviews occur when external information surfaces: media reports of fraud or regulatory action, customer complaints indicating deceptive practices, scheme notifications of BRAM or VIRP concerns, and ownership changes requiring new beneficial owner screening.
Compliance teams must have procedures for receiving and escalating adverse information. Delays responding to scheme notifications or media reports create regulatory findings and damage acquirer-scheme relationships.
Card schemes periodically audit acquirer underwriting programs. Audit requests require documentation packages: underwriting policies and procedures, sample merchant files with complete decision rationale, screening records and verification evidence, high-risk merchant approvals with enhanced controls, and remediation plans addressing prior findings.
Compliance teams must maintain audit-ready documentation. Scrambling to assemble records during audits creates negative impressions and increases finding risk.
Banking regulators review compliance programs during safety and soundness examinations. They assess: policy adequacy for portfolio risk, documentation completeness and consistency, screening effectiveness and coverage, and management oversight and governance.
Examination findings require written responses and remediation plans. Compliance teams must demonstrate corrective actions, enhanced controls, and sustained improvements. Repeated findings on similar issues escalate regulatory concern.
Significant incidents require prompt notification to schemes and regulators: merchant fraud impacting cardholders, scheme rule violations or BRAM/VIRP findings, data breaches or security incidents, and compliance failures identified through internal reviews.
Incident reports must be accurate, complete, and timely. They demonstrate transparency and commitment to resolution. Concealing incidents or delayed reporting severely damages relationships and increases penalties.
Compliance programs require collaboration across risk, operations, technology, and legal teams. Alignment ensures: policies reflect operational reality, technology platforms support evidence capture, risk teams understand compliance obligations, and legal counsel reviews policy changes.
Siloed functions create gaps where compliance obligations fall through the cracks. Regular cross-functional meetings maintain alignment as requirements evolve.
For banking institutions and fintech companies, integrating compliance into underwriting workflows from the start prevents costly retrofitting when audits or exams reveal deficiencies.
Compliance-ready underwriting requires technology that: captures structured evidence for all verification steps, maintains audit trails of approvals and decision rationale, integrates sanctions and adverse media screening, generates reports for scheme audits and regulatory exams, and supports continuous monitoring and triggered reviews.
Manual processes create documentation gaps and inconsistency. Investing in proper underwriting platforms reduces compliance risk and operational burden.
Underwriters need training on: current policies and approval criteria, sanctions screening procedures and false positive management, scheme requirements including BRAM and VIRP, documentation standards and audit expectations, and escalation procedures for complex cases.
Quality assurance reviews sample merchant files to ensure: policy compliance and consistent application, documentation completeness, appropriate decision rationale, and timely response to monitoring alerts.
Regular training and QA maintain program quality as staff changes and requirements evolve. Organizations should assess whether their risk management capabilities keep pace with portfolio growth and threat evolution.
Merchant underwriting compliance requires documented policies, robust governance, and comprehensive audit trails.
Compliance teams ensure programs meet card scheme standards, AML obligations, and supervisory expectations.
Core requirements include written policies with clear approval authorities, complete merchant documentation and screening evidence, risk assessment and decision rationale, ongoing monitoring records, and structured escalation procedures.
Effective programs balance regulatory adherence with operational efficiency using technology to capture evidence and ensure consistency. Organizations that integrate compliance into underwriting from the start avoid costly remediation when audits reveal deficiencies.