Related Questions
.png)
Payment facilitator (PayFac) partnerships offer acquirers and payment platforms rapid merchant volume growth and simplified operations. But these relationships introduce distinct risk: when a PayFac partner lacks genuine sub-merchant control, the acquirer or platform inherits liability for fraud, chargebacks, and regulatory violations across hundreds or thousands of merchants it has never directly underwritten.
Unlike traditional merchant relationships where you underwrite each business individually, PayFac partnerships require evaluation of whether your partner maintains adequate oversight of its entire sub-merchant portfolio. This is not a technology verification exercise. It is a controls audit to determine whether the PayFac exercises actual authority over who processes through its infrastructure, how transactions are monitored, and when problematic merchants are removed.
The stakes are immediate: Acquirers remain liable under card network rules for all transactions processed through their PayFac partners, regardless of contractual indemnification. A PayFac with weak controls creates exposure to network fines, elevated chargeback rates, and regulatory scrutiny that flows back to the sponsoring bank or processor.
Visa Acquirer Monitoring Program (VAMP) and Mastercard Excessive Chargeback Merchant (ECM) programs now scrutinize not just individual merchants but entire facilitator portfolios. Acquirers face penalties when PayFac partners fail to control sub-merchant activity.
Card networks increasingly require evidence that PayFacs maintain actual control systems, not just contractual representations of control authority.
Federal regulations including the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) requirements apply through the entire payment chain. When PayFac partners fail to implement adequate know-your-customer (KYC) or transaction monitoring programs, regulatory exposure extends to the acquiring bank.
Office of the Comptroller of the Currency (OCC) examination guidance explicitly requires banks to assess the risk management capabilities of third-party payment processors and facilitators before establishing relationships.
A PayFac processing $50 million monthly across 500 sub-merchants with a 1.2% chargeback rate creates $600,000 in monthly chargeback exposure. If the PayFac maintains insufficient reserves or settles funds immediately to sub-merchants, this liability transfers directly to the acquirer when chargebacks materialize weeks or months later.
Traditional underwriting captures individual merchant risk. PayFac assessment requires understanding portfolio-level risk concentration and control effectiveness across diverse merchant types.
Read the complete assessment framework →
Verification breaks down into five critical control areas:
PayFacs must demonstrate actual decisioning capability, not just application intake. This means documented rejection criteria applied consistently, evidence of declined applications with reasons, internal risk teams making approval decisions, and verification procedures executed before merchant activation.
Red flags include instant approval with no verification, rejection rates below 5% across all merchant types, approval authority delegated to external platforms, and inability to provide examples of declined applications.
The distinction between acceptable and inadequate underwriting is whether the PayFac applies risk-based standards that result in measurable merchant rejections.
Real-time or near real-time visibility into sub-merchant transaction activity is required. PayFacs must maintain monitoring infrastructure that generates alerts for velocity anomalies, unusual patterns, and policy violations at the individual sub-merchant level.
Required capabilities include transaction limits enforced automatically, documented alert thresholds that trigger investigations, evidence of alerts acted upon (not just configured), and examples of sub-merchants suspended or limited due to monitoring flags.
Weekly or monthly transaction review indicates the PayFac lacks monitoring infrastructure. By the time patterns are detected through batch analysis, fraud or abuse has already accumulated significant exposure.
Financial control demonstrates risk management. We see that PayFacs exercising genuine oversight maintain risk-based settlement terms where new sub-merchants receive delayed settlement (T+7 or longer), elevated-risk categories face rolling reserve requirements, and the PayFac retains authority to hold funds when risk is detected.
Critical assessment points include whether settlement terms vary based on risk profile, reserves are actually held and calculated based on portfolio exposure, the PayFac can delay disbursement without sub-merchant consent, and settlement anomalies trigger review.
Immediate settlement with no reserves across all sub-merchants indicates the PayFac is not managing financial risk regardless of contractual liability provisions.
Card network liability ultimately rests with acquirers, but effective PayFacs manage disputes on behalf of their portfolio. This includes handling representments to issuers, monitoring chargeback rates by sub-merchant against network thresholds, and intervening when merchants generate excessive disputes.
Verification requires evidence the PayFac tracks chargeback rates at sub-merchant level, alert thresholds exist and generate action when exceeded, examples of sub-merchants terminated due to chargeback issues, and portfolio chargeback rate remains within network compliance ranges.
If the PayFac passes all chargeback liability immediately to sub-merchants with no management layer, it is not exercising control.
Control without enforcement is theoretical. PayFacs must demonstrate they actually remove problematic sub-merchants, not just retain contractual termination rights.
Essential evidence includes statistics on sub-merchants terminated in the past 12 months with breakdown by reason (chargebacks, fraud, policy violations), examples of enforcement actions before network penalties, documented escalation process from warning to suspension to termination, and unilateral termination authority without external approval requirements.
We see that compliant PayFacs typically terminate 2-10% of their portfolio annually depending on risk profile. Zero terminations indicates either extremely selective onboarding (unlikely with high merchant counts) or lack of enforcement.
Read the complete assessment framework →
Institutions that implement systematic PayFac assessment gain:
Network compliance confidence
Clear evidence your PayFac partners maintain controls that satisfy card network oversight requirements, reducing examination findings and penalty risk.
Risk concentration visibility
Understanding which PayFac partners operate with adequate reserves, monitoring, and enforcement versus those creating unmitigated exposure across large merchant portfolios.
Regulatory defensibility
Documentation demonstrating assessment of third-party controls before establishing processing relationships, satisfying OCC and Federal Reserve examination expectations for third-party risk management.
Informed reserve and exposure decisions
Calculation of appropriate reserves or holdback levels based on actual PayFac control effectiveness, not contractual representations.
Early warning capability
Detection of control degradation at PayFac partners before it manifests as elevated chargebacks, network violations, or fraud losses.
Our detailed framework walks through operational verification for each control area with specific documentation requests, testing protocols, and red flag thresholds.
The fundamental question is whether your PayFac partner has systems that would detect fraud or excessive chargebacks in real time, staff who investigate alerts and apply remediation, and authority plus enforcement history proving they terminate problematic merchants.
Answering this requires requesting operational data: sub-merchant rejection rates, alert generation statistics, examples of terminated merchants with reasons, settlement tier distribution across the portfolio, and chargeback rate monitoring records.
Contracts describe control rights. Operational evidence proves control is exercised.
Ballerine provides infrastructure to make PayFac partner assessment and ongoing monitoring scalable. Our platform automates verification of underwriting processes by detecting whether sub-merchants are approved instantly or after verification steps, analyzes transaction patterns to identify anomalies the PayFac should have detected, and maintains continuous monitoring to verify controls remain effective post-onboarding.
The framework described in this guide enables risk and compliance teams to conduct initial assessments by asking the right operational questions and interpreting responses against evidence-based control standards. For ongoing monitoring at scale, our merchant monitoring and partner oversight solutions provide continuous visibility into PayFac partner portfolios, detecting control lapses before they result in losses or network violations.
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.png)
.png)
