A risk-based approach is a compliance and risk management methodology where payment service providers allocate resources and apply controls proportional to the level of risk presented by a merchant, transaction, or counterparty. Rather than applying uniform checks across all merchants, organizations tier their due diligence, monitoring intensity, and review frequency based on quantifiable risk factors including industry vertical, transaction patterns, geographic exposure, ownership structure, and historical compliance behavior.
Implementing a risk-based approach presents several structural challenges for acquirers and payment facilitators (PayFacs), addressed in turn below:
Establish three to five risk tiers (e.g., Low, Moderate, High, Prohibited) with documented thresholds for each. Low-risk merchants might include established domestic businesses in non-restricted MCCs with transaction volumes below defined limits, verified business registration, and clean background checks on Ultimate Beneficial Owners (UBOs). High-risk merchants typically operate in industries such as online gambling, forex trading, nutraceuticals, or adult content, involve cross-border transactions, or present sanctions screening hits or adverse media findings. Document the specific factors (e.g., "monthly transaction volume exceeds $500,000" or "UBO has prior regulatory enforcement action") that drive tier assignment to create defensible audit trails.
Map due diligence requirements, verification depth, and monitoring cadence to each risk tier. For low-risk merchants, automated Know Your Business (KYB) checks including business registry verification, basic UBO screening, and website review may suffice for onboarding. Moderate-risk merchants require enhanced documentation such as bank statements, supplier contracts, and detailed business model explanations. High-risk merchants warrant comprehensive due diligence including multi-source UBO background checks, proof of regulatory licenses, site visits or video verification, and documented evidence of legitimate business operations. Transaction monitoring sensitivity should increase with risk tier—high-risk merchants require real-time anomaly detection while low-risk accounts may use batch review processes.
Manual risk classification does not scale. Deploy workflow automation that ingests structured data (business registration details, transaction history, sanctions lists, adverse media feeds) and assigns preliminary risk scores based on your documented criteria. We recommend rule-based scoring for transparent tier assignment (e.g., "if MCC = 7995 AND monthly volume > $100K AND cross-border transactions > 30%, then tier = High") combined with machine learning models to detect behavioral anomalies that suggest risk profile changes. Ensure the system surfaces the specific factors driving each risk decision to support analyst review and regulatory examination.
Create clear ownership for risk decisions at each tier. Low-risk merchants may receive automated approval with spot-check audits. Moderate-risk cases require analyst review but can proceed with standard documentation. High-risk merchants need senior risk officer approval and may require committee review for acceptance. Document rejection rationales with specific references to policy violations or unresolved risk factors (e.g., "rejected due to UBO match on OFAC sanctions list" rather than vague "compliance concerns"). Build escalation paths for edge cases where the risk tier is ambiguous or where analysts disagree with automated scoring.
Risk-based models require ongoing validation. Quarterly reviews should examine whether risk tier assignments correlate with actual loss events, regulatory findings, or chargebacks. If a substantial portion of fraud or compliance breaches originates from merchants classified as low or moderate-risk, the model requires recalibration. Similarly, if high-risk merchants consistently perform without incident, the criteria may be overly conservative and create unnecessary friction. Maintain version control of risk policies to demonstrate supervisory oversight and model evolution during regulatory examinations.
A properly implemented risk-based approach generates three organizational benefits:
Regulatory alignment: FATF Recommendation 1 explicitly requires financial institutions to identify, assess, and understand money laundering and terrorist financing risks, then take measures commensurate with those risks. Card schemes including Mastercard (through the Mastercard Merchant Monitoring Program) and Visa impose risk-based requirements for acquirers managing high-brand-risk merchants. Demonstrating a documented, consistently applied risk-based framework is foundational to passing regulatory examinations and scheme audits.
Operational efficiency: Resource allocation follows risk concentration. Teams spend investigative capacity on the subset of merchants that present actual exposure rather than applying identical review effort across the entire portfolio. We usually advise teams to target 80% of due diligence hours toward the 20% of merchants that represent elevated risk, enabling faster onboarding for low-risk applicants while maintaining control density where it matters.
Portfolio quality and merchant experience: Low-risk merchants experience streamlined merchant onboarding with reduced documentation burdens and faster time-to-activation, improving conversion rates. High-risk merchants receive appropriate scrutiny, reducing the likelihood of accepting businesses that later generate fraud losses, regulatory actions, or reputational damage. This segmentation supports sustainable growth by balancing acceptance rates against portfolio risk.
Consider an acquirer onboarding three merchant applications in a single day:
Merchant A: A domestic software-as-a-service company incorporated five years ago, selling productivity tools to small businesses. Monthly processing volume is $80,000, all domestic transactions. UBO background checks return no adverse findings. The website displays clear refund policies and customer support contact information. The acquirer's risk model assigns this merchant to the Low tier, triggering automated KYB checks, basic sanctions screening, and website verification. The merchant is approved within 24 hours with standard transaction monitoring thresholds.
Merchant B: An e-commerce business selling dietary supplements, incorporated two years ago. The business processes $300,000 monthly with 40% of transactions originating from international customers. The product category (nutraceuticals) carries elevated chargeback risk and regulatory complexity across jurisdictions. The acquirer's system flags this as Moderate risk, requiring enhanced due diligence including submission of supplier agreements, inventory documentation, and regulatory compliance attestations. An analyst reviews the application, verifies the documentation, and approves the merchant with tighter transaction monitoring parameters including velocity limits and hold schedules.
Merchant C: An online casino operator incorporated in an offshore jurisdiction, processing $2 million monthly. The UBO screening identifies a prior regulatory enforcement action from a gaming authority in another country. The merchant operates in a Prohibited or High-risk category depending on the acquirer's risk appetite. The application escalates to a senior risk committee, which requests a detailed compliance program review, proof of valid gaming licenses, and evidence of anti-money-laundering controls. Approval requires sign-off from the Chief Risk Officer and may include enhanced reserve requirements or processing limits.
This segmentation allows the acquirer to process Merchant A efficiently, apply appropriate controls to Merchant B, and make an informed, documented decision about whether to accept Merchant C based on the institution's risk tolerance and compliance capabilities.
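The tiering, factor documentation, rule-based scoring and ownership steps above, applied to Merchants A, B and C, as an added Python example (not Ballerine's code or the page's own): each rule carries the documented factor text that fired, so the returned record is the defensible audit trail the page calls for. The MCCs, the elevated-vertical set, the Moderate-tier thresholds and Merchant C's cross-border share are assumptions; only the MCC 7995 rule is taken from the page.

```python
from dataclasses import dataclass

TIERS = ["Low", "Moderate", "High", "Prohibited"]   # ordered least to most severe
ELEVATED_VERTICALS = {"nutraceuticals", "forex", "adult"}  # assumed Moderate-floor set

@dataclass
class Merchant:
    name: str
    mcc: int                      # card-scheme merchant category code
    vertical: str
    monthly_volume_usd: int
    cross_border_pct: int         # share of transactions from foreign cardholders
    ubo_enforcement_action: bool  # prior regulatory action against a UBO
    sanctions_hit: bool           # UBO matched a sanctions list

# Each rule: (tier floor it imposes, documented factor text, predicate).
# All thresholds except the page's MCC 7995 rule are constructed for this example.
RULES = [
    ("Prohibited", "UBO match on sanctions list", lambda m: m.sanctions_hit),
    ("High", "UBO has prior regulatory enforcement action", lambda m: m.ubo_enforcement_action),
    ("High", "MCC = 7995 AND monthly volume > $100K AND cross-border > 30%",
     lambda m: m.mcc == 7995 and m.monthly_volume_usd > 100_000 and m.cross_border_pct > 30),
    ("Moderate", "monthly transaction volume exceeds $500,000", lambda m: m.monthly_volume_usd > 500_000),
    ("Moderate", "elevated-risk vertical", lambda m: m.vertical in ELEVATED_VERTICALS),
    ("Moderate", "cross-border transactions > 30%", lambda m: m.cross_border_pct > 30),
]

ROUTING = {  # decision ownership per tier, as described above
    "Low": "automated approval with spot-check audit",
    "Moderate": "analyst review with enhanced documentation",
    "High": "senior risk officer approval, committee review if required",
    "Prohibited": "reject; record the specific policy reference",
}

def assign_tier(m: Merchant) -> dict:
    """Tier = most severe floor among fired rules; every fired factor is kept as the audit trail."""
    fired = [(tier, factor) for tier, factor, pred in RULES if pred(m)]
    tier = max((t for t, _ in fired), key=TIERS.index, default="Low")
    factors = [f"{factor} -> {t}" for t, factor in fired] or ["no elevated-risk factor matched"]
    return {"merchant": m.name, "tier": tier, "factors": factors, "route": ROUTING[tier]}

# Constructed inputs modelled on Merchants A, B and C (MCCs and C's cross-border share assumed).
APPLICATIONS = [
    Merchant("A", 5734, "saas", 80_000, 0, False, False),
    Merchant("B", 5499, "nutraceuticals", 300_000, 40, False, False),
    Merchant("C", 7995, "gambling", 2_000_000, 100, True, False),
]

if __name__ == "__main__":
    for app in APPLICATIONS:
        print(assign_tier(app))
```

Merchant C's record lists both High-tier factors and both Moderate-tier factors that fired, which is what an analyst or examiner needs to see when reviewing or overriding the automated tier.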
Ballerine provides a merchant risk management platform designed to automate and standardize risk-based decisioning for acquirers, PayFacs, and banking institutions. The platform ingests merchant data from onboarding applications, runs multi-source verification checks including business registry lookups, UBO screening, website analysis, and adverse media monitoring, and then assigns risk scores based on configurable rule sets that reflect your institution's risk appetite and regulatory requirements.
Ballerine's merchant underwriting workflows enable teams to define custom risk tiers with specific due diligence requirements for each tier, then automatically route cases to the appropriate review queue based on calculated risk scores. The system maintains audit logs showing which data points contributed to each risk decision, supporting regulatory examination requirements for defensible, documented risk-based controls. For ongoing merchant monitoring, Ballerine continuously evaluates transaction patterns, ownership changes, and external risk signals to detect merchants whose risk profile has shifted, triggering re-review workflows when warranted.