
Suspicious Merchant Activity

Suspicious merchant activity refers to transaction patterns, operational behaviors, or business characteristics that deviate from expected norms and may indicate fraud, money laundering, regulatory violations, or other financial crimes. These activities require investigation by risk teams to determine whether the deviations represent benign anomalies or genuine threats.

Why This Matters: The Dual Challenge of Detection and Precision

Identifying suspicious merchant activity presents two competing risks:

Under-detection: Missing genuine fraud exposes acquirers, payment facilitators (PayFacs), and marketplaces to financial loss, regulatory penalties, and reputational damage. Card schemes impose fines for excessive fraud rates. Regulators can revoke licenses for failing to detect money laundering or sanctions violations.

Over-detection (false positives): Flagging legitimate merchants as suspicious creates friction, delays onboarding, and can drive good business elsewhere. We see risk teams spend 40-60% of their time investigating false positives, reducing capacity for genuine threat response.

The difficulty lies in distinguishing between legitimate business volatility (seasonal spikes, marketing campaigns, expansion into new markets) and patterns that genuinely warrant concern. A merchant processing 10x their normal volume could be running a successful promotion or testing stolen cards at scale.

How to Identify and Manage Suspicious Merchant Activity

We recommend a layered approach combining automated detection with human judgment:

1. Establish baseline behavior profiles

Document normal transaction patterns for each merchant: average transaction value, daily volume, geographic distribution, transaction times, refund rates, and chargeback ratios. Deviations become measurable against these baselines rather than arbitrary thresholds.

For new merchants without history, use industry benchmarks and peer cohorts. A restaurant processing $50,000 in jewelry sales should trigger review even without a prior baseline.

2. Monitor for specific risk indicators

We look for evidence such as:

  • Velocity anomalies: Sudden increases in transaction volume (3x-5x baseline) without corresponding business explanation

  • Card testing patterns: High decline rates (>15-20%) followed by successful transactions, particularly with sequential card numbers or similar BINs (Bank Identification Numbers)

  • Geographic inconsistencies: Transactions from locations inconsistent with stated business model (a local bakery processing payments from 15 countries)

  • Structured transactions: Multiple transactions just below reporting thresholds ($9,500-$9,900 when the threshold is $10,000)

  • Timing irregularities: High-value transactions during unusual hours (2-4 AM for retail businesses)

  • Refund abuse: Refund rates exceeding 10-15% or patterns suggesting money laundering through refunds to different cards

3. Implement tiered response protocols

Not all flags require the same response. We usually advise teams to establish:

  • Low-risk flags: Automated review with no merchant disruption (monitoring continues)

  • Medium-risk flags: Manual review within 24-48 hours; may trigger requests for documentation

  • High-risk flags: Immediate holds on settlements, contact merchant for explanation, escalate to compliance team

This prevents the extremes of ignoring signals or disrupting every merchant with a minor anomaly.

4. Conduct contextual investigations

When reviewing flagged activity, risk teams should:

  • Review merchant website and social media presence for consistency with stated business
  • Check for recent changes in business model, ownership, or processing patterns
  • Verify the merchant operates the claimed business (not a shell or front)
  • Cross-reference against sanctions lists, PEP (Politically Exposed Persons) databases, and adverse media
  • Request supporting documentation (invoices, shipping records, customer communications)
  • Map the full ecosystem of related entities, domains, and Ultimate Beneficial Owners (UBOs) as outlined in Ballerine's merchant underwriting framework

5. Document decisions and maintain audit trails

Regulators expect documentation showing what was reviewed, what factors influenced the decision, and who approved continuing or terminating the merchant relationship. This protects against enforcement actions and demonstrates a functioning compliance program.
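Steps 1 to 3 above can be sketched as code. This is an added example, not Ballerine's code: it scores one merchant's review window against a baseline using the lower bounds quoted in step 2 and returns the observed values so they can go into the case record. The `Txn` shape, the count-based tier mapping, the "3 or more" structuring cut-off and the sample data are assumptions. Geographic and timing checks are left out because the text gives no numeric cut-off for them.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    amount: float
    status: str    # "approved", "declined" or "refund", listed in time order

# Lower bounds of the ranges quoted in step 2; tune per portfolio.
VELOCITY_X, DECLINE_RATE, REFUND_RATE = 3.0, 0.15, 0.10
STRUCT_LOW, STRUCT_HIGH = 9_500, 9_900   # just under a $10,000 threshold
MIN_STRUCTURED = 3                       # assumed: "multiple" means 3 or more

def indicators(baseline_daily, txns, days):
    """Return {indicator: observed value} for one merchant's review window."""
    ok = [t for t in txns if t.status == "approved"]
    hits = {}
    if not ok or baseline_daily <= 0:
        return hits    # nothing to score; new merchants need a peer-cohort baseline
    ratio = sum(t.amount for t in ok) / days / baseline_daily
    if ratio >= VELOCITY_X:
        hits["velocity"] = round(ratio, 1)
    statuses = [t.status for t in txns]
    declines = statuses.count("declined")
    decline_rate = declines / (declines + len(ok))
    # Card testing: a high decline rate with approvals after the first decline.
    if decline_rate > DECLINE_RATE and "approved" in statuses[statuses.index("declined"):]:
        hits["card_testing"] = round(decline_rate, 2)
    structured = sum(STRUCT_LOW <= t.amount <= STRUCT_HIGH for t in ok)
    if structured >= MIN_STRUCTURED:
        hits["structuring"] = structured
    refund_rate = statuses.count("refund") / len(ok)   # assumed: rate by count
    if refund_rate > REFUND_RATE:
        hits["refunds"] = round(refund_rate, 2)
    return hits

def tier(hits):
    """Assumed mapping from indicator count to the response tiers of step 3."""
    return ("none", "low", "medium")[len(hits)] if len(hits) < 3 else "high"

# Constructed sample windows (one day each) against a $1,000/day baseline.
PROMO = [Txn(100, "approved")] * 40
TESTING = [Txn(1, "declined")] * 30 + [Txn(900, "approved")] * 5
LAYERED = TESTING + [Txn(9_700, "approved")] * 3 + [Txn(900, "refund")] * 2

if __name__ == "__main__":
    for name, txns in [("promo", PROMO), ("testing", TESTING), ("layered", LAYERED)]:
        hits = indicators(1_000, txns, days=1)
        print(name, tier(hits), hits)
```

The promotion-style window trips only the velocity check and lands in the low tier, which is the case the text says should not disrupt the merchant.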

Real-World Scenario: Volume Spike Investigation

A small electronics retailer averaging $40,000 in monthly processing suddenly records $380,000 over five days.

The transactions show:

  • 200+ transactions averaging $1,800 each
  • Cards from 15 different countries
  • 60% of transactions between 11 PM and 4 AM
  • Shipping addresses span 40 different cities

Initial assessment: High-risk pattern consistent with stolen card monetization.

Investigation steps:

  1. Contact merchant: They claim a viral social media post drove international demand for a rare gaming console
  2. Review online presence: Website traffic analytics confirm a 50x traffic spike from gaming forums
  3. Examine transaction details: Multiple transactions to the same shipping addresses (resellers), which explains the pattern
  4. Request documentation: Merchant provides shipping manifests and customer email confirmations
  5. Verify inventory: Merchant sources product from authorized distributor (verified via supplier invoice)

Outcome: False positive. The pattern was legitimate but required human judgment to distinguish from fraud. The risk team adjusted the merchant's baseline profile and added context notes to prevent repeated flags.

Alternative outcome scenario: If the merchant could not provide documentation, the website appeared hastily constructed, or the products shipped to freight forwarders known for money laundering, the team would file a Suspicious Activity Report (SAR) and potentially terminate the relationship.

The Ecosystem View: Mapping Related Entities

Suspicious activity often extends beyond a single merchant account.

Risk teams must map:

  • Other domains or storefronts operated by the same UBOs or principals
  • Shared infrastructure (IP addresses, payment gateway configurations, customer service contacts)
  • Related corporate entities in the ownership chain
  • Historical processing relationships (previous acquirer terminations)

This ecosystem mapping, a core component of Ballerine's merchant monitoring capabilities, reveals patterns invisible at the individual merchant level. Three seemingly unrelated merchants processing electronics, jewelry, and luxury goods may share the same UBO and collectively exhibit money laundering typologies.
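The following added example (not Ballerine's implementation) shows how such a mapping can be computed. It groups merchants that share a UBO or an IP address, directly or through a chain of other merchants, and keeps the shared attributes as evidence. The record layout, merchant ids, UBO ids and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records; ids, UBO names and addresses are hypothetical.
MERCHANTS = [
    {"id": "electronics", "ubo": {"ubo-17"}, "ip": {"203.0.113.10"}},
    {"id": "jewelry",     "ubo": {"ubo-17"}, "ip": {"203.0.113.25"}},
    {"id": "luxury",      "ubo": {"ubo-42"}, "ip": {"203.0.113.25"}},
    {"id": "bakery",      "ubo": {"ubo-90"}, "ip": {"198.51.100.7"}},
]

def related_groups(merchants, kinds=("ubo", "ip")):
    """Group merchants linked, directly or transitively, by a shared attribute.

    Returns a list of (sorted merchant ids, sorted shared (kind, value) pairs).
    """
    parent = {m["id"]: m["id"] for m in merchants}

    def find(x):                       # union-find root with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen, shared = {}, set()
    for m in merchants:
        for kind in kinds:
            for value in m.get(kind, ()):
                key = (kind, value)
                if key in first_seen:  # attribute already used by another merchant
                    parent[find(m["id"])] = find(first_seen[key])
                    shared.add(key)
                else:
                    first_seen[key] = m["id"]

    members, evidence = defaultdict(list), defaultdict(list)
    for mid in parent:
        members[find(mid)].append(mid)
    for key in shared:
        evidence[find(first_seen[key])].append(key)
    return [(sorted(ids), sorted(evidence[root]))
            for root, ids in members.items() if len(ids) > 1]

if __name__ == "__main__":
    for ids, why in related_groups(MERCHANTS):
        print(ids, "linked by", why)
```

In the sample, the luxury merchant has a different UBO from the other two and is pulled into the group only through the IP address it shares with the jewelry merchant.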

Regulatory and Scheme Obligations

Acquirers and PayFacs face specific requirements:

Bank Secrecy Act (BSA) and Anti-Money Laundering (AML): U.S. financial institutions must file SARs within 30 days of detecting suspicious activity involving $5,000 or more. The threshold is $2,000 for money services businesses. Failure to file carries civil and criminal penalties.

Card scheme rules: Visa and Mastercard impose merchant monitoring obligations under programs like the Visa Integrity Risk Program (VIRP) and Mastercard Merchant Monitoring Program Standards (MMSP). Acquirers exceeding fraud thresholds face fines, audits, or loss of processing rights. Ballerine's platform supports MMSP compliance workflows.

OFAC and sanctions screening: All merchants must be screened against Office of Foreign Assets Control (OFAC) lists at onboarding and monitored for changes. Processing payments for sanctioned individuals or entities creates strict liability exposure.

Ballerine's Approach to Merchant Risk Management

Ballerine provides risk and compliance teams with tools to detect, investigate, and document suspicious merchant activity at scale.

The platform combines:

  • Automated transaction monitoring with configurable risk rules
  • Business intelligence gathering (web scraping, corporate registry lookups, UBO mapping)
  • Case management workflows for investigation and escalation
  • Audit trail documentation for regulatory examinations

Rather than relying solely on transaction data, Ballerine incorporates merchant website analysis, social media verification, adverse media screening, and ecosystem mapping to provide context that distinguishes legitimate businesses from sophisticated fraud operations. This reduces false positives while improving detection of genuine threats.
