Ignorance may be bliss for some but not for ISO risk managers. ISOs that shoulder financial responsibility for their merchant accounts should gather as much information about their clients as they can, experts agree.
“Fraud wears many hats,” cautions Melissa Sutherland, senior vice president of risk and underwriting for CardReady International Inc., a Los Angeles-based ISO. That complexity keeps Sutherland and her staff working hard to achieve “intimate knowledge” of the company’s merchants to head off charge-backs.
ISOs that fail to amass such customer knowledge may find themselves on the hook for tens of thousands of dollars in bad debt, experts warn.
Smaller ISOs tend to avoid that fate by assigning risk to their processors in exchange for higher processing fees than they would pay otherwise, says Steve Citarella, senior vice president of credit and risk for First Data Corp., an Atlanta-based processor. “Smaller ISOs are sometimes content to sell the account and do the customer service,” he says.
Larger ISOs often choose to take on the risk themselves to lower their processing costs, Citarella says. The bigger ISOs “tend to be more full-service,” he notes.
“At some point when you get large enough it is cheaper to do it yourself, and some vendors have [products and services] that are cheaper” than the cost of building them internally, says Richard Parrott, director of risk at Litle &Co., a Lowell, Mass.-based ISO.
ISOs that take on risk typically build an in-house staff to deal with the complexity, says Deana Rich, president of Deana Rich Consulting Inc., a Los Angeles-based consultancy. Such staffs should hire a risk specialist for each 2,500 to 3,000 merchants in the portfolio, she says.
The risk those staffs encounter falls into two categories: fraud and credit, says Citarella. Fraud occurs when so-called “merchants” knowingly submit false transactions, and credit risk refers to merchants in financial trouble who no longer possess the financial wherewithal to cover charge-backs, he notes.
To guard against both types of fraud, ISOs should use underwriting to determine how a potential client operates the business. They also should perform due diligence by making sure prospective clients comply with the myriad laws, statutes, guidelines, rules and regulations generated by the card brands, and state and federal governments and agencies, observers agree.
A part of the underwriting task involves evaluating a merchant’s credit standing, says Parrott. ISOs should assess whether the merchant has the financial backing to cover potential problems, he says.
Risk Evaluation
If the merchant generates a heavy volume of transactions, an ISO may decide against signing the contract. “He may not have the ‘credit appetite’ to take it on,” says Parrott.
The evaluation also should include credit and background checks of the business owners and not just the business itself, observers say. Owners’ payment habits tend to carry over into their business lives, they say.
Regarding due diligence, ISOs should get to know the merchant’s reputation, which can help them avoid anything unseemly or illegal, such as gambling, X-rated entertainment or even money laundering, Parrott says.
Making sure the merchant is who he says is also is important, says Parrott. Several software tools are available to help, he notes.
Before the underwriting process begins, ISOs should create a written credit policy that states the kind businesses the it wants to take on as accounts and the types it would prefer to avoid, Citarella says.
High-risk merchants include those where time elapses between the sale and delivery of the goods or services, Citarella says. Examples range from airlines, which often take reservations weeks in advance, to furniture stores, which make a sale and then take up to several weeks to deliver, he says.
Low-risk categories include restaurants, where patrons receive the meal and then pay, usually before leaving the premises, Citarella says.
ISOs sometimes find themselves attracted to higher-risk merchants because such clients often pay higher fees, observers agree.
ISOs can examine their strengths and weaknesses to assess their capacity to handle higher-risk clients, suggests Citarella. If the ISO has not invested in automated systems to monitor merchants, it might do well to stick with lower-risk accounts, he says.
Whatever the level of risk, experts agree on one aspect of underwriting: Do not allow the sales agent to make the decision on whether to accept a merchant for card acceptance. Commission-driven sales agents would feel tempted to accept just about anyone willing to claim the title of merchant, they say.
“A sales rep may be happy to have a three-word description of the business,” says Rich, the risk consultant.
And sometimes an ISO’s top managers can make an error similar to those reps’ mistakes by ignoring the warnings of their own in-house risk-management experts, she says.
“When I see shops that have taken large losses, senior management has over-ridden an underwriter or risk manager. Let them do their jobs,” Rich says.
Navigating those underwriting pitfalls, however, is only the beginning. Once a merchant signs up, the work of monitoring transactions begins.
Monitoring to manage risk begins as soon as underwriting finishes, observers say.
First Data, for example, uses software that monitors every transaction by every merchant, kicking out anything unusual so it can receive human scrutiny, says Citarella.
The system chooses anomalies–anything unusual–based on rules First Data has set.
Risk assessors examine each transaction that the system finds unusual and pass them through for processing if everything checks out, Citarella says.
“False positives” occur when the system highlights valid transactions as possible problems, says Citarella. If a system singles out too many false positives, valuable staff time is wasted investigating them, he says.
Vendors offer software to help with parts of underwriting and monitoring, and some even offer full-service systems, Parrott says.
A huge influx of vendors has emerged in the past five years offering an array of software packages, and the trend appears likely to continue as risk increases and technology comes down in price, Parrott says.
When choosing software, Parrott recommends starting with an evaluation of the company’s long-term goals. “Not every risk system is for everybody,” he says.
Hiring a consultant to help evaluate vendors can help, Parrott says.
However, ISOs seldom turn over all of their risk-management duties to a third party, observers agree.
Indeed, besides the importance of knowing clients well for customer-relationship and risk management, cost plays a role in that decision.
An ISO would have to be large enough to afford third-party help, but that help would still have to produce a return on investment, says David Fish, senior analyst at Maynard, Mass.-based Mercator Advisory Group Inc.
In any case, deciding on software vendors could gain added importance, Parrott maintains. ISOs could feel pressure to tighten control of risk as the Durbin amendment squeezes banks’ revenues, he says. The amendment capped debit card interchange fees at about 24 cents, compared with today’s average of 44 cents per transaction.
Moreover, continued difficult economic times also could increase the incidence of fraud as the population becomes more desperate, Parrott says.
Even with those potential challenges, however, ISOs that know their customers well enough should prosper. ISO
