What is a high risk business? Merchant risk management explained
April 7, 2026
CEO
Payment service providers (PSPs) classify merchants as high risk for specific, assessable reasons. The classification reflects industry type, chargeback history, regulatory environment, and business model. It is not a fixed designation: it shifts as a merchant’s circumstances change.
For merchants in CBD, online trading, adult physical goods, and online dating, mismanaging risk can cost more than a fine. It can cost them their ability to process payments entirely.
This article breaks down how PSPs assess risk and how UK and EEA merchants can build a framework that satisfies acquirer expectations.
What is a high risk business?
A high risk business is one that a payment service provider assesses as having an elevated likelihood of chargebacks, friendly fraud, or regulatory non-compliance. The designation is not industry-wide or permanent. It reflects a PSP’s assessment of a specific merchant based on their product category, business model, processing history, and the regulatory environment in which they operate.
In the UK and EEA, merchants in sectors such as CBD, online trading, adult physical goods, and online dating are commonly assessed this way, not because they are inherently problematic but because these categories carry specific compliance obligations, higher average dispute rates, or stricter card scheme requirements that make the risk profile more complex to underwrite.
A well-run merchant in any of these sectors can present a lower risk profile than a poorly managed standard retailer. The designation is a starting point for assessment, not a verdict. The goal is not to avoid the designation but to understand and manage the specific risks behind it—which is what the rest of this article addresses.
The two components of risk: Likelihood and impact
Every risk assessment, whether conducted by a merchant or a PSP, reduces to two variables: how likely is an unwanted event to occur, and how damaging would it be if it did?
Likelihood is not fixed. A merchant with strong fraud controls, low dispute rates, and documented compliance procedures presents a different likelihood profile than one without, even in the same product category. PSPs weigh this when assessing onboarding applications and when reviewing accounts on an ongoing basis.
Impact is also business-specific. A chargeback ratio that is manageable for a high-volume merchant may be existential for a smaller one. A regulatory fine that is absorbed by a large operation may trigger a banking relationship review for a merchant with limited reserves.
Understanding both variables—and how they interact for your specific business—is the foundation of a risk assessment that is actually useful rather than a compliance formality.
How to manage risk in business: Three key questions
When approaching business risk management, you need to consider the following three questions:
- What is the bad thing that I don’t want to happen?
- What is the likelihood of it happening?
- What would the impact and implications be for my business?
Take a chargeback spike as an example. The risk is a sustained rise in disputed transactions. The likelihood depends on factors a merchant can measure: product category, fulfilment model, customer communication quality, and historical dispute rates.
The impact ranges from PSP-imposed reserves at the lower end to Visa VAMP or Mastercard ECP monitoring programme enrolment—and, if unresolved, account termination. Mapping likelihood against impact in this way is the basis of every meaningful risk assessment.
Financial risk and reputational risk: The two categories that matter
For UK and EEA merchants—whether operating in online trading, CBD retail, adult physical goods, or dating services—payment risk falls into two categories that PSPs assess independently: financial risk and reputational risk. Both carry direct consequences for a merchant’s ability to maintain a processing relationship—and in regulated markets, where card scheme monitoring and FCA oversight operate in parallel, both categories are tracked with more rigour than merchants often expect.
- Financial damage – loss of capital as a result of an event/incident, such as fraud, breaches of compliance (which can lead to regulators imposing fines), human error or an ongoing event (like the pandemic) that causes your business to close for a period of time.
- Reputational damage – something that creates a negative perception of your business for your key stakeholders (clients, customers, business partners, investors, regulators, your employees, or the industry). This will likely damage your company’s capital but in an indirect way.
Examples of reputational damage include:
- Negative publicity – perhaps an incident has caused your product to be deemed poor quality or unsafe, or your company to be perceived as immoral or unethical.
- A security breach that calls into question customer trust, data protection or the company’s intentions.
- Customer service/relations – perhaps an incident that causes customers to post bad reviews on sites and channels, calling out poor customer service or communications.
- An internal incident that causes the company’s employee care to be criticised or the business to be viewed as a bad place to work.
In the UK, FCA and PSR enforcement actions are published publicly—meaning a compliance breach or regulatory fine does not remain a financial matter. It becomes a matter of public record, triggering the reputational consequences outlined above and compounding the original financial impact.
How payment service providers assess merchant risk
Payment service providers look at a merchant’s offering and business type and analyse the elements of risk specific to that business and industry. From a financial risk management perspective, providers assess how likely the merchant is to incur chargebacks or fraudulent activity. They consider the following:
- What would be the likely rate of chargebacks?
- How often would there be any fraudulent activity to investigate?
- What would be the impact of this?
If a merchant’s chargeback rate exceeds the card scheme’s threshold, they can incur fines or be placed on a watch list, which can create reputational damage for both the merchant and the PSP.
Specialist and regulated industry merchants: payment risk considerations
Merchants operating in regulated or restricted categories face a more detailed onboarding and ongoing risk assessment than those in standard retail categories.
The reasons are specific and practical. Regulatory frameworks governing these industries—covering who can purchase, in which jurisdictions, under what conditions—create compliance obligations that extend to the payment service provider.
The obligations are concrete: an adult physical goods retailer must implement robust age verification; an online dating platform must meet FCA requirements for recurring billing and clear cancellation terms; a CBD merchant selling into the UK must comply with Novel Food regulations and MHRA guidance. If a merchant fails to meet these obligations and the PSP has not adequately assessed or monitored the relationship, both parties carry exposure.
The risk profile for these merchants is not inherently worse—it is more specific. Chargeback rates, fraud patterns, and regulatory scrutiny vary by vertical and by the individual merchant’s controls, not by category alone.
A well-run specialist merchant with strong fraud tooling and clear consumer communications can present a lower financial risk profile than a poorly managed standard retailer. PSPs that understand this distinction assess merchants on their actual controls and performance data rather than applying blanket category-level judgements.
Using data to inform your risk assessment
Effective risk assessment depends on data, not intuition. For UK and EEA merchants, the relevant sources are specific: Visa and Mastercard scheme documentation sets out chargeback and fraud thresholds; UK Finance publishes annual fraud data by sector; the FCA register documents enforcement actions that reveal how compliance failures have played out for comparable businesses.
Industry reports and acquirer data round out the picture. The more precisely a merchant can benchmark their own exposure against these sources, the more credible their risk assessment becomes—both internally and in the eyes of a PSP.
Best practices for carrying out a risk assessment
Make it personal
Your risk assessment should be based on your company’s specific characteristics, since the impact of an event varies between businesses and industries. For merchants operating under FCA-regulated payment relationships, this is not only a commercial consideration—card scheme thresholds and AML obligations under the Money Laundering Regulations 2017 set externally defined limits that must anchor the matrix regardless of how a merchant internally weighs the likelihood of breaching them.
The same risk carries different weight depending on the business. A chargeback rate that sits comfortably within scheme thresholds for a low-volume retailer may be operationally damaging for a high-volume subscription merchant processing the same ratio across a much larger transaction base. The likelihood of that risk materialising also varies: a merchant with robust pre-authorisation fraud tooling and clear cancellation terms faces a materially different exposure than one without, even in the same product category.
A CBD merchant’s risk profile is shaped by Novel Food compliance status and cross-border sales restrictions. An online dating platform’s profile is shaped by recurring billing dispute rates and cancellation term clarity. The variables are industry-specific—a risk assessment that does not reflect them is not fit for purpose.
Be thorough and organised
Put your risk assessment details in a chart. Using a chart makes it easier to organise and rationalise your thought process. Here are some simple steps:
- Create a table and populate it with your potential risks.
- Put a number beside your unwanted events (perhaps between 1 and 10) for the likelihood of them occurring.
- Add a column describing the impact of each event, then another column scoring the severity of that impact.
- In another column, multiply the two scores – this will be your overall risk score for each potential event.
- Rank them in importance, based on their scores.
This is one method; other approaches exist, from colour coding to formulas that incorporate additional factors, but this is the simplest way to document a risk assessment. The scoring system and chart-based approach make it easier to create a mitigation plan for each risk.
Managing payment risk as a UK or EEA merchant
Payment risk management is not optional for UK and EEA merchants. It is a condition of maintaining a processing relationship. Card scheme monitoring, FCA obligations, and acquirer due diligence operate continuously. Merchants who treat risk assessment as a one-time exercise are the ones who encounter account reviews or termination notices without warning.
Understanding the framework in this article closes the information gap that causes most risk management failures: merchants discovering a problem only after their PSP already has.
Fibonatix is an FCA-regulated payment service provider specialising in merchant accounts for businesses in regulated and specialist industries across the UK and EEA. Where most PSPs decline these merchants outright, Fibonatix structures processing relationships around the compliance and risk profiles specific to your industry.
Disclaimer: Fibonatix is a UK-based, FCA-regulated payment service provider (FRN 768776) specialising in merchant accounts for B2C businesses globally, but B2B exclusively to the UK and EEA. Verify our regulatory status on the FCA Financial Services Register.
FAQs
What is merchant risk management in payment processing?
Merchant risk management is the process of identifying, assessing, and mitigating the financial and reputational risks associated with accepting card payments. Payment service providers (PSPs) evaluate the likelihood that a merchant will generate chargebacks, attract fraud, or breach card scheme rules. Merchants need to understand how they will be assessed, what thresholds govern their account, and what controls they need to maintain their processing relationship.
How do payment service providers assess merchant risk?
PSPs assess merchants across two dimensions: financial exposure and reputational exposure. Financially, they examine industry type, transaction values, processing volumes, and chargeback history. Reputationally, they assess regulatory compliance, business model transparency, and whether the merchant’s category carries regulatory scrutiny that creates indirect PSP exposure. Assessment happens at onboarding and continues throughout the relationship.
What are the two main categories of payment risk for merchants?
Financial risk covers direct monetary losses—chargebacks, fraud, scheme fines, and regulatory penalties. Reputational risk covers damage to how customers, regulators, card schemes, and partners perceive a merchant, which affects the merchant’s ability to retain processing relationships and attract customers. The two interact: reputational damage generates financial consequences, and public regulatory penalties compound reputational damage.
What makes a business more difficult to onboard with a payment service provider in the UK?
Operating in a regulated category, using subscription billing, selling cross-border, or lacking a trading history all increase onboarding complexity. FCA-authorised PSPs must also conduct anti-money laundering checks under the Money Laundering Regulations 2017 regardless of merchant category. Merchants who cannot provide compliance documentation or demonstrate fraud controls face longer timelines or decline.
How do chargebacks affect a merchant’s standing with their PSP under UK card scheme rules?
Visa monitors chargeback ratios under the Visa Acquirer Monitoring Programme (VAMP). Mastercard operates the Excessive Chargeback Programme (ECP). Breaching scheme thresholds triggers monitoring, fines, and potential account termination. PSPs also conduct independent monitoring and may impose reserves or processing limits before scheme-level action occurs.
What is a risk assessment matrix and how should merchants use one?
A risk assessment matrix scores each identified risk across two dimensions: likelihood (how probable is the event) and impact (how damaging would it be). Each dimension is assigned a numeric value, typically on a 1–5 scale, and the two scores are multiplied to produce a composite risk rating. Risks are then ranked by that score to prioritise where mitigation effort should focus. In a payment context, the matrix should cover chargebacks, fraud, compliance breaches, and data security incidents.
For UK and EEA merchants operating under FCA-regulated payment relationships, card scheme thresholds and AML obligations under the Money Laundering Regulations 2017 set externally defined limits that belong in the matrix as fixed reference points. The matrix should be reviewed regularly, not completed once at setup.
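A worked version of this scoring, serving both the "Be thorough and organised" steps above and this answer, as an added example that is not Fibonatix's own code or tooling. Likelihood for scheme-anchored risks is derived from constructed processing data against assumed placeholder limits (not the real VAMP/ECP figures), so it cannot be set lower than the data supports; the remaining risks are scored by hand, and everything is ranked by likelihood × impact.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed illustrative limits: substitute the current Visa VAMP / Mastercard ECP
# figures from the scheme documentation. These are NOT the real thresholds.
SCHEME_LIMITS = {"chargeback_ratio": 0.009, "fraud_ratio": 0.0065}

@dataclass
class Risk:
    event: str
    likelihood: int                 # 1 (remote) to 5 (near certain)
    impact: int                     # 1 (negligible) to 5 (existential)
    anchor: Optional[str] = None    # key in SCHEME_LIMITS if externally anchored

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def likelihood_from_ratio(observed: float, limit: float) -> int:
    """Map an observed ratio to 1..5 by how close it sits to the external limit.
    At or above the limit scores 5: the scheme decides, not the merchant."""
    fraction = observed / limit
    for floor, score in [(1.0, 5), (0.75, 4), (0.5, 3), (0.25, 2)]:
        if fraction >= floor:
            return score
    return 1

def build_register(risks: list, observed: dict) -> list:
    """Apply external anchors, then rank by composite score (highest first)."""
    for r in risks:
        if r.anchor is not None:
            data_driven = likelihood_from_ratio(observed[r.anchor], SCHEME_LIMITS[r.anchor])
            # Internal judgement may raise the likelihood but never lower it below the data.
            r.likelihood = max(r.likelihood, data_driven)
    return sorted(risks, key=lambda r: r.score, reverse=True)

# Constructed month of processing data for a hypothetical CBD retailer.
TRANSACTIONS, DISPUTES, FRAUD_REPORTS = 12_000, 96, 20
OBSERVED = {
    "chargeback_ratio": DISPUTES / TRANSACTIONS,   # 0.8%, close to the assumed 0.9% limit
    "fraud_ratio": FRAUD_REPORTS / TRANSACTIONS,   # about 0.17%
}

def example_register() -> list:
    risks = [
        Risk("Chargeback ratio breaches scheme threshold", 1, 5, anchor="chargeback_ratio"),
        Risk("Fraud ratio breaches scheme threshold", 1, 4, anchor="fraud_ratio"),
        Risk("Novel Food compliance lapse (regulatory fine)", 2, 5),
        Risk("Customer data breach", 2, 4),
        Risk("Negative press on product quality", 3, 2),
    ]
    return build_register(risks, OBSERVED)

if __name__ == "__main__":
    for r in example_register():
        print(f"{r.score:>3}  L={r.likelihood} I={r.impact}  {r.event}")
```

The chargeback risk was entered with likelihood 1, but the observed ratio sits at 89% of the assumed limit, so the anchor raises it to 4 and it ranks first.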
How should merchants in specialist or regulated industries approach payment risk management?
Document and audit compliance obligations specific to your industry before approaching a PSP. Invest in fraud prevention tooling. Monitor chargeback ratios proactively rather than reactively. Maintain transparent communication with your PSP when issues arise—PSPs respond better to merchants who surface problems early than those who appear only after scheme thresholds are breached.
What is the difference between financial risk and reputational risk for a UK merchant?
Financial risk is direct and quantifiable: chargebacks, fraud, fines, and penalties. Reputational risk is indirect: damage to how customers, regulators, and banking partners perceive your business. Reputational incidents generate financial consequences over time through customer attrition and loss of processing relationships. For UK merchants in regulated industries, FCA enforcement actions are published publicly, making compliance failures a matter of permanent record.
How do FCA-regulated payment service providers manage risk differently from unregulated providers?
FCA-authorised PSPs must conduct AML due diligence under the Money Laundering Regulations 2017, maintain capital reserves under the Payment Services Regulations 2017, and report suspicious activity under POCA 2002. These are regulatory requirements, not discretionary practices. Unregulated providers apply no consistent, independently audited risk process. Merchants working with FCA-authorised PSPs also have access to Financial Ombudsman Service redress mechanisms unavailable through unregulated providers.