In the Payments space, you’ll hear certain merchants referred to as high-risk businesses. But what does high risk mean, what factors are at play and how do you know if your company will be considered a high-risk business? Fibonatix CEO Tal Miller outlines the key factors used to judge a merchant’s risk level and explains why businesses shouldn’t be classed as high risk at all, and why it’s more important to focus on the likelihood of certain risks, in certain contexts and their potential impact. Learn more in this article.
The insights in this blog are based on Episode 4 of our Pay Attention podcast. Listen via the player below or scroll down if you’d prefer to read the blog first…
What is a high-risk business?
Before we look at how a merchant’s risk level is assessed, let’s consider the concept of high risk and low risk. In a recent article, we outlined the fundamentals of business risk management and how to approach assessing and managing risks. But payment service providers (PSPs), aquirers, card schemes, and other institutions, also assess the risk level of your business model, product/service offering and industry and compliance considerations, analysing the likelihood of events that can cause financial and reputational damage and their potential impact.
We recorded a podcast on this topic: Understanding business risk management and risk assessment best practices here. After this podcast dropped, we had requests for a deep dive into high-risk business types, why a particular merchant might be classed as a high-risk business and how PSPs make these decisions. So, we’ve answered this call.
Why are some merchants considered a “high-risk” business?
At Fibonatix, we’re not keen on categorising businesses as high, medium or low risk. High and low risk are relative terms and what is high or low for one payment service provider might not be for another organisation or PSP. I prefer terms like “increased risk” or “higher risk”, rather than classifying a company as a low-risk or high-risk business.
However, to discuss how the payments industry classes merchants as higher-risk businesses, we’ll use this phrasing. So, let’s look at the main reasons for merchants being classed as high-risk or presenting a higher level of risk than other businesses.
The four main reasons a merchant can be classified as a high-risk business
- Business model – the nature of the business generates more risk exposure.
- The merchant’s reputation and standing – the strength or weakness of the merchant’s reputation, both within their industry and in the wider marketplace and public eye.
- Compliance or lack of compliance – level of infrastructure, procedures and support concerning payment regulation compliance, industry standards and regional restrictions, etc.
- Size and volume of the business – primarily the number of transactions per month.
Let’s explore each of these reasons in detail to explain which factors can influence business risk classification.
1. Business model
What is the merchant’s business model? Does the business sell products or services? Services are generally higher risk than products. For product-based businesses, digital products are typically deemed higher risk. This is largely down to a perception of data security concerns, plus there’s a grey area around the legality of certain practices within the digital space. Merchants selling digital goods are more likely to incur chargebacks or encounter fraudulent activity, as there is less stigma around it with digital products as opposed to the physical world.
The market in which products and services are offered is also a key factor for which merchants are classified as high-risk businesses. Some markets and regions are more prone to fraudulent activity than others. Rules can be less stringent in some areas, so activity is more prevalent. PSPs consider how diligent policing is in a particular market and region and how much protection merchants get from authorities. This information helps providers to understand a merchant’s level of risk exposure. Payment processors need to know if the products require any kind of regulations, licenses, etc, and if so, whether the merchant has these.
PSPs also want to understand the full picture of the sales model. Is it a straightforward sale of goods or a subscription service? Will there be repeat purchases over time? The straight sale is the baseline. If there is any modification to the model, it increases the risk. Cancellations, chargebacks, fraudulent activity and other issues are more likely than with a one-off purchase.
Here are the key considerations for PSPs around a merchant selling a product:
- Is the product legal?
- If it is legal, is it being sold in regions in which it is legal to sell this product?
- How is the merchant selling the product?
- Is it a trial or sample or the full product?
- Is it a subscription or recurring payment?
These elements can create heightened risks, which can be problematic for PSPs and merchants alike if not managed properly.
2. Merchant reputation
A merchant’s reputation has a lot of influence on payment service providers. Like other businesses, PSPs have stakeholders and stakeholder perceptions can change based on the merchants that providers are associated with.
Luckily for PSPs, the legitimacy and reputation of merchants are easier to evaluate in today’s digital age of information. An illegitimate or problematic business will find it difficult to hide this for long. Evidence will appear online, from negative reviews, publicity, exposés, etc. An excessive amount of negative press can significantly impact the perception of this business.
Here are some of the sources PSPs and merchants alike can use to gain reputational information:
Online search engines
You can do a general search of a company name or product or a more specific online search adding certain keywords related to issues, such as “scam”, “fine”, “fraud”, “complaints”, etc, along with the brand or product name.
Social media networks
Exploring social channels like Facebook, LinkedIn, Twitter, Instagram, Quora, YouTube, etc, is a great way to seek out customer interactions, engagements and reviews. Most companies have a presence on these channels, so responses about products, practices and customer service are a good indicator of a merchant’s reputation. Look for patterns. If comments are largely negative, this creates doubts and leads to higher exposure to risk because this reputation can lead to more people cancelling orders, charging back, etc. If brands are not on these channels, it’s a red flag. Are they trying to stay under the radar, avoid negative press and comments from customers?
Online complaints board/forums
Check out industry-specific forums and groups, plus channels like Reddit. You’ll likely find threads about common issues with merchants and specific brands, based on problems and experiences with customer service, products not arriving, defective goods, etc. This kind of online presence of negative customer discussions can affect the business reputation and lead to higher exposure to risk for merchants and PSPs.
Review sites like Trustpilot and Feefo or those specific to particular industries provide good intel. You can see average review scores or dive into qualitative data, and explore specific issues and experiences called out on these sites. The way companies respond to reviews and comments is also illuminating.
You can get access to records about a merchant’s transaction history from a previous PSP. The main value is identifying a merchant’s chargeback rate. How many chargebacks do they get every month? Does this align with expectations for the business type or industry? Is this number acceptable for the PSP? Providers have responsibilities to meet certain thresholds when it comes to chargebacks, fraud, etc. A merchant with a higher volume of chargebacks will typically be deemed higher risk than one with lower volume but it’s not as simple as the lower the better with chargebacks. Chargeback ratios need to meet expectations and make sense. If you’re a business with zero chargebacks in an industry where you’d expect to have a fair number of chargebacks, this would raise questions around whether the data is correct and even doctored.
Financial credit scoring
This will give you a good idea about the financial reputation of a particular company and should be taken into consideration.
3. Compliance level
How compliant is the merchant with rules and regulations? There are various things to investigate in relation to high-risk business types, and KYC due diligence and screening can identify issues, including sanctions, blacklists and adverse media, and more. Look out for:
- Direct warnings about working with the brand,
- Whether the company has been involved in some form of crime,
- The relevance of the crime, e.g. if it’s financial crime,
- PEPs (politically exposed person) – if anyone involved or connected to the company involved in political roles, where they could be exposed to bribes, money laundering, corruption, etc.
These considerations should be documented, assessed and evaluated by the PSP, as part of analysing a merchant’s risk level and whether they’re a company for whom they want to provide payment processing solutions.
PSPs need merchants to follow various payment rules and regulations, from the basics like having payment method logos displayed on websites and disclaimers to gathering certain documentation from customers. If merchants don’t meet compliance requirements, PSPs could be exposed to potential fines. Plus, it’s a sign that they are not strict in following regulations, which leads to distrust from service providers and presents a higher risk. The level of risk depends on the level of non-compliance, the severity and the intent. If it’s minor, it could be forgiven, if it’s something like not carrying out required age checks for products, this can lead to PSPs deciding that a merchant is too much of a high-risk business for a partnership.
4.Business size and volume
Here, we’re not talking about business size in terms of the number of employees but instead, the number and monetary amount of transactions made each month because any problem gets amplified according to the volume of activity.
If a PSP provides payment processing services for a merchant that processes £5000 of transactions per month and the merchant poses a higher risk than expected, the impact is relatively low because it’s a small amount of money. In some cases, the impact remains the same. If a merchant breaches compliance, the fine will likely be the same regardless of the volume. But other factors that can cause direct financial damage are dependent on the volume of transactions. If circumstances are the same but with a merchant processing £5m per month, the impact can be significantly higher and potentially damaging to the merchant and PSP alike. Higher volume merchants require greater monitoring. The higher the volume, the higher the exposure, therefore the higher risk.
Additional factors for merchants being classed as high-risk business types
There are additional factors that lead to merchants being seen as a high-risk business, such as involvement with cryptocurrency or other industries that divide opinion. In the early days of cryptocurrency, during a high-profile industry event with key risk experts from around Europe, I asked the following question to the audience: “How many people here provide payment services to crypto-related businesses?” Out of a room of around 600 people, there were just two hands in the air. When asking those with their hands down why they don’t work with companies involved with crypto, one professional gave this answer: “I don’t understand these types of businesses, I don’t know much about them, therefore I don’t accept their business.”
As humans, the unknown can cause fear. Risk managers by their nature tend to be risk-averse and want to eliminate risks entirely. And sometimes in their attempts to eliminate risk, they don’t entertain the unknown or aspects of payments they’re not comfortable with. Crypto still has a perception problem and many PSPs won’t work with crypto-related businesses. We’ve seen numerous instances of business being looked over simply because of a crypto element or an area of business the assessor doesn’t fully understand, despite the merchant ticking most boxes that would typically see them classed as low risk or standard risk.
For merchants in the crypto space or other lesser-understood markets, we recommend having all the resources available to prospective PSPs that might help you easily explain your business model. This can help certain fears and preconceptions to be overcome. Make sure your documentation is explainable for laymen and be ready for any potential questions about your business model that you might get asked. If it’s too complex, you’ll have an uphill struggle against a lack of understanding and stereotypes.
Listen to the podcast on this topic and explore other episodes from our Pay Attention podcast services: What Makes a Business a High(er)-Risk Business?
This article should give you a better understanding of the reasons a merchant is classed as a high-risk business or higher risk than others. As you’ve learned, there are lots of factors involved in judging risk levels and various considerations for both merchants and PSPs. If you’d like to learn more, get in touch with our payments experts or if you’re looking for a suitable PSP for your business, we recommend our blog on how to choose the right payment service provider, as it outlines the key questions to ask prospective providers.
Fibonatix is a global payments consultancy and a leading payment service provider. We offer customised payments solutions that contribute to powering and scaling businesses across the globe. We empower merchants with our expertise and offer effective payments processing tools that drive business growth. Our experts are ready to help you with risk management, compliance and regulation, and payment technology development and optimisation. Fibonatix is FCA regulated, headquartered in the UK, Germany, and Israel.