Merchant Audit: Initiation, Review Process and Consequences

Visa and MasterCard can initiate an audit of a merchant’s credit card processing account, whenever they have reasons to believe that the merchant may be a high-risk one or is processing invalid transactions. In particular, the following two reasons can be sufficient to trigger an audit:

• The processing bank may have reason to believe that the merchant is engaging in collusive or otherwise fraudulent or illegal activity.
• The processor determines that the merchant’s chargeback ratio or credits-to-sales ratio exceeds the standards set by Visa and MasterCard or its own standards, or both. We have discussed the Associations’ rules on excessive chargebacks in previous posts and encourage you to revisit them.

Processors will typically act quickly when they notice an activity that is outside of the established merchant pattern, because they are responsible for fraud-related chargebacks. For example, if a merchant submits a transaction at an amount substantially higher than the average transaction amount approved for the account, the processor will probably contact the merchant and want to find out why the amount is so high. Similar attention is paid to sales volumes. As completely legitimate merchants have learned to their surprise and annoyance, a rapid rise in their monthly sales invariably attracts their processor’s attention.

Moreover, even when fraud is absent or nor suspected, processing banks can have good reasons to be alert. The Associations assess processors penalty fees for merchants with high levels of chargebacks. For example, processors are required to report every merchant whose chargeback-to-transaction ratio (CTR) exceeds 50 basis points (0.50 percent) and pay a reporting fee of $50 for each report submitted. The fee rises steeply when the CTR exceeds 100 basis points (1 percent). To avoid paying these fees, processors will initiate a review long before the merchant comes even close to reaching either of these thresholds.

Whenever an audit is initiated by one of the Associations, it will contact the processor to explain the reasons why it believes the merchant may be in violation of the rules against processing invalid transactions and request information. Processors have 30 calendar days to return the requested information to the Association. Requested information typically includes the following items:

• A statement explaining whether, when, and how the processor became aware of fraudulent activity or chargeback or customer service issues, the steps it took to control the occurrence of fraud, and the circumstances surrounding the merchant’s termination.
• All internal documents about the opening and signing of the merchant including its application, merchant processing agreement, credit report, and certified site inspection report.
• All internal documents regarding the due diligence procedures followed before signing the merchant, including background checks of the company and its principals, as well as trade and bank references that the processor verified during the due diligence procedure.
• If an Independent Sales Organization (ISO) or a Member Service Provider (MSP) of the processing bank has facilitated the signing of the merchant, the ISO / MSP must include the due diligence documents. (In such cases the processor must distinguish between the due diligence conducted by its employees and its ISO’s / MSP’s employees.)
• Additionally, if an ISO / MSP assisted in the signing of the merchant, the processing bank must provide all due diligence documents regarding the representative that signed the merchant.
• Reports confirming an inquiry by the processor into the Member Alert to Control High-Risk Merchants (MATCH) system before signing the merchant and, if applicable, input of the merchant to the MATCH system database within five business days after its decision to close the merchant.
• Additionally, during the review period, the processor will be required to provide the following documentation:
  • Authorization logs for the merchant.
  • A monthly breakdown of chargeback and credits by count, amount, and issuer bank identification number (BIN) for the violation period.
  • A complete record of the merchant sales volume, including the number of transactions at the location, for the period for which the authorization logs are requested.

As you see, there is a lot of documentation that will be looked at and, if something is not done according to the applicable rules, it will most likely be found and the account will be terminated (if it has not been already) and the merchant will be added to the MATCH file. Moreover, during an audit, the merchant may be listed on the MATCH system under MATCH reason code 00 (Questionable Merchant).

Image credit: Bank-northwest.com.