ast year an ISO contacted Integrity Bankcard Consultants, Inc. to do a portfolio risk review after experiencing a series of losses. The losses resulted from unfunded chargebacks and merchants processing fraudulent returns.

While we were able to help the ISO improve how it identifies merchants entering returns for transactions with no corresponding sale and to take steps to minimize its chargeback risk exposure, the problem was really caused in the upfront approval process used by the ISO.

Caught up in the 24-hour approval race, the ISO was auto-approving retail merchants that seemed to be "acceptable types of businesses"-these merchants were swiping above a certain percentage of transactions, were not providing future services beyond a certain number of days and were below certain monthly volume and average ticket thresholds.

Furthermore, the ISO was auto-approving Internet merchants using similar thresholds. This included an even longer period for future services than it allowed the retail merchants, but with lower monthly volume and average ticket thresholds.

Many of the ISO's merchant applications were generated from inquiries over the Internet; because it did not require site surveys or photos, however, the ISO didn't engage any company to do site inspections and no agents ever visited the premises.

The ISO's account verification process simply included telephoning the merchant, determining whether the designated checking account would accept ACH deposits and withdrawals, verifying Web site registration (if applicable), and doing reverse-lookups on the business and home telephone number.

The auto-approval guidelines included approval regardless of the owner's personal credit history, except for merchants currently in a bankruptcy and for merchants on the MATCH list of risky merchants.

As if by magic, applications that were within the auto-approval thresholds were soon being submitted. The subsequent processing history illuminated entirely different information than was provided on the merchant application.

When we reviewed the merchant files, it became apparent that many of the merchants had previously been declined by other processors. We also discovered that several of the ISO's agents showed patterns of losses to the ISO; a review of the merchant applications submitted by these agents indicated that most were being auto-approved.

We did site inspections of the merchants being submitted by these agents and found a number of situations where losses would have been prevented had a site inspection been conducted. For example, there were instances where the address either did not exist or was just a mail drop.

Several of the merchants were in businesses that were entirely different than had been indicated on the merchant applications; some of them fell into the prohibited business category.

The use of proper underwriting practice would have flagged these merchant applications and indicated that they should be declined.

We recommended changes that did not appreciably slow down the approval process but that allowed sound underwriting practices to be implemented and maintained.

Initially the percentage of declined merchant applications increased, but now the percentage is tracking downward-as the problematic agents are no longer submitting merchant applications, either through termination or after receiving a series of declines.

In February 2004 MasterCard International issued a bulletin to its member financial institutions, reinforcing the importance of compliance with all standards aimed at preventing the use of MasterCard systems for any illegal activities.

The bulletin targets transactions that present heightened risks of potentially illegal activity, including Internet payments for transactions involving gambling, pornography and prescription medications.

The bulletin notes that MasterCard can require a member that fails to comply with these standards to absorb the cost of any illegal transactions and, in addition, MasterCard could assess, suspend or terminate that member.

The bulletin emphasized compliance with key standards in connection with the prohibition of illegal activities including:

Due Diligence

Members must conduct due diligence on merchants from which they elect to acquire, before permitting those merchants to accept MasterCard-branded cards, to ensure that the merchant is engaged in a legitimate business and not in an illegal activity.

In addition, the member is required to check the merchant's Web site and business activities regularly to confirm that their activities are, and remain, legal.

If there is any doubt about the legality of the merchant's activities in any jurisdiction it intends to provide goods and services, the acquirer should not permit the merchant to accept MasterCard cards until the legality of the activities can be confirmed.

Proper Transaction Identificaiton

Members must ensure that transactions are identified properly. For example, an authorization request involving Internet gambling transactions must contain the proper codes indicating that it is a gaming transaction and is being conducted by the cardholder via the Internet. Members can reject a transaction if they have any doubts about its legality.

Compliance With All Applicable Laws

MasterCard standards require all members to comply with all applicable laws and not engage in illegal behavior or in behavior that would cause MasterCard to violate any laws.

MasterCard's acquiring members are also required to ensure that each of their members comply with the standards.

MasterCard's bylaws state "each member must conduct its programs and other activities that utilize or otherwise involve any of the MasterCard marks in compliance with the standards and with all applicable laws and requirements imposed by government or regulatory authority."

This recent MasterCard bulletin on compliance is a reminder to its members and ISOs of their duty to conduct a due diligence inquiry into each and every merchant application submitted.

Auto-approval based on the information provided on a merchant application falls short of meeting acceptable standards for due diligence. Members must ensure that the merchants are engaged in legitimate businesses and not illegal activities.

The ISO must also take steps to ensure that merchants are properly categorized and that their transactions will be properly identified. This must happen before merchants begin to process MasterCard transactions.

David H. Press is Principal and President of Integrity Bankcard Consultants, Inc. Phone him at 630-637-4010, e-mail dhp@integritybankcard.net or visit www.integritybankcard.net .