White Paper: ETA Risk Management White Paper
By Electronic Transactions Association's (ETA) Risk & Fraud Management Committee
ETA originally published this white paper on March 10, 2005. Reprinted with permission.
This is the first in a series of white papers authored by the ETA Risk & Fraud Management Committee designed to inform ETA members about industry trends in managing risk within their respective portfolios.
The desired outcome is to improve risk management practices among all of our members and to potentially reduce losses within the industry.
Changing technology and markets (such as Internet providers, wireless card readers, etc.) are evolving at a rate that challenges even the best risk management process. These white papers are designed to provide the most current information available about best practices as well as loss trends in the marketplace.
We recognize that each acquirer and financial institution has different levels of risk that they are willing to accept into their portfolios.
This series is not designed to inhibit or restrict the type of risk you should accept, but rather to provide tools that will enable you to better assess and monitor risk within the constraints established by your organization.
The practices contained in the upcoming series of articles are generally considered "best practices" and will be provided by a team of industry experts from a variety of backgrounds in the card industry.
Defining Risk Management
To begin, risk management is typically defined in the four major categories listed in bold letters below:
| | **Business Risk** | **Fraud Risk** |
|---|---|---|
| **Credit Screening** | Prevention | Prevention |
| **Risk Monitoring** | Detection | Detection |
A good system of risk management consists of controls that enable prevention (or reduction) of risk, yet facilitate the acquisition of business into your portfolio that fits your risk constraints.
A good credit screening system will also identify those businesses that have potential for resulting in losses regardless of cause (either business risk or committing fraud).
Alternatively, good detective controls enable early identification of trends that can minimize loss potential if the credit screening process did not identify the potential for either business or fraud risk.
For example, a rigorous credit analysis complete with a "credit report" from a known reporting agency may assist in early identification of a business or owner that has resulted in a loss to an acquirer or financial institution.
Although certain card companies require reporting known offenders to a shared database, not every fraud offense is reported. This sometimes results in a single merchant going from acquirer to acquirer, leaving behind a wake of fraud losses.
Once a merchant is approved, a failure of the monitoring systems to detect anomalies such as significant increases of chargebacks or unusual increases in sales volume may result in more losses.
The resulting increase in the rate of Internet commerce brings with it new risk, since the card may be charged prior to fulfilling the cardholder's order. If the issue is not detected early, there is a potential for loss exposure if the merchant ultimately suffers a business failure or if it is determined that the merchant has committed fraud.
Certainly a minimum baseline for "best practices" in credit screening can start with what is currently required by the card Associations and by law.
Credit Screening Requirements
- An acquirer must determine that a prospective merchant is financially responsible and there is no significant derogatory background information about any of its principals. This may be done through the below tools:
  - Credit reports
  - Personal and business financial statements
  - Income tax returns
  - Other information lawfully available to the acquirer
- An inquiry must be made to the MasterCard Member Alert to Control Merchants (MATCH) system to determine if the prospective merchant has been terminated for cause.
- Whenever feasible, conduct a physical inspection of the business premises and records to ensure the merchant has the proper facilities, equipment, inventory, agreements and personnel required, and if necessary, license or permit to conduct business. For mail/phone order merchants, the acquirer must obtain a detailed business description.
- In addition to the above, if the merchant is an electronic commerce merchant the acquirer must examine the merchant's Web site to:
  - Verify that the merchant is operating within the acquirer's jurisdiction
  - Ensure that the merchant is not engaged in any activity that is in violation of the Association's guidelines
  - Ensure that the merchant is not engaged in any illegal activity.
- Annually:
  - Examine the merchant Web site
  - Print and retain copies of the Web site
  - Provide retained copies of the Web site if so required by the Associations
Both Associations may audit an acquirer for compliance with the merchant screening requirements. If it is determined that a member has violated the procedures, they may assess that member for each merchant agreement not in compliance.
In addition, the violators are subject to chargebacks of fraudulent transactions.
Subsequent white papers will address other areas of risk management and fraud monitoring, hopefully providing value and minimizing overall losses for ETA members.
Contributors:
ETA 2004 - 2005 Risk & Fraud Management Committee, including:
Mary F. Dees, creditranz.com
Jeffry A. Beene, Pipeline Data Processing Inc.
Barrie Berman VanBrackle, Manatt, Phelps & Phillips LLC
Mike Love, ReD Consulting
Tad Scales, Deloitte & Touche
William Higgins, Retriever Payment Systems
Laurie LeBoeuf Novacek, Merchants' Choice Card Services
Eduardo Perez, Visa U.S.A. Inc.
Steven Peisner, Merchant Mechanix
Carla Balakgie, ETA
For more information, call ETA at 800-695-5509 or visit www.electran.org.