Miscoded Merchants Can Be a Seven-Figure Mistake

Pay attention to your MCCs, or pay a hefty price later on.

Merchant category codes (MCCs) play a central role in payments risk management, but too many service providers and acquirers take them at face value. Now, in the wake of renewed focus on MCCs by the payment networks, miscategorized MCCs can be a very costly mistake.

Recently, our payments risk-management firm has seen the assessments levied against payments acquirers for miscoded MCCs reach upwards of seven digits.

Let’s look at recent developments, key challenges, and some recommended actions for acquirers.

This summer, the Visa Integrity Risk Program (VIRP) entered the card-payments landscape, replacing the previous Global Brand Protection Program (GBPP). Risk-management programs by card companies are not new, but any time new standards are introduced, scrutiny is heightened. MCCs are getting extra attention right now, and acquirers that bear most of the risk must respond accordingly.

Under VIRP, “high integrity risk merchants” are now categorized into three tiers that are subject to assessments. High integrity risk merchants are business types that pose a greater risk of processing illicit transactions. In the new three-tier structure, tier 1 has the highest level of risk. Here are all three tiers as described by Visa:

Tier 1 merchants operate businesses “where there is a higher risk of illegal activity occurring without proper controls and that potential illegal activity could—either directly or by association—cause significant harm to the health, safety, and/or well-being of individuals.” Tier 1 is specific to card-absent adult content, dating and escort services, gambling, and pharmacies.

Tier 2 merchants have a higher risk of illegal activity that could cause financial or other economic harm to individuals. Tier 2 business types include card-absent crypto merchants, digital file sharing, and games of skill.

Tier 3 merchants have “a higher risk for non-compliance with regulations or deceptive marketing practices without appropriate controls.” Examples include outbound telemarketing, high-integrity-risk financial-trading platforms, and negative-option subscriptions.

The Complicated Environment

Categorizing merchants can seem straightforward, but the reality is complicated and dynamic. Miscategorized merchants are often a much larger problem than most acquirers realize and, as a result, their portfolios carry more risk than is readily apparent. In our experience, nearly half of MCCs in the average merchant portfolio are either misclassified and should be assigned a more-specific category or are altogether missing.

The reasons for this are many—some innocuous. For example, many merchants that could fall under more than one MCC often land in a “miscellaneous” category. While the broader miscellaneous MCCs are sometimes appropriate, they can also become a catch-all with opaque levels of risk.

Another scenario occurs when the initial MCC is accurate but becomes less so over time as the merchant expands offerings beyond the code’s original definition. For example, the risk profile of a restaurant changes when it begins selling alcohol.

Risk tolerance is unique to each payment-service provider, affecting both compliance risk and revenue. Legitimate, high-risk merchants can be highly desirable, as they generate more revenue. At the same time, seemingly low-risk merchants are not all safe from network fines and assessments.

And some MCC misclassifications are intentional. For example, a merchant may try to conceal riskier transactions to garner a more favorable rate with processors. More deceptively, a merchant may present a benign-looking shell business to hide transaction laundering. Gadget sites, for instance, are common front businesses for transaction launderers.

Another complicating factor, particularly for e-commerce, is jurisdiction. Operating an online business removes geographical barriers and opens the door to transact business and ship goods anywhere in the world. This poses problems for products with legality that differs across jurisdictions.

For example, cannabis laws vary widely from country to country—and even state to state within the United States. A cannabis merchant that ships products to another jurisdiction can easily run afoul of the law. That is why it is so important for acquirers to assign the most-accurate MCC for each merchant, as well as monitor every merchant for the life of the account.

Actions to Take Now

MCCs are central to managing both risk and revenue. Fines for violating payment network requirements can be staggering, and are often tied to an infraction’s length of time. That said, low-risk merchants don’t ensure compliance, and high-risk merchants can generate significant revenue. To get the balance right:

1. Define Your Risk Tolerance: Clearly articulate what “acceptable risk” is for your organization. As part of this process, create your own list of approved MCCs, which helps establish a framework for merchant selection. Regularly review and update the list to keep pace with business conditions and regulatory changes.
2. Scrub Your Portfolio: Each missing or inaccurate MCC code represents increased risk and the potential for lost revenue. Make it a priority to review each merchant’s offerings and assign the most-accurate MCC code.
3. Monitor for Changes: As merchants grow their businesses, they add and remove products and services, which can change their risk and revenue profile. Regular monitoring is critical for reducing the risk of network assessments while still meeting revenue targets.

Especially now, it doesn’t pay to leave the accuracy of MCCs to chance. Content violations can be sudden, unexpected, or may lurk indefinitely without oversight. Ultimately, even absent the risk of fines, accurate MCCs are a valuable tool for managing risk and growth. Acting now will provide a clearer picture of risk—and improve portfolio profitability.

—Alan Primitivo is the vice president of client operations and Will Seitz is the regional director of sales at G2.