There are lots of merchants out there and most of them are good, honest people making a living by working hard every day. There are some which are not, and these are the ones that can blow your whole operation if you’re not careful. It may be true that one bad merchant can kill your business. But the ISOs I know that have lost the merchant risk game have done it through their own mismanagement of chargebacks, not so much because of merchant fraud. Merchants who perpetrate false transactions or who don’t deliver quality goods and services get chargebacks from consumers. If the merchant isn’t there to pay the bill when the chargeback hits – then someone has to eat that risk – the processor or the ISO. How the ISO manages that chargeback flow can make the difference between the life and death of their company.
   For an ISO to take merchant risk, there are two key tasks to perform: Up-front merchant credit underwriting and ongoing day to day risk management. Underwriting is the process of determining whether or not the merchant is legitimate. Is there physical inventory in the shop? Is there a real store front? Or is the ‘merchant’ a cover for a crystal Meth lab and wants to take credit cards to speed up sales before fleeing to South America?
   Ongoing transaction risk management is a daily task – reviewing transactions from your merchant base to see if they follow predictable patterns which you might expect from that merchant. For example, is it normal for a pizza parlor to generate a string of $500.00 transactions? If it looks fishy, it may well be, and that may be your risk. Transactions must be monitored daily and if necessary, funds held back pending further investigation.
   When funds are held, the accounting has to be perfect since those funds will likely be sent to the merchant eventually after an investigation is concluded. In addition, when chargebacks come through, they have to be passed on to the merchant quickly so that they don’t accumulate causing further problems. Here’s where the chargebacks themselves are not the problem, but rather is the management of them. I know of one large ISO who went under because they failed to reconcile chargebacks every day. After a couple of years, the chargebacks had accumulated to over $1,000,000. This amount should have been collected from merchants one transaction at a time, but years later, the merchants no longer existed. Oooops - too late. The ISO was bankrupt and had to sell quickly at a bargain price to a cash-rich big brother. Game over.
   This kind of thing has happened so many times throughout the history of our industry, that I have to ask - is merchant risk worth taking? What do you get for taking risk? What’s in it for you if you hire the staff, put in the systems and sweat bullets at night? For all the headache, infrastructure and worry, you get a processing rate that is about 6 basis points better than if your processor takes the risk for you. That’s 0.006% of the transaction volume. For every $100 in charge volume, that would be about $0.60 more in revenues to you. Is that worth the trouble?
   It takes at least two people to create a risk department. Skilled personnel in this field make about $45,000 per year, plus 20% for benefits and extras, for a total of $54,000 each or $108,000 per year - $9,000 per month. Add a competent accountant at $5,000 per month plus benefits at 20% for a total of another $6,000. (Remember that ISO who went bust due to poor accounting practices? This is no place to scrimp. Hire someone smart, or don’t get into risk management.) Then, there’s the computer systems and other overhead, phone bills, etc. I’ll just throw in $3,000 per month for that. So far, our fledgling risk management group is running at $18,000 per month and I have not even added in the extra administrative overhead to coordinate all that, let alone your time to manage all these people when you could be doing something else.
   Without even trying hard, I come up with $18,000 in expenses per month. With the benefit being .0006% of transaction volume, it will take at least $30 million in monthly volume just to break even! If each merchant does an average of $5,000 per month in volume, then it will take 6,000 merchants just to break even. With that many merchants, it will probably take at least one more person to manage risk, so these numbers may be low.
    And for all that trouble and expense, you inherited what? Not more profit, this is just a break even analysis. Instead, you got management headaches plus the possibility of a catastrophic risk which could destroy your business after years of struggle all because some risk management guy blew it. Sounds great, right? Do you feel like the losing contestant on a game show?
    You: “I’ll take Door Number Three. I sure hope success, wealth, prestige and a new car is hiding in there!” Host: “Oh, no! Sorry, Door Number Three is a notoriously fraudulent merchant and a year’s worth of unaccounted for chargebacks – You’re Bankrupt! That’s all we have time for today! See you next time on ISO Risk Roulette!”
    The camera pans left and you are there standing by yourself in the studio alone wondering how you will make the next mortgage payment.
    The thing I really don’t like about managing merchant risk is what I call the “unequal consequence profile” between the employee who is actually assessing or accounting for the risk day to day, and the guy is going to pay for his mistakes. (That would be me, the business owner). Risk managers and accountants are employees. They get paid to come to work everyday and do a job. Their reward comes in the form of a paycheck and perhaps a bonus. I am a business owner. I am here for the long haul. My reward comes in the form of a stable, solid company which someone might buy from me someday for a large sum of money. If the risk manager fails to correctly address a risk situation, then he gets fired. I, on the other hand, lose my company, many years of hard work, my personal net worth and who knows what else as a consequence. The risk manager gets a new job and I get a bankruptcy (definitely business, perhaps personal). This is not what I am in business for.
    The point is that risk is a volume game. It really does not make sense to take risk until and unless you have huge processing volumes. Even then, for the marginal profit you get from the oh-so-much-better deal you cut with the processor, you get a lot of headaches and uncertainty with your business. Me? I pay the .0006% and sleep great at night knowing I will have a residual check in the morning. I know someone out there is shouting “But you gave up merchant ownership and portability!” To which I shout back “I’ll write about it next month!”