Comprehensive Merchant
Risk Management Glossary

Merchant onboarding is the initial process through which a business  whether a company or individual entrepreneur  is enabled to start accepting payments via a payment processor or aggregator. This step involves evaluating the merchant’s legitimacy, compliance standing, business model, and risk level before setting up a merchant account. Functionally, it's akin to opening a dedicated financial account for business transactions.During onboarding, the payment provider gathers key documentation such as business licenses, ownership details, and product information to verify that the merchant is operating lawfully and aligns with acceptable risk thresholds. For instance, an online retailer may need to provide company registration documents and explain its product catalog to rule out prohibited items or past fraudulent activity.A robust onboarding process is crucial to keeping bad actors out of the payments ecosystem. If ineffective, it can expose the provider to onboarding risk  where a seemingly legitimate merchant turns out to engage in fraud, accumulate excessive chargebacks, or breach regulatory obligations. To manage this risk, providers typically apply a mix of identity verification, background screening, and risk scoring mechanisms at this early stage.

Risk-Based Approach: A risk-based approach is a compliance and risk management strategy where financial institutions  including acquirers, PayFacs, and ISOs  allocate resources and apply controls based on the level of risk presented by a customer or transaction. Instead of applying the same checks across all merchants, a risk-based approach adjusts the intensity and frequency of due diligence based on factors like industry, geography, transaction behavior, and past activity.

For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business  such as an online pharmacy or gambling operator  would face enhanced verification, documentation, and transaction monitoring.

This approach is a cornerstone of AML (Anti-Money Laundering) and KYC/KYB frameworks and is encouraged by global regulators and standards bodies like the FATF (Financial Action Task Force). It helps payment providers remain compliant without overburdening low-risk merchants, balancing fraud prevention, regulatory requirements, and business efficiency.

KYC, or Know Your Customer, is a key compliance requirement that focuses on verifying the identities of customers during the onboarding process. It involves collecting and authenticating personal and business details such as legal names, addresses, identification numbers, and official documentation to confirm who the customer is and whether they pose a risk.

The core aim of KYC is to safeguard the financial system from threats like fraud, money laundering, and illicit financing by ensuring that payment providers and financial institutions understand exactly who they are working with. For example, before approving a merchant account, a provider may request official ID from the business owners and validate business registration data to ensure the enterprise is legitimate.For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business  such as an online pharmacy or gambling operator  would face enhanced verification, documentation, and transaction monitoring.

KYC isn't limited to a one-time check; many organizations continue to perform ongoing KYC or continuous monitoring, which involves tracking changes in customer behavior or newly emerging risks over time. In essence, KYC is not just a regulatory checkbox  it’s a cornerstone of secure, compliant, and trust-based onboarding.

Know Your Business (KYB): KYB, or Know Your Business, is a due diligence process focused on verifying the authenticity and legal standing of a business entity  an essential step when onboarding merchants. While it shares principles with Know Your Customer (KYC), KYB specifically targets business structures rather than individuals. It involves confirming company registration, reviewing business licenses, validating operational addresses, and  crucially  identifying key individuals behind the business.

A core part of KYB is uncovering Ultimate Beneficial Owners (UBOs)  the individuals who hold significant control or ownership stakes in the company. This ensures transparency and helps payment providers avoid engaging with shell companies or entities involved in illegal activities.For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business  such as an online pharmacy or gambling operator  would face enhanced verification, documentation, and transaction monitoring.

For example, when vetting a new merchant, a payment service provider might review corporate filings, confirm the identities of executives, and screen them against global watchlists or sanctions databases. KYB safeguards the financial ecosystem by ensuring that every merchant onboarded is a real, law-abiding business  not a cover for fraud, money laundering, or other illicit operations. When paired with KYC, KYB offers a complete picture of both the business and the people behind it.

Failing to identify or screen UBOs properly may result in onboarding shell companies, sanctioned entities, or businesses used as fronts for illicit activity. For example, a low-risk retail site might be controlled by a hidden UBO involved in a banned industry  making proper UBO discovery critical to understanding who’s truly behind a merchant account.

Ultimate Beneficial Owner (UBO): An Ultimate Beneficial Owner (UBO) is the individual  or individuals  who ultimately own or control a business, even if they are not listed as directors or legal representatives. In merchant onboarding and KYB processes, identifying UBOs is essential to ensure transparency and assess financial crime risk.

Customer Due Diligence (CDD): Customer Due Diligence (CDD) refers to the set of procedures financial institutions and payment providers use to verify a customer's identity and evaluate their risk profile. In the merchant onboarding context, CDD includes both KYC (Know Your Customer) and KYB (Know Your Business) measures, making it the broader framework that governs initial and ongoing assessments of a customer’s trustworthiness.

CDD typically involves gathering and validating identifying information, understanding the merchant’s business model, and checking for red flags like past financial misconduct or regulatory issues. Based on the level of perceived risk, providers may escalate to Enhanced Due Diligence (EDD)  a more in-depth review process for high-risk merchants. EDD might include collecting additional documentation, conducting deeper background checks, or monitoring transactions more closely, especially if the merchant operates in a regulated or high-risk sector.

In essence, CDD ensures that businesses and individuals allowed into the payment ecosystem are properly vetted and continuously assessed to prevent exposure to financial crimes, fraud, or reputational damage. It is a dynamic, risk-based process that scales in rigor based on the customer’s risk profile.

PEP Screening (Politically Exposed Person Screening): PEP screening is the process of identifying whether a merchant, business owner, or ultimate beneficial owner (UBO) is a politically exposed person someone who holds or has held a prominent public position, such as a senior government official, judge, military leader, or head of a state-owned enterprise.

Because PEPs are at higher risk of involvement in corruption, bribery, or illicit financial activity, acquirers and payment providers are required to apply enhanced due diligence (EDD) when onboarding or monitoring these individuals. This includes identifying their status, understanding the source of their funds, and maintaining closer scrutiny over their financial behavior.

PEP screening is a regulatory expectation under AML regimes globally and is typically performed during merchant onboarding and monitored on an ongoing basis. Ignoring PEP status can expose payment providers to legal, reputational, and regulatory risks  especially if transactions later become linked to financial crime or public scandals.

Sanctions Screening: Sanctions screening is the process of checking a merchant or associated individuals (such as business owners or UBOs) against government-issued sanctions lists to ensure they are not prohibited from doing business. These lists are maintained by organizations such as the U.S. Office of Foreign Assets Control (OFAC), EU, UN, and UK HM Treasury, and include individuals, entities, and countries subject to trade or financial restrictions.

Most providers automate sanctions screening using real-time database integrations and fuzzy-matching algorithms to detect name variations or potential false positives. If a match is found, the account is typically escalated for manual review, and in many cases, onboarding is paused or declined.

Adverse Media Screening:  Adverse media screening  also known as negative news screening  is the process of searching public sources for negative information about a merchant, its owners, or related entities. This includes checking news articles, legal filings, enforcement actions, regulatory blacklists, and media reports for signs of criminal activity, fraud, corruption, or reputational risk.

For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business  such as an online pharmacy or gambling operator  would face enhanced verification, documentation, and transaction monitoring.

This approach is a cornerstone of AML (Anti-Money Laundering) and KYC/KYB frameworks and is encouraged by global regulators and standards bodies like the FATF (Financial Action Task Force). It helps payment providers remain compliant without overburdening low-risk merchants, balancing fraud prevention, regulatory requirements, and business efficiency.

Adverse media findings don’t always trigger automatic rejection  but they signal that deeper investigation may be needed. Screening tools typically use AI and natural language processing to surface relevant matches, which are then manually reviewed by compliance teams.

By catching reputational red flags early, payment providers can prevent onboarding merchants that may later result in financial loss, regulatory issues, or brand damage.

Merchant Underwriting: Merchant underwriting is the process of evaluating a business’s risk level before approving it for a merchant account or payment processing services. This step happens during onboarding and serves as a safeguard for payment providers, acquirers, and banks. The goal is to determine whether the merchant falls within the provider’s acceptable risk threshold and under what terms they can be approved.

Underwriting involves a thorough review of the merchant’s background  this may include examining the industry category (such as whether it's high-risk, like CBD or adult content), financial health, credit history, chargeback patterns, and regulatory compliance. For example, a new e-commerce business selling nutraceuticals might be flagged for extra scrutiny due to industry risk, while a stable retailer with a clean history might be fast-tracked.

If concerns arise, underwriters might still allow the merchant to onboard but apply conditions such as rolling reserves, processing limits, or enhanced monitoring. Strong merchant underwriting helps prevent fraud, chargebacks, and reputational damage by ensuring only trustworthy businesses enter the payment system. It balances the need for quick onboarding with the responsibility of protecting financial infrastructure.

Risk Scoring (Merchant Risk Score): Risk scoring is the practice of assigning a numerical value or rating to a merchant during onboarding or underwriting to indicate their level of risk. This score helps payment providers, acquirers, and compliance teams make data-driven decisions about whether to approve, reject, or monitor a merchant more closely.

Risk scores are calculated using models that factor in variables such as business type, processing history, creditworthiness, geographic location, product category, and more. For instance, a brand-new merchant in a high-risk vertical  like dietary supplements or ticket resales  may receive a high risk score, while a long-established business with steady sales and low disputes would score much lower.

By quantifying risk in a consistent way, providers can streamline onboarding, flag potentially problematic merchants early, and implement safeguards like reserves or tiered monitoring. In high-risk sectors, card networks often require enhanced risk scoring and fraud detection as part of compliance. Ultimately, merchant risk scoring is a core tool for balancing growth and security in the payments ecosystem.

Merchant Category Code (MCC): A Merchant Category Code (MCC) is a four-digit number used by card networks to classify a merchant based on the type of goods or services they offer. Each merchant is assigned an MCC during onboarding, and this code helps payment processors, acquirers, and card schemes understand what kind of business they’re dealing with.

MCCs play an important role in risk management, compliance, and transaction routing. Some codes are associated with high-risk industries, which may require additional underwriting or monitoring.  For example:For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business  such as an online pharmacy or gambling operator  would face enhanced verification, documentation, and transaction monitoring.

Assigning the correct MCC is critical. If a business that sells regulated products  like dietary supplements or age-restricted items  is misclassified under a generic retail code, it could bypass important risk checks and create compliance issues. On the other hand, high-risk MCCs alert providers to potential challenges such as fraud, chargebacks, or regulatory exposure.

In short, MCCs help acquirers apply the right rules and risk controls from day one by categorizing merchants accurately based on their core business activity, while remaining in compliance with card-brand rules.

High-Risk Merchant: A high-risk merchant is a business that presents a greater-than-average risk to payment processors, acquiring banks, or card networks. This elevated risk may stem from the merchant’s industry type, business model, transaction behavior, or compliance history.

A merchant can also be deemed high-risk due to operational factors  such as a lack of processing history, high average order value, large volume spikes, or poor credit standing. For example, a newly launched electronics site accepting large upfront payments for future delivery might raise red flags due to the potential for customer disputes or fulfillment failures.

High-risk merchants often undergo enhanced underwriting, face higher processing fees, may be subject to rolling reserves, and are closely monitored. They may also be required to enroll in card brand compliance programs that apply stricter oversight.

While these merchants can generate significant processing volume, they require robust risk controls to protect the payment ecosystem from fraud, financial losses, and reputational damage.

Transaction Monitoring: Transaction monitoring is the ongoing process of analyzing financial transactions to identify behaviors that may signal fraud, money laundering, or other forms of financial crime. In the context of merchant acquiring, it refers to how acquirers, payment processors, and PayFacs track transaction activity within merchant accounts to detect anomalies and emerging risks.

For example, if a low-volume merchant that typically processes $50 orders suddenly begins handling hundreds of $1,000 transactions overnight, that activity would trigger alerts for further investigation.

Regulators in most jurisdictions mandate that financial institutions—including payment service providers—maintain robust transaction monitoring programs as part of their AML and fraud prevention obligations.

For payment providers, effective transaction monitoring is not just a checkbox—it’s a critical control layer that protects the integrity of the payments ecosystem, reduces exposure to regulatory penalties, and ensures that only legitimate merchants and transactions flow through the network.