Merchant Onboarding & Underwriting
Merchant onboarding is the initial process through which a business, whether a company or an individual entrepreneur, is enabled to start accepting payments via a payment processor or aggregator. This step involves evaluating the merchant’s legitimacy, compliance standing, business model, and risk level before setting up a merchant account. Functionally, it's akin to opening a dedicated financial account for business transactions.
During onboarding, the payment provider gathers key documentation such as business licenses, ownership details, and product information to verify that the merchant is operating lawfully and aligns with acceptable risk thresholds. For instance, an online retailer may need to provide company registration documents and explain its product catalog to rule out prohibited items or past fraudulent activity.
A robust onboarding process is crucial to keeping bad actors out of the payments ecosystem. If ineffective, it can expose the provider to onboarding risk, where a seemingly legitimate merchant turns out to engage in fraud, accumulate excessive chargebacks, or breach regulatory obligations. To manage this risk, providers typically apply a mix of identity verification, background screening, and risk scoring mechanisms at this early stage.
Risk-Based Approach: A risk-based approach is a compliance and risk management strategy where financial institutions, including acquirers, PayFacs, and ISOs, allocate resources and apply controls based on the level of risk presented by a customer or transaction. Instead of applying the same checks across all merchants, a risk-based approach adjusts the intensity and frequency of due diligence based on factors like industry, geography, transaction behavior, and past activity.
For example, a low-risk merchant selling household goods may undergo basic onboarding checks, while a high-risk business such as an online pharmacy or gambling operator would face enhanced verification, documentation, and transaction monitoring.
This approach is a cornerstone of AML (Anti-Money Laundering) and KYC/KYB frameworks and is encouraged by global regulators and standards bodies like the FATF (Financial Action Task Force). It helps payment providers remain compliant without overburdening low-risk merchants, balancing fraud prevention, regulatory requirements, and business efficiency.
Know Your Customer (KYC): KYC, or Know Your Customer, is a key compliance requirement that focuses on verifying the identities of customers during the onboarding process. It involves collecting and authenticating personal and business details such as legal names, addresses, identification numbers, and official documentation to confirm who the customer is and whether they pose a risk.
The core aim of KYC is to safeguard the financial system from threats like fraud, money laundering, and illicit financing by ensuring that payment providers and financial institutions understand exactly who they are working with. For example, before approving a merchant account, a provider may request official ID from the business owners and validate business registration data to ensure the enterprise is legitimate.
KYC isn't limited to a one-time check; many organizations continue to perform ongoing KYC or continuous monitoring, which involves tracking changes in customer behavior or newly emerging risks over time. In essence, KYC is not just a regulatory checkbox; it’s a cornerstone of secure, compliant, and trust-based onboarding.
Know Your Business (KYB): KYB, or Know Your Business, is a due diligence process focused on verifying the authenticity and legal standing of a business entity, an essential step when onboarding merchants. While it shares principles with Know Your Customer (KYC), KYB specifically targets business structures rather than individuals. It involves confirming company registration, reviewing business licenses, validating operational addresses, and, crucially, identifying key individuals behind the business.
A core part of KYB is uncovering Ultimate Beneficial Owners (UBOs), the individuals who hold significant control or ownership stakes in the company. This ensures transparency and helps payment providers avoid engaging with shell companies or entities involved in illegal activities.
For example, when vetting a new merchant, a payment service provider might review corporate filings, confirm the identities of executives, and screen them against global watchlists or sanctions databases. KYB safeguards the financial ecosystem by ensuring that every merchant onboarded is a real, law-abiding business, not a cover for fraud, money laundering, or other illicit operations. When paired with KYC, KYB offers a complete picture of both the business and the people behind it.
Ultimate Beneficial Owner (UBO): An Ultimate Beneficial Owner (UBO) is the individual or individuals who ultimately own or control a business, even if they are not listed as directors or legal representatives. In merchant onboarding and KYB processes, identifying UBOs is essential to ensure transparency and assess financial crime risk.
Failing to identify or screen UBOs properly may result in onboarding shell companies, sanctioned entities, or businesses used as fronts for illicit activity. For example, a low-risk retail site might be controlled by a hidden UBO involved in a banned industry, making proper UBO discovery critical to understanding who’s truly behind a merchant account.
UBOs are typically defined as people who:
- Own 25% or more of the company’s shares or voting rights (thresholds may vary by jurisdiction)
- Exercise control through ownership structures or legal arrangements
- Benefit financially from the company’s operations
For payment providers, uncovering and screening UBOs is a regulatory requirement under AML and KYC frameworks. This includes performing:
- Identity verification
- PEP and sanctions screening
- Adverse media checks
- Ongoing monitoring for changes in ownership or risk status
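The 25% ownership test becomes non-obvious when stakes are held through layered holding companies. The following added example (not from the original page) computes each natural person's effective stake by multiplying fractions along every ownership chain and summing across chains, which is a common convention and an assumption here; all entity names and percentages are constructed, and control exercised through legal arrangements is not modelled.

```python
from collections import defaultdict

# Constructed ownership edges: (owner, owned entity, fraction held). Fictional names.
EDGES = [
    ("Holding A", "Merchant Ltd", 0.60),
    ("Holding B", "Merchant Ltd", 0.40),
    ("Person X", "Holding A", 0.70),
    ("Person Y", "Holding A", 0.30),
    ("Person X", "Holding B", 0.10),
    ("Person Z", "Holding B", 0.90),
]
PERSONS = {"Person X", "Person Y", "Person Z"}  # natural persons; everything else is a company


def effective_ownership(target, edges, persons):
    """Return {person: effective fraction of target}, summed over all ownership chains."""
    owners_of = defaultdict(list)
    for owner, owned, fraction in edges:
        owners_of[owned].append((owner, fraction))
    totals = defaultdict(float)

    def walk(entity, share, path):
        for owner, fraction in owners_of[entity]:
            if owner in path:  # circular holding structure: do not loop forever
                continue
            stake = share * fraction
            if owner in persons:
                totals[owner] += stake
            else:
                walk(owner, stake, path | {owner})

    walk(target, 1.0, frozenset({target}))
    return dict(totals)


def find_ubos(target, edges, persons, threshold=0.25):
    """List persons whose effective stake meets the threshold (25% by default)."""
    stakes = effective_ownership(target, edges, persons)
    return sorted(p for p, s in stakes.items() if s >= threshold - 1e-9)


if __name__ == "__main__":
    for person, stake in sorted(effective_ownership("Merchant Ltd", EDGES, PERSONS).items()):
        print(f"{person}: {stake:.0%}")
    print("UBOs to verify and screen:", find_ubos("Merchant Ltd", EDGES, PERSONS))
```

None of the three people appears as a direct shareholder of the merchant, yet two of them cross the threshold once the chains are resolved.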
Customer Due Diligence (CDD): Customer Due Diligence (CDD) refers to the set of procedures financial institutions and payment providers use to verify a customer's identity and evaluate their risk profile. In the merchant onboarding context, CDD includes both KYC (Know Your Customer) and KYB (Know Your Business) measures, making it the broader framework that governs initial and ongoing assessments of a customer’s trustworthiness.
CDD typically involves gathering and validating identifying information, understanding the merchant’s business model, and checking for red flags like past financial misconduct or regulatory issues. Based on the level of perceived risk, providers may escalate to Enhanced Due Diligence (EDD), a more in-depth review process for high-risk merchants. EDD might include collecting additional documentation, conducting deeper background checks, or monitoring transactions more closely, especially if the merchant operates in a regulated or high-risk sector.
In essence, CDD ensures that businesses and individuals allowed into the payment ecosystem are properly vetted and continuously assessed to prevent exposure to financial crimes, fraud, or reputational damage. It is a dynamic, risk-based process that scales in rigor based on the customer’s risk profile.
PEP Screening (Politically Exposed Person Screening): PEP screening is the process of identifying whether a merchant, business owner, or ultimate beneficial owner (UBO) is a politically exposed person: someone who holds or has held a prominent public position, such as a senior government official, judge, military leader, or head of a state-owned enterprise.
Because PEPs are at higher risk of involvement in corruption, bribery, or illicit financial activity, acquirers and payment providers are required to apply enhanced due diligence (EDD) when onboarding or monitoring these individuals. This includes identifying their status, understanding the source of their funds, and maintaining closer scrutiny over their financial behavior.
PEP screening is a regulatory expectation under AML regimes globally and is typically performed during merchant onboarding and monitored on an ongoing basis. Ignoring PEP status can expose payment providers to legal, reputational, and regulatory risks, especially if transactions later become linked to financial crime or public scandals.
Sanctions Screening: Sanctions screening is the process of checking a merchant or associated individuals (such as business owners or UBOs) against government-issued sanctions lists to ensure they are not prohibited from doing business. These lists are maintained by organizations such as the U.S. Office of Foreign Assets Control (OFAC), EU, UN, and UK HM Treasury, and include individuals, entities, and countries subject to trade or financial restrictions.
Sanctions screening is a non-negotiable compliance requirement. Onboarding or transacting with a sanctioned party can lead to severe penalties, regulatory action, and reputational damage. Screening must occur:
- At onboarding (as part of KYC/KYB)
- On a continuous basis (to catch real-time matches as lists are updated)
- Across all beneficial owners, directors, and associated parties
Most providers automate sanctions screening using real-time database integrations and fuzzy-matching algorithms to detect name variations or potential false positives. If a match is found, the account is typically escalated for manual review, and in many cases, onboarding is paused or declined.
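The fuzzy-matching and escalation flow described above, as an added example that is not from the original page: names are normalized (case, diacritics, punctuation, token order) and compared with Python's standard `difflib`. The watchlist entries, party names and the 0.85 threshold are constructed assumptions; production screening uses licensed list data and tuned matchers.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries (fictional, not taken from any real sanctions list).
WATCHLIST = ["Ivan Petrovich Example", "Acme Shell Holdings Ltd", "María Ficticia López"]


def normalize(name):
    """Fold case, strip diacritics and punctuation, and sort tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.lower())
    return " ".join(sorted(cleaned.split()))


def similarity(a, b):
    """Similarity in [0, 1] between two names after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen_parties(parties, watchlist=WATCHLIST, threshold=0.85):
    """Return (party name, role, listed name, score) for every possible match."""
    hits = []
    for party in parties:
        for listed in watchlist:
            score = similarity(party["name"], listed)
            if score >= threshold:
                hits.append((party["name"], party["role"], listed, round(score, 2)))
    return hits


def onboarding_decision(parties):
    """Any possible match pauses onboarding for manual review; no match continues."""
    hits = screen_parties(parties)
    return ("manual_review" if hits else "continue", hits)


# Constructed application: the merchant plus its beneficial owner and director.
APPLICATION = [
    {"name": "Green Valley Household Goods LLC", "role": "merchant"},
    {"name": "LOPEZ, Maria Ficticia", "role": "UBO"},        # reordered, no accents
    {"name": "Ivan Petrovic Exampel", "role": "director"},   # transliteration and typo
]

if __name__ == "__main__":
    decision, hits = onboarding_decision(APPLICATION)
    print(decision)
    for hit in hits:
        print(hit)
```

Lowering the threshold catches more spelling variants but sends more false positives to the manual review queue, so the value is a tuning decision rather than a constant.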
Adverse Media Screening: Adverse media screening, also known as negative news screening, is the process of searching public sources for negative information about a merchant, its owners, or related entities. This includes checking news articles, legal filings, enforcement actions, regulatory blacklists, and media reports for signs of criminal activity, fraud, corruption, or reputational risk.
For acquirers, PayFacs, and ISOs, adverse media screening is a key part of merchant due diligence, particularly during onboarding and ongoing monitoring. It helps identify whether a merchant (or its UBOs or directors) is linked to:
- Fraud or financial crime
- Bankruptcy or insolvency proceedings
- Regulatory fines or enforcement actions
- Scams, fake reviews, or consumer complaints
- Other high-risk behavior flagged in public domains
Adverse media findings don’t always trigger automatic rejection, but they signal that deeper investigation may be needed. Screening tools typically use AI and natural language processing to surface relevant matches, which are then manually reviewed by compliance teams.
By catching reputational red flags early, payment providers can prevent onboarding merchants that may later result in financial loss, regulatory issues, or brand damage.
Merchant Underwriting: Merchant underwriting is the process of evaluating a business’s risk level before approving it for a merchant account or payment processing services. This step happens during onboarding and serves as a safeguard for payment providers, acquirers, and banks. The goal is to determine whether the merchant falls within the provider’s acceptable risk threshold and under what terms they can be approved.
Underwriting involves a thorough review of the merchant’s background; this may include examining the industry category (such as whether it's high-risk, like CBD or adult content), financial health, credit history, chargeback patterns, and regulatory compliance. For example, a new e-commerce business selling nutraceuticals might be flagged for extra scrutiny due to industry risk, while a stable retailer with a clean history might be fast-tracked.
If concerns arise, underwriters might still allow the merchant to onboard but apply conditions such as rolling reserves, processing limits, or enhanced monitoring. Strong merchant underwriting helps prevent fraud, chargebacks, and reputational damage by ensuring only trustworthy businesses enter the payment system. It balances the need for quick onboarding with the responsibility of protecting financial infrastructure.
Risk Scoring (Merchant Risk Score): Risk scoring is the practice of assigning a numerical value or rating to a merchant during onboarding or underwriting to indicate their level of risk. This score helps payment providers, acquirers, and compliance teams make data-driven decisions about whether to approve, reject, or monitor a merchant more closely.
Risk scores are calculated using models that factor in variables such as business type, processing history, creditworthiness, geographic location, product category, and more. For instance, a brand-new merchant in a high-risk vertical like dietary supplements or ticket resales may receive a high risk score, while a long-established business with steady sales and low disputes would score much lower.
By quantifying risk in a consistent way, providers can streamline onboarding, flag potentially problematic merchants early, and implement safeguards like reserves or tiered monitoring. In high-risk sectors, card networks often require enhanced risk scoring and fraud detection as part of compliance. Ultimately, merchant risk scoring is a core tool for balancing growth and security in the payments ecosystem.
Merchant Category Code (MCC): A Merchant Category Code (MCC) is a four-digit number used by card networks to classify a merchant based on the type of goods or services they offer. Each merchant is assigned an MCC during onboarding, and this code helps payment processors, acquirers, and card schemes understand what kind of business they’re dealing with.
MCCs play an important role in risk management, compliance, and transaction routing. Some codes are associated with high-risk industries, which may require additional underwriting or monitoring. For example:
- MCC 5912: Drug stores and pharmacies
Assigning the correct MCC is critical. If a business that sells regulated products like dietary supplements or age-restricted items is misclassified under a generic retail code, it could bypass important risk checks and create compliance issues. On the other hand, high-risk MCCs alert providers to potential challenges such as fraud, chargebacks, or regulatory exposure.
In short, MCCs help acquirers apply the right rules and risk controls from day one by categorizing merchants accurately based on their core business activity, while remaining in compliance with card-brand rules.
High-Risk Merchant: A high-risk merchant is a business that presents a greater-than-average risk to payment processors, acquiring banks, or card networks. This elevated risk may stem from the merchant’s industry type, business model, transaction behavior, or compliance history.
Industries typically labeled as high-risk include:
- Online gambling
- Adult content
- Pharmaceuticals (especially online sales)
- Alcohol and tobacco
- Payday lending
- Travel and ticketing services
- Subscription-based or future-delivery models (e.g., pre-orders)
A merchant can also be deemed high-risk due to operational factors such as a lack of processing history, high average order value, large volume spikes, or poor credit standing. For example, a newly launched electronics site accepting large upfront payments for future delivery might raise red flags due to the potential for customer disputes or fulfillment failures.
High-risk merchants often undergo enhanced underwriting, face higher processing fees, may be subject to rolling reserves, and are closely monitored. They may also be required to enroll in card brand compliance programs that apply stricter oversight.
While these merchants can generate significant processing volume, they require robust risk controls to protect the payment ecosystem from fraud, financial losses, and reputational damage.
Transaction Monitoring: Transaction monitoring is the ongoing process of analyzing financial transactions to identify behaviors that may signal fraud, money laundering, or other forms of financial crime. In the context of merchant acquiring, it refers to how acquirers, payment processors, and PayFacs track transaction activity within merchant accounts to detect anomalies and emerging risks.
This process is typically powered by automated monitoring systems that flag suspicious patterns such as:
- Sudden spikes in sales volume
- Unusual transaction amounts or frequency
- High rates of declined transactions
- Purchases from high-risk or geo-restricted countries
- Inconsistencies between a merchant’s expected profile and actual behavior
For example, if a low-volume merchant that typically processes $50 orders suddenly begins handling hundreds of $1,000 transactions overnight, that activity would trigger alerts for further investigation.
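A rule-based version of this check, as an added example that is not from the original page: one day of transactions is compared with the profile the merchant declared at onboarding, and an alert code is raised for each pattern in the list above. The profile values, multipliers, decline-rate limit and the placeholder country code `XX` are constructed assumptions.

```python
from statistics import mean

# Expected profile recorded at onboarding (constructed values).
PROFILE = {"avg_ticket": 50.0, "daily_count": 20, "restricted_countries": {"XX"}}


def make_day(count, amount, declined=0, country="US"):
    """Build a constructed day of transactions; the first `declined` ones are declines."""
    return [
        {"amount": amount, "country": country,
         "status": "declined" if i < declined else "approved"}
        for i in range(count)
    ]


def monitor_day(txns, profile, volume_mult=5.0, ticket_mult=5.0, max_decline_rate=0.30):
    """Compare one day of activity with the expected profile and return alert codes."""
    alerts = []
    if not txns:
        return alerts
    approved = [t for t in txns if t["status"] == "approved"]
    # Sudden spike in volume relative to the expected daily count.
    if len(txns) > volume_mult * profile["daily_count"]:
        alerts.append("VOLUME_SPIKE")
    # Unusual amounts: average approved ticket far above the expected ticket.
    if approved and mean(t["amount"] for t in approved) > ticket_mult * profile["avg_ticket"]:
        alerts.append("TICKET_SIZE_DEVIATION")
    # High rate of declined transactions.
    declined = len(txns) - len(approved)
    if declined / len(txns) > max_decline_rate:
        alerts.append("HIGH_DECLINE_RATE")
    # Any purchase from a restricted geography.
    if any(t["country"] in profile["restricted_countries"] for t in txns):
        alerts.append("RESTRICTED_GEOGRAPHY")
    return alerts


if __name__ == "__main__":
    print("typical day:", monitor_day(make_day(18, 52.0), PROFILE))
    print("overnight spike:", monitor_day(make_day(300, 1000.0), PROFILE))
```

The second call reproduces the scenario in the text: a merchant profiled at $50 orders that suddenly processes hundreds of $1,000 transactions raises both the volume and ticket-size alerts.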
Transaction monitoring serves both preventive and compliance functions:
- Prevents financial abuse by stopping suspicious activity in real time or near-real time
- Supports regulatory compliance by enabling detection of transactions that may require escalation or reporting (e.g. via Suspicious Activity Reports (SARs))
Regulators in most jurisdictions mandate that financial institutions—including payment service providers—maintain robust transaction monitoring programs as part of their AML and fraud prevention obligations.
For payment providers, effective transaction monitoring is not just a checkbox—it’s a critical control layer that protects the integrity of the payments ecosystem, reduces exposure to regulatory penalties, and ensures that only legitimate merchants and transactions flow through the network.