Confessions of a Risk Analyst (Part 1)

Risk reserves are one of those things in the processing world that go unknown for most businesses. For many businesses the first time they find out about risk reserves is when their funds get held. It can be a scary and confusing thing. One day you are receiving deposits, and the next nothing. It can happen without warning – leaving business owners scrambling to find out what has happened. Over the next two or three articles we are going to go over the primary ways you could find yourself with your funds held and how best to resolve the issue. We are also going to include real world examples that we have seen first hand with our own customers or that we know about from others in the industry. We hope this information and these stories will help you build a stronger business by preparing you for future unknowns.

What is a Risk Reserve?

A risk reserve or held funds usually starts with a rapid change in the business. Maybe it’s an abnormally large batch on an account or sudden activity on an account that hasn’t processed for some time or a large transaction that is far outside the norm for the merchant. More concerning it can be caused by a sudden increase in card holder disputes (chargebacks), or legal action against the business. Whatever the reason the first thing to understand is it is not a punishment sent down by the processor. While it may feel like a punishment, its really designed to protect the business, the card holders, and the processor from loss.
What losses or risk could there be?

For businesses the primary risk will come from disputes like chargebacks. These can originate from many different types of fraud on the part of the card holder (i.e. friendly fraud or stolen credit cards). Many times, a chargeback is not from a cardholder fraud. A chargeback may originate as legitimate claim against a business such as not processing a refund, selling faulty products, or not completing the anticipated services. The higher the dispute amount, the higher the potential for the business to be financially overwhelmed which could effectively destroy a business’s cash reserves, leaving the business owner with a large debt owed to card holders. And if the business cannot cover the refunds back to their customers, the processor is left to pick up the bill.

Real Life Example
A jewelry store owner several years ago was the victim of friendly fraud. In short, a man walked into her store in a small beach town and asked to see some diamond necklaces. While displaying her work to the man he calmly explained he was on vacation with his wife for the first time since they had been married years ago. He told her about the business he started and how his wife stood by him during the darkest days, but now it had grown, and they were doing well. He wanted to find something he could give his wife as a small token of his gratitude for putting up with all the hard years.

He finally settled on a $10k necklace and during the checkout process his credit card declined. He seemed quite a bit embarrassed about it, but they both figured it was due to the amount and the fact that he was out of town. He stepped aside to call his card issuer, and several minutes later returned saying they had fixed the issue. He also explained that his card issuer had given him an approval code along with instruction on how to properly run the sale, so the terminal would prompt for the approve code he had obtained. Now the merchant was a taken a bit off guard by this and the man told the her that his issuer wouldn’t be able to identify the transaction unless they used the code she provided.

The merchant knew that she needed to swipe the sale in order to be protected from stolen cards. So when they were processing the sale she made sure that the card was swiped. Her terminal then spit out her normal receipts, which the man signed for and everyone parted ways happy.

Happy, until the merchant received the chargeback notice a few days later. Not just any chargeback, but one specifically for accepting a stolen card and using a fake approval code on a closed account. It turned out that the card the man used had been closed after it was stolen, which is why the card was declining in the first place. The man never called his credit card company, he had just faked a phone call, and then told the store owner how to process the card in such a way so the terminal wouldn’t contact the issuer for approval.

In the end she lost the chargeback, the money, and the necklace. We assisted her and the local police to get a criminal report made. Surprisingly the man was later caught in a different state and arrested. He had been using his real name and bragging on social media about how we went on vacation and basically stole from a bunch of businesses using the same tactic. Unfortunately, they never found the necklace.

For the card holder, the risks are smaller and generally more related to time and inconvenience. When you are the card holder, the industry rules are heavily weighted in your favor, but they still have their limits. There is a relatively small amount of true business to consumer fraud out there, however the main source of risk is stolen card information. While the card holder can dispute transaction, they have to notice them and dispute it within the time-frame of their card agreement. Generally, they get paid back, but it takes some amount of time and frustration on their part. If they don’t check their statements with any frequency, they can miss the window to dispute a transaction.

For the processor, its much the same as the business, just amplified. The processor is the second in line for liability. If a business cannot cover their chargebacks, it will fall on the processor, who will then place a negative balance against the merchant’s revenue. Meaning they will have try to collect from the merchant, either through holding their batches until they are paid back, or some type of legal action. Since the processor is exposed to thousands upon thousands daily, they must watch and verify that their portfolio of merchants isn’t taking on too much risk. This creates a problem however since it is impossible to take a detailed look at every transaction or batch nor do their customers want the processor investigating every little thing they do.

Stay tuned for part 2 of our Confessions of a Risk Analysis series.