1. Field of the Invention
The invention relates to a method and system for identifying merchant risk, such as credit risk and/or fraud risk, using an automated, multi-tiered process.
2. Background Art
The use of data cards, such as credit cards, debit cards and other financial account cards, has gained widespread acceptance as a method of paying for goods and services. With the growth of electronic commerce, particularly Internet sales, transactions paid by credit cards will represent an increasingly greater percent of total sales. Credit card transactions, however, expand transaction risk beyond a cardholder and merchant, to include a card issuer (representing the cardholder) and a transaction processor (representing the merchant).
Transaction processors provide merchants with data processing services that facilitate the flow of credit card transaction data and corresponding payments of monies between merchants and card issuers. The flow of transaction data from a merchant to a card issuer via a transaction processor is commonly referred to as “processing” or “clearing” the transactions. The flow of money from a card issuer to a merchant via a transaction processor is known as “settlement”. The term “transaction processor”, as used herein, generally means a third-party institution that processes credit card transactions independently of a card issuer, but may also include a card issuer or a card issuing association that processes credit card transactions.
In a “point of sale” credit card transaction, a cardholder presents a credit card to a merchant, who records transaction data by using either an electronic terminal or a manually imprinted sales draft. The recorded data includes the amount of the purchase, the cardholder's account number, the card's expiration date, the merchant identification number, and the date of the transaction. In most cases, the cardholder is also required to sign a copy of the receipt. Credit card transactions can also take place in the absence of merchant and cardholder physical proximity or the presentations of a credit card, such as transactions that occur through the mail, telephone or the Internet. These types of transactions pose increased fraud and credit risk as they may involve uncertainty relating to the merchant, cardholder and the product or services purchased; a time lag between purchase and delivery; and lack of physical evidence of cardholder authorization.
Typically at the end of each day (although it can be more or less frequently), the merchant determines the total dollar volume of the credit card transactions completed and prepares a deposit slip indicating that amount. All of the transaction data is then transferred to the merchant's transaction processor and entered into the transaction processor's computer. This transfer may be electronic, in which case a data capture terminal transfers the data directly to the processor's computer. Alternatively, the transfer may involve the deposit of imprinted paper sales drafts and subsequent entry of the data into the computers by the transaction processor.
Once the transaction processor receives the data, the amount of the merchant's “deposit” is verified and recorded. At that point, the transactions are separated according to the type of credit card used to complete the transaction. The transaction processor then transfers the corresponding transaction data to the appropriate credit card issuer or card issuing association. The card issuer posts the individual transactions to the appropriate cardholder's account. The card issuer then provides payment to the transaction processor for the transaction, and bills the cardholder via a credit card statement.
In most cases, settlement occurs very soon after the data is cleared. For example, after a transaction processor receives a merchant's daily transaction data, the balance due the merchant is calculated and paid to the merchant via check, direct deposit, or wire transfer. The transaction processor sorts the transaction data from all of its client merchants according to the type of card used and forwards that data to the appropriate card issuer. The card issuer or card association then determines the balance due and transfers that amount to the transaction processor.
Credit card transactions pose risk to the card issuer and merchant in terms of the creditworthiness and integrity of the cardholder, and the risk that the cardholder does not have the authorization to use the credit card. Over the years, card issuers and merchants have relied on several different methods to protect themselves from fraud or misuse and to verify the validity of a credit card before completing a transaction. Initially, card issuers provided “warning bulletins” to merchants. Warning bulletins, which are still in widespread use, are booklets that list account numbers of credit cards that should no longer be accepted for various reasons. For example, an account number may be included in such a bulletin if the corresponding credit card has been reported lost or stolen, if the cardholder has exceeded his or her credit limit or has become delinquent in the payments to the card issuer, if the credit card was mistakenly issued, or if the credit card is invalid outside the country of origin.
More recently, card issuers and card issuing associations have provided real-time access to their computerized databases. This has allowed merchants to request telephonic authorization for transactions based on a search of a continually updated database before completing each transaction. For a typical transaction authorization, the merchant obtains an authorization code from an authorization source or institution, often via telephone.
For most credit card transactions, the cardholder's risk is minimal due to regulations that apply to card issuers and merchants and that serve to protect consumers. Such regulations, for example, may protect the cardholder from risk by allowing transactions to be “charged back” if they are not authorized by the cardholder, or if the product or service is not provided in accordance with the sales terms. Typically, the cardholder has up to six months from the transaction date to chargeback a transaction. The chargeback process involves notifying the card issuer of a claim about the transaction or a dispute with the merchant. The card issuer may request evidence from the merchant that the transaction was authorized by the cardholder, or that the products or services were delivered as sold. The card issuer then submits this request through the transaction processor to the merchant, and a response from the merchant is required within a specified period of time. If the merchant is unable to successfully defend a chargeback, the transaction is reversed and a debit is passed to the merchant through the processor.
The transaction processor's risk can be considerable due to its role in the credit card transaction, the long lead-time between a transaction date and a chargeback, and the uncertainties surrounding the elements of the credit card transaction (e.g., product or service purchased, merchant and cardholder). The transaction processor assumes ownership of the transaction and is at risk for the full amount. Thus, if the cardholder successfully disputes the transaction, and the merchant's funds are unavailable to fund the chargeback, a credit to the cardholder or the card issuer must be funded by the transaction processor. Unless the processor has set up a reserve amount from the merchant's previous processing funds, the unfunded chargebacks will become a loss for the transaction processor.
There are various scenarios that can result in chargebacks. Examples of such scenarios include products or services not delivered due to operating, cashflow, or other business problems of the merchant; products or services not provided as agreed due to poor merchant business practices; merchant fraud whereby transactions are initiated without the authorization of a cardholder; cardholder fraud whereby legitimate transactions are disputed in an attempt to avoid payment; and third party fraud whereby lost or stolen credit cards or associated account numbers are used. In addition, poor operational practices and record keeping on the part of a merchant may lead to the merchant's inability to defend chargebacks.
Failure to obtain authorization on transactions may also expose a merchant to chargeback risk. Furthermore, merchants who violate regulations of card issuers or card issuing associations may fall victim to scams initiated by other merchants. An example is “factoring” or allowing other merchants to process transactions through the merchant's terminals. The merchant whose account is being used for processing is responsible for any chargebacks that arise from these transactions.
Most merchants who accept credit cards incur some level of chargebacks in the normal course of business. As long as the merchant funds the chargebacks, there will be no loss to the transaction processor. Chargebacks result in a loss to the transaction processor when the merchant can not fund such chargebacks. Thus, in an effort to mitigate risk of loss, the transaction processor may monitor merchant processing trends, which may be indicative of a business problem or change, the merchant's ability to deliver goods and services as agreed and the merchant's viability and financial position to fund chargebacks.
The risk of losses borne by the transaction processor can be considerable and can rapidly escalate if a problem merchant remains undetected. If a merchant is selling products or services that he does not intend to or cannot deliver, or that are not as agreed, such transactions will eventually become chargebacks. However, it is difficult for the transaction processor to determine which sales will charge back at the time the sales are made. Because there may be a time lag of at least a few months before chargebacks begin to appear, the transaction processor must rely on other signs to detect merchant risk and the potential for loss before it is too late. At the same time, however, there may be a large number of good merchant accounts that can exhibit processing behavior similar to that of bad accounts. For example, a sales surge or increase in average transaction amount may reflect a positive business change for a good merchant (such as expansion into a new line of business or additional outlets) or a negative business change for a bad merchant (such as a going out of business sale or fraud). The risk management challenge is to be able to quickly identify risky merchant behavior and to distinguish this behavior between good and bad accounts.
Merchant risk for a particular merchant is a function of the merchant's industry, credit card processing volumes, business practices, financial strength, viability and payment trends in the industry, as well as the extent to which there is delivery of a product or service. These elements can be used to estimate the level of merchant risk and to monitor for potential chargebacks. Changes in processing volumes and trends, negative card authorization results, changes in average transaction amounts and increasing sales returns may also represent signs of potential risk. In addition, there are external signs that are available through credit vendors that indicate a merchant's payment experience with its suppliers as well as outstanding legal actions. Transaction processors may also conduct investigations on merchants that may include obtaining bank references, supplier references and cardholder contacts; reviewing financial statements; and visiting merchants.
One method currently used by transaction processors to detect risky merchant behavior involves reviewing daily hard copy mainframe reports, which identify merchants whose prior day's processing activity has met predefined criteria. For example, a hard copy report may list all merchants whose processing volume or average sales ticket amount exceeded expected levels. After the hardcopy reports have been reviewed, a subset of merchants may be selected for further review.
Under this approach, there may be considerable “noise” or “false positives”, as both good and bad accounts may meet the pre-defined criteria of a particular report. Furthermore, the reports include only limited data on merchants related to the underlying report criteria, and fail to provide a comprehensive snapshot of each merchant's processing profile. In addition, there is no efficient way to cross-reference various reports, or to determine if a particular merchant appeared on a previous report. Given the volume of merchants in a transaction processor's portfolio and the various criteria that need to be monitored, this approach is both labor intensive and inefficient. Furthermore, because of the lag time for identifying problem merchants, the time available to mitigate risk is diminished.
Once the subset of potential problem merchants has been selected, an analyst must typically go to various sources to piece together a processing and external behavior profile for each merchant. The analyst may spend a considerable amount of time gathering additional information on the merchant and conducting further investigation steps. Any recommended mitigative action also typically needs to be documented in a file and presented to higher authority levels for concurrence. This entire review process may further delay action necessary to mitigate risk.
Another conventional technique is known as parameter analysis. A parameter analysis detection scheme targets certain merchants using a small number of database fields combined in a simple Boolean condition or equation. An example of such an equation is:If (number of transactions in 24 hours>X) and (more than Y dollars authorized) then flag this account as high risk.Values for X and Y may be selected so as to satisfy either a required detection rate or a required false positive rate. Since only single-variable threshold comparisons are used, complex interactions among variables are not captured. Consequently, this technique may discriminate poorly between risky and valid account behavior, resulting in low capture rates and high false positive rates. Additionally, an effective risk detection model generally requires more variables than conventional parameter analysis systems can handle. This approach also requires additional investigation and analyst review before a decision can be reached as to whether any action should be taken to mitigate risk.