Moral Hazard: How Payments Firms Are Addressing High-Risk Merchant Categories

September 6, 2022
After Visa is sued for allegedly turning a blind eye to videos of child sexual abuse, VIXIO takes a closer look at how payment companies can stay safe in high-risk merchant categories.

After Visa is sued for allegedly turning a blind eye to videos of child sexual abuse, VIXIO takes a closer look at how payment companies can stay safe in high-risk merchant categories.

In the case against Visa and MindGeek, the two companies are accused of monetising videos of child sexual abuse via Pornhub, a MindGeek-owned website that hosts user-generated pornography.

The two companies are also accused of monetising such material by processing payments to TrafficJunky, a MindGeek-owned advertising platform that serves Pornhub as a client.

Visa strongly denies the allegations and has emphasised that it does not have and never did have any involvement in MindGeek’s content moderation decisions.

“Visa condemns sex trafficking, sexual exploitation, and child sexual abuse,” Visa chairman and CEO Al Kelly said in a statement.

“We are vigilant in our efforts to deter this, and other illegal activity on our network.”

Visa also said it suspended its card network on all MindGeek websites that contain user-generated content in December 2020, and acceptance on those websites has not been reinstated, contrary to claims in the lawsuit.

In August, Visa also suspended TrafficJunky until further notice due to “new uncertainty” about its role in MindGeek’s operations.

“During this suspension, Visa cards will not be able to be used to purchase advertising on any sites including Pornhub or other MindGeek affiliated sites,” said Visa.

Mastercard has given a similar response. It suspended its services to Pornhub in December 2020 and at the beginning of this month it suspended services to TrafficJunky.

“New facts from [Visa’s] court ruling made us aware of advertising revenue outside of our view that appears to provide Pornhub with indirect funding,” Mastercard said in a statement.

Legal but unethical

Among payment companies, the Visa-MindGeek case is expected to re-ignite longstanding debates over the processing of payments in high-risk business sectors that are often adjacent to illegal activity.

Although Visa declined to comment any further on its due diligence practices or the ongoing case, Mastercard said that its first priority in high-risk business areas is upholding what it calls the “legality standard”.

“Put simply, we only permit lawful purchases of legal materials and content on our network,” Seth Eisen, senior vice president of communications at Mastercard, told VIXIO.

“These principles are so central to who we are and what we do that they are integrated into our Human Rights Statement.”

When it comes to activities that are permissible by law but potentially unethical, Mastercard said it respects the right of individuals to transact privately with others.

“We review proposals to limit acceptance of Mastercard products very carefully against our core commitment, which is to enable consumers and businesses to access their financial assets and engage in private commerce — expanding their liberty, connectivity and individual agency — consistent with the rule of law,” said Eisen.

“While we hold all stakeholders in our payments system to high standards, if illegal activity is identified, we work with partners to act.

“This approach respects the varying laws in each country or locality in which we do business, the privacy and independent judgement of account holders, and the role our company plays in the global economy.”

In setting its own rules and standards for limiting acceptance, Mastercard believes it can apply these consistently when it has the knowledge to do so.

However, Mastercard also recognises that other parties in the transaction chain have to make their own decisions in line with the risk they are willing to take.

Building guardrails through MATCH

To help inform the monitoring, evaluation and risk management process throughout its network, Mastercard has published the Member Alert To Control High-Risk Merchants list, also known as MATCH, since 1995.

“One financial institution could have dozens or hundreds of service providers across geographies and lines of business,” said Eisen.

“This is why we have instituted registration programs to help us — as well as the issuer and acquirer — understand who they are doing business with and the expectations of their activities.”

MATCH aims to help acquirers evaluate potentially high-risk merchants, or those who have had rules and standards violations in the past, before beginning any work with them.

However, even if a merchant is flagged by MATCH, an acquirer can still conduct business with them if they so choose.

“Both we and the acquirer can place a merchant on MATCH,” said Eisen. “When a merchant is placed on the list, it’s accompanied by topline information (including category codes) that allow an acquirer to better evaluate their potential risk.”

Although MATCH is overseen by Mastercard, Eisen said that all networks — including Visa and American Express — have “seen the value” of it and have made the independent determination to require that the list is reviewed before a merchant is registered in their systems.

Parallel risk management among acquirers

VIXIO spoke with one acquirer that uses both MATCH and Visa’s equivalent programme, the Visa Merchant Screening Service (VMSS), when assessing whether to accept business from new merchants.

The acquirer, who asked not to be named, said both these tools are then combined with in-house risk guidelines, some of which are standard and some of which are sector-specific.

Such guidelines may include only working with merchants that meet a certain revenue and/or business size threshold.

In sectors where licensing is required, such as gambling, the acquirer ensures that new merchants have obtained the correct licence for their jurisdiction, which will be validated by an out-of-house legal team.

The acquirer also employs a similar network of lawyers to interpret and issue judgements on new regulations in individual jurisdictions, creating what’s known as a “legal heat map”.

This allows the acquirer to continue to operate in jurisdictions where some gambling activities may be legal but may fall outside of the company’s risk parameters.

“Raffles, for example, are too high-risk for us to get involved in anywhere,” said the acquirer. “But sports betting, wagering and casinos are not, and the heat map enables us to take a commercial approach to those activities.”

The acquirer’s risk guidelines are updated at least annually in every sector, whereas high-risk sectors are updated more often, and the legal heat map is updated twice a year.

At the individual merchant level, the acquirer said it asks potentially high-risk merchants to enter a service agreement that allows it to review their business activities at least once a year.

The acquirer could not comment on other legal activities that it would not process payments for, except for those flagged due to anti-money laundering (AML) and counter-terrorism financing (CTF) concerns.

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

Opt in to hear about webinars, events, industry and product news

To find out more about Vixio, contact us today
No items found.