Payment providers—processors, acquirers, payment facilitators (PayFacs), and payment service providers (PSPs)—face some of the most demanding KYB requirements in any industry. They're the gateway through which businesses access the financial system, making them critical choke points for fraud, money laundering, and regulatory compliance.
This guide covers KYB requirements and best practices specific to the payments industry, from card network rules to anti-money laundering obligations.
Why Payments KYB Is High-Stakes
The Gateway Problem
Payment providers connect businesses to the card networks, banking system, and global payment infrastructure. Bad actors who can't open a bank account directly may try to access the financial system through a payment provider instead. This makes payment providers targets for:
- Transaction laundering: Processing payments for undisclosed businesses
- Merchant fraud: Fabricated businesses that process transactions then disappear
- Card fraud: Stolen card data monetized through fake merchants
- Prohibited products: Using legitimate-appearing merchants to sell illegal goods
Liability Cascade
When something goes wrong, payment providers face liability from multiple directions:
- Card networks: Fines for excessive chargebacks, fraud, or compliance failures
- Sponsor banks: Reputational and regulatory exposure
- Regulators: AML violations, consumer protection failures
- Merchants and cardholders: Disputes, refunds, legal action
Effective KYB is the first line of defense against all these risks.
Regulatory Intensity
Payment providers operate under multiple regulatory frameworks simultaneously:
- Card network rules (Visa, Mastercard, etc.)
- Bank Secrecy Act and AML requirements
- State money transmitter licensing (in the US)
- PCI DSS for payment card data
- Consumer protection regulations
Regulatory Requirements
Card Network Rules
Visa, Mastercard, and other networks mandate merchant due diligence. Requirements include:
Merchant Identification
- Legal business name and DBA
- Business address (registered and physical)
- Principal owner information
- Business type and Merchant Category Code (MCC)
Risk Monitoring
- Chargeback rate monitoring (typically <1% threshold)
- Fraud rate tracking
- Transaction monitoring for anomalies
- Prohibited merchant category screening
Registration Programs
- High-risk merchants require registration with networks
- Terminated merchant files (MATCH/TMF) screening
- Payment facilitator registration
Violations can result in fines—ranging from thousands to millions of dollars—and ultimately termination from the network.
AML and BSA Requirements
Payment providers with banking relationships have Customer Due Diligence (CDD) obligations:
Payment facilitators inherit these obligations for their sub-merchants. The sponsor bank is ultimately responsible, which is why sponsor banks scrutinize PayFac compliance programs.
State Money Transmitter Requirements
In the US, money transmission licensing varies by state but often includes:
- Background checks on principals
- Minimum net worth requirements
- Compliance program requirements
- Regular examination and reporting
Some states have specific merchant due diligence requirements within licensing frameworks.
The Payment Provider KYB Process
Stage 1: Application and Data Collection
Collect comprehensive merchant information at onboarding:
Business Information
- Legal name and trade name/DBA
- Business address (legal and physical location)
- EIN or SSN (for sole proprietors)
- State of incorporation and registration number
- Years in business
- Industry/MCC code
- Website URL
- Business description and product/service information
Ownership Information
- Names and contact information for all owners 25%+
- Ownership percentages
- Controller/authorized signer information
- Corporate structure details for complex entities
Processing Information
- Expected monthly volume
- Average ticket size
- Highest ticket amount
- Card-present vs. card-not-present ratio
- Refund/return policy
Stage 2: Entity Verification
Verify the merchant is a legitimate business:
Secretary of State Verification
- Entity exists and is in good standing
- Legal name matches application
- Entity type and formation date confirmed
- Registered agent current
Entity Resolution
- Match application data to authoritative records
- Resolve trade name to legal entity
- Connect multiple data sources to build confidence
Operating Verification
- Physical address verification (not just mailbox or formation agent)
- Web presence verification (website matches claimed business)
- Business license verification where applicable
Stage 3: Beneficial Owner Verification
Identify and verify individuals who own or control the merchant:
Identification
- All individuals with 25%+ ownership interest
- Anyone with significant control (CEO, CFO, managing member)
- Trace through ownership layers to natural persons
Verification
- Government ID verification
- Address verification
- Match to application-provided information
Red Flag Detection
Stage 4: Risk Assessment and Screening
Evaluate merchant risk profile:
Screening
- MATCH/TMF (terminated merchant files)
- OFAC sanctions and SDN list
- Industry and government watchlists
- Adverse media for business and principals
Risk Scoring
Consider factors including:
- Industry risk (MCC-based)
- Geographic risk (high-risk countries)
- Business model risk (subscription, CNP, high-ticket)
- Time in business
- Ownership complexity
- Online vs. brick-and-mortar
MCC and Prohibited Merchant Screening
- Verify business type matches claimed MCC
- Screen for prohibited merchant categories
- Flag high-risk MCCs for enhanced review
Stage 5: Underwriting Decision
Based on verification and risk assessment:
Approve
- Entity verified, owners verified, screening clear
- Risk within acceptable parameters
- Appropriate processing limits set
Decline
- Cannot verify entity or owners
- MATCH/TMF hit
- Prohibited merchant category
- Sanctions or screening hit
- Unacceptable risk profile
Conditional Approval
- Approved with reserves
- Lower initial limits (graduated over time)
- Additional monitoring requirements
- Rolling reserve or holdback
Stage 6: Ongoing Monitoring
Merchant risk doesn't end at onboarding:
Transaction Monitoring
- Chargeback rate tracking
- Fraud rate monitoring
- Volume and velocity anomalies
- Ticket size outliers
Periodic Re-Verification
- Annual entity status check
- Ownership update requests
- Re-screening against updated watchlists
Event-Driven Review
- Chargeback threshold breach
- Fraud spike
- Customer complaints
- Adverse media alert
- Significant volume change
High-Risk Merchant Considerations
Certain merchant categories require Enhanced Due Diligence (EDD):
High-Risk MCCs
Industries with elevated risk include:
- Online gambling and gaming
- Adult content
- Nutraceuticals and supplements
- Travel and timeshares
- Debt collection
- Telemarketing
- Cryptocurrency
- Firearms and ammunition
EDD for High-Risk Merchants
- Deeper verification: Additional documentation, site visits, financial statements
- Ownership clarity: Full beneficial ownership chain to natural persons
- Business model review: Understand exactly how the business operates
- Source of funds: Where does the business capital come from?
- Reference checks: Bank references, processing history
- Senior approval: Management sign-off on high-risk accounts
Reserves and Controls
High-risk merchants may require:
- Rolling reserves (5-10% of processing volume held)
- Volume caps until track record established
- Delayed funding windows
- More frequent monitoring and review
Transaction Laundering Detection
Transaction laundering—processing transactions for undisclosed third-party businesses—is a critical risk for payment providers.
Red Flags
- Website content doesn't match MCC or business description
- Multiple unrelated products or services
- Traffic sources don't match claimed business
- Transaction patterns inconsistent with business type
- Customer service issues (wrong business name, unfamiliar charges)
Prevention
- Website verification: Confirm website matches claimed business, not a front
- Aggregation detection: Watch for patterns suggesting multiple businesses
- Descriptor monitoring: Ensure billing descriptors match actual merchant
- Customer complaint analysis: Track confusion about unfamiliar charges
Operational Efficiency
Balancing Speed and Rigor
Payment providers face competitive pressure to onboard merchants quickly, but cutting corners creates risk. Optimize for efficiency without sacrificing quality:
Auto-Approval for Low-Risk
- Pre-defined criteria for straight-through processing
- Clear auto-decline rules for obvious rejections
- Reserve manual review for genuinely ambiguous cases
Smart Data Collection
- Progressive profiling (collect more data as risk increases)
- Prefill from trusted data sources
- Adaptive questioning based on business type
Efficient Manual Review
- Prioritized queues (high-value merchants, oldest applications)
- Clear decision frameworks for reviewers
- Templates for common scenarios
Ongoing Monitoring at Scale
- Risk-based monitoring intensity: Higher-risk merchants get more scrutiny
- Automated alerting: Systems flag anomalies for human review
- Batch re-screening: Periodic watchlist screening of entire portfolio
- Portfolio-level analytics: Identify systemic risks across merchant base
