When it comes to owning a business, some merchants are victims of criminal fraud. This happens more often than people would like to admit, and those in larger payment environments can see a higher risk overall. The Visa Fraud Monitoring Program, also called VFMP, is an initiative from Visa. Its purpose is to help merchants manage the risk, and it is often utilized so Visa can keep track of merchants who are identified as risky.
There are many reasons Visa might identify a business as risky, but it is most often due to the products they sell, their individual risk profiles or the types of business models that they employ. Even though having to deal with the monitoring program can be frustrating, having more knowledge about the program and how it operates is essential and it may be something you need to navigate through.
A company can fail to bring their fraud rate under control, and after 12 months in either the Standard Level or Excessive Level, you become eligible for disqualification.
When Do People Qualify for VISA Fraud Monitoring?
There are three levels to the Visa Fraud Monitoring Program. The first level is warning, the second is standard and the third is excessive. Depending on your Visa fraud rate, you could be placed into any of these three levels, or none at all. The Visa fraud rate is based on the dollar value of transactions a business has lost to fraud in a calendar month. This is relative to the total transaction value from the same period.
The number determined using this formula is applied against a threshold of fraud determined by Visa. This threshold has been established by Visa and is used to signify when a company becomes subject to VFMP. In October 2019, Visa changed the threshold they use, so it is a good idea to check up on where you are in relation to the most recent standard.
What Are the VFMP Thresholds?
Before being officially placed in the program, you may end up in the VFMP Early Warning Level. This stage of the process notifies you that there is a need to investigate the causes of your rising fraud levels. Your acquirer is also notified. The monthly thresholds to be in the VFMP Early Warning Level is $50,000 and .65% of sales value.
If you reach a monthly threshold of $75,000 and .9% of sales value, you could hit the VFMP Standard Level. Once a business reaches this level, they're generally allowed a four-month workout period. Over the course of this time, you can try and bring your instances of fraud down. If a company is not able to do this, Visa will begin an eight-month enforcement period at the Standard Level.
For those who have breached the excessive Visa fraud threshold, another level of VFMP exists. This is called the Excessive Level. Merchants in high-risk category codes are placed in this level automatically, so it is essential to know if your business is in a high-risk merchant category code. The thresholds at this level are $250,000 and 1.8% of sales value. Categories that are included in this level include Visa MCC 5962, 5993, 5966, 5122, 7995, 5912, 5967 and others.
There are exceptions in the calculations that Visa uses, including that Visa does not count fraudulent transactions or chargebacks past the first ten instances per individual credit card number. If a fraudster uses one card to run over ten fraudulent attacks on your business in a given month, only 10 of these transactions will count towards your threshold. It is also vital to note that Visa excludes fraud type code 3 from the fraud-to-sales ratio.
What Are the Consequences of Being Placed in the Program?
There are consequences to being placed into the Visa Fraud Monitoring Program. While new fines are in place for the Standard Level, if you are a U.S. merchant, you also do not get access to the fraud liability protection from 3-D Secure. Visa will instead assign you liability for fraud-related disputes, as stated in reason code 10.5 under the Visa Claims Resolution. If fraud is deemed to be a persistent problem, when a customer alleges that criminal fraud was an issue for them, you may no longer get the benefit of the doubt.
Under the Excessive Level, merchants have a 12-month program where they can receive expensive noncompliance fees for each month of the breach that is outside the stated acceptable threshold. These fees can range from $10,000 up to $75,000, depending on the number of months in the program and other details.
Can a Merchant Get Out of the VFMP?
While a merchant can be removed from the Visa Fraud Monitoring Program to save on the costs of compliance and the stresses the program brings, there are steps to the process. Avoiding being placed into the VFMP can be highly beneficial, and reaching out to us is a great way to learn some strategies for avoiding it.
A business can exit the program after keeping its fraud rate below the acceptable threshold for three consecutive months. It is possible to breach the threshold again and need to start over after this occurs, however. Keep in mind that the Fraud Monitoring Program and the Chargeback Monitoring Program are independent of each other, and it is possible to be in both of them at the same time. Just because you have gotten out of one of them does not mean that you have gotten out of both.
What Should I Do?
There are consequences for failing to rectify the situation if you are placed into any VFMP program. This issue is one that needs to be taken seriously. A company can fail to bring their fraud rate under control, and after 12 months in either the Standard Level or Excessive Level, you become eligible for disqualification. Visa can block your business from accepting Visa payments altogether and permanently ban you from their network, which can drastically and negatively affect your business.
Jonathan Corona has 15 years of experience in the electronic payments industry. As MobiusPay’s EVP, Corona is primarily responsible for day-to-day operations as well as reviewing and advising merchants on a multitude of compliance standards set forth by the card associations. MobiusPay specializes in merchant accounts in the U.S., EU and Asia. Follow them @MobiusPay on Twitter, Facebook and IG.
