Effective 2023, Mastercard introduced a risk-based license fee in Europe, aimed at reducing the cost and impact of fraud prevention, dispute management, and rule violations. This blog examines the new fee structure and how acquirers can minimize the time and cost of compliance.
Originally announced in March 2022, Mastercard clarified the details of its revised risk-based recurring license fee in “Bulletin AN 6184: Revised Franchise Fees in Select Countries in the Europe Region”.
Mastercard acquirers and issuers continue to pay recurring franchise license fees. Mastercard has simply added a performance element to the calculation of the fee. If participants trigger certain thresholds, this in turn triggers a fee increase of between 40% and 100% per licensee.
Mastercard compliance programs
Mastercard operates several compliance programs created to protect its brand integrity and ensure data accuracy across its network. Two key programs that impact acquirers license fees are the Business Risk Assessment and Mitigation (BRAM) program and the Data Integrity Monitoring Program (DIMP).
BRAM
- Merchants operating under certain high-risk merchant category codes (MCC) are considered high-risk merchants. Acquirees must be registered in the BRAM program before onboarding them. When Mastercard receives a referral that its network may be used to facilitate illegal or brand-damaging activity, it triggers an investigation. A minimum of two confirmed violations typically results in an increase in the license fee.
DIMP:
- DIMP ensures that merchant data flowing through Mastercard networks is accurate and complete. It helps cardholders recognize transactions on their statements and allows issuers to make informed, risk-based decisions.
What is a BIN attack?
A BIN attack is a type of brute-force attack, whereby a fraudster takes the first six digits of a card number (the Bank Identification Number or BIN) and uses software to generate the remaining account number, expiry date, and 3-digit security code. These combinations are then tested to verify that the details are accurate, still active, and not susceptible to fraudulent use. This is usually done by making small purchases on e-commerce websites.
In the context of BIN attacks, Safety Net is a Mastercard product that alerts acquirers when Mastercard suspects a BIN attack is underway. When an acquirer causes at least six Safety Net alerts in a given month during any three months of the past year, the BIN attack criteria are triggered.
Timeframes for Mastercard’s risk-based license fee
The performance criteria are determined annually in January based on data from the previous calendar year (1 January to 31 December).
The changes to the calculation of the Mastercard risk-based recurring license fee took effect on January 1, 2023, with the first billing of the new fee occurring on February 26, 2023. This covers the period from February 2023 to January 2024.
Worked example
Acquirers that violate one or more of the performance criteria listed above will pay an increased fee, capped at 100% of their existing recurring license fee, during the following year.
Acquirers whose performance improves the following year, such that none of the performance criteria listed above is violated, would pay the current standard recurring license fee for the year.
Here is a worked example for the calculation of the Mastercard risk-based recurring license fee:
In the calendar year 2022, an acquirer had a ratio of arbitrations to second presentments of 40%, compared to the European average of 32%. They also caused six Safety Net alerts per month in February, April, and December.
As explained earlier, repeated Safety Net alerts are Mastercard’s signal of potential BIN attack, one of the triggers for an increased fee.
This acquirer triggers the threshold for a low-dispute-quality acquirer, which incurs a 40% fee increase. They also trigger the threshold for a BIN attack acquirer, which incurs an 80% fee increase.
Although this equates to a 120% fee increase (40% + 80%), fee increases are capped at 100% of the existing recurring license fee. So, in this example, the acquirer would pay an additional 100% of their existing recurring license fee – in other words, double the standard current recurring license fee.
How G2 Risk Solutions can help
Acquirers that manage risk effectively are more likely to remain within acceptable thresholds and avoid Mastercard fees.
G2RS merchant risk solutions enable acquirers and payment service providers to make quick and effective onboarding and monitoring decisions via a single, automated platform and integration. Our Global Onboarding (GO) and Persistent Merchant Monitoring (PMM) solutions are among the most comprehensive in the market. They eliminate the need for multiple systems, parallel processes, or unnecessary manual reviews, saving you time, cost, and resources.
Contact us today to learn more about how G2 Risk Solutions can support your compliance and risk management needs.