Merchant risk is becoming harder to assess because the riskiest part of a business is often not how the business presents itself, but what it actually does.
A merchant application may look like an ordinary retailer, marketing agency, supplement brand, or trading education platform. The real risk only surfaces when compliance teams look more closely at what is being sold, where it is being sold, how the merchant describes its services, and whether the business model matches its claims.
Unauthorized e-cigarette sales, ingestible cannabidiol (CBD), click farms, and proprietary trading models may appear to sit in very different categories. But they all create risk when business practices are unclear, incomplete, misrepresented, or judged only by surface-level categories.
For underwriting, compliance, and merchant monitoring teams, the takeaway is straightforward: category labels are not enough. The more important question is whether the merchant’s actual activity matches the activity payment providers believe they are supporting.

1. E-cigarettes: when product details determine the risk
E-cigarette merchants continue to present a complicated risk profile because the issue is rarely whether a merchant sells vapes at all. The more important question is what types of products are being sold, whether they are authorized, and whether they comply with the rules in each market where they are offered.
In the United States, for example, e-cigarette products must receive FDA authorization before they can be lawfully marketed, and the FDA lists only a limited set of authorized products.
Recent letters from attorneys general in dozens of U.S. states to card networks and payment providers reflect a growing regulatory consensus that the payments ecosystem plays a critical role in preventing and disrupting unlawful e-cigarette sales.
A merchant may sell a mix of authorized and unauthorized products, disposable and non-disposable devices, flavored and non-flavored products, or products that are permitted in one jurisdiction but restricted in another. That makes product-level review essential. The merchant category code (MCC) may not reveal whether the merchant’s actual inventory aligns with applicable rules and program requirements.
Underwriting best practices for e-cigarette merchants
- Verify inventory: Confirm product-level details, including brand names, device types, flavors, nicotine content, and authorization status.
- Check market fit: Confirm whether products are permitted in each target market and whether the merchant applies appropriate geographic restrictions.
- Review sales signals: Examine website claims, shipping policies, age verification, and recurring changes to stock keeping units for signs of unauthorized or restricted products.
- Go beyond codes: Do not rely on the MCC alone; compare the declared business model with the actual products offered for sale.
- Monitor beyond onboarding: Use inventory review, transaction monitoring, invoice review, SKU-level reporting, and mystery shopping where risk warrants closer oversight.
2. Cannabidiol: when form and geography change the answer
The same need for product-level context applies to cannabidiol (CBD). CBD remains a category where risk can change significantly depending on product form, claims, and geography.
In Europe, ingestible CBD products continue to receive particular attention because CBD has long been treated as a novel food under European Union (EU) law. Recent enforcement attention in France on foods and supplements containing CBD shows why product form and geography matter.
For payment providers, the lesson is that a broad CBD category may be too blunt. A topical product, ingestible product, vape, or cosmetic may each raise different questions. More granular controls can help teams identify merchants that may require closer review, enhanced documentation, or region-specific restrictions.
Underwriting best practices for CBD merchants
- Classify the form: Identify the exact CBD product form, such as food supplement, conventional food, vape, cosmetic, or pet product.
- Prioritize ingestible products and labeling: Pay particular attention to foods, supplements, and other ingestible forms, as well packaging and marketing that prominently feature CBD, hemp-derived cannabinoids, or related cannabinoid content.
- Review claims: Check product descriptions, packaging, labels, and marketing claims for therapeutic or disease-treatment language.
- Map jurisdictions: Confirm whether the merchant sells into jurisdictions where the product form, cannabinoid content, or claims may trigger restrictions.
- Request documentation: Require evidence for sourcing, ingredient composition, testing, and legal review where product form or geography increases risk.
3. Click farms: when “marketing services” become deceptive influence
Where CBD risk often turns on what is inside the product, click farm risk turns on what the service actually delivers.
Click farms artificially generate or inflate digital engagement metrics such as followers, likes, views, reviews, ratings, ad clicks, app installs, website traffic, or search rankings. Many of these merchants do not describe themselves as click farms. Instead, they may present themselves as digital marketing agencies, audience growth services, engagement providers, traffic generation platforms, or influencer growth tools.
The risk is often one of misrepresentation. A merchant may appear to offer legitimate marketing support while selling services that generate fake influence, manipulate reviews, or violate platform rules.
In the U.S., the FTC’s Consumer Review Rule makes this especially relevant for services involving fake reviews or fake indicators of social media influence, including followers, likes, views, subscribers, and shares.
Relevant risk indicators include the sale of followers, likes, views, reviews, or ratings; claims of “instant,” “guaranteed,” or automated growth; social media boosting services; and social media marketing panels. These businesses can also create elevated chargeback and complaint exposure when purchased engagement is removed, fails to deliver promised results, or does not match customer expectations.
Underwriting best practices to catch click farms
- Inspect the offer: Review the merchant’s service menu for followers, likes, views, reviews, ratings, ad clicks, app installs, traffic, or search-ranking manipulation.
- Flag growth promises: Treat claims such as “instant,” “guaranteed,” “automated,” or “real-looking” growth as indicators for closer review.
- Check delivery methods: Confirm whether the merchant discloses how engagement is generated and whether the model violates third-party platform rules.
- Look for concealment signals: Watch for vague marketing language, multiple domains, related merchant accounts, or undisclosed service offerings that obscure the true nature of the service.
- Monitor outcomes: Watch for customer complaints, refund patterns, and chargebacks linked to non-delivery, removed engagement, or misleading results.
4. Proprietary trading: when the business model tells a different story
The same underwriting challenge appears again in proprietary trading, where the label can obscure the business model.
Proprietary trading generally refers to a firm trading financial instruments for its own account and risk, using its own capital rather than acting on behalf of clients. In practice, payment providers may encounter merchants that use “proprietary trading” language while operating client-facing models involving fees, trading challenges, simulated accounts, funded-trader programs, profit-sharing arrangements, or access to trading platforms.
The distinction matters because a genuine proprietary trading firm may not maintain a customer-facing business model. A merchant that onboards external participants, charges subscription or evaluation fees, provides trading infrastructure, advertises payouts, or facilitates trading activity may raise questions about whether it is providing regulated financial services.
Payment providers should look closely at how these merchants make money, who participates, whether real market execution occurs, how payouts are disclosed, and whether licensing or authorization is required.
Underwriting best practices to identify prop trading
- Validate the model: Determine whether the firm trades only its own capital or charges external participants for evaluations, subscriptions, training, platforms, or funded-trader programs.
- Review money flows: Examine the revenue model, payout structure, trading environment, and whether trades are simulated or executed in live markets.
- Confirm licensing status: Check whether the merchant is licensed as a securities broker, investment firm, financial institution, crypto-asset service provider, or equivalent in relevant jurisdictions.
- Scrutinize claims: Check marketing claims for income promises, guaranteed payouts, unrealistic performance claims, or unclear disclosure of participant risk.
The bigger picture: category labels are not enough
These risk areas operate in very different markets, but they point to the same broader challenge: merchant risk increasingly depends on context. The issue is not only what category a merchant appears to belong to. It is whether the merchant’s products, claims, authorizations, jurisdictions, and business model align with what payment providers believe they are supporting.

That is why effective merchant risk management requires more than one-time underwriting. It requires category expertise, jurisdiction-specific controls, product-level review, ongoing monitoring, and the ability to detect when a merchant’s activity or risk profile has shifted.
As regulations evolve and fraud patterns move quickly, payment providers need controls that are as dynamic as the risks they are designed to manage. G2 Risk Solutions delivers expertise and technical infrastructure that supports you with this.