Portfolio Monitoring
Before implementing portfolio monitoring, understand:
- Issuer perspective on fraud
- Network programs (TC40/SAFE reports)
- Fraud metrics and measurement
- Chargeback metrics for comparison
- Issuers monitor fraud patterns across their entire card portfolio, not just individual transactions
- They can identify compromised merchants by spotting clusters of fraud from cards used at the same location
- Bust-out fraud (building credit then disappearing) is detected through cross-account behavior analysis
- Early warning systems flag accounts showing signs of financial stress before default
- TC40/SAFE fraud reports from issuers affect merchant reputation even without chargebacks
While merchants focus on their own transactions, issuers have a wider view. They see every transaction across millions of cards, which lets them identify fraud patterns that no single merchant could detect.
The Portfolio View
An issuer with 10 million cardholders processes hundreds of millions of transactions per month. This scale reveals patterns invisible at the individual transaction level:
Common Point of Purchase (CPP): When multiple cardholders start experiencing fraud around the same time, issuers look for what they have in common. If 50 different cardholders all shopped at the same gas station last week and now all report fraud, that gas station likely had a skimmer installed.
Velocity across portfolio: An individual merchant might not notice 100 small transactions from different cards. An issuer sees that all 100 cards were compromised in the same breach and are being tested simultaneously.
Geographic clusters: Fraud often clusters geographically when a local ring is operating. Issuers can identify these clusters and flag transactions from the area.
Merchant Risk Profiling
Issuers build risk profiles for every merchant their cardholders transact with:
| Factor | What They Track |
|---|---|
| Fraud rate | Percentage of transactions that become fraud claims |
| Chargeback rate | Dispute frequency across all cards |
| TC40/SAFE volume | Fraud reports even without chargebacks |
| Average ticket | Changes might indicate new fraud patterns |
| Velocity patterns | Unusual spikes in transaction volume |
When a merchant's profile deteriorates, issuers respond by declining more transactions from that merchant. This happens automatically through their models. There's no human in the loop deciding to block your transactions.
If you've noticed authorization rates dropping without an obvious cause, elevated fraud or chargebacks from months ago might still be affecting your issuer reputation.
Bust-Out Fraud Detection
Bust-out fraud is a specific pattern where someone builds a credit relationship with no intention of paying:
- Setup: Fraudster opens an account with real or synthetic identity
- Seasoning: Makes regular purchases and payments for months, building credit
- Credit expansion: Requests and receives credit limit increases
- Bust-out: Maxes out all available credit across multiple accounts
- Disappearance: Abandons the debt entirely
This is particularly insidious because the account looks legitimate during the seasoning phase. Issuers use portfolio-level signals to detect it:
Cross-account patterns:
- Same identity appearing across multiple issuers
- Accounts linked by shared attributes (phone, address, device)
- Coordinated credit limit increases across accounts
Behavioral anomalies:
- Sudden shift from payment to max utilization
- Dramatic change in merchant categories
- Cash advance spikes
- Purchases inconsistent with stated income
Network signals:
- Identity elements appearing in known bust-out clusters
- Velocity of new account openings
- Credit bureau inquiry patterns
Early Warning Services and similar systems aggregate data across financial institutions to identify these patterns before the bust-out occurs.
First-Party vs. Third-Party Fraud
Issuers must distinguish between different fraud types because the response differs:
Third-party fraud (true fraud): Someone else used the card without authorization. The cardholder is a victim. Issuer should block the card, issue a new one, and refund the charges.
First-party fraud (friendly fraud): The cardholder or someone they authorized made the purchase but is claiming fraud. This could be intentional abuse or genuine confusion about a charge.
The challenge: At the point of claim, these look identical. The cardholder says "I didn't make this purchase." Issuers use patterns to determine which is more likely:
- Does this cardholder have a history of fraud claims?
- Does the transaction match the cardholder's typical behavior?
- Is the merchant known for transaction confusion (unclear descriptors)?
- Is the cardholder's device/IP consistent with the transaction?
Many issuers don't invest heavily in distinguishing these because the cost of investigation exceeds the cost of just refunding. This is why friendly fraud can be so persistent.
TC40 and SAFE Reporting
When a cardholder reports fraud, the issuer files a report with the card network regardless of whether they pursue a chargeback:
- Visa: TC40 reports (Risk Identification Service)
- Mastercard: SAFE reports (System to Avoid Fraud Effectively)
These reports include:
- Merchant information (name, MCC, location)
- Transaction details (amount, date, time)
- Cardholder claim information
Key point for merchants: TC40/SAFE reports affect your fraud-to-sales ratio even when there's no chargeback. Under VAMP, these reports count in the numerator alongside disputes.
Not every TC40 becomes a chargeback. Many issuers simply absorb very small-dollar fraud (for example, single-digit transactions) rather than incurring the cost of filing and processing a chargeback. Those cases still generate TC40/SAFE reports even though you never see a dispute.
This creates a gap: you can have fraud damaging your issuer reputation and network ratios without any chargebacks hitting your account.
Early Warning Signals
Issuers monitor accounts for signs of future problems:
| Signal | What It Indicates |
|---|---|
| Minimum payments only | Financial stress |
| Utilization creeping up | Approaching limits |
| Cash advance usage | Liquidity problems |
| Payment timing changes | Income instability |
| Multiple new credit inquiries | Shopping for credit (potential bust-out) |
| Address changes | Flight risk |
These signals don't necessarily indicate fraud, but they correlate with default risk. Issuers might respond by declining credit increases, reducing limits, or flagging accounts for closer monitoring.
Implications for Merchants
Understanding portfolio monitoring helps you:
Explain mysterious declines: If your authorization rates drop, it might not be anything you did recently. Fraud from months ago can still affect your issuer reputation.
Request your TC40 data: Ask your acquirer for TC40/SAFE reports. Many now provide this data given VAMP's importance. It shows fraud claims you might not know about.
Recognize pattern attacks: If you're targeted by a fraud ring, issuers will see the pattern across their portfolio. They may start declining transactions from your merchant ID as a protective measure.
Time your responses: When fraud spikes, issuer models update. Cleaning up your fraud problem is only half the battle. You need time for issuer models to recognize improvement.
See Also
- The Issuer Perspective - How issuers think about fraud
- Dispute Monitoring Programs - VAMP, ECP, and network thresholds
- Network Programs - Fraud and chargeback thresholds
- Chargeback Metrics - Tracking your ratios
- Fraud Metrics - Fraud rate measurement
- Risk Scoring - Building your own fraud models
- Velocity Rules - Detecting bust-out patterns
- Bust-Out Fraud - The bust-out lifecycle
- Fake Identity Fraud - Fabricated identities in portfolios
- Authorization Decisioning - Real-time auth decisions
- First-Party Fraud - Customer abuse patterns