What is the Visa Issuer Monitoring Program (VIMP)?
By default, merchants bear the financial liability for chargebacks. When a cardholder gets a charge reversed, the funds to make them whole again have to come from somewhere, and that somewhere is the merchant’s bank account. This can make it feel very frustrating when chargebacks seem to originate from cardholders who are reckless with their account security, or from issuing banks that don’t push back against the more dubious or outlandish claims of friendly fraudsters. Merchants are regularly monitored for fraud and excessive chargeback activity—it’s fair to ask, where is the oversight on the other end of the equation?
As of October 2019, Visa has expanded its scrutiny of issuing banks and their fraud rates. That means they’ll be taking a closer look at how many incidents of fraud and fraud-related chargebacks are coming from specific issuing banks, and enrolling banks that exceed their fraud threshold in the Visa Issuer Monitoring Program (VIMP) until they are able to reduce the number of fraudulent charges they’re authorizing.
This program is unlikely to impact merchants directly, but since issuers touch every transaction you process and are directly involved in initiating and adjudicating chargebacks, it’s worth taking the time to understand how this program works, what it is designed to achieve, and how it may affect the behavior of issuing banks going forward.
What Is the Visa Issuer Monitoring Program (VIMP)?
The VIMP has its origins in the Cross-Border Fraud Issuer Monitoring program it has already been running in the European market. VIMP will expand upon and replace this preexisting program, updating the protocols and making them applicable to issuing banks worldwide.
The ultimate objective of the VIMP is to reduce fraud across the board, not simply shifting liability (and with it, the obligation to shoulder the lion’s share of the security burdens) from one party to another. With monitoring programs already in place for merchants, the VIMP gives equal footing to the issuers’ responsibility to reduce fraud and protect consumers (and merchants!) from cybercriminals.
In specific terms, Visa is looking for problematic issuers to make better approval decisions, utilize fraud prevention tools, and verify transactions with 3-D Secure technology.
While the EU already has VIMP’s precursor in effect, it became applicable to the rest of the globe in October of this year, with the exception of Asia-Pacific markets, where the rollout has been postponed until April 2020.
Why am I in Visa's Monitoring Program?
Issuing banks with fraud rates within what Visa considers to be a “normal” range won’t get put in the VIMP. Per the Visa Core Rules, issuers will be required to participate in the VIMP if their instances of card-not-present fraud exceed the following thresholds, calculated on a monthly basis:
- $500,000 in fraudulent transactions and a 1% or greater ratio of fraud to sales
For issuers in the United States operating under 3-D Secure protocols, the thresholds are lower:
- $100,000 in fraudulent transactions and a 0.75% or greater ratio of fraud to sales
When an issuing bank hits the applicable threshold, Visa will send them a notification, kicking off a three month Notification Period. During this period, there are no penalties or other negative consequences, and the issuer is left to their own devices to figure out how to get their fraud problem under control. If they succeed in doing so and getting back under the allowable thresholds, they will be taken out of the VIMP.
Once the Notification Period is over, however, Visa starts taking matters much more seriously.
What are the Consequences of Non-Compliance with VIMP?
After an issuer’s time in the VIMP exceeds three months, Visa starts monitoring their card-not-present transaction activity more closely. If suspicious transactions are detected, Visa may step in and require the issuer to take steps to investigate and address them.
At this point, the issuer will also be required to submit to Visa an action plan for reducing their fraud levels. At twelve months, written performance assessments will be required, and issuers whose fraud rates are still excessive will be subject to additional penalties and remediation measures to be determined by Visa, which may include freezing the bank’s ability to issue new Visa payment cards.
If a bank that has been enrolled in the VIMP fails to comply with Visa’s requirements during this time period, they can get slapped with non-compliance fines that can run as high as $100,000.
After an issuer has succeeded in keeping their fraud activity below the thresholds for three consecutive months, they will be released from the program.
How will Visa Issuer Monitoring Program affect Chargebacks?
While chargeback activity is not directly implicated in the mandates of the VIMP, we believe that compliance efforts will necessarily have an impact on chargebacks. As things currently stand, banks are highly incentivized to give their customers what they want and refrain from pushing back too hard against unprovable claims of fraud. Many so-called “fraudulent” charges are actually entirely legitimate, and are disputed by cardholders out of impatience, confusion, or frustration with the merchant.
Passing these disputes along as fraudulent based entirely on the word of the cardholder will increase the issuer’s fraud rate and puts them at risk of placement in the VIMP. With the introduction of this program, there is a meaningful incentive for issuing banks to question and investigate fraud claims more thoroughly, which should reduce the amount of friendly fraud that merchants have to deal with.
We’re always pleased to see the big card networks issue a mandate that has the potential to yield benefits to merchants without imposing new obligations or requirements on them. While this program isn’t likely to change the behavior of fraudsters and unethical consumers anytime soon, we hope and expect that it will make some issuing banks more vigilant about rubber-stamping claims of fraud from consumers who are, intentionally or otherwise, engaging in harmful acts of friendly fraud.
The VIMP may also help to increase the adoption and use of 3-D Secure, which can greatly reduce actual fraud from stolen payment cards. Stopping ecommerce fraud requires a team effort from all stakeholders in the industry, but it’s always easier to pass off liability when you can. This monitoring program will help ensure that issuers do their due diligence and shoulder their fair share of the burden in keeping online marketplaces free from theft and deception.