High-Risk Merchant Policy: How to Review the Transaction, Not Just the Industry
Merchant risk reviews that start and end with an industry code miss the actual risk. Here's the transaction-level framework that tells you whether a high-risk merchant is manageable — and what you need to document before approving or denying.
TL;DR
- Industry codes are the beginning of a high-risk merchant review, not the end — the relevant question is what specific transactions flow through your platform
- A weapons company doing payroll is a different risk profile from a weapons company processing consumer firearms sales; review the transaction, not just the category
- Six questions drive a proper transaction-level review: what’s flowing, to whom, does your platform facilitate the risky activity, what’s the chargeback exposure, is the merchant licensed, and do your bank and card network agreements allow it
- Document every approval decision: use case approved, controls in place, who signed off, and ongoing monitoring plan — the memo is what protects you when an examiner or bank partner asks
The head of sales brought in the application on a Friday. Established company, good financial history, strong revenue. Their business: management software for cannabis dispensaries. Not a cannabis company directly — a SaaS platform selling to cannabis operators.
Two people in the room said no on the spot. Three said the revenue was too significant to pass. The compliance lead said it depends. That’s the right answer. The problem is that “it depends” doesn’t mean anything unless you know what it depends on.
Most merchant risk policies give you a list of categories: cannabis, gambling, weapons, adult content, crypto, debt relief. The policy says which are prohibited and which require approval. What it often doesn’t say is what “review” actually means — specifically, what questions you’re trying to answer and what information changes the outcome.
The result: decisions made by committee intuition, inconsistent outcomes for similar merchants, and documentation thin enough to fail an examiner review.
Why the Industry Code Fails as the Primary Criterion
Industry codes — SIC codes, MCC codes, or your own internal category taxonomy — tell you one thing: what the company does as a general matter of business. They don’t tell you what specific transactions are touching your platform, who the counterparties are, or whether your platform is actually facilitating the activity that makes the industry high-risk.
The cannabis SaaS company is a straightforward example. The company sells software subscriptions to dispensaries. What flows through your payments platform? Monthly SaaS subscription fees from cannabis operators. The counterparties are businesses, not consumers buying cannabis products. Your platform is not processing point-of-sale cannabis sales. It’s collecting subscription revenue. That’s a structurally different risk exposure than a cannabis dispensary processing consumer transactions at checkout.
The same analysis applies across categories:
- A gun manufacturer using your platform for supplier invoices and payroll is different from one collecting consumer payments for firearm sales
- A licensed sports betting operator paying employee wages is different from one collecting player deposits across consumer accounts
- An adult content production company paying contractors is different from one running a subscription billing model for end consumers
The industry code captures all of these as the same category. The transaction-level review distinguishes them.
This is the thesis behind a properly designed high-risk merchant policy: the category determines which review pathway applies. The transaction-level analysis determines the outcome.
The Six Questions That Drive the Review
Before approving or denying a high-risk merchant, you need answers to six questions. The answers, taken together, define the risk profile — and the documentation of those answers becomes your decision record.
1. What specific transactions will flow through the platform?
Not “what does the company do” — what will they actually run through your payments infrastructure? Payroll? Accounts payable to suppliers? Consumer-facing collections? B2B invoice settlement? The more specific, the better. An approval memo that says “cannabis company” is useless. An approval memo that says “monthly SaaS subscription invoices from licensed cannabis dispensaries, $5,000–$15,000 per transaction, invoiced quarterly” gives you something to monitor against.
2. Who are the counterparties?
Consumers, businesses, or other institutions? What jurisdictions are they in? Are they themselves in regulated industries? A cannabis operator’s customers (dispensary shoppers) carry a different risk profile than a cannabis operator’s vendors (agricultural suppliers, software companies). Understanding counterparty composition matters for AML exposure, chargeback risk, and what monitoring looks like.
3. Does your platform facilitate the high-risk activity itself — or just adjacent operations?
This is the distinction between primary and ancillary exposure. If a gambling company uses your platform to collect player deposits, you’re in the middle of the gambling transaction. If it uses your platform to pay its marketing vendors, you’re adjacent to the gambling activity but not facilitating it. Primary exposure requires stronger controls and may be prohibited by your card network regardless of your internal policy. Ancillary exposure is more manageable.
4. What is the expected chargeback rate and does it create card network liability?
Visa’s VAMP (Visa Acquirer Monitoring Program) set a chargeback threshold of 1.5% starting April 2025, with a tighter 0.9% threshold effective January 2026. Mastercard’s equivalent threshold is 1.0%. Gambling merchants routinely experience chargeback rates 2–4x the e-commerce average — partly because of friendly fraud (customers disputing legitimate gambling losses). If a single high-risk merchant pushes your portfolio above card brand thresholds, you face remediation requirements from Visa or Mastercard that affect your entire acquiring relationship, not just that one merchant. The question is not just whether you can accept this merchant — it’s whether you can absorb the chargeback exposure in your portfolio.
5. Is the merchant properly licensed for the activity?
Cannabis operators need state licensing. Sports betting operators need gaming authority licenses in each jurisdiction. Money transmitters need state MTL licensing. Lenders need applicable lending licenses. If the merchant’s business activity requires a regulatory license, verifying and documenting that license is not optional — it’s your due diligence baseline. An unlicensed merchant in a regulated category is a different risk entirely from a licensed one, regardless of whether the transaction type looks manageable.
6. Do your bank partner and card network allow this?
Your internal policy can only approve what your bank partner and card network agreements permit. Certain merchant categories are prohibited outright by Mastercard, Visa, or your processing agreement — firearms sales in certain jurisdictions, unregulated gambling, specific adult content categories. Before your internal approval process completes, you need to know whether the bank partner has any written restrictions on the category, whether you’ve received prior RFIs about similar merchants (a signal of bank partner discomfort), and whether there are card network rules that would prohibit the transaction type. See the related post on bank partner AUP alignment for how to map internal approvals against sponsor bank restrictions before you commit.
Category-Specific Transaction Risk Factors
Different high-risk categories carry different risk profiles at the transaction level. The table below shows, for each category, which transaction types sit at the lower end of the risk range and which sit at the higher end:
| Category | Lower Transaction Risk | Higher Transaction Risk |
|---|---|---|
| Cannabis | SaaS subscriptions, B2B supplier payments, payroll | Consumer point-of-sale, cash-equivalent processing, interstate transactions |
| Gambling/Gaming | Employee payroll, vendor invoices, licensed B2B settlement | Player deposit collection, payout processing, multi-jurisdiction consumer flows |
| Firearms/Weapons | Manufacturer supplier payments, corporate treasury management, licensed retailer B2B | Consumer retail sales, online direct-to-consumer, accessories/parts where legality varies by state |
| Adult entertainment | Content producer contractor payments, platform B2B fees | Consumer subscription billing, micropayments, age-verification-dependent transactions |
| Crypto/Digital assets | Exchange-to-exchange institutional settlement, licensed custodian operations | Consumer retail purchase/sale, unregulated token transactions, cross-border consumer flows |
| Nutraceuticals/CBD | Wholesale B2B distribution, licensed retailer invoicing | Direct-to-consumer subscription billing with health claims, subscription with negative option |
This isn’t an exhaustive list — it’s the starting framework. The answers to your six questions fill in the specific profile for the merchant in front of you.
The Review Decision Framework
After gathering answers to the six questions, the decision falls into one of three categories:
Hard deny. The card network or bank partner prohibits the category outright. The specific transaction type facilitates an illegal activity. The merchant lacks required licenses. The chargeback exposure is unacceptable. Or the financial crime risk (AML, sanctions) cannot be managed with available controls.
Approve with enhanced monitoring. The category is restricted but manageable. The specific transactions are lower-risk within the category. You can implement elevated transaction monitoring, periodic review of the use case, and defined exit triggers. The bank partner has pre-cleared the category or doesn’t restrict it. Document the approved use case narrowly — not “cannabis company” but “B2B SaaS subscriptions for cannabis dispensary software.”
Escalate for decision. The analysis produces a genuinely mixed result: the transaction type is manageable but the category is sensitive to your bank partner, or the chargeback modeling is borderline, or there’s a legal question about whether certain transactions in this jurisdiction are permitted. This outcome needs a defined escalation path — to a risk committee, a designated approver, or a compliance/legal review — not a loop back to sales.
The decision framework fails when “escalate” means “leave it in a shared inbox until sales closes the deal.” Define who has authority to decide escalated cases, within what timeframe, and what information they need.
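The following is an added example, not code from the post or from RiskTemplates: it encodes the six answers in a hypothetical `Review` schema, projects the portfolio dispute rate against the card-brand thresholds quoted in question 4, and maps the result to the three outcomes above, returning the reasons that belong in the decision memo. The 80% "borderline" margin and the use of the tighter 0.9% Visa figure are assumptions.

```python
from dataclasses import dataclass

# Card-brand dispute thresholds quoted in the post: Visa VAMP 0.9% (January 2026
# figure) and Mastercard 1.0%; the portfolio check applies the tighter of the two.
VISA_VAMP, MASTERCARD = 0.009, 0.010
BORDERLINE = 0.8  # assumption: at or above 80% of the threshold counts as borderline

@dataclass
class Review:  # one field per question of the post's six (hypothetical schema)
    merchant: str
    use_case: str             # Q1: narrow description of what flows through
    counterparties: str       # Q2: "business" or "consumer"
    primary_exposure: bool    # Q3: platform sits inside the risky transaction
    expected_txns: int        # Q4: projected monthly transaction count
    expected_cb_rate: float   # Q4: projected merchant chargeback rate
    licensed: bool            # Q5: required regulatory license verified
    network_prohibited: bool  # Q6: card network or processing agreement bars it
    bank_precleared: bool     # Q6: sponsor bank cleared or does not restrict
    prior_bank_rfis: int = 0  # Q6: earlier RFIs about similar merchants

def projected_rate(portfolio_txns: int, portfolio_cbs: int, r: Review) -> float:
    """Portfolio dispute rate if this merchant is onboarded at projected volume."""
    disputes = portfolio_cbs + r.expected_txns * r.expected_cb_rate
    return disputes / (portfolio_txns + r.expected_txns)

def decide(portfolio_txns: int, portfolio_cbs: int, r: Review) -> tuple[str, list[str]]:
    """Map the six answers to the post's three outcomes, with reasons for the memo."""
    threshold = min(VISA_VAMP, MASTERCARD)
    rate = projected_rate(portfolio_txns, portfolio_cbs, r)
    deny = []
    if r.network_prohibited:
        deny.append("category prohibited by card network or processing agreement")
    if not r.licensed:
        deny.append("required license not verified")
    if rate >= threshold:
        deny.append(f"projected portfolio dispute rate {rate:.2%} breaches {threshold:.1%}")
    if deny:
        return "hard deny", deny
    escalate = []
    if r.primary_exposure:
        escalate.append("primary exposure: platform facilitates the risky activity itself")
    if r.counterparties != "business":
        escalate.append("consumer counterparties: higher AML and chargeback exposure")
    if rate >= threshold * BORDERLINE:
        escalate.append(f"chargeback modelling borderline at {rate:.2%}")
    if not r.bank_precleared or r.prior_bank_rfis:
        escalate.append("bank partner sensitivity: not pre-cleared or prior RFIs")
    if escalate:
        return "escalate", escalate
    return "approve with enhanced monitoring", [f"approved use case only: {r.use_case}"]
```

The reasons list is what the decision memo records; an escalation carries the open points to the designated approver instead of back to sales.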
What the Documentation Should Look Like
For every high-risk merchant approval, create a decision memo before onboarding begins. The memo doesn’t need to be long — it needs to be complete.
Required elements:
- Merchant name, category, and SIC/MCC code
- Specific transaction use case approved (narrow language, not general category)
- Counterparty description (who they’re transacting with)
- License verification status and expiration date
- Primary/ancillary exposure determination
- Chargeback risk assessment and portfolio impact
- Bank partner pre-clearance status (or basis for not requiring it)
- Card network rule check
- Controls applied (transaction monitoring rules, volume limits, reserve requirements)
- First-line and second-line sign-offs
- Ongoing monitoring plan and review cadence
- Exit triggers (what changes would require re-review or offboarding)
This document is not bureaucracy. It’s what you show an examiner when they ask how you made the decision, and it’s what you reference when the merchant’s transaction pattern drifts from the approved use case.
For detailed due diligence questions by restricted category, see Restricted Business Due Diligence: Questions to Ask Before You Approve Cannabis, Weapons, Adult, Gambling, or Crypto Customers.
What Examiners and Bank Partners Actually Look For
Examiners reviewing your merchant risk program — whether under OCC, FDIC, or state examination — are not primarily trying to catch you for approving high-risk merchants. They’re evaluating whether your approval process was reasonable and defensible. That means:
Consistency. Similar merchants should receive similar treatment under a documented process, not different outcomes based on who was in the room. If you approved a cannabis SaaS company and denied a cannabis SaaS company with nearly identical profiles, you need a documented reason.
Documentation. Verbal approvals, Slack message trails, and undated email threads do not constitute a compliance record. The decision memo is the record.
Ongoing monitoring. Approval is not a one-time decision. Your monitoring plan should show that you’re comparing actual transaction behavior against the approved use case, and that drift triggers a review.
Bank partner alignment. If your sponsor bank later asks about a merchant you onboarded, you want to be able to show that either (a) you obtained prior clearance or (b) you had a documented basis for concluding it didn’t require clearance. Blind onboarding of restricted-category merchants without bank partner awareness is what puts the relationship at risk.
For the broader onboarding and exception memo process, see AUP Exception Memos: How to Document a High-Risk Customer Approval.
So What?
The cannabis SaaS company from the opening scenario? With a proper transaction-level review, the answer is almost certainly yes — subject to narrow approval (SaaS subscriptions only), license verification for the dispensaries, card network check, and bank partner awareness. The decision is defensible, documented, and monitored. The revenue is on the table.
Without a transaction-level review framework, the outcome is a committee debate that drags until someone with authority makes a gut call. Sometimes that call is right. More often, it’s either more restrictive than necessary (good revenue lost) or more permissive than documented (exposure created).
The Compliance Essentials bundle includes an acceptable use policy template, an exception memo format, and restricted-category due diligence questionnaires — built for the full high-risk merchant review process from initial inquiry through onboarding documentation.
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.