Mastercard introduces new risk-based licence fee in Europe

Effective 2023, Mastercard changed its recurring franchise licence fee to a risk-based fee aimed at reducing the cost and impact of fraud prevention, dispute management and rule violations. We examine the new fee structure and how acquirers can minimise the time and cost of compliance.

Originally announced in March 2022, Mastercard recently clarified details of its revised risk-based recurring licence fee in Bulletin AN 6184: Revised Franchise Fees in Select Countries in the Europe Region.

Mastercard acquirers and issuers must still pay recurring franchise license fees. Mastercard has simply added a performance element to how the fee is calculated. If participants trigger certain thresholds, this in turn triggers a fee increase of between 40% and 100% per licensee.

For each principal acquirer, the calculation of the licence fee to be applied during the coming 12 months (February to January of the following year) is as follows:

For the low dispute quality metric, Mastercard uses the number of chargebacks, second presentments and arbitration cases during the previous calendar year. This includes pre-arbitration and arbitration cases, regardless of whether these are won or lost.

Ratios are compared against the European average. Ratios more than five percentage points higher than the European average incur a fee increase of 40%. Our recent blog How to take advantage of the changes to chargeback rules explains the chargeback process in more detail.

What is a BIN attack?

A BIN attack is a type of brute-force attack, whereby a fraudster takes the first six digits of a card number (the Bank Identification Number or BIN) and writes software to generate the remaining account number, expiry date and 3-digit security code. These combinations are then tested to see if the details are correct, still active and usable for fraudulent purposes. This is usually done by making small transactions at eCommerce websites.

In the context of BIN attacks, Safety Net is a Mastercard product that alerts acquirers when Mastercard suspects a BIN attack. When an acquirer causes at least six Safety Net alerts in a given month during any three months of the past year, the BIN attack criteria are triggered.

When it comes to the Business Risk Assessment and Mitigation program, or BRAM, merchants required to use one of around a dozen merchant category codes (MCCs) are considered a high-brand risk merchant. And acquirers must be registered on the BRAM program before signing them.

Potential BRAM violations are when Mastercard receives a referral that its network may be being used to facilitate the purchase of an illegal or brand-damaging product or service. This triggers an investigative process. Web Shield’s understanding is that a minimum of two actual BRAM violations, namely potential violations that on investigation are found to be breaching Mastercard rules, lead to a higher licence fee.

The Data Integrity Monitoring Program, or DIMP for short, is concerned with the accuracy and completeness of data that flows through the Mastercard system on to cardholder statements. It ensures that cardholders recognise merchant names and transactions on their statements, but also that issuers can make appropriate risk-based decisions on particular transactions.

Timeframes for calculation of Mastercard risk-based recurring licence fee

The performance criteria are determined annually in January based on data from the previous calendar year (1 January to 31 December).

The changes to the calculation of the Mastercard risk-based recurring licence fee came into effect on 01 January 2023, with the first billing of the new fee occurring on 26 February 2023. This covers the period from February 2023 to January 2024.

Worked example for calculation of Mastercard risk-based recurring licence fee

Acquirers that violate one or more of the performance criteria listed above would pay an increased fee, capped at 100% of their existing recurring licence fee, during the following year.

Acquirers whose performance improves the following year, such that none of the performance criteria listed above is violated, would pay the current standard recurring licence fee the year after.

Here is a worked example for the calculation of the Mastercard risk-based recurring licence fee:

In the calendar year 2022, an acquirer has a ratio of arbitrations to second presentments of 40%, compared to the European average of 32%. They also caused six Safety Net alerts per month in February, April, and December.

This acquirer triggers the threshold for a low dispute quality acquirer, which incurs a fee increase of 40%. They also trigger the threshold for a BIN attack acquirer, which incurs a fee increase of 80%.

Although this equates to a fee increase of 120% (40% + 80%), fee increases are capped at 100% of the existing recurring licence fee. So, in this example, the acquirer would pay an additional 100% of their existing recurring licence fee – in other words, double the standard current recurring licence fee.

How Web Shield can help

Clearly, the better an acquirer manages risk in their business, the more chance they have of staying within accepted parameters and not incurring additional Mastercard fees.

Web Shield solutions help acquirers and payment service providers take quick, effective onboarding and monitoring decisions via a single automated platform and integration, mitigating the risk of BRAM or DIMP violations.

Our InvestiGate and Monitor solutions are the most comprehensive on the market. They remove the requirement for multiple interfaces, parallel processes, or unnecessary manual reviews, thereby saving acquirers time, cost, and resources.

Web Shield underwriting and risk management expertise are also available via the Web Shield Academy, which has trained more than 600 risk professionals since 2014. The Web Shield Online Academy is an addition to the popular, in-person courses, where learners can study in their own time wherever they are based.

Get in touch for more information on Web Shield solutions and the Web Shield Academy.

To learn about the European Mastercard risk-based licence fee, please see Bulletin AN 6184: Revised Franchise Fees in Select Countries in the Europe Region.