The VAMP Era: Why Your Merchant Portfolio May Be Riskier Than You Think | Sound Commerce | PEP071

Show Notes

The VAMP Era Is Here: What Payments Pros Must Know Before It’s Too Late

Think MATCH was hard to navigate? VAMP just rewrote the risk rulebook.
In this high-impact episode, Christopher Dryden, Esq., and COO, Jeremy Stock, sit down with Matt Steinbrecher of Sound Commerce (https://sound-commerce.com/) to unpack the hidden compliance traps now emerging in merchant processing. Whether you’re an ISO onboarding merchants, a payfac dealing with CNP risk, or an investor evaluating portfolios—this episode is your early warning system.

🔍 Inside the Episode:
🚨 VAMP Isn’t Just a Buzzword—It’s Reshaping Risk Allocation

Card-not-present merchants are under a microscope. With fines expected in Q4, underwriting guidelines are tightening fast.

More ISOs are mandating RDR/Ethoca enrollment upfront. But does it help—or just shift risk silently?

🔒 The Visibility Problem: Enforcement Actions You’ll Never See

You can’t mitigate what you can’t see. We reveal how current KYC/KYB protocols fail to flag prior brand enforcement—leaving acquirers exposed to massive liability.

TC40s, dispute ratios, and fraud patterns—why they matter now more than ever.

⚠️ Case Study: The Stripe Termination No One Saw Coming

A merchant with 7 years of clean history, solid revenue, and low chargebacks was dropped without warning.

Funds frozen, tokens locked, back office access revoked. Could VAMP-related algorithms be driving silent purges?

💸 M&A Fallout: How Hidden Risk Distorts Portfolio Value

We explore how prior brand violations can kill a deal, increase reserves, and skew acquisition pricing.

For buyers and sellers alike, compliance due diligence is now mission-critical.

🧠 What Smart Acquirers and ISOs Should Do Next

Don’t wait for a fine to learn you’re out of compliance. We break down:

Monitoring VAMP ratios and TC40s per MID

Demanding API-level RDR visibility

Building attestation forms for boarding

Negotiating token migration rights and refund runways

Creating responsible offboarding flows (escrow-backed refunds, sunset terms, and portability)

🧩 Why This Episode Matters:

VAMP is not just compliance—it’s market structure. As enforcement rises, smaller high-risk shops may vanish, while those who plan ahead will own the next era of acquiring. Whether you’re working in underwriting, ops, portfolio acquisition, or product strategy, this episode is a blueprint for navigating what’s next.

Ever tried to board a merchant and wondered what you can’t see? We pull back the curtain on the blind spots that matter most: prior card‑brand violations, second‑strike liabilities, and how surcharging and dual pricing mistakes can snowball into five‑figure fines you never saw coming. With Matt Steinbrecher of Sound Commerce, we explore what VAMP could mean for acquirers, ISOs, and POS providers—and why today’s KYC/KYB isn’t built to surface nonpublic enforcement history.

**Matters discussed are all opinions and do not constitute legal advice.  All events or likeness to real people and events is a coincidence.**

👉 Global Legal Law Firm Podcast Hub: https://www.globallegallawfirm.com/podcasts/

🔔 Subscribe for more expert conversations on VAMP, MATCH, chargebacks, portfolio risk, high-risk verticals, acquiring, and merchant boarding strategy.

💬 Leave us a review: What’s your biggest VAMP challenge?

A payments podcast of Global Legal Law Firm

Chapters

• 0:00: The Transparency Problem
• 1:12: Surcharging, Dual Pricing, and Compliance Traps
• 3:10: Second Violations and Hidden Liabilities
• 5:22: Can VAMP Become MATCH 2.0
• 7:22: Why KYC/KYB Miss Prior Fines
• 10:10: Ambiguity, Incentives, and For‑Profit Enforcement
• 12:22: Market Consolidation and Fewer Principal Members
• 14:20: Portfolio Purchases, Origination Quality, and Risk
• 16:35: Timeline: Bloodbath or Course Correction
• 17:55: Finding Opportunity in Higher‑Risk Verticals
• 20:00: Closing Thoughts and Resources

Transcript

SPEAKER_01: 0:00

You can go into public records in all the different states that I've lived in and like figure out w how many traffic tickets I got, you know. Um, and it it's it's pretty easy if you know how to dig through public record databases and you kind of have an aggregated platform, you can do that, and that's the kind of stuff that you pull. But the problem is is that Visa's not a public company. That's what I'm saying. They're a public company, but they're they're they're not a government agency.

SPEAKER_03: 0:24

Without the transparency, yeah. Without the transparency, how do I know that I'm not onboarding a merchant who, if they screw up again, it's a hundred or a two hundred thousand dollar Bram violation? Like for something that's fairly simple, it's just a like a you know, a repeat offender. And how am I supposed to even determine that? And then I'm on the hook for that, right?

SPEAKER_01: 0:45

I mean and I don't think there's there's no incentive for the acquirer who gets hit with the initial violation to because they're like, cool, you're blacklisted on our channel, like get out. You know, you're off. Here's your fine, be gone. And you know, they don't have a responsibility to their competitors to go and be like, hey guys, you know, the this guy screwed up and he had a 200k fine. Like, don't bored him again.

SPEAKER_00: 1:12

Welcome to the Payments Experts Podcast, a podcast of global legal law firm. We hope you enjoy this episode.

SPEAKER_03: 1:27

So I have some POS guys, they sell POS systems primarily, they've got uh processing attached to many of their POS systems. The one of the biggest topics is still pricing surcharging. We get so many calls these days about what's the signage I have to have. Dude, I'm watching this. Is a uh for anybody who's watching this that actually cares about our podcast, I'm gonna do one very soon about this issue. But we even have agents out competing against other agents creating violations with dual pricing or on tickets to then go resell the merchant that got violated that they contributed in the violation, or oh yeah, there's all sorts of stuff going out uh uh out there. And I'm it when it's being reported to me, I'm just making notes. I'm gonna have a whole talk about this. Um, but the thing that I saw last week was these POS guys came to me and they said, Hey, we've got four merchants, it's five thousand dollars. Here's what the signage is, here's our POS signage, here's their signage, here's what we've been doing, here's what we've been telling people. And we went through the whole process of what's compliant and what's not. And when we got to the end, they were like, Well, we just want to know because they had a legitimate reason for why the receipt was wrong. And I said, Look, you might be in violation of California law, but I think if you had a um a responsive party on the other side who wasn't looking to ding you with a fine, the reason that you just gave me, I think, is kind of justifiable. This was a mistake, and it wasn't intended as a wrongful surcharge because it was being done on credit and cash. It like it didn't matter, it was a screw up with the POS system. Okay, so they they uh I said I wouldn't really because you got to pay five grand to even oppose it, and I said I wouldn't really deal with it to be honest with you. But here's the interesting part you know that these are second violations, right? Because five grand, second violation, thousand dollars the first, that means you inherited merchants that have a second viol or a first violation already, so your liability and risk is greater when you're boarding this merchant, and it raised the question of is there any scrubbing process to scrub for prior violations? So I sent that off to some of our FSP clients because I thought that that was a great question. Like when I'm boarding a merchant, what liability am I taking on related to the card brand's prior interaction with the merchant? Right? Everybody knows that match exists, but is there secondary, any secondary reporting on a merchant related to fines? I doubt that exists. So I thought that that was very interesting. But one of the FSPs got back to me and he says, Well, they violated the rules. Why weren't they matched? Right. And I and I'm thinking, well, because it's like getting a speeding ticket. I I already think that the punishment's the fine, but it it's difficult to know the rules, they're not really well published, people don't know them, otherwise, I wouldn't have like a job to do. And so if you think about it, so you know, we try to highlight some of these things, and and I'm looking at at this particular situation, and then he said, Well, wouldn't I have liability against the prior ISO or like recourse against the prior ISO because there was no reporting or the acquiring bank because that's really where the reporting's supposed to take place? So he raised a couple questions that I didn't immediately have an answer to, which I thought were very interesting. But the point of my little example was there's no violation or there's no match placement for a violation of the dual pricing guidelines. What about VAM? What do you think they're gonna do? And how are they gonna do it? Like, how are they actually going to equitably dole out fines and then dole out some sort of match placement? And then what is that unintended impact going to be on commerce in general? I mean, we already see the shady game of duck duck goose, you know, IBO, you know, like uh we see it all the time. I think that a lot of times when you have like regime changes, you have unintended consequences that even if the intent was a good intent in general for the marketplace, right? There's a lot of unintended consequences that take place, like the example that I was talking about earlier. So, yeah, do you think that they're gonna match merchants based on vamp ratios? Or I mean they'll kill them, but is there gonna be some sort of trigger where you're like above a certain number and without even saying anything? Boom, there's match. And again, great for me. Like great for me. I'm not sure how great it's gonna be for uh US commerce, but it's gonna be awesome for me. But what do you see happening with Vamp violations?

SPEAKER_01: 6:30

Yeah, it's a good question, right? Because it's it's kind of the same thing right now where the ambiguity on the Visa Dispute Monitoring Program or MasterCards program or whichever, um, you can get matchless matchlisted today for excessive chargebacks on those programs. And I think that VAMP's gonna operate in a pretty similar way. Um and maybe they just add another reason code for like excessive fraudulent chargebacks on TC40. I don't know if that one exists today, but um, you probably do better than me off the top of your head. But no, no, not necessarily.

SPEAKER_03: 7:04

Yeah, we don't get into the granular too often. I mean, I I'm I was interested in that. I'm also interested in like, have you seen a scrubbing process so that I could actually properly analyze my risk by onboarding a merchant related defines that I'm gonna ultimately be responsible for?

SPEAKER_01: 7:22

No, not really. I mean, there's so there's there's a few ways you can do it, and a lot of people do it through their KYC and KYB checks, you know, like you know, proper acquires or whatever when they're bringing merchants on board. Obviously, you look for bankruptcy, the the UBO, uh, and of course the entity and any sort of outstanding collections, stuff like that. That's super easy to run in in databases. What's a little bit more granular on top of that is you know, outstanding or previous tickets, right? So you can look at every like with most people, if you have you know, Matthew Steinrecker is my name, like you can go into public records and all the different states that I've lived in and like figure out how many traffic tickets I got, you know. Um, and it's it's pretty easy if you know how to dig through public record databases and you kind of have an aggregated platform, you can do that. And that's the kind of stuff that you pull. But the problem is that Visa's not a public company. That's what I'm saying. They're a public company, but they're they're they're not a government agency.

SPEAKER_03: 8:20

Without the transparency, yeah. Without the transparency, how do I know that I'm not onboarding a merchant who, if they screw up again, it's a hundred or a two hundred thousand dollar Bram violation? Like for something that's fairly simple, it's just a like a you know, a repeat offender. And how am I supposed to even determine that? And then I'm on the hook for that, right?

SPEAKER_01: 8:40

I mean, and and I don't think there's there's no incentive for the acquirer who gets hit with the initial violation to because they're like, cool, you're blacklisted on our channel, like get out, you know, you're off. Here's your fine, be gone. And you know, they don't have a responsibility to their competitors to go and be like, hey guys, you know, the this guy screwed up and he had a 200k fine, like, don't bored him again. And and there's definitely, you know, in the agent ISO world, there's you know, lists and we talk and you know, we can we can sniff things out, but but from like a a much higher level of scale of millions and millions of mids getting created every month, um, yeah, there's this there's no way to do it. And I imagine that's one of the gaps that probably Visa's gonna run into pretty quickly here, is that they have to have some way similar to a match list where they're tracking those violations, um, but maybe not with match, right? Like you could have a you could have a shitty month with e-commerce and like your your warehouse lights on fire, and you've got a bunch of orders outstanding, and you're like, hey guys, we're gonna refund your orders, you know, we're getting a new warehouse, whatever. Like, that's a very real-world, totally gray area example. But like your your chargebacks could go through the roof. You got a bunch of pissed-off customers who are like, I don't care if you want to refund too late. I charged it back.

SPEAKER_03: 10:04

Um, you know, there's there's and look, to the credit of this of the acquiring banks and and you know, because we don't go to Visa MasterCard, really. We go to every now and then we bump into it. But to the credit of the acquiring banks, when there's a real world situation, they do listen. And we get a lot of people off. I mean, we do, we get a lot of people off, like far more than pre-COVID. Like you got placed on match or TMF, you're done, right? Today it feels like there's definitely um a little more latitude and definitely a more responsive ear. But, you know, I'm sitting there looking at it from the context of it can't be through match, otherwise, you would match place them. But what about like a secondary reporting database that tracks fines, uh previous fines against EINs? I don't think they're incentivized to do it because every fine they collect is just more money for them. I mean, it's again, it's like a it is a regime that they have oversight, sort of like chargebacks, where they are assessing fines, collecting those, and they're not doing anything for the money. It's just penalizing people within, and look, sometimes rightfully penalizing people that are operating in their ecosystem, but there's a lot of times where it's very difficult when you're the arbiter of all of the decisions and it goes directly to your for-profit bottom line, right? Ah, you gotta wonder like how much machination goes in there that seems a little self-serving. I don't really know. Um, you know, it's kind of what this box is on.

SPEAKER_01: 11:41

I feel like I feel like there's there's this is a good example. I never really thought about it like that, um, which is which is super interesting because you know, I mean, there you have your match lists, you have Mac Alerts, and then it's really just and Mac Alerts is really just kind of a community for underwriters to flag stuff to each other. Um, but like it's not it's not like an official process. Uh almost like with match, it's very ambiguous and there's no like kind of cohesive rule set that's publicly listed and is like, here you go. Um in the same way like Visa localization rules are posted on their website, you know, and you can read through them and they make sense. And it's not uh there's nothing like that yet, but I suspect there will be because I can imagine. So one of the things I think that's gonna happen is there's gonna be a huge consolidation. I think Visa introduced Vamp um and ping-ponged all the rules around quite a bit because what they're trying to do is minimize the number of direct acquirers, principal members in the US, and pick the good players. And I think that they're gonna try to consolidate some of these higher risk shops and have them fold into larger players who have more risk to be able to balance the portfolio. I think that's like one of my sneaking suspicions of you know, tinfoil hat for a second, of like why I think ultimately they may have done it is because it's it's less stuff for them to regulate and they can start to consolidate the market a little bit more. Um and I think that smarter players, like the the much larger tier one processors, I think that they're gonna wise up at some point and realize that they might have an opportunity to sort of take in some of these maybe higher risk portfolios or whatever. But once that consolidation happens, what we just spoke about is absolutely true, right? And if uh if I'm a owner of a high-risk, you know, acquiring bank in the US and I sell to whoever, some you know, Stripe, for example, I'm I'm out. I sold my shares, I'm done, I cashed out, like I'm good. You know, you bought my book, and and that's that. And I don't really, I may not have a responsibility in those terms to tell you what's going on. Um, or same thing. Some of these guys might just fold, they might just close shop. They may say, great, we're taking a bunch of reserves and we're just gonna we're gonna fold or have to go into administration depending on the situation. And so I think um those are much smaller players, right? But I think there's gonna be that consolidation, and I I think that's where you're gonna start to run into Visa having to look at some sort of program to, you know, look at the violations.

SPEAKER_03: 14:13

Well, it's it's funny you said that about the portfolio and selling. You know, I've got uh I talked to some guys yesterday, money guys that are coming over from Merchant Cash Advance, wanting to do some funding for people that buy portfolios, and but you know, they're virgins in the industry, they don't understand the purchase. And, you know, one of the guys who's like, you know, he's got a business degree from Georgetown, he's a fucking smart guy, right? He says, you know, I don't know what I don't know, but this seems really simple. Like this guy's acquisition model seems very, very simple. And I was like, yeah, man, I mean, really to me, it's about the origination of the account. When you originate an account, where that account originates from will determine the stickiness, you know, whether or not you're seeing attrition, you know, and a lot of the portfolio that they were first analyzing were bank referrals. And I'm like, look, unless the bank goes under or the customer's pissed at the bank, this account's not going anywhere for a long period of time, right? Like, yeah, this is one of the even if there's a rate increase, like you know, as a cost of living adjustment almost, right? You're still gonna see that merchant staying right there because they're bundled in with loans, they're bundled in with all sorts of other financial products with the bank, their deposit accounts. I said, that's that's like the holy grail right there of uh of buying a portfolio. You're gonna be counting the money for a long time. And that's not even considering the future business with the bank as they continue to acquire customers and onboard them. I said, see, you know, it it really does come down to, you know, what does it look like? Because there's more impact, again, unintended consequences. What you just described was what's gonna happen to purchasers coming in to purchase portfolios, not understanding the real risk associated with some of those portfolios and not having data in order to analyze that risk based on what we've been talking about here, right? Yeah, yeah, just no visibility. They're going in blind. Yeah, totally. Well, look, man, what do you want to leave us with?

SPEAKER_01: 16:19

I don't know. I'd say uh more will be revealed for sure. I think uh November is probably when we're gonna really start to see the bloodbath unfold if we see it at all. Um, but yeah, I mean, kind of what I what I mentioned before, I really think there's gonna be a consolidation shift here. Probably it'll start moving within the next six months. But I'd say by like Q3 next year, we're gonna start to see some some movement and some some MA in the space, particularly in U.S. acquiring small, you know, small acquirers, I think are gonna start getting swallowed up or merging um just in order to balance the books better. And I I I for sure see that coming as part of this based on everything I'm seeing and hearing and you know the general buzz. I I feel like that's probably one of the unintended consequences, maybe intended consequence.

SPEAKER_03: 17:08

Um, without giving away secret sauce, what opportunity do you see for yourself in that scenario?

SPEAKER_01: 17:21

Uh I've been approaching some of the larger like tier one players with uh viable strategies, you know, traditionally a company that uh would only take a certain type of risk profile since every acquirer kind of has their niche for the most part. And maybe they won't take a certain type of risk profile or certain industry, like they just don't touch it. Um and approaching them tactfully and saying, look, there's a there's an industry here and there's an opportunity. And like, yes, your underwriting and risk team may not fully understand this industry, right? Travel, for example, usually really low margin, huge delays in funding times, um, very high bankruptcy risk, right? Like very complex market. You see something like that, and you go to someone and say, look, you can make a lot more margin in this industry if you're able to, you know, tackle it. Um, maybe nutraceuticals, for example. Um, ADIAN is a good example. They came into the U.S. market, they dominate in Europe. They came into the U.S. market trying to fight Stripe and checkout.com for the most part. Um, and like they didn't touch any nutraceuticals initially, and now they're pushing very hard and winning a lot of business in that space. And I think they're starting to see that there's an opportunity in certain verticals that maybe they wouldn't touch before, but now they understand, well, when we look at our balanced portfolio, we can sort of take on some of these higher risk verticals that we traditionally wouldn't have done. Um, and that's where I think we're gonna start seeing some of that cannibalization and MA activity, is you're gonna have larger shops like that saying, well, great, you know, we're processing payments for Airbnb and Uber and you know, Google. We don't have a whole lot of, you know, chargeback risk. So we could take some things on maybe a small local airline in in the US or something like that, uh, or you know, a larger nutraceutical shop who generally has higher chargeback rates for whatever reason. Um and that's kind of where I see the biggest opportunity right now. And what I've been looking at is like how can how can some of these uh traditionally standoffish players look at some of these new verticals and dive into them, but responsibly, right? There's a good way to ramp up and and do it responsibly. It's very easy to get caught up in a new industry and just get burned. Uh, and we see that time and time again with different shops and portfolios that grow up and then blow up. Um, but yeah, that's probably the the biggest opportunity that I see in kind of what I've been navigating right now. Awesome.

SPEAKER_00: 19:48

Excellent. You guys, that was a great conversation, Matt. So much. We're so grateful for you joining us once again. Everybody listening, please, you can find Matt Steinbrecker, SoundCommerce, at sound-commerce.com. We've got all the information down below. Thank you for this conversation today. We're looking forward to the next one. Thank you for listening to this episode of the Payments Experts Podcast, a podcast of Global Legal Law Firm. Visit us online today at global legalaw firm dot com. Matters discussed are all opinions that do not constitute legal advice. All events or likeness to real people and events is a coincidence.