Merchant underwriting used to follow a checklist process: Collect documents. Verify identity. Run the standard checks. Make a decision. Move on. AI and other technologies, however, are now upending that approach.
In a recent webinar, LegitScript brought together three experts on payments and technology — Brendan Stevens, ISO Sponsorship Risk Manager and VP at Pinnacle Financial Partners; Leo Patching, CEO of Kompliant; and Dan Frechtling, SVP of Product and Strategy at LegitScript — to talk about what’s actually changing in underwriting and what teams need to do about it. Read the takeaways below and then watch the webinar on demand.
May 26, 2026 | by LegitScript Folks
The Cost of Being a Bad Actor Has Collapsed
This framing captures the core shift of how AI is impacting underwriting. Building a fake business identity used to require meaningful time, skill, and money. AI has changed the economics completely, Leo Patching said, essentially democratizing merchant fraud.
A synthetic identity, which is pieced together from real data and assembled into a person who doesn’t actually exist, can be produced in minutes. According to Dan Frechtling, one researcher with no prior experience documented building a convincing synthetic identity for a video interview in about 70 minutes. AI-generated websites now produce novel content, fake video testimonials, and fabricated review histories that defeat the old screening tools designed to catch recycled stock photos or duplicated copy.
Furthermore, Frechtling noted there’s a technical category of adversarial testing — probing AI models to find their detection thresholds, then systematically staying below them — that allows bad actors to optimize their fraud operations against the specific tools meant to stop them.
The cost of being a bad actor has collapsed. The cost of being caught has not changed for the victims.
The Asymmetry of Risk Raises the Stakes
Patching talked about the lopsided nature of merchant fraud. A bad actor only has to get approved once, whereas an acquirer, sponsor bank, or ISO has to consistently and persistently prevent fraudsters from entering their ecosystems. Once a bad actor gets through, the consequences can stretch on for months: disputes, chargebacks, reserve requirements, and potential liability that can spread across a portfolio.
This asymmetry is not a rhetorical point. It’s the structural reality that makes getting underwriting right so important. One bad decision can result in months of pain.
Onboarding Is No Longer a Point-in-Time Event
Traditional underwriting was designed to answer one question at a specific moment: Is this merchant acceptable?
That question isn’t enough anymore. A merchant that appears clean at onboarding can behave very differently once processing begins. Volume anomalies, transaction pattern shifts, and chargeback spikes can all be lagging indicators. By the time the data tells you something is wrong, the damage is typically already done.
The conversation on the panel kept returning to the same conclusion: Trust has to be earned continuously, not just at the point of application. The teams that will manage risk most effectively are those building toward proactive, ongoing monitoring rather than periodic reviews triggered only by calendar or crisis.
Traditional Identity Signals Alone Are Inadequate
When verifying a name, date of birth, address, and government ID number required that those details actually correspond to a real, live person, those signals had real power. That assumption no longer holds.
Standard KYC checks were not designed to catch synthetic identities, and most standalone KYC stacks remain inadequately defended against them. What works instead is a layered approach: document verification combined with liveness checks (photo or video selfies), behavioral signals like device data and IP-to-address relationships, checks against authoritative third-party sources like the IRS and secretary of state databases, and credit bureau data used not just for creditworthiness but to surface signs of prior identity theft.
No single signal is sufficient. The value is in triangulation.
AI Alone Is Not the Answer — But Neither Is Ignoring It
Nearly two-thirds of webinar attendees said they're already using AI in risk or underwriting. That number will keep growing. The question isn’t whether to use AI, it’s how to use it well.
The risk with AI-native tools built primarily around large language models is what Frechtling called the “short stack” problem: limited context, susceptibility to adversarial manipulation, and cold-start challenges when encountering new fraud patterns. A model that hasn’t been trained on a particular type of fraud is not well-positioned to detect it.
The practitioners who build more durable defenses are combining AI with things that AI alone can’t replace: human analysts capable of zero-shot detection on novel fraud patterns, proprietary databases of enforcement actions and known bad actors, network mapping that surfaces connections between seemingly unrelated merchants, and authoritative data integrations that go beyond what LLM-based tools can access.
AI handles evidence gathering, screening, narrative generation, and audit documentation well. Human judgment catches the edge cases, including the new fraud techniques that don’t have a pattern yet.
Decision Defensibility Is the New Standard
Card brand regulations are tightening. Regulatory scrutiny is increasing. Enforcement actions can land without much warning.
The teams best positioned for that environment aren’t just the ones making good decisions, they’re the ones who can prove they made good decisions. Audit-ready documentation, decision logs, and the ability to demonstrate a consistent, defensible process are becoming operational requirements, not nice-to-haves.
AI can help here too. Automated audit trails, triggered re-underwriting based on transaction anomalies, and AI-assisted documentation of decisioning rationale can reduce the burden of compliance reviews while building the kind of institutional record that holds up under scrutiny.
Where to Go From Here
The practitioners on our panel converged on a few practical principles for underwriting teams navigating this environment:
Use the data you already have. Many organizations are sitting on behavioral and transactional signals they aren’t yet turning into decisioning inputs. AI makes it faster to run that data, identify patterns, and retrain on what you find.
Move from point-in-time to continuous. Onboarding is the beginning of the risk relationship, not the end of it. Build toward monitoring that flags changes in merchant behavior before the losses show up.
Layer your defenses. No single tool or signal is reliable on its own. The goal is triangulation: combining identity verification, behavioral signals, network analysis, and human review into a system where multiple things have to go wrong simultaneously before a bad actor gets through.
Build for defensibility. Know your acceptable use policy. Know your risk matrix. Document your reasoning. The standard isn’t just getting the decision right; it’s being able to show that you got it right for the right reasons.
The problem is getting harder. The tools are getting better. The teams that come out ahead will be the ones that treat underwriting not as a gate to clear, but as a posture to maintain.
See Our AI Solution in Action
Want to see what human-in-the-loop AI technology can do for you? For a limited time, qualified organizations can receive five free merchant risk scans from LegitScript — a detailed analysis flagging compliance issues, restricted products, suspicious activity, and policy alignment concerns. Get started in just minutes.
The full webinar recording is available on-demand.
