Finance teams often treat card payments as revenue, when a meaningful portion of it is still unresolved risk. Most finance teams are carrying that exposure largely blind to their exposure levels.
Instead of treating card payments simply as revenue they should be categorised in the same way you would define risk buckets for mortgages or unsecured debt.
If you’re a CFO then this should be on your radar.
From a business reporting perspective, the standard reporting approach makes sense. The transaction has been approved, the funds are on the way, and the sale or transaction = is complete.
But from a risk perspective, that view is incomplete.
A portion of that revenue is still exposed to fraud, to disputes, and to scheme rules that allow it to be reversed days or weeks later. They’re also exposed to acquirer business failure, which while rare has happened.
Until that exposure has passed, funds can be clawed back by the acquirer.
Where the standard approach fails
In most businesses, card payments flow through finance in a fairly standard way:
- revenue is recognised at capture or settlement;
- fraud and chargebacks are treated as operational costs;
- losses are recorded after they happen;
The issue is not that this is wrong. It’s that it hides the timing and structure of risk.
Basic risk factors
Once you start thinking in terms of exposure, the next step to consider is further segmentation.
The simplest and most useful split is by customer type.
New customers
New customers carry higher risk:
- no transaction history;
- weaker behavioural signals;
- higher likelihood of fraud;
- higher likelihood of disputes;
They are also typically where growth effort is concentrated.
Existing customers
Existing customers behave differently:
- known patterns;
- previous successful transactions;
- lower fraud likelihood;
- lower dispute rates;
The same £1 of revenue has a different risk profile depending on where it comes from.
£1 from a new customer is not the same as £1 from a returning one.
Card payments as a rolling liability
A more useful way to think about card payments is as a rolling exposure, not a fixed number.
Recent transactions, particularly in the last 90 days are still well within dispute windows.
Instead of treating all revenue as equal, it’s more accurate to think in layers or buckets of risk:
- Age of transaction: 0-15 days, 15-30 days, 30-60 days, 60-90 days, 90+ days
- New vs. Old customers: 0-90 days, 90-180 days, 180-365 days, 365+ days
An example risk matrix
| Customer Tenure → / Transaction Age ↓ | 0–15 days | 15–30 days | 30–60 days | 60–90 days | 90+ days |
|---|---|---|---|---|---|
| 0–90 days (New customers) | Very High | Very High | High | High | Medium |
| 90–180 days | High | High | Medium–High | Medium | Low–Medium |
| 180–365 days | Medium–High | Medium | Medium | Low–Medium | Low |
| 365+ days (Established customers) | Medium | Medium–Low | Low | Low | Very Low |
Adding a second layer: region and liability
Two additional factors materially change the risk profile of a transaction.
Issuing region
Cards issued in different regions (US/EU/MEA/APAC) behave differently:
- fraud rates vary;
- dispute behaviour varies;
- scheme enforcement varies;
In practice, this often shows up as:
- some regions e.g. US, having consistently higher chargeback rates;
- others being more stable but slower or more friction-heavy;
Even with the same product and flow, risk is not uniform globally.
Liability shift
Authentication plays a significant role in where risk sits.
With mechanisms like 3D Secure:
- liability can shift away from the merchant;
- exposure is reduced;
Without it the merchant carries the full risk of fraud-related disputes. The same transaction can carry very different risk depending on how it’s authenticated.
Building a practical risk view
Once you combine these dimensions, a more realistic picture emerges.
You are no longer looking at total revenue;
You are looking at risk-weighted revenue across segments;
For example:
- new customer + higher-risk region + no liability shift → high exposure;
- existing customer + lower-risk region + liability shift → low exposure;
Most businesses already have this data in some form. It is just not brought together in a way that informs decisions.
What finance should do differently
The value of this model is not in the categorisation itself. It’s in how it changes behaviour.
1. Track “at-risk revenue”
Instead of looking only at total revenue, consider recent revenue split by risk buckets. This gives visibility into how much exposure the business is carrying where that exposure is concentrated.
2. Influence commercial decisions
Once a model has been estbalished and the business has a grasp of the risk in each segment it can start to inform other areas.
For example, if a disproportionate amount of revenue is coming from higher-risk segments:
- acquisition may need to be slowed;
- acceptance criteria may need tightening;
- more friction (e.g. authentication) may be justified;
If revenue is concentrated in lower-risk segments:
- the business can afford to be more aggressive;
- retention becomes more valuable;
3. Balance acquisition and retention
Growth teams are typically incentivised around:
- new customer acquisition;
- conversion rates;
But if most of that growth sits in high-risk segments:
- the apparent gains may not translate into real, retained revenue;
A more balanced approach is to:
- treat lower-risk returning customers as higher-quality revenue;
- invest accordingly in retention and repeat behaviour;
4. Align incentives around net outcomes
One of the reasons this problem persists is misaligned incentives.
- growth optimises for conversion;
- fraud optimises for loss reduction;
- compliance optimises for adherence;
Finance sits downstream of all three.
A better approach is to align around:
- net revenue after losses;
- or risk-adjusted revenue;
This creates a shared understanding of what “good” looks like and could help drive better governance.
5. Feed into product and payments decisions
This is not just a finance exercise.
The insights should influence:
- authentication strategy (e.g. where to apply 3DS);
- routing decisions;
- acceptance logic;
- onboarding flows;
If finance can identify where risk is concentrated, product and payments teams can decide how to manage it upstream.