By: Money Navigator Research Team
Last Reviewed: 20/01/2026
FACT CHECKED
Quick Summary
Banks build an “expected activity” profile from what a business says it does and what its early account behaviour looks like. When live payments don’t resemble that profile – by:
- Sector
- Geography
- Counterparties
- Payment rails
- Card-transaction categorisation
Automated monitoring can flag the account for review. Merchant Category Codes (MCCs) matter because they are widely used in card payments to classify merchant activity; if the MCC (or related card data) doesn’t align with the stated business model, it can look like undisclosed trading, a change in business model, or a higher-risk activity type – leading to questions, temporary limits, or in some cases an exit.
This article is educational and not financial advice.
What banks mean by “business model mismatch”
A “business model mismatch” is a risk signal: the bank’s records say the business is one thing, but the transaction pattern looks like another.
That mismatch can be created by:
How the business is described at onboarding (industry, products/services, customer type, typical ticket size, countries involved).
The payment pattern that builds up over time (volume, velocity, chargeback/refund rates, cash intensity, crypto exposure, high-risk sectors, unusual counterparties).
Card ecosystem classifications (such as MCCs) that can label activity in ways the bank or payment partners interpret as higher-risk or simply inconsistent.
Guidance bodies describe ongoing monitoring as scrutiny of transactions to check they are consistent with the customer and relationship, and to spot changes that may require further checks (for example, updated due diligence).
See the FATF risk-based approach guidance for the banking sector for a clear description of ongoing monitoring and customer profile changes: FATF risk-based approach guidance for the banking sector
Where MCCs fit: what they are and why they can create false “signals”
MCCs (Merchant Category Codes) are four-digit codes used in card payments to describe a merchant’s primary business type. They are typically assigned within the acquiring/card acceptance chain and then carried through card transaction data.
Two important points for mismatch risk:
MCCs are not a narrative. They are a classification used for operational purposes (risk management, reporting, and other scheme/issuer processes). Visa describes MCCs as a four-digit number assigned to describe a merchant’s primary business, and notes they’re used for purposes including risk management: Visa Merchant Data Standards Manual
MCCs can be imperfect. Visa’s standards include rules about selecting the MCC that most accurately describes the business and allow multiple MCCs where there are multiple lines of business. Mastercard similarly emphasises the need for an accurate code that reasonably and fairly describes the merchant’s primary business: Mastercard Quick Reference Booklet – Merchant Edition
That matters because banks and payment partners may treat certain MCCs (or combinations of MCC + other indicators) as higher risk, more prone to disputes, or more likely to involve restricted activity.
Why mismatches trigger alerts even when the activity is legitimate
1) Monitoring compares reality to “expected activity”
Banks run monitoring rules designed to identify unusual patterns relative to what they “know” about the customer. A mismatch can look like:
A different product/service than declared
A different customer base than declared (consumer vs business, domestic vs international)
A shift into a sector the bank restricts or “exits”
Third-party payment flows that resemble agency, marketplace, or money movement services rather than “ordinary trading”
This is one reason business model changes can cause friction: the account may still be labelled as the old model until records catch up.
2) Card classification data can intensify the mismatch
If a business says it’s “IT consultancy” but card acceptance is categorised (via MCC or similar signals) in a way that suggests “online retail” or another higher-risk category, that divergence can trigger questions.
Sometimes the mismatch isn’t the merchant’s fault:
A business expands into a new line before formal records are updated
A processor/acquirer assigns an MCC that fits imperfectly
A marketplace model (facilitating third-party sellers) resembles payment intermediation
Marketing copy, website content, or invoice descriptors suggest activity different to the onboarding description
3) Banks may be unable (or unwilling) to give granular reasons
Even when a bank can share broad categories (“activity inconsistent with profile”), the specifics of monitoring logic are often not disclosed. If the account becomes restricted or closed, complaint handling may focus on fairness, notice, and process rather than disclosing the bank’s detection rules. The ombudsman’s business-facing overview is here: Financial Ombudsman Service guidance on bank account closures
The most common “mismatch patterns” that get flagged
Sector and product mismatch
Examples include:
Declared “services” but pattern resembles goods trading (higher frequency, fulfilment-related counterparties, seasonal spikes)
Declared “consultancy” but heavy inbound consumer card payments consistent with an online retail or subscription model
Declared “single business line” but activity resembles a multi-merchant marketplace (many small payouts, platform fees, chargeback exposure)
Geography mismatch
Suddenly high levels of cross-border payments, or new corridors not previously seen
Unusual jurisdiction mix relative to stated customers/suppliers
Related reading (internal): International payments under review: why cross-border transfers get held
Payment-rail mismatch
A business that described itself as invoice-based B2B begins receiving mainly consumer card payments
Large volumes of third-party payments where the business appears to be acting as an intermediary
Dispute/returns mismatch (card ecosystem risk)
Certain card-payment patterns – such as elevated refunds or disputes – can be interpreted as inconsistent with a stated low-dispute model. Where MCCs indicate categories historically linked with higher dispute rates, mismatch sensitivity can increase.
Summary table
| Scenario | Outcome | Practical impact |
|---|---|---|
| Business described as B2B services; activity looks like consumer retail | Monitoring alert; case opened | Requests for explanation and supporting evidence; possible temporary limits |
| New product line launched; bank records still show old model | “Profile drift” alert | Delays while the bank re-verifies details and updates risk classification |
| Acquirer/processor assigns MCC that doesn’t reflect the real activity | Conflicting signals | More questions; potential friction with both bank and payment partner |
| Cross-border volumes increase sharply | Geography-based alert | Transfers may be held pending checks; time-sensitive supplier payments affected |
| Activity resembles marketplace/intermediation | Higher perceived risk | More intensive review, sometimes enhanced checks |
What happens after an alert: review, restrictions, or exit
Step 1: questions and evidence requests
Banks commonly ask for documents that show what the business actually does and why the payment pattern makes sense. Typical categories include contracts, invoices, proof of fulfilment, customer lists, and explanations of counterparties. Internal detail: Documents banks ask for when considering account closure
Step 2: enhanced checks in higher-risk cases
Where the mismatch suggests higher risk (or simply can’t be resolved quickly), the review can shift into enhanced due diligence – more detail, more context, and deeper verification. Internal explainer: Enhanced due diligence (EDD) for SMEs: triggers, checks, outcomes
Step 3: outcomes range from “profile update” to closure
Outcomes vary by bank policy and what the evidence supports:
Records updated and monitoring thresholds recalibrated
Ongoing limits (for example, on certain payment types) while activity stabilises
Exit/closure where the bank decides the activity is outside risk appetite or remains unclear
If closure occurs and the business disputes the process or fairness, escalation routes may be relevant. Internal explainer (outcomes-focused): Business account closure complaints: realistic outcomes the FOS looks at
Scenario table
| Scenario-level | Process-level | Outcome-level |
|---|---|---|
| The business model evolves (new products, new countries, new customer type) | Monitoring detects deviation from “expected activity”; analyst requests corroboration | Profile updated, or restrictions applied if risk remains unclear |
| Card acceptance is categorised via MCC in a way that conflicts with onboarding description | Data mismatch between declared sector and card ecosystem classification | Additional verification; possible reclassification request via acquiring chain |
| Activity resembles third-party funds movement (platform/agent characteristics) | Higher-risk workflow triggered; intensified due diligence | Restrictions, termination of certain flows, or exit decision |
| Sudden spikes in volume/velocity | Automated thresholds trip; temporary holds to prevent exposure | Time delays; staged re-enablement if explanations are supported |
| Persistent unresolved mismatch | Repeated alerts and unresolved queries | Closure/exit, with complaints process as the route for dispute |
Compare Business Bank Accounts
Different business account providers have different onboarding questions, sector restrictions, and monitoring tolerances, particularly for complex models (marketplaces, cross-border-heavy trading, or high chargeback exposure).
A neutral way to understand feature differences – such as international payment support, integrations, and eligibility constraints – is to compare account terms side by side: Compare business bank accounts
Frequently Asked Questions
It usually means the bank’s “expected activity” picture (built from onboarding information and early account behaviour) differs from what the bank is now seeing in transactions. The mismatch can be about industry type, customer type (consumer vs business), geography, or the flow of funds.
In practice, the phrase is often used when the bank sees patterns that could indicate a change in business model, undisclosed lines of business, or heightened exposure to fraud/financial crime risk. The bank may treat it as a trigger to re-check whether the account still fits the bank’s policy and risk appetite.
An MCC is a four-digit code used in card payments to classify a merchant’s primary business category. It is part of the wider set of data used across card networks and payment processing.
MCC assignment typically sits in the acquiring/merchant acceptance chain rather than with the customer’s bank account provider. Visa and Mastercard both describe the importance of assigning an accurate MCC that reflects the merchant’s primary business: Visa Merchant Data Standards Manual and Mastercard Quick Reference Booklet – Merchant Edition
Yes. MCCs are a classification layer, and real businesses do not always fit neatly into a single category – especially where there are multiple product lines, hybrid models, or marketplace-style activity.
Visa’s standards explicitly address multiple lines of business and how MCC choice may be based on the primary business by sales volume, with some circumstances allowing multiple MCCs. Where the MCC is a poor fit, it can create confusing risk signals even when the underlying trading is legitimate.
Sometimes they do, sometimes they don’t – depending on the product and the data feeds involved. Banks that provide merchant acquiring, or that receive enriched card/merchant data through their systems, may have more visibility into MCC-type classification than a bank that only sees settlement transfers from a payment processor.
Even where a bank doesn’t see a definitive MCC for “sales”, it can still see other indicators that resemble the MCC mismatch problem: merchant descriptors, processor settlement patterns, unusually high dispute/refund activity, and website/invoice evidence that suggests a different sector than declared.
Banks often apply controls while they verify information because time matters in risk management: if the activity is genuinely unauthorised or outside policy, the bank may want to limit exposure while it checks.
Risk-based guidance describes monitoring as a way to detect transactions inconsistent with knowledge of the customer and to identify changes to the customer profile that may require additional due diligence. The “control first, clarify second” approach is one operational way some firms manage that tension in higher-risk cases: FATF risk-based approach guidance for the banking sector
Common triggers include rapid changes in transaction volume, sudden international corridors, new payment rails (for example moving from invoicing to consumer card payments), and patterns that resemble third-party fund movement rather than straightforward trading.
Another trigger is inconsistency between what the business says it sells and what evidence suggests (site content, invoices, customer type, and settlement patterns). Where card acceptance is involved, classification signals like MCCs can amplify the inconsistency.
Requests vary, but they commonly focus on proving the commercial rationale and the reality of trading: contracts, invoices, proof of delivery/fulfilment, supplier agreements, explanations of counterparties, and sometimes marketing materials or website evidence that clarifies what is being sold.
A practical overview of the document categories banks often request is here (internal): Documents banks ask for when considering account closure
EDD is typically the “deeper” version of due diligence applied where risk is higher or where the basic picture still doesn’t reconcile. A mismatch that suggests a higher-risk sector, higher-risk geography, or unclear source and purpose of funds can move a case into EDD.
EDD can involve more detailed verification and more probing questions, which can extend timelines and increase the operational burden during the review. Internal detail: Enhanced due diligence (EDD) for SMEs: triggers, checks, outcomes
It can, because geography is a major dimension of “expected activity”. A business that starts receiving or sending significantly more cross-border payments than its prior pattern can look like a business model change, a new supplier/customer profile, or new exposure to higher-risk corridors.
Cross-border reviews can also interact with time-sensitive settlement and supplier payments. For a focused explanation of why cross-border transfers may be held, see (internal): International payments under review: why cross-border transfers get held
A closure outcome can be disputed through the bank’s complaints process, and where eligible, escalation routes may include the ombudsman. The ombudsman’s approach to closure complaints focuses on standards, fairness, and notice, rather than forcing a bank to disclose detection logic: Financial Ombudsman Service guidance on bank account closures
For a realistic, outcomes-based view of what tends to happen in complaints about business account closures, see (internal): Business account closure complaints: realistic outcomes the FOS looks at
Most “mismatch” events are not about a single transaction. They arise when multiple classification layers disagree:
- What the business declared
- What the bank’s monitoring model expects
- What the payment ecosystem’s metadata implies (including MCCs and merchant descriptors)
When those layers diverge, the bank often treats the account as “unknown risk” until the narrative and the evidence align. The hidden mechanism is less “one red flag” and more “confidence collapse”: the monitoring system loses confidence that it understands the commercial story behind the flows, and operational controls follow.
Sources & References
FCA Policy Statement PS24/17 (Financial Crime Guide updates)
Visa Merchant Data Standards Manual (includes MCC assignment rules)
Mastercard Quick Reference Booklet – Merchant Edition (MCC accuracy and use)
GOV.UK guidance on reporting suspicious activity linked to money laundering
Financial Ombudsman Service guidance on bank account closures