Why payment processors freeze merchant accounts, and what the industry doesn't tell you

Before Sovrn, I worked in the risk function at a neobank. Not the kind of risk team that prices loans — the kind that reviews merchants and decides who to keep. We sat between the compliance team upstairs and the engineering team downstairs, and we processed a queue of merchants that had been flagged by various automated systems for review.

This is what actually happens, mechanically, when a payment processor freezes or terminates a merchant. Not the version their support team sends you. The real version.

What triggers a review in the first place

Every payment processor runs a continuously updated risk model on every merchant. The model isn't sophisticated — it's a set of rules that flag merchants when certain conditions are met. The most common triggers, in rough order of frequency:

1. MCC code change. The Merchant Category Code is a four-digit number that classifies the merchant's business. The processor assigns it at signup based on the merchant's stated business. If a subsequent transaction looks like it doesn't fit (a "florist" suddenly processing larger and more uniform transactions), the model flags it for review. The MCC is the single most important thing about your merchant account, and you probably don't know what yours is.
2. Chargeback ratio above threshold. Most processors set this around 1%. If your chargeback rate creeps above that, you're flagged. The threshold doesn't care about why — fraud, dissatisfied customers, friendly fraud, processor error — it's just a ratio.
3. Refund ratio above threshold. Around 5% for most processors. Even legitimate high-refund businesses (subscription services with money-back guarantees) get flagged here.
4. Sudden volume change. If your monthly volume jumps from $5k to $50k, you're flagged. The model assumes the new volume might be fraudulent, money laundering, or the merchant outgrowing their original risk classification.
5. "Industry inquiry" from compliance. Periodically, the compliance team upstairs sends a memo: "we're tightening MCC X this quarter due to upstream regulatory guidance." Every merchant with MCC X gets queued for review, regardless of their individual performance.
6. External news/press. If your business gets covered by mainstream news in a way that mentions your processor, your account gets reviewed. Doesn't matter if the coverage is positive.

What the review actually looks like

When your account hits the review queue, someone like me opens it in a CRM and sees: your MCC code, your monthly volume, your chargeback rate, your refund rate, your bank account on file, the email you signed up with, any prior reviews, and a flag indicating which rule triggered the current review.

The person reviewing your account spends, on average, between 90 seconds and 4 minutes on it. The reviewer is not an industry expert. They are a generalist working through a queue. They have a checklist and a dropdown of available decisions: approve / require additional documentation / impose reserve / pause processing / terminate.

If your MCC matches one on the "elevated risk" list (kept by every major processor, never published, occasionally leaked in litigation), the reviewer's default decision tilts toward the conservative end of the dropdown. If your transaction pattern looks "atypical" for the stated MCC (subjective; what does an atypical research-peptide merchant look like?), the default tilts further.

The reviewer files their decision and moves to the next account. If the decision is "require documentation" or stricter, your account is paused immediately. You don't get a phone call. You get an email that says your account is under review and asks for documents — usually articles of incorporation, beneficial-ownership disclosures, supply contracts, lab results, anything the reviewer can think of to justify the friction.

The 90-day reserve

If the reviewer decides your business is borderline acceptable, the most common middle-ground outcome is a rolling reserve. The processor holds 5–25% of every transaction in a non-interest-bearing account for 90 days as protection against chargebacks. This reserve is real money — your money — that you can't access.

For a merchant doing $50k/month with a 20% reserve, that's $30k of working capital frozen at any given moment. For a small business, this is often fatal. You can't pay suppliers. You can't pay yourself. You start running on credit cards. By the time the reserve actually releases (90 days later, in trickles), you've often gone under or migrated to a worse processor.

The reserve is, mechanically, a free loan from the merchant to the processor. The processor invests it in short-term Treasuries or money market funds and pockets the yield. At an average reserve of $10k held across 100,000 merchants at 4.5% yield, the processor earns ~$45M/year in pure interest revenue on funds that don't belong to them.

The SAR filing nobody mentions

If a reviewer decides your account is "suspicious," they file a Suspicious Activity Report (SAR) with FinCEN. The SAR is a legal document accusing your business of potentially being involved in money laundering, terrorism financing, or financial crime. SARs are filed at the rate of approximately 2 million per year across all US financial institutions.

Two things you should know about SARs:

• You cannot be told a SAR was filed against you. "Tipping off" is itself a federal crime, so the processor is legally prohibited from informing you. The first hint you'll get is when your account is closed without explanation, or when your bank account at a different institution gets closed because the SAR information has propagated.
• SARs are filed defensively, not accurately. The reviewer doesn't have to prove suspicion; they have to claim they had it. The standard for filing is much lower than the standard for an actual fraud allegation. SARs are filed routinely on legitimate businesses because the reviewer doesn't want to be the person who didn't file when they should have.

This is why, when Stripe drops you and you ask them why, they say nothing. They can't say. They're not allowed to.

What this actually looks like by industry

From inside the queue, certain MCCs come up over and over. Not because the businesses are actually criminal — they overwhelmingly aren't — but because the MCC is on the "elevated risk" list and the model is set to flag them aggressively.

Research peptides, SARMs, supplements

Almost everyone gets flagged. The MCC is typically 5912 (drug stores and pharmacies) or 5499 (miscellaneous food stores), neither of which fits. The reviewer sees "research peptides" in the business description and assumes black market pharmaceuticals. The fact that the merchant is selling lab-grade compounds for genuinely legal research applications gets lost in the queue.

VPN providers

Privacy services trigger reviews because "privacy" reads to the compliance team as "they have something to hide." VPN merchants are routinely terminated despite running entirely legitimate businesses that serve customers who simply value privacy. Some have moved to crypto rails specifically because they can't keep a Stripe account open.

Online gaming and iGaming

Heavily regulated state-by-state. Even merchants who are fully licensed in their jurisdiction get terminated by processors who don't want to navigate the per-state licensing patchwork. The processor's blanket policy is easier than per-state nuance.

Adult creators and content

Almost universal termination on traditional processors. Even legal, consensual adult content businesses with established platforms get dropped. OnlyFans' 2021 attempt to ban adult content was downstream of pressure from their payment processors.

Firearms and 2A-adjacent

Legal sales of legal products to legal buyers in legal jurisdictions, routinely terminated because the MCC matches a list that includes "high-risk discretionary." The Operation Choke Point legacy from the 2010s is still alive in most processors' risk policies.

Cannabis and adjacent

Cannabis remains federally illegal in the US, so federally-chartered banks won't bank cannabis merchants. State-legal cannabis operations have built an entire parallel banking system because the mainstream one refuses to serve them.

What you can do

The honest answer for merchants in the categories above is that building your business on a custodial payment processor is building on rented land. The processor's risk policy can change tomorrow. Your account can be paused with no explanation, no recourse, and no timeline for resolution. The funds in your reserve can be held for 90+ days while you negotiate with someone who has no incentive to negotiate.

The structural alternative is non-custodial rails: payment systems where the processor doesn't hold your funds and therefore can't freeze them. Specifically:

• Crypto payment rails (Sovrn, BTCPay Server) — non-custodial by design.
• Bank ACH with merchant-of-record services that don't hold funds in transit — these exist but are rare and usually expensive.
• Cash on delivery / wire transfer — works for B2B; doesn't scale for consumer e-commerce.

For most high-risk merchants, the realistic answer is dual-rail: keep a traditional processor (which may or may not survive a future risk review) for normal customers, and run a non-custodial crypto rail (which can never be terminated) for the customers who'd rather pay that way. The crypto rail also becomes your insurance against the traditional one being shut off.

What I wish merchants understood

The risk teams at payment processors aren't malicious. They're underpaid generalists doing what their checklist says, in a job where the personal cost of approving a bad merchant is high (a SAR filing investigated by their manager) and the personal cost of denying a good one is zero (the merchant complains to support, which is a different team). The incentive structure produces conservative decisions, and the conservative decision in a borderline case is always "freeze + ask for documents."

This isn't going to change. The system is doing what it's designed to do. The only structural fix is rails that don't have a risk team because they don't have custody.