Authorization Rate: Definition and Use in Compliance

What is Authorization Rate?

Authorization rate is the percentage of card payment attempts the issuing bank approves. If a merchant submits 1,000 transactions in a day and 930 come back approved, the authorization rate is 93%.

The formula is: (approved transactions ÷ total transaction attempts) × 100. The arithmetic is simple. The decision behind each outcome is not. The issuer bank has 200–400 milliseconds to check available funds, card status, velocity patterns, geographic plausibility, and fraud model scores before responding to the acquiring processor.

Declines fall into two categories. Hard declines are permanent: the card is blocked because it is lost, stolen, expired, or the account is closed. Soft declines are conditional. The issuer is willing to approve if additional verification is completed. This is the mechanism behind Strong Customer Authentication (SCA) under Payment Services Directive 2 (PSD2): the issuer sends a soft decline with a reason code requesting 3DS authentication, and the merchant can resubmit after authenticating the cardholder.

Card networks formalize authorization rate through monitoring programs. Visa's Transaction Processing Excellence program and Mastercard's Acquirer Monitoring Program track decline rates across acquirer portfolios. Acquirers whose merchants fall below network thresholds (approximately 85% for many merchant categories) face fees or remediation requirements. These are contractual obligations, not suggestions.

For fraud teams, what drives the rate matters as much as its level. A merchant at 94% authorization with 3 basis points of fraud losses is well calibrated. The same merchant at 99% authorization with 40 basis points of fraud has a model that is too permissive. At 80% authorization with 2 basis points of fraud, the model is almost certainly blocking too many legitimate transactions.

A UK-based e-commerce merchant that upgraded from 3DS 1.0 to 3-D Secure 2.x in 2022 moved its authorization rate from 87% to 93% in six months, because 3DS 2.x shares richer transaction context with issuers, giving them the data to approve borderline transactions with confidence. The 6-point improvement translated directly to revenue recovery.

How is Authorization Rate Used in Practice?

Fraud investigators treat authorization rate as a first-level signal. A merchant running at 91% for months that drops to 74% overnight is sending a distress signal. The investigation checklist: Did a card testing attack hit the checkout? Did a major issuer update its fraud model and start blocking a BIN range? Did the gateway have a technical failure? Each cause implies a different owner and a different fix.

Subscription merchants are the most rate-focused operators in payments. They run authorization retry logic, using different card network rails and timing windows to recover soft declines. They also rely on credential update services. Visa Account Updater and Mastercard Automatic Billing Updater automatically refresh expired card data before a renewal attempt, eliminating a category of avoidable declines that can represent 30–40% of total failures on subscription portfolios.

AML teams have incorporated authorization rate as a behavioral signal in transaction monitoring workflows. A money mule account receiving inbound transfers and then immediately attempting multiple small purchases often shows authorization rate anomalies that flag before larger suspicious flows appear. When an account that previously experienced repeated declines suddenly achieves sustained high approval rates, that behavioral shift can indicate a card-testing phase has ended and active fraud is underway.

Acquirers segment authorization rate by MCC, BIN range, and geography to identify underperforming merchants. A merchant in miscellaneous retail running at 60% authorization on the same BIN pool as peers running at 92% is worth scrutinizing. The gap can indicate the merchant is a fraud magnet: criminals testing batches of stolen cards because the checkout lacks velocity controls.

For customer due diligence (CDD) reviews, persistently low authorization rates are a red flag for transaction laundering, where a legitimate-looking merchant is processing payments on behalf of undisclosed sub-merchants. The failed authorizations represent the portion of fraud attempts the network's controls stopped.

Authorization Rate in Regulatory Context

Authorization rate sits at the intersection of several regulatory frameworks, and the compliance obligations differ by jurisdiction.

In Europe, PSD2 Article 97 mandates SCA for electronic payments. The European Banking Authority's Regulatory Technical Standards (Commission Delegated Regulation 2018/389) specify exemptions: transactions under €30, trusted beneficiaries, and low-risk transactions where the issuer's real-time fraud rate stays below defined thresholds. Specifically, issuers whose fraud rate on remote card transactions stays below 0.06% may exempt individual transactions up to €500 using Transaction Risk Analysis (TRA), without requiring SCA. Issuers that manage fraud rates below these thresholds can maintain high authorization rates while meeting their regulatory obligations. The full framework is published by the European Banking Authority.

In the US, the Card Act of 2009 and Federal Reserve Regulation Z set consumer protection boundaries on credit card authorization practices. More directly relevant to risk teams is the Federal Reserve's SR 11-7 supervisory guidance on model risk management, which requires that authorization models undergo validation and ongoing performance monitoring. A model with systematic decline disparities across demographic groups is a fair lending problem, even if the model variables are facially neutral. The Federal Reserve's SR 11-7 guidance is the foundational reference.

FinCEN guidance FIN-2012-A010 on payment processor risk explicitly flags unusual authorization patterns as potential indicators of transaction laundering and card fraud schemes. A payment facilitator whose sub-merchants collectively show declining authorization rates alongside rising chargebacks is a combination that warrants Suspicious Activity Report (SAR) consideration. The original guidance is on the FinCEN website.

Card network operating regulations add a further layer. Both Visa and Mastercard publish thresholds for their acquirer monitoring programs. Failure to maintain acceptable rates results in program enrollment, escalating fees, and, ultimately, processor termination.

Common Challenges and How to Address Them

The core tension in authorization rate management is calibration: every unnecessary decline costs revenue and creates customer friction, but every unnecessary approval increases fraud exposure.

A card issuer running a machine learning fraud model faces this trade-off directly. Tightening the decision threshold from 0.70 to 0.80 (where 1.0 represents certain fraud) will decline more transactions, reducing fraud losses. It will also decline more legitimate transactions, generating service calls and potential churn. Banks that analyze this trade-off rigorously often find their thresholds are set 10–15% too tight, blocking legitimate spend to avoid relatively small incremental fraud losses.

Threshold tuning is the formal discipline for optimizing this balance. The relevant mathematics involve precision (the share of declined transactions that are actually fraudulent) and recall (the share of fraudulent transactions that get caught). A high-precision model declines accurately but misses cases. A high-recall model catches more fraud but declines too many legitimate transactions. The right balance depends on the marginal fraud loss per transaction, the cost of a declined legitimate customer, churn probability, and that customer's lifetime value.

Card testing is a specific and well-documented challenge. Criminals who obtain batches of stolen card credentials test them on low-value transactions, often $0–$1 authorization attempts on digital merchants, to identify active cards before committing larger fraud. A merchant under card testing will see a spike in attempted transactions with a very low authorization rate, typically 20–40%. Effective detection requires velocity analysis at the BIN level, across all cards in a BIN range, not just individual cards.

Account takeover (ATO) fraud creates a different problem. A compromised account that was previously well-behaved will show normal authorization rates on early fraudulent transactions, because the card is legitimate. Detection requires behavioral signals beyond the transaction itself: device fingerprint change, session velocity anomalies, login location shift. UK Finance's annual fraud report found that ATO-driven card fraud reached £79 million in the UK in 2022, with a substantial portion involving transactions that passed authorization because the card was genuine but the account was compromised. The underlying data is available at UK Finance's fraud statistics.

Related Terms and Concepts

Authorization rate connects to a cluster of payments and fraud metrics, each measuring a different aspect of transaction health.

Fraud rate is the ratio of fraud value to total settled transaction value, measured in fraud basis points (BPS). A merchant might show 93% authorization and 5 BPS of fraud losses, which is acceptable for most categories. The same merchant at 93% authorization and 80 BPS of fraud has a serious model problem. Both metrics are needed to diagnose the portfolio correctly; neither tells the full story alone.

Chargeback rate measures disputes as a percentage of settled transactions. Visa's Chargeback Monitoring Program threshold is 1% for most merchants. A high authorization rate combined with a high chargeback rate almost always means the fraud model is approving fraudulent transactions that cardholders then dispute. This combination is a clear indicator that the approval threshold is too permissive.

Card-not-present (CNP) fraud is the fraud category most directly affecting authorization decisions in e-commerce. CNP fraud in the UK totaled £395 million in 2022, according to UK Finance. Card networks respond by tightening issuer fraud models, which affects authorization rates across the board, including for legitimate cardholders caught by broader model updates.

3-D Secure 2.x is the technical protocol that enables SCA for online card payments by sharing richer data between merchants and issuers. Merchants who implement 3DS 2.x typically see authorization rate improvements of 2–8 percentage points over 3DS 1.0, because issuers receive more context to make confident approval decisions on borderline transactions.

Behavioral analytics systems increasingly use authorization rate patterns as an input signal. An account experiencing repeated declines followed by a sudden shift to consistent approvals is worth examining. When false positives in transaction monitoring investigations are traced back through behavioral history, authorization rate anomalies frequently appear in the data that preceded the suspicious activity.