All business owners assume a certain amount of risk when accepting payments for goods and services. This guide defines the risks to consider as a Connect platform owner and the approaches you can take to mitigate that risk in the most sensible way for you and your business goals.
Components of payments risk
There are many sources of payments risk (such as compliance, credit, fraud risk, and so on) to consider in any approach to risk management. It’s often helpful to think about the components of payments risk in two broad categories:
- Transaction risk primarily affects connected accounts and characterizes the risk that a consumer might charge back a transaction to a business for any reason (for example, disputes that arise in ordinary course of business, fraud derived from card testing, and so on).
- Business risk primarily affects platforms and characterizes the risk that a connected account might be predatory or not credit worthy. For example, a business might experience industry-wide disruptions that result in chargebacks. If significant, the disruption might render the business unable to fulfill obligations. Alternatively, a fraudulent connected account owner might not intend to fulfill obligations for the product or service that they’ve committed to their consumers. Either case could result in a series of chargebacks and unrecoverable negative balances on the connected account that a platform is usually liable for.
Stripe provides a variety of solutions to help manage both transaction and business risk. Radar provides you and your connected accounts with configurable tooling to manage transaction fraud risk, while this guide focuses on Stripe’s business risk management options.
Overview of Connect business risk offerings
Connect provides two primary solutions to help platforms manage business risk:
- Stripe-managed risk: Stripe provides an end-to-end business risk management solution for your platform that includes ongoing monitoring and mitigation for credit and fraud risk, as well as protection against risk of loss in the event of unrecoverable negative balances attributed to business risk across a platform’s portfolio of connected accounts.
- Platform-managed risk: You, as the platform, are responsible for monitoring risk signals and establishing the processes to take action on your connected accounts to mitigate risk.
The actor responsible for risk of loss with Stripe-managed risk or platform-managed risk configurations of Connect (Stripe or the platform, respectively) maintains responsibility for risk of loss for unrecoverable negative balances for all connected accounts associated with the platform in a specific region.
|Stripe product or service offering
|Business risk screening and monitoring: Stripe conducts credit and fraud assessments during onboarding and on an ongoing basis to mitigate risk and reduce risk of loss.
|Business risk interventions: Stripe automates interventions against risky businesses to optimize exposure and reduce (or avert) credit risk, fraud risk, and risk of loss. There are numerous interventions that Stripe might take, but common interventions include: changes to capabilities (such as pausing or slowing payouts, pausing processing), implementing reserve requirements, suspending, or deactivating accounts.
|Risk of loss: Stripe assumes risk of loss for unrecoverable negative connected account balances due to credit and fraud risk. Unrecoverable negative balances attributable to credit and fraud losses incurred from connected accounts and transaction risks aren’t deducted from your platform.
KYC and compliance: Stripe provides KYC screening to onboard connected accounts for payments and conducts risk-based onboarding screens to simplify platform adherence to evolving compliance regulation. You’re responsible for making sure that Payments KYC requirements are sufficient for meeting their business objectives and relevant industry regulations. Stripe screenings include:
|Platform monitoring: Listen to Stripe webhooks to understand connected account status and risk signals, such as disputes.
|Platform interventions: Take action on risk signals from the Stripe Dashboard to pause or slow payouts, pause processing, or reject accounts.
|Platform loss recovery tools: Debit the linked business bank account to collect on negative Stripe balances that have accumulated against a connected account.
|Transaction risk screening and monitoring: You or your connected account owners can configure risk scoring of payments to prevent high fraud risk transactions.
|Available with Stripe Radar and Radar for Fraud Teams
|Incremental risk signals Identity: Streamline risk processes by providing ID verification during onboarding or prior to enabling payouts.
|Available with Stripe Identity: Additional verifications
|Incremental risk signals Connections: Minimize fraud by matching bank account ownership against the identity of a user before accepting payments or payouts. Fully underwrite users with a deep-understanding of balance and transaction data.
|Available with Stripe Connections
Stripe provides platforms with an end-to-end business risk management solution that includes ongoing monitoring and mitigation for credit and fraud risk. In addition, Stripe assumes risk of loss to provide platforms with protection in the event of unrecoverable negative balances attributed to risk across a platform’s connected accounts. When you use Stripe-managed risk, Stripe monitors risk signals on connected accounts, implements risk interventions on connected accounts in response to observed signals, and seeks to recover negative balances from your connected accounts. You aren’t liable for unrecoverable negative balances attributed to business risk. There are three core components of the Stripe-managed risk offering:
Screening and detection
Stripe conducts a number of upfront risk-based onboarding checks to screen connected accounts onboarding to your platform for adherence to our compliance and regulatory standards for payments and fraud and credit risk signals to mitigate risk to Stripe and to your platform. You, as the platform, might need (or elect) to implement additional onboarding verifications to meet relevant regulations for products or services your platform or connected accounts offer. Stripe risk-based onboarding screens include:
- KYC checks, including person and business verification
- Anti-Money Laundering (AML) screening, including Office of Foreign Assets Control (OFAC) and sanctions screenings
- Prohibited business and risk screening
- MATCH list checks
- Credit assessment on individuals and businesses
Monitoring and mitigation
Stripe performs ongoing monitoring of risk signals (KYC, transaction data, and so on) to identify businesses that might pose credit or fraud risk to your platform through automated processes (ML models) and Stripe risk team manual review. Stripe automates interventions against risky businesses to reduce (or avert) fraud and risk of loss. For example, Stripe’s processes might flag a risky connected account in response to a number of signals (for example, elevated losses, spikes in chargeback rates, or refunds) and Stripe might take targeted action on a connected account using any of a large number of interventions to reduce risk exposure. The following are a few key risk interventions Stripe might make:
- Changes to capabilities: In response to risk signals, Stripe might slow or pause payouts, or pause a connected account’s ability to process charges.
- Reserves: In response to risk signals, Stripe might hold a reserve on the connected account balance as a fixed amount or a percentage of go-forward transactions.
- Offboarding: In the extreme case that a business poses significant risk to Stripe or your platform (ToS violations, fraud, and so on), Stripe might deactivate the connected account.
Connected account experience
Connected account owners receive notifications for risk interventions alongside the pathway to resolve an intervention through Stripe Dashboard components or through email. Connected account owners can use the Home page in their Dashboard to review and track their outstanding interventions. Connected account owners can respond directly to interventions in their Dashboard or through email.
Resolving an intervention for a connected account owner might invlove providing additional KYC information or completing a form in their Dashboard. Alternatively, resolving an intervention might require additional documentation and communication with Stripe support and risk teams, most often through email. Stripe reviews relevant documentation to inform an assessment on whether to lift a given intervention, revise it, or continue to apply the intervention to the connected account.
Risk of loss
When you choose Stripe’s managed risk offering, Stripe won’t deduct unrecoverable negative connected account balances attributable to credit and fraud losses incurred from business and transaction risk from your platform account. Stripe takes risk actions to prevent, manage, or collect funds (for example, from a connected account’s available balances, reserve balances, or linked bank accounts), in order to reduce potential or incurred losses. Stripe assumes risk of loss for two primary types of business risk:
|Credit risk typically occurs when connected accounts that have every intention of fulfilling obligations to consumers (for example, goods or services orders) might lack financial resources to do so. If a connected account accumulates more refunds and chargebacks than it can financially cover, it might result in default with the connected account owner exiting the business.
|Fraud risk typically manifests when:
|During the COVID pandemic, supply chain issues resulted in a number of business disruptions that impacted the credit worthiness of many businesses. The inability of connected accounts to manage operational risk (including chargebacks and refunds) often resulted in significant loss and occasional defaults across a wide range of businesses.
|A fraudulent connected account might begin charging customers for goods that they don’t intend to fulfill. As customers submit chargebacks, negative balances might accumulate on the fraudulent connected account that the owner has no intention to remedy (particularly if the owner was able to transfer funds initially processed from their customers).
Ordinarily, you’re responsible for covering accumulated negative balances resulting from chargebacks (as platforms that facilitate payments agree to be liable for their connected accounts’ activity). With Stripe managed risk, Stripe assumes this risk of loss on your behalf.
Platforms can bring risk management for business credit and fraud risk in-house and further tailor the risk experience of connected account owners through platform-managed risk tooling Stripe provides. For additional details on strategy and approach to risk management, see our guide on risk management for software platforms. Starting a risk management solution involves several investments. Some of the core considerations include:
- Screening and detection: Risk screening infrastructure to understand the risk profile of connected accounts and prevent or reduce fraud and credit risk. This includes building detection mechanisms and machine-learning models to identify risky connected accounts.
- Monitoring and mitigation: Systems to monitor risk signals and take action (such as pausing payouts, pay-ins, and so on) to mitigate exposure in response to changes in risk signals over time. Building forms and workflows in your product to make sure that users have resolution paths, such as uploading identity documents or verifying legal entity information.
- Risk specialists: Risk operations teams can monitor risk exposure and intervene in response to signals. Make sure that your operations teams can support connected account owners with questions about risk actions taken on their account.
Platform risk tooling
Stripe provides several tools to allow connected account owners to monitor and manage business credit and fraud risk.
|Layer 1: Starting tools
|Layer 2: Interventions
|Layer 3: Final mitigation
|Layer 4: Additional signals
Consider the steps necessary to transition from Stripe-managed risk to platform-managed risk configurations, in which you fully own risk management. The following list highlights high-level steps involved in a transition:
- Start a risk team. Begin monitoring risk signals (such as listening to Stripe webhooks for disputes, chargebacks, and so on) and developing risk screening and monitoring solutions to understand changes in credit or fraud risk of connected accounts over time.
- Prepare to integrate Stripe-provided risk actions, such as pausing pay-ins, pausing payouts, and rejecting accounts into risk operations processes to act on risk signals, with preferences for connected account experience and platform risk tolerance.
- Develop notification mechanisms and resolution paths for your connected account owners based on the risk actions that your platform takes against connected accounts in response to risk signals.
- Coordinate with Stripe to transition connected accounts between risk states and remove relevant Stripe risk components, such as within embedded experiences.
A shift from Stripe-managed to platform-managed risk involves Stripe migrations and engineering support to update platform risk of loss on connected accounts.