When you start onboarding users, there are onboarding and Know Your Customer (KYC) obligations, depending on the account type, that must be fulfilled for compliance purposes. You must prepare to meet these obligations as you define and develop your Connect integration. Meeting these requirements can help prevent losses and avoid payout delays for your users.
Stripe has gathered what it’s learned from thousands of platforms, extensions, and plug-ins that can help you go live more effectively. Join the Stripe Partner Program to learn more.
Stripe uses webhooks to notify you of updates to your accounts and other account activities. It’s important to establish a webhook endpoint so you can promptly respond to Stripe requests. Failure to do so will lead to delays in funds being transferred.
Stripe requests additional information if the provided user information fails verification. If something like a user’s date of birth or last name appear incorrect, it may be the result of a data entry error. Review the information to see if this is the cause of the failure.
When a user updates their account information (e.g., bank account), Stripe sends you a notification of this change. You must verify the updated account information.
There’s no foolproof method to detect bad actors so it’s good practice to assess an account’s holistic risk profile to help mitigate your fraud risk. The more you understand your user and their business, the better this assessment will be. Stripe recommends you:
- Verify your users (within a certain amount of time) before they can do business through your platform
- Examine a user’s online presence through social or professional profiles like Facebook, Twitter, or LinkedIn
- Closely review the user’s website (e.g., should they reasonably have one)
- Collect appropriate licenses if appropriate for a user’s business
- Confirm your user’s email address if it’s linked to their business domain (e.g., send an email to an address at that domain and require a response from it)
- Collect and verify platform-appropriate information such as a physical address, inventory list, or selling history
- Monitor activity on your platform to get a sense of typical behavior, which you can use to look for suspicious behavior
- Use the built-in fraud tools to identify and prevent fraud on individual charge attempts
On rare occasions, Stripe might shut down specific accounts. You will receive a webhook if this occurs.
If you suspect someone is committing fraud, Stripe recommends rejecting the account. This prevents the account from receiving more funds (reducing losses) and helps improve Stripe’s fraud detection systems.
Bad actors could potentially target your connected accounts and compromise them, an attack known as account takeover (ATO). Attackers commonly obtain account credentials (e.g., through phishing, data breaches, and guessable passwords) and use that to create unauthorized transactions and other fraudulent activities on the account. To help prevent account takeovers from happening, it’s good practice to:
- Require two-factor authentication when your users log in
- Educate your users on phishing
- Enforce unique password policies
- Monitor anomalous login activity, specifically with regard to new device identifiers and IP addresses
- Be aware of account changes originating from new devices (e.g., password resets, email changes, and bank account changes)
Credit risk management
Managing disputes and chargebacks are, unfortunately, a normal part of doing business when accepting card payments. It’s good practice to employ a number of different methods to build an effective strategy for preventing disputes. The following subsections are some recommendations to help you manage your exposure, protect your business, and support your accounts.
Monitor your accounts. The more you understand your user and their business, the better you can assess their risk.
- Examine user account balances through the API or the Dashboard. In the Dashboard’s accounts overview, use filters to investigate accounts that might require you to take action (e.g., accounts with negative balances).
- Review financial activity on an account. When viewing the account in the Dashboard, click View financial reports in the Activity card.
- Create alerts to monitor riskier accounts so you can quickly adjust your strategies. Riskier accounts have higher dispute rates (dispute activity above 0.75% is generally considered excessive), sharply reduced volume, or negative balances.
For platforms with users on manual payouts, you can update your payout creation logic to defer or slow down payouts for riskier accounts.
For platforms with users on automatic payouts, you can change the payout schedule to be longer (for slower payouts) on an account-by-account basis in the Dashboard or with settings.payouts.schedule in the API. When viewing the account in the Dashboard, click Edit payout schedule in the Balance card’s overflow menu (…):
Impact from chargebacks and negative balances
Consider product or service refunds instead of having to manage chargebacks and negative balances. It might be a better customer experience and also less expensive for you. You could:
- Issue refunds. You can check the connected account’s balance to see if the refund can be covered using the Dashboard or with retrieve in the API. If their balance can’t cover the refund, you can reverse the transfer without issuing the refund (which will result in a negative balance on the account).
- Issue refunds based on certain parameters. For example, you can wait until the account’s balance is no longer negative to issue refunds or immediately issue the refund knowing the amount will be covered by future payments.
- Proactively cancel and refund charges that are likely to be disputed if you have chargeback concerns. The loss on the transaction might be better than getting a chargeback and a bad customer experience. In addition, there are costs that come with chargebacks and the potential scrutiny from card networks.
- Permit your team to handle refunds by adding them to your platform account.
- Pause billing subscriptions (recurring payments) that are at high risk for chargebacks. This gives you more control over when to resume the subscription. For example, if your platform offers classes that have been canceled for the next few months, you can pause payment collection from your customers.
- Protect your platform from negative balances by adding funds to your platform balance.
- Use Stripe Sigma to generate a report of each account’s negative balance over time.
Negative balances on accounts AustraliaCanadaU.S.
If your connected accounts are in Australia, Canada, or the U.S., you can allow Stripe to automatically debit their external accounts to cover negative balances. Otherwise, the negative balance could be covered by future payment volume. By default, automatic debiting is set to
true for Express accounts, and
false for Custom accounts.
You can toggle the automatic debits setting on an account using the Dashboard or with debit_negative_balances in the API. From the Dashboard, select an account and open the overflow menu (…) on the Balance card:
To view all connected accounts from the Dashboard that have the automatic debits setting turned off, use the Debit negative balances filter:
Concerns about sanctions
As a U.S. company, Stripe complies with all sanctions programs administered by the U.S. Office of Foreign Assets Control (OFAC), along with a number of other national and international sanctions regimes. This includes both prohibitions against interactions with certain individuals and entities as well as comprehensive bans on business dealings involving certain countries or regions that are targeted by sanctions regimes.
Stripe screens all accounts, including connected accounts, in compliance with our own obligations under these sanctions regimes. If a connected account is flagged as a possible sanctions concern, Stripe will pause payouts from the connected account and contact the platform by email to request additional information. If there is a particular email address you would like sanctions-related requests to be sent to, please contact Stripe. You can also set up webhooks to listen for sanctions-related events, which will appear as account.updated,
Payouts from the connected account will remain paused until the review has been cleared. Disregarding or violating sanctions can lead to fines, regulatory action, and loss of licensing for both Stripe and our users.
More best practices for Express accounts
The following are additional best practices to consider if you’re using Express accounts.
The Express onboarding process and Dashboard use your company name, logo, and color so it’s important to configure your brand settings. You can set these from the Express section of your Connect settings.
To maximize the conversion rate, position the Express onboarding process carefully within the flow of your application. Stripe recommends the last step be account creation before users can start operating on your platform. This is because users are more likely to complete the process and provide the necessary information when you position Express onboarding after the initial signup and onboarding steps for your application.
Before sending users into the Express onboarding flow, briefly introduce Stripe and convey the role that Stripe plays in your application. This informs your users of next steps and helps transition them to the Express flow. Consider adapting the sample text below and including it in your user interface:
[Your company name] uses Stripe to get you paid quickly and keep your personal and payment information secure. Thousands of companies around the world trust Stripe to process payments for their users. Set up a Stripe account to get paid with [your platform name.]
Because you control much of the payments experience, Stripe recommends that your users contact you first with any questions. They can work with Stripe for any questions that only we can answer after contacting you. To provide the best support possible, work with the user first and then refer them to Stripe for these questions:
- Verification questions (e.g., what information do I need to give Stripe and why?)
- Problems accessing the Express Dashboard (e.g., why doesn't two-factor authentication work?)
If a question comes up that you’re unable to answer, please contact Stripe for assistance.
More best practices for Custom accounts
The following are additional best practices to consider if you’re using Custom accounts.
Stripe services agreement
All Stripe accounts must accept the Stripe Services Agreement, and you must ensure Custom accounts accept the Stripe Connected Account Agreement (which includes the Stripe Services Agreement). Acceptance must occur before you begin processing payments for your users.
To help you collect acceptance from your users, included in the Stripe Services Agreement Acceptance documents is a recommended interface and sample text in multiple languages. You’ll also find the code to use to notify Stripe of a user’s acceptance.
As your users are also Stripe users, you’ll need to work with Stripe to meet all Know Your Customer (KYC) obligations. Connect is designed to accept KYC information directly through the API. Having incomplete or incorrect information could result in delayed payouts for your users or financial losses of your own.
To comply with local KYC requirements, you're required to provide certain information to Stripe about your users as part of onboarding. A platform with Custom accounts is responsible for all communications with its users, including collection of this required information. Because Stripe won't have direct communications with your users, it's your obligation to communicate the importance of compliance and identity verification.
Stripe recommends conveying to your users the relationships involved as the following:
- Stripe is processing charges for the platform’s users. Although the platform is initiating and managing the transactions, funds are not flowing through the platform itself.
- The platform's user has a Stripe account but relies on the platform to help manage it, and Stripe has a legal obligation to know who they are.