Connect is a flexible and powerful tool that facilitates performing transactions for your users through Stripe. Although Stripe greatly simplifies the technical components of payment processing, there are legal obligations that must be fulfilled by you (the platform), the connected accounts, and Stripe. You must prepare to meet these requirements when defining and developing your platform.
Currently, only platforms in Australia, Canada, Denmark, Finland, Ireland, Japan, Norway, Spain, Sweden, the United Kingdom, and the United States can use Managed Accounts, though sellers–connected users–can be located in any of the countries in which Stripe is available. Alternatively, you can support Standalone Accounts, which are available to platforms in all supported countries.
Steps to take before going live
Platforms are expected to take all of the following steps before going live and onboarding users. Meeting these requirements helps prevent losses and ensure that transfers to your users are not delayed.
- Have your Managed Accounts agree to the Stripe Connected Account Agreement
- Know your users by collecting and verifying required information
- Use webhooks to watch for and respond to account activity
- Manage fraud on your platform to limit risks to you and your users
- Subscribe to the Connect Announce mailing list to hear about new features and changes
Agree to Stripe’s Services Agreement
All Stripe accounts must accept Stripe’s Services Agreement, and Managed Accounts in particular must accept the Stripe Connected Account Agreement (which includes the Stripe Services Agreement). Acceptance must occur before you begin processing payments on a connected user’s behalf.
We’ve provided a recommend interface and sample text in multiple languages in our Services Agreement Acceptance documentation. There you’ll also find the code you’ll use to notify Stripe of a user’s acceptance.
Know your users
As your users are also Stripe’s users (albeit discretely), you’ll need to work with Stripe to meet all “Know Your Customer” (KYC) obligations. We’ve designed Connect to accept KYC information directly through the API. When the information provided is incomplete or incorrect, it may result in delayed transfers for your users, or financial losses of your own.
Stripe requires that certain information about your users is provided as part of onboarding in order to comply with local KYC requirements. A platform with Managed Accounts is responsible for all communications with its users, including collection of this required information. Because Stripe will not have direct communications with your users, it is your obligation to communicate the importance of compliance and identity verification.
We recommend conveying to your users the relationships involved as such:
- Stripe is processing charges on a connected user’s behalf. Although the platform is initiating and managing the transactions, funds are not flowing through the platform itself.
- The connected user has a Stripe account but rely on you to help them manage it, and Stripe has a legal obligation to know who they are.
Sometimes we’ll need more information about connected accounts. Should Stripe require something, we’ll reach out to you via a webhook (not via email). It’s vital that you establish a webhook endpoint that responds to our requests and other account activity. Failure to watch for, and promptly respond to, these notifications will lead to delays in money being transferred.
Sometimes Stripe will ask for additional information because the provided information failed verification: for example, a user’s date of birth or last name appears to be incorrect. In such cases, you should also take the opportunity to re-verify the previously submitted information, as the cause of verification failure may be a simple misspelling or data entry error.
The platform is ultimately responsible for any losses incurred by Managed Accounts through its Connect application. Stripe helps by monitoring the accounts that you onboard, preemptively shutting down accounts that we believe are fraudulent, and contacting you should we notice anything suspicious.
There’s no silver bullet to detecting bad actors on your platform, but generally the better you understand your user and their business, the better you–and Stripe–can assess their risk profile. To do this and reduce the opportunity for fraud, we recommend you:
- Establish a time period in which you verify your users before they can do business through your platform
- Examine a user’s online presence through social or professional profiles like Facebook, Twitter, or LinkedIn
- Closely review the user’s website (should they reasonably have one)
- Collect appropriate licenses, if warranted for a user’s business
- Confirm your user’s email address if it is linked to their business domain (e.g., send an email to an address at that domain and require a response from it)
- Collect and verify platform-appropriate information, such as a physical address, inventory list, or selling history
- Monitor activity on your platform to get a sense of typical behavior, which can be used to look for suspicious behavior
If you suspect a user may be fraudulent, we recommend rejecting the account. This prevents the account from receiving further funds and improves Stripe’s fraud detection systems.
Learn more about Connect: