Best Practices for Platforms with Managed Accounts

Provide the smoothest experience for your managed accounts by following these best practices when it comes to compliance, verification, and fraud prevention. If you need help after reading this, check out our answers to common questions or chat live with other developers in #stripe on freenode.

Connect is a flexible and powerful tool that facilitates performing transactions for your users through Stripe. Although Stripe greatly simplifies the technical components of payment processing, there are legal obligations that must be fulfilled by you (the platform), the connected accounts, and Stripe. You must prepare to meet these requirements when defining and developing your platform.

Currently, only platforms in Australia, Canada, Ireland, Denmark, Norway, Sweden, Finland, the U.K., and the U.S. can use managed accounts, though sellers (connected users) can be located in any of the countries in which Stripe is available. Alternatively, you can support standalone accounts, which are available to platforms in all supported countries.

Steps to take before going live

Platforms are expected to take all of the following steps before going live and onboarding users. Meeting these requirements helps prevent losses and ensure that transfers to your users are not delayed.

Agree to Stripe’s Services Agreement

All Stripe accounts must accept Stripe’s Services Agreement, and managed accounts in particular must accept the Stripe Connected Account Agreement (which includes the Stripe Services Agreement). Acceptance must occur before you begin processing payments on a connected user’s behalf.

We’ve provided a recommended interface and sample text in multiple languages in our Services Agreement Acceptance documentation. There you’ll also find the code you’ll use to notify Stripe of a user’s acceptance.

Know your users

As your users are also Stripe’s users (albeit discretely), you’ll need to work with Stripe to meet all “Know Your Customer” (KYC) obligations. We’ve designed Connect to accept KYC information directly through the API. When the information provided is incomplete or incorrect, it may result in delayed transfers for your users, or financial losses of your own.

Stripe requires that certain information about your users is provided as part of onboarding in order to comply with local KYC requirements. A platform with managed accounts is responsible for all communications with its users, including collection of this required information. Because Stripe will not have direct communications with your users, it is your obligation to communicate the importance of compliance and identity verification.

We recommend conveying to your users the relationships involved as such:

  1. Stripe is processing charges on a connected user’s behalf. Although the platform is initiating and managing the transactions, funds are not flowing through the platform itself.
  2. The connected user has a Stripe account but relies on you to help them manage it, and Stripe has a legal obligation to know who they are.

Properly explaining the relationship in terms of banking regulations should suffice. You and your users will also benefit from having a clear privacy policy that explains what will and won’t be done with the user’s information. (See Stripe’s Privacy Policy to know how we use provided information.)

Establish webhooks

Sometimes we’ll need more information about connected accounts. Should Stripe require something, we’ll reach out to you via a webhook (not via email). It’s vital that you establish a webhook endpoint that responds to our requests and other account activity. Failure to watch for, and promptly respond to, these notifications will lead to delays in money being transferred.

Sometimes Stripe will ask for additional information because the provided information failed verification: for example, a user’s date of birth or last name appears to be incorrect. In such cases, you should also take the opportunity to re-verify the previously submitted information, as the cause of verification failure may be a simple misspelling or data entry error.
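
One way to build the endpoint described above, as an added example rather than Stripe's own code: it authenticates each delivery before acting on it, then reports which information an account still owes. The Stripe-Signature header format, the account.updated event type and the verification.fields_needed / due_by fields are assumptions that do not appear on this page; the sample event and the whsec_EXAMPLE secret are constructed.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # reject stale deliveries to limit replay
# Constructed sample event; the field names are assumptions (see lead-in).
SAMPLE = json.dumps({"type": "account.updated", "data": {"object": {
    "id": "acct_EXAMPLE", "verification": {
        "fields_needed": ["legal_entity.dob.day"], "due_by": 1500000000}}}}).encode()


def sign(payload, secret, timestamp):
    """Build the header a sender would attach (used only to exercise the demo)."""
    mac = hmac.new(secret.encode(), b"%d." % timestamp + payload, hashlib.sha256)
    return "t=%d,v1=%s" % (timestamp, mac.hexdigest())


def verify_signature(payload, header, secret, now=None):
    """Check a header of the assumed form 't=<unix time>,v1=<hex HMAC-SHA256>'."""
    pairs = [p.strip().split("=", 1) for p in header.split(",") if "=" in p]
    stamp = next((v for k, v in pairs if k == "t"), "")
    now = time.time() if now is None else now
    if not stamp.isdecimal() or abs(now - int(stamp)) > TOLERANCE_SECONDS:
        return False
    mac = hmac.new(secret.encode(), stamp.encode() + b"." + payload, hashlib.sha256)
    expected = mac.hexdigest().encode()
    return any(hmac.compare_digest(expected, v.encode()) for k, v in pairs if k == "v1")


def handle_event(payload, header, secret, now=None):
    """Return (http_status, follow_up); follow_up lists what to collect, or None."""
    if not verify_signature(payload, header, secret, now):
        return 400, None  # unauthenticated or stale: do not act on it
    event = json.loads(payload)
    if event.get("type") != "account.updated":
        return 200, None  # acknowledge events this handler does not act on
    account = event["data"]["object"]
    verification = account.get("verification") or {}
    fields = verification.get("fields_needed") or []
    if not fields:
        return 200, None
    return 200, {"account": account["id"], "fields_needed": fields,
                 "due_by": verification.get("due_by")}


if __name__ == "__main__":
    header = sign(SAMPLE, "whsec_EXAMPLE", int(time.time()))
    print(handle_event(SAMPLE, header, "whsec_EXAMPLE"))
```

The follow-up dictionary is what the platform would queue for its own user-facing prompt, since Stripe does not contact managed-account users directly.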

Prevent fraud

The platform is ultimately responsible for any losses incurred by managed accounts through its Connect application. Stripe helps by monitoring the accounts that you onboard, preemptively shutting down accounts that we believe are fraudulent, and contacting you should we notice anything suspicious.

There’s no silver bullet for detecting bad actors on your platform, but generally the better you understand your user and their business, the better you (and Stripe) can assess their risk profile. To do this and reduce the opportunity for fraud, we recommend you:

  • Establish a time period in which you verify your users before they can do business through your platform
  • Examine a user’s online presence through social or professional profiles like Facebook, Twitter, or LinkedIn
  • Closely review the user’s website (should they reasonably have one)
  • Collect appropriate licenses, if warranted for a user’s business
  • Confirm your user’s email address if it is linked to their business domain (e.g., send an email to an address at that domain and require a response from it)
  • Collect and verify platform-appropriate information, such as a physical address, inventory list, or selling history
  • Monitor activity on your platform to get a sense of typical behavior, which can be used to look for suspicious behavior

If you suspect a user may be fraudulent, we recommend rejecting the account. This prevents the account from receiving further funds and improves Stripe’s fraud detection systems.

Further, Stripe’s built-in fraud tools can also be used to identify and prevent fraud on individual charge attempts. You’ll also want to familiarize yourself with the most common fraud types.
