Introduction to risk management for software platforms

While there is no way to completely eliminate payments risk, this guide covers ways you can assess and manage your exposure, and helps you make an informed decision about the best path forward.

  1. Introdução
  2. Introduction to credit risk and fraud risk
  3. Risk management strategies for credit risk
    1. Onboarding
    2. Monitoring
    3. Mitigation
  4. Risk management strategies for fraud risk
    1. Onboarding
    2. Monitoring
    3. Mitigation
  5. Risk management strategies for account takeovers
  6. Your risk management options with Stripe

All online businesses have to manage risk. In fact, there are many different types of risk, from reputational risk (like how your brand is perceived) to operational risk (like downtime).

This guide focuses on three types of payments risk: credit risk, fraud risk, and account takeovers. While there is no way to completely eliminate payments risk, this guide covers ways you can assess and manage your exposure, and helps you make an informed decision about the best path forward.

Introduction to credit risk and fraud risk

When software platforms add payments facilitation to their offerings, they face three unique and complex types of risk due to their three-party business model (consisting of the platform, the sellers or service providers that take payments through the software platform, and the cardholders that pay those sellers or service providers):

  • Credit risk: Credit risk tends to manifest as sellers who have every intention of fulfilling goods or services orders, but lack financial resources to do so, accumulate more refunds and chargebacks than they can financially cover, and potentially exit the business. Cardholders can request a chargeback since the goods or services weren’t fulfilled. You would owe money to those customers because, generally speaking, platforms that facilitate payments agree to be liable for their seller’s activity.

  • Fraud risk: Platforms also have to manage risk involving fraudulent sellers. For example, you could have the same person acting as a fraudulent seller and a fraudulent cardholder, where that one person has access to stolen card information, signs up for an account on your platform, and pays themselves with the stolen card. Or, you could have a fraudulent seller and a good cardholder, where a seller deceives a cardholder into giving them money (like selling goods they don’t intend to deliver).

  • Account takeovers: Having a good seller and good cardholder isn’t enough to completely eliminate payments risks. Platforms also need to manage account takeovers, where a malicious third-party gains access to a seller’s account credentials and steals their funds.

Risk management strategies for credit risk

Most sellers regularly have credit exposure (in the form of chargebacks and refunds that they have to cover), but have the cash flow to cover them accordingly. This becomes risky to you when your sellers have fewer sales and higher refund requests, which could lead to the inability to return money to customers.

For example, let’s say you run a platform where event organizers can sell tickets and you pay out the event organizer before the event occurs. If the in-person event is canceled, the event organizers have to issue refunds to the customers. But, if the event organizers don’t have enough money to complete the refunds, you—as the platform—could be responsible for making up that loss. As a result, you take on a large amount of credit risk on behalf of your sellers, which could expose you to losses.

There are a number of different ways you can manage credit risk, and we’ve organized these strategies into three sections: onboarding, monitoring, and mitigation.

Onboarding

New sellers are inherently risky when they first join your platform, simply because they have no track record or processing history with you. The more information you gather about them, the better you can evaluate your own risk and keep your platform healthy. For example, based on their financial activity, you could identify accounts that are more likely to face cash-flow issues and have negative balances before they happen.

  • Assess risk: Evaluate the risk of potential sellers during onboarding, before allowing them on your platform. Make sure to collect enough information about the services being offered so you can determine if they fall within a high-risk category. You can inquire about their refund policy or expected gross payment volume, and research their operating history on platforms similar to yours. For larger sellers, consider doing a more manual assessment including a financial review and credit checks on individual owners or directors of the business.

  • Temporarily limit transactions: For new or high-risk sellers, you may want to introduce a number of temporary controls until you can better understand their activity on your platform. For example, consider limiting their total transaction volume in a single day or single month. If they surpass these limits, you could pause their payouts so you can review the transactions.

  • Collect reserves: Reserve a certain amount of money as collateral for potentially risky sellers. You can release the reserve over time as sellers establish a positive track record with you.

Monitoring

Businesses are rarely simple and static, and as they evolve over time, so will their risk profiles. Monitor dispute activity, negative balances, processing volume, and customer complaints on an ongoing basis to help identify fraudulent behavior and take immediate action.

  • Set up alerts: Create alerts to monitor riskier sellers so you can quickly adjust your risk-management strategy. Riskier sellers have sharply reduced volume, negative balances, or higher dispute rates (dispute activity above 0.75% is generally considered excessive).

  • Conduct periodic reviews: While setting up alerts can help you monitor sellers on a day-to-day basis, it’s also important to conduct periodic, in-depth reviews. You should review a seller’s refund and dispute rates, processing volume, and customer complaints.

  • Educate sellers: Create resources to help your sellers prepare for the unexpected. Examples include COVID-19 resources from Shopify and Xero, or Hurricane Harvey information for businesses from Mindbody.

Mitigation

Once you understand the risk profiles of your new and existing sellers, you can start proactively managing your exposure. For example, for sellers who seem more likely to pose a risk to your platform, you can change your payout schedule and encourage them to change the way refunds and chargebacks are handled.

  • Delay payouts: Delay payouts until you become familiar with sellers’ average volumes and chargeback rates. You can even link the payout schedule to the seller’s risk category—for example, the higher the risk category, the longer the payout schedule. For goods and services that are not immediately provided, hold payouts until they are delivered. This reduces the likelihood of chargebacks and refunds because you can confirm that customers received what they paid for before releasing the funds.

  • Manage negative balances: Set up a process to recover funds from sellers who go into large negative balances (sellers with a negative balance won’t be able to process chargebacks and refunds, so the risk will fall to your platform). Depending on where your sellers are located, you may be able to set up auto debits to automatically pull funds from their bank account and recover negative balances.

  • Define your risk concentration: Consider setting a maximum risk-exposure threshold for certain geographies (for example, only X% of your total risk exposure should be from a single country) or for certain sellers (for example, only X% of your total exposures should be from a single seller). If your exposures go beyond that threshold, you can tighten your risk-management policies.

  • Capture funds on the date of delivery: Reduce the gap between the date of payment and date of fulfillment to reduce risk exposure. This is particularly important for high-risk sellers who process payments long before the delivery of goods or services (like event organizers selling tickets to a sporting event or concert). To capture funds on the date of delivery (or as close to as possible), create a charge to place a hold on cardholder funds, but capture the funds once the seller has delivered the goods or services.

Risk management strategies for fraud risk

At the most basic level, a payment is considered fraudulent when the cardholder does not authorize the charge. This could be a result of stolen cards or card testing attacks. A common example is when a fraudster makes a purchase using a stolen card. This type of fraud risk can be prevented and managed using fraud software (like Stripe Radar).

In addition to fraudulent cardholders, platforms also have to manage risk involving fraudulent sellers. There are a number of different ways you can manage fraud risk, and we’ve organized these strategies into three sections: onboarding, monitoring, and mitigation.

Onboarding

Seller onboarding is your chance to collect as much information as you can to verify the legitimacy of a business. To prevent fraud risk, however, there are additional factors you need to consider, such as cross-checking existing and previously rejected sellers to identify duplicate accounts.

  • Assess risk: Confirm a seller’s identity during onboarding and make sure their business is legitimate. Examine the seller’s social media profiles, collect appropriate business licenses, review their website (look for red flags like templated websites, copied language from other websites, etc.), and verify platform-appropriate information, such as a physical address, inventory list, or selling history.

  • Check for duplicate accounts: Fraudulent merchants may open multiple accounts on your platform. To prevent this, conduct checks for duplicate account information associated with previously rejected accounts (such bank account information, tax information, or name and date of birth). You might also consider links between accounts, such as multiple accounts from the same IP address or email domain.

  • Collect reserves: Reserve a certain amount of money as collateral for potentially risky sellers. You can release the reserve over time as sellers establish a positive processing track record with you.

Monitoring

Fraudulent sellers may take the time to establish a positive track record on your platform before committing fraud, underlining the importance of continuous monitoring. Understand what normal seller activity looks like, set up anomaly detection alerts to surface any major changes or spikes, and be ready to request additional information if you see suspicious activity.

  • Identify normal behavior: Monitor your sellers’ activity to understand their typical behavior. What is their average monthly transaction volume? What are their average chargeback and dispute rates? This offers a benchmark against which you can look for suspicious behavior (such as charge size and frequency) and take appropriate action.

  • Customize your alerts: Create rule-based alerts to monitor riskier sellers so you can quickly adjust your risk management strategy. Look at confirmed fraudulent sellers to find any patterns in their activity to help you adjust and customize your alerts.

  • Request additional information: If you observe suspicious transaction behavior, reach out to the seller for more information. You can request invoices, inventory photos, or tracking numbers.

Mitigation

Once you understand the risk profiles of your new and existing sellers, you can start proactively managing your exposure. For example, for sellers who seem more likely to pose risk to your platform, you can change your payout schedule and encourage them to change the way refunds and chargebacks are handled.

  • Delay payouts: Delay payouts until you become familiar with sellers’ average volumes and chargeback rates. You can even link the payout schedule to the seller’s risk category—for example, the higher the risk category, the longer the payout schedule. For goods and services that are not provided immediately, hold payouts until they are delivered. This reduces the likelihood of chargebacks and refunds because you can confirm that customers received what they paid for before releasing the funds.

  • Prevent card testing attacks: You can identify most card testing activity by a significant increase in declines (these declines are categorized as 402 errors in your failed request logs). To prevent these attacks, introduce additional security measures during checkout such as CAPTCHA.

Risk management strategies for account takeovers

You could personally confirm the legitimacy of every seller using your platform and still be susceptible to payments fraud in the form of account takeovers. While malicious third parties will always exist on the internet, you can invest in strict security and identification efforts to prevent bad actors from hacking into your sellers’ account.

  • Enforce identity verification measures: One of the best ways to prevent account takeovers is to enforce strict security and identity verification measures. For example, enforce unique password policies, and implement two-factor authentication at login.

  • Monitor suspicious activity: It’s important to understand the signs of an account takeover so you can immediately pause payouts. Common signs of an account takeover include a large spike in processing volume or average order size, or logins from new devices or nonlocal IP addresses.

Your risk management options with Stripe

Platforms using Stripe have two options when managing risk: 1) you can have Stripe help manage payments risk for you or 2) you can take on risk management yourself. The most popular approach is to have Stripe help manage payments risk for you, reducing operational overhead and decreasing your exposure. With Stripe-managed risk, Stripe will actively monitor and manage risk on your behalf and cover negative balances that cannot be recovered.

To help enterprises adapt to a rapidly digitizing economy, Salesforce—one of the world’s largest software companies—partnered with Stripe to launch Salesforce Commerce Cloud. With payments outside their core competencies, Salesforce offloaded risk management to Stripe so they could focus on building a powerful commerce solution for their customers.

If you have risk expertise and have a good understanding of who your sellers are, you can take on risk management yourself. Platforms that choose to manage risk on their own typically have dedicated operations and engineering resources to build and maintain a homegrown fraud solution, integrate third-party tools, and monitor and report on fraud losses.

In addition to dedicating specific teams to risk management, you will need to partner with other internal departments that may be affected by risk, including:

  • Legal teams: An in-house legal generalist or payments product legal specialist will need to stay up to date on relevant laws, regulations, and industry rules, and partner with cross-functional teams to respond to audits and inquiries.

  • Support teams: In-house or vendor customer service teams will need to be prepared to respond to user questions related to risk management activities, including chargebacks, disputes, and delayed payouts.

When managing risk yourself, you can customize your approach with Stripe’s powerful suite of prevention and monitoring tools, including:

Onboarding sellers: Onboard sellers quickly and safely with prebuilt, conversion-optimized UIs that securely collect sensitive personal details and identification documents needed for verification. Stripe leverages its experience from having verified millions of accounts and uses proprietary systems to approve more sellers with less friction. Stripe’s onboarding flows dynamically update with changing regulations and international location, providing seamless onboarding experiences as you grow and move into new markets.

Verifying identities: Platforms that are especially susceptible to professional fraudsters can prevent fraud losses from fake merchants with Stripe Identity, which programmatically confirms the identity of global sellers while minimizing friction for legitimate customers.

Surfacing dispute and refund information: Monitor the health (and risk) of your sellers with the prebuilt Stripe Dashboard, which provides a range of analytics and real-time charts about the performance of your platform, or use Stripe Sigma to quickly analyze your Stripe data by writing SQL queries directly in the Dashboard. With structured access to your data, you can identify which accounts process the most disputes and refunds and identify trends over time. Build webhooks to create alerts for potentially fraudulent behavior and investigate accounts with negative balances or high refund and chargeback rates.

Enabling flexible payout schedules: Stripe Connect offers a number of different payout schedule options that you can use, depending on the risk profiles of your sellers. You can choose to automatically have funds paid out instantly or daily for established sellers, or set a custom payout schedule to slow or defer payouts to higher-risk accounts.

Leveraging machine learning to fight transaction fraud: Stripe Radar is a suite of modern tools for transaction fraud detection and prevention. Its core is powered by adaptive machine learning, with algorithms evaluating every transaction for fraud risk and taking appropriate actions. Specific to cardholder (not seller) transactional fraud, Radar is included for free as part of Stripe‘s integrated pricing. Platforms can upgrade to Radar for Fraud Teams to set their own rules-based logic and use other powerful tools for fraud professionals.

To learn more about Stripe’s risk management offerings, contact our sales team.

Vamos começar? Fale conosco ou crie uma conta.

Crie uma conta e comece a aceitar pagamentos sem precisar de contratos nem dados bancários ou fale conosco para criar um pacote personalizado para sua empresa.