SARAH RENDE: Hi, everyone. Thanks for joining. I’m Sarah Rende, and I lead risk strategy here at Stripe. For many fast-growing SaaS platforms, risk is a big unknown. It sits on the back burner while you’re busy shipping for customers, working off your product roadmap, and focused on your everyday business until something happens that’s too big to ignore. In many cases, if an account on your platform goes bankrupt or something happens, you’re financially responsible. This happened recently to a platform on Stripe. A cardholder used a stolen credit card to make three transactions. They were completely normal transactions, average typical order size, nothing out of the ordinary. The money was paid out to the legitimate merchant on their platform, business as usual. But then the charges were later disputed as fraudulent, and this left the platform on the hook for $23,000 their merchant could not cover. Now, when this happens, the first instinct is naturally to hit the brake, slow things down, add some friction, try to regain a sense of control. And you’re right to be cautious, but we’ve also learned that this approach can end up costing you way more than the fraud ever did.

After more than a decade of doing this at Stripe, we now think about risk a bit differently. We’re thinking about risk as a growth accelerator rather than a platform—rather than a brake, excuse me. Having the right risk infrastructure can give you the confidence to continue to move quickly and grow your business.

Today, we’re going to walk through three things. First, considerations for scaling your business across three stages of the merchant lifecycle. Next, we’ll talk about making a strategic choice on the right approach to risk management for your platform and the questions you should be asking yourself to make a good decision. And finally, you’ll hear from Jobber on how they’re using risk as a competitive edge. Now to walk through the first two sections, I’d like to invite my colleague to the stage, Connor Mullen. Connor leads risk product here at Stripe, and he spent the last few years building the risk infrastructure we’re about to cover. Welcome, Connor.

CONNOR MULLEN: Thanks, Sarah. All right, let’s get into it. Scaling safely starts with moving away from the idea that risk is a one-time check you perform at sign-up. Risk evolves with your business. As you bring more business onto your platform, your risk doesn’t just grow—it changes shape. Let’s take an example. Say you onboard a new business, and they pass all of your risk checks on day one. Six months later, they’ve really scaled, they’re processing more volume than ever, and they start to have supply chain issues. Those supply chain issues means they’re not able to fulfill orders, and once they can’t fulfill orders, disputes start coming in. As a platform, this could be your problem.

And this is why we think you need to move away from onboarding as your only protection, and to a full lifecycle of risk management. Many platforms today put so much emphasis on onboarding, trying to stop any bad activity at the gate. But when you have monitoring and mitigation in place, you can lower those barriers and keep yourself safe. Legitimate businesses can get started faster because you have the systems to catch problems down the road. And this turns risk management from a growth inhibitor to an accelerator. So let’s get started with the first step: onboarding. To unlock growth, your priority should be reducing friction at the front door. You want legitimate businesses getting up and running fast while stopping the obviously bad ones from getting in, too. But right now, many platforms treat every new sign-up like a stranger. They don’t have data on these businesses, so in order to onboard them, they collect more information, they ask for more documents, they go back and forth. And the result of this is that only 18% of platforms are able to successfully onboard a business in less than 24 hours. That’s across the whole industry.

Every day legitimate business is waiting, is the day they’re not active on your platform. Or worse, this friction at onboarding could cause them to just go somewhere else entirely. So to scale, you need to stop treating every new sign-up like a stranger. You need signals, automated processes, and product experiences that allow you to distinguish the good from the bad. And this really starts with recognizing the good up front. So one in six businesses globally are already known to the Stripe network. What that means is when one of these businesses comes to your platform, they can grant access to their data and get onboarded instantly. No back and forth, no documents. They’re ready to go right away.

And the impact of this is massive. 86% of platforms on Stripe successfully onboard a business in the first 24 hours. That’s five times higher than the industry average. Take Phorest. So they are a platform for nail salons, and they use Stripe to launch in 10 countries and completely automate their onboarding and verification process. By using Stripe onboarding, they’ve made it so that it takes less than two minutes for a salon to onboard. And that speed is key to their go-to-market strategy, because they serve very busy small businesses who just want to get up and running fast. But you can only do this. You can only afford to move with that speed if you also have the confidence to catch bad actors. Instead of investigating every new sign-up, you can use signals from Stripe’s risk intelligence to quickly identify fraudsters out the gate before they’ve even processed a dollar.

And that totally changes your team’s role and how you think about risk management. Instead of investigating every single account, you’re able to rely on automated, scalable processes. Look at FreshBooks. By relying on Stripe’s risk signals, they blocked 300 fraudsters from onboarding in just three months. And this wasn’t just about stopping the bad stuff from happening. This allowed them to open up the funnel and let more business in without increasing their risk.

But if we’re going to say yes more at the front door, then you need to have the confidence that down the road, you’re going to catch bad activity when it happens. And this is why monitoring is so important. What we see is that historically, risk management has been reactive to the actual bad stuff happening. You wait for disputes to come in or an account’s balance to go negative, and then you start acting. The data on Stripe actually shows this. So on average, it takes 40 days for a platform to detect a bad actor after that original sign of suspicious behavior starts. And by then it’s too late. The funds are gone, the money is out of your platform. This 40-day window is what we think leads platforms to put so much emphasis on onboarding and increase friction, because it’s scary to be in this window of uncertainty.

So to solve this, we think you need to move to continuous automated monitoring: adjusting your strategy in real time, based on the signals of how a business is performing—and relying on these automated signals before there’s an issue, before a dispute comes in, before an account goes negative. And this shifts from like a one-time pass/fail check at onboarding to more dynamic and ongoing risk management.

To do this with confidence, you really need to rely on data that doesn’t just exist in your platform, and that’s why using signals from Stripe is so powerful. We process $1.9 trillion in annual volume across 16,000 platforms, and that data is what feeds our signals—taking your local context as a platform and combining it with the signals from Stripe, so that you can monitor and prevent bad things from happening before they affect your platform. Platforms using our automated fraud signals see over five times lower exposure with these signals, because we do things like detect fraudulent activity across the Stripe network and let you know when one of those businesses is on your platform. And that’s the difference that continuous monitoring can make.

We saw this in action with FreshBooks. By using our automated flags to catch high-risk accounts, they cut their detection time from 30 days to less than four days. That’s 80% reduction in time to detect fraud. They even use our signals to detect merchant liquidity issues. So if a business has signs of trouble, might be going bankrupt, they can detect that early before it’s too late. As FreshBooks put it: “By leveraging Stripe’s data network, we’ve eliminated risk exposure blind spots that were invisible in isolation, allowing us to accelerate growth.” By moving to this continuous lifecycle, FreshBooks was able to stop playing catch-up and start getting ahead of issues. They gained the visibility to confidently keep onboarding barriers low, knowing that they can detect issues down the road because of monitoring.

But detecting risk is only valuable if you have a precise way to act on it, and that’s why your mitigation strategy is so important. What we see is that historically, platforms rely on blunt tools and heuristics. For example, flag every single transaction over $5K, pause the account while we review. But that’s just too blunt. It treats every single user the same. Take an example. Let’s say you’re a telehealth platform. You’ve got provider A and provider B. Provider A has been active on your platform for three years. They have near zero disputes. You verify their online presence and a bunch of information about their business. And then provider B, who’s new to you. They just joined yesterday. You haven’t verified everything about them yet, and they went from $0 to $50K in just one hour.

If you use a blunt instrument, like a rule that flags every account at $5K, you could really damage trust with provider A. You’re restricting access to their funds. They’ve been a good customer with you for a long time, and it is more than just damaging their cash flow. It could make you lose the customer altogether. So instead of relying on isolated volume triggers, you need to take context from your entire relationship with the customer and use that in your mitigation strategy. For provider A, you don’t take any action at all, because you know who they are and you trust them. And then for provider B, instead of just pausing them altogether, you can use a more precise tool like a reserve. Setting aside the funds that they’re processing while allowing them to still run their business, they could be your next huge customer. But with that reserve in place, you’re still protecting yourself should something go wrong.

With Stripe, everything that I just described is built in. You’ve got this control plane that allows you to take the right mitigation actions like restricting payouts, placing reserves, triggering identity checks, or rejecting accounts if you have to. And as you take these actions, Stripe gets better itself and more attuned to your product and your platform. But monitoring and mitigation is not just about stopping bad things from happening; it’s also about learning who you should trust more. The same signals that allow you to detect that provider A was a good customer also allow you to extend more trust to them. When you have that level of certainty, you don’t just not take action. You can give them faster access after they’ve processed that $5K transaction. You give them something like Instant Payouts that lets them get that money in their bank account quickly and keep growing their business on your platform. This turns your risk team from a growth inhibitor to a growth accelerant.

So ultimately, scaling safety safely is not just about a one-time check at sign-up. It’s about managing risk across the entire lifecycle—from reducing friction at onboarding, so legitimate businesses can get up and running fast, to continuous monitoring to identify threats after they’ve signed up, and mitigating with precision, including moving beyond just stopping bad actors to identifying who to trust more. And together, full lifecycle risk management enables you to move risk from a brake to an accelerator. But knowing what to do is only half the equation. The other question is who builds it? Sarah’s going to walk us through that. Sarah, back to you.

SARAH RENDE: Every platform eventually reaches a crossroads. Do we want to make risk management a core internal priority that we’re going to invest in, or do we need to look to leverage a partner? To help you decide, here’s three things to consider. First, your resource allocation. This is really important. There’s only so many resources. Resources are finite. Is risk management going to be the priority area and the best allocation of your limited product and engineering resources? If you’re going to bring risk in-house, you’ll need to hire and staff a team, build custom workflows, maintain internal tools and datasets. It’s a big investment. Alternatively, you might decide that’s not the best use of your product resources, and instead want to leverage a partner. Second, your data strategy. Do you have the right data to actually manage risk? Do you have enough data? If not, do you have someone you can partner with who’s seen these types of threats before to augment your own data?

Can you use your proprietary data, or are you already using it to augment the risk decisions for your product and your customers? And finally, liability management. This is a big one. You have to remember that as you’re scaling your platform, you’re also expanding your financial risk to struggling or fraudulent businesses. And with that, you need to think about how much financial risk can your business actually carry, and how much do you want to carry. Effectively, you’re co-signing for every merchant that signs onto your platform. And depending on your business model, you may be comfortable with that financial uncertainty, or you may decide that you want to off-load it to a partner.

To hear how a high-growth platform leverages all of these areas to make good decisions on their risk management approach, I’d like to invite you to hear from Jobber. Jobber is a platform for professional services that’s optimizing everything from scheduling appointments to sending customer invoices. Please join me in welcoming Jobber’s Head of Risk, Barnard Steyn. Thank you for joining us.

BARNARD STEYN: Thank you for having me.

SARAH RENDE: Great to have you. So we talked a lot today about areas that platforms should consider when they’re deciding on the right risk management approach for their platform. I’d love to hear if those resonate for you and how you think about whether to outsource risk.

BARNARD STEYN: Yeah, thank you. When thinking about outsourcing risk management, I think there are two things which really come to mind. The one is the stage of growth your business is in, and how closely tied your growth and revenue is to risk management. If you’re a younger business and you’re just starting, you’re really focused on product-market fit, you’re focused on gaining financial momentum. You don’t really have much choice but to outsource risk management. As you start scaling and start growing, it becomes important for a executive team to then decide: is risk management in-house important for the business? And if the answer is yes, then it makes sense to start bringing in pieces of it bit by bit. I’ve seen very large successful SaaS companies mostly outsource risk management, because they had a simple portfolio or a simple product. I’ve also seen much smaller organizations have to bring in risk management much earlier in their journeys, simply because of the nature of their product. It really isn’t a one-size-fits-all approach, and it’s something that executive team has to decide on as the business grows.

SARAH RENDE: Great, thank you for sharing that. I think just the nature of the business is a big factor in determining what’s the right path and how complicated it is, seems like a big dimension.

BARNARD STEYN: Yeah.

SARAH RENDE: How high on the priority list do you think risk management should be for platforms as they’re thinking about scaling?

BARNARD STEYN: My view is that risk management should be high. Risk management has changed very much in the last decade. If you think about risk teams, they used to be somewhat of a compliance function. They’d be in a corner of the organization. There’d be a team you’d go to to normally get the answer, “No, you’re not doing that.” That has evolved tremendously. And by having risk management and risk management teams higher up on the executive agenda, they get the time and the attention and the resources needed to perform a function which helps unlock growth and identify new revenue opportunities.

SARAH RENDE: Yep. I think that’s so important that there’s the company backing and decision that this is an area we’re going to invest in, and then that really sets up the function for success. Absolutely. And what was the specific inflection point for Jobber on the decision to bring risk management in-house?

BARNARD STEYN: Yeah. So as a reminder, Sarah already mentioned this, we’re a CRM platform with embedded fintech, and we serve the trades industry. So we have plumbers, roof technicians, construction companies, a very wide variety of businesses. And the inflection point for us where we realized risk management was better managed in-house was when we saw how complex our risk world is. And I’ll offer an example. Imagine a lawn care business. They have many customers. They have many small transactions. If one customer goes bad or one transaction charges back, it generally doesn’t matter. The business keeps going. But now imagine a construction business. They have very large transactions, not many customers. And if one of those transactions or just one customer goes bad, it often has enough financial momentum to seriously jeopardize that business’s financial health. With that kind of complexity in the risk environment, we had to insource. And we felt that our outsource strategy simply would not be able to deal with the extreme nuances we see across our portfolio.

SARAH RENDE: That makes a lot of sense. I think just understanding the magnitude there of a different… A transaction is not a transaction. Depends on all these other factors of size and the stage of the business and all of these things like the industry.

BARNARD STEYN: Absolutely. And if there’s concentration risk, it really changes things.

SARAH RENDE: Definitely. And how has your risk strategy affected how you decide where to expand or how to grow?

BARNARD STEYN: At Jobber, we have a bit of an inside joke, and it was coined by our GM of fintech, is that we want to do things without blowing off our fingers. So whenever we’re going to move into a new product or a new feature, we spend a lot of energy doing the due diligence, looking at the upside and downside risks. We’ve been processing card payments for a long time. We understand that risk as an example. We recently want to expand our ACH portfolio. It is a payment rail that makes a lot of sense for us and our businesses. So before we invested there, we spent a lot of time digging into it and understanding how this works, and it led us to decide to invest heavily in open banking data. Looking back on this decision now, I’m so glad we did that because we’ve been able to successfully scale the business without major changes to our exposure. And it’s this attitude of, “Don’t blow off your fingers,” which leads our product thinking from a risk perspective.

SARAH RENDE: It’s always good to have a good catchphrase internally, a strong internal brand.

BARNARD STEYN: And 10 fingers.

SARAH RENDE: I like it. Yes. And 10 fingers. Very important. Yes. Great. Thank you for sharing that. I’d love to hear how you’re using proprietary data from inside of Jobber and connecting that with Stripe’s payment data to make better decisions.

BARNARD STEYN: Yeah. We’ve been a user of Stripe data and Stripe products for a long time, and we trust it as high-quality data. And without getting technical, the precision recall is very well-balanced. And our approach is to layer data. And one of these layers is Stripe data. We obsess about false positives. And for those in the audience that don’t know what a false positive it is, it’s essentially a risk action against a good customer, which should have never happened in the first place. It is a high-friction event. It’s bad for your customer. It’s bad for your platform. And we’ve seen time and again, by layering data, you can drive down false positives. It’s a key point to our strategy.

SARAH RENDE: Yeah. I think sometimes there’s not just one answer, right? It’s like, how can we take the best combination of signals to make the best overall decision. And then I’d love to hear how you’re using automated signals from Radar today.

BARNARD STEYN: Yeah. Also, we’ve been using Radar for a very long time. I’ve probably used the product for almost a decade now, I think. And what we’ve seen is, on the spectrum of risk scoring that Radar offers, on the high end and the low end, the signals are very reliable. So we’ve built a lot of automation there. We’ve kept humans in the loop, in the sort of the middle of the risk spectrum. And what this has allowed us to do is to scale the business without having to scale head count in a linear fashion. And this additional free time we’ve gotten back from people and the team, we’ve dedicated to other more value-adding risk activities. Also, it’s a key part to our data strategy.

SARAH RENDE: Absolutely. I think there’s a ton of efficiency there. And obviously the big theme of this event is around AI and automation. And I think finding ways to be more efficient with the resources, we don’t have to scale head count, and overhead is always top of mind, especially for scaling platforms and growing businesses. What’s the next risk problem that Jobber is tackling?

BARNARD STEYN: Yeah, I feel like the list of risk problems never ends, but the things I think about the most is—and some of them might be a bit cliché and obvious at this point—but the one is the AI arms race between bad actors and platforms at the moment. We work really hard to stay a step ahead or catch up really quickly, and we invest heavily in AI technology. The second thing that I think about a lot is how AI is going to change the efficiency for risk teams. It is already having an effect, and it feels like we’re just starting. I think we’re heading for a future where we’re going to have extremely efficient teams because of AI being able to do things which were previously impossible to do. I think the third thing which I’m most excited about is how AI is going to help us, in my view, develop bespoke risk management strategies.

Today with any kind of risk management, you segment the risk, you develop a strategy for each segment, but they are diminishing margins of return for how granular each of these strategies become. We have an opinion that with AI, we are going to be able to build strategies at a per-merchant level. Not only is this going to protect the platform, we believe, it’s also going to unlock new revenue opportunities, which previously simply were not accessible. And I think that’s what I’m the most excited about.

SARAH RENDE: Yeah, I think that’s amazing. I think we feel very similarly, just the opportunities here are tremendous, and for much more customized and personalized risk treatments that feel very appropriate and targeted, nuanced to individual users. So, look forward to working on that together. And maybe lastly, just any words of advice you would give to a head of risk or risk leader who’s in the audience today thinking about evolving their strategy from maybe a more defensive sort of reactive posture. What advice would you give?

BARNARD STEYN: My guidance would be that risk management in today’s age is really… Risk management and revenue are two sides of the same coin, and you have to see them as working in partnership. If you do not do that, you’re surely leaving opportunities on the table. You’re leaving money on the table. Once you adopt that viewpoint that revenue and growth and risk management go hand in hand, you can start applying product management philosophies and start thinking about risk as a product. It’s something we’ve long driven within Jobber, and we’ve had a lot of success with it. And the ultimate goal for us is not to have zero risk at all. If you have zero risk, you probably don’t have a business. Risk is a good thing, but to have predictable, controllable risk, and I think that’s the advice I would offer.

SARAH RENDE: Sounds good to me. “Predictable” and “controllable” are nice words to hear in the risk management field. Thank you so much for joining us. We really appreciate it. I hope all of you learned something today and heard a little bit more about how risk can be used as a growth lever and not just as a brake. Whether you’re deciding to invest heavily in building your own risk management and looking at ways to use our modular tools to empower your teams, or looking for a partner to be able to off-load some of that complexity, Stripe can help you with that. Wherever you’re at on the journey, we’re happy and eager to work with you as partners to find the right solution for your business. Please do feel free to join us in the expo at the fraud and risk booth, and we’ll be happy to talk about our strategies and how to help you. Thank you.

BARNARD STEYN: Thank you.