Intro to Risk
Risk, with regard to financial products, typically falls into two primary categories: Financial Risk and Regulatory Risk. While Financial Risk leads to direct losses to your operating capital, Regulatory Risk can lead to regulatory fines or other penalties. Ultimately both categories of risk have the potential to impact your operating capital, can impact your reputation, and in extreme cases may lead to the suspension of your program altogether.
Since both categories can cause disruptive events for your business, we recommend building Financial and Regulatory risk reduction strategies. In this resource, we will break down both types of risk and provide guidance to help you address them.
Financial Risk exists when a user spends funds in their account without intending to repay them or uses the "float" (the time it takes for transactions to process and settle) to overspend. In the case of Credit Hub, this can occur by taking credit from you, but then defaulting on the repayment obligation. While in the case of Deposit, it can occur by funding their account via one of the Payment Accounts and spending the funds knowing that that original transaction will return, thus overdrawing their balance and leaving the platform with limited options to recoup funds.
Other than Provisional Credit and Credit Extensions, financial risk is primarily created by providing customers access to Payment Accounts. Since payments can return up to 60 days after a credit has been applied to a customer's account, payment processing exposes you to financial loss risk.
Based on the above statement, a valid conclusion is that most of your financial risk can be adjusted by adjusting access to Payment Accounts. With that in mind, here are some examples of how you might choose to design your Financial Risk Policy, based on your overall risk appetite:
Risk Appetite | Policy |
Conservative | We will not provide payment origination products to any customers. All customers will be required to fund their accounts with us via direct deposit or cash deposits that do not pose return risk. |
Moderate | Before the policy, here are some definitions:
ID Score
A probabilistic score (0-1) assigned to all users at the time of onboarding that predicts the likelihood that the identity supplied belongs to the person who is creating the account. 1 meaning we are 100% certain that the user is who they say they are. 0% means with 100% certainty we can say that the user is not who they say they are. Risk Score
A probabilistic score (0-1) assigned to all users who are utilizing their accounts which predicts the likelihood that their subsequent transactions will lead to a financial loss. Policy
Reducing Onboarding Risk We will be utilizing ID Score to reduce stolen profiles in our system, the idea being that a user is less likely to fraud us with their real identity. If a user's ID Score is below 0.8, we will be collecting additional documentation and performing enhanced due diligence before onboarding them to the platform.
Reducing Ongoing Risk On top of that, we will be utilizing Risk Score to put people in green (over 0.9), yellow (0.5-0.89), and red (below 0.5) paths. Where the green path will give users uninterrupted access to all payment products, yellow will reduce all payment limits by 50% and red will reduce limits by 90%. |
Aggressive | We will provide all payment products to customers and assume that financial fraud is an acceptable risk to the business. |
Following are more details on Financial Risk by types:
ACH is a one-way messaging system for payment processing. Meaning, that a transaction in ACH is assumed to have succeeded unless the receiving bank sends a failure notice.
Based on the reason for failure, the receiving bank can have up to 60 days to return a transaction, assuming they have return rights. In practice this means if you released an ACH credit in 3 business days to your user, you might still receive a return up to 57 days later. Here are the most common return reasons:
❌ = Will not lock the user or node.
✅ = Will lock the user or node.
Code | Description | Locks Node | Locks User |
R01 | Insufficient Funds | ❌ | ❌ |
R02 | Account Closed | ✅ | ❌ |
R03 | No Account/Unable to Locate Account | ✅ | ❌ |
R04 | Invalid Account Number | ✅ | ❌ |
R06 | Returned Per ODFI's Request | ❌ | ❌ |
R07 | Authorization Revoked by Customer | ✅ | ✅ |
R08 | Payment Stopped | ✅ | ❌ |
R09 | Uncollected Funds | ❌ | ❌ |
R10 | Customer Advises Not Authorized | ✅ | ✅ |
R11 | Check Safekeeping Entry Return | ❌ | ❌ |
R12 | Branch Sold To Another DFI | ✅ | ❌ |
R13 | RDFI Not Qualified to Participate | ✅ | ❌ |
R14 | Account Holder Deceased | ✅ | ✅ |
R16 | Account Frozen | ✅ | ❌ |
R17 | File Record Edit Criteria | ❌ | ❌ |
R20 | Non-Transaction Account | ✅ | ❌ |
R21 | Invalid Company Identification | ❌ | ❌ |
R22 | Invalid Individual ID Number | ❌ | ❌ |
R23 | Credit Refused by Receiver | ❌ | ❌ |
R24 | Duplicate Entry | ❌ | ❌ |
R29 | Corporate Customer Advises Not Authorized | ✅ | ✅ |
R31 | Permissible Return Entry | ❌ | ❌ |
R33 | Return of XCK Entry | ❌ | ❌ |
R34 | Limited participation DFI | ✅ | ❌ |
These returns are broken into three categories:
These returns occur when the account holder of the ACH account informs their bank (receiving bank) that the transaction was not authorized by them. NACHA guidelines allow account holders to take up to 60 days to dispute these kinds of transactions. Return codes R07, R10, and R29 signify unauthorized returns.
Administrative returns indicate that a transaction was returned due to administrative or account data errors. They occur within 3 business days of settlement. Return codes R02, R03, and R04 signify administrative returns.
The rest of the returns are just other types of returns allowed by the ACH network. Like Administrative, these returns also occur within 3 business days of settlement.
Dishonoring a return is only allowed in circumstances where the return notice is late. This means, if Administrative and Other returns are coming to us after 3 business days or Unauthorized are coming after 60 days, then they can be dishonored. Otherwise, all other ACH Returns must be honored in compliance with the NACHA consumer protection guidelines.
Unlike ACH, Interchange (more popularly know as acquiring) is capable of giving you failure notices in realtime in almost all circumstances. However, there are some scenarios, known as chargebacks that can take up to 120 days.
Based on the reason for failure, the receiving bank can have up to 120 days to fail a transaction. This means, if you released an Interchange credit instantly to your user, you might still receive a failure notice (also known as a Chargeback) up to 120 days later. Here are the most common failure reasons:
Code | Description | Locks Node | Locks User |
IR01 | More information is needed from the card issuer | ❌ | ❌ |
IR02 | Refer to card issuer's unique transaction rules | ❌ | ❌ |
IR03 | Not recognized as a valid merchant | ❌ | ❌ |
IR04 | Card not activated for transaction use | ❌ | ❌ |
IR05 | Suspicious activity; do not honor this card's transactions | ✅ | ❌ |
IR06 | Error during transaction process | ❌ | ❌ |
IR07 | Card has unique conditions; currently not activated for transaction use | ❌ | ❌ |
IR08 | Needs more identification to process the transaction | ❌ | ❌ |
IR09 | Transaction requested; currently in progress | ❌ | ❌ |
IR10 | Transaction amount partially approved | ❌ | ❌ |
IR11 | Approved but not processed | ❌ | ❌ |
IR12 | Transaction invalid | ❌ | ❌ |
IR13 | Transaction amount invalid | ❌ | ❌ |
IR14 | Card number does not exist | ✅ | ❌ |
IR15 | Card issuer does not exist | ✅ | ❌ |
IR17 | Customer canceled/reversed payment | ✅ | ❌ |
IR18 | The customer reversed the transaction: chargeback | ✅ | ✅ |
IR19 | Please retry the transaction | ❌ | ❌ |
IR20 | Response from the card processor was invalid | ❌ | ❌ |
IR21 | Transaction formatted incorrectly (Potential reversal detected) | ❌ | ❌ |
IR22 | Suspected malfunction, reversal | ❌ | ❌ |
IR23 | Transaction fee was unacceptable | ❌ | ❌ |
IR24 | File update not supported by receiver | ❌ | ❌ |
IR25 | Unable to locate record on file | ❌ | ❌ |
IR26 | Duplicate file update record, no action taken | ❌ | ❌ |
IR27 | File update field edit error | ❌ | ❌ |
IR28 | Field update record locked out | ❌ | ❌ |
IR29 | File update not successful, contact the acquirer | ❌ | ❌ |
IR30 | Transaction formatted incorrectly (Potential reversal detected) | ❌ | ❌ |
IR31 | Transaction must be initiated in person, bank not supported by "switch" | ❌ | ❌ |
IR32 | Completed partially, reversal | ❌ | ❌ |
IR33 | Expired card, pick-up | ✅ | ❌ |
IR34 | Suspected fraud, pick-up | ✅ | ✅ |
IR35 | Card acceptor must contact acquirer, pick-up | ❌ | ❌ |
IR36 | Restricted card, pick-up | ✅ | ❌ |
IR37 | Merchant must contact the card security | ❌ | ❌ |
IR38 | PIN tried too many times; request a new card or try again later | ✅ | ❌ |
IR39 | No credit account tied to credit card | ❌ | ❌ |
IR40 | Function requested can not be carried out | ❌ | ❌ |
IR41 | Lost card: request a new card | ✅ | ❌ |
IR42 | Account tied to card is not universal | ❌ | ❌ |
IR43 | Stolen card: request a new card | ✅ | ❌ |
IR44 | Investment account not on required | ❌ | ❌ |
IR45 - IR50 | Reserved for ISO use | ❌ | ❌ |
IR51 | Insufficient funds (NSF) | ❌ | ❌ |
IR52 | Checking account not associated with the card | ❌ | ❌ |
IR53 | Savings account not associated with the card | ❌ | ❌ |
IR54 | Card Expired: request a new card | ✅ | ❌ |
IR55 | Pin tried is incorrect | ❌ | ❌ |
IR56 | No record of the validity of the card | ❌ | ❌ |
IR57 | Transaction not permitted to cardholder | ❌ | ❌ |
IR58 | Transaction denied by acceptor (Potential chargeback detected) | ❌ | ❌ |
IR59 | Fraud suspected | ✅ | ✅ |
IR60 | Merchant must contact the card acquirer | ❌ | ❌ |
IR61 | Transaction exceeds card limits | ❌ | ❌ |
IR62 | Card restricted | ❌ | ❌ |
IR63 | Card information compromised (Potential chargeback detected) | ❌ | ❌ |
IR64 | Original amount incorrect, reversal | ❌ | ❌ |
IR65 | Current transactions exceeds withdrawal frequency limit | ❌ | ❌ |
IR66 | Merchant must contact the card acquirer | ❌ | ❌ |
IR67 | Hard capture | ❌ | ❌ |
IR68 | Response received too late, reversal | ❌ | ❌ |
IR69 - IR74 | Reserved for ISO use | ❌ | ❌ |
IR75 | Allowable number of PIN tries exceeded | ❌ | ❌ |
IR76 | Key synchronization error | ❌ | ❌ |
IR77 | Reserved for private use | ❌ | ❌ |
IR78 | Customer not eligible for POS | ❌ | ❌ |
IR79 | Invalid digital signature | ❌ | ❌ |
IR80 | Stale date transaction | ❌ | ❌ |
IR81 | Issuer requested standin | ❌ | ❌ |
IR82 | Count exceeds limit | ❌ | ❌ |
IR83 | Reserved for private use | ❌ | ❌ |
IR84 | Time limit for pre-authorization reached | ❌ | ❌ |
IR85 | Issuer has no reason to decline the transaction (Account Verification) | ❌ | ❌ |
IR86 | Cannot verify PIN | ❌ | ❌ |
IR87 | Check already posted | ❌ | ❌ |
IR88 | Card information not on file | ❌ | ❌ |
IR89 | Security code verification failed | ❌ | ❌ |
IR90 | Card cutoff is in progress | ❌ | ❌ |
IR91 | Card change in progress or not taking effect | ❌ | ❌ |
IR92 | Intermediate network/financial institution is unknown | ❌ | ❌ |
IR93 | Transaction is in violation of the law and will not be completed | ❌ | ❌ |
IR94 | Duplicate transaction | ❌ | ❌ |
IR95 | Error with transaction reconciliation | ❌ | ❌ |
IR96 | System error during transaction | ❌ | ❌ |
IR97 - IR98 | Reserved for national use | ❌ | ❌ |
IR99 | Card network error during transaction | ❌ | ❌ |
IR100 - IR126 | Reserved for ISO use | ❌ | ❌ |
IR127 | SEC is invalid | ❌ | ❌ |
IR128 | Address and verification check data is required for this transaction | ❌ | ❌ |
IR129 | Security code date is required for the transaction | ❌ | ❌ |
IR130 - IR131 | Transaction not permitted to cardholder | ❌ | ❌ |
IR132 | Country of the card issuer is blocked by this merchant | ❌ | ❌ |
IR133 | Incorrect MAC was sent | ❌ | ❌ |
IR134 | Standard Entry Class requirements were not met | ❌ | ❌ |
IR135 | System error during transaction | ❌ | ❌ |
IR136 | Account length error | ❌ | ❌ |
IR137 | Card information error | ❌ | ❌ |
IR138 | Security code format error | ❌ | ❌ |
IR139 | Internal authorization error | ❌ | ❌ |
IR140 | Card product code is blocked | ❌ | ❌ |
IR141 | Attempt to process a BRIC transaction on a prior PIN based transaction | ❌ | ❌ |
IR142 | CyberSource Time Out Connection to CyberSource timed out | ❌ | ❌ |
IR143 | CARD_ENT_METH supplied is not valid or required additional data not provided as defined | ❌ | ❌ |
IR144 | CARD_ID is not valid | ❌ | ❌ |
IR145 | Required PIN block not present | ❌ | ❌ |
IR146 | Card Bin is not valid for pin-less routing | ❌ | ❌ |
IR147 | Signature store did not complete | ❌ | ❌ |
IR148 | Debit PIN transactions must be swiped | ❌ | ❌ |
IR149 | DB proxy response was not processed within the time out period | ❌ | ❌ |
IR150 | Transaction declined by merchant to security code mismatch | ❌ | ❌ |
IR151 | Transaction not allowed as per a validation rule | ❌ | ❌ |
IR152 | Processing gateway full: poll again later | ❌ | ❌ |
IR153 | Authorization life cycle unacceptable | ❌ | ❌ |
IR154 | Authorization life cycled expired | ❌ | ❌ |
IR155 | Card authentication failed | ❌ | ❌ |
IR156 | Fraudulent transaction prior to embossed valid date | ❌ | ❌ |
IR157 | Credit not received | ❌ | ❌ |
IR158 | Allowable PAN entries warning -- approved | ❌ | ❌ |
IR159 | Transaction approved with card overdraft protection | ❌ | ❌ |
IR160 | Security code is invalid | ❌ | ❌ |
IR161 | Internal transaction processing error | ❌ | ❌ |
IR162 | Check not acceptable for cash | ❌ | ❌ |
IR163 | Check not acceptable | ❌ | ❌ |
IR164 | Check deposit limit exceeded | ❌ | ❌ |
IR165 | Cash back limit exceeded | ❌ | ❌ |
IR166 | Check amount does not match courtesy amount | ❌ | ❌ |
IR167 | PIN not selected for card | ❌ | ❌ |
IR168 | PIN already selected for card | ❌ | ❌ |
IR169 | Unmatched voucher information | ❌ | ❌ |
IR170 | Card number entered too many times | ✅ | ❌ |
IR171 | Expiration date not valid for card | ✅ | ❌ |
IR172 | Card status is set to inactive | ❌ | ❌ |
IR173 | Expiration date mismatch: request a new card | ✅ | ❌ |
IR174 | Item suspected for stop pay | ❌ | ❌ |
IR175 | Account associated with card was closed | ❌ | ❌ |
IR176 | Account associated with card is ineligible for the transaction | ❌ | ❌ |
IR177 | Duplicate transaction | ❌ | ❌ |
IR178 | No account associated with card on file | ❌ | ❌ |
IR179 | Unable to locate card | ❌ | ❌ |
IR180 | Transaction denied | ❌ | ❌ |
IR181 | Transaction settled via ACH | ❌ |