Links

Intro to Risk

Risk, with regard to financial products, typically falls into two primary categories: Financial Risk and Regulatory Risk. While Financial Risk leads to direct losses to your operating capital, Regulatory Risk can lead to regulatory fines or other penalties. Ultimately both categories of risk have the potential to impact your operating capital, can impact your reputation, and in extreme cases may lead to the suspension of your program altogether.
Since both categories can cause disruptive events for your business, we recommend building Financial and Regulatory risk reduction strategies. In this resource, we will break down both types of risk and provide guidance to help you address them.

Financial Risk

Financial Risk exists when a user spends funds in their account without intending to repay them or uses the "float" (the time it takes for transactions to process and settle) to overspend. In the case of Credit Hub, this can occur by taking credit from you, but then defaulting on the repayment obligation. While in the case of Deposit, it can occur by funding their account via one of the Payment Accounts and spending the funds knowing that that original transaction will return, thus overdrawing their balance and leaving the platform with limited options to recoup funds. Other than Provisional Credit and Credit Extensions, financial risk is primarily created by providing customers access to Payment Accounts. Since payments can return up to 60 days after a credit has been applied to a customer's account, payment processing exposes you to financial loss risk.
Based on the above statement, a valid conclusion is that most of your financial risk can be adjusted by adjusting access to Payment Accounts. With that in mind, here are some examples of how you might choose to design your Financial Risk Policy, based on your overall risk appetite:
Risk Appetite
Policy
Conservative
We will not provide payment origination products to any customers. All customers will be required to fund their accounts with us via direct deposit or cash deposits that do not pose return risk.
Moderate
Before the policy, here are some definitions: ID Score A probabilistic score (0-1) assigned to all users at the time of onboarding that predicts the likelihood that the identity supplied belongs to the person who is creating the account. 1 meaning we are 100% certain that the user is who they say they are. 0% means with 100% certainty we can say that the user is not who they say they are.
Risk Score A probabilistic score (0-1) assigned to all users who are utilizing their accounts which predicts the likelihood that their subsequent transactions will lead to a financial loss.
Policy Reducing Onboarding Risk
We will be utilizing ID Score to reduce stolen profiles in our system, the idea being that a user is less likely to fraud us with their real identity. If a user's ID Score is below 0.8, we will be collecting additional documentation and performing enhanced due diligence before onboarding them to the platform.
Reducing Ongoing Risk
On top of that, we will be utilizing Risk Score to put people in green (over 0.9), yellow (0.5-0.89), and red (below 0.5) paths. Where the green path will give users uninterrupted access to all payment products, yellow will reduce all payment limits by 50% and red will reduce limits by 90%.
Aggressive
We will provide all payment products to customers and assume that financial fraud is an acceptable risk to the business.
We currently provide a solution for ID Score. Go to ID Score Product Guide to learn more.
Following are more details on Financial Risk by types:

ACH

ACH is a one-way messaging system for payment processing. Meaning, that a transaction in ACH is assumed to have succeeded unless the receiving bank sends a failure notice.
Based on the reason for failure, the receiving bank can have up to 60 days to return a transaction, assuming they have return rights. In practice this means if you released an ACH credit in 3 business days to your user, you might still receive a return up to 57 days later. Here are the most common return reasons:
❌ = Will not lock the user or node. ✅ = Will lock the user or node.

Returns Codes

Code
Description
Locks Node
Locks User
R01
Insufficient Funds
R02
Account Closed
R03
No Account/Unable to Locate Account
R04
Invalid Account Number
R06
Returned Per ODFI's Request
R07
Authorization Revoked by Customer
R08
Payment Stopped
R09
Uncollected Funds
R10
Customer Advises Not Authorized
R11
Check Safekeeping Entry Return
R12
Branch Sold To Another DFI
R13
RDFI Not Qualified to Participate
R14
Account Holder Deceased
R16
Account Frozen
R17
File Record Edit Criteria
R20
Non-Transaction Account
R21
Invalid Company Identification
R22
Invalid Individual ID Number
R23
Credit Refused by Receiver
R24
Duplicate Entry
R29
Corporate Customer Advises Not Authorized
R31
Permissible Return Entry
R33
Return of XCK Entry
R34
Limited participation DFI
These returns are broken into three categories:

Unauthorized

These returns occur when the account holder of the ACH account informs their bank (receiving bank) that the transaction was not authorized by them. NACHA guidelines allow account holders to take up to 60 days to dispute these kinds of transactions. Return codes R07, R10, and R29 signify unauthorized returns.

Administrative

Administrative returns indicate that a transaction was returned due to administrative or account data errors. They occur within 3 business days of settlement. Return codes R02, R03, and R04 signify administrative returns.

Others

The rest of the returns are just other types of returns allowed by the ACH network. Like Administrative, these returns also occur within 3 business days of settlement.

Dishonoring a Return

Dishonoring a return is only allowed in circumstances where the return notice is late. This means, if Administrative and Other returns are coming to us after 3 business days or Unauthorized are coming after 60 days, then they can be dishonored. Otherwise, all other ACH Returns must be honored in compliance with the NACHA consumer protection guidelines.

Interchange

Unlike ACH, Interchange (more popularly know as acquiring) is capable of giving you failure notices in realtime in almost all circumstances. However, there are some scenarios, known as chargebacks that can take up to 120 days.
Based on the reason for failure, the receiving bank can have up to 120 days to fail a transaction. This means, if you released an Interchange credit instantly to your user, you might still receive a failure notice (also known as a Chargeback) up to 120 days later. Here are the most common failure reasons:

Failure Codes

Code
Description
Locks Node
Locks User
IR01
More information is needed from the card issuer
IR02
Refer to card issuer's unique transaction rules
IR03
Not recognized as a valid merchant
IR04
Card not activated for transaction use
IR05
Suspicious activity; do not honor this card's transactions
IR06
Error during transaction process
IR07
Card has unique conditions; currently not activated for transaction use
IR08
Needs more identification to process the transaction
IR09
Transaction requested; currently in progress
IR10
Transaction amount partially approved
IR11
Approved but not processed
IR12
Transaction invalid
IR13
Transaction amount invalid
IR14
Card number does not exist
IR15
Card issuer does not exist
IR17
Customer canceled/reversed payment
IR18
The customer reversed the transaction: chargeback
IR19
Please retry the transaction
IR20
Response from the card processor was invalid
IR21
Transaction formatted incorrectly (Potential reversal detected)
IR22
Suspected malfunction, reversal
IR23
Transaction fee was unacceptable
IR24
File update not supported by receiver
IR25
Unable to locate record on file
IR26
Duplicate file update record, no action taken
IR27
File update field edit error
IR28
Field update record locked out
IR29
File update not successful, contact the acquirer
IR30
Transaction formatted incorrectly (Potential reversal detected)
IR31
Transaction must be initiated in person, bank not supported by "switch"
IR32
Completed partially, reversal
IR33
Expired card, pick-up
IR34
Suspected fraud, pick-up
IR35
Card acceptor must contact acquirer, pick-up
IR36
Restricted card, pick-up
IR37
Merchant must contact the card security
IR38
PIN tried too many times; request a new card or try again later
IR39
No credit account tied to credit card
IR40
Function requested can not be carried out
IR41
Lost card: request a new card
IR42
Account tied to card is not universal
IR43
Stolen card: request a new card
IR44
Investment account not on required
IR45 - IR50
Reserved for ISO use
IR51
Insufficient funds (NSF)
IR52
Checking account not associated with the card
IR53
Savings account not associated with the card
IR54
Card Expired: request a new card
IR55
Pin tried is incorrect
IR56
No record of the validity of the card
IR57
Transaction not permitted to cardholder
IR58
Transaction denied by acceptor (Potential chargeback detected)
IR59
Fraud suspected
IR60
Merchant must contact the card acquirer
IR61
Transaction exceeds card limits
IR62
Card restricted
IR63
Card information compromised (Potential chargeback detected)
IR64
Original amount incorrect, reversal
IR65
Current transactions exceeds withdrawal frequency limit
IR66
Merchant must contact the card acquirer
IR67
Hard capture
IR68
Response received too late, reversal
IR69 - IR74
Reserved for ISO use
IR75
Allowable number of PIN tries exceeded
IR76
Key synchronization error
IR77
Reserved for private use
IR78
Customer not eligible for POS
IR79
Invalid digital signature
IR80
Stale date transaction
IR81
Issuer requested standin
IR82
Count exceeds limit
IR83
Reserved for private use
IR84
Time limit for pre-authorization reached
IR85
Issuer has no reason to decline the transaction (Account Verification)
IR86
Cannot verify PIN
IR87
Check already posted
IR88
Card information not on file
IR89
Security code verification failed
IR90
Card cutoff is in progress
IR91
Card change in progress or not taking effect
IR92
Intermediate network/financial institution is unknown
IR93
Transaction is in violation of the law and will not be completed
IR94
Duplicate transaction
IR95
Error with transaction reconciliation
IR96
System error during transaction
IR97 - IR98
Reserved for national use
IR99
Card network error during transaction
IR100 - IR126
Reserved for ISO use
IR127
SEC is invalid
IR128
Address and verification check data is required for this transaction
IR129
Security code date is required for the transaction
IR130 - IR131
Transaction not permitted to cardholder
IR132
Country of the card issuer is blocked by this merchant
IR133
Incorrect MAC was sent
IR134
Standard Entry Class requirements were not met
IR135
System error during transaction
IR136
Account length error
IR137
Card information error
IR138
Security code format error
IR139
Internal authorization error
IR140
Card product code is blocked
IR141
Attempt to process a BRIC transaction on a prior PIN based transaction
IR142
CyberSource Time Out Connection to CyberSource timed out
IR143
CARD_ENT_METH supplied is not valid or required additional data not provided as defined
IR144
CARD_ID is not valid
IR145
Required PIN block not present
IR146
Card Bin is not valid for pin-less routing
IR147
Signature store did not complete
IR148
Debit PIN transactions must be swiped
IR149
DB proxy response was not processed within the time out period
IR150
Transaction declined by merchant to security code mismatch
IR151
Transaction not allowed as per a validation rule
IR152
Processing gateway full: poll again later
IR153
Authorization life cycle unacceptable
IR154
Authorization life cycled expired
IR155
Card authentication failed
IR156
Fraudulent transaction prior to embossed valid date
IR157
Credit not received
IR158
Allowable PAN entries warning -- approved
IR159
Transaction approved with card overdraft protection
IR160
Security code is invalid
IR161
Internal transaction processing error
IR162
Check not acceptable for cash
IR163
Check not acceptable
IR164
Check deposit limit exceeded
IR165
Cash back limit exceeded
IR166
Check amount does not match courtesy amount
IR167
PIN not selected for card
IR168
PIN already selected for card
IR169
Unmatched voucher information
IR170
Card number entered too many times
IR171
Expiration date not valid for card
IR172
Card status is set to inactive
IR173
Expiration date mismatch: request a new card
IR174
Item suspected for stop pay
IR175
Account associated with card was closed
IR176
Account associated with card is ineligible for the transaction
IR177
Duplicate transaction
IR178
No account associated with card on file
IR179
Unable to locate card
IR180
Transaction denied
IR181
Transaction settled via ACH