Best Practices for Instant Pull Payments

Product guidelines for accepting payments.

An Account Funding Transaction (AFT) to an account easily converted to cash (ATM withdrawal, Western Union money order, P2P transfer) presents unique risks because:

  1. This process can be exploited to convert stolen cards to cash in minutes.
  2. It can be difficult to demonstrate that the actual cardholder authorized and participated in the account funding transaction.

Identifying Suspicious Activity

Merchants should be able to identify indicators of suspicious activity that may point to potential fraud; this includes but is not limited to:

  • Large volumes of AFTs
  • Significant activity on an account reactivated from inactive or dormant status
  • Increasing volume of AFTs or significant fluctuations in type or volume of AFTs that are inconsistent with patterns identified in a customer’s profile
  • Change in account credentials followed by out-of-pattern AFT activity


AFT with Debit or Credit Card?

Account Funding Transactions (AFT) works regardless of the card type – debit or credit, and all the card types will be supported. To start accepting Credit as well (let’s say as a fallback mechanism), a few things you need to be aware of:
• Most Credit Card issuers treat an AFT as quasi-cash and they may incur Cash Advance fees
• Cash Advance fees, when applied, could be a flat fee or percentage
• In order to cover the above fees as well as to avoid chargebacks, you may want to apply appropriate messaging to your consumers before they place the transaction.

In addition, standard credit card acceptance fee will apply

Risk Management

To monitor transaction activity and manage risk and fraud, Merchants should implement manual or automated anomaly detection mechanisms that focus on individual account holder or peer group behavior by establishing a model of expected behavior for each account holder:

  • Analyze activity patterns of AFTs; e.g., frequency, amount, and count of AFTs.
  • Recognize significant activity on an account reactivated from inactive or dormant status.
  • Identify increasing volume of AFTs or significant fluctuations in type or volume of AFTs that are inconsistent with patterns identified in a customer’s profile.
  • Detect changes in account credentials followed by out of pattern AFT activity.
  • Establish thresholds for new or dormant accounts to monitor for large or multiple AFTs.
  • Consider segregating new accounts from existing accounts and incorporating tighter controls for new accounts.
  • Establish multi-factor authentication before account credentials can be changed or new beneficiaries are established.
  • Establish enhanced controls over changes to account profiles initiated online or via customer service representatives.
  • Monitor accounts that may have historical suspicious activity with enhanced due diligence.
  • If third party vendors and technology solutions are engaged to monitor accounts for suspicious activity, dedicate internal resources to monitor vendor performance and develop risk assessment standards for vendor engagement, such as incorporating independent code reviews and Payment Application Data Security Standard.
  • Ensure that technology solutions are updated with latest patches.
  • Establish distinct first, second and third lines of defense as customary with standard risk management practices to monitor and test design and operating effectiveness of policies, procedures and monitoring mechanisms.
  • Consider factoring key differentiators to monitor for suspicious activity and establish transaction limits based on parameters such as:
    • Geographies from and to which transactions are sent
    • Customer base
    • Risk appetite
    • Use common cardholder and payment authentication and validation processes in approvals of AFTs:
    • Payment account address validation (AVS)
    • CVV/CVV2
    • EMV 3-D Secure (3DS)
  • Post Transaction Processing:
    • Track chargebacks, reversals and declines to identify patterns.
    • Suspend or terminate accounts when fraud is detected.

TabaPay requires that all AFT programs implement and complete technical certification to use AVS and Duplicate Card Check (both enabled by TabaPay).

Third-party services (identity verification, bank account verification, and fraud scoring).

  • Ekata
  • Idology
  • Plaid
  • Socure
  • Yodlee