Best Practices for Instant Payouts
Risk Management Considerations and Merchant Responsibilities
- All disbursements to the beneficiary (i.e. ultimate card or account holder) are considered final
- Merchants must ensure compliance with all applicable local laws and regulations.
- Merchants must employ transaction monitoring mechanisms to detect anomalous activity, including fraud and money laundering, as well as the misuse of the disbursement for the payment of goods and services
- Merchants must have a robust, bank reviewed and approved Anti-Money Laundering (AML) program in place in accordance with local laws and regulations.
- Merchants are responsible for conducting Know Your Customer (KYC) checks on their customers and including sender data in the disbursements.
- Merchants must not disburse a daily amount greater than the amount held in their account used to fund disbursement activity. The account is generally opened at the Sponsor Bank and should be pre-funded with ~1 day of processing activity. TabaPay will set a daily aggregate disbursement limit and sends Merchant an alert once a certain threshold is reached (default 90%)
- Merchants must provide appropriate terms and conditions, disclosures, fee information, transaction confirmation, receipts, and notifications to customers and users.
|Required Transaction Receipt Content:|
|☐ Sender name|
☐ Recipient name
☐ Sender’s payment credential (masked and/or truncated)
☐ Date and time of transfer
☐ Amount of transfer in the sender’s currency and/or recipient’s currency
☐ Total amount paid (i.e., amount of transfer plus any fees)
☐ Fees associated with the transaction
☐ Foreign currency conversion rates for cross-border transactions
☐ Sender Reference Number
☐ Description (e.g., Money Transfer)
A Merchant’s transaction monitoring system should consider the following:
- Transaction limits
- The geographies from and to which transactions are sent
- Models of expected behavior for each account holder, including types of disbursements they send, frequency of disbursements and subsequent withdrawal activity, the number of disbursements, and the senders and recipients of the disbursements.
- Accounts that may have historical suspicious activity should be monitored with enhanced due diligence.
Examples of Suspicious Activity
- Change in account credentials following out-of-pattern disbursement activity
- Large volume of transactions immediately followed by cash withdrawals, conversion to monetary instruments, payments to a third-party or transfer of funds to a different account
- Significant activity on account reactivated from inactive or dormant status which may or may not include subsequent withdrawals to deplete transferred money
- Increasing volume of disbursements or significant fluctuations in type or volume of disbursements that are inconsistent with patterns identified in a customer’s profile
- Several disbursements during the same day or over a span of a few days from the same sender (sender data is included in every disbursement) or different senders who share the same common identifiers such as family name, address, or telephone
- Large disbursements from foreign jurisdictions not consistent with account activity or from countries known to be associated with terrorist activity
- Upon receipt of disbursements, increasing volume of cross-border transfers or transfers to beneficiaries in countries known to be associated with terrorist activity
- Recipient reports that they do not know the sender(s) of disbursements
- Bust-Out/Sleeper Fraud: A fraudster opens an account and establishes a history of successful transactions over a period and then ‘busts-out’ of this pattern with large transactions.
Verify that the person providing card/account details is the intended recipient. Account takeover is a real risk with disbursements.
- Require recipient login: Require recipient to provide login/password to payer page or app (e.g., recipient logs into insurance company site to provide debit card).
- IP address matching: Validate that the IP address from which the recipient is providing the PAN matches IP addresses that the merchant has previously seen for this individual.
- Two-factor Authentication: After collecting PAN, send a text or email (using phone number or email address on file) with an authentication code that the recipient must provide back to the merchant before disbursement is processed.
Account Validation and Verification
- Look up key characteristics of the recipient card (e.g., country, card type, block status, etc.) and verify account (e.g., screen for lost, stolen or expired accounts).
- Validate the address by performing a AVS check. This will verify that the address on file with merchant matches the address on file with the issuer of the recipient PAN.
- Require Card Verification Value (CVV2) and validate before proceeding
- Use $0 Account Verifications Requests to verify the account is open and in good standing.
Updated 4 months ago