Balancing Onboarding Friction
& Fraud Risk

Staff Engineer Case Study  ·  IPO Team


Navigate with arrow keys  ·  Press F for fullscreen

The Problem

Business pressure

  • Upfront KYC/EDD creates friction
  • Merchants drop off before first payment
  • Competitors onboard faster
  • Growth is being left on the table

Fraud reality

  • Scammer onboards → accepts payments → pays out fast
  • Once funds leave platform: irrecoverable
  • Monitoring alone is too slow
  • Chargeback hits weeks later
The real problem isn't "too much KYC". Fraud escapes before we can detect it.
Fix the detection window. Then reduce the friction.

Discovery: What I Need to Know First

The single most important question:
What is the median time-to-first-payout for new merchants, and what fraction of fraud loss occurs within that window?
If >50% of fraud loss happens before we can detect it, monitoring alone fails. We need a structural control.
Fraud / Risk Analysts Labeled fraud dataset, false positive rates, known fraud patterns and feature sets
Compliance / Legal Regulatory floor: what KYC we legally cannot skip under AML/PSD2. Sets hard constraints.
Data Engineers Which signals are available in real-time vs batch. ML ideas die on data latency.
Customer Ops Where friction is felt, drop-off rate per onboarding step
Platform Partners Buyer complaints, dispute rates, listing removals. Invisible to Adyen but critical for scam detection.
Key regulatory assumption Identity verification (name, ID, DOB) is the mandatory floor. EDD is deferrable and risk-triggered.

The Reframe


Leadership asked: "Can we accept more upfront risk if we monitor better?"
No. "Monitor better" is not enough if funds are gone before detection.

Compress the detection window to before first payout.

The answer is a structural payout hold for new accounts. Not faster analytics.

Structural control + async enrichment + risk-triggered EDD
= lower friction upfront and no increase in fraud loss

System Design: How New Services Connect to Existing Ones

Existing New

📋 Onboarding
Merchant signs up
asks for a risk score on sign-up
⚡ Risk Engine
Scores the new account instantly
💳 Payments
Accepts buyer payments
streams every transaction event automatically
🔍 Background Intelligence
Collects signals during hold window
🔍 Background Intelligence
After gathering signals
feeds enriched data before hold window closes
⚡ Risk Engine
Re-evaluates with richer information
🏦 Bank / Payouts
Merchant requests withdrawal
checks risk score before releasing any payout
⚡ Risk Engine
Allow, hold, or block
⚡ Risk Engine
Detects high-risk account
triggers a document request when risk is high
📁 Compliance Workflow
Requests additional docs from merchant

The Risk Engine: How It Decides in Under a Second

Think of it like a credit card fraud check: instant, invisible to legitimate users

What we already know

  • How long has this account been active?
  • How fast are they trying to pay out?
  • Does their payout volume match their payment volume?
Pre-calculated, ready in milliseconds

What is happening right now

  • How large is this payout?
  • Which bank is receiving the funds?
  • What device and location is this request from?
Captured from the live transaction

What our AI predicts

  • Pattern-matches against thousands of known fraud cases
  • Trained on historical data, updated continuously
  • Returns a fraud probability score
ML model, runs in under 50ms
Risk Engine combines all three and returns:
ALLOW: payout released HOLD: human review BLOCK: request EDD docs
Design safeguard: Rules and AI run as two independent layers. Rules (velocity limits, bank reputation, behavioural anomalies) degrade predictably and visibly. The AI score is an additional signal on top, not the sole decision-maker. If the model underperforms, rules still protect us.

The Trust Ladder: Every Merchant Earns Their Way Up

Like a new employee on probation: start with limited access, earn full access through good behaviour

New
Merchant
Cleared
Merchant
Trusted
Merchant
Onboards with minimal friction. Can accept payments immediately. First payout is held for 24-48h while we collect intelligence in the background. Merchant is not penalised, just not yet trusted.
Payout hold lifted automatically once background checks pass. Daily payout limits apply and grow over time as clean history builds. Every payout is still scored against the merchant's own behavioural baseline, not just absolute rules.
Full payout access. Limits increase as trust is earned. Accounts sharing a device, bank, or IP with a previously blocked merchant are flagged immediately, regardless of tier.
builds trust over time
When the 24-48h hold window closes, one of three outcomes:   Auto-release (most merchants)  ·  Human review (borderline cases)  ·  Block and request documents (high risk)

Background Intelligence: What We Learn During the Hold Window

While the merchant's first payout is held, we are doing homework automatically

Day 0
Merchant
onboards
24 - 48 hours of intelligence gathering
Decision
Release or
escalate
PRIMARY

Their own transactions

  • Are payment amounts suspiciously uniform?
  • Are buyers from unusual locations?
  • Any refund or dispute requests already?
  • Buyer dispute rate filed through Adyen?
We own this data. No external dependency.
ENRICHMENT

What the platform sees

  • Has the marketplace received buyer complaints?
  • Were any listings removed for fraud?
  • Dispute rate among this seller's buyers?
Adds signal when platform partners share data. Not required for the system to function.
ENRICHMENT

External checks

  • Is the destination bank account linked to known fraud elsewhere?
  • Is the email or phone number flagged in industry databases?
  • Device linked to previous bad actors?
Industry fraud data providers

How It All Fits Together: Two Moments That Matter

The system intervenes at exactly two points in the merchant journey

When a merchant signs up
1
Merchant submits identity verification (name, ID, DOB)
2
Risk Engine scores the new account instantly
3
Account activated immediately. Merchant can start accepting payments.
4
Background intelligence gathering starts automatically in the background
Merchant experience: fast and frictionless
When a merchant requests their first payout
1
Still within 24-48h window? Payout is queued, not blocked.
2
At window close, Risk Engine re-evaluates with all collected intelligence
3
Most merchants: payout released automatically, no human involved
4
High-risk accounts: payout blocked, compliance team requests documents
Fraud is stopped before money leaves the platform

Risks We Identified and How We Address Them

Stress-testing the design before we build it

RISK 1: Account seasoning
Sophisticated fraudsters wait out the 24-48h hold window, earn Tier 1, then strike with full payout access. The design's heaviest controls are front-loaded at onboarding.
HOW WE ADDRESS IT
Tier is a starting point, not a safe pass. Tier 1 has daily payout caps that grow over time. Every payout is scored against the merchant's own behavioural baseline. Accounts linked to previously blocked merchants are flagged regardless of tier.
RISK 2: Platform partner signals are fragile
The scam website detection story depends on external platforms sharing complaint data. They may refuse, delay, or format data inconsistently. The critical signal is the one we least control.
HOW WE ADDRESS IT
Our own buyer dispute data from Adyen's payment pipeline is the primary signal. We own it entirely. Platform partner data is enrichment on top, not the foundation. The system works without it; it just works better with it.
RISK 3: AI model trained on the wrong population
The ML model is trained on today's high-friction merchant cohort. Reducing friction attracts a new population the model has never seen. Model failures are silent. False negatives only appear weeks later as chargebacks.
HOW WE ADDRESS IT
Rules and AI run as two independent layers. Rules degrade visibly; AI is additive. Friction is only reduced after 3-6 months of model data on the new tier system. Model confidence distribution is monitored as an early warning signal before fraud outcomes appear.

Rollout Plan

Strengthen the backstop before opening the front door.
1 Shadow Mode Deploy RES alongside existing system. Log scores, take no action. Validate against labeled fraud data for 2–4 weeks.
2 Tier 0 Hold Enable payout hold for net-new onboardings only. Existing accounts unaffected. Tune hold window duration.
3 EDD Trigger Enable risk-triggered EDD at high-confidence threshold. Monitor false positive rate. Tune down threshold as model improves.
4 Reduce Friction Only now: remove upfront EDD from onboarding flow for low-risk profiles.
Each phase is a feature flag gate · rollback = disable flag · no big bang release

Success Metrics

Metric Target What it validates
Onboarding completion rate Friction reduction is working
Time-to-first-payout (legitimate merchants) Merchant experience improving
Fraud loss rate ($ per onboarded merchant) → or ↓ Core hypothesis: must not increase
False positive rate (legit merchants held/blocked) Model precision, trust metric
Payout hold auto-release rate Enrichment pipeline signal quality
EDD trigger precision (fraudster confirmed / triggered) Compliance workflow efficiency
RES p99 latency <100ms Non-negotiable SLA
Instrument from day 1 in shadow mode so baselines exist before any live change

Team Structure

New: Risk Platform Team

  • Owns: RES, feature store, enrichment pipeline, model serving
  • Platform team serving onboarding, payments, bank as consumers
  • Embedded data scientist (not shared), owns ML model lifecycle
  • Partner Signals workstream for webhook integrations with marketplace operators

Compliance Engineer (new role)

Bridge between legal and engineering. Understands both regulatory constraints and system design. Prevents compliance being a bottleneck on every release.

Hiring priorities

  • ML platform engineer (feature store + model serving)
  • Compliance engineer
  • Senior backend engineer (Kafka / streaming experience)

Upskilling first

Build a risk ops dashboard for fraud analysts to inspect RES decisions and override them. Do this before hiring more analysts. Tooling multiplies existing headcount.

Summary

THE INSIGHT
Compress the detection window to before first payout. Structural hold buys the time. Enrichment makes the time useful.
THE DESIGN
RES (<100ms) + Tier 0 payout hold + Kafka enrichment pipeline + risk-triggered EDD. No new infrastructure categories, all on existing Adyen stack.
THE ROLLOUT
Shadow to Hold to EDD to Friction reduction. Strengthen the backstop before opening the front door.
THE HYPOTHESIS CHECK
Success = onboarding completion ↑ AND fraud loss → or ↓. Baseline both in shadow mode. If fraud loss rises at any phase, stop and tune before proceeding.
Lower friction upfront · full fraud control · no new infrastructure categories