Risk Appetite
On this page
Before defining risk appetite, understand:
- Fraud types you're protecting against
- Fraud metrics and measurement
- Economics of fraud and cost calculations
- Checkout conversion tradeoffs
- Risk appetite = The fraud loss level you accept to achieve business goals (conversion, growth, UX)
- No "zero fraud" without "zero revenue." Every fraud decision is a trade-off
- Conservative: under 10 bps fraud rate, under 30% false positives. Aggressive: 30-50 bps, 50-70% FPs
- Segment by customer type (new vs. returning) and transaction type (digital vs. physical)
- See Economics of Fraud for cost calculations
Risk appetite is the level of fraud loss your organization deliberately accepts to preserve revenue, conversion, and customer experience. Every fraud decision is a tradeoff: a conservative approach (under 10 bps fraud rate) blocks more good customers, while an aggressive approach (30-50 bps) lets more fraud through but maximizes sales. This page covers how to set quantitative targets, segment by customer and transaction type, and translate risk appetite into operational rules.
SMB Risk Appetite in Plain English
If the table below feels abstract, here's what risk appetite means in practical terms for smaller merchants:
| Approach | What It Means | False Positive Rate | Best For |
|---|---|---|---|
| Conservative | "I'll decline the occasional good customer to block fraud" | 0.5-1% of good orders declined | Under $500K/month. The cost of a false positive (one $100 order) is lower than the cost of sophisticated fraud tools. |
| Balanced | "I want to block obvious fraud without annoying customers" | 1-3% of good orders declined | $500K-$5M/month. You have enough volume that false positives start to matter, but fraud losses also add up. |
| Aggressive | "I'd rather lose a few dollars to fraud than lose a good customer" | Under 0.5% of good orders declined | When your fraud rate is already low and customer retention is your priority. Requires confidence in your detection tools. |
If you're under $500K/month, "conservative" is almost always correct. The math is simple: a blocked $100 order costs you $30 in margin. A fraud tool that reduces false positives by 1% saves you maybe $150/month. That's not worth $500+/month in tool costs. Start conservative, and only loosen your thresholds when false positive complaints become a real business problem.
What is Risk Appetite?
Risk appetite is the level of fraud loss your organization is willing to accept to achieve business objectives (conversion, growth, customer experience).
There is no "zero fraud" without "zero revenue." Every fraud decision is a trade-off.
Defining Your Risk Appetite
Quantitative Targets
| Metric | Conservative | Moderate | Aggressive |
|---|---|---|---|
| Fraud Rate (bps) | Under 10 | 10-30 | 30-50 |
| False Positive Rate | Under 30% | 30-50% | 50-70% |
| Manual Review Rate | 5-10% | 2-5% | Under 2% |
| Block Rate | 3-5% | 1-3% | Under 1% |
Qualitative Factors
Consider your:
- Industry – High-risk MCCs have different norms
- Margin structure – High-margin can absorb more fraud
- Customer base – New vs. established customers
- Regulatory environment – Compliance requirements
- Competitive landscape – Friction vs. competitors (see checkout conversion)
Segmented Risk Appetite
Different segments warrant different approaches:
By Customer Type
| Segment | Risk Appetite | Rationale |
|---|---|---|
| Returning customers | Higher | Trust earned, lower fraud rate |
| New customers | Lower | Unproven, higher fraud rate |
| High-value customers | Higher | Worth the risk for LTV |
| First transaction | Lowest | Highest fraud concentration |
By Transaction Type
| Type | Risk Appetite | Rationale |
|---|---|---|
| Small purchases | Higher | Limited loss exposure |
| Large purchases | Lower | Significant single-transaction risk - use 3DS |
| Digital goods | Lower | Instant delivery, no recovery - see third-party fraud |
| Physical goods | Moderate | Delivery delay allows intervention |
Operationalizing Risk Appetite
Translate to Rules
IF customer_tenure > 12_months AND prior_orders > 5:
threshold = "permissive"
ELIF new_customer AND order_value > $500:
threshold = "strict"
ELSE:
threshold = "standard"
See processor rules configuration for implementation.
Regular Calibration
- Monthly: Review fraud rate vs. target
- Quarterly: Adjust thresholds based on performance
- Annually: Strategic review of risk appetite
Next Steps
Defining your risk appetite?
- Set quantitative targets - Pick your thresholds
- Segment by customer type - Different rules for different segments
- Understand the economics - Know the cost trade-offs
Operationalizing risk appetite?
- Configure processor rules - Translate to rules
- Set up risk scoring - Combine signals
- Build velocity rules - Implement limits
Optimizing existing approach?
- Review fraud metrics - Know your current rates
- Check network thresholds - Stay below limits
- Balance with conversion - Monitor friction
Related Topics
- Economics of Fraud - Cost calculations
- Rules vs. ML - Detection approaches
- Fraud Prevention - Prevention strategies
- Risk Scoring - Combining signals
- Velocity Rules - Rule-based detection
- 3D Secure - Authentication trade-offs
- Manual Review - Review costs
- Fraud Metrics - Measuring performance
- Chargeback Metrics - Dispute costs
- Checkout Conversion - Friction impact
- Auth Optimization - Approval rate impact
- Network Programs - Threshold consequences