Risk Appetite
Prerequisites
Before defining risk appetite, understand:
- Fraud types you're protecting against
- Fraud metrics and measurement
- Economics of fraud and cost calculations
- Checkout conversion tradeoffs
TL;DR
- Risk appetite = The fraud loss level you accept to achieve business goals (conversion, growth, UX)
- No "zero fraud" without "zero revenue"—every fraud decision is a trade-off
- Conservative: under 10 bps fraud rate, under 30% false positives. Aggressive: 30-50 bps, 50-70% FPs
- Segment by customer type (new vs. returning) and transaction type (digital vs. physical)
- See Economics of Fraud for cost calculations
Defining your organization's tolerance for fraud loss vs. customer friction.
What is Risk Appetite?
Risk appetite is the level of fraud loss your organization is willing to accept to achieve business objectives (conversion, growth, customer experience).
Key Insight
There is no "zero fraud" without "zero revenue." Every fraud decision is a trade-off.
Defining Your Risk Appetite
Quantitative Targets
| Metric | Conservative | Moderate | Aggressive |
|---|---|---|---|
| Fraud Rate (bps) | Under 10 | 10-30 | 30-50 |
| False Positive Rate | Under 30% | 30-50% | 50-70% |
| Manual Review Rate | 5-10% | 2-5% | Under 2% |
| Block Rate | 3-5% | 1-3% | Under 1% |
Qualitative Factors
Consider your:
- Industry – High-risk MCCs have different norms
- Margin structure – High-margin can absorb more fraud
- Customer base – New vs. established customers
- Regulatory environment – Compliance requirements
- Competitive landscape – Friction vs. competitors (see checkout conversion)
Segmented Risk Appetite
Different segments warrant different approaches:
By Customer Type
| Segment | Risk Appetite | Rationale |
|---|---|---|
| Returning customers | Higher | Trust earned, lower fraud rate |
| New customers | Lower | Unproven, higher fraud rate |
| High-value customers | Higher | Worth the risk for LTV |
| First transaction | Lowest | Highest fraud concentration |
By Transaction Type
| Type | Risk Appetite | Rationale |
|---|---|---|
| Small purchases | Higher | Limited loss exposure |
| Large purchases | Lower | Significant single-transaction risk - use 3DS |
| Digital goods | Lower | Instant delivery, no recovery - see third-party fraud |
| Physical goods | Moderate | Delivery delay allows intervention |
Operationalizing Risk Appetite
Translate to Rules
IF customer_tenure > 12_months AND prior_orders > 5:
    threshold = "permissive"
ELIF new_customer AND order_value > $500:
    threshold = "strict"
ELSE:
    threshold = "standard"
See processor rules configuration for implementation.
Regular Calibration
- Monthly: Review fraud rate vs. target
- Quarterly: Adjust thresholds based on performance
- Annually: Strategic review of risk appetite
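The rule from "Translate to Rules" and the monthly review can be combined into one check, shown here as an added example that is not part of the original page or any processor's rule syntax. The order field names, the definition of fraud rate as fraud dollars over sales dollars in basis points, the handling of the table's shared band boundaries, and the sample month are all assumptions made for illustration.

```python
from collections import defaultdict

# Bands from the Quantitative Targets table; shared boundaries go to the higher band (assumption).
ORDER = ["conservative", "moderate", "aggressive", "outside table"]

def select_threshold(tenure_months, prior_orders, is_new, order_value):
    """The rule from 'Translate to Rules': threshold tier for one order."""
    if tenure_months > 12 and prior_orders > 5:
        return "permissive"
    if is_new and order_value > 500:
        return "strict"
    return "standard"

def fraud_rate_bps(fraud_amount, sales_amount):
    """Fraud loss in basis points of sales volume (assumed definition)."""
    if sales_amount <= 0:
        raise ValueError("fraud rate is undefined without sales volume")
    return fraud_amount / sales_amount * 10_000

def band_for(bps):
    """Map an observed fraud rate to a posture band from the table."""
    if bps < 10:
        return ORDER[0]
    if bps < 30:
        return ORDER[1]
    return ORDER[2] if bps <= 50 else ORDER[3]

def monthly_review(orders, target_band):
    """Per threshold tier: (fraud bps, observed band, within target?)."""
    totals = defaultdict(lambda: [0.0, 0.0])  # tier -> [fraud $, sales $]
    for o in orders:
        tier = select_threshold(o["tenure_months"], o["prior_orders"],
                                o["is_new"], o["value"])
        totals[tier][0] += o["value"] if o["fraud"] else 0.0
        totals[tier][1] += o["value"]
    report = {}
    for tier, (fraud, sales) in totals.items():
        bps = round(fraud_rate_bps(fraud, sales), 1)
        band = band_for(bps)
        report[tier] = (bps, band, ORDER.index(band) <= ORDER.index(target_band))
    return report

def make_orders(n, n_fraud, **fields):
    """Build n constructed orders, the first n_fraud of them marked fraud."""
    return [dict(fields, fraud=i < n_fraud) for i in range(n)]

# Constructed sample month (not real data): three customer segments.
SAMPLE = (make_orders(2000, 1, tenure_months=24, prior_orders=10, is_new=False, value=50.0)
          + make_orders(100, 1, tenure_months=0, prior_orders=0, is_new=True, value=600.0)
          + make_orders(500, 1, tenure_months=0, prior_orders=0, is_new=True, value=40.0))
```

Calling `monthly_review(SAMPLE, "moderate")` shows the "strict" tier running at 100 bps, outside the table's bands, while the other two tiers sit within a moderate target: the per-tier view that a single blended fraud rate would hide.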
Next Steps
Defining your risk appetite?
- Set quantitative targets - Pick your thresholds
- Segment by customer type - Different rules for different segments
- Understand the economics - Know the cost trade-offs
Operationalizing risk appetite?
- Configure processor rules - Translate to rules
- Set up risk scoring - Combine signals
- Build velocity rules - Implement limits
Optimizing existing approach?
- Review fraud metrics - Know your current rates
- Check network thresholds - Stay below limits
- Balance with conversion - Monitor friction
Related Topics
- Economics of Fraud - Cost calculations
- Rules vs. ML - Detection approaches
- Fraud Prevention - Prevention strategies
- Risk Scoring - Combining signals
- Velocity Rules - Rule-based detection
- 3D Secure - Authentication trade-offs
- Manual Review - Review costs
- Fraud Metrics - Measuring performance
- Chargeback Metrics - Dispute costs
- Checkout Conversion - Friction impact
- Auth Optimization - Approval rate impact
- Network Programs - Threshold consequences