Risk Rules: Best Practices & Recommendations


Risk settings help your financial institution mitigate the risk involved with money movement in Narmi Banking. With Risk Manager, you have complete control of the conditions and actions (outcomes) of the risk rules you put in place. Benefits of setting risk rules include:

  1. Mitigate fraud

  2. Emulate segmentation

  3. Customize user experiences

  4. Maintain complete control over ACH, wires, and user-based actions or events

Risk Rule Conditions

You can set risk rule conditions when creating new risk rules in Risk Manager. Possible risk conditions include:

  1. ACH

    • Days since external account was verified

    • Days since last user login

    • ACH transfers to this external account (day/week/month)

    • Transaction type

  2. Wires

    • User profile age (days)

    • User password reset request velocity (day/week/month)

    • User wire transaction count total

    • User email change velocity (day/week/month)

  3. Users

    • Failed login velocity (day/week/month)

    • User profile age (days)

    • Micro-deposit velocity (day/week/month)

For a complete list of available risk conditions that can be used when adding a new risk rule, please see Risk Conditions.

For instructions on how to add a new risk rule, please see Add a New Risk Rule.

Recommended Best Practices

The risk rules we recommend as a baseline for tighter controls are:

  • If a user initiates more than 5 transfers in 1 day → move to review

  • If a user initiates a transfer greater than $100 after changing their email more than once in the last 24 hours → move to review

  • If a user with an account age of less than or equal to 30 days initiates a transfer greater than $500 → move to review

  • If a user initiates a transfer to a known fraudulent routing and account number → lock user

  • If a user initiates a transfer greater than $500 to an external account that is less than 30 days old → move to review

  • If a user resets their password, changes their email, and initiates more than one transfer in 24 hours → move to review
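
As an added illustration (not Narmi's code or API), the six baseline rules above can be written as predicates over a transfer event, which makes each threshold's boundary explicit and shows a lock outcome outranking review. The field names, the denylist entry, and the lock-over-review precedence are assumptions of this example.

```python
# Illustrative model of the baseline rules; not Narmi's implementation or API.
from dataclasses import dataclass

# Constructed denylist of (routing number, account number); placeholder values.
KNOWN_FRAUD = {("000000000", "EXAMPLE-ACCT-1")}
SEVERITY = {"allow": 0, "review": 1, "lock": 2}

@dataclass
class Transfer:
    amount: float               # dollars
    transfers_24h: int          # transfers in the last day, including this one
    email_changes_24h: int
    password_resets_24h: int
    profile_age_days: int
    ext_account_age_days: int   # age of the external account in days
    routing: str
    account: str

# (name, predicate, action) for each baseline rule, in the order listed above.
RULES = [
    ("transfer_velocity", lambda t: t.transfers_24h > 5, "review"),
    ("email_churn_then_transfer",
     lambda t: t.amount > 100 and t.email_changes_24h > 1, "review"),
    ("new_profile_large_transfer",
     lambda t: t.profile_age_days <= 30 and t.amount > 500, "review"),
    ("known_fraud_destination",
     lambda t: (t.routing, t.account) in KNOWN_FRAUD, "lock"),
    ("new_external_account_large_transfer",
     lambda t: t.amount > 500 and t.ext_account_age_days < 30, "review"),
    ("reset_email_change_multi_transfer",
     lambda t: t.password_resets_24h >= 1 and t.email_changes_24h >= 1
               and t.transfers_24h > 1, "review"),
]

def evaluate(t: Transfer):
    """Return (action, matched rules); most severe action wins (assumed precedence)."""
    matched = [(name, action) for name, pred, action in RULES if pred(t)]
    action = max((a for _, a in matched), key=SEVERITY.get, default="allow")
    return action, [name for name, _ in matched]

def sample(**overrides):
    """Constructed baseline event: established user, one small transfer."""
    base = dict(amount=50.0, transfers_24h=1, email_changes_24h=0,
                password_resets_24h=0, profile_age_days=400,
                ext_account_age_days=200, routing="111111111", account="ACCT-A")
    return Transfer(**{**base, **overrides})

if __name__ == "__main__":
    print(evaluate(sample(amount=501, profile_age_days=30)))
    print(evaluate(sample(routing="000000000", account="EXAMPLE-ACCT-1")))
```
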

Use Cases

Below are some sample use cases highlighting where risk rules could be used.

New User Transfer Limit

Prevent new accounts from initiating ACH/wire transfers by adding an ACH Transfer Rule or Wire Rule that sends new user profiles for review using the condition User profile age (days) and action Move to Review. You can customize the age of the user profile to the day. In this example, any user profile less than or equal to 30 days old will not be able to initiate ACH transfers without review.

ACH transfer rule for new users with a condition and action.

New User Transfer Limit with Sub-Conditions

In this example, you can prevent new user profiles from initiating ACH/wire transfers of a certain amount by adding an ACH Transfer Rule or Wire Rule with condition User profile age (days), sub-condition Amount, and action Move to Review.

ACH transfer rule settings for new user transfer limits with a condition, sub-condition, and action.

Large Transfer Limit

In this example, you can prevent a user from transferring a certain transaction type and amount via ACH/wire by adding an ACH Transfer Rule or Wire Rule with condition Transaction type, sub-condition Amount, and action Move to Review. The transaction type can be Push (credit) or Pull (debit).

ACH transfer rule with condition transaction type, sub-condition amount, and action move to review.

Multiple Transfer Limit

In this example, you can limit the number of transfers a user can initiate in a time period by using the condition User ACH transfer velocity (day, month, or week). Here, users who initiate more than 5 ACH transfers in a day will be moved to review.

ACH Transfer Rule with condition User ACH transfer velocity (day) and action move to review.

Failed Login Attempts

In this example, you can add a User Rule with the action Lock user to lock a user after a specified number of failed login attempts. You can set this limit on a daily, weekly, or monthly basis using the condition Failed login velocity (day, month, or week).

Denial of Service Risk

Narmi does not recommend locking a user after a certain number of failed login attempts. By default, Narmi rate-limits login attempts to help mitigate brute-force and credential-stuffing attacks. These rate limits expire to ensure that users will be able to regain access to digital banking.

User rule with condition Failed login velocity (day) and action lock user.

Limiting Routing Numbers

In this example, you can send a user to review if they are trying to initiate a transfer involving other financial institutions. For example, your institution may experience higher levels of fraud with certain third parties on your platform. If this is the case, your institution may decide to send all transactions involving these parties to manual review or block the transactions altogether. In this example, an ACH Transfer Rule or Wire Rule has the condition Routing number with a specific routing number entered, and the action Move to review.

You can also add a sub-condition that limits the functionality based on the transfer amount.

ACH Transfer Rule with the condition Routing number, a specific routing number entered, and action Move to review.