Most real payment processors (e.g. banks, merchant services companies) “underwrite” a company BEFORE allowing them to process. Underwriting means they look over the business model, financials, etc and make sure the business is an acceptable risk, not doing anything illegal or against their terms, etc. So you’re more likely to be declined initially, but if you’re lit up, you should be good for the future because the underwriters actually saw the deal and approved it.

While I haven’t worked for these other companies, a lot of experience seems to show that Stripe, Square and PayPal operate differently: they light up ANYONE, and then only underwrite when the account hits a critical threshold of revenue. So it’s easy to get an account there, but if you scale up, that’s when you’ll be scrutinized and potentially terminated. It’s a very unethical practice because it ends up hitting businesses at the worst possible time, when the termination or suspension causes a huge financial hit.

So basically, always have a backup processor and use these web based services at small scale to prove out your model, but NEVER rely on them as your sole payment solution.

When you use Stripe or Paypal or similar, you don't apply for your own merchant account. You make transactions using their merchant account. If there's a fraud or chargeback percentage issue, the banks will have a problem with them, not you, but it also means the service needs to be proactive in policing their clients so the banks never come after their merchant accounts.

When starting up a company, use a Stripe or a Paypal to get up quickly, but probably ramp up to using multiple quickly, so you have backups. As your revenue increases, apply for a merchant account and move your transactions over to that. There is an upfront cost, but the processing fees are significantly cheaper, and no one will pull the rug out from under you without quite a bit of correspondence. Even when using your own merchant account, you can find processors who will handle all the credit card input and transmission on their end instead of on your site, which greatly limits your PCI compliance requirements. Regardless, when you build your service, abstract the payment process such that you can easily add or switch providers. Don't be married to a single one, because at the least you should be switching to a merchant account when the application fee is lower than the transaction fee percentage difference.

Source: I also worked for (and was the principle developer of) a high risk payment processor, providing a processing gateway for individual merchant accounts serviced by an ISO. We tried to look at becoming an IPSP (I think that's the acronym), letting customers leverage our merchant accounts like Stripe or Paypal do, but it was significantly more work and process with credit card companies than we wanted to deal with.

Stripe makes this super easy, but it is a house of cards based on stories like this one. So I agree, you still need to get your own merchant account, and not rely on stripe as you get larger, but depending on your business model it might be taking more of your time generating due diligence documents than an acquisition.

Is there an X.509-based hierarchical bank registrar system for charge-origination signing certificates, for putting charges onto the card networks? Is there a DNS registry of merchant accounts for pre-checking charges before attempting them? Do banks underwrite other banks into existence by signing their certs?

In short, it's a different category of risk than the category that an individual business or even a business that is acting as a middleman for transactions takes on. And it's a different category precisely because most of the solutions aren't technical; they're legal, social, and financial. If a bank gets screwed it just gets screwed; even if the law intervenes to deal with transgression, money is often just gone as a result of such fraud. So they are comparatively more conservative in their decision-making.

This is probably what a business like OP's would need to do. When their customers are small, use a processor like Paypal or Stripe. But as customers get larger, OP should probably do what we did: partner with an ISO, who can get the customer their own merchant account. OP still does the processing for them, but the risk and finances run directly through the client, not OP. The ISO can also add in a margin on the transaction fees for OP if that's part of their business model.

With an actual merchant account you can probably get closer to 2% or at least 2.5% + 25-30¢

At 5 million in transaction revenue, a .5% decrease would be 25k a year. You can probably get a larger decrease depending on how much risk your company's business has.

Stripe's sales rep might be contacting your company because you've hit the threshold where it's probably worth getting a merchant account, and they want to see if you're considering leaving to give you a discounted rate to stay. You're pretty much in Stripe's retention department because of your volume. It is definitely worthwhile at this point for your company to shop around for a merchant account. Some don't even have application fees if you're not a high risk business. At the least they can get an idea of how much they could save, and use that to leverage lower fees from Stripe.

I would still consider trying for a processing gateway that handles all the card transmission, though, even at a slightly higher margin. Handling the card at all means you need PCI Compliance. At your revenue you're probably PCI Level 2 or 3, which only requires a self-assessment questionnaire (that is lengthy but doable), and a quarterly vulnerability scan. At 6 Million transactions a year, you'll be PCI Level 1, which means you'll need an auditor to come in and look at your processes and policies.

If you’re using a gateway, there are some that Handle tokenization so you never have to touch the PANs and you don’t have to worry about PCI levels and audits. There’s no reason your systems should be touching PANs unless you’re really large and using multiple payment processors for scalability and redundancy like if you need to process a million transactions in a few hours.

https://www.merchantmaverick.com/what-is-a-merchant-services...

Seems what they posted above is accurate.

For processors starting out, there's nothing wrong with using Stripe or Paypal etc. When you ramp up to using your own Merchant Account, Authorize.net isn't too bad as long as you're not doing recurring payments (those get tricky), or maybe even Rocketgate.

There are others, I know of this spanish startup integrating with stripe.

In this way,you can have both your bank TPV/ Payments and Stripe working alongside, if any fails just put the other, or the one giving better prices by default, etc

https://monei.com/es/features/payments-orchestration/

https://woocommerce.com/product-category/woocommerce-extensi...

We write a few a high risk accounts per month. As a matter of fact I just had a call center run across my desk a few hours ago.

Exhaust all underwriting options as each processor has a different risk tolerance. For instance this call center is now using NMI and a rolling reserve, I've found another processor (one of the big 5) that will not fall under the High Risk thus saving a boat load not to mention negating the accounting nightmare that comes with rolling reserves and high risk processing.

Its much harder to engineer a payment abstraction layer with recurring payments where you're not relying on Stripe's subscription features that are not migratable to another payment processor.

Payment processing is a possible point of failure. Chances of it failing? I think anyone who's read HN/Reddit/etc would have to evaluate the chances as fairly high. Cost to the business of it failing? Often extremely high.

Having done this analysis, you can look at mitigations: sign up with both PayPal and Stripe, get a merchant account, etc.

Then build the redundancy into your system. Yes, this probably means you cannot use the fancy features because there's no good cross-provider abstraction. That's the cost: you might have to implement recurring transactions yourself.

This happens over and over again. Your individual business is worth basically nothing to your cloud provider, your payments provider, your CDN, your domain registry, etc. They do not care if it breaks.

You have to have redundancy for anything you cannot operate without.

I guess in the case of the orchestrator you linked they retain the card details and can then charge using any of n processors, though I'd be interested in thoughts from the overall thread where people are advising to be ready to change payment processor

You forgot the part where Paypal get to keep your money when they close your account. And it's not like they only keep it temporarily in case of lawsuits/chargebacks, they just keep it forever. I still can't believe that crap is legal.

When I was involved with taking payments through paypal that's what we did. For us there was no value in keeping payments in there but there was plenty of risk. We stopped using them very quickly though, their fees were ridiculous.

This doesn't really help. When you link your bank account with PayPal the link is 2 way. I.e. PayPal can, without any input from you, transfer money out of your account. They can even do that if the account is empty. Your bank will almost certainly allow an overdraft on your account and you're still liable for the amount + overdraft fees.

I had some issues with PayPal about a year ago and a senior rep at my bank talked me through these details.

With my bank, it wasn't even possible to turn off the overdraft feature.

Bottom line is, PayPal almost always wins.

Or perhaps I am missing something here?

But yes, please remove overdraft from your accounts. I have no input to offer on paypal at this time.

P.S. Are you in the U.S.? I am just really surprised they bank deemed overdraft as a necessary feature in your case. I am personally interested in this case.

1. Overdrafting. My bank would not allow me to turn off overdrafting on my checking account; any money in my savings account would be used to cover an underfunded purchase from my debit card, causing a $25 fee and there was nothing I could do about this, short of closing my savings account or reducing the amount of money in it. Since free checking was dependent on a linked savings account with $500 minimum balance, this wasn't an option. The overdraft/fee could cause the savings account balance to go below the minimum, and if I didn't notice I'd get a $25 fee for my savings account as well.

2. The school would constantly charge my debit card as a credit card, and the transaction wouldn't appear for up to two days. Doesn't really help me keep track of my balance when transactions don't show up. Cashiers at the student store could usually process the card properly, but every time I bought something to eat at the cafeteria it would process as credit, regardless of what I told them.

Today, I think bank policies have changed (though I switched banks before this) and I believe you can disable overdrafting on most large banks (WF and BofA, anyways)

If you login during a vacation overseas and get your account locked, they keep everything in it. Doesn't matter if you never did any transactions yet and all that money is yours from the bank account you linked. If you get banned, you lose it. Getting your account and/or your money back is about the same level of difficulty as getting unbanned from a google account. It's not impossible, but be prepared to take them to court.

If you only use PayPal to purchase things online, the protection is great, but you don't want to be on the other end of that transaction.

Trying to get money from a real bank account (Lloyds in England) after moving out of the country was much harder though. It involved writing several letters and getting a policeman to stamp something, as well as multiple phone calls, including to several staff who gave me wrong advice. But still, they returned my money eventually.

You probably already knew that, but for the benefit of anyone reading this who didn't.

Always have at least two payment processors. If you've got a lot of money on the line, get a third lined up, too.

I agree with you, as you grow, you have to diversify. However, services like Stripe Connect are more difficult and time consuming to replicate. Stripe connect handles the processing of many different accounts and handles skimming the commissions and then depositing the proceeds into the individual bank accounts of your users after doing some cursory KYC. This service is of course not compatible with similar services offered by other processors, so you will have to write all the handling logic and integrate with the KYC providers and possibly separate ACH deposit providers on your own.

In other words, there is a lot of lock-in with services like Stripe Connect.

If you're running a business and you find that it is utterly dependent on some single point of failure, you'd think that would be something you'd want to correct ASAP.

... which is to say that, yes, you and I as people who work deeply in a space, of course we know this thing is a SPOF. Everyone else? They don't know that. It took me a long time to acquire the empathy needed to talk them through this stuff, but it made me a better communicator, and it helped an awful lot of them understand.

Everything was fine, up until right after Thanksgiving. This was an ecommerce company, so a sudden 500% increase in authorization volume is pretty normal and expected. Well, not to Costco ( or rather, the bank whose services they were reselling ). Our account was immediately deactivated, and we ended up having to spend a week begging our previous bank to reactivate our previous account.

That first night was, personally, an all-nighter writing janky code to encrypt cardholder data with ephemeral keys and store it off-database on an isolated, firewalled host (in order to pass the PCI-DSS SAQ coming to us in January), ship the product anyway, and hope that we'd be able to authorize a reasonable percentage of that unauthenticated cardholder data in the future.

This is what happens when you make business decisions based purely on price -- or in the case of Stripe, developer convenience.

Initial form questions like "tell us if you have ever been to hospital for anything serious?", you're thinking "I'm not sure if that time I dropped in to the GP 5 years ago with a headache counts as serious [same for other things that seem trivial over the years, just being sensible]".

You phone the insurer to check, they say "oh there's no need to put that down, it's not meant for trivial things, you'd have to write an essay in a small box if we meant literally anything conceivable; don't worry about it". You couldn't possibly hope to remember every tiny thing over the years anyway, unless you had access to your various written medical records held by various parties.

10 years of premium payments later you make a claim because you now have MS, you need support and treatment, a brain scan confirms physical issues, and..... "your policy is invalid because you didn't tell us about that time you went in about a headache 15 years ago". They still keep the 10 years of premiums though.

You take them to court. Your lawyer mentions that this is extremely common practice by health insurance companies. They don't provide you with any way to confirm if your policy is valid until you make a claim, then it's too late. You did what you thought you were supposed to do. The lawyer says most people who then take the insurer to court are unable to prove they were misled, and the insurer keeps the premiums you paid despite not providing any actual insurance.

Don't ask me how I know.

I am disappointed the American people is simply putting up with this healthcare situation. I don't think it matters if your doctors welcome room is fancy. Or they have 10 administrators replying to you within minutes. In the end you want to be treated fast and efficiently, and it fails. But I digress.

I can see why paypal does this and I am glad we are planning on avoiding them in our back end.

In the U.S. I guarantee you that most insurance companies are NOT doing this. What this company is doing is called "Bad Faith" in insurance jargon. And the penalties for this sort of behavior are enormous, and can even include the possibility of the company losing its license to sell insurance in a particular state.

> The insurance industry as a whole is seriously messed up and congress seems unwilling to do anything about it.

Congress doesn't do much with insurance because insurance in the U.S. is regulated at the state level, not the federal level.

We may be talking past each other here. I was referring to property and casualty insurance in my comment, while it sounds like you're talking about health and disability insurance. Two completely different worlds and regulatory frameworks.

Now if you are in line for a large payout the insurance company will definitely review your application to see if you lied. Significant lies will get your policy cancelled and no payout. So don't lie on any insurance applications.

(or if you are trying to be pseud, let me interview you and I'll write it)

if this is SOP it's important information

2. Why write at all: consensus drives policy change, and information drives consensus. Writing, of any length, assembles information, bundles it into an argument, and (if the argument lands) becomes a 'capsule' around which consensus can form.

1. Why long form: room for nuance and research. Long form can include different perspectives (including stripe's -- perhaps they have a reason for these practices). It can address questions like 'what % of the industry behaves this way, what are the downsides to the banks' approach'. The interview + editing process can tease out anecdotes that sharpen the argument, or uncover new aspects of the problem.

This part is selfish, but for the writer, long form lets you improve your own knowledge of the topic, and your ability to make arguments around it.

I've never thought about this, but now that you've pointed it out, I'm realizing this is genuinely a fantastic feature.

Sounds like yet another of the many perks of the spartan design here. All substance, with just a hint of (cascading) style.

A link to an HN thread is opaque, uninteresting, and context-less.

With, half of the blogs that I liked I can't remember the name of the blog, it's probably either been dropped from search engine indexes for being older than a year or two or pushed to the 10th page by better SEO, or the site has simply vanished.

A blog post also feels more trustworthy than a random social media site comment.

Shocking, I know.

Sounds similar to how subprime lenders doled out the mortgages without any due diligence. They skimmed their bit off the top in transaction commissions, but later dumped them before they became a compliance hassle.

https://www.kff.org/health-reform/issue-brief/pre-existing-c...

"Before private insurance market rules in the Affordable Care Act (ACA) took effect in 2014, health insurance sold in the individual market in most states was medically underwritten.1 That means insurers evaluated the health status, health history, and other risk factors of applicants to determine whether and under what terms to issue coverage."

"Prior to the ACA’s coverage expansions, we estimated that 18% of individual market applications were denied. This is an underestimate of the impact of medical underwriting because many people with health conditions did not apply because they knew or were informed by an agent that they would not be accepted. Denial rates ranged from 0% in a handful of states with guaranteed issue to 33% in Kentucky, North Carolina, and Ohio. According to 2008 data from America’s Health Insurance Plans, denial rates ranged from about 5% for children to 29% for adults age 60-64 (again, not accounting for those who did not apply)."

And that's the only thing similar in here. The payment processors are not selling anything by fraudulent claiming they evaluated their quality.

What they do have is a very bad customers service that is prone to a different kind of crime (withholding people's money) and create a very unique kind of risk they don't communicate to their customers.

The other side has one chance to learn.

Thank you for sharing your insight!

Your best bet is to pay the slightly higher fees by going directly through your actual bank.

[1]https://www.elavon.com/industries/cenpos.html [2] https://www.tempuspayment.com/default.aspx

Sounds like there's an opportunity for a Stripe competitor that businesses can somewhat trust to not pull the rug, though that'd be quite the bootstrapping process.

We hadn't charged a single live customer yet, but we had done plenty of tests using the Stripe testing environment. So we go live with a huge launch event, and we have customers signing up in droves. When they get to the last step -- payment -- they get an error.

Logging in to the dashboard I didn't see any indication that there was anything wrong with our account. No alerts or notices. We had already gone through the approval process you go through when signing up, and been told we were approved.

The thing that surprised me the most was that there was just no indication anywhere that our account would not be able to charge cards. Wouldn't it make sense for there to be an indicator somewhere that just says "Not ready yet"?

Apparently, they had never even begun reviewing/vetting us since the time we signed up for the account months earlier. We reached out to customer support and it took them about two weeks to get us activated. And, similar to OP, they never gave us a shred of information about what was going on. I still don't know to this day what the issue was.

Next time I build something with Stripe I'm going to test it in production before launching, with my own real credit card!

I'm genuinely curious why you wouldn't have done that anyway? I pretty much always do, precisely so I can experience a full end to end user experience.

That's in addition to explaining to our investors that we ended our launch day at -$1,000 due to all the chargeback fees because some dumb developer doesn't know what a testing environment is. And in addition to the fact that Stripe recommends against you testing in that way.

I did get a full end-to-end experience, in my production environment, with literally one variable changed: using the testing Stripe API key instead of the production one.

I don't know, it didn't seem like a crazy way of testing at the time. When you consider that the testing environment worked perfectly, and there was no indication, whatsoever, anywhere that we would not be able to charge cards, it kind of felt like how you're supposed to do it.

But clearly I was wrong :) The way you find out if your account has any issues is by charging a real card, and if it works, reversing it, and if it doesn't work, waiting a couple weeks with no information on what's going on. Lesson learned!

Why would you reverse it? If you can’t afford to consume one unit of whatever you are selling are you really in a good place to be in that business?

I guess there can be rare exceptions where the business sell only a handfull of high ticket items. But then again probably Fincantieri does not let you put your bespoke mega yacht on a card through a web transaction.

After some eye-rolling he agreed to buy a burner phone, add a prepay SIM, and whaddayano the bloody charger did not work. Two months later it works, for most people, who have recent cars that are not Teslas. Sigh. "welcome to our product, you're a beta tester. Maybe an alpha tester. We hope it works!".

Test in production. Do real dollar value tests. If you can test with different cards with different security levels, try a Visa 3D Secure and a 2FA Amex charge. Personally I do them and then get reimbursed (or do them directly on a company credit card) rather than start out a production payment history with refunds, not sure if that matters but I figure if it does it's got to be a bad signal so I may as well avoid it.

Why would you not? Stripe still keeps the transaction cost, so clearly they anticipate this happening.

This isn't recommended. Also, presumably by end-to-end you meant post auth business flow too. Such as reconciliation, settlement, generating tax receipts, invoices etc.,

In general, all the data in production should be real, as much as possible.

If the amount is big (e.g., say jewellery story) then figure out a way to recoup/refund the money out of band in a way that leaves no trace in production system. E.g., reimburse it, put it under QA budget or some such.

"Do not use real card details. Testing in live mode using real payment method details is prohibited by the Stripe Services Agreement. Use your test API keys and the card numbers below."

https://stripe.com/docs/testing

They probably mainly just don't want people running shitloads of automated-test charges and issuing refunds for all of them. It may technically be against the TOS but there's no way they actually care if you run the occasional real-credentials test, especially if you don't refund it.

That's the trick. Let Stripe put the money into your bank account and let them think its a real sale (not a production test), then refund the money out of the bank account back to the person who's card was used instead of refunding or reversing the charge. Stripe don't need to know about that.

(You also owe yourself "due diligence" in knowing that you _can_ refund or reverse charges, so you'll also do that test in production as well, but don't make it one of the first transactions you ever do in prod. I try to stretch that test out until after a 60 day window past the first few dozen real sales have gone through, under the assumption that by then Stripe (or whoever) will have seen a bunch of payments go through and not be challenged when the CC statements arrive, and that'll have sent some "probably not a new fraudulent merchant" signals into their systems.)

No need to roll back the transactions directly and risk flagging anything.

Plus, it's often useful having a real, live, paid and in good standing account and/or purchase in the system for further testing steps! (More true in the subscription space than the one-time purchase space... but even there... it's probably worth testing your refund flow end to end periodically eventually, once you have a healthy set of traffic under your belt to avoid standing out.)

Although I guess doing lots of refunds would mess with anti-fraud and other systems.

I just do special pricing/discounts to do a $5 transaction (too small could look like credit card fraud).

Everyone runs 1-3 “real transactions” as a “real customer” when getting ready for a launch with QA.

This cause exists for Stripe to point to for excuses people make when attempting to wash transaction or test stolen CC info in a prod environment (which doesn’t work with a test api key)

There's "testing"

* manual during development

* automated testing

And there's "testing"

* smoke checking processes in production

In most cases, the "test in production" is more of a "validation" that end to end experience works. And there probably shouldn't really be much of a way to distinguish between a "test" in production and a "validation" of the purchase process.

Sure, you can do it, but you'll have to forever have a note in your accounts package saying 'this revenue isn't actual revenue'.

It really upsets those who want the accounts to match up to the cent at the end of the year...

They just walk in and buy one. They in their personal capacity end up richer by a burrito and some invaluable experience. The company ends up richer by the price of a burrito. If this kind of “revenue inflation” matters to anyone then either the CEO has a bad burrito addiction or the company wasn’t transacting enough anyway or both.

More and more, we just keep acting dumber as "tech" is more and more engrained

I'm curious why you would still consider them a trustworthy business partner after what happened?

What a disaster.

My recommendation is to look into your local providers and see if any can integrate with payment APIs like Authorize.net. These providers really want your business and care enough to at least not let you go bankrupt. The bar is low!

I think that's the biggest thing I see on this thread. That Stripe gets the chance of a next time. This validates what Stripe is doing to developers.

No appeal process, nothing. Caused significant short term cash flow issues. So be very careful using your own card.

I don't know if that's still the case, but these days I'm wary about using AMEX on any sort of money transfer service.

There are more and more Stripe horror stories like this, and from an outsider perspective it looks awfully like PayPal behaved back in the day (probably still does but I'd never touch it again as a merchant).

I have positive experiences with using Stripe in my last startup and we're currently building Stripe integration on another, which will process about 50% of our revenue (the other payment method being direct wire transfer).

There might be just a tiny minority of people that end up treated like this, but with every story, I'm less confident about our move.

yeah, im sure its a minority of accounts at stripe, but seriously, do not take the chance!

Op speaks of calling and emailing and reaching out … instead, pay your lawyer 30 minutes and have the letter hand delivered to their legal department.

I can’t predict what will happen but it won’t be ignored.

But I seriously ask anyone, how important is processing payments to you? what do you suspect the chances are? would you prefer to go through a bit more hoops upfront with a non-stripe alternative, or roll a 1/100 or even 1/10000 dice that one day you're just gonna be royally screwed over?

I have seen it happen very close, so I know my choice. It always "only" happens to other people... until it happens to you. Its easy to say "yeah.. they were doing shady things, I dont", but when the algorithmic gods determine you to be shady, no mere mortal, except perhaps a couple of very influential people lurking HN(cough edwin cough) will do anything. Will you catch his eye? is it worth the risk?

ANYTHING you depend on, spend serious serious time doing vetting, making sure its proper, and I would say, for the love of god, make it someone you could go visit physically.

It's an arms race with fraudsters that eventually sucks in legitimate businesses.

As much as I hate government intervention in business, it really seems like there needs to be a way to force companies to actually be direct, accessible, and reactive in cases like this. I went through something similar with Venmo randomly locking my account after I received a large-ish payment, and not getting any real action or sense of urgency on their side.

This. This is a common tune to about 100% of "BigSomething killed my business" stories that appear on HN almost weekly. If you go to BigSomething, you get a polished, automated, convenient, cheap service that would not hesitate to kill you account the moment something looks wrong to any of the robots watching it, and the customer support (the non-robotic kind, I don't count "we are working on it" auto-replies) is not part of the package because it doesn't scale. You have to either accept this as the risk for doing business, or not use BigSomething as you primary or critical vendor.

Government has made entry to this space hard which is why there aren't enough competitors, so they're really the source of the problem.

Others (adult services) are not due to government regulations, they are there simply there because banks don't want to deal with chargebacks.

Except the operationalization of those rules is: here are some vague guidelines that you have to follow, and if we don't like you we'll retroactively decide you were committing a crime even if you followed those guidelines to the letter. See HSBC for a case in point.

No, that's wrong. Firstly, as others have pointed out, society long predates any such notions.

Secondly, determining what is illegal activity, and putting a stop to it, is ostensibly the job of law enforcement and the courts, not the bank.

I assume the government didn't want to put all the work in of making sure the currency they've societally coerced the world to use isn't being used for fraudulent transactions, they'd rather pawn it off onto the banks because it's easier for the government to not do anything about it.

Now the banks have been shooting anything and everything that has even a semblance of fraud with account locks/funds freezing/etc., because if they don't the government will go after them.

How does this system make any sense to anybody? So frustrating. Let me exchange currency with anybody for any reason at any time.

That's what SLAs/contracts are for.

I still love them. That issue aside they allow me to have a personal and business account in multiple currencies, and don't screw me on the exchange rates.

This would be the same as saying: I want zero car accidents on the road, so I'll scale the police headcount linearly with the number of reckless drivers.

Depending on amounts, small claims in the US might be viable.

I do some payments that are ridiculously suspect but legal.

I have never been completely blackholed and given robot responses, any time a problem comes up.

Stripe is lower margin than other banks/payment providers, so they don't look very hard.

They have a very strong incentive to throw away troublesome customers, which they do.

I don't think it's right to say Stripe's "hands are tied".

They could spend more to identify false positives, but they don't.

If I used Stripe for all of my transactions I would be blocked. I know this because I have 100% confirmed this from an inside source at Stripe and at a countries central bank.

Yet somehow I have and continue to maintain accounts with other banks without breaking the law.

What law do you think forbids this? In my experience running global payments through multiple rails, on an OFAC/risk ping you typically get a request for enhanced due diligence, which normally looks to the payee like “send me a picture of your drivers license”.

The most common result is that O Bin Laden (matching the OFAC list) is actually Oscar bin Laden; with further info you disambiguate the payee from the OFAC listed entity and are allowed to transact.

I have never encountered a reg that says you are obliged to ghost your customer.

See https://www.lawsociety.org.uk/topics/anti-money-laundering/t...

I would bet that 99.9% of the Stripe (and Paypal) horror stories that get posted almost weekly are _not_ federal money laundering or terrorism financing investigations with legal secrecy provisions imposed on the payment processor.

edit: As I re-read the thread I see that I am thinking more of onboarding KYC, as opposed to this case which would be ongoing-activity investigation. So that would explain the difference in expectations here. Still interested in learning more about the regs for ongoing investigations if you have time to share!

For anyone following along, text at https://www.fincen.gov/resources/statutes-and-regulations/ba... > https://www.govinfo.gov/content/pkg/USCODE-2020-title31/pdf/....

This is for SARs (Suspicious Activity Reports). (At least, that's the one I've encountered before, there may be other forms too).

If anything, I would bet that regulators would be concerned about the fact that companies such as Stripe have triggered a race to the bottom whereby underwriting has become an after-the-fact exercise that can severely damage and/or kill a high-growth SME. The old way, where you filled out a ton of paperwork, provided every bit of information possible about you and your business, and then went back and forth with a human to get approval, was a much more stable way to business. But alas, when you've got former bank governors on your payroll and political mega-PAC donors on your cap table, people don't scrutinize very much.

(Obviously it’s quite difficult to know the ratio of cases like these involving government investigations and those involving their own internal risk procedures.)

Even if it is government under the hood you have to know what you're accused of. Not American so I doubt the US political system is interested in hearing from me, but I agree that's the only way of solving the deeper AML problems.

This is exactly why the whole process is suspect. The government farms out the policing of certain financial crimes onto the financial institutions as a prerequisite for operating the business. If the government came along and froze your bank account you’d have a right to ask why and a right to get some answers. But instead the government pawns the responsibility off onto businesses and then prohibits those businesses from telling you why.

And so the BSA and Patriot Act effectively allow the government to take your property and take away your right to confront the government about why they took your property. And it’s all on merely a vague suspicion of misconduct. No proof whatsoever.

I can’t help but laugh at the irony— the federal government laundering their otherwise unconstitutional activities through the banks.

I'm curious as to why you think that? Is this a way way more common thing than I expect? Or is "My startup uses Stripe Connect to accept payments on behalf of our clients" a raging red AML flag I don't recognise (I've never done that, so it could easily be)?

The thing with SARs is that they tend to be cascading as OP described. So if I (innocently and totally coincidentally) do a transaction with someone who has been flagged for suspicious activity my account might now be flagged as “higher risk” for suspicious activity and will be monitored more closely.

And, if they decide they’ve found suspicious activity in my account then everyone who does business with me is at risk of having their accounts flagged as “higher risk” for closer monitoring and so on.

And the bank isn’t allowed to tip anyone off because if any of those accounts are actually laundering money they might suddenly withdraw it and then the “lead” from the SAR is moot. It’s actually a crime to notify someone about the suspicious transaction(s). Which is why you get stonewalled.

The issue most people in this thread are talking about exists in the almost. If it was always guaranteed, then there would not be so much evidence to the contrary.

But in all seriousness, being a YCombinator startup is now a big red flag outside of the VC-funded bubble. My current employer, and the previous one, have strict no-YC policy for SaaS due to numerous issues with previous YC companies. And these are both tech-friendly/tech-adjacent companies.

It's even worse at stodgier companies; an executive sees "Stripe froze my payments" and that's what they remember when a Stripe salesman tries to pitch them on using stripe for their online store. Stripe is quickly becoming Google, in the bad way: it's a name people are learning to avoid, and if that hits critical mass they're dead.

As executives and purchasing managers get more tech-aware I think we're going to see an increase in due diligence into who is running companies, who their investors are, what other companies they've invested in, etc. Brands like YC will end up getting punished (and all their portfolio companies, by extension) for the bad actors.

It is like this with virtually any security system. Adding feedback you can use for debugging also makes the system much easier to compromise.

One of the attacks that fraudsters have developed is to buy businesses to use their accounts for fraud. That going out with a fraudulent bang is better than trying to run a marginal business.

Onboarding new customers looks better and gets more funding than maintaining quality for existing customers, so they just don't care.

I'd love to know why certain categories are always flagged or silently banned. Cannibis, sex toys, porn, crypto, etc. Payment processors seem to always give these categories the worst service and whenever a company is nuked like this, it's usually one of these categories. Why is that? It almost feels like there's some secret government organization tasked with upholding religious values telling payment processors to fuck with random accounts and swearing them to secrecy. I obviously don't believe that, but it's equivalent to the scale of whatever is going on due to natural causes. I don't believe that these industries are prone to higher than usual fraud. So what is it?

* - https://news.ycombinator.com/item?id=32263429

Don't believe me? Ask anyone at the front desk of a hotel the rate of attempted chargebacks for ppv porn.

You can get vetted by banks, visa and co for those things (maybe not cannabis with US companies) but the fees are considerably higher because of the chargeback rates. This is why onlyfans announced then backtracked the porn ban, visa told them "either you're paying us like you distribute porn, or you stop doing it".

To be honest this seems more like a hotel problem than a porn problem. E.g., I viewed it by mistake, I didn't understand the pricing, etc. I would expect that there is a similar amount of complaints about the hotel room's minibar and snacks that are lying there but charged an incredible rate afterwards if touched.

Re: porn, the issue is its sky-high chargeback rates.

While I don't know what the incentives are for payment processors, they act as though they are under a quota, similar to SARs in banks, where it's mainly about showing they are getting petty crime as a means to protect their interest in partnership level crime.

https://en.wikipedia.org/wiki/Texas_obscenity_statute

or google "texas six dildoes"

<edit> https://www.theregister.com/2016/12/13/us_purchase_governmen...

and https://onwardtexas.org/trending/is-it-illegal-to-own-more-t...

which was posted on HN about 3 months ago and flagged.

</edit>