How Rain Reduces Risk: A Guide
Moving money is serious work.
Rain helps facilitate instant, global payments at scale. Our systems support real-world economic activity, and therefore must be designed to operate reliably in practice, not just in ideal conditions.
Tokenized money introduces new capabilities. It also introduces new responsibilities. Infrastructure companies, like Rain, have to do more than move value quickly. We have to build controls that keep that value from flowing in the wrong direction, and response plans for when risks are identified.
This guide describes Rain’s risk mitigation program. It explains how we reduce, identify, and respond to threats throughout the lifecycle of a payment program. It’s a practical look at how we think about responsibility, how we maintain compliance and regulatory standards, and why we operate with the assumption that risk needs constant attention.
Risk Ownership and Responsibility
Effective risk management depends on clear ownership. Rain structures its programs to ensure that responsibility for risk is explicitly defined across all parties involved.
In programs where Rain manages the payment stack directly, Rain is wholly responsible for transaction-level risk controls. Rain is also responsible for assessing Anti-Money Laundering (AML) and fraud risks and for collecting and verifying key identity elements in these programs.
In partner-managed programs, partners are able to add additional transaction risk protections specific to their product. Partners are responsible for assessing AML and fraud risks and for identity verification in partner-managed programs.
Fraud prevention is a shared responsibility. Rain works together with partners to detect and reduce fraud through multiple layers of monitoring and clear escalation paths. Fraud losses and liabilities are primarily the responsibility of merchants and partners, consistent with how card networks operate today.
Clear ownership keeps risk from pooling in the wrong places. When responsibility is unambiguous, responses are fast, coordination is efficient, and accountability is maintained.
Picking the Right Partners
Before any program goes live, Rain completes an extensive due diligence process to confirm that we’re choosing the right partners.
Every partner is required to complete a Know Your Business (KYB) review. That includes verifying company formation documents, identifying and validating beneficial owners, screening for sanctions, politically exposed persons, and adverse media, and reviewing the partner’s website and business model to understand how the program works.
When a program or partner carries additional risk, the threshold is higher. When indicated, Rain will implement additional requirements. These may include heightened AML requirements, independent audits, and ongoing reporting obligations.
This process is how Rain builds durable partnerships that support sustainable, long-term growth.
Customer Due Diligence
Every Rain program starts with a simple rule: If someone is going to spend money, we need to know who they are.
At minimum, partners are required to meet established customer due diligence requirements and Customer Identification Program (CIP) standards. This includes collecting a legal name, date of birth, address, and a government-issued ID number.
As an added step, Rain employs additional identity verification checks. This higher standard of collecting IDs sets a stronger foundation for knowing the customer and preventing fraud.
Knowing who cardholders are is only the first step in Rain’s KYC process. Understanding how an account is likely to be used is just as important for detecting misuse. Rain collects additional cardholder information, including occupation, annual income, and IP address. These details provide more context for what “normal” looks like, so if there is unusual activity, it stands out.
Before programs launch, Rain verifies that these KYC steps are embedded into the partner’s UX and onboarding flow. Programs do not go live until identity and context collection are actually enabled, not just described in documentation.
Geography and Sanctions
Where an account is created, accessed, and used materially affects the risk profile of a payment program. As such, geographic and sanctions controls are a foundational component of Rain’s risk mitigation framework.
Rain applies controls to prevent signups from sanctioned or restricted jurisdictions and to block transactions involving merchants or counterparties in sanctioned or restricted regions. These controls are informed by authoritative sources like OFAC and by network requirements, including Visa’s rules.
Geography isn't stagnant — people move, devices change, and usage patterns shift — so controls are enforced at multiple points. This includes during onboarding to prevent account creation from sanctioned locations, through ongoing monitoring to identify changes in user behavior or location, and at the transaction level to screen activity in real time.
By applying sanction controls across these layers, Rain reduces reliance on any single checkpoint, ensuring compliance and risk mitigation remain active throughout the life of the program.
Fraud and FinCrime Monitoring in Practice
The above steps cover what happens before programs go live and cards are issued, but risk management doesn’t stop there.
Rain continuously monitors transactions to catch behavior that looks off, and measures are in place to block certain purchases at the authorization level. For example, transactions from sanctioned or restricted countries or certain high-risk merchant categories are declined. Rapid-fire transactions can be stopped when velocity limits are hit. ATM withdrawals have per-transaction and daily caps.
Rain also has an onchain screening program, which includes continuous monitoring of wallet addresses and blockchain activity for suspicious activity. Smart contracts are also reviewed by an outside auditor before they are deployed.
These rules are only a subset of Rain’s transaction monitoring controls. We apply additional rules and dynamic risk signals in real time to adapt to evolving threats and usage patterns.
The Limits of Risk Mitigation
Stablecoins, by design, offer some real advantages when it comes to risk mitigation. Transactions settle on a shared, immutable ledger, so the history of where funds came from is traceable. Settlement is also atomic, meaning transactions either immediately complete or fail, eliminating timing gaps and reconciliation risks that exist in traditional payment systems.
Still, no payment system is perfect. Card sharing, credential theft, and secondary markets exist across all forms of card-based payments, including traditional fiat programs. These risks are not unique to stablecoins.
We acknowledge this reality explicitly because it’s a prerequisite to building durable safeguards. Pretending that misuse can be eliminated entirely doesn’t make systems safer, it makes them vulnerable. Rain focuses on early detection, fast response, and continuous improvement, not overconfident promises.
Rain’s systems are designed with the expectation that anomalies will happen. That might be attempted fraud, an operational error, a partner control failure, or a pattern of transactions that simply doesn’t make sense. That’s why Rain maintains layered monitoring and response controls.
When thresholds are triggered, alerts are reviewed under clear procedures. Rain’s response framework focuses on timely containment, investigation, and documentation. Accountability matters here. Responses are assigned to specific operational or compliance owners, and material issues move through established governance channels.
Rain isn’t built for clear skies only. It’s built to keep working when conditions change.
Transparency, With Guardrails
Rain believes in transparency, but we do not disclose every risk control or threshold. Publishing this information would meaningfully help bad actors work around the system. As a payments provider, we also have a responsibility to protect sensitive information and respect confidentiality commitments to our partners.
Responsible transparency means being open about our approach to risk mitigation without compromising the systems themselves.
Our Work Isn’t Done
Risk management is never finished. As products evolve, regulations change, and threats emerge, controls have to adapt. Rain treats risk management as a continuous responsibility, not a one-time exercise.
We’re building products that fundamentally disrupt how money moves around the world. Trust and safety can’t be an afterthought, they’re the foundation.
.png)