Risk Management interview prep.

A payments risk manager owns the loss line + the approval-rate line at the same time: fraud loss, chargeback loss, credit loss (on BNPL / lending), AML penalties + reputational risk, and operational-incident loss - against approval rate, false-positive rate, and friction that costs revenue.

What interviewers look for

  • Can the candidate talk loss bps + approval rate together - not just 'we caught more fraud' without the friction + approval-rate cost?
  • Do they own the model + policy stack (rules + ML + thresholds + manual review) with proper governance - not just hand off to a vendor?
  • Do they treat scheme rules + regulator posture (chargeback monitoring tiers, Reg E timelines, PSD2 SCA, BSA / OFAC) as design inputs, not afterthoughts?
  • Can they manage a fraud or chargeback incident end-to-end - detect, contain, root cause, remediate, report - with a clear loss + friction trade?
  • Do they think about merchants + customers (the friction cost) + the bank + the scheme (the reputational + monetary cost) - the whole ecosystem, not just the fraud loss line?
  • Can they defend a quantitative call to a risk committee - the model, the thresholds, the back-test, the back-of-envelope on expected loss vs approval-rate impact - with a senior voice?

Behavioural questions to expect

  1. Walk me through your CV.

    What it tests: Story coherence + genuine fit for payments + fintech risk work. Teams want evidence of progressive risk scope (a rule / model -> a policy -> a portfolio / product) and quantified outcomes (loss bps moved, approval rate lifted, false positives cut, regulator clean exit) - not 'I worked on risk projects'.

  2. Tell me about your most impactful risk decision or project.

    What it tests: Depth + ownership + willingness to defend a quantitative call. Tests whether the candidate frames problem -> data -> model + policy -> tradeoff -> result (quantified) -> lesson, not just 'we reduced fraud'. The probing will press on the approval-rate cost, the back-test, the governance trail.

  3. Tell me about a weakness, a failure, or feedback you've received and worked on.

    What it tests: Self-awareness + risk discipline. Cross-role canonical. Fake weaknesses downgrade immediately. Senior payments-risk mistakes (a model rolled to prod without a proper back-test, an over-aggressive rule that crushed approval rate, a missed early signal on a chargeback spike, an AML alert backlog that aged) shape teams; honesty about a judgment error + the process fix matters.

  4. Why payments + fintech risk - and why this firm's segment vs general bank risk or pure model work?

    What it tests: Authentic fit for the payments risk seat: real-time decisions, model + policy + ops together, scheme + regulator pressure, the loss-vs-friction tension that defines the role. Tests whether the candidate is drawn to the constraints specifically, not just 'I want a risk job at a hot company'.

  5. Which risk sub-function would you want to own, and why?

    What it tests: Genuine fit + grasp of how payments-risk sub-functions differ. Tests whether the candidate has a reasoned preference (fraud / credit-on-payments / chargebacks + disputes / AML + sanctions / operational risk / model risk) rather than 'wherever you put me'.

  6. Why this firm?

    What it tests: Whether the candidate has done the homework. Bar: firm-specific evidence from the product, segment, risk posture, model stack, regulatory perimeter, scheme standing, and people - not generic 'great fintech'.

  7. How would you describe this firm's risk posture + risk organisation in your own words?

    What it tests: Whether the candidate has internalised HOW the firm runs risk - sub-function shape, model + policy stack, governance posture, scheme + regulator standing - not just that it 'has risk people'. Tests whether they've read the risk-side signals (10-K / regulator filings / scheme posture / public talks) + can speak to specifics.

  8. How does risk actually drive value at a payments firm like this firm?

    What it tests: Whether the candidate understands payments-risk economics: loss bps directly hit P&L, approval-rate bps directly hit revenue, scheme placements drive cost + customer experience, regulator clean exits unlock segments + geographies, and risk-engineering capability scales the rest of the org.

Technical concepts to master

Fraud + risk modelling fundamentals

Rules vs ML vs vendor scoring
Rules: deterministic, explainable, fast to write + change. ML: pattern detection on dense features, harder to explain, needs labels + retraining. Vendor: shared-consortium signal + speed-to-market, less control. Production stacks blend all three.
FPR / TPR + ROC + precision / recall + AUC
Standard model-evaluation framework. TPR + FPR define ROC; AUC summarises ranking quality. Precision + recall are the operating point chosen on the curve. Payments cares about both at the chosen threshold.
Champion-challenger + holdout + back-test
Champion-challenger: run the existing policy + a candidate in parallel on overlapping traffic; measure relative loss + approval + FPR. Holdout: never decisioned by the new rule, used to measure true performance. Back-test: simulate the candidate on historical decisioned data, label-aware.
Model risk management (MRM) + governance
Independent validation of every model: data + assumptions + back-test + monitoring + sign-off + cadence. Required by regulators (SR 11-7 in the US) and increasingly by scheme + sponsor banks.
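A worked back-test of a challenger score against the champion, as added example code (Python) that is not from the original page. The twelve historical transactions, both sets of scores and the 0.5 decline threshold are constructed; the metrics follow the definitions above: TPR / FPR / precision at the chosen threshold, rank-based AUC for ranking quality, and the approval rate + loss bps a risk committee would ask for next to them. The sample is tiny, so the bps figures are illustrative, not realistic.

```python
"""Champion-vs-challenger back-test on labelled historical decisions.
Added illustrative code; every transaction and score below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    amount: float
    is_fraud: bool            # label learned later (confirmed fraud / chargeback)
    champion_score: float     # score the live policy produced at decision time
    challenger_score: float   # score the candidate model would have produced


# Constructed history: labels are known, so the back-test is label-aware.
HISTORY = [
    Txn(120.0, False, 0.05, 0.04), Txn(80.0, False, 0.10, 0.08),
    Txn(950.0, True, 0.62, 0.91), Txn(45.0, False, 0.20, 0.12),
    Txn(300.0, False, 0.55, 0.30), Txn(700.0, True, 0.48, 0.82),
    Txn(60.0, False, 0.08, 0.05), Txn(210.0, False, 0.35, 0.22),
    Txn(1500.0, True, 0.90, 0.95), Txn(95.0, False, 0.15, 0.10),
    Txn(400.0, False, 0.70, 0.70), Txn(250.0, True, 0.30, 0.65),
]


def champion(t):
    return t.champion_score


def challenger(t):
    return t.challenger_score


def confusion(txns, score, threshold):
    """TP/FP/TN/FN when every transaction scoring >= threshold is declined."""
    tp = fp = tn = fn = 0
    for t in txns:
        declined = score(t) >= threshold
        if t.is_fraud and declined:
            tp += 1
        elif t.is_fraud:
            fn += 1
        elif declined:
            fp += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def auc(txns, score):
    """Rank-based AUC: share of (fraud, legit) pairs the score orders correctly."""
    pos = [score(t) for t in txns if t.is_fraud]
    neg = [score(t) for t in txns if not t.is_fraud]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def operating_point(txns, score, threshold):
    """Metrics at one threshold: what the policy trades at that point on the ROC curve."""
    tp, fp, tn, fn = confusion(txns, score, threshold)
    approved = [t for t in txns if score(t) < threshold]
    approved_volume = sum(t.amount for t in approved)
    fraud_loss = sum(t.amount for t in approved if t.is_fraud)
    return {
        "tpr": tp / (tp + fn) if tp + fn else 0.0,        # recall on fraud
        "fpr": fp / (fp + tn) if fp + tn else 0.0,        # good customers declined
        "precision": tp / (tp + fp) if tp + fp else 0.0,  # declines that were fraud
        "approval_rate": len(approved) / len(txns),
        # Loss in bps of approved volume; tiny sample, so the number is illustrative only.
        "loss_bps": 10_000 * fraud_loss / approved_volume if approved_volume else 0.0,
        "auc": auc(txns, score),
    }


def back_test(txns, threshold=0.5):
    """Side-by-side read-out: loss, approval and FPR are reported together, never alone."""
    return {
        "champion": operating_point(txns, champion, threshold),
        "challenger": operating_point(txns, challenger, threshold),
    }


if __name__ == "__main__":
    for name, metrics in back_test(HISTORY).items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

On this sample the challenger ranks better (higher AUC) and catches all four frauds at the same threshold, but it also declines one more transaction, so its approval rate is lower; that is the pairing the interviewer wants stated, not 'the new model caught more fraud'. A real back-test adds a holdout slice that neither policy decisions, so the challenger's numbers are not measured on traffic the champion already shaped.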

Chargebacks + disputes lifecycle

Reason codes + dispute types
Disputes are categorised by reason code: fraud (CNP / lost / stolen / counterfeit), authorisation (declined / expired), processing error, consumer dispute (quality / not received). Reason-code mix tells you the root cause + the defence.
Representment + compelling evidence
The merchant's response to a chargeback: a structured packet (delivery proof, customer communication, login + device evidence, prior history) submitted within the scheme window to argue the merchant's case.
Acquirer + scheme monitoring programs
Schemes monitor merchant chargeback ratio + fraud-to-sales ratio. Breaching standard thresholds places the merchant in a monitoring program with fines + remediation requirements + ultimately termination.
Pre-emptive dispute tools
Issuer-funded notification services that warn the merchant of a brewing dispute (cardholder inquiry, alerts) BEFORE it becomes a chargeback; the merchant can refund + lower the ratio.

AML + sanctions + KYC fundamentals

KYC + CDD + EDD
KYC = identify + verify the customer at onboarding. CDD = standard ongoing due diligence (risk-rated). EDD = enhanced due diligence on higher-risk customers (PEPs, high-risk geographies, complex structures).
Transaction monitoring + SAR
Rules + ML monitor transactions for suspicious patterns (structuring, layering, integration, unusual velocity / geography / counterparty); alerts go to investigators; confirmed suspicion files a Suspicious Activity Report (SAR) with the regulator.
Sanctions screening
Screen every customer + counterparty + payment against OFAC + European multilateral + EU + UK sanctions lists at onboarding + on every transaction; blocked + rejected payments follow specific regulatory paths.
Three-lines-of-defence + regulator engagement
First line: business + risk-owner controls. Second line: independent risk + compliance oversight. Third line: internal audit + external audit + regulator. Each line tests + reports independently.

Loss vs friction + approval-rate economics

Approval-rate economics
Every 100bps of approval rate translates to ~1% of TPV in lost or won revenue; at scale, an approval-rate point is worth tens of millions; the risk manager owns half the conversion funnel.
False-positive cost
Every blocked-but-good transaction has a cost: lost revenue, customer friction, churn risk; the FPR:TPR ratio + the $ value of an FP vs a TP define the operating point.
Step-up + friction-as-a-lever
Instead of block / approve binary, route ambiguous cases to step-up auth (3DS / SCA / OTP / behavioural challenge) - converts an FP into an extra-friction conversion + still avoids loss.
Segment-aware + customer-lifetime view
A new customer + a 5-year customer should not face the same control; risk policy is risk-rated + lifetime-aware + segment-aware to optimise loss + approval + retention together.
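The false-positive cost and step-up passages above, worked through in added example code (Python) that is not from the original page: pick the operating point by expected value rather than by a fixed FPR. The unit economics (margin per approved good dollar, step-up drop-off and fraud pass-through rates, a per-decline churn cost) and the thirteen scored transactions are all assumed; the sweep compares a binary approve / decline policy with a three-way policy that routes the grey band to step-up.

```python
"""Choosing the operating point by expected value, with step-up as a third outcome.
Added illustrative code; the economics and the transactions below are assumed."""

# Assumed unit economics (not figures from the page); tune per segment in practice.
MARGIN = 0.02        # revenue retained per approved good dollar
STEP_UP_DROP = 0.20  # share of good customers who abandon a step-up challenge
STEP_UP_PASS = 0.10  # share of fraud that still gets through the challenge
FP_COST = 10.0       # churn / support cost of declining one good customer

# Constructed labelled transactions: (amount, is_fraud, risk score in [0, 1]).
SAMPLE = [
    (100.0, False, 0.05), (200.0, False, 0.10), (300.0, False, 0.20),
    (150.0, False, 0.30), (250.0, False, 0.40),
    (500.0, False, 0.55), (100.0, True, 0.58), (400.0, False, 0.60),
    (200.0, True, 0.65), (700.0, False, 0.70),
    (800.0, True, 0.85), (300.0, False, 0.90), (1200.0, True, 0.92),
]


def decide(score, step_up_at, block_at):
    """Three-way policy: approve below step_up_at, challenge up to block_at, decline above."""
    if score >= block_at:
        return "decline"
    if score >= step_up_at:
        return "step_up"
    return "approve"


def policy_value(txns, step_up_at, block_at):
    """Expected P&L and decision mix of one (step_up_at, block_at) pair over the sample."""
    ev = 0.0
    expected_fraud_loss = 0.0
    counts = {"approve": 0, "step_up": 0, "decline": 0}
    for amount, is_fraud, score in txns:
        outcome = decide(score, step_up_at, block_at)
        counts[outcome] += 1
        if outcome == "approve":
            if is_fraud:
                ev -= amount                        # full loss on approved fraud
                expected_fraud_loss += amount
            else:
                ev += MARGIN * amount               # revenue on a good approval
        elif outcome == "step_up":
            if is_fraud:
                ev -= STEP_UP_PASS * amount         # some fraud still passes the challenge
                expected_fraud_loss += STEP_UP_PASS * amount
            else:
                ev += (1 - STEP_UP_DROP) * MARGIN * amount  # friction costs drop-off, not loss
        elif not is_fraud:
            ev -= FP_COST                           # a declined good customer is a false positive
    n = len(txns)
    return {
        "step_up_at": step_up_at, "block_at": block_at, "expected_value": ev,
        "approval_rate": counts["approve"] / n, "step_up_rate": counts["step_up"] / n,
        "decline_rate": counts["decline"] / n, "expected_fraud_loss": expected_fraud_loss,
    }


def best_policy(txns, allow_step_up=True, grid=None):
    """Sweep threshold pairs and keep the highest expected value.
    allow_step_up=False forces a binary approve / decline policy for comparison."""
    grid = grid or [i / 20 for i in range(21)]
    best = None
    for step_up_at in grid:
        for block_at in grid:
            if block_at < step_up_at or (not allow_step_up and block_at != step_up_at):
                continue
            candidate = policy_value(txns, step_up_at, block_at)
            if best is None or candidate["expected_value"] > best["expected_value"]:
                best = candidate
    return best


if __name__ == "__main__":
    print("binary   ", best_policy(SAMPLE, allow_step_up=False))
    print("three-way", best_policy(SAMPLE))
```

With these assumptions the best binary policy has to decline the whole grey band to avoid the fraud mixed into it, and the false-positive cost drags its expected value negative; the three-way policy challenges that band instead, keeps most of the good volume and turns a positive expected value. Changing FP_COST or STEP_UP_DROP moves the chosen thresholds, which is exactly why the operating point is a segment-level decision rather than a single global number.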

Practical drills

  • This firm is acquiring for a high-volume merchant doing $500m / year in card-not-present TPV. Last month they processed $42m, had $580k in disputes (of which $380k were fraud-coded), $120k in confirmed fraud loss, and $190k in chargeback loss after representment (win rate 30%). (a) Fraud-to-sales ratio? (b) Chargeback ratio? (c) Where do they sit vs standard tier + high-risk tier thresholds? (d) What's the loss bps + how does it compare to the ~7-15bps CNP benchmark?
  • This firm is launching a new P2P wallet for consumers in 6 months. Funding source = bank account (ACH pull); send / receive = real-time; limits = $1k / day, $5k / week. Walk me through the fraud + risk strategy you'd build pre-launch.
  • Friday morning the dashboard shows fraud-loss bps on card-not-present jumped from a baseline ~10bps to ~45bps over the last 72 hours. Approval rate is unchanged. No deploys this week. Walk me through how you'd diagnose + contain.
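The arithmetic behind the first drill and the detection step of the third, as added example code (Python) that is not from the original page. The first drill's dollar figures are the page's own; the ratios are computed on a dollar basis because the drill gives no dispute counts, and the two program thresholds are labelled placeholders, not scheme figures. The daily loss-bps series for the third drill is constructed to match the ~10bps baseline and the 72-hour jump the drill describes.

```python
"""Monthly merchant KRIs (drill 1) and a fraud-loss bps spike check (drill 3).
Added illustrative code; the thresholds and the daily series are constructed."""
from statistics import mean, median


def merchant_kris(tpv, disputes, fraud_coded_disputes, fraud_loss, chargeback_loss):
    """Ratios on a dollar basis, because the drill gives dollars only.
    Scheme programs also measure count-based ratios; compute those when counts exist."""
    return {
        "fraud_to_sales": fraud_coded_disputes / tpv,
        "chargeback_ratio": disputes / tpv,
        "loss_bps": 10_000 * (fraud_loss + chargeback_loss) / tpv,
    }


def monitoring_tier(ratio, standard_threshold, high_risk_threshold):
    """Place a ratio against two program thresholds supplied by the caller."""
    if ratio >= high_risk_threshold:
        return "high-risk tier"
    if ratio >= standard_threshold:
        return "standard tier"
    return "below program thresholds"


def loss_bps_spike(daily_bps, window=3, baseline_days=14, multiplier=3.0):
    """Compare the last `window` days with the trailing median of the days before them."""
    if len(daily_bps) < window + baseline_days:
        raise ValueError("not enough history for a baseline")
    recent = daily_bps[-window:]
    baseline = daily_bps[-(window + baseline_days):-window]
    baseline_bps = median(baseline)   # median resists one bad day skewing the baseline
    recent_bps = mean(recent)
    ratio = recent_bps / baseline_bps if baseline_bps else float("inf")
    return {"baseline_bps": baseline_bps, "recent_bps": recent_bps,
            "ratio": ratio, "alert": ratio >= multiplier}


# Drill 1 figures from the page: $42m monthly TPV, $580k disputes ($380k fraud-coded),
# $120k confirmed fraud loss, $190k chargeback loss after representment.
DRILL_1 = merchant_kris(tpv=42_000_000, disputes=580_000, fraud_coded_disputes=380_000,
                        fraud_loss=120_000, chargeback_loss=190_000)
CNP_BENCHMARK_BPS = (7, 15)  # the page's ~7-15bps CNP benchmark

# Placeholder program thresholds (not scheme figures; substitute the published ones).
STANDARD_THRESHOLD = 0.010
HIGH_RISK_THRESHOLD = 0.020

# Constructed daily loss-bps series for drill 3: ~10bps baseline, then a 72-hour jump.
DAILY_BPS = [9, 11, 10, 12, 8, 10, 11, 9, 10, 12, 10, 9, 11, 10, 30, 42, 45]

if __name__ == "__main__":
    print({k: round(v, 4) for k, v in DRILL_1.items()})
    print("loss bps vs top of benchmark: {:.1f}x".format(DRILL_1["loss_bps"] / CNP_BENCHMARK_BPS[1]))
    print(monitoring_tier(DRILL_1["chargeback_ratio"], STANDARD_THRESHOLD, HIGH_RISK_THRESHOLD))
    print(loss_bps_spike(DAILY_BPS))
```

The merchant's fraud-to-sales ratio comes out just above 0.9% and its dollar-basis chargeback ratio near 1.4%, with combined loss around 74bps, roughly five times the top of the CNP benchmark; where that lands in the monitoring programs depends on the thresholds you pass in. For the third drill the spike check is only the detection step: with approval rate flat and no deploys, the next moves are segmenting the lost dollars (BIN, merchant, device, geography, new vs tenured accounts) to find the concentration, then containing it with a targeted rule or step-up rather than a blanket threshold change that would hit approval rate.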

Smart-question anchors

  • Sub-function + scope - which risk sub-function the role would own + the loss + approval line it carries
  • Model + policy stack - rules + ML + vendor mix, MRM maturity, recent or planned re-architecture
  • Loss + approval posture - disclosed loss bps + approval rate trend, scheme-monitoring history, KRI dashboard
  • Regulator + scheme + sponsor-bank - the firm's relationship + cadence with regulators, schemes, sponsor banks
  • Risk + product partnership - how risk + product co-own the funnel, where the friction trade is hardest
