How Verify Control Works

Orum verifies account control by sending a unique four-character code to the bank account of your end user and prompts them to authenticate it — removing the lost time and expense of microdeposits.

The maximum number of attempts an end-user can enter the code defaults to three.

Once the end user locates the code within online banking, there are two ways to confirm it:

  1. API-based solution: Send back the code via the Control endpoint
  2. Orum Hosted Email Solution: Orum triggers an automated email to the end user with instructions on how to verify the code via an Orum-hosted website. This email comes from you, but is automatically sent by Orum.

A control verification also includes an account status verification. This means both control_status and verification_status will update to validupon success.

API-Based Solution

If you prefer owning the entire user experience with your brand, this is the option for you. In this option, Orum still sends a penny with a unique 4-character code to the end-user’s bank account. However, the rest of the experience is managed by you, the enterprise.

Here’s how it works:

  1. Your enterprise builds a self-branded interface for your end customers to submit their unique four-character code (for example, in your app or on a website)
  2. Your enterprise delivers the verification request to the end user and informs them of the steps they need to take to retrieve their unique four-character code
  3. Your end user enters the unique 4-character code through the interface you manage, which is then verified by Orum through our Control API

This approach works best if you want the process to be a natural extension of your brand, since you are in control of how you communicate with the end-user and the experience they’ll have submitting the code.

Orum Hosted Email Solution

If you don’t have the resources in place to build your own user experience, our hosted email solution could be a great fit.

Here’s how it works:

  1. Your enterprise sends a verification request and includes the end user’s email in the Verify request body
  2. Orum sends a penny with a 4-character code to the end user’s bank account
  3. Orum sends an email to the end user to prompt them to look for and enter the 4-character code in an Orum-hosted webpage

This approach works best if you are comfortable with a generic branding experience and don’t have the resources or systems in place to send emails or build and manage the code-acceptance experience.

Email Delivery Timing

If using the email-based solution, Orum will send an email based on the following logic:

  • If the bank account is FedNow-eligible, the email is sent once a verify_account_updated webhook event returns a verification_status of valid.
  • If the bank account is not FedNow-eligible, the email is sent during evening hours or the following morning of the next business day (if not a bank holiday).

Domain Configuration

Follow the below steps to enable Orum to send emails on your behalf securely and reliably. This process ensures your emails are trusted by recipients and aren’t marked as spam.

  1. Verify Your Domain
    1. Add a special record to your domain’s DNS settings to prove ownership
  2. Set Up Email Authentication
    1. SPF Record: Authorizes us to send emails on your behalf
    2. DKIM Record: Adds a digital signature to your emails for better security and deliverability
    3. Use a Custom Mail Domain (Mail From): Emails will be sent from a custom domain like mail.yourdomain.com, to enable this a specific DNS records must be added

After the above steps are completed, Orum will:

  1. Provide the records you need to add if you manage your DNS settings
  2. Verify and test the setup to ensure everything works as intended once the DNS updates are in place

Control Statuses

Regardless of whether you choose to use the API-based or email-based solution, the Control statuses and webhook events remain the same.

Ownership StatusDescription
PendingAcknowledgment of the request being received
ValidA match has occurred and ownership has been verified
CanceledThe maximum number of attempts has been reached, a transfer has failed, or it has been 5 days since the request was sent to the receiving bank

Fraud Controls

You will be blocked from making >5 verification requests to the same account within a 24 hour period.

Example Webhook

{
    "created_at": "2023-11-17T20:10:06.173Z",
    "event_data": {
        "account": {
            "id": "2b610cd7-0366-47a0-94c7-923dc0472bc5",
            "account_number": "12345678910",
            "routing_number": "102001017",
            "account_holder_name": "John Doe",
            "estimated_verification_date": "2023-11-17T00:00:00Z",
            "verification_status": "valid",
            "control_status": "valid",
            "created_at": "2023-11-17T20:09:58.356657Z",
            "updated_at": "2023-11-17T20:10:05.351604Z"
        }
    },
    "event_id": "562eec7a-b6e7-489a-bbaa-2f04c137b3d1",
    "event_type": "verify_account_updated"
}