Typical Underwriting Policy in Consumer Lending and Buy Now, Pay Later

Published on: 2026-03-09 23:48:40

Underwriting policy in consumer lending and BNPL is often presented as a neat, rational framework. On paper, it is. In practice, it is a mix of hard eligibility checks, fraud controls, credit risk logic, affordability constraints, and a lot of scar tissue from earlier mistakes.

That last part matters. Underwriting policy is not built from theory alone. It comes from losses, fraud cases, collections outcomes, regulatory pressure, and the slow realization that some customer segments are much harder to serve profitably than they looked in the first growth deck.

Decisimo decision engine

Try our decision engine.

The typical policy includes the following components.

Age Verification and Basic Eligibility

The first gate is usually age. At minimum, the lender has to meet the legal threshold in the market, often 18. But many lenders go further and set stricter internal limits, sometimes 21, sometimes 25, depending on the product, tenor, and channel.

The reason is practical. Younger customers often have thinner files, less stable income, and lower repayment predictability. Students are a classic example. A lender can approve a lot of student traffic and feel good about growth for a few months, then find that collections on students is expensive, ineffective, and turns into a public relations problem fast. Many lenders learned that the hard way.

Age policy therefore tends to combine legal minimums with business rules based on risk appetite. The question is not just “is this customer legally eligible?” but also “is this a segment we actually want in this product?”

Identity Checks, Blacklists, and Known Bads

Before a lender starts debating affordability or score cutoffs, it needs to answer a more basic question: is this person real, and is this application clean?

That is why most underwriting policies include both internal and external negative-file checks. Internal blacklists usually contain prior fraud cases, confirmed abuse, linked identities, linked devices, repeat disputes, written-off customers, and other known bad patterns the lender has already seen. External blacklists or negative databases are usually provided by specialist data vendors in each market.

Skipping these sources is usually a mistake. External data is often priced per hit, but the cost is small compared with the damage from approving obvious fraud, known defaulters, or stolen identities that have already spread through the market. Once one fraud ring starts circulating identities, phone numbers, devices, or bank details across multiple lenders, shared negative data becomes one of the few practical defenses.

This layer is not about fine risk segmentation. It is about stopping applications that should never enter the portfolio in the first place.

Credit Bureau Data, Especially Negative Credit Record

For most consumer lenders, bureau data remains one of the core underwriting inputs. It provides a view of prior borrowing behavior, current exposure, repayment history, defaults, arrears, insolvency events, inquiry activity, and sometimes utilization or indebtedness patterns.

The most important signals are often the least glamorous ones. Negative credit record matters. Recent delinquencies matter. Existing unresolved defaults matter. A customer can look perfectly reasonable inside the application form and still be a clear decline once bureau negatives appear.

This is one reason underwriting policy needs hard exclusions as well as softer score-based logic. Some bureau events should be automatic declines. Others should feed into the score. The policy needs to separate the two.

Alternative Data

Alternative data comes in when the lender wants a fuller view of financial stability, especially in segments where bureau coverage is thin or slow. This can include cash-flow data, employment proxies, income consistency signals, residence stability, utility or telco repayment patterns where available, and application consistency checks.

In some setups, it also includes signals that point to unstable or compulsive financial behavior. Gambling is the obvious example when transaction-level data is available and lawful to use. The point is not to moralize. The point is to identify patterns that correlate with repayment stress, volatility, or fraud.

Alternative data is useful, but it should not be treated like magic. In good underwriting, it improves resolution where standard data is weak. It does not replace basic policy discipline.

Affordability Limits

Affordability is one of the most important parts of the policy, and one of the most constrained by regulation. In many markets, the lender is expected to assess not only whether the customer is likely to repay, but whether repayment is affordable given their broader financial situation.

That means the policy usually needs explicit logic around income, existing debt obligations, housing costs, household expenses, minimum living costs, and sometimes dependants or household composition. In some markets the regulator prescribes what must be included. In others the framework is principle-based, but the expectation is still clear.

This is where lenders often get lazy when growth pressure rises. A weak affordability setup can still generate approvals and disbursements for a while. The problem appears later in early delinquency, repeat borrowing stress, complaints, and regulatory findings.

Affordability is not the same as credit score. A customer can have no obvious negative bureau history and still not have enough room in their monthly budget to take on more debt.

Rules

Rules are the backbone of most underwriting policies, especially early on. They define the hard boundaries of the product.

These rules usually cover:

  • minimum and maximum age,
  • residency and documentation requirements,
  • negative bureau events,
  • fraud and blacklist hits,
  • income thresholds,
  • debt-to-income or affordability thresholds,
  • loan amount and tenor limits,
  • channel, merchant, or product-specific exclusions.

Rules are useful because they are clear, auditable, and easy to explain. They also work well for regulatory constraints and fraud hard stops. If a policy says a recent default means decline, that should be a rule, not a debate.

A good rule of thumb for knockout criteria is this: if the Head of Risk is not comfortable having a segment in the portfolio at all, or the segment runs at several times standard risk, it should be a KO.

That is the real purpose of KO logic. It removes segments that are clearly outside risk appetite, instead of letting them drift into the book through soft cutoffs or manual exceptions.

But rules alone become blunt as the business scales.

Scoring

As lenders grow, they usually reduce the number of rules and rely more on scoring. That does not happen because scoring is magical and turns an average lender into a brilliant one. It happens because scale changes the economics of underwriting.

Once volume grows, approval rate starts to matter a lot. A rules-heavy setup is often too rough. It cuts large groups of applicants in or out without enough nuance. Scoring gives the lender a way to rank customers more precisely by expected risk and expected profitability.

That matters for three reasons.

  • Approval control: the lender can move cutoffs with more precision instead of rewriting multiple rules.
  • Segment profitability: different customer groups, channels, and merchants can support different cutoffs.
  • Risk-based pricing: better score separation allows pricing to reflect expected risk more accurately. See risk-based pricing.

The catch is that the score has to be stable, especially around the cutoff. A score that looks strong in a model deck but behaves badly at the approval boundary can become expensive very quickly. At scale, small instability around cutoff points turns into real loss leakage.

Underwriting Policy Changes as the Lender Scales

This is usually the real story.

Early-stage lenders often lean on simple rules. That makes sense. The business needs control, explainability, and fast implementation. With lower volumes, rough segmentation is tolerable.

As the portfolio grows, that approach starts to strain. Management wants more approvals without taking on obviously worse risk. Pricing needs to become more granular. Product and merchant strategies start diverging. Repeat customers need different treatment from first-time applicants. At that point, scoring becomes less of a nice-to-have and more of an operating requirement.

The best lenders do not replace rules with scoring. They separate their roles properly. Rules handle hard exclusions, policy boundaries, and compliance constraints. Scoring handles ranking, cutoffs, and nuanced segment selection.

What a Good Policy Actually Does

A good underwriting policy does not try to predict everything. It does something more useful. It creates a controlled decision framework for who gets approved, who gets declined, on what terms, and for what reason.

In consumer lending and BNPL, that usually means:

  • verify age and basic eligibility,
  • screen out fraud and known bads,
  • check bureau negatives and existing debt signals,
  • use alternative data where it adds real signal,
  • apply affordability limits,
  • use hard rules where the answer should be binary,
  • use scoring where the business needs precision.

That is what a mature underwriting policy looks like. Not complicated for the sake of complexity. Just explicit, testable, and grounded in the actual economics of the portfolio.

Decisimo decision engine

Try our decision engine.

Related Articles

  • The process of implementing a decision engine

    Implementing a decision engine lets companies automate and scale decision-making to reduce costs, accelerate processes, and improve efficiency. This article walks through the practical steps—from identifying candidate business processes and mapping existing decision logic and data, to formalizing a decision model, selecting the right engine, and deciding whether to use internal expertise or external consultants.

  • Improving Login Security with a Rule Engine

    This article explains how a rule engine uses decision logic to detect account takeover and bot attacks. It covers escalating authentication, including OTP and other challenges, PST integration, and practical rule examples you can deploy to block suspicious logins fast.

  • Stopping Synthetic Identity Fraud with SEON and Decisimo - Decisimo

    Synthetic identity fraud exploits small gaps in identity data. This article explains how SEON adds digital footprint and address analysis to registration checks, and why that mix helps businesses spot suspicious identities before they open an account or complete a purchase.

  • AI Reshapes Collections - Decisimo

    AI is changing collections from broad outreach to targeted action. This article explains how segmentation, decision logic, and voice bots can improve recovery rates, reduce manual work, and help teams focus on the right accounts at the right time.

  • Using distance calculation with the spherical law of cosines to detect fraud in ecommerce

    This article explains how to use the Spherical Law of Cosines to calculate great-circle distances from latitude and longitude, and apply that decision logic in a decision engine for customer verification, geo-fencing, and ecommerce fraud detection. It compares the formula with Haversine, shows the exact equation and implementation steps, and explains the accuracy trade-offs at different distance ranges.