# Onboard Risk Check
source: https://developer.mastercard.com/onboard-risk-check/documentation/index.md

## Overview {#overview}

The Onboard Risk Check (ORC) system helps businesses make smarter decisions when onboarding new merchants. It allows authorized users (details mentioned under Getting Started section) to send inquiries about a merchant to different data providers and receive valuable risk information. This helps users assess potential risks before deciding to onboard the merchant.
ORC offers two ways to create inquiries and get risk reports:

1. **ORC API** : This option is ideal for customers comfortable working with APIs. Depending on their needs, they can:

   * Use the [Initiate Inquiry endpoint](https://developer.mastercard.com/onboard-risk-check/documentation/use-cases/orc/initiate-inquiry/index.md) or the [Cyber Only Initiate Inquiry endpoint](https://developer.mastercard.com/onboard-risk-check/documentation/use-cases/orc-cyber/create-history-request/index.md) to submit merchant inquiries.
   * Use the [Retrieve Inquiry endpoint](https://developer.mastercard.com/onboard-risk-check/documentation/use-cases/orc/retrieve-inquiry/index.md) or the [Cyber Only Retrieve Inquiry endpoint](https://developer.mastercard.com/onboard-risk-check/documentation/use-cases/orc-cyber/inquiry-history-request/index.md) to view risk reports.
2. **ORC UI** : This is a user-friendly interface available through Mastercard Connect. Customers can:

   * Create merchant inquiries.
   * View risk reports.
   * Review results from inquiries submitted via the ORC API channel.
   * If a customer has already submitted a [MATCH](https://developer.mastercard.com/onboard-risk-check/documentation/glossary/index.md) inquiry, they can use the Inquiry Reference Number (IRN) from that to retrieve results.

<br />

<br />

### Advantages of using ORC API {#advantages-of-using-orc-api}

Merchant onboarding is becoming increasingly competitive and the need to make a decision is almost expected to happen in near real-time. The advantages of using an Onboard Risk Check Application Programming Interface (ORC API) during the decision-making process are as follows:

* **Automation and Efficiency** :   
  * ORC APIs enable automated merchant risk checks without manual intervention.
  * It reduces the time and effort required for the merchant onboarding process.
  * With ORC APIs, systems rather than people can manage the work, which helps entities update workflows to make them quicker and more productive.
  * The content generated can be published automatically and is available for every channel. This allows the content to be shared and distributed more easily.
* **Flexibility and Integration** :   
  * ORC APIs allow content to be embedded from any site or application more easily. This guarantees more fluid information delivery and an integrated user experience.
  * It also supports different use cases via multiple API endpoints (e.g., standard vs. cyber-only).
* **Enhanced Risk Insights** :   
  * Offers detailed and incremental risk information to support better decisions.
  * Helps identify potential fraud, compliance issues, or reputational risks early.
* **Secure and Traceable** :   
  * Each inquiry generates a unique Inquiry Reference Number (IRN) for tracking.
  * Ensures secure communication with data providers.
* **Scalable for High Volume** :   
  * The ORC API is ideal for organizations handling large volumes of merchant onboarding.
  * The API supports batch processing and parallel inquiries.   

See [the product page](https://developer.mastercard.com/product/onboard-risk-check/) for marketing and case study details.

## How it works {#how-it-works}

The below flow diagram indicates the working mechanism of Onboard Risk Check (ORC).

![](https://static.developer.mastercard.com/content/onboard-risk-check/uploads/ORCAPI_Flow_Diagram.png)


* **Customer**: A customer (An Acquirer or a Non-Traditional customer) can use Onboard Risk Check to submit an inquiry and retrieve risk assessment details for a potential merchant.
* **Data Providers**: A suite of entities/vendors integrated with Onboard Risk Check which carries out different aspects of risk assessment for a potential merchant. The available suite of data providers is explained below.
* **ORC API**: The REST API which makes GET and POST operations between Onboard Risk Check and different data providers.
* **ORC UI**: A user interface of ORC available only to Acquirers through Mastercard Connect.

**Step 1:** Authorized customers (Acquirers or Non-Traditional Customers) can submit an inquiry about a potential merchant using the ORC API endpoints through the ORC API channel. They can choose risk assessment providers from the available options.  
**Step 2:** ORC performs checks and validations. If the inquiry is valid, it returns an Inquiry Reference Number (IRN) to the customer. This IRN can be used to access risk reports.  
**Step 3:** The accepted inquiry is sent to the selected data providers for risk assessment.  
**Step 4:** Once the data providers return their results, the ORC API compiles the risk report.  
**Step 5:** Customers can use the IRN to make a callback inquiry and view the risk report.  
**Step 6:** Only Acquirers can use the ORC UI channel to view risk results for inquiries submitted through the ORC API channel.  

<br />

<br />

## Data Providers Integrated with ORC {#data-providers-integrated-with-orc}

Onboard Risk Check integrates a multitude of merchant data points for a holistic view of merchant risk.
![](https://static.developer.mastercard.com/content/onboard-risk-check/uploads/how-it-works-tech-page_F768255.png)

1. **Cyber Health**: This provides the Cyber Risk Ratings of a merchant's online environment.
2. **Business Identity**: This verifies a merchant's business details. It now also includes verification of key individuals---such as company owners and directors---from the organizations you are forming relationships with.
3. **Sanctions Screening** : This performs **Screening** of merchants or principal business owners on the **sanctions lists**.

Please refer to the [Data Providers](https://developer.mastercard.com/onboard-risk-check/documentation/data-providers/cyberhealth/index.md) section for in-depth details on each data provider.

## Getting started {#getting-started}

You must be an approved user before you can consume the endpoints in the production environment. Your production consumer key will be associated with your Company ID (CID) for authorization. For more information on keys, refer to [Getting Keys for Your Application](https://developer.mastercard.com/platform/documentation/security-and-authentication/using-oauth-1a-to-access-mastercard-apis/#getting-keys-for-your-application).

You do not need pre-approval to work in the sandbox environment. Refer to [Tutorials and Guides](https://developer.mastercard.com/onboard-risk-check/documentation/tutorials/onboard-risk-check/index.md) for instructions on how to consume the API.

### Good to know {#good-to-know}

IRN is necessary for retrieving the inquiry results. It is created by calling either the ORC Initiate Inquiry endpoint or submitting an inquiry through [MATCH](https://developer.mastercard.com/onboard-risk-check/documentation/glossary/index.md).
Note: Certain inquiry types are prohibited in certain countries. If your business/entity is located in a restricted country for an inquiry type, you will receive "null" in the results for that inquiry type.