Agency/Organization Program Coordinators (A/OPCs) Purchase Training

Lesson 8: Risk Mitigation

How can Agency/Organization Program Coordinators (A/OPCs) and contractor banks help to minimize the risk of misuse/abuse and fraud?

A/OPCs should work to minimize the risk of misuse/abuse and fraud in your GSA SmartPay® Purchase program. The most important thing you can do is to be aware of what activity is occurring on the accounts under your purview. Do not be afraid to ask card/account holders questions if you identify unusual or suspicious transactions or behavior.

Risk mitigation controls, policies and practices are critical tools for ensuring the efficiency and integrity of payment solution programs by eliminating payment delinquencies, payment solution fraud, misuse, waste and abuse.

Public Law 112-194 (Government Charge Card Abuse Prevention Act of 2012) [PDF, 7 pages] and OMB Circular A-123, Appendix B [PDF, 71 pages] place a great deal of emphasis on risk management.

Contractor banks shall support goals to manage risk by:

  • Developing an efficient approach to risk identification, analysis and mitigation.
  • Suggesting and sharing industry leading practices.
  • Developing and suggesting internal controls.
  • Assisting in the development of risk mitigation policies.
  • Providing agencies/organizations with exception reports that flag high risk transactions.
  • Assisting agencies/organizations and GSA in the communication of policies to card/account holders.

What control mechanisms do A/OPCs have to assist in managing the GSA SmartPay program?

A/OPCs may proactively implement controls to ensure proper use of the card/account and reduce risk to all parties (the card/account holder, the agency/organization and the contractor bank).

When appropriate controls, often referred to as authorization controls, are combined with effective oversight and consistent enforcement of agency policies/procedures, the result is a well-managed program. While there can be a cost to implement certain controls, the costs should be balanced against the benefits received by reducing delinquency and misuse.

These authorization controls include:

Default Limit

Standard commercial default limits suggested by the contractor bank during card/account setup that may be changed by an agency/organization.

Dollars Per Transaction Limit

Restricting the dollars per single transaction that can be spent on each card/account as set by the A/OPC.

Dollars Per Month Limit

Restricting the dollars per month that can be spent on each card/account as set by the A/OPC.

Transactions Per Day Limit

Restricting the number of transactions per day on each card/account as set by the A/OPC.

Transactions Per Month Limit

Restricting the number of transactions per month on each card/account as set by the A/OPC.

Merchant Category Code (MCC)

Restricting the types of purchases made by each card/account as set by the A/OPC. Purchases are restricted depending on the type of merchant (identified by the MCC).

Preferred Supplier Listing

Each account may be restricted from making purchases at certain merchants; straight-through processing (STP) or virtual accounts may have established relationships with a specific supplier.

Preferred Supplier Listing Threshold

Each account may be restricted to certain dollar thresholds and preferred suppliers.

Automatic Controls

Controls that flag and deny invalid cards (such as lost, stolen, suspended and canceled cards).

Mass Changes

The ability for the A/OPC to make changes on a large number of accounts (to meet contingency operations such as natural disasters).

Information Adjustments

The ability for the A/OPC to adjust account information based upon hierarchy levels.

Activation/Deactivation On-Demand

The ability for the A/OPC to activate/deactivate multiple accounts upon demand or activate/deactivate automatically based upon established business rules provided by the agency/organization at the task order level. No transactions shall be authorized on a deactivated account.

User Account Recognition

The ability to uniquely identify and authenticate an account user before processing card-not-present transactions. The transaction processing shall support two-factor authentication where one of the factors is provided by a device separate from the computer gaining access. The concept is to tie the financial authorization process to an online authentication.

Card-Not-Present Notifications

The ability to notify the agency/organization on card-not-present transactions.

What program management tools are available to assist agencies in minimizing instances of misuse/abuse and fraud?

Credit Limits

  • Credit limits restrict single, daily, weekly or monthly expenditures by the card/account holder.
  • In accordance with agency/organization policy, an A/OPC may set the limits which best meet the agency’s needs.
  • Setting limits that are realistic, but not excessive, will deter card/account holder misuse.
  • By reviewing card/account holder spending patterns, you may be able to lower limits without disrupting the agency’s mission.
  • A/OPCs also have the authority to raise limits at any time in response to emergency or unforeseen situations.

MCC Blocks

  • MCCs are established by the associations or contractor banks to identify different types of businesses.
  • Merchants select the codes best describing their business.
  • You may limit the types of businesses where the account will be accepted by limiting the MCCs available to the card/account holder.
  • The contractor bank has established sample templates that may assist you in determining which MCCs should be restricted.
  • In the event that a card/account holder needs to make a purchase outside of his/her restricted MCCs, A/OPCs are authorized to override the restriction for a transaction by contacting the contractor bank’s Customer Service Representative.
  • Agency/organization policy should specify who is authorized to perform overrides.

Online Reports

  • A/OPCs have access to many standard and ad hoc reports online through the contractor bank’s Electronic Access System (EAS). See Lesson 5 of this training.

Account Deactivation

  • In those instances when the purchase card/account is not needed on a continuous basis, deactivation of the account may serve as a deterrent to fraud and/or misuse.
  • You may deactivate the account when a card/account holder is not using or is not planning to use the purchase card/account.
  • By understanding the card/account holder’s need and use of the account, you can work with the card/account holder to establish deactivation guidelines.
  • Deactivation and reactivation can be completed through the bank’s EAS or by calling the bank’s customer service phone number.


  • The banks have developed written guides for A/OPCs and card/account holders.
  • A/OPC Guide: This guide addresses issues of concern to the A/OPC, including responsibilities of program participants, account setup and maintenance, account suspension/cancellation, disputes, reports and invoicing procedures. The guide is available from the banks in hard copy and/or electronically.
  • Card/Account Holder Guide: This guide addresses authorized uses of the purchase card/account, disputes and billing.

GSA Provided Resources

  • GSA developed and hosts an online training course for purchase card/account holders that discusses the proper use of the purchase card/account.
  • The annual GSA SmartPay Training Forum for A/OPCs provides training on the bank’s EAS, best practices and program management.
  • Free online resources from the GSA SmartPay website to assist purchase A/OPCs in detecting and preventing misuse and fraud.
  • Printable resources such as Helpful Hints for Purchase Account Use [PDF, 14 pages], a card-sized brochure that provides information on the purchase card/account. This brochure can be ordered online and can be passed out to card/account holders when they receive their purchase cards/accounts.

How do program management tools make it easier to audit and manage the use of purchase cards/accounts?

Program management tools such as online reports make it easier to distinguish questionable transactions from proper transactions. Online reports provide auditors and A/OPCs with immediate access to information such as the merchant name, the type of merchant, the dollar amount of the transaction and the date of the transaction. In some instances, merchants also provide line item detail for transactions, including quantities, prices and product descriptions. GSA continues to work with the associations to increase the availability of line item detail.

