Instant rails move money before anyone can ask a question. That is useful for trusted counter-parties. It is catastrophic for autonomous agents. The settlement buffer is the window where the wrong decision becomes a reversal instead of a recovery operation.
Funds are held in the FBO buffer. Counter-party sees a verified receipt. Capture latency is milliseconds.
Automated checks validate the policy and counter-party. Low-confidence authorizations are flagged for operator review.
Invoices, shipment confirmations, and dispute signals are reconciled against the hold. Release is scheduled or cancelled.
Operators — or the SafetySwitch itself — can pull any held escrow back. No vendor involvement needed. No dispute form.
If no reversal or block has landed, the protocol releases funds to the counter-party and terminalizes the entry.
Card rails charge for the ability to dispute. RTP charges for the speed. Paystack charges for the window — and the window is where fraud, errors, and bad policies get corrected before they become accounting problems.
| Rail | Settle | Cost/txn | Reversal window | Who reverses |
|---|---|---|---|---|
| Card (CNP) | T+1 | 2.9% + $0.30 | ≤ 120d (chargeback) | Cardholder only |
| RTP / FedNow | T+0 · seconds | ~$0.045 | None — irrevocable | Nobody |
| ACH | T+1–3 | ~$0.08 | 60d (unauthorized) | Receiver’s bank |
| Paystack escrow | T+120h (configurable) | 0.6% + $0.10 | The whole window · 100% | Operator · SafetySwitch |
The moment an agent authorizes a payment, the counter-party sees a Verified Future Payment. Vendors plan on it. They just can’t spend it yet.
Receipts, shipment events, and dispute signals flow into the ledger during the window. Release fires automatically when conditions clear.
Counter-parties with a verified history can be whitelisted to a shorter window or instant rail — without giving up reversibility for the rest.
120 hours is the default. Set per-agent, per-counter-party, or per-category windows. High-risk policies get a longer buffer. Recurring trusted vendors can run at T+0. The ledger records the policy that chose the window, so audit can see why.