Skip to content
WyomingLLC

Banking

Mercury Mobile App Tips for International Travel

Mercury's security system watches for unusual sign-in patterns, and few users trigger more of them than non-resident founders who move between countries ever…

Zawwad profile photo

By Zawwad, Founder & CEO, WyomingLLC by Topslice LLC.

Published March 29, 2026 · Last updated July 2, 2026

Banking - illustrative header image
Table of Content

Answer

Mercury's security system watches for unusual sign-in patterns, and few users trigger more of them than non-resident founders who move between countries every few weeks. A login from Lisbon on Monday, Dubai on Wednesday, and Bangkok on Friday looks, to an automated fraud model, exactly like a stolen credential being passed around. The good news: almost every travel-related lockout is preventable with a handful of setup choices you make once. This guide walks through how to configure the Mercury mobile app so you keep uninterrupted access to your Wyoming LLC's bank account no matter where you are - and what to do in the rare case you still get flagged.

Why Mercury flags traveling founders in the first place

Mercury is a financial technology company, not a chartered bank - deposits are held at partner banks (Choice Financial Group and Column N.A.), and Mercury layers its own risk and fraud tooling on top. Like every US fintech, it is bound by Bank Secrecy Act and Know Your Customer (KYC) obligations enforced by FinCEN. Those rules require Mercury to monitor for account takeover and money laundering, and one of the cheapest signals to monitor is geography of access.

The fraud model is not judging you for traveling. It is reacting to a pattern: a session that originates from an IP address in a different country than the last session, especially when the gap between logins is shorter than a plane could physically cover the distance ("impossible travel"). Combine that with a new device fingerprint or a fresh phone number, and the model's confidence that "this might not be the account owner" climbs high enough to demand re-verification or temporarily restrict the account.

For a US-resident founder this rarely fires. For a non-resident founder from India, Pakistan, Bangladesh, Nigeria, or anywhere else who is also a digital nomad, it can fire constantly. The fix is to make your access boring and predictable even while your physical location is not.

The signals that actually matter

SignalWhat triggers itTravel riskHow to neutralize it
Impossible travelLogins from two distant countries within hoursHighStay logged in on one trusted device; use push-based 2FA
New device fingerprintSigning in from a borrowed laptop or new phoneHighUse the same phone/laptop everywhere; register a passkey
Rotating VPN exit nodesVPN that jumps country every sessionHighUse one stable exit node, or no VPN
SMS 2FA to a roaming/changed numberNew SIM card, number ported, SMS fails abroadMediumUse an authenticator app, not SMS
Expired ID on filePassport lapses during a long tripMediumRenew before travel if within 12 months of expiry
Long dormancy then sudden activityAccount untouched, then large transfer abroadLow–MediumLog in periodically; pre-notify large moves

Set up 2FA the right way before you leave

This is the single most important section. According to Mercury's support documentation, Mercury requires every user to configure at least one 2FA method, and you are prompted for a second factor on every login. Configure this while you still have stable connectivity at home, never from an airport lounge with five minutes before boarding.

Option 1: Use the Mercury mobile app as your authenticator (recommended)

Mercury's own guidance notes that the Mercury mobile app doubles as a 2FA app. Once it is set up, Mercury sends a push notification to your phone every time a login is detected - you tap to approve and you are in. This is the smoothest method for travelers because:

  • It works over any internet connection, including hotel Wi-Fi and eSIM data, with no SMS dependency.
  • The push is tied to your device, which becomes a stable, trusted fingerprint that reduces flag risk rather than adding to it.
  • You never type a code, so there is nothing to fumble on a weak connection.

Option 2: Add a third-party authenticator app as backup

Per Mercury's guide to 2FA apps, you can use Authy, Google Authenticator, 1Password, or any TOTP-compatible app instead of (or alongside) the Mercury app. Time-based one-time passwords generate offline - the app computes the six-digit code from a shared secret and the current clock, so it works on a plane in airplane mode. Add at least one so you are not dependent on a single device.

A strong traveler setup: Mercury mobile app (push) as primary, plus Authy with cloud-encrypted backup as secondary. If your phone is lost or stolen, Authy's multi-device sync lets you recover the codes on a new device.

Option 3: Add a passkey or hardware security key

Mercury supports passkeys and physical security keys (FIDO2/WebAuthn). A passkey stored in your phone or password manager is phishing-resistant and travels with you. If you carry a YubiKey, register it as a high-assurance backup that no remote attacker can replicate.

Download and protect your backup codes

This is the step travelers skip and then regret. Mercury issues one-time-use backup codes that each log you in once if you lose access to your 2FA app. If your phone is stolen in Barcelona and it held your only authenticator, backup codes are the difference between logging in from a new device that afternoon versus waiting days for an identity-verification reset.

Before you travel:

  1. Generate your backup codes in Mercury's security settings.
  2. Store them somewhere that does not depend on the phone you are carrying - an encrypted note in a password manager that syncs to the cloud (1Password, Bitwarden), or a printed copy in your luggage separate from your phone.
  3. Do not screenshot them to your camera roll, which syncs to the same cloud account a thief may access if they have your unlocked phone.
  4. If you ever use one, regenerate the full set so you always have unused codes in reserve.

If you lose both your 2FA app and your backup codes, Mercury's account-recovery process requires an identity-verification reset request, which is slower and asks for documents - exactly the friction you want to avoid while abroad.

Keep one phone number, one device, one identity

The model rewards consistency. The more of your "digital identity" that stays fixed while you move, the less you look like an attacker.

  • One phone number. Swapping SIM cards across countries means your 2FA destination keeps changing. Use an eSIM data plan (Airalo, Holafly) for local internet while keeping your original number active for verification, or use a number that travels - a Wise account number, a Google Voice line, or a number you keep on roaming. Mercury does not require a US phone number at signup, but it does benefit from a stable one.
  • One primary device. Logging in from your own phone and laptop everywhere keeps a consistent device fingerprint. Borrowing a hostel computer or a friend's laptop is a textbook trigger.
  • Current ID. Your passport on file should have 12+ months of validity. If Mercury runs a periodic KYC refresh - which our banking notes flag can take up to two weeks for certain countries - an expired passport stalls it. Renew before a long trip if your expiry is close.

VPN strategy for travelers

VPNs are not banned, but how you use one matters. A static VPN that always exits in the same country looks like a single consistent location - that is fine, sometimes better than the alternative. A rotating VPN that exits in Germany one minute and Singapore the next manufactures the exact impossible-travel pattern the fraud model hunts for.

Rules of thumb:

  • If you use a VPN, lock it to one exit country and leave it there.
  • Do not toggle the VPN on and off mid-session.
  • If you are in a country with restricted internet and must use a VPN to reach Mercury at all, pick one reliable exit node and stick with it for the whole trip.
  • Connecting directly (no VPN) from your travel country is also fine - what Mercury dislikes is churn, not foreign IPs per se.

Pre-notify Mercury for long or unusual trips

For multi-week or multi-country trips, a short heads-up to Mercury support meaningfully lowers your flag risk. Email help@mercury.com with something like:

"I am the owner of [LLC name], account ending [last 4]. I'll be traveling and accessing my account from India and the UAE between October 1 and November 30. Please note this is expected activity."

This puts a human-readable note on your file so that when the automated model raises a flag, the reviewer sees context and clears it faster. It is the banking equivalent of the old "travel notice" on a credit card - most useful right before a large international wire or a stretch in a higher-scrutiny country.

What to do if your account gets flagged anyway

Do not panic, and do not open five support tickets - that fragments your case across reviewers and slows everything down. One clear thread resolves fastest.

  1. Read the exact message. A "verify your identity" prompt is routine; a "your account is under review" notice is more serious but usually still resolvable.
  2. Respond in a single thread with: confirmation of who you are, where you are traveling, and any document Mercury requests (usually a fresh photo of your passport).
  3. Use backup codes if the block is purely a 2FA-access problem rather than a full account review.
  4. Be patient. Most identity re-verifications clear within a few business days; extended reviews for higher-scrutiny countries can take up to two weeks.
  5. Keep a fallback. This is the strongest argument for maintaining a second account - see below.

The non-resident reality: never rely on a single account

Mercury accepts a meaningful share of non-resident applicants, with stronger acceptance for UK, EU, India, Pakistan, Bangladesh, Brazil, and UAE founders and tighter review for some others (approval is not guaranteed). Accounts also get reviewed, restricted, and occasionally closed - and a restriction always seems to land at the worst possible moment, like the week a client payment is due.

The defensive move is redundancy. Open a second account so a single flag never freezes your whole business:

  • Relay - narrower non-resident acceptance than Mercury (approval not guaranteed), with up to 20 sub-accounts; a different reviewer pool than Mercury, so a Mercury rejection does not predict a Relay one.
  • Wise Business - the highest acceptance rate of the three, accepting almost every country Mercury and Relay reject, and purpose-built for international users. Travel does not flag Wise the way it can flag a US-domestic-leaning fintech, because cross-border movement is Wise's entire design assumption.

Keeping operating cash in Mercury and a backup balance plus multi-currency receiving in Wise means a travel flag is an inconvenience, not an outage.

Use scheduled payments to remove time-zone risk

Travel does not just threaten access - it threatens timing. A wire you mean to send on the 1st is easy to forget when you are crossing three time zones and dealing with a flagged login on the same day. The defensive habit is to schedule recurring and known one-off payments in advance from the Mercury app or web dashboard, so a missed login does not become a missed payroll run or a late supplier payment. Set up the transfer while you have stable connectivity at home, and a temporary access flag during travel never turns into a missed obligation. For anything tied to a hard deadline - a contractor who stops work if unpaid, or your own quarterly set-asides - schedule it rather than relying on being online and unflagged on the exact day.

The same logic applies to your card. Before a long trip, confirm which physical card you are carrying, note its last four digits, and make sure you can identify it in the app's card list so that if you need to freeze one in a hurry you freeze the right one and keep the others live.

A TOTP detail that trips up travelers: clock drift

If you rely on a third-party authenticator (Authy, Google Authenticator) and your six-digit codes suddenly stop being accepted, the usual culprit is not a hacked account - it is clock drift. Time-based one-time passwords are computed from a shared secret plus the current time, so if your phone's clock is even a minute or two off from real time, the codes it generates fall outside the server's acceptance window and get rejected. This happens to travelers more than anyone, because a phone that has bounced between cellular networks, airplane mode, and foreign carriers sometimes fails to resync its clock automatically.

The fix is simple once you know it: set your phone's date and time to "automatic / network-provided," or in Google Authenticator use the built-in "Time correction for codes" sync option. The Mercury app's push approval sidesteps this entirely because it does not depend on your device clock, which is one more reason to keep push as your primary method and TOTP as the backup rather than the other way around.

What documents account recovery actually asks for

If you do fall all the way through to Mercury's identity-verification reset - both 2FA app and backup codes gone - it helps to know in advance what you will be asked for, so you can have it ready rather than scrambling from a hotel. Recovery generally hinges on re-proving you are the same person and beneficial owner who opened the account: a clear photo of the same passport on file (this is why letting it lapse mid-trip is a real risk), confirmation of identifying account details, and sometimes a short verification step to confirm control of the account. Keep a legible scan of your passport and your EIN confirmation letter (CP575) in the same cloud password manager as your backup codes. If your identifying document on file has changed - new passport number after a renewal - update it in Mercury before you travel, because a mismatch between the document you present and the one on file is itself a recovery delay.

Don't forget the federal tax obligation underneath the bank account

A bank flag is recoverable. A missed IRS filing is expensive. Every foreign-owned single-member US LLC is treated as a disregarded entity that must file Form 5472 attached to a pro forma Form 1120 for any year with a reportable transaction - and an initial capital contribution from you, the owner, counts as a reportable transaction. The IRS sets the penalty for failing to file a complete and correct Form 5472 at $25,000, with additional $25,000 increments if the failure continues after IRS notice. Submitting the 5472 without the 1120 (or vice versa) is treated as a failure to file. The deadline is April 15 (extendable to October 15 with Form 7004). Bank flags come and go; this filing is non-negotiable, so calendar it the moment your account is funded.

Pre-travel checklist

  • Mercury mobile app installed and set as a push 2FA method
  • Third-party authenticator (Authy / Google Authenticator) added as backup
  • Passkey or security key registered (optional but strong)
  • Backup codes generated and stored off-device in a synced password manager
  • One consistent phone number confirmed on file
  • Passport on file valid for 12+ months
  • VPN locked to a single exit country (or disabled)
  • Travel notice emailed to help@mercury.com for long trips
  • Second account (Relay or Wise) live as a fallback
  • Form 5472 deadline noted on your calendar

This article is educational and not legal, tax, or financial advice. Mercury's security policies and support procedures change; confirm current details at support.mercury.com. For your specific tax situation, consult a qualified cross-border CPA.

Sources: Mercury - Setting up 2FA; Mercury - Guide to 2FA apps; Mercury - Using backup codes; Mercury - Restoring account access; IRS - About Form 5472.

Frequently asked questions

Does Mercury require a US-based phone number?
No. Mercury does not require a US phone number at signup, and non-residents routinely use their home-country numbers. What matters more is consistency: your 2FA destination should not keep changing as you swap SIM cards across countries. Keep one stable number on file, or use the Mercury mobile app's push notifications so you do not depend on SMS at all.
Should I use SMS or an authenticator app for 2FA while traveling?
Use an authenticator app or the Mercury mobile app's push, never SMS. SMS depends on cellular roaming, which is unreliable and expensive abroad and breaks entirely if you swap to a local SIM. Authenticator apps generate codes offline from your device's clock, so they work on a plane, on hotel Wi-Fi, or anywhere with no signal at all.
What if I lose my phone abroad?
Use your downloaded backup codes to log in from a new device, then immediately reset your 2FA in security settings and re-register the new phone. If you saved backup codes off-device (in a cloud password manager), recovery takes minutes. If you did not, you must submit Mercury's identity-verification reset request, which is slower - which is exactly why you generate and store backup codes before leaving.
Will using a VPN get my Mercury account flagged?
Not by itself. A VPN locked to one consistent exit country looks like a single stable location and is fine. The problem is a *rotating* VPN that exits in a different country every session - that manufactures the impossible-travel pattern Mercury's fraud model watches for. Pick one exit node and leave it, or connect directly from your travel country.
Should I tell Mercury before I travel?
For long or multi-country trips, yes. Email help@mercury.com with your LLC name, the last four digits of your account, and your travel dates and countries. This puts context on your file so that when the automated system raises a flag, a human reviewer can clear it quickly. It is especially worth doing before a large international wire.
How long does it take to resolve a travel-related account flag?
Routine identity re-verifications usually clear within a few business days once you submit the requested documents. Extended reviews - more common for founders from higher-scrutiny countries - can take up to two weeks. Respond in a single support thread rather than opening multiple tickets, which slows the process by splitting your case across reviewers.
Can I freeze and unfreeze my cards from the Mercury app while abroad?
Yes. The Mercury mobile app lets you freeze and unfreeze both physical and virtual debit cards instantly. This is genuinely useful while traveling: if you spot a suspicious charge or misplace a physical card, freeze it from your phone in seconds and unfreeze it once you have located the card or confirmed the charge.
Does Wise have the same travel-flagging issues as Mercury?
Generally no. Wise Business is built for international users, so cross-border logins are its default expectation rather than an anomaly. Travel rarely flags a Wise account the way it can a US-domestic-leaning fintech. That is one reason many non-resident founders keep Wise as a second account alongside Mercury - it is resilient precisely when Mercury is most likely to balk.
What happens to my LLC's compliance if my bank account gets restricted while I'm traveling?
Nothing - they are separate systems. A bank restriction does not affect your Wyoming LLC's legal standing or your federal tax obligations. You still must file Form 5472 with a pro forma Form 1120 (the IRS imposes a $25,000 penalty for failure to file) and keep your Wyoming registered agent and annual report current. Resolve the bank flag through support, but never let a banking distraction cause you to miss the April 15 IRS deadline.
Is it worth opening a second business account before I travel?
For an active business, yes. Mercury accepts a meaningful share of non-residents (approval not guaranteed), but accounts still get reviewed and occasionally restricted. A second account at Relay (different reviewer pool, up to 20 sub-accounts) or Wise Business (highest acceptance, travel-resilient) means a single flag is an inconvenience, not a business outage. Keep operating cash in one and a fallback balance in the other.

Related guides

More Wyoming LLC guides

Form your Wyoming LLC in 24 hours.

$397. EIN, registered agent (1 year), and Mercury/Relay/Wise bank introductions included.