diff --git a/app/controllers/api/verify/password_confirm_controller.rb b/app/controllers/api/verify/password_confirm_controller.rb
index 77777aaaed3..67986381054 100644
--- a/app/controllers/api/verify/password_confirm_controller.rb
+++ b/app/controllers/api/verify/password_confirm_controller.rb
@@ -51,6 +51,8 @@ def completion_url(result, user)
           idv_come_back_later_url
         elsif in_person_enrollment?(user)
           idv_in_person_ready_to_verify_url
+        elsif device_profiling_failed?(user)
+          idv_come_back_later_url
         elsif current_sp
           sign_up_completed_url
         else
@@ -63,6 +65,14 @@ def in_person_enrollment?(user)
         ProofingComponent.find_by(user: user)&.document_check == Idp::Constants::Vendors::USPS
       end
 
+      def device_profiling_failed?(user)
+        return false unless IdentityConfig.store.proofing_device_profiling_decisioning_enabled
+        proofing_component = ProofingComponent.find_by(user: user)
+        # pass users who are inbetween feature flag being enabled and have not had a check run.
+        return false if proofing_component.threatmetrix_review_status.nil?
+        proofing_component.threatmetrix_review_status != 'pass'
+      end
+
       def handle_request_enroll_exception(err)
         analytics.idv_in_person_usps_request_enroll_exception(
           context: context,
diff --git a/app/controllers/idv/personal_key_controller.rb b/app/controllers/idv/personal_key_controller.rb
index 8251bd612b2..6ad76b1dc73 100644
--- a/app/controllers/idv/personal_key_controller.rb
+++ b/app/controllers/idv/personal_key_controller.rb
@@ -37,6 +37,8 @@ def next_step
         idv_come_back_later_url
       elsif in_person_enrollment?
         idv_in_person_ready_to_verify_url
+      elsif device_profiling_failed?
+        idv_come_back_later_url
       elsif session[:sp] && !pending_profile?
         sign_up_completed_url
       else
@@ -82,5 +84,13 @@ def in_person_enrollment?
     def pending_profile?
       current_user.pending_profile?
     end
+
+    def device_profiling_failed?
+      return false unless IdentityConfig.store.proofing_device_profiling_decisioning_enabled
+      proofing_component = ProofingComponent.find_by(user: current_user)
+      # pass users who are inbetween feature flag being enabled and have not had a check run.
+      return false if proofing_component.threatmetrix_review_status.nil?
+      proofing_component.threatmetrix_review_status != 'pass'
+    end
   end
 end
diff --git a/spec/controllers/api/verify/password_confirm_controller_spec.rb b/spec/controllers/api/verify/password_confirm_controller_spec.rb
index 79141f15f41..6f5dea8e334 100644
--- a/spec/controllers/api/verify/password_confirm_controller_spec.rb
+++ b/spec/controllers/api/verify/password_confirm_controller_spec.rb
@@ -315,6 +315,35 @@ def stub_idv_session
         end
       end
 
+      context 'with device profiling decisioning enabled' do
+        before do
+          ProofingComponent.create(user: user, threatmetrix: true, threatmetrix_review_status: nil)
+          allow(IdentityConfig.store).
+            to receive(:proofing_device_profiling_decisioning_enabled).
+            and_return(true)
+        end
+
+        it 'redirects to come back later path when threatmetrix review status is nil' do
+          post :create, params: { password: password, user_bundle_token: jwt }
+
+          expect(JSON.parse(response.body)['completion_url']).to eq(account_url)
+        end
+
+        it 'redirects to account path when device profiling passes' do
+          ProofingComponent.find_by(user: user).update(threatmetrix_review_status: 'pass')
+          post :create, params: { password: password, user_bundle_token: jwt }
+
+          expect(JSON.parse(response.body)['completion_url']).to eq(account_url)
+        end
+
+        it 'redirects to come back later path when device profiling fails' do
+          ProofingComponent.find_by(user: user).update(threatmetrix_review_status: 'fail')
+          post :create, params: { password: password, user_bundle_token: jwt }
+
+          expect(JSON.parse(response.body)['completion_url']).to eq(idv_come_back_later_url)
+        end
+      end
+
       context 'with gpo_code returned from form submission and reveal gpo feature enabled' do
         let(:gpo_code) { SecureRandom.hex }
 
diff --git a/spec/controllers/idv/personal_key_controller_spec.rb b/spec/controllers/idv/personal_key_controller_spec.rb
index 6c8aafb4e2d..a6c7190f45d 100644
--- a/spec/controllers/idv/personal_key_controller_spec.rb
+++ b/spec/controllers/idv/personal_key_controller_spec.rb
@@ -204,5 +204,33 @@ def index
         expect(response).to redirect_to idv_in_person_ready_to_verify_url
       end
     end
+
+    context 'with device profiling decisioning enabled' do
+      before do
+        ProofingComponent.create(user: user, threatmetrix: true, threatmetrix_review_status: nil)
+        allow(IdentityConfig.store).
+          to receive(:proofing_device_profiling_decisioning_enabled).and_return(true)
+      end
+
+      it 'redirects to account path when threatmetrix review status is nil' do
+        patch :update
+
+        expect(response).to redirect_to account_path
+      end
+
+      it 'redirects to account path when device profiling passes' do
+        ProofingComponent.find_by(user: user).update(threatmetrix_review_status: 'pass')
+        patch :update
+
+        expect(response).to redirect_to account_path
+      end
+
+      it 'redirects to come back later path when device profiling fails' do
+        ProofingComponent.find_by(user: user).update(threatmetrix_review_status: 'fail')
+        patch :update
+
+        expect(response).to redirect_to idv_come_back_later_path
+      end
+    end
   end
 end