diff --git a/app/controllers/concerns/idv/threat_metrix_concern.rb b/app/controllers/concerns/idv/threat_metrix_concern.rb
index 7a264dcb04e..22de6ca98cd 100644
--- a/app/controllers/concerns/idv/threat_metrix_concern.rb
+++ b/app/controllers/concerns/idv/threat_metrix_concern.rb
@@ -6,7 +6,7 @@ module ThreatMetrixConcern
     THREAT_METRIX_WILDCARD_DOMAIN = '*.online-metrix.net'
 
     def override_csp_for_threat_metrix
-      return unless IdentityConfig.store.proofing_device_profiling_collecting_enabled
+      return unless FeatureManagement.proofing_device_profiling_collecting_enabled?
 
       return if params[:step] != 'ssn'
 
diff --git a/app/controllers/idv/gpo_verify_controller.rb b/app/controllers/idv/gpo_verify_controller.rb
index 6616c44f940..e42eafd9431 100644
--- a/app/controllers/idv/gpo_verify_controller.rb
+++ b/app/controllers/idv/gpo_verify_controller.rb
@@ -101,7 +101,7 @@ def confirm_verification_needed
     end
 
     def threatmetrix_enabled?
-      IdentityConfig.store.lexisnexis_threatmetrix_required_to_verify
+      FeatureManagement.proofing_device_profiling_decisioning_enabled?
     end
   end
 end
diff --git a/app/controllers/idv/personal_key_controller.rb b/app/controllers/idv/personal_key_controller.rb
index 580cd0ba3ee..0e251cbc5a8 100644
--- a/app/controllers/idv/personal_key_controller.rb
+++ b/app/controllers/idv/personal_key_controller.rb
@@ -88,11 +88,8 @@ def pending_profile?
     end
 
     def blocked_by_device_profiling?
-      return false unless IdentityConfig.store.lexisnexis_threatmetrix_required_to_verify
-      proofing_component = ProofingComponent.find_by(user: current_user)
-      # pass users who are inbetween feature flag being enabled and have not had a check run.
-      return false if proofing_component.threatmetrix_review_status.nil?
-      proofing_component.threatmetrix_review_status != 'pass'
+      !idv_session.profile.active &&
+        idv_session.profile.deactivation_reason == 'threatmetrix_review_pending'
     end
   end
 end
diff --git a/app/forms/gpo_verify_form.rb b/app/forms/gpo_verify_form.rb
index 70f080de79a..8b33bb18dec 100644
--- a/app/forms/gpo_verify_form.rb
+++ b/app/forms/gpo_verify_form.rb
@@ -81,7 +81,7 @@ def pending_in_person_enrollment?
   end
 
   def threatmetrix_enabled?
-    IdentityConfig.store.lexisnexis_threatmetrix_required_to_verify
+    FeatureManagement.proofing_device_profiling_decisioning_enabled?
   end
 
   def threatmetrix_check_failed?
diff --git a/app/jobs/resolution_proofing_job.rb b/app/jobs/resolution_proofing_job.rb
index 4e81098f6c5..23cc3b6334b 100644
--- a/app/jobs/resolution_proofing_job.rb
+++ b/app/jobs/resolution_proofing_job.rb
@@ -106,7 +106,7 @@ def proof_lexisnexis_ddp_with_threatmetrix_if_needed(
     request_ip:,
     timer:
   )
-    return unless IdentityConfig.store.lexisnexis_threatmetrix_enabled
+    return unless FeatureManagement.proofing_device_profiling_collecting_enabled?
 
     # The API call will fail without a session ID, so do not attempt to make
     # it to avoid leaking data when not required.
diff --git a/app/services/idv/session.rb b/app/services/idv/session.rb
index 506b5a675cf..4e5f9a396ff 100644
--- a/app/services/idv/session.rb
+++ b/app/services/idv/session.rb
@@ -171,11 +171,20 @@ def in_person_enrollment?
     end
 
     def threatmetrix_failed_and_needs_review?
-      return unless IdentityConfig.store.lexisnexis_threatmetrix_required_to_verify
-      return unless IdentityConfig.store.lexisnexis_threatmetrix_enabled
+      failed_and_needs_review = true
+      ok_no_review_needed = false
+
+      if !FeatureManagement.proofing_device_profiling_decisioning_enabled?
+        return ok_no_review_needed
+      end
+
       component = ProofingComponent.find_by(user: @current_user)
-      return true unless component
-      !(component.threatmetrix && component.threatmetrix_review_status == 'pass')
+
+      return ok_no_review_needed if !component.threatmetrix
+
+      return ok_no_review_needed if component.threatmetrix_review_status == 'pass'
+
+      return failed_and_needs_review
     end
   end
 end
diff --git a/app/views/idv/shared/_ssn.html.erb b/app/views/idv/shared/_ssn.html.erb
index 0bc2e473493..92ba4092df0 100644
--- a/app/views/idv/shared/_ssn.html.erb
+++ b/app/views/idv/shared/_ssn.html.erb
@@ -28,21 +28,19 @@ locals:
   <%= new_window_link_to(t('doc_auth.instructions.learn_more'), MarketingSite.security_and_privacy_practices_url) %>
 </p>
 
-<% if IdentityConfig.store.proofing_device_profiling_collecting_enabled %>
-  <% unless IdentityConfig.store.lexisnexis_threatmetrix_org_id.empty? %>
-    <% if threatmetrix_session_id.present? %>
-      <% threatmetrix_javascript_urls.each do |threatmetrix_javascript_url| %>
-        <%= javascript_include_tag threatmetrix_javascript_url, nonce: true %>
-      <% end %>
-      <noscript>
-        <%= content_tag(
-              :iframe,
-              '',
-              src: threatmetrix_iframe_url,
-              style: 'width: 100px; height: 100px; border: 0; position: absolute; top: -5000px;',
-            ) %>
-      </noscript>
+<% if FeatureManagement.proofing_device_profiling_collecting_enabled? %>
+  <% if threatmetrix_session_id.present? %>
+    <% threatmetrix_javascript_urls.each do |threatmetrix_javascript_url| %>
+      <%= javascript_include_tag threatmetrix_javascript_url, nonce: true %>
     <% end %>
+    <noscript>
+      <%= content_tag(
+            :iframe,
+            '',
+            src: threatmetrix_iframe_url,
+            style: 'width: 100px; height: 100px; border: 0; position: absolute; top: -5000px;',
+          ) %>
+    </noscript>
   <% end %>
 <% end %>
 
diff --git a/config/application.yml.default b/config/application.yml.default
index 2fb784129f9..3c1a439a8f8 100644
--- a/config/application.yml.default
+++ b/config/application.yml.default
@@ -173,15 +173,9 @@ lexisnexis_trueid_noliveness_cropping_workflow: customers.gsa2.trueid.workflow
 lexisnexis_trueid_noliveness_nocropping_workflow: customers.gsa2.trueid.workflow
 ###################################################################
 # LexisNexis DDP/ThreatMetrix #####################################
-lexisnexis_threatmetrix_api_key: test_api_key
-lexisnexis_threatmetrix_base_url: https://www.example.com
-lexisnexis_threatmetrix_org_id: test_account
-lexisnexis_threatmetrix_policy: test-policy
+lexisnexis_threatmetrix_mock_enabled: true
 lexisnexis_threatmetrix_support_code: ABCD
 lexisnexis_threatmetrix_timeout: 1.0
-lexisnexis_threatmetrix_enabled: false
-lexisnexis_threatmetrix_mock_enabled: true
-lexisnexis_threatmetrix_required_to_verify: false
 lexisnexis_threatmetrix_js_signing_cert: ''
 ###################################################################
 lockout_period_in_minutes: 10
@@ -234,7 +228,6 @@ piv_cac_verify_token_url: https://localhost:8443/
 platform_auth_set_up_enabled: false
 poll_rate_for_verify_in_seconds: 3
 proofer_mock_fallback: true
-proofing_device_profiling_collecting_enabled: true
 proof_address_max_attempts: 5
 proof_address_max_attempt_window_in_minutes: 360
 proof_ssn_max_attempts: 10
@@ -445,6 +438,7 @@ production:
   kantara_2fa_phone_restricted: false
   kantara_2fa_phone_existing_user_restriction: false
   kantara_restriction_enforcement_date: '2022-07-19'
+  lexisnexis_threatmetrix_mock_enabled: false
   logins_per_ip_limit: 20
   logins_per_ip_period: 20
   logins_per_ip_track_only_mode: true
diff --git a/lib/feature_management.rb b/lib/feature_management.rb
index 9e82e5dfca5..14df655716a 100644
--- a/lib/feature_management.rb
+++ b/lib/feature_management.rb
@@ -116,4 +116,41 @@ def self.voip_allowed_phones
       allowed_phones.map { |p| Phonelib.parse(p).e164 }.to_set
     end
   end
+
+  # Whether we collect device profiling information as part of the proofing process.
+  def self.proofing_device_profiling_collecting_enabled?
+    case IdentityConfig.store.proofing_device_profiling
+    when :enabled, :collect_only then true
+    when :disabled then false
+    # BEGIN temporary transitional fallback
+    when nil
+      if IdentityConfig.store.proofing_device_profiling_collecting_enabled.nil?
+        false
+      else
+        IdentityConfig.store.proofing_device_profiling_collecting_enabled
+      end
+    # END temporary transitional fallback
+    else
+      raise 'Invalid value for proofing_device_profiling'
+    end
+  end
+
+  # Whether we prevent users from proceeding with identity verification based on the outcomes of
+  # device profiling.
+  def self.proofing_device_profiling_decisioning_enabled?
+    case IdentityConfig.store.proofing_device_profiling
+    when :enabled then true
+    when :collect_only, :disabled then false
+    # BEGIN temporary transitional fallback
+    when nil
+      if IdentityConfig.store.lexisnexis_threatmetrix_required_to_verify.nil?
+        false
+      else
+        IdentityConfig.store.lexisnexis_threatmetrix_required_to_verify
+      end
+    # END temporary transitional fallback
+    else
+      raise 'Invalid value for proofing_device_profiling'
+    end
+  end
 end
diff --git a/lib/identity_config.rb b/lib/identity_config.rb
index fab027d7b62..f9a45d05628 100644
--- a/lib/identity_config.rb
+++ b/lib/identity_config.rb
@@ -60,7 +60,7 @@ def add(key, type: :string, allow_nil: false, enum: nil, options: {})
 
     converted_value = CONVERTERS.fetch(type).call(value, options: options) if !value.nil?
     raise "#{key} is required but is not present" if converted_value.nil? && !allow_nil
-    if enum && !enum.include?(converted_value)
+    if enum && !(enum.include?(converted_value) || (converted_value.nil? && allow_nil))
       raise "unexpected #{key}: #{value}, expected one of #{enum}"
     end
 
@@ -248,13 +248,13 @@ def self.build_store(config_map)
     config.add(:lexisnexis_trueid_noliveness_cropping_workflow, type: :string)
     config.add(:lexisnexis_trueid_noliveness_nocropping_workflow, type: :string)
     config.add(:lexisnexis_trueid_timeout, type: :float)
-    config.add(:lexisnexis_threatmetrix_api_key, type: :string)
-    config.add(:lexisnexis_threatmetrix_base_url, type: :string)
-    config.add(:lexisnexis_threatmetrix_enabled, type: :boolean)
+    config.add(:lexisnexis_threatmetrix_api_key, type: :string, allow_nil: true)
+    config.add(:lexisnexis_threatmetrix_base_url, type: :string, allow_nil: true)
+    config.add(:lexisnexis_threatmetrix_enabled, type: :boolean, allow_nil: true)
     config.add(:lexisnexis_threatmetrix_mock_enabled, type: :boolean)
-    config.add(:lexisnexis_threatmetrix_org_id, type: :string)
-    config.add(:lexisnexis_threatmetrix_policy, type: :string)
-    config.add(:lexisnexis_threatmetrix_required_to_verify, type: :boolean)
+    config.add(:lexisnexis_threatmetrix_org_id, type: :string,  allow_nil: true)
+    config.add(:lexisnexis_threatmetrix_policy, type: :string,  allow_nil: true)
+    config.add(:lexisnexis_threatmetrix_required_to_verify, type: :boolean, allow_nil: true)
     config.add(:lexisnexis_threatmetrix_support_code, type: :string)
     config.add(:lexisnexis_threatmetrix_timeout, type: :float)
     config.add(:lexisnexis_threatmetrix_js_signing_cert, type: :string)
@@ -323,7 +323,13 @@ def self.build_store(config_map)
     config.add(:platform_auth_set_up_enabled, type: :boolean)
     config.add(:poll_rate_for_verify_in_seconds, type: :integer)
     config.add(:proofer_mock_fallback, type: :boolean)
-    config.add(:proofing_device_profiling_collecting_enabled, type: :boolean)
+    config.add(
+      :proofing_device_profiling,
+      type: :symbol,
+      enum: [:disabled, :collect_only, :enabled],
+      allow_nil: true,
+    )
+    config.add(:proofing_device_profiling_collecting_enabled, type: :boolean, allow_nil: true)
     config.add(:proof_address_max_attempts, type: :integer)
     config.add(:proof_address_max_attempt_window_in_minutes, type: :integer)
     config.add(:proof_ssn_max_attempts, type: :integer)
diff --git a/spec/controllers/concerns/idv/threat_metrix_concern_spec.rb b/spec/controllers/concerns/idv/threat_metrix_concern_spec.rb
index a6ea567e454..e3b1f066f04 100644
--- a/spec/controllers/concerns/idv/threat_metrix_concern_spec.rb
+++ b/spec/controllers/concerns/idv/threat_metrix_concern_spec.rb
@@ -15,8 +15,8 @@ def index; end
     let(:ff_enabled) { true }
 
     before do
-      allow(IdentityConfig.store).to receive(:proofing_device_profiling_collecting_enabled).
-        and_return(ff_enabled)
+      allow(IdentityConfig.store).to receive(:proofing_device_profiling).
+        and_return(ff_enabled ? :enabled : :disabled)
     end
 
     context 'ff is set' do
diff --git a/spec/controllers/idv/gpo_verify_controller_spec.rb b/spec/controllers/idv/gpo_verify_controller_spec.rb
index fe6bfded679..b766190954d 100644
--- a/spec/controllers/idv/gpo_verify_controller_spec.rb
+++ b/spec/controllers/idv/gpo_verify_controller_spec.rb
@@ -30,10 +30,8 @@
     allow(decorated_user).to receive(:pending_profile_requires_verification?).
       and_return(has_pending_profile)
 
-    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).
-      and_return(threatmetrix_enabled)
-    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify).
-      and_return(threatmetrix_enabled)
+    allow(IdentityConfig.store).to receive(:proofing_device_profiling).
+      and_return(threatmetrix_enabled ? :enabled : :disabled)
   end
 
   describe '#index' do
diff --git a/spec/controllers/idv/personal_key_controller_spec.rb b/spec/controllers/idv/personal_key_controller_spec.rb
index 02a468d1b2c..4a26b0a066b 100644
--- a/spec/controllers/idv/personal_key_controller_spec.rb
+++ b/spec/controllers/idv/personal_key_controller_spec.rb
@@ -236,8 +236,7 @@ def index
     context 'with device profiling decisioning enabled' do
       before do
         ProofingComponent.create(user: user, threatmetrix: true, threatmetrix_review_status: nil)
-        allow(IdentityConfig.store).
-          to receive(:lexisnexis_threatmetrix_required_to_verify).and_return(true)
+        allow(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
       end
 
       context 'threatmetrix review status is nil' do
@@ -282,6 +281,7 @@ def index
       context 'device profiling fails' do
         before do
           ProofingComponent.find_by(user: user).update(threatmetrix_review_status: 'reject')
+          profile.active = false
           profile.deactivation_reason = :threatmetrix_review_pending
         end
 
diff --git a/spec/controllers/idv/review_controller_spec.rb b/spec/controllers/idv/review_controller_spec.rb
index 82d1289c759..710ee00625b 100644
--- a/spec/controllers/idv/review_controller_spec.rb
+++ b/spec/controllers/idv/review_controller_spec.rb
@@ -600,10 +600,7 @@ def show
               threatmetrix: true,
               threatmetrix_review_status: 'review',
             )
-            allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).
-              and_return(true)
-            allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify).
-              and_return(true)
+            allow(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
           end
 
           it 'creates a disabled profile' do
diff --git a/spec/features/idv/doc_auth/ssn_step_spec.rb b/spec/features/idv/doc_auth/ssn_step_spec.rb
index de50dac54e4..e249f80d6e3 100644
--- a/spec/features/idv/doc_auth/ssn_step_spec.rb
+++ b/spec/features/idv/doc_auth/ssn_step_spec.rb
@@ -6,6 +6,9 @@
   include DocCaptureHelper
 
   before do
+    allow(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
+    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('test_org')
+
     sign_in_and_2fa_user
     complete_doc_auth_steps_before_ssn_step
   end
diff --git a/spec/features/idv/in_person_spec.rb b/spec/features/idv/in_person_spec.rb
index 839b6cc7b2f..22ac2b005e6 100644
--- a/spec/features/idv/in_person_spec.rb
+++ b/spec/features/idv/in_person_spec.rb
@@ -14,9 +14,8 @@
     let(:user) { user_with_2fa }
 
     before do
-      allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).and_return(true)
-      allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify).
-        and_return(true)
+      allow(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
+      allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('test_org')
     end
 
     it 'allows the user to continue down the happy path', allow_browser_log: true do
diff --git a/spec/features/idv/steps/gpo_otp_verification_step_spec.rb b/spec/features/idv/steps/gpo_otp_verification_step_spec.rb
index 3839c2e690f..9c8d2ff00b8 100644
--- a/spec/features/idv/steps/gpo_otp_verification_step_spec.rb
+++ b/spec/features/idv/steps/gpo_otp_verification_step_spec.rb
@@ -24,24 +24,26 @@
   end
   let(:user) { profile.user }
   let(:threatmetrix_enabled) { false }
-  let(:threatmetrix_required_to_verify) { false }
   let(:threatmetrix_review_status) { nil }
   let(:redirect_after_verification) { nil }
   let(:profile_should_be_active) { true }
   let(:expected_deactivation_reason) { nil }
 
   before do
-    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).
-      and_return(threatmetrix_enabled)
-    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify).
-      and_return(threatmetrix_required_to_verify)
+    allow(IdentityConfig.store).to receive(:proofing_device_profiling).
+      and_return(threatmetrix_enabled ? :enabled : :disabled)
   end
 
   it_behaves_like 'gpo otp verification'
 
+  context 'ThreatMetrix disabled, but we have ThreatMetrix status on proofing component' do
+    let(:threatmetrix_enabled) { false }
+    let(:threatmetrix_review_status) { 'review' }
+    it_behaves_like 'gpo otp verification'
+  end
+
   context 'ThreatMetrix enabled' do
     let(:threatmetrix_enabled) { true }
-    let(:threatmetrix_required_to_verify) { true }
 
     context 'ThreatMetrix says "pass"' do
       let(:threatmetrix_review_status) { 'pass' }
@@ -68,16 +70,6 @@
       let(:threatmetrix_review_status) { nil }
       it_behaves_like 'gpo otp verification'
     end
-
-    context 'without verification requirement enabled creates active profile' do
-      let(:threatmetrix_required_to_verify) { false }
-
-      let(:threatmetrix_review_status) { 'review' }
-      let(:redirect_after_verification) { account_path } # TODO
-      let(:profile_should_be_active) { true }
-      let(:expected_deactivation_reason) { nil }
-      it_behaves_like 'gpo otp verification'
-    end
   end
 
   context 'with gpo feature disabled' do
diff --git a/spec/features/idv/threatmetrix_pending_spec.rb b/spec/features/idv/threatmetrix_pending_spec.rb
index 1ba1bbaccb5..d59fa5c1d13 100644
--- a/spec/features/idv/threatmetrix_pending_spec.rb
+++ b/spec/features/idv/threatmetrix_pending_spec.rb
@@ -4,9 +4,8 @@
   include IdvStepHelper
 
   before do
-    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).and_return(true)
-    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify).
-      and_return(true)
+    allow(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
+    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('test_org')
   end
 
   scenario 'users pending threatmetrix see sad face screen and cannot perform idv' do
diff --git a/spec/forms/gpo_verify_form_spec.rb b/spec/forms/gpo_verify_form_spec.rb
index fa8a6c79c23..df5348f6d73 100644
--- a/spec/forms/gpo_verify_form_spec.rb
+++ b/spec/forms/gpo_verify_form_spec.rb
@@ -159,10 +159,7 @@
         let(:threatmetrix_review_status) { 'reject' }
 
         before do
-          allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).
-            and_return(true)
-          allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify).
-            and_return(true)
+          allow(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
         end
 
         it 'returns true' do
@@ -184,8 +181,7 @@
 
         context 'threatmetrix is not required for verification' do
           before do
-            allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify).
-              and_return(false)
+            allow(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:disabled)
           end
 
           it 'returns true' do
diff --git a/spec/jobs/resolution_proofing_job_spec.rb b/spec/jobs/resolution_proofing_job_spec.rb
index f43a5898527..90a4f9a26a3 100644
--- a/spec/jobs/resolution_proofing_job_spec.rb
+++ b/spec/jobs/resolution_proofing_job_spec.rb
@@ -106,8 +106,7 @@
           to_return(body: AamvaFixtures.verification_response)
 
         allow(IdentityConfig.store).to receive(:proofer_mock_fallback).and_return(false)
-        allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).
-          and_return(true)
+        allow(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
 
         allow(IdentityConfig.store).to receive(:lexisnexis_account_id).and_return('abc123')
         allow(IdentityConfig.store).to receive(:lexisnexis_request_mode).and_return('aaa')
@@ -299,8 +298,7 @@
         allow(instance).to receive(:resolution_proofer).and_return(resolution_proofer)
         allow(instance).to receive(:state_id_proofer).and_return(state_id_proofer)
         allow(instance).to receive(:lexisnexis_ddp_proofer).and_return(ddp_proofer)
-        allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).
-          and_return(true)
+        allow(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
         stub_request(:post, 'https://example.com/api/session-query').
           with(
             body: hash_including('api_key' => 'test_api_key'),
diff --git a/spec/jobs/threat_metrix_js_verification_job_spec.rb b/spec/jobs/threat_metrix_js_verification_job_spec.rb
index 473d7aac72f..5390285ef46 100644
--- a/spec/jobs/threat_metrix_js_verification_job_spec.rb
+++ b/spec/jobs/threat_metrix_js_verification_job_spec.rb
@@ -1,7 +1,7 @@
 require 'rails_helper'
 
 RSpec.describe ThreatMetrixJsVerificationJob, type: :job do
-  let(:proofing_device_profiling_collecting_enabled) { true }
+  let(:threatmetrix_enabled) { true }
   let(:threatmetrix_org_id) { 'ABCD1234' }
   let(:threatmetrix_session_id) { 'some-session-id' }
 
@@ -68,8 +68,8 @@
         and_return(threatmetrix_org_id)
       allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_js_signing_cert).
         and_return(threatmetrix_signing_certificate)
-      allow(IdentityConfig.store).to receive(:proofing_device_profiling_collecting_enabled).
-        and_return(proofing_device_profiling_collecting_enabled)
+      allow(IdentityConfig.store).to receive(:proofing_device_profiling).
+        and_return(threatmetrix_enabled ? :collect_only : :disabled)
 
       stub_request(:get, "https://h.online-metrix.net/fp/tags.js?org_id=#{threatmetrix_org_id}&session_id=#{threatmetrix_session_id}").
         to_return(
diff --git a/spec/lib/feature_management_spec.rb b/spec/lib/feature_management_spec.rb
index bca45183128..03623eb4d56 100644
--- a/spec/lib/feature_management_spec.rb
+++ b/spec/lib/feature_management_spec.rb
@@ -366,4 +366,60 @@
       expect(FeatureManagement.voip_allowed_phones).to eq(Set['+18885551234', '+18888675309'])
     end
   end
+
+  describe '#proofing_device_profiling_collecting_enabled?' do
+    it 'returns false for disabled' do
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:disabled)
+      expect(FeatureManagement.proofing_device_profiling_collecting_enabled?).to eq(false)
+    end
+    it 'returns true for collect_only' do
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:collect_only)
+      expect(FeatureManagement.proofing_device_profiling_collecting_enabled?).to eq(true)
+    end
+    it 'returns true for enabled' do
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
+      expect(FeatureManagement.proofing_device_profiling_collecting_enabled?).to eq(true)
+    end
+    it 'falls back to legacy config if needed' do
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(nil)
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling_collecting_enabled).
+        twice.
+        and_return(true)
+      expect(FeatureManagement.proofing_device_profiling_collecting_enabled?).to eq(true)
+    end
+    it 'defaults to false' do
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(nil)
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling_collecting_enabled).
+        and_return(nil)
+      expect(FeatureManagement.proofing_device_profiling_collecting_enabled?).to eq(false)
+    end
+  end
+
+  describe '#proofing_device_profiling_decisioning_enabled?' do
+    it 'returns false for disabled' do
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:disabled)
+      expect(FeatureManagement.proofing_device_profiling_decisioning_enabled?).to eq(false)
+    end
+    it 'returns false for collect_only' do
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:collect_only)
+      expect(FeatureManagement.proofing_device_profiling_decisioning_enabled?).to eq(false)
+    end
+    it 'returns true for enabled' do
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
+      expect(FeatureManagement.proofing_device_profiling_decisioning_enabled?).to eq(true)
+    end
+    it 'falls back to legacy config' do
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(nil)
+      expect(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify).
+        twice.
+        and_return(true)
+      expect(FeatureManagement.proofing_device_profiling_decisioning_enabled?).to eq(true)
+    end
+    it 'defaults to false' do
+      expect(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(nil)
+      expect(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify).
+        and_return(nil)
+      expect(FeatureManagement.proofing_device_profiling_decisioning_enabled?).to eq(false)
+    end
+  end
 end
diff --git a/spec/services/idv/steps/verify_wait_step_show_spec.rb b/spec/services/idv/steps/verify_wait_step_show_spec.rb
index fd515c62916..50131a64948 100644
--- a/spec/services/idv/steps/verify_wait_step_show_spec.rb
+++ b/spec/services/idv/steps/verify_wait_step_show_spec.rb
@@ -75,9 +75,7 @@
     end
 
     it 'adds costs' do
-      allow(IdentityConfig.store).to receive(:proofing_device_profiling_collecting_enabled).
-        and_return(true)
-      allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).and_return(true)
+      allow(IdentityConfig.store).to receive(:proofing_device_profiling).and_return(:enabled)
 
       step.call
 
diff --git a/spec/services/proofing/lexis_nexis/ddp/verification_request_spec.rb b/spec/services/proofing/lexis_nexis/ddp/verification_request_spec.rb
index a34818f893e..d44daf1b058 100644
--- a/spec/services/proofing/lexis_nexis/ddp/verification_request_spec.rb
+++ b/spec/services/proofing/lexis_nexis/ddp/verification_request_spec.rb
@@ -28,6 +28,11 @@
     described_class.new(applicant: applicant, config: LexisNexisFixtures.example_ddp_config)
   end
 
+  before do
+    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_policy).
+      and_return('test-policy')
+  end
+
   describe '#body' do
     it 'returns a properly formed request body' do
       expect(subject.body).to eq(LexisNexisFixtures.ddp_request_json)
diff --git a/spec/views/idv/shared/_ssn.html.erb_spec.rb b/spec/views/idv/shared/_ssn.html.erb_spec.rb
index 25829b40b13..112e5af8ba9 100644
--- a/spec/views/idv/shared/_ssn.html.erb_spec.rb
+++ b/spec/views/idv/shared/_ssn.html.erb_spec.rb
@@ -3,7 +3,7 @@
 describe 'idv/shared/_ssn.html.erb' do
   include Devise::Test::ControllerHelpers
 
-  let(:proofing_device_profiling_collecting_enabled) { nil }
+  let(:threatmetrix_enabled) { nil }
   let(:lexisnexis_threatmetrix_org_id) { 'test_org_id' }
   let(:session_id) { 'ABCD-1234' }
   let(:updating_ssn) { false }
@@ -20,9 +20,8 @@
   before :each do
     allow(view).to receive(:url_for).and_return('https://example.com/')
 
-    allow(IdentityConfig.store).
-      to receive(:proofing_device_profiling_collecting_enabled).
-      and_return(proofing_device_profiling_collecting_enabled)
+    allow(IdentityConfig.store).to receive(:proofing_device_profiling).
+      and_return(threatmetrix_enabled ? :enabled : :disabled)
     allow(IdentityConfig.store).
       to receive(:lexisnexis_threatmetrix_org_id).and_return(lexisnexis_threatmetrix_org_id)
 
@@ -37,49 +36,36 @@
   end
 
   context 'when threatmetrix collection enabled' do
-    let(:proofing_device_profiling_collecting_enabled) { true }
-
-    context 'and org id specified' do
-      context 'and entering ssn for the first time' do
-        describe '<script> tag' do
-          it 'is rendered' do
-            expect_script_tag_rendered
-          end
-        end
+    let(:threatmetrix_enabled) { true }
 
-        describe '<noscript> tag' do
-          it 'is rendered' do
-            expect_noscript_tag_rendered
-          end
+    context 'and entering ssn for the first time' do
+      describe '<script> tag' do
+        it 'is rendered' do
+          expect_script_tag_rendered
         end
+      end
 
-        context 'session id not specified' do
-          let(:session_id) { nil }
-
-          it 'does not render <script> tag' do
-            expect_script_tag_not_rendered
-          end
-          it 'does not render <noscript> tag' do
-            expect_noscript_tag_not_rendered
-          end
+      describe '<noscript> tag' do
+        it 'is rendered' do
+          expect_noscript_tag_rendered
         end
       end
-    end
 
-    context 'org id not specified' do
-      let(:lexisnexis_threatmetrix_org_id) { '' }
+      context 'session id not specified' do
+        let(:session_id) { nil }
 
-      it 'does not render <script> tag' do
-        expect_script_tag_not_rendered
-      end
-      it 'does not render <noscript> tag' do
-        expect_noscript_tag_not_rendered
+        it 'does not render <script> tag' do
+          expect_script_tag_not_rendered
+        end
+        it 'does not render <noscript> tag' do
+          expect_noscript_tag_not_rendered
+        end
       end
     end
   end
 
   context 'threatmetrix collection disabled' do
-    let(:proofing_device_profiling_collecting_enabled) { false }
+    let(:threatmetrix_enabled) { false }
 
     it 'does not render <script> tag' do
       expect_script_tag_not_rendered