A core practice for most fraudsters is to try many attempts at payments. Many refusals in a row can indicate a fraud attack that is being detected by the issuing bank, but not blocked by the merchant. This check is aimed at identifying users whose rate of refusals fits the profile of a fraudster.
You can establish a threshold for both the number of refused transactions and the timeframe allowed. The default is 3 times over 7 days.
The risk check fired on the refused transactions after the set threshold (assuming that all the refusals occur consecutively with no authorizations breaking the chain). So, if you set a threshold of 3 in 7 days, it fires on the fourth consecutive refusal recorded in that 30-day period.