We have created a ORG to throw DENY after 10th attempt for User velocity but it won't honor the rule.
Release : 9.1
Risk Authentication ( Riskfort)
User is a mandatory parameter for the User Velocity to trigger and if that is not found then the rule will not trigger.
User velocity rule related information is maintained in the USERCONTEXTINFO column in ARRFUSERCONTEXT table. This table contains the user login information corresponding to the user so if for some reason the User information is not found the entries in this table can not be updated and User Velocity Rule will not trigger.
Please make sure the user exists if User Velocity Rue is enabled in your environment.