Fintech 🧠 Food - Jan 24th - CapOne fined, Transferwise to IPO, Monzo CEO departs & why cash app is THE fintech case study

Hey everyone 👋, thanks so much for coming back for more brainfood. A space to learn in public and hopefully process everything happening in fintech.

This week I got all ranty about AML, excited about the India stack (as you should be too), and gave some thoughts on Tom leaving Monzo.

Thanks to the 138 people who signed up in the past week for this free newsletter.

If you haven't joined yet, you can subscribe right here 👇

We also have a ton more content over at the 11:FS Youtube 

PS. If you're in growth equity or know someone who is, please send them this way. Have something exciting to share from team 11 :)

Weekly Rant 📣

AML is the world’s most ineffective policy experiment. Imagine if you have a car that didn’t work 99.9% of the time. That would be annoying right?

It’s a bit more complex than that, but still, the failures keep coming.

This week Capital One was fined $390m for AML failures described as egregious, as well as willful and negligent violations of the bank secrecy act.  

Capital One allowed checks to be cashed by known criminals causing millions of dollars of tax evasion, fraud, and organized crime proceeds to be legitimized. Capital One has since closed this unit and taken steps to ensure procedures are followed.

But I'm viscerally angered by this. Not because a bank willfully allowed a crime. But because the solution is to file a suspicious activity report (SAR). This is the regulator's answer to everything. File a report. The banks can prevent transactions or close accounts, but the one thing the regulator insists on is that a report gets filed.

Let's unpack this a bit.

KYC (Know Your Customer) and AML (Anti Money Laundering) are complex terms. They're essentially catch-all procedures designed to prevent all kinds of horrors - from global arms dealing and terrorism to human trafficking and modern slavery.

KYC requires each bank to identify who their customer is with evidence (like your passport or social security number). Hence "know your customer". The bank must then follow a series of Customer Due Diligence (CDD) - and sometimes Enhanced Due Diligence - checks. The bank must also check that the person isn't on a sanctions list (e.g., they're not considered a danger by the USA or EU).

How it's supposed to work

What's vital to remember here is that banks are responsible for preventing, detecting, and reporting crime. Banks are, in effect, the "money police."

So in a perfect world, when a known criminal tries to open an account, the banks KYC and CDD would spot the criminal and either refuse them the account or report all of the transactions that the criminal did. The report (SAR) should then be followed up by law enforcement, leading to asset freezes, arrests, and potentially even prison. But do you want to know the dirty secret of AML?

Data for why AML is the world’s most ineffective policy experiment.

This week I had an opportunity to properly deep dive into this work by Ronald F Pol. It finds that AML policy has less than a 0.1 impact on criminal finances. Compliance costs exceed recovered illicit funds recovered more than 100x. Banks, taxpayers, and citizens are penalized more than criminals.  Policymakers keep blaming banks and hitting them with massive fines hoping to fix the problem, but it doesn't.

Imagine if you had a car that didn't work 99.9% of the time.

Annually anywhere between 3 to 5% of global GDP is estimated to be the proceeds of crime. Yet policymakers globally almost refuse to admit any policy failure. Instead, the "war on AML" continues, willfully and negligently. 

There is much we could do with Regtech.

If you look at AML as a data science problem, then we have two things to fix

1. Data Quality

2. Privacy

1. The Data Quality Problem

Consider someone who opened a bank account in the 1970s. Someone at a bank branch likely looked at the passport and was unable to take a copy. That customer could well continue to be using that account to this day. Today it is more usual for the digital account opening to be a thing. But the system is so interlinked. Having some customers with recent digital identity credentials isn't enough.

For example: If Bank A has perfect data about its customer, but Bank B's customer opened their account in the 1970s, Bank A has no way of knowing what happens inside Bank B. The regulator receives a report from Bank A and Bank B, but the data doesn't match.

The regulator is like the man with two clocks; he can't tell the time.

The regulator and law enforcement are also public servants with limited resources. They're as good as the data they're given, and the "regulatory reporting" bit of bank infrastructure is the last bit any bank wants to touch because if they get it wrong, they might get fined.

Policymakers have created an environment where the private sector has all of the responsibility but very few tools.  Imagine if we started having a data quality conversation instead of having a "compliance" conversation.

There are now good initiatives (like IIN from JP Morgan and GPI from SWIFT) from the private sector. There are many innovative regulators running hackathons in regtech around the edges. There are reasons for hope.

But what about policymakers? At the very top? They're still Yellin' at crypto. Secretary of the Treasury nominee Janet Yellen believes of cryptoassets "many are used—at least in a transactions sense—mainly for illicit financing." Despite the old finance world suffering nearly 5% of GDP as criminal activity, Bitcoin has closer to 0.5%.

2. The Privacy Problem

KYC relies on sharing your real identity with a bank or institution. If your real identity is a criminal, presto, we caught a bad one!

The problem with criminals is they tend not to walk into a branch with their real criminal identity. They tend to obfuscate that.

But you and me? We have to share our underlying personal data to use the system. Meaning the mass collection of personal data can be collected and then miss-handled by institutions with aging technology. Then, centralized at a credit rating agency like Equifax to have an almighty personal data breach.

The whole system penalizes you and me much more than the criminals.  AML policy is so broken it's on my list of things that should be the headline of the news every day.

What's worse is privacy-preserving technologies not only exist, they're effective. End to end encryption has been around since the invention of PKI in the mid-1970s. Consumers can attest their identity without sharing underlying documents as evidence in Norway, Holland, and India.

Yet policymakers often attack privacy-preserving technology the most. Whether it's trying to bring down end to end encryption in chat apps, require paper-based AML for crypto-currency for fear of what criminals could do.

But here's the crazy thing.  Quietly, law enforcement LOVES Bitcoin. There's a global record of every transaction ever that is completely tamper-proof. It's so transparent; it's a bit of a privacy worry in its own right. If you ever reveal yourself on Bitcoin, you could be "financially stalked" every time you interact with that Bitcoin wallet. Crypto data analysis firms like Elliptic and Chainalysis have shown that you can very effectively detect and report criminal activity if you have better data quality.

Additionally, the open-source crypto community builds several privacy-preserving identity solutions (click here if you want to go down the self-sovereign identity rabbit hole).

Now here's a crazy idea.

What if, instead of trying to prevent privacy policymakers

1. Admit paper-based KYC, and AML is broken

2. Work with the open-source world of crypto, not against it

When the UK introduced a new way to get banking licenses, a generation of entrepreneurs saw an opportunity and unleashed a fintech innovation wave.

Small policy changes can create massive differences.

Let's do better.

Do you like me, struggle to keep up with everything happening in Fintech? Fortunately, Nik Milanovic does the best and most succinct weekly roundup. Including:

• Goldman’s partnership with GM

• ByteDance launching payments on China’s Tiktok

• All the fundings, financings, and SPAC news there is!

And much more on This week in Fintech

4 Fintechs 💸

Belvo - Account, Payroll, and Accounts APIs for LATAM

• It's tempting to call Belvo "Plaid for LATAM," but the reality is they do quite a bit more. Pull tax returns, accounts data, and invoice data. Ideal if you're building for the gig economy where an individual has their personal and business life as one. Belvo's site is clean, their API documentation incredibly accessible (even to a postman warrior like me). They've raised $10m to date and look well placed to benefit from the rise of LATAM fintech.

Dapi - Plaid for payments (USA)

• Account to Account payments feels like the real killer feature of open banking. Dapi has built an API to allow merchants to accept payments from a consumer's bank account via API. In Europe, this Payment Initiation Service Provider (PSIP) model is slowly gaining traction with companies like Vyne. It feels inevitable this "new rail as an abstraction above the account" will come. Now, what happens if Plaid acquired Dapi? Or Stripe acquired Fast.co and Dapi? E-commerce is still 1% done.

Volopay - Brex for Singapore

• Startup spend management is hard. Everyone is trying to fix it. Ramp, Brex, Cledera, and many more are making inroads across the Atlantic, but Volopay is bringing that across the rapidly expanding SEA startup sector. Volopay integrated with Airwallex, the low key Stripe / Currencycloud API player that's quietly massive to get moving quickly. Volopay's next stop is Australia, which has had a bit of a stop-start relationship with challenger banks lately, but SME accounts could be the key there. Volopay just raised their 2.1m seed.

Ophelos - Compassionate debt collections (UK)

• Debt collection has been a part of finance that has such a massive impact on society and borrowers' wellbeing. Ophelos focuses on helping people get out of debt and how they can help. Similarly, the US has Trueaccord, which takes an enlightened approach to collections and sees it less as an operational function and more of a responsibility. Compassion = less bad debt losses = good for business and society. I love this trend of taking the "target operating model" of a bank, deconstructing all of the bits they didn't see as a differentiator, and doing it well—Fintech, the patchwork of specialists.

Things to know 👀

1. Monzo founder Tom Blomfield is departing Monzo

• Monzo founder and former CEO Tom Blomfield, an in interview with Techcrunch, admits he had been unhappy over the past couple of years as the company scaled beyond being a scrappy startup.  The media narrative on Monzo has been sour, but they continue to grow weekly revenue, and it's now 30% higher than pre-pandemic, with 5 million customers.

• 🤔 My Analysis: Tom is refreshingly candid as always here, talking of mental health challenges and struggling openly. I've had the fortune of interviewing Tom several times for Fintech Insider (including this masterclass on product). He's always generous with knowledge of how Monzo built the first bank that its customers adore.  Last week, the UK regulator published its consumer survey of banks and found Monzo remains the undisputed king of customer service. That's Tom's legacy. If the new leadership can sort out revenue, Monzo will be around for a long time.

• 🤔 My Analysis: Getting a license is hard; keeping it is harder. Monzo is subject to stringent oversight with its license and has struggled to match competitors' product velocity.

• 🤔 My Analysis: This leads me to a hypothesis: There are two ways to make money in fintech, be a bank on purpose, or be a non-bank that embeds finance on purpose.  Halfway between being a bank and a consumer PFM app is a hard place to be. If you have a license, monetize via lending and your platform. If you don't have a license, embed finance and solve broader problems and customer jobs.

2. Transferwise is heading for IPO

• Analysts are expecting a $5bn valuation for Transferwise at IPO. Transferwise has quietly become an international payments giant less than a decade after it was founded. It has been widely reported UK Prime Minister Boris Johnson had worked to persuade transferwise in the UK rather than US markets. Transferwise is adding investments alongside its international payments service, but has no plans to become a fully-fledged bank.

• 🤔 My Analysis: Transferwise is such a quiet success story. An example of a fintech choosing not to become a bank but solves a problem customers have with banking.

• 🤔 My Analysis: Transferwise has built an effective international payment and FX business, with all of the interbank relationships this requires. This is also a specialty of Revolut. It will be interesting to watch that battle play out in the coming decade.

3. Plaid incubator for BIPOC

• Plaid's new incubator is looking to accept three to five post-seed / pre Series B startups with a beta product. The startup should operate in fintech and focus on consumer or business finance data. Startups will get mentorship from Plaid leaders and a three-day virtual Bootcamp. The announcement follows rumors of Plaid secondary market shares trading for upwards of $15bn valuations since the Visa split.

• 🤔 My Analysis: I'm so here for this. Shopify in October committed to creating one million black-owned businesses, and both of these are examples of using the tools the company already has for inclusion. But this isn't charity. As our good friend John Hope Bryant says, it's a hand up, not a handout.  The entrepreneur still has to do the work, and the platform always absolutely benefits from growth. Do better by doing good.

Good Reads 📚

1. The internet country

• This is a playbook for creating economic primitives for a nation-state. It is simply staggering. The essay introduces the concept of "economic primitives" like digital identity, payments, and data. What if consumers had more control over all three? What if businesses did? Shouldn't these be public goods rather than locked inside walled gardens?

• Aadhaar, the identity program, elegantly ties some facts about you (your name, date of birth, phone number) to some unique features biometrically. Users can then e-auth public and private sector services with their Aadhar number and SMS two-factor authentication.

•  UPI is the real-time payments infrastructure introduced in 2016. It is now the 5th largest payment network in the world, which at its core is a payments markup language. It has a shared standard for addressable names (a bit like hashtags) that work across fintech apps (e.g., Nikhil@upi).

• For Data iSPIRIT proposed DEPA (excellent naming 😂) is the Data Empowerment and Protection Architecture. Implied is individuals and businesses own their data and get to choose how to protect it and use it for their gain.  Indians will have the right to know what data is stored about them, have it erased, the right to be forgotten, and port it anywhere they like. (ST: It's like if GDPR had an API and a standard).  It has yet to happen, but this is so well thought-through it's staggering.

• 🤔 My Analysis: China is now trying to retroactively introduce some of UPI's utility into its payments systems through DCEP.  China perhaps sees the risk of vendor lock-in to Ali / Tencent, where India can maintain interoperability with the intentional development of standards.

• 🤔 My Analysis: The USA is debating FedNOW real-time payments infrastructures, like Square, Venmo, and Zelle "battle" for the default payments rail. What if, instead, they had a UPI like interface standard? How would we build an iSPIRIT for the USA or the UK? What if Wharton fintech, MIT fintech, and Beondeck got together with some VCs?

• 🤔 My Analysis: Imagine the regtech possibilities for preventing AML if we had a proper digital identity in the west.  If I were building a new city-state somewhere, India would be my primary case study. There is so much to learn.

• 🤔 My Analysis: Long India.

2. Cashapp is King - A deep dive into Cashapp unit economics

• CashApp built a peer-to-peer product so great that people brought their entire networks to it. They then reinforce growth with innovative acquisition strategies (e.g., Bitcoin) at scale and cheaply. Then Square layers on adjacent products in ways that enhance user utility.

• Cashapp ARPU is estimated to be $45, with acquisition costs as low as $5. Customers who adopt Cash Card bring in 3x more revenue (with ARPU closer to $120).  CashApp sees margins over 70% on all revenue lines except for Bitcoin transactions. Cashapp is a story of exceptional execution, but the long term concern may be a relatively low 40% monthly active user rate (ST: although this would benchmark in line with most banks).

• 🤔 My Analysis: Compare these economics to a traditional bank, where CAC is in the $200 region, and the path to profit is to cross-sell lending. CashApp is already wildly profitable, and it's just about to get its lending game going.

• 🤔 My Analysis: Aika points to the possibility of building an ecosystem of buyers/sellers. Square has a network of small merchants and Cashapp users that seems ripe for a two-sided marketplace. The flywheel might just be starting.

Akia is a fantastic writer.

Tweets of the week 🕊

That’s all folks 👋