Fintech 🧠 Food - March 13th 2022 - Fintech's dirty little secret, Sberbank on UnionPay, and Interchange Fee rise coming
Hey everyone 👋, thanks for coming back to Brainfood, where I take the week's biggest events and try to get under the skin of what's happening in Fintech. If you're reading this and haven't signed up, join the 12,058 others by clicking below, and to the regular readers, thank you. 🙏
Hey Fintech Nerds 👋. Hope you're finding your way through the world this week. I'm grateful to MX for a wonderful event in Utah, where I spoke about the future of open finance. The theme of the keynote I gave was that America may not have "Open Banking," but it has something better; "Open Finance." What is Open Finance?
The answer to that is coming in a future rant.
Speaking of future rants, I have to cover the Biden Executive Order on Crypto next week. The Crypto markets seemed absolutely convinced the government was coming for their Crypto, and draconian measures were coming. Yet the report is quite balanced and doesn't have a single policy recommendation.
For me, this speaks to how cynical the Crypto world is about the government and, at the same time, how effective the Crypto lobby is becoming (especially folks like Global Blockchain Business Council). Crypto has risks like volatility, wash trading, and scams, but the government recognizes it's a potential opportunity for financial inclusion and the competitiveness of the US globally.
Crypto won't be banned. Crypto needs thoughtful policy, and the US will take its time to get it right. Meanwhile, the private sector will continue to innovate. If that's not a fantastic result, nothing is.
Weekly Rant 📣
Fintech's dirty little secret; Fraud.
Fraud is quietly the biggest issue facing consumer Fintech. Fraud volumes, especially during the pandemic, absolutely skyrocketed (by as much as 70%), and real-time payments are leaving consumers with no recourse if they get scammed. We need to get better as an industry.
It's an unfortunate rite of passage that every company that launches a card or new Neobank is quickly hit by significant fraud volumes. Fraudsters know a new card product is vulnerable and will not yet have sophisticated controls behind the scenes.
Larger Fintech companies that do implement traditional fraud controls see horrible UX and user churn, so may be tempted to prioritize UX vs blocking transactions. This leads to higher fraud rates with Fintech products.
And let’s not let the banks off the hook here either, we saw just this week that Zelle fraud is absolutely massive, and banks are leaving consumers with massive losses and no support.
Small start-up, scale-up, or incumbent bank.
Everyone shares this problem.
And we have to tackle this collectively.
So let’s look at the types of attack a fraudster will make, and unpack fraud risk from first principles to see if there’s anything we as an industry can do about it.
Example fraud techniques.
With card products fraudsters will try several techniques like:
Account opening fraud: This is, as it sounds, opening an account either with a fake identity or using someone else's real-world identity.
Card testing: Trying small transactions across several online websites or in-person to see if the transactions go through. This behavior is rarely seen in consumers (how often do you scour the internet for random, very low-value items?)
Card present fraud: A fraudster uses a lost, stolen, or improperly opened account to purchase items at a physical store.
Card not present fraud: A fraudster uses a lost, stolen, or improperly opened account to purchase items at an online store.
(there are many more, but let's work with these for now)
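Card testing has a recognisable shape in transaction data, so here is a sketch of a detector for it. This is an added example, not code from this newsletter or any vendor; the thresholds, field names and sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds for illustration; a real issuer tunes these on its own data.
WINDOW = timedelta(minutes=10)
SMALL_AMOUNT = 5.00   # ceiling for a "small" transaction
MIN_MERCHANTS = 4     # distinct merchants seen inside WINDOW


@dataclass(frozen=True)
class Txn:
    ts: datetime
    card: str       # tokenised card reference, never a real card number
    merchant: str
    amount: float
    approved: bool  # declines count too: a probe that fails is still a probe


def detect_card_testing(txns):
    """Return {card: timestamp at which the card-testing rule first fired}."""
    recent = defaultdict(deque)  # card -> small-value txns still inside WINDOW
    alerts = {}
    for t in sorted(txns, key=lambda x: x.ts):
        if t.amount > SMALL_AMOUNT:
            continue             # normal-sized purchases are not probes
        q = recent[t.card]
        q.append(t)
        while t.ts - q[0].ts > WINDOW:
            q.popleft()          # slide the window forward
        if t.card not in alerts and len({x.merchant for x in q}) >= MIN_MERCHANTS:
            alerts[t.card] = t.ts
    return alerts


def _at(minutes):
    return datetime(2022, 3, 13, 9, 0) + timedelta(minutes=minutes)


# Constructed sample data: tok_A is probed across five shops in four minutes,
# tok_B is an ordinary customer, tok_C makes small purchases hours apart.
SAMPLE_TXNS = [
    Txn(_at(0), "tok_A", "shop-1", 1.00, False),
    Txn(_at(1), "tok_A", "shop-2", 1.00, False),
    Txn(_at(2), "tok_A", "shop-3", 0.99, True),
    Txn(_at(3), "tok_A", "shop-4", 1.50, True),
    Txn(_at(4), "tok_A", "shop-5", 2.00, True),
    Txn(_at(0), "tok_B", "coffee", 3.50, True),
    Txn(_at(5), "tok_B", "grocer", 42.00, True),
    Txn(_at(9), "tok_B", "coffee", 3.50, True),
    Txn(_at(0), "tok_C", "shop-1", 1.00, True),
    Txn(_at(40), "tok_C", "shop-2", 1.00, True),
    Txn(_at(80), "tok_C", "shop-3", 1.00, True),
    Txn(_at(120), "tok_C", "shop-4", 1.00, True),
]

if __name__ == "__main__":
    for card, ts in detect_card_testing(SAMPLE_TXNS).items():
        print(f"{card}: possible card testing at {ts:%H:%M}")
```

Only the card probed across many merchants in a short window is flagged; the coffee-and-groceries customer and the slow small spender pass untouched, which is the false-positive side of the same rule.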
Not all fraud risks are created equal.
For example, "Card not present fraud" is a much higher risk than card present.
In-store, the presence of the physical card is the second factor of authentication. What is a factor of authentication? Glad you asked.
The factors of authentication.
On my first day working for TSYS (a card issuer processor) in 2009 in the UK, I got a visit from the office Infosec guy, Ben. Ben had two things he did with everyone. First, if they ever left their PC unlocked and unattended, he'd open an email to the CEO, type "I resign" in the subject header, and leave the mouse cursor over the send button. He'd then watch for your return and gently haze you about the need to always lock your PC when moving from your desk.
(To this day, I always lock my laptop by habit).
Second, Ben would then talk about the factors of authentication.
Something you know (like a password)
Something you are (like biometrics)
Something you have (like a debit card)
Single-factor authentication is the use of any one of the above. Logging into a website with a username and password is a relatively low-security approach. Consequently, if you've stored your card information at a retailer like Amazon and a fraudster compromised your password, there's a high risk of fraud.
Two-factor authentication is when you combine two of the above. The obvious example would be a debit card + PIN. When you make a transaction in-store, you have to physically have the card and enter the PIN for the transaction to complete. Two-factor authentication could also include something you have (e.g., your mobile phone and your fingerprint, or your mobile phone plus a one-time PIN code).
Multi-factor authentication combines any of the above and even additional data. The fantastic thing about digital is how much data is available in real-time. When someone transacts in store, specialist providers may check if the mobile phone associated with the account is in the same geolocation as the merchant transaction.
So coming back to "card not present fraud," we essentially have higher-risk transactions whenever e-commerce is involved. Most e-commerce transactions just require the card number, expiry, and CVV (3 digit code).
This single factor can easily be stolen (in fact, stolen card details cost about $150 to buy on the dark web).
RTP and P2P payments increase the risk further
This week the NY Times published a massive Op-Ed piece about consumer Fraud on the bank P2P payment transfer service Zelle. Zelle is a P2P payment service founded by the banks in 2017 that allows customers to send money to other people. Last year customers sent more than $490bn through Zelle, which is embedded directly in mobile apps from banks like Wells Fargo or Chase.
The piece tells the story of a Wells customer defrauded of more than $500 and not refunded because "his phone had authorized the transaction." By stealing the device, the fraudsters can send money anywhere they please because the primary type of security is to send a one-time code to the device. In other words, by stealing a single factor (something you have), the fraudster can move as much money as they like.
Last year 18 million Americans were scammed through digital wallets and person-to-person payment apps. Fraudsters also love payment options like Zelle because the transfer is real-time. Without the one or two-day delay in ACH or Wire transfers, the fraudster has the money immediately without time for the bank to retrieve it or get it back.
We saw the same in the UK when real-time payments were introduced in July 2009, and through the 2010s, "faster payments" became the primary method of P2P payments via online and mobile banking. In the UK, pensioners are particularly vulnerable to this type of fraud, with examples of people being tricked into sending their entire pension fund to what they thought was their retirement fund only to lose it. People in their mid-70s were losing upwards of $100,000 with no support from their bank. (We'll come back to how the UK has begun to address this issue later)
Fraud prevention has often been seen as a cost of doing business.
For start-ups: Very few entrepreneurs or founders set up a Neobank specifically to prevent fraud. Fraud happens along the way and isn't always visible at first. Especially in the age of Banking-as-a-Service, fraud risk may initially be managed by the BaaS provider or partner to help the Fintech company (or product) focus on scale.
For scale-ups: In larger Fintech companies, the fraud teams tend to be more sophisticated, but ultimately, a drag on business and UX.
At one extreme, a Fintech company can prevent fraud entirely by blocking a high % of transactions. This will reduce fraud losses, but done poorly, it creates customer churn and a loss of revenue. If a primary revenue source is interchange (swipe fees), less transactions = less revenue.
At the other extreme, a Fintech company can grow their revenue by allowing more transactions assuming that underlying bank partners or 3rd party fraud systems have functioned well. This more permissive approach creates a better UX because users are rarely left frustrated by blocked transactions. However, the bigger banks and merchants will start to block these Fintech companies (as we now see).
The perverse incentive of venture-driven growth is that user growth plus revenue growth looks better when it's going up and to the right, regardless of how many fraudsters might be in that number. Now, clearly, not every Fintech company is doing that, but there's also a massive risk that not every Fintech company has found the balance between growth and fraud prevention.
For banks: Often it’s all about the bottom line. Banks don’t want to take on additional fraud liability. So with real-time payments products like Zelle, banks push the liability to their customer. If you as a customer send funds to the wrong person you are shit out of luck. Where in the card networks banks must take the liability, that is not the case with push payments (like Zelle).
(Some banks have implemented account name-checks to try and give customers an early warning of a possible scam, but it’s not consistent.)
The end result is we have an industry riddled with fraud, and nobody standing up to take responsibility for more than they have to.
Is that the industry we want to build?
But there is a better way.
Instead of accepting fraud losses as a cost of doing business, we can prevent fraud without creating a horrible UX. Instead of pushing liability for real-time payments to the consumer, we can proactively prevent fraud before it happens. And as an industry, we could be a lot more consistent about how we prevent fraud.
Lower fraud losses are a better outcome for the Fintech company, bank, and consumer.
It’s the ultimate no-brainer.
So how do we get better?
Reducing false positives. False positives are when a fraud system flags a transaction as potential fraud and blocks it, even though it turns out to be a good transaction. When I started in issuer processing in the mid-2000s, the fraud systems would average 20 false positives to 1 fraudulent transaction. Today specialist "Fraud-as-a-Service" Fintech companies have gotten this figure much lower (we'll come back to how).
Real-time checks for real-time payments. Real-time payments move money instantly and are often as secure as those who push the send or pay button. For this reason, fraudsters focus much of their effort on tricking users. Again, the specialists run a series of checks to identify a high-risk payment and run a real-time fraud check before payment is sent. (There’s probably more we can do as an industry here to be consistent)
With more sophisticated fraud tools, we can check, for example:
Card present payment: Is this card in the same location as the transaction?
Card not present payment: Were the card details entered on the website in a copy-paste pattern or from the browser?
Real-time payment: Is the receiving account a known fraud account? Is the device being used to make this payment, the same one the customer always uses? Is the device behaving consistently or could it be stolen and accessed by a fraudster?
By running these (and thousands more) sophisticated checks in real time, modern fraud tools can prevent fraudulent transactions with much better UX than the banks or Fintech companies had historically managed by themselves. Real-time payments used to mean much higher fraud losses, but that doesn't have to be the case with more sophisticated use of data.
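To make the real-time payment checks above concrete, here is a sketch of a pre-send decision that runs before the money moves. It is an added example, not code from this newsletter or any fraud vendor; the class names, the step-up policy and the sample profile are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # require a factor that is not just holding the phone
    BLOCK = "block"


@dataclass
class CustomerProfile:
    known_devices: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    typical_max_amount: float = 0.0  # largest payment seen in normal use


@dataclass(frozen=True)
class Payment:
    device_id: str
    payee_account: str
    amount: float


def pre_send_check(payment, profile, fraud_accounts):
    """Evaluate a push payment before it is sent; return (Decision, reasons)."""
    if payment.payee_account in fraud_accounts:
        # A real-time transfer cannot be recalled, so this is the last chance.
        return Decision.BLOCK, ["payee is a known fraud account"]

    new_device = payment.device_id not in profile.known_devices
    new_payee = payment.payee_account not in profile.known_payees
    # Assumed policy: size only matters for payees the customer has never paid.
    unusual_amount = new_payee and payment.amount > profile.typical_max_amount

    reasons = [text for flag, text in (
        (new_device, "device not previously used by this customer"),
        (new_payee, "first payment to this payee"),
        (unusual_amount, "amount above customer's usual maximum"),
    ) if flag]

    # A stolen phone is still a "known device", so the device check alone is
    # not enough: a large first payment to a new payee also forces step-up.
    if new_device or unusual_amount:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


# Constructed sample data.
SAMPLE_PROFILE = CustomerProfile(
    known_devices={"dev-1"},
    known_payees={"acct-landlord"},
    typical_max_amount=300.0,
)
SAMPLE_FRAUD_ACCOUNTS = {"acct-mule-1"}

if __name__ == "__main__":
    for p in (
        Payment("dev-1", "acct-landlord", 250.0),  # routine payment
        Payment("dev-1", "acct-new", 2500.0),      # stolen-phone pattern
        Payment("dev-9", "acct-landlord", 50.0),   # unfamiliar device
        Payment("dev-1", "acct-mule-1", 10.0),     # known fraud account
    ):
        decision, why = pre_send_check(p, SAMPLE_PROFILE, SAMPLE_FRAUD_ACCOUNTS)
        print(p, decision.value, why)
```

The second sample payment is the case from the Zelle story: the customer's own device, a payee never seen before, and an amount far above normal. A one-time code sent to that same device would not count as a second factor there, which is why the step-up has to use something else.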
There are also possible industry-wide solutions.
In the UK, the payment services regulator (PSR) set up a community fund to repay fraud victims and introduced a standard called "confirmation of payee." Whenever a customer goes to make a P2P or real-time payment, they are asked to take a second step and confirm the person they're trying to pay matches the account info they entered. Some banks will even flag "known scam accounts."
Could the US do the same? Even voluntarily?
The biggest solution to fraud is to work together as an industry.
We should all work on preventing consumers from losing their life savings.
There's no competitive advantage in fighting fraud better; this is something the whole industry should be good at and share knowledge on.
The largest banks (Chase, BofA, Capital One, Wells, etc.,) set up Early Warning Services (EWS) to identify individuals who have previously committed fraud. These banks (and many smaller banks) use the service to screen customers at various intervals or events like account opening or check cashing as an industry utility.
This has pros and cons. On the one hand, banks are better placed to prevent fraud for their customers, but on the other, they can also report customers for minor issues like not paying a fee on time. Fintech companies don't get access to EWS and can find themselves "de-risked" by the banks and industry. Especially if some (not all) Fintech companies have historically been more growth focussed than fraud prevention focussed.
The business case for lower fraud losses and adding real-time payments writes itself. But we have to protect consumers along the way.
Wouldn't it be great if the Fintech Industry had its own EWS?
Wouldn't it be great to use better data to prevent false positives and reduce fraud?
So let's do this.
PS. If you want to go much deeper on fraud, especially real-time ACH Fraud, Sila is running a webinar with an absolute all-star lineup and you can check it out here.
4 Fintech Companies 💸
1. Twisp - Ledger as a Service
Twisp allows developers to build ledgers and manage transactions and accounting through auto-generated GraphQL APIs. Twisp includes protocol adapters for payment files like NACHA and ISO 8583. Single and double entry balance calculations are automatically calculated for developers too. Put another way, this is "ledger as a primitive" and allows anyone to build use cases like their own modern treasury, their own fraud prevention, etc.
🤔 If every company becomes a Fintech company, every company may want its own ledger. Every tech stack choice is a trade-off between control and opinion, and Twisp leans heavily into developer control. This is now a category with several payments orchestration companies starting at ledgering and pure-play developer-focused ledgers like Fragment.dev. What intrigues me is the long-term impact this could have on "core banking" software vendors, who essentially bundled a lot of product stuff around a ledger. Fintech companies could build their own banking stack from primitives in the not too distant future.
2. Noah - The Global Cash App alternative.
On the surface, Noah is a P2P transfer wallet that uses Bitcoin's Lightning Network for instant payments. (If that sounds familiar, that's the same one used by Block's Cash App). Users create a username (e.g., firstname.lastname@example.org) and send value globally, 24/7, instantly, and near free.
🤔 The founder of Noah told me they intend to add debit cards linked to the Lightning Network and Eth and Solana-based payment rails in time. In other words, this is not a Bitcoin Maxi wallet; it's an "any to any" wallet. The founder believes there will be many wallets, but we need a single addressing solution (like .pay) that's interoperable across all of them. When he outlined this, it struck me as a possible global alternative to Cash App (but that would also be interoperable with Cash App because it supports a lightning network).
3. Frich - Social Savings for Students
Frich is a savings app that adds community-based savings challenges and spending comparison tools to help break the taboo of savings vs. spending. Frich includes rewards for better savings habits (like money off coffees etc.). Frich connects over the top of existing checking accounts with open banking (Plaid) and stores / moves money with Sila.
🤔 There's something quite nice about breaking the peer pressure of spending and keeping up appearances, especially for students. Not everyone is rich; most people aren't, but you can be more financially healthy. A mix of making it ok with friends and making it ok with benchmarking is quite well handled in the Frich proposition. Also, look how simple this provider stack is: Plaid + Sila, and you have a savings app.
4. Fonbnk - Airtime onramp to Crypto
Fonbnk allows users to convert airtime to digital assets (or traditional prepaid cards). Fonbnk has a network of market makers who will swap airtime for a digital asset to deposit to your favorite wallet. The service can be used by Airtime customers in LATAM, APAC or Africa, provided there is a market maker for that airtime.
🤔 I remember Stellar talking about "market-making airtime" back in 2015, and since then, I'm surprised we haven't seen someone do it sooner. But when you see Fonbnk you get why. Fonbnk is the user-focused front-end app and the market makers on the back end. For institutions with the right appetite (or people in DeFi), would you market-make Airtime vs. USDC? Someone would, and that could be really, really significant.
Things to know 👀
Russia's largest bank Sberbank has been the target of western sanctions, cut off from SWIFT, Visa, and Mastercard. Sberbank will now switch to issuing all its cards on China's China Union Pay (CUP) network.
🤔 The biggest beneficiary of western sanctions on Russia may be China. China Union Pay (CUP) is larger than Visa or Mastercard by payment value made by customers (and has been since 2015). However, CUP only saw 0.5% of that come from non-China transactions (and nearly all of that was cards issued to Chinese nationals transacting abroad). Russia is now essentially the first non-Chinese country to use CUP (and interestingly, not WePay or Alipay).
🤔 Russian companies are currently trying to open accounts at Chinese banks and hold the Yuan currency. While the Yuan is less than 2% of global trade, Russia could materially change that as a significant oil exporter. Chinese banks are wary of secondary US sanctions, so this won't happen fast, but drip, drip drip.
🤔 However, China holds a significant amount of US Dollar debt and reserves as a net exporter to the US. We've already seen trade wars, next comes currency wars. And each one the US Dollar wins forces its competitors to build alternatives.
🤔 The world is a geopolitically interesting place. China is expanding its territorial ambitions in the South China Sea and views Taiwan as a part of wider China. If we see a repeat of Hong Kong, will the West look to sanction China? Is that politically possible?
🤔 So far, countries like India and Brazil have stayed somewhat neutral in the "West vs. Russia" economic war. Each of these countries has its own agenda and doesn't lose if the dollar has a smaller role in the global financial system. But they also might not win if China's Yuan is eventually the alternative.
Visa and Mastercard will increase the fees paid by merchants to accept cards in the next month. The costs had been delayed by two years due to the pandemic. Last year merchants paid an estimated $55.4bn to Visa and Mastercard in interchange fees.
Visa pointed out that the fees apply mainly to online and e-commerce transactions. These fees can be avoided if Merchants provide additional data and use a new token service that makes transactions more secure. Mastercard is removing fees on transactions below $5, and Visa is reducing fees for merchants with less than $250k in transaction value per year.
🤔 A clear motivation for these fee increases is the e-commerce fraud risk. Most card fraud is e-commerce, and e-commerce fraud increased by 70% during the pandemic. The new fees will go some way to helping card issuers manage some of the fraud loss cost.
🤔 The moves by Visa and Mastercard to limit the impact on smaller merchants are interesting. Visa has gone for a flat 10% fee reduction for merchants with less than $250k in transaction value. This applies regardless of online or in-store. The fact remains these smaller merchants have almost no negotiating leverage and pay sticker (or close to a sticker) price for accepting card payments. Mastercard aims to encourage more low-dollar transactions with no fees below $5, hopefully encouraging mom and pop stores to lean into accepting cards much more.
🤔 The massive merchants will make angry noises (especially margin-sensitive businesses like Amazon). But without better technology to prevent fraud, card payments online will be a huge source of losses.
🤔 For merchants and issuers, fraud can either be a cost of doing business or a cost to manage. Bigger merchants like Amazon have historically leaned into accepting slightly more fraud in return for higher sales. If your fraud engine is aggressive, it may reject more good transactions than bad ones, reducing sales overall. So the balance is always fraud losses vs. revenue increases. But there's another dimension: as a merchant, if you have too much fraud, the card issuers might start blocking the transactions themselves.
🤔 If we could see more data about a customer and their transactions, we'd get much better at predicting, preventing, and managing fraud. This is where long-term BNPL players could have an edge; they have time to profile and get to know their customers and the quality of that transaction. This is why Visa wants merchants to share more data. As an industry, we need to get better at sharing data (and using the data already out there) to prevent fraud without preventing good transactions.
Good Reads 📚
Having read the above, I felt the need to write the below, I've summarised in my own words much more than usual here:
There are many potential scaling solutions for Ethereum, but if you've been following the Eth ecosystem, you may have heard of Rollups. Ethereum is a machine that performs computation (like Amazon EC2) and then stores the results of that computation (like Amazon S3). It does all of that together today using a single approach. Adding the transactions to a queue and then having a distributed network of computers (miners) perform that computation. Crucially, every computer performs every computation.
One of the reasons Ethereum is considered slow and expensive is because of this duplication of computation. A good metaphor might be having 10 different virtual machines perform the same computation; it seems wasteful, right? Well, the goal is decentralization. So having lots of computers perform the computation ensures the software has run as written, regardless of who runs it.
Rollups are a scaling solution that prevents each computer from performing the computation. Only the data required to recreate the computation is entered on-chain with a rollup. That means the computation can be done in a much more efficient way. If anyone has a problem with the result, the data is all there for someone else to process. That way, users can ensure software still runs as written, regardless of who runs it.
The Ethereum ecosystem also has economic incentives for the validators who execute rollups to ensure this happens. Rollup operators have costs to run their equipment but receive revenue for performing the computations.
🤔 Overwhelmingly, Ethereum is the dominant Crypto network for NFTs, and NFTs are currently the largest mainstream use case. If they're going to get more usable, Ethereum will have to scale. Rollups would be one major approach to achieving that.
🤔 I wonder if there needs to be one standard for Crypto networks, or if they will all specialize. Perhaps we see Ethereum as the master chain and other specialist chains used for more performance-focused use cases? In consumer tech, we saw Blu-ray beat HD-DVD, VHS beat Betamax, and so on. But in the open-source world, Linux has many distributions, and Apache is supported by countless cloud platforms.
🤔 Understanding the economic incentives in Crypto is crucial to understanding the whole ecosystem. The market is competing to provide the most complete and accurate data storage and computation. The network rewards them for doing this work. Because any other node can do the same computation, unless a node faithfully does their job consistently, they stop getting paid.
That's all, folks. 👋
Remember, if you're enjoying this content, please do tell all your fintech friends to check it out and hit the subscribe button :)