- Fintech Brainfood
We need to talk about scams
They're the perfect crime. Nobody is liable and with RTP they're easy to get away with. We can fix this, but we've got to up our game.
Welcome to Fintech Brainfood, the weekly deep dive into Fintech news, events, and analysis. You can subscribe by hitting the button below, and you can get in touch by hitting reply to the email (or subscribing then replying)
Hey Fintech Nerds 👋
Stripe is going hard to become a multi-processor and transitioning from being a payments company to a software company. 👀
Meanwhile, successful Fintech companies are acquiring smaller ones. Pockit acquired Monese, and it looks like LendingClub got some Tally assets. 👀
Fintech is healing.
And just when you thought Fintech was the compliance bad guy, TD Bank reminds everyone that banks fail at AML too, and when they do, they do so spectacularly.
One thing that is not healing is scams. We’re in a scamdemic. It is the biggest issue in our industry. We have to fix it. That’s your Rant this week 📣 We need to talk about scams.
PS. Congratulations to Round Treasury* on their Seed.
PPS. Excited to check out Fintech Wars by James DaCosta. If you need a modern Fintech canon book start here.
Here's this week's Brainfood in summary
📣 Rant: We have to fix scams
💸 4 Fintech Companies:
Ask Silver - Is it a scam? Your AI companion
Rogo - Investment Analyst A.I. as a Service
Liveflow - The Ultimate Accountant Dashboard
Dotfile - Middesk for Europe
👀 Things to Know:
📚 Good Read: Visa vs the USA
Weekly Rant 📣
We need to talk about scams.
Scams are the perfect crime. They pay well, they're poorly regulated, and nobody wants to take responsibility for fixing them.
Now, LLMs and deep fakes have made scams cheaper, more efficient, and more effective.
Find someone through a social network, coach them into an investment opportunity or romance, and slowly, gradually convince them to move money. Ideally, this will happen in real-time, like with RTP, Faster Payments, Pix, or UPI.
Why?
Because once the money is gone, it's gone. There are often no refunds and no consumer protection.
Except in the U.K. as of this week.
It's the world's first major economy to offer a full reimbursement model for scam victims, covering losses up to £85,000 ($110k). A court case in the Southern District of New York against Citi could also extend Reg E to authorized push payment fraud (payments a consumer was tricked into sending) in the USA.
If you're in payments or a bank, the trend is that you're liable for the loss, even if you didn't cause the scam and have no ability to prevent it.
This is the issue of our time in finance.
If we're going to solve scams, it's going to take:
An understanding of scams vs fraud (and the regulation gaps)
Why faster payments means faster fraud
The rise of LLMs and deep fakes compounding the issue
The rise of regulation to counter scams
The data we can share
The skills we have to learn
1. When is it a scam, not fraud?
I wrote a longer piece about scams vs fraud here. The key takeaway is one of definition:
Fraud is when the bad actor moves money illegally
A scam is when a bad actor uses communications like telephone or email to trick someone into moving money.
Fraud is illegal in the U.S. under a patchwork of laws:
Fair Credit Billing Act (FCBA): Protects consumers from unfair billing practices and provides a mechanism for addressing billing errors in credit card accounts.
Electronic Fund Transfer Act (EFTA): Protects users of electronic fund transfer systems, including provisions for lost or stolen cards.
Truth in Lending Act (TILA): Limits liability for unauthorized credit card charges and outlines disclosures that lenders must provide.
Identity Theft and Assumption Deterrence Act: Criminalizes identity theft and allows for restitution to victims.
Fair Credit Reporting Act (FCRA): Promotes accuracy and ensures the privacy of information in credit reports.
The following two laws cover scams:
Telephone Consumer Protection Act (TCPA): Addresses scams via phone calls and messages, including telemarketing fraud.
CAN-SPAM Act: Regulates commercial email and sets requirements for commercial messages to combat email scams.
As I wrote in the other piece:
Immediately, it's clear that fraud law focuses on financial transactions, and scam law focuses on communications (except, notably, social media).
The gap is between the two.
Scams can easily become fraud.
This is less of an issue in the world of cards because consumer protections like the dispute process create a clear framework for customer compensation. If you're tricked into buying something from a fake website and the goods never arrive, hit the dispute button.
The nature of the payment mechanism means it is reversible.
It's also not as easy to move large amounts of money with a card as with push payments. Push payments, such as ACH, Faster Payments, Pix, etc., are often used to send one-off amounts to a person or business. When these payments become real-time, the recipient gets paid immediately.
This is ideal for scammers, who can then move that money two, three, or more times to hide it from authorities and make it almost impossible to claw back.
The regulation isn't clear, and there's no obvious consumer protection.
2. Faster payments mean faster fraud
In most jurisdictions, including the U.S., banks have long claimed that if a consumer authorizes a payment, the bank has no liability for losses. If the consumer is tricked but authorizes the payment, they argue it is a scam, not a fraud.
They've authorized a push payment (hence the term Authorized Push Payment, or APP, fraud).
The only problem is, well, everything.
Pensioners are losing their life savings. One lost $740,000, and another lost $661,000 in a tech support scam.
In the U.K., fraud is now the #1 crime, accounting for 40% of all reported crimes.
In Brazil, it's common for gangs and criminals to pressure victims into sending money via Pix.
Scams are a global issue everywhere RTP exists.
Why?
The lack of a clear liability model means scam prevention controls are limited. The incentives haven't been there for heavy investment in detecting the early warning signs of a scam. Consumer warnings like "be careful; this could be a scam" in your Zelle, CashApp, banking, or Pix wallet are often ignored, and they aren't consistently applied anyway.
The payment rails don't always have rules about collaborating to solve APP fraud. Zelle now has a clawback mechanism, and the U.K. now has regulations, but the mechanism for reimbursing customers is limited. It's also unclear how payment companies or banks should collaborate, share data, or secure transactions before they happen.
The criminal has likely gotten away with the stolen funds before the consumer can report the issue. Once a criminal has received the funds, the first thing they do is move it several times through multiple accounts. This means neither the sending nor receiving F.I. is likely to have those funds and would suffer a loss if they refunded consumers.
This would be fine if RTP volumes were not exploding.
They are.
During the pandemic, RTP became a lifeline in Brazil, India, and the U.K., and through services like Zelle as branches and traditional networks failed.
The rapid adoption of digital tools by elderly and vulnerable populations created a new pool of hundreds of millions of wealthy potential victims for scammers, where a single scam could have a huge payoff.
This all happened at the same time as LLMs appeared. LLMs then reduced the cost of creating a scam and improved its believability.
3. LLMs and deep fakes unlock believable and low-cost scams.
ChatGPT is a pushover.
You still don't have to work particularly hard to get it to generate a believable scam email or text message.
Grok 2 is even worse; it will break any ethical boundary if you accuse it of being "woke."
And if you don't want to go through the effort of jailbreaking an LLM, there are now Fraud-as-a-Service LLMs like WormGPT that will happily generate scams for you.
Gone are the days of the poorly spelled "Nigerian Prince" emails.
These are now often personalized, believable emails featuring logos and brands that are uncannily close to the real thing. Combine this with an RTP rail, and your attack cost will be massively reduced. Your likelihood of receiving the funds also increases (because RTP rails exist and vulnerable customers are using digital now).
For businesses, deep fakes can cost millions.
There's the famous story of Arup, which was scammed out of $25m when deep-fake technology was used to impersonate its CFO to a finance employee. (This story is wild if you haven't seen it already.)
A report by Deloitte found:
Just over half (53%) of businesses in the U.S. and U.K. have been targets of a financial scam powered by "deepfake" technology, with 43% falling victim to such attacks, according to a survey by finance software provider Medius.
Of the 1,533 U.S. and U.K. finance professionals polled by Medius, 85% viewed such scams as an "existential" threat to their organization's financial security, according to a report on the findings published last month.
RTP is caught in the middle of all this, but it's a multi-faceted issue.
If you can scam someone, the ROI is high, and the controls are weak.
4. Regulation is what happens when something must be done
If enough headlines are written about vulnerable customers losing money, new regulations will soon follow.
In the U.K., that happened on Monday, October 7th.
Under the Payment Systems Regulator's (PSR) new rules, all banks and payment companies must:
Refund customers up to £85,000 ($110k) in the event of an APP scam on the U.K.'s Faster Payments (instant payments) rail.
F.I.s have 5 business days to issue the refund and can apply an excess of up to £100 per claim to deter abuse of the scheme. The cost of the refund is split 50:50 between the sending and receiving payment firm.
These rules don't apply when the victim is complicit (first-party fraud) or when the victim is a business or charity. They also don't apply for any other payment rail or international payment.
How does reimbursement work between banks and PSPs in practice? Alex put it eloquently.
Despite the rule going into effect today, there is not yet a formal mechanism for the sending and receiving banks to transfer money back and forth to each other and resolve disputes. So banks in the U.K. are reportedly going to be handling it manually for the time being (via channels like email), which seems like it will quickly become a complete clusterfuck.
In the USA, a court case in the Southern District of New York argues that the Electronic Fund Transfer Act (EFTA) applies when a consumer initiates a wire transfer through a mobile app or digital platform. While this is far from rule-making, it is already forcing banks to rethink their refunds and reimbursement strategies for APP fraud.
Meanwhile, in Europe, not to be left out, a series of measures will be introduced under the Payment Services Directive 3 (PSD3). This coincides with the bloc-wide mandate that banks in all member states support SEPA Instant, the instant payment rail.
It will:
Include mandatory reimbursement of consumers (mechanism to be defined)
Mandatory confirmation of payee
Stricter requirements on step-up authentication (strong customer authentication) above payment amount thresholds.
Brazil's central bank and India's National Payments Corporation (NPCI) are in ongoing discussions with industry as scams become a global issue.
All of these existing and future regulations have one goal: to encourage banks and payment companies to invest more energy in fraud prevention.
Getting there will require more than buying whatever shiny new vendor appears on the scene. The bad actors upped their game, and the industry has to do the same.
5. We have to close data gaps
Liability models alone won't fix scams; they will create a prize fund for scammers.
Refunding victims is good, but we all have to get better at scam and fraud prevention.
All risk problems are data problems; we have data gaps to close (while staying mindful of privacy boundaries).
For consumers, we need to close the gaps between social media and search platforms and payment companies, and between payment companies and payment networks.
a) We can improve data sharing from digital platforms to F.I.s. Digital platforms like WhatsApp, Telegram, and Facebook are breeding grounds for scammers. They offer fake jobs and investment opportunities or pretend to be friendly ears to lure a victim into sending them money. Similarly, search engines like Google often have sponsored ads for fake airline customer support numbers, etc.
💡 A simple allowlist/blocklist of known bad identities, accounts, emails, and devices that can be shared among these companies would be a start (mindful of privacy, of course).
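One way to build that shared list without the members handing each other raw PII, as an added example that is not from the post or from any of the companies it mentions: every member normalises the identifier the same way, derives a keyed digest (HMAC) under a key only consortium members hold, and exchanges digests. The consortium key, the member names and all reported identifiers below are constructed for the example; a plain SHA-256 would not do, because phone numbers and short emails can be reversed by enumeration.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Hypothetical consortium secret (an assumption of this example). It would be
# distributed to member firms out of band and rotated; the post does not
# specify how a real scheme would manage it.
CONSORTIUM_KEY = b"example-consortium-key-rotate-me"


def normalize(kind: str, value: str) -> str:
    """Canonicalise an identifier so every member derives the same digest."""
    v = value.strip().lower()
    if kind == "email":
        local, _, domain = v.partition("@")
        # Dots and +tags in the local part are cheap ways to mint "new" addresses.
        # Applied to every domain here for simplicity; a production normaliser
        # would key this on the mail provider's actual rules.
        local = local.split("+", 1)[0].replace(".", "")
        return f"{local}@{domain}"
    if kind == "phone":
        digits = re.sub(r"\D", "", v)
        if digits.startswith("00"):  # international prefix -> E.164 style
            digits = digits[2:]
        return "+" + digits
    if kind == "device":
        return v
    raise ValueError(f"unknown identifier kind: {kind}")


def indicator_tag(kind: str, value: str, key: bytes = CONSORTIUM_KEY) -> str:
    """Keyed digest that members exchange instead of the raw identifier.

    A plain SHA-256 of a phone number is reversible by enumerating the number
    space; the HMAC key limits that to consortium members who hold the key.
    """
    msg = f"{kind}:{normalize(kind, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SharedBlocklist:
    """Store of contributed indicator digests; it never sees the underlying PII."""

    def __init__(self) -> None:
        self._entries: Dict[str, Dict] = {}

    def report(self, reporter: str, kind: str, value: str, reason: str) -> str:
        digest = indicator_tag(kind, value)
        entry = self._entries.setdefault(digest, {"reason": reason, "reporters": set()})
        entry["reporters"].add(reporter)
        return digest

    def check(self, kind: str, value: str) -> Optional[Dict]:
        entry = self._entries.get(indicator_tag(kind, value))
        if entry is None:
            return None
        return {"reason": entry["reason"], "reporters": sorted(entry["reporters"])}


def build_demo_blocklist() -> SharedBlocklist:
    """Constructed sample reports from hypothetical members (not real data)."""
    bl = SharedBlocklist()
    bl.report("bank_a", "email", "Scam.Mer+jobs@Gmail.com", "fake job offer")
    bl.report("platform_x", "email", "scammer@gmail.com", "fake job offer")
    bl.report("bank_b", "phone", "+44 7700 900123", "impersonation call")
    bl.report("bank_b", "device", "A1B2C3", "mule account device")
    return bl
```

Two members reporting different spellings of the same address land on the same digest, which is the point of normalising before hashing. This is the minimum viable version; a scheme with a stronger privacy story would replace the shared key with a private set membership protocol so that a lookup reveals nothing about misses.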
These platforms have tried to remove this behavior, but there was no concerted effort to identify and root out financial scams.
That was at least, until last week.
Meta announced they're partnering with U.K. banks to share intelligence and data for scam prevention. That's good, but it's a pilot with several U.K. banks. We have to start somewhere. This needs to be expanded internationally, and at a much wider scale.
b) We can close the data sharing gap between F.I.s. In a push payment the sending bank has no idea who the beneficiary of the payment will be. Are they a known bad actor? A new account? Using a stolen device?
The U.K. has had Confirmation of Payee (CoP) live for a few years. Before a payment goes through, the name the payer typed is checked against the name the receiving bank holds for that sort code and account number, and the payer is told whether it's a match, a close match, or no match. But we need more.
💡 There are several initiatives in the U.K. and elsewhere to screen the recipient of a payment before it is sent (like Plaid Beacon and Sardine Sonar). Payments companies like Form3 are making collective beneficiary screening part of their pre-payment workflow (they see 50% of U.K. Faster Payments traffic).
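To make the name check concrete, here is an added example of CoP-style matching in Python. It is not Pay.UK's algorithm or any vendor's code; the title and suffix lists, the 0.8 similarity threshold and the sample names are assumptions chosen for illustration. The security-relevant detail is in the return value: the held name is only disclosed on a close match, so the endpoint cannot be used to enumerate who owns an account.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional

TITLES = {"mr", "mrs", "ms", "miss", "dr", "sir", "lady", "lord"}
# Canonical forms for common legal-suffix variants (illustrative list).
SUFFIXES = {"ltd": "limited", "limited": "limited", "plc": "plc", "llp": "llp",
            "co": "company", "company": "company", "inc": "inc"}
CLOSE_MATCH_THRESHOLD = 0.8  # assumption for this example; tune on real traffic


def normalize_name(name: str) -> List[str]:
    """Lowercase, drop punctuation and titles, canonicalise legal suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return [SUFFIXES.get(t, t) for t in tokens if t not in TITLES]


@dataclass
class CopResult:
    outcome: str               # "match", "close_match" or "no_match"
    held_name: Optional[str]   # disclosed only on close match, so the payer can confirm
    detail: str


def confirm_payee(entered_name: str, entered_type: str,
                  held_name: str, held_type: str) -> CopResult:
    """Compare the payer's entered name with the name the receiving bank holds.

    entered_type / held_type are "personal" or "business"; a type mismatch is a
    hard no-match regardless of name similarity (a classic mule-account tell).
    """
    if entered_type != held_type:
        return CopResult("no_match", None, "account type differs")
    a, b = normalize_name(entered_name), normalize_name(held_name)
    if a == b or sorted(a) == sorted(b):
        return CopResult("match", None, "names agree after normalisation")
    ratio = SequenceMatcher(None, " ".join(a), " ".join(b)).ratio()
    if ratio >= CLOSE_MATCH_THRESHOLD:
        # Close enough that a typo or initial is the likely cause: show the
        # held name and let the payer decide.
        return CopResult("close_match", held_name, f"similarity {ratio:.2f}")
    # Do not reveal the held name on a miss; that would turn CoP into an oracle.
    return CopResult("no_match", None, f"similarity {ratio:.2f}")


if __name__ == "__main__":
    # Constructed sample checks.
    for args in [("Mr J Smith", "personal", "John Smith", "personal"),
                 ("ACME LTD", "business", "Acme Limited", "business"),
                 ("John Smith", "personal", "Jane Doe", "personal"),
                 ("Acme Limited", "personal", "Acme Limited", "business")]:
        print(args[0], "->", confirm_payee(*args))
```

A real deployment would also handle joint accounts, trading names and non-Latin scripts, and it would rate-limit the endpoint for the same enumeration reason.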
The use of open banking and the proliferation of open finance will increase across Europe, too. Under PSD3, all financial institutions, wealth, insurance, payments, Fintech, and everything else will be required to make consumer-permitted data access available.
c) We can close the data-sharing gap between payment rails. It was telling that APP fraud reimbursement in the U.K. only applies to faster payments in the U.K.
The regulators are limited by their jurisdiction. The private sector is not.
If a customer is using a wallet (like Wise or Revolut) to send a cross-border payment into the U.K., it would look like a Faster Payment to the receiving F.I., but to the sending F.I., it may have come from a card or even Crypto.
We're just beginning to think this way, and have a long way to go. Imagine starting a transaction on CashApp, pushing money to a card that involves RTP and cross-border, and finishing in a crypto transaction. How the hell do you trace that?
Weirdly, the crypto businesses are the most mature here because they're used to scammers and hackers exploiting the gaps between rails. They also developed a standard for data sharing between exchanges and wallet providers (IVMS101) so that KYC'd wallets can comply with the FATF Travel Rule for international payments.
💡 What if we extended IVMS to multiple payment rails, and data types?
Closing data gaps will take time, and it will also require learning new skills. Even if we had perfect, privacy-preserving data sharing, great data is nothing without great analysis, UX, and product design.
6. The skills we have to learn
The best way to have no fraud is to have no transactions.
Finding the balance is all about building a UX that can bake in security with just enough friction when required while collecting as much data as possible (while also being mindful of privacy).
Non-trivial.
But doable.
Thinking beyond the payment transaction is crucial. You can't detect a scam on a payment that hasn't happened yet. You have to screen a beneficiary before the transaction is instructed.
Thinking outside the payment rail is also crucial. The users' other data, such as their social networks, devices, behavior, and open banking data, could all be critical.
Early warning signs for a scam include a user on the phone while trying to make a large payment, or transactions in other accounts moving large sums from savings into checking.
Thoughtful UX design is more than a warning, "Hey, this could be a scam." One step is to capture beneficiary info before a payment instruction is created. This buys time to screen the beneficiary. It could involve sharing a little bit more about the recipient, requesting a step-up verification (like fingerprint or FaceID), or even getting a call from the bank.
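Putting the last few paragraphs together, here is an added example (mine, not code from the post or from any bank named in it) of a pre-payment scam assessment that runs once the beneficiary details are captured and before the instruction is created. It combines the early-warning signals described above (active phone call, savings sweep, new or young beneficiary account, a CoP result, a shared-list hit) into a score and maps it to a friction tier. Field names, weights, thresholds, tier names and the scenarios are all assumptions for illustration, not calibrated values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class PaymentContext:
    """Signals gathered before the payment instruction is created (field names assumed)."""
    amount: float
    payer_max_90d: float                  # largest outbound payment in the last 90 days
    beneficiary_new: bool = False         # first payment to this payee
    beneficiary_account_age_days: int = 3650
    cop_result: str = "match"             # "match", "close_match" or "no_match"
    beneficiary_flagged: bool = False     # hit on a shared indicator list
    on_call_during_session: bool = False  # phone call active while in the app
    remote_access_tool: bool = False      # screen-sharing / remote-control software detected
    recent_savings_sweep: bool = False    # savings moved to current account in last 24h
    payer_vulnerable: bool = False        # customer flagged as vulnerable


# (reason, predicate, weight). Weights are illustrative, not calibrated.
RULES: List[Tuple[str, Callable[[PaymentContext], bool], int]] = [
    ("beneficiary on shared blocklist", lambda c: c.beneficiary_flagged, 60),
    ("remote access tool active", lambda c: c.remote_access_tool, 50),
    ("phone call active during payment", lambda c: c.on_call_during_session, 25),
    ("confirmation of payee: no match", lambda c: c.cop_result == "no_match", 25),
    ("savings swept to current account in last 24h", lambda c: c.recent_savings_sweep, 20),
    ("beneficiary account younger than 30 days", lambda c: c.beneficiary_account_age_days < 30, 15),
    ("amount above payer's 90-day maximum", lambda c: c.amount > c.payer_max_90d, 15),
    ("first payment to this beneficiary", lambda c: c.beneficiary_new, 10),
    ("confirmation of payee: close match only", lambda c: c.cop_result == "close_match", 10),
    ("payer flagged as vulnerable", lambda c: c.payer_vulnerable, 10),
]

# Friction tiers, highest threshold first. Thresholds are illustrative.
TIERS = [
    (70, "hold_and_call"),  # hold the payment; bank calls back on a verified channel
    (40, "step_up"),        # tailored scam warning + biometric re-auth + cooling-off
    (20, "warn"),           # contextual warning, payment proceeds
    (0, "allow"),
]


def assess(ctx: PaymentContext) -> Dict:
    """Score the context against RULES and pick the friction tier."""
    score = 0
    reasons = []
    for reason, predicate, weight in RULES:
        if predicate(ctx):
            score += weight
            reasons.append(reason)
    action = next(a for threshold, a in TIERS if score >= threshold)
    return {"score": score, "action": action, "reasons": reasons}


# Constructed scenarios, not real cases.
SCENARIOS = {
    "routine_bill": PaymentContext(amount=40, payer_max_90d=500),
    "safe_account_scam": PaymentContext(amount=9000, payer_max_90d=1200, beneficiary_new=True,
                                        beneficiary_account_age_days=12, cop_result="close_match",
                                        on_call_during_session=True, recent_savings_sweep=True),
    "tech_support_scam": PaymentContext(amount=2000, payer_max_90d=1500, beneficiary_new=True,
                                        beneficiary_account_age_days=90, remote_access_tool=True,
                                        payer_vulnerable=True),
    "new_payee_large": PaymentContext(amount=1500, payer_max_90d=1200, beneficiary_new=True,
                                      beneficiary_account_age_days=20),
    "typo_in_name": PaymentContext(amount=100, payer_max_90d=500, beneficiary_new=True,
                                   cop_result="close_match"),
    "known_mule": PaymentContext(amount=50, payer_max_90d=500, beneficiary_new=True,
                                 beneficiary_flagged=True),
}

if __name__ == "__main__":
    for name, ctx in SCENARIOS.items():
        result = assess(ctx)
        print(f"{name:20} score={result['score']:3} action={result['action']}")
```

The shape matters more than the numbers: the benign majority (a routine bill, a small first payment to a new payee) gets no friction, while a large payment to a days-old account during a phone call after a savings sweep gets held for a call-back. The reasons list is what the customer-facing warning should be built from, rather than a generic "this could be a scam".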
Sharing learnings and best practices. Many forums like Pay.UK, NACHA, and the Fed Payments Improvement working groups talk about getting better, but they're often more talking-shop than practical problem-solving. The fraud and customer safety teams need to spend more time together in a room. 💡 Perhaps we could open-source these best practices.
Anonymous benchmarking. 💡 One idea from a Fintech company was to benchmark more about what features companies have and how effective they are. So teams could use it in a positive way to figure out what to do better.
While keeping privacy as a non-negotiable. Best practice and innovation are our friends here. Fraud and AML are already carved out by data privacy regulators as an exception for PII data sharing. That said, we don't want any data leaks. Federated machine learning, for example, is a way to train A.I. and risk models without the parties sharing their raw data.
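To show what "without sharing data" means mechanically, here is an added example of federated averaging (FedAvg) in plain Python; it is not code from the post or from any bank. Three hypothetical banks each hold their own labelled payments, each trains a logistic-regression scam model locally for a few steps, and only the resulting weights leave the bank; a coordinator averages them into the next global model. The rows, feature choices and hyperparameters are constructed assumptions. One caveat a practitioner should keep in mind: shipping weights instead of rows is not by itself a privacy guarantee, since model updates can leak information about training data, which is why production schemes add secure aggregation or differential privacy on top.

```python
import math
from typing import Dict, List, Tuple

Row = Tuple[Tuple[float, float, float], int]

# Constructed, labelled rows held privately by three hypothetical banks.
# Features: amount relative to the payer's 90-day maximum (0..1), an active
# phone call during the session (0/1), and a new payee (0/1). Label 1 = scam.
BANK_DATA: Dict[str, List[Row]] = {
    "bank_a": [((0.10, 0, 0), 0), ((0.20, 0, 0), 0), ((0.30, 0, 1), 0), ((0.05, 0, 0), 0),
               ((0.10, 1, 0), 0), ((0.90, 1, 1), 1), ((0.85, 1, 0), 1), ((1.00, 0, 1), 1),
               ((0.70, 1, 1), 1), ((0.60, 1, 1), 1)],
    "bank_b": [((0.40, 0, 0), 0), ((0.15, 0, 1), 0), ((0.25, 0, 0), 0), ((0.30, 0, 1), 0),
               ((0.05, 1, 0), 0), ((0.80, 1, 1), 1), ((0.90, 1, 0), 1), ((0.75, 1, 1), 1),
               ((0.95, 0, 1), 1), ((0.65, 1, 1), 1)],
    "bank_c": [((0.20, 0, 1), 0), ((0.35, 0, 0), 0), ((0.10, 0, 0), 0), ((0.25, 0, 1), 0),
               ((0.15, 1, 0), 0), ((0.85, 1, 1), 1), ((0.80, 1, 0), 1), ((1.00, 0, 1), 1),
               ((0.95, 1, 1), 1), ((0.70, 1, 1), 1)],
}


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def predict(weights: List[float], x: Tuple[float, ...]) -> float:
    """Scam probability; weights = [w_1..w_d, bias]."""
    return sigmoid(sum(w * xi for w, xi in zip(weights[:-1], x)) + weights[-1])


def local_update(global_weights: List[float], rows: List[Row],
                 lr: float = 1.0, steps: int = 5) -> Tuple[List[float], int]:
    """Runs inside one bank. Returns only the updated weights and the row count;
    the rows themselves never leave this function."""
    w = list(global_weights)
    n = len(rows)
    for _ in range(steps):
        grad = [0.0] * len(w)
        for x, y in rows:
            err = predict(w, x) - y          # gradient of log-loss w.r.t. the logit
            for i, xi in enumerate(x):
                grad[i] += err * xi / n
            grad[-1] += err / n
        w = [wi - lr * gi for wi, gi in zip(w, grad)]
    return w, n


def federated_average(updates: List[Tuple[List[float], int]]) -> List[float]:
    """Coordinator step: weight each bank's model by its number of rows."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(w[i] * n for w, n in updates) / total for i in range(dim)]


def train_federated(bank_data: Dict[str, List[Row]], rounds: int = 30, dim: int = 3) -> List[float]:
    global_w = [0.0] * (dim + 1)
    for _ in range(rounds):
        updates = [local_update(global_w, rows) for rows in bank_data.values()]
        global_w = federated_average(updates)
    return global_w


def accuracy(weights: List[float], rows: List[Row]) -> float:
    correct = sum((predict(weights, x) >= 0.5) == bool(y) for x, y in rows)
    return correct / len(rows)


if __name__ == "__main__":
    model = train_federated(BANK_DATA)
    pooled = [r for rows in BANK_DATA.values() for r in rows]
    print("weights:", [round(w, 2) for w in model], "accuracy:", accuracy(model, pooled))
```

The coordinator only ever calls `federated_average` on weight vectors, so it could be run by a third party (or a regulator) that holds none of the banks' customer data.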
I was at dinner on Wednesday with 20+ fraud leaders in UK Fintech, from high-street banks, digital banks, and payments companies. One bank shared its findings from effectiveness benchmarking they did globally.
They found the most effective user-facing scam-prevention mechanisms are
The Revolut payment flow. If they suspect a scam, they'll make you go through multiple warnings, a video about scams, and a 3-hour cool-down period.
The Monzo call confirmation in app. Monzo allows users to see in their app if it really is the bank calling them or someone else.
A killswitch. Banks in Asia are now giving users a button to lock everything related to their account until they re-KYC in person, for use if they're at risk of harm or injury.
Summary
We can fix scams if we talk about them.
Faster payments, LLMs, and digital adoption don't have to mean we suffer from scams. As an industry with a problem-solving mindset, we can improve and move the dial on scams.
Detecting scams well requires us to get much better at data sharing, while getting much better at using new privacy-preserving techniques. It requires us to push the boundaries of thoughtful UX design and introduce friction correctly at the right time.
We can develop best practices, benchmark, and share data and lessons. At their core, anyone in the fraud squad is a problem solver.
We need to do more than talk about scams.
We need to get proactive.
"We're not liable under the law" won't cut it.
Be better.
Get better.
S.T.
4 Fintech Companies 💸
1. Ask Silver - Is it a scam? Your AI companion
Silver is a free AI-powered scam-checking tool that lives in WhatsApp. Users can send a screenshot of any email or message they've received or take a photo of any letter. The AI then assesses it against known scam types and suggests how to stay safe.
🧠 Why didn't this already exist? And why didn't the banks or big tech companies do it? Every bank and every Fintech company should at least white-label this or partner with it in some way. It might not be perfect, but it's much better than nothing!
2. Rogo - Investment Analyst A.I. as a Service
Rogo helps hedge funds, asset managers, and investment banks ask questions about their data. Its fine-tuned LLMs can perform market research and produce data-driven analysis and materials. It can analyze proprietary internal documentation alongside public data sources and summarize for senior leaders.
🧠 Should this be a feature for Microsoft Co-pilot? I doubt that the foundation models themselves will be ready to tightly integrate with internal and market data in an "enterprise-ready" way soon. But when you say Enterprise, you think Microsoft. There's an Azure ++ play here (as there is for the hyperscalers). That said, the capital markets space is one of the fastest adopters of this technology. Anything that gives you an edge is worth it.
3. Liveflow - The Ultimate Accountant Dashboard
Liveflow aggregates data, automates manual tasks, and helps manage communication between accountants and their clients. It automates client reporting, streamlines account reconciliation, consolidates accounts, and integrates with your favorite spreadsheets.
🧠 Accounting is so hot right now. While there are countless spend management platforms, the accounting firm's experience is still unloved. The experience of a modern finance team is often way better than that of their accountants. Liveflow fixes this.
4. Dotfile - Middesk for Europe
Dotfile provides KYB (Know Your Business) verification for companies in France and the U.K. It collects data from business registries (the equivalent of the secretary of state) and manages AML screening, document verification, risk scoring, and case management.
🧠 They've aggregated hundreds of data providers. Accessing those data providers isn't easy, and KYB has been tricky to implement in Europe. That situation is improving, with one or two players now in the Dotfile airspace. Also, French Fintech is on fire right now.
Things to know 👀
Stripe will soon support processing on 12 non-Stripe acquirer processors, including WorldPay. Stripe billing will also support multi-processors. Stripe will support non-Stripe terminals for in-store payments. They also announced new clients like Nvidia, Cloudflare, and Pepsico.
🧠 Every sentence is counter-positioned marketing vs Adyen.
🧠 Adyen is unlikely to sell a modular version of its stack or put as much focus on being multi-processor.
Their strength is their "single, global platform." Adyen is a bank, so it's almost irrational for them to promote multi-processor support. Stripe’s multi-processor implementation is still somewhat janky, but will improve.
🧠 Adyen's "omnichannel" offering for in-store and online is best-in-class, but you have to go full Adyen.
You can go "full Stripe" without changing your in-store terminals by supporting non-Stripe terminals.
🧠 Stripe has positioned itself further up the stack.
Stripe billing and checkout are the product not the processing. Stripe billing is a unicorn by itself (with $500m in revenue run rate). Applying those on any processor optimizes conversion at checkout or recurring billing. That's what Stripe sells, not processing.
🧠 Billing for AI Inference is hard.
Stripe is a big customer of Nvidia and supplies checkout experiences to many companies like OpenAI or Mistral (everywhere you see AI, you see Stripe). But it's not surprising they also did the hard yards on how the heck to bill for inference.
🧠 We need to talk about Shopify.
Shopify is now processing with Adyen and PayPal. Enterprises that Stripe signs are rarely exclusive. They have a right to play there but not a right to win.
🧠 Adyen is an efficiency machine, and PayPal has its mojo back.
The biggest beneficiaries of Stripe moving up the stack could be processors that are really strong in some areas. Venmo has R&D again, and if the sleeping PayPal giant wakes, Stripe could have a much harder time soon.
PS. I heard a rumor Stripe just made a massive Stablecoins acquisition. If true, that would be an incredible bet.
TD Bank will pay more than $3bn in fines after pleading guilty to charges that it allowed criminals and cartels to launder hundreds of millions of dollars. Prosecutors said that for over a decade, criminals could deposit cash amounts as high as $1m. TD said it's hiring 700 compliance staff to help manage the issue. From 2018 onwards, it failed to monitor more than 90% of the transactions on its network, activity worth more than $18tn.
🧠 Fines don’t work; hiring won’t work; this keeps happening.
Hiring 700 people to start manually reviewing alerts and file SARs is a drop in the ocean if you’re not monitoring 90% of transactions. This is the default for Fintech companies.
🧠 AML Policy, technology, and approaches are broken, and it is an emergency.
I’m baffled how a bank failed to monitor more than 90% of transactions. Baffled. Compliance was a sleepy backwater of banking budget and investment. It should be the technology R&D hub. It should be where the talent is. If we want to stop cartels and criminal gangs, this is how you cut off their money supply. What talented individual is not motivated by that as a reason to go to work?
🧠 The focus is on tried-and-true techniques that cannot keep up with the scale of 21st-century crime.
If criminals can rapidly create identities and move money in real-time or near real-time through multiple banks and wallets, your transaction and identity monitoring needs to get 100x faster. There’s no amount of people you can hire to fix a lack of useful tech.
🧠 This puts the BaaS consent orders in perspective.
🧠 I bet no CEOs get fired or go to jail. The CEO will retire in April 2025 and “takes full responsibility.”
The agreement is just days after HSBC wrote off its $35m investment into the struggling banking app Monese.
Monese was a banking app focusing on immigrant populations, but it suffered years of heavy losses, including more than £30m in 2022.
🧠 Only the leanest survive.
Monese had spent a lot of money on building products and infrastructure but often lacked the revenue to justify that investment.
Its platform was so comprehensive that it spun out XYB to serve non-Monese customers, which has done quite well.
🧠 Pockit stayed lean.
Pockit focused on its core card offering and customer segment, gradually increasing its user base and patiently building its business.
This positioned it perfectly to acquire Monese's distressed assets, as well as customers, products, and capabilities it likes.
🧠 UK Fintech took a beating from 2016 to 2022, but it's healing.
Monzo is profitable, Revolut got a bank license, and now the stronger Fintechs are acquiring the struggling ones.
Good Reads 📚
1. Visa vs the USA
Visa has a long history of battling the debit networks. In the 1970s, the ATM networks used PINs, while Visa still used signatures. By 1 98, signature debit had a 60% market share. However, the first set of issues from merchants began as Visa forced any merchant who wanted to accept credit to also accept signature debit. Visa and Mastercard settled in 2003, agreeing that merchants could accept whatever they liked and paying $3bn in damages.
After a long history with the DoJ (including the famous blocked Plaid acquisition), Visa now faces four main pressures.
The Fed wants to lower regulated debit interchange from 21 cents to 14.
The Fed in 2023 also ruled issuers must support at least one rival network.
Alternatives like Pay by Bank are now gaining meaningful adoption, with Visa behind the market versus Mastercard or the aggregators.
The Capital One / Discover tie-up potentially creates a meaningful rival.
🧠 This whole space is a lobbying minefield. Merchants, issuers, and networks are all frenemies.
2. A couple of bonus bits here for anyone in A.I.
The great data integration schlep. A.I. isn't revolutionizing the heavy industries because they all have specialized equipment. Transport, utilities, and chip makers all use custom hardware and software, making data access nearly impossible. 🤔 A.I. only works if you can get the data first.
Tactics for A.I. adoption in corporates. Most A.I. users in corporations quietly use it because there's little upside to being seen using it. Good users aren't treated as heroes, employees fear "cost-cutting," and companies don't reward their use. Corporates should 1) reduce the fear, 2) create incentives, and 3) model positive use.
Tweets of the week 🕊
Scammers never miss an opportunity.
There was a fake Tesla launch event with 250k viewers - QR code leads to a crypto scam 😭
— Sheel Mohnot (@pitdesi)
5:16 AM • Oct 11, 2024
PayPal got its Mojo back
Wow - at long last, we're seeing some real product releases out of @Venmo.
Recurring payments - not just push, but pull requests as well (something that real-time payment rails in the US don't yet support, which gives Venmo an edge as an RTP option) x.com/i/web/status/1…
— Nik (@NikMilanovic)
3:11 PM • Oct 9, 2024
Lendingclub got some Tally assets
Interesting news following Tally’s shutdown this summer. LendingClub and Pagaya to acquire its assets
— Cole Gottlieb (@Cole_Gottlieb)
1:37 PM • Oct 9, 2024
That's all, folks. 👋
Remember, if you're enjoying this content, please do tell all your fintech friends to check it out and hit the subscribe button :)
(1) All content and views expressed here are the authors' personal opinions and do not reflect the views of any of their employers or employees.
(2) All companies or assets mentioned by the author in which the author has a personal and/or financial interest are denoted with a *. None of the above constitutes investment advice, and you should seek independent advice before making any investment decisions.
(3) Any companies mentioned are top of mind and used for illustrative purposes only.
(4) A team of researchers has not rigorously fact-checked this. Please don't take it as gospel—strong opinions weakly held
(5) Citations may be missing, and I've done my best to cite, but I will always aim to update and correct the live version where possible. If I cited you and got the referencing wrong, please reach out