• Fintech Brainfood
  • Posts
  • 🧠 Synapse is Bankrupt. Plus: KYC is still, still broken. But there's hope.

🧠 Synapse is Bankrupt. Plus: KYC is still, still broken. But there's hope.

Bumper edition! Synapse CEO blames Mercury lawsuit for Chap 11. Plus my favorite Rant in ages: Most companies have no idea how easy it is to beat their customer due diligence (CDD) processes.

Welcome to Fintech Brainfood, the weekly deep dive into Fintech news, events, and analysis. Join the 39,749 others by clicking below. 

Hey Fintech Nerds 👋

The first casualty of the BaaS consent orders has fallen.

Synapse is bankrupt, with some assets to be acquired by Tabapay. After a long series of twists with their sponsor bank, Evolve, under consent orders, and lawsuits with Mercury.

Synapse pioneered a model that has changed the market but never got that home-run client like CashApp or Chime. (More in Things to Know)

BaaS isn’t dead; it’s changing shape and becoming compliance-led and tech-enabled.

Everything is Compliance.

Compliance is everything.

And yes, KYC is still astonishingly, staggeringly, horrendously broken. But there might be hope. This is one of my most ranty 📣 Weekly Rant’s in a while. (And one of my favorites).

Meanwhile, B2B Fintech Mercury is going consumer. Out of the frying pan into the fire?

Anti-credit card Klarna is launching a credit card.

And Ramp is nearly back to its Fintech bubble peak valuation.

Never a dull week in Fintech.

Here's this week's Brainfood in summary

📣 Rant: KYC is still, still broken. But there's hope.

💸 4 Fintech Companies:

  1. Modamakers - A family banking app that might actually work

  2. Silver - HSA/FSA expenses as a service

  3. Shiboleth - The call compliance Audit AI 

  4. Eunice - Moody's for Tokens

👀 Things to Know:

Weekly Rant 📣

KYC is still, still broken. But there's hope.

Most companies have no idea how easy it is to beat their customer due diligence (CDD) processes.

Not because the providers suck, but because the idea itself and the way its implemented sucks. It's a 20th-century solution to a 21st-century economy, and it is inadequate.  

A couple of weeks ago, I spent some time with the team at We Fight Fraud, which consists of academics and former criminals who do "penetration testing for fraud." It was, frankly, eye-opening how easily they could beat even the most sophisticated onboarding programs.

The way we do identity is a leaky bucket.

Now, before you say, "Digital identity fixes this." The US and the UK will never have an identity system like China or India; it's politically unappealing.

Criminals are the fastest-evolving species on the planet. Most financial institutions' onboarding policies move in 7-year increments.

And we wonder why fraud and money laundering are becoming the world's number one form of crime and security issue.

We need to do two things

  1. Remove the taboo around penetration testing for fraud, just as we did for cybersecurity

  2. Move into the 21st century for Government identification and verification

But first.

How did we get here?

(For a first-principles explainer on Fraud, KYC, and AML, you might want to check out this previous piece.)

  1. Why is digital KYC broken?

    1. We optimized for conversion, not crime prevention (although thats changing)

    2. We don't know how effective the controls are (but we could)

    3. Criminals evolve faster than institutions

    4. Onboarding processes are static and not easy to upgrade

  2. What is penetration testing for fraud and AML?

    1. Periodic testing for financial crime vulnerabilities

    2. With clear reccomendations

    3. And best practices

    4. That ultimately breaks the taboo of fraud and AML knowledge sharing

  3. Government identity projects that might work

    1. Travel is the impetus for identity innovation

    2. As is waiting in line for a bar

    3. PKI is a key piece of identity infrastructure

  4. So what would you build if you had tamper-proof documents and did regular pen testing?

1. Why is digital KYC broken?

It's not all the provider's fault. They're trying to fix a leaky bucket with great software. It's not entirely the companies operating onboarding processes either.

The problem is we're moving way too slow.

a) The "onboarding as a conversion problem." mindset created an opportunity for criminals. Something I've covered plenty in the past in Fintech Brainfood is that the Fintech bubble created a generation of companies who saw digital onboarding as a conversion optimization problem. The goal was to get as many customers to download the app, complete KYC and make a payment as possible.

One way to do that is to make the "checkbox process" as frictionless as possible.

The small problem with that is criminals get very good at speed-running through KYC and onboarding with stolen credentials, synthetic identities and stolen selfie pictures. I've seen it demonstrated on most large Fintech apps and banks' digital onboarding. It's astonishingly easy

If you think your app is safe. It isn't.

And if you think this is a uniquely Fintech problem, it isn't. The recent spate of regulatory pressure aimed at "novel activities" in the US and its equivalents in Europe has forced the larger Fintech companies to react and develop much more sophisticated digital onboarding. However, the digital onboarding of bigger institutions is evolving much slower.

b) Most organizations have no clue how "effective" their KYC programs are. Most companies measure their BSA/AML program with sample testing. e.g., Find 100 or 1,000 users onboarded in a recent cohort and have analysts pull data from various systems (like transaction monitoring). 

This highly manual (and costly) process only evaluates a fraction of the user population. It then confirms that the process exists and is within the law, which is not the same as understanding whether the process is catching criminals

To this day, most companies throw people at the problem. 

If you sample 100 users per year but onboard millions, you're flying blind.

c) Criminals are the fastest-evolving species. Criminals will find new ways to break something much faster than companies will change their onboarding approach. 

Standard approaches are simple to game because:

  • Most documents have been stolen and can be forged. Large-scale hacks have also meant that most "secure" personal data, such as DOB, address, or SSN, is available on the dark web. 

  • There is no document provenance from issuance to being validated. When you take a photo of a driver's license, the company onboarding you has no way to see if it hasn't changed or is the original. They have to work that out from the photograph. There's some amazing software to help with that (of varying quality), but there's no cryptographic proof.

  • Most digital onboarding solutions don't require a liveness check. A recent study by We Fight Fraud found that 9 out of 10 of the largest digital KYC apps in the United Kingdom did not require a liveness check. 

  • Most companies don't have mature policies or controls to manage social engineering in their onboarding flow. Criminals will crawl through glass with customer support if it helps them open an account. They'll do the same, coaching a victim in a scam scenario. 

These issues all share a root cause.

d) Onboarding controls do not evolve nearly fast enough. In a world where most digital companies push new code into production 100s of times per day, the real change on KYC is, at best, months and, at worst, years

Often, the onboarding flow is the vanilla solution from a provider, and the underlying risk signals companies use aren't tested for effectiveness. There are some things you have to do by law, then there's others you need to layer on if there's a higher risk.

For example, "expert behavior" is a sign that someone is completing the KYC and onboarding so fast that it's like they've done it 100 times before. Perhaps they have, and perhaps they're a criminal. There' are literally 1,000s of signals like this to look for. Many do, but they're not evolving what those are very often.

Onboarding is your front door to new customers, but it's also the front door to risk and regulatory action. The answer isn't as simple as overcorrecting to an insanely hard-to-use but secure onboarding approach.

Like any complex problem, the metaphor is an F1 car, not a drag race. It's constantly monitoring data, making tweaks, and micro upgrades, obsessing over details and getting better with every commit.

Speed is everything.

Another idea. Penetration testing.

2. What is penetration testing for fraud and AML?

I'm old enough to remember when "white hat" hacking was controversial. We renamed it penetration testing because corporates and regulators don't like the word "hacker." lol.

Today, penetration testing is a widely accepted practice in cybersecurity. Most mobile banking apps are unhackable because they've been tested into oblivion by professional "ethical hackers." 

a) Penetration testing should be run at least annually. An authorized test looks for vulnerabilities and intentionally tries to break onboarding. The best pen tests summarize successes, failures, and recommendations. 

The nature of this testing risks coming close to lawbreaking, so clear controls are needed to state what is included and excluded. There are ways to straw man an attack, and set up clear controls and guidelines.

It might find that a criminal was able to use a stolen selfie, forged documents or quickly handover the account to a 3rd party without adequate checks.

b) Recommendations updated in production. It's now second nature for companies to ensure any vulnerabilities discovered during penetration testing are updated asap. Changing onboarding flows, or identifying solutions may take some time, but once you know what the problem is, the task becomes solving it.

c) Best practices published. The cybersecurity industry does this well. Your CISO is probably bugging you about the upcoming SOC2 audit. Conferences, standards, and industries are dedicated to best cybersecurity practices. We have nothing like that in financial services. There are great efforts like ACAMS and MRC where the industry gets together to share knowledge. There is data sharing and public-private partnerships like Early Warning Services and CIFAS (in the UK).

But the place for best practices? It's mostly in the marketing of the providers. It's not a thing we do as an industry.

d) Breaking the taboo on fraud and AML pen-testing. People don't like to talk about fraud or AML. It's framed as a "zero upside" conversation, where the best outcome stands still and the worst is a regulatory issue. This isn't universally true (and, thankfully, is changing). But the mindset still dominates.

It's so very different in cybersecurity. Today, even the United States Government has a standardized approach to pen-testing (ISSAF). The Payments industry expects pentesting as part of a wider security audit.

But isn't it nuts that we don't expect this on fraud or money laundering?

If we all get better, that will help. But the industry needs help, too. 

Government credentials are laughably easy to fake or compromise in the Anglo-saxon economies.

3. Some work by governments that will actually work

Even if the private sector became incredible at upgrading KYC/AML processes, it would be hampered by government documents and identity data that is easily stolen or forged.

The solution seems obvious; implement a secure digital government identity service. 

There's just one problem.

a) Centralized identity programs don't work in the Anglosphere. The UK's "Gov.Verify" program is a cautionary tale of spending billions and achieving the square root of 0. It was a great idea on paper to have multiple private companies bid to be identity providers to the public with a single standard. That identity would be used across the entire government and economy for everything from taxes to proving you're over 18 at a bar.

Like all big government-led procurement programs, it was crawling with consultants, vendors, and program management teams that shipped processes rather than products. When it did finally go live it was so incredibly hard to use, I tried for three hours and couldn't complete onboarding.

The political backlash any time you brush up against the subject is staggering.

We won't be getting Aadhaar in the UK any time soon. Now, imagine trying to do it in the US. Yeah no.

a) Travel is the center for identity innovation and will be again. Machine-readable passports were originally developed because the airline industry needed more efficiency and security at check-in. In 1968, the Convention on International Civil Aviation (IACO) created a standard for machine-readable passports (Document 9303).

This document is updated periodically to include new security advances like biometrics. My British readers who don't regularly travel to the US won't have seen it, but the US has transformed its airline experience over the last five years. Whether you use CLEAR, TSA Precheck, or increasingly just regular TSA, facial biometrics are becoming a default.

b) Getting into a bar is another trigger for innovation. Americans really don't like waiting in line (something that separates them from Brits; we just accept it, along with rain and bad teeth). You can now add a digital driver's license to an Apple Wallet in Arizona, Colorado, Maryland, and Georgia.

There's something cool going on here. When that Apple wallet-stored driver's license is validated, the bar owner doesn't get to see or store the underlying personal data (PII) about you. Now think about how many times you've gone to a hotel, and someone has taken a photocopy of your passport and how much of a data leak that is.

While this is only on Apple devices and only in 4 states, this will, in time, expand to all states. Slowly, then suddenly.

 DMV credentials in devices with provenance

c) Public Key Infrastructure (PKI) is amazing and not exploited for KYC. What makes these DMV credentials so compelling is that we have cryptographic proof of:

  1. Who issued the license (i.e., it really did come from the DMV and hasn't been forged)

  2. If it has been tampered with

  3. Who it was issued to and;

  4. Which device + biometrics combination makes up the signature

Imagine if banks and fintech companies could leverage PKI to verify the authenticity and integrity of digital identity documents during onboarding. They could cryptographically confirm that the relevant authority genuinely issued the document and that it has not been tampered with.

It would become nearly impossible to forge or alter digital credentials without breaking the underlying encryption. It becomes much harder for criminals to share or reuse stolen credentials by tying digital identity to a specific device and biometric combination. 

The authentication process would require a direct match between the user, their biometrics, and the registered device.

Government moves in 10-year increments. The US states will all issue driver's licenses to work with Apple, Google, Samsung, and any other OEM.

Which prompts the question:

4. What would you build if we had tamper-proof documents?

One thing we forget as the "private sector" is just how much we can change the industry. We build the products all consumers and businesses use for their money and assets.

If we change how we build those products; we change the economy.

I'll bet you that every Fintech company and bank innovation team bought an Apple Vision Pro at launch, but how many have tried working with the new DMV credentials in an Apple Wallet?

Ten percent? One percent?

KYC and AML is where all of the things you hate in this world happen. Child sexual exploitation, arms dealing, human trafficking and scamming older adults out of their entire 401k. 

We must make identity better.


4 Fintech Companies 💸

1. Silver - HSA/FSA expenses as a service

Silver has three steps. Users scan receipts, AI analyzes them for valid expenses, and submits them to your provider on your behalf. It works with receipts from retailers like Costco, Walmart, Target, Walgreens, and Amazon. Eligibility evaluation takes a huge amount of time and effort, leading many to not bother. 

🧠 How big can this be? Silver charges 4% of any eligible expenses it finds, on average $325. That's $13 ARPU. There are 72 million people with an FSA/HSA. So a 1% market share would net $9.4m ARR, a 10% share a meaty $94m. If they can make the experience so good, it's like using Ramp.com or something, then this may take off. But imagine if this was an API everyone could use? 

2. Modamakers - A family banking app that might actually work

Modamakers is an app for kids and teens with no monthly fees. What makes it unique is the rewards system, "Mobucks" (great name), which is given for chores, sensible savings habits, weekly challenges, and step count.

🧠 There are so many "meh" companies in this category, but this one looks actually great. So much thought has gone into making this app engaging and useful. I do worry that getting kids obsessed with step count might be a smidge on the pushy-parent side, but I'm 90% sure this is the future of kid-focused accounts. It could be special if you could really build this to balance that sense of freedom with good savings habits. 

PS, this company has some of the most conservatively written FDIC disclosures I've ever seen 👀

3. Shiboleth - The call compliance Audit AI 

Shiboleth will take call recordings, transcribe them, and audit them for UDAAP and FDCPA compliance. It works on 100% of calls instead of a sample and competes with audit firms who are often expensive and slow. Once complete, the report will provide a full summary of any violations spotted, what the issue was, and links to any CFPB notices or Trustpilot complaints that align with that issue.

🧠 AI is shifting compliance from sample testing to entire population audits. The reality is there are only so many calls a person will actively listen to. Large outsourcing firms do this today, but that process is slow and expensive. AI-sourcing is the new outsourcing. I reckon one day, someone is going to roll up a bunch of these companies and build Genpact for AI.

4. Eunice - Moody's for Tokens

Eunice is an automated tracking, alerting, and monitoring service for digital and crypto assets. Funds can get risk scoring for a specific token, like viewing how it is regulated (or not) by jurisdiction, create audits of tokens held, and get notifications of any changes that may impact the portfolio. Eunice is increasingly being used by governments to identify and track tokens against their own frameworks.

🧠 If every asset will be tokenized, every token will have to be risk assessed by institutions. As institutions enter Bitcoin, they'll also enter other assets like Stablecoins, Ethereum, and more. They could track all of that with a spreadsheet but will quickly get overwhelmed. Eunice is selling shovels, and the gold rush is coming. 

Things to know 👀

1. The first casualty of the BaaS consent orders has fallen. Synapse is bankrupt with some assets to be acquired by Tabapay. After a long series of twists with their sponsor bank Evolve under consent orders and lawsuits with Mercury. Synapse, founded in 2014, was a pioneer of the model. When we published the 11:FS BaaS report some 4 years ago now, Mercury, Evolve and Synapse were the canonical way to help people understand what made it different.

As you see in this picture. One huge thing was ownership of the fin crime and risk management staffing.

That is not compatible with regulators who want to see banks in control of their third parties. You are allowed to outsource this staffing, but you, the bank, must be in complete control.

As regulators pushed back countless programs, banks, and Fintech companies associated with Synapse ended with challenges, despite Synapse being one of the more revenue-successful “BaaS” companies.

While Synapse's CEO blames Mercury for its Chapter 11 bankruptcy, the market model has changed. A sale would have happened whether Mercury was being litigious or not. Even if Synapse had decent revenue, the BaaS model itself is in question. How much can it grow with this much regulatory push back? (Narrator: It can’t, that’s why Treasury Prime and Unit are pivoting)

Regulators and banks want to and need to own the sale and risk appetite.This makes compliance the competitive edge for banks, and any provider that’s helping those banks get to market.The twist? It always was.👉 Payments are easy; edge cases are hard 👉 Lending is easy; getting paid back is hard 👉 Everything is compliance Finance is F1 cars not drag racers. It's about being able to go brake quickly and accelerate quickly.

🧠 Does this make BaaS bad? I don't think BaaS as a concept is bad. I do think it's hard to make money in it unless you own the issuer processing (like Marqeta, Galileo, i2c). You also need that one power law customer who makes it big (e.g., Chime or CashApp).🧠 I sense many BaaS providers will either build issuer processing or get acquired by someone who already does that (e.g. Bond and FIS).

🧠 The game of Durbin debit arb, and get to market quickly is over. The future is sustainable lending businesses with new distribution. I’ll have a longer piece next week on how the lending landscape and bank holding company act will be crucial.

Mercury, known for its B2B finance tech business, is launching a consumer service for founders who use its products. The service is aimed at power users who want more FDIC coverage and multiple debit cards. Meanwhile, Ramp just raised another $150m at a $7.65bn valuation nearing its 2022 peak of $8.1bn. 

🧠 Mercury is following founders which makes sense. The US has a gap for a great high-net-worth banking offering and the "founder card" is the natural cross sell. 

🧠 Mercury is charging an annual fee of $240, and I think founders would pay for this product, and it could make money. Their B2B business is doing well. One estimate suggested 40% of SVB customers now have an account at Mercury. If the "BaaS" landscape was clearer this would be a purely good news story.

🧠 The problem is they've been under the spotlight for regulatory scrutiny via their partner banking relationships. Not that they want my advice, but launching a consumer offering in the middle of that sh*t storm would be something I'd have postponed or kept in private beta under the smoke cleared. You can never come too correct on compliance.

🧠 Ramp was doing $300m of ARR a year ago. The company was founded in March 2019 and is barely 5 years old. I don't know what else to add, other than the contrast with all their competition is noteable. It could all yet go horribly wrong. But if they keep this going, we have a case study.

Canonical BNPL provider, and anti-credit card advocate Klarna is launching a credit card. The twist? It uses installments by default, and users will get up to 10% cashback at select merchants. While this has been in Europe for some time, it now joins Robinhood and the Apple Card in major tech entries to credit cards. 

🧠 Consumers love installments. This was a highly requested feature, Klarna is meeting demand. The sense of control from installments vs revolving credit is powerful. The lesson is anything that reduces the complexity of debt will do well.

🧠 They've incentivized early repayments. If customers pay back early, they pay 0%. The APR is 14.49% and up to 33.9% if someone wants to go over their installment period. If someone has a bad month, this could get expensive quickly, but it would no doubt print money for Klarna. But I like that the financial incentive is to pay back early.

🧠 The "pay" buttons are becoming ecosystems with BNPL and installments as a wedge. Affirm's debit card allows consumers to make purchases using the Affirm app and pay in installments. Apple gives this option too (but maxes out at 24.9%)

🧠 Every bank and merchant processor is launching installments, but few will be as successful at driving the checkout experience. Apple Pay, Affirm, and Klarna have built wrap-around "commerce" and delivery experiences that go much deeper than the installment itself. That's what re-activates users and brings them back to merchants.

Cross-border payments specialists Wise saw customer growth increase by 29% YoY and revenues up 24% YoY. It now has 7.5m consumers and 395,000 businesses and 60% of customers use them for more than cross-border transfers (e.g., using a card, local account details, or earning yield). 

🧠 FX is undefeated as the way to make money in Fintech. Despite Wise competing on price and transparency, they're still able to make a profitable business. 

🧠 Low fees and transparency are the default. Banks cannot compete with the price Wise and Revolut offer, and in Western markets, they dominate mindshare and market share growth.

🧠 The contrast between Wise and Revolut is noteworthy. Wise has been listed as patient and risk-averse, enabling it to slowly create a profitable business. Revolut has blitz-scaled like no other. Perhaps holding it back from a banking license, but driving massive expansion in Geography and feature offering. 

Good Reads 📚

CashApp Pay is the branded checkout button. Like Apple Pay, SHOP or PayPal buttons offer the user convenience. But to Block it offers a much higher take rate on every transaction. The vast majority of inflows to CashApp go back out in ways Block doesn't monetize, and neither does the CashApp button. Jvgenis believes analysts have missed a trick in how important this will be for Block over time.

That's all, folks. 👋

Remember, if you're enjoying this content, please do tell all your fintech friends to check it out and hit the subscribe button :)

(1) All content and views expressed here are the authors' personal opinions and do not reflect the views of any of their employers or employees. 

(2) All companies or assets mentioned by the author in which the author has a personal and/or financial interest are denoted with a *. None of the above constitutes investment advice, and you should seek independent advice before making any investment decisions.

(3) Any companies mentioned are top of mind and used for illustrative purposes only. 

(4) A team of researchers has not rigorously fact-checked this. Please don't take it as gospel—strong opinions weakly held 

(5) Citations may be missing, and I've done my best to cite, but I will always aim to update and correct the live version where possible. If I cited you and got the referencing wrong, please reach out