We need to talk about scams

Welcome to Fintech Brainfood, the weekly deep dive into Fintech news, events, and analysis. You can subscribe by hitting the button below, and you can get in touch by hitting reply to the email (or subscribing then replying)


Hey Fintech Nerds

Stripe is going hard to become a multi-processor and transitioning from being a payments company to a software company.

Meanwhile, successful Fintech companies are acquiring smaller ones. Pockit acquired Monese, and it looks like LendingClub got some Tally assets.

Fintech is healing.

One thing that is not healing is scams. We're in a scamdemic. It is the biggest issue in our industry. We have to fix it. That's your Rant this week: We need to talk about scams.

Here's this week's Brainfood in summary

Rant: We have to fix scams

4 Fintech Companies:

  1. Ask Silver - Is it a scam? Your AI companion
  2. Rogo - Investment Analyst A.I. as a Service
  3. Liveflow - The Ultimate Accountant Dashboard
  4. Dotfile - Middesk for Europe

Things to Know:

  1. Stripe goes fully multi-processor, partners with Nvidia.
  2. Big things in UK Fintech - Pockit has acquired Monese

Good Read: Visa vs the USA


Weekly Rant

We need to talk about scams.


Scams are the perfect crime. They pay well, they're poorly regulated, and nobody wants to take responsibility for fixing them.

Now, LLMs and deep fakes have made scams cheaper, more efficient, and more effective.

Find someone through a social network, coach them into an investment opportunity or a romance, and slowly, gradually convince them to move money. Ideally (for the scammer), that money moves in real time, over a rail like RTP, Faster Payments, Pix, or UPI.

Why?

Because once the money is gone, it's gone. There are often no refunds and no consumer protection.

Except in the U.K., which is now the world's first major economy to offer a full reimbursement model for scam victims, covering losses up to £85,000 (about $110k). With a court case in the Southern District of New York against Citi, we could also see Reg E extended to push-payment fraud (payments resulting from a scam).

If you're in payments or a bank, the trend is that you're liable for the loss, even if you didn't cause the scam and have no ability to prevent it.

This is the issue of our time in finance.

If we're going to solve scams, it's going to take:

  1. An understanding of scams vs fraud (and the regulation gaps)
  2. Why faster payments mean faster fraud
  3. The rise of LLMs and deep fakes compounding the issue
  4. The rise of regulation to counter scams
  5. The data we can share
  6. The skills we have to learn

1. When is it a scam, not fraud?

I wrote a longer piece about scams vs fraud here. The key take away is one of definition:

Fraud is when the bad actor moves money illegally. A scam is when a bad actor uses communications, like a telephone call or an email, to trick the victim into moving the money themselves.

Fraud is illegal in the U.S. under a patchwork of laws:

The following two laws cover scams:

As I wrote in the other piece:

Immediately, it's clear that fraud law focuses on financial transactions, and scam law focuses on communications (except, notably, social media).

The gap is between the two.


Scams can easily become fraud.

This is less of an issue in the world of cards because consumer protections like the dispute process create a clear framework for customer compensation. If you're tricked into buying something from a fake website and the goods never arrive, hit the dispute button.

Card payments are reversible by design.

It's also not as easy to move large amounts of money with a card as with push payments. Push payments, such as ACH, Faster Payments, Pix, etc., are often used to send one-off amounts to a person or business. When these payments become real-time, the recipient gets paid immediately.

This is ideal for scammers, who can then move that money two, three, or more times to hide it from authorities and make it almost impossible to claw back.

The regulation isn't clear, and there's no obvious consumer protection.
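The layering described above, as an added example that is not code from the newsletter: a breadth-first follow-the-money trace over a constructed ledger. Every account, institution and transfer below is invented for illustration. The trace caps what it attributes to the scam at what actually arrived at each account (and at each transfer's own amount), so the total traced always equals the original payment. Running it shows why clawback is so hard: half an hour after the victim paid, the sending bank holds a rounding error of the 9,000 and the rest sits at three other institutions.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    src: str      # sending account
    dst: str      # receiving account
    amount: float
    ts: datetime


# Constructed ledger (not real data). V1 is the victim, M1..M5 are mule
# accounts at several institutions, X1 a crypto exchange, C1 a cash-out account.
LEDGER = [
    Transfer("t1", "V1", "M1", 9000.0, datetime(2024, 10, 7, 10, 0)),
    Transfer("t2", "M1", "M2", 5000.0, datetime(2024, 10, 7, 10, 6)),
    Transfer("t3", "M1", "M3", 3900.0, datetime(2024, 10, 7, 10, 7)),
    Transfer("t4", "M2", "X1", 4950.0, datetime(2024, 10, 7, 10, 20)),
    Transfer("t5", "M3", "C1", 3850.0, datetime(2024, 10, 7, 10, 25)),
    Transfer("t6", "M1", "M4", 50.0, datetime(2024, 10, 6, 9, 0)),    # before the scam payment
    Transfer("t7", "M2", "M5", 20.0, datetime(2024, 10, 8, 12, 0)),   # after the trace window
]

# Constructed mapping of account -> institution holding it.
INSTITUTION = {"V1": "BankA", "M1": "BankA", "M2": "BankB", "M3": "BankC",
               "M4": "BankB", "M5": "BankB", "X1": "Exchange", "C1": "BankD"}


def trace(ledger, first_tx_id, window=timedelta(hours=2), max_hops=5):
    """Follow the scam payment forward through the ledger.

    Returns (hops, holdings). hops is a list of (hop_number, tx_id, amount)
    in the order the money was followed; holdings maps each account to the
    traced funds still sitting there. Attribution per transfer is capped at
    the transfer's own amount and per account at what arrived, so the total
    traced always equals the original payment.
    """
    by_src = {}
    for t in ledger:
        by_src.setdefault(t.src, []).append(t)
    for outbound in by_src.values():
        outbound.sort(key=lambda t: t.ts)

    start = next(t for t in ledger if t.tx_id == first_tx_id)
    deadline = start.ts + window
    hops = [(1, start.tx_id, start.amount)]
    holdings = {start.dst: start.amount}
    used = {}                                   # tx_id -> amount already attributed
    queue = deque([(start.dst, start.ts, 1)])
    while queue:
        acct, arrived, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for t in by_src.get(acct, []):
            if t.ts < arrived or t.ts > deadline:
                continue                        # only money that left after it arrived
            capacity = t.amount - used.get(t.tx_id, 0.0)
            moved = min(capacity, holdings.get(acct, 0.0))
            if moved <= 0:
                continue
            used[t.tx_id] = used.get(t.tx_id, 0.0) + moved
            holdings[acct] -= moved
            holdings[t.dst] = holdings.get(t.dst, 0.0) + moved
            hops.append((hop + 1, t.tx_id, moved))
            queue.append((t.dst, t.ts, hop + 1))
    return hops, {a: amt for a, amt in holdings.items() if amt > 0}


def by_institution(holdings):
    """Where the traced funds now sit, grouped by the institution holding them."""
    out = {}
    for acct, amt in holdings.items():
        inst = INSTITUTION.get(acct, "unknown")
        out[inst] = out.get(inst, 0.0) + amt
    return out


if __name__ == "__main__":
    hops, holdings = trace(LEDGER, "t1")
    for hop, tx_id, amt in hops:
        print(f"hop {hop}: {tx_id} {amt:.2f}")
    print(by_institution(holdings))
```

The time window and hop limit are the two knobs an investigator actually has: widen the window and the trace picks up slower layering, raise the hop limit and it follows money further at the cost of more false attribution. Note that transfer t6 (before the scam payment landed) and t7 (after the window) are correctly ignored.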

2. Faster payments mean faster fraud

In most jurisdictions, including the U.S., banks have long claimed that if a consumer authorizes a payment, the bank has no liability for losses. If the consumer is tricked but authorizes the payment, they argue it is a scam, not a fraud.

They've authorized a push payment (hence the term Authorized Push Payment, or APP, fraud).

The only problem is, well, everything.

Scams are a global issue everywhere RTP exists.

Why?

  • The lack of a clear liability model means scam prevention controls are limited. The incentives haven't been there for heavy investment in detecting the early warning signs of a scam. Consumer warnings like "be careful; this could be a scam" in your Zelle, Cash App, banking, or Pix wallet are often ignored, and they aren't consistently applied anyway.
  • The payment rails don't always have rules about collaborating to solve APP fraud. Zelle now has a clawback mechanism, and the U.K. now has regulations, but the mechanism for reimbursing customers is limited. It's also unclear how payment companies or banks should collaborate, share data, or secure transactions before they happen.
  • The criminal has likely gotten away with the stolen funds before the consumer can report the issue. Once a criminal has received the funds, the first thing they do is move it several times through multiple accounts. This means neither the sending nor receiving F.I. is likely to have those funds and would suffer a loss if they refunded consumers.

This would be fine if RTP volumes were not exploding.

They are.

During the pandemic, RTP became a lifeline in Brazil, India, and the U.K., and through services like Zelle in the U.S., as branches closed and traditional channels struggled.

The rapid adoption of digital tools by elderly and vulnerable populations created a new pool of hundreds of millions of wealthy potential victims for scammers, where a single scam could have a huge payoff.

This all happened at the same time as LLMs appeared. LLMs then reduced the cost of creating a scam and improved its believability.

3. LLMs and deep fakes unlock believable and low-cost scams.

ChatGPT is a pushover.

You still don't have to work particularly hard to get it to generate a believable scam email or text message. (Grok 2 is even worse; it will break any ethical boundary if you accuse it of being "woke.")


And if you don't want to go through the effort of jailbreaking an LLM, there are now Fraud-as-a-Service LLMs like WormGPT that will happily generate scams for you.

Gone are the days of the poorly spelled "Nigerian Prince" emails.

These are now often personalized, believable emails featuring logos and brands that are uncannily close to the real thing. Combine this with an RTP rail, and your attack cost will be massively reduced. Your likelihood of receiving the funds also increases (because RTP rails exist and vulnerable customers are using digital now).

For businesses, deep fakes can cost millions.

There's the famous story of Arup, which was scammed out of $25m by criminals who used deep fake technology to pose as the CFO on a video call with a finance analyst. A report by Deloitte found:

Just over half (53%) of businesses in the U.S. and U.K. have been targets of a financial scam powered by "deepfake" technology, with 43% falling victim to such attacks, according to a survey by finance software provider Medius.
Of the 1,533 U.S. and U.K. finance professionals polled by Medius, 85% viewed such scams as an "existential" threat to their organization's financial security, according to a report on the findings published last month.

RTP is caught in the middle of all this, but it's a multi-faceted issue.

If you can scam someone, the ROI is high, and the controls are weak.

4. Regulation is what happens when something must be done

If enough headlines are written about vulnerable customers losing money, new regulations will soon follow.

In the U.K., that happened on October 7th.

Under the Payment Systems Regulator's (PSR) new rules, all banks and payment companies must:

  • Refund customers up to £85,000 (about $110k) for scam losses on the U.K.'s Faster Payments (instant payments) rail.
  • Do so within five business days, and can apply an excess of up to £100 per claim to deter abuse.

These rules don't apply when the victim is complicit (first-party fraud), and they cover consumers, micro-enterprises and small charities rather than larger businesses. They also don't apply to any other payment rail or to international payments.

How does reimbursement work between banks and PSPs in practice? Alex put it eloquently.

Despite the rule going into effect today, there is not yet a formal mechanism for the sending and receiving banks to transfer money back and forth to each other and resolve disputes. So banks in the U.K. are reportedly going to be handling it manually for the time being (via channels like email), which seems like it will quickly become a complete clusterfuck.

In the USA, a court case in the Southern District of New York argues that the Electronic Fund Transfer Act (EFTA) applies when a consumer initiates a wire transfer through a mobile app or digital platform. While this is far from rule-making, it is already forcing banks to rethink their refunds and reimbursement strategies for APP fraud.

Meanwhile, in Europe, not to be left out, a series of measures will be introduced under the third Payment Services Directive (PSD3). This coincides with SEPA Instant becoming mandatory across the bloc, so instant euro payments will be available in every member state.

It will:

  • Include mandatory reimbursement of consumers (mechanism to be defined)
  • Mandatory confirmation of payee
  • Stricter requirements on step-up authentication (strong customer authentication) above payment amount thresholds.

Brazil's central bank and India's National Payments Corporation (NPCI) are in ongoing discussions with industry as scams become a global issue.

All of these existing and future regulations have one goal: to encourage banks and payment companies to invest more energy in fraud prevention.

Getting there will require more than buying whatever shiny new vendor appears on the scene. The bad actors upped their game, and the industry has to do the same.

5. We have to close data gaps

Liability models alone won't fix scams; they will create a prize fund for scammers.

Refunding victims is good, but we all have to get better at scam and fraud prevention.

All risk problems are data problems, and we have data gaps to close (while staying mindful of privacy boundaries).

For consumers, we need to close the gaps between social media and search platforms and payment companies, and between payment companies and payment networks.

a) We can improve data sharing from digital platforms to F.I.s. Digital platforms like WhatsApp, Telegram, and Facebook are breeding grounds for scammers. They offer fake jobs and investment opportunities or pretend to be friendly ears to lure a victim into sending them money. Similarly, search engines like Google often have sponsored ads for fake airline customer support numbers, etc.

A simple shared allowlist/denylist of known bad identities, accounts, emails, and devices that these companies could exchange would be a start (mindful of privacy, of course).

These platforms have tried to remove this behavior, but there was no concerted effort to identify and root out financial scams.

That was at least, until last week.

Meta announced they're partnering with U.K. banks to share intelligence and data for scam prevention. That's good, but it's a pilot with several U.K. banks. We have to start somewhere. This needs to be expanded internationally, and at a much wider scale.

b) We can close the data-sharing gap between F.I.s. In a push payment, the sending bank has no idea who the beneficiary of the payment is. Are they a known bad actor? A new account? Using a stolen device?

The U.K. has had Confirmation of Payee live for a few years, which checks the payee name the sender typed against the name registered on the account number and sort code before the payment goes through. But we need more.

There are several initiatives in the U.K. and elsewhere to screen the recipient of a payment before it is sent (like Plaid Beacon and Sardine Sonar). Payments companies like Form3 are making collective beneficiary screening part of their pre-payment workflow (they see 50% of U.K. Faster Payments traffic).

The use of open banking and the proliferation of open finance will increase across Europe, too. Under PSD3, all financial institutions, wealth, insurance, payments, Fintech, and everything else will be required to make consumer-permitted data access available.
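Screening the beneficiary before the instruction is created, as an added example that is not code from the newsletter, Pay.UK, Plaid, Sardine or Form3: a Confirmation of Payee style name check combined with a lookup against a shared denylist of reported mule accounts. The account directory, the denylist entry, the normalisation rules and the 0.8 match threshold are constructed assumptions; real CoP services use their own matching rules. One property worth copying is that the registered name is only revealed on a close match, which limits using the service to enumerate account holders.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from enum import Enum


class CopResult(Enum):
    MATCH = "match"
    CLOSE_MATCH = "close_match"        # registered name is returned so the payer can confirm
    NO_MATCH = "no_match"
    ACCOUNT_NOT_FOUND = "account_not_found"


LEGAL_SUFFIXES = {"ltd", "limited", "plc", "llp", "inc", "llc"}
TITLES = {"mr", "mrs", "ms", "miss", "dr"}


def normalise(name: str) -> str:
    """Lower-case, strip accents, punctuation, personal titles and company suffixes."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    tokens = [t for t in tokens if t not in TITLES and t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


# Constructed directory: (sort code, account number) -> registered account name.
DIRECTORY = {
    ("12-34-56", "12345678"): "Ms Jane O'Connor",
    ("12-34-56", "87654321"): "Acme Builders Ltd",
    ("65-43-21", "11112222"): "Quick Cash Holdings Limited",
}

# Constructed shared denylist: the sort of intelligence a consortium or the
# receiving bank could make available before a payment is sent.
DENYLIST = {
    ("65-43-21", "11112222"): "reported mule account, 3 APP claims in 7 days",
}


def confirm_payee(name_given, sort_code, account_number, close=0.8):
    """Return (CopResult, registered_name). registered_name is None unless the
    result is MATCH or CLOSE_MATCH, so a NO_MATCH leaks nothing about the account."""
    registered = DIRECTORY.get((sort_code, account_number))
    if registered is None:
        return CopResult.ACCOUNT_NOT_FOUND, None
    a, b = normalise(name_given), normalise(registered)
    if a == b:
        return CopResult.MATCH, registered
    # SequenceMatcher catches typos; token-set overlap catches reordered or
    # dropped middle names. Threshold is an assumption for illustration.
    ratio = SequenceMatcher(None, a, b).ratio()
    ta, tb = set(a.split()), set(b.split())
    jaccard = len(ta & tb) / len(ta | tb) if ta | tb else 0.0
    if max(ratio, jaccard) >= close:
        return CopResult.CLOSE_MATCH, registered
    return CopResult.NO_MATCH, None


def screen_beneficiary(name_given, sort_code, account_number):
    """Decision the sending bank can take before a push payment is instructed.
    Denylist hits are checked first: a perfect name match on a mule account
    is still a mule account."""
    hit = DENYLIST.get((sort_code, account_number))
    if hit:
        return {"action": "block", "reason": hit}
    result, registered = confirm_payee(name_given, sort_code, account_number)
    if result is CopResult.MATCH:
        return {"action": "allow", "cop": result.value}
    if result is CopResult.CLOSE_MATCH:
        return {"action": "confirm_name", "cop": result.value, "registered_name": registered}
    return {"action": "warn", "cop": result.value}


if __name__ == "__main__":
    print(screen_beneficiary("Acme Builders", "12-34-56", "87654321"))
    print(screen_beneficiary("Jane OConnor", "12-34-56", "12345678"))
    print(screen_beneficiary("John Smith", "12-34-56", "12345678"))
    print(screen_beneficiary("Quick Cash Holdings", "65-43-21", "11112222"))
```

The "confirm_name" outcome is where the UX matters: showing the registered name and asking the payer to confirm gives a coached victim a moment to notice that the "investment firm" they were told about is registered to an individual.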

c) We can close the data-sharing gap between payment rails. It was telling that APP fraud reimbursement in the U.K. only applies to faster payments in the U.K.

The regulators are limited by their jurisdiction. The private sector is not.

If a customer is using a wallet (like Wise or Revolut) to send a cross-border payment into the U.K., it would look like a Faster Payment to the receiving F.I., but to the sending F.I., it may have come from a card or even Crypto. We're just beginning to think this way, and have a long way to go. Imagine starting a transaction on CashApp, pushing money to a card that involves RTP and cross-border, and finishing in a crypto transaction. How the hell do you trace that?

Weirdly, the crypto businesses are most mature here because they're used to scammers and hackers exploiting the gaps between rails. They also developed a standard for data sharing between VASPs (IVMS101), which carries originator and beneficiary details so that wallets can comply with FATF Travel Rule requirements for international payments.

What if we extended IVMS101 to multiple payment rails and data types?

Closing data gaps will take time, and it will also require learning new skills. Even if we had perfect, privacy-preserving data sharing, great data is nothing without great analysis, UX, and product design.

6. The skills we have to learn

The best way to have no fraud is to have no transactions.

Finding the balance is all about building a UX that can bake in security with just enough friction when required while collecting as much data as possible (while also being mindful of privacy).

Non-trivial.

But doable.

  • Thinking beyond the payment transaction is crucial. You can't detect a scam on a payment that hasn't happened yet. You have to screen a beneficiary before the transaction is instructed.
  • Thinking outside the payment rail is also crucial. The users' other data, such as their social networks, devices, behavior, and open banking data, could all be critical.
  • Early warning signs for a scam include a user on the phone while trying to make a large payment, or transactions in other accounts moving large sums from savings into checking.
  • Thoughtful UX design is more than a warning, "Hey, this could be a scam." One step is to capture beneficiary info before a payment instruction is created. This buys time to screen the beneficiary. It could involve sharing a little bit more about the recipient, requesting a step-up verification (like fingerprint or FaceID), or even getting a call from the bank.
  • Sharing learnings and best practices. Many forums like Pay.UK, NACHA, and the Fed Payments Improvement working groups talk about getting better, but often they're not practical or problem-solving. The fraud and customer safety teams need to spend more time together in a room. Perhaps we could open-source these best practices.
  • Anonymous benchmarking. One idea from a Fintech company was to benchmark which features companies have and how effective they are, so teams could use it constructively to figure out what to do better.
  • While keeping privacy as non-negotiable. Best practice and innovation are our friends here. Fraud and AML are already carved out by data privacy regulators as an exception for PII data sharing. That said, we don't want any data leaks, so federated machine learning is a way to train A.I. and risk models without sharing the underlying data.
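The early-warning signs in the list above, turned into an added example that is not the newsletter's or any bank's code: a risk score computed before the payment instruction exists, mapped to graduated friction rather than one generic warning. The signals, weights, thresholds and the three constructed payment contexts are assumptions chosen to show the shape of the decision, not tuned values; a bank would fit them to its own outcomes data. The "on a call while paying" signal assumes the app can read telephony state on the device, which is a product decision as much as a technical one.

```python
from dataclasses import dataclass, replace
from datetime import timedelta


@dataclass(frozen=True)
class PaymentContext:
    amount: float
    avg_payment_90d: float              # payer's typical push payment
    beneficiary_age: timedelta          # time since the payee was added
    beneficiary_denylisted: bool        # hit on a shared denylist
    cop_result: str                     # "match" | "close_match" | "no_match"
    on_call_during_session: bool        # a phone call is active while paying
    savings_to_checking_last_24h: float # recently moved from savings to fund this
    session_duration: timedelta         # long, coached sessions are a tell
    new_device: bool
    scam_warnings_dismissed: int        # warnings clicked through this session


def scam_signals(ctx):
    """Return the (signal, weight) pairs that fired. Weights are assumptions."""
    fired = []
    if ctx.beneficiary_denylisted:
        fired.append(("beneficiary_on_shared_denylist", 100))
    if ctx.cop_result == "no_match":
        fired.append(("cop_no_match", 25))
    elif ctx.cop_result == "close_match":
        fired.append(("cop_close_match", 10))
    if ctx.beneficiary_age < timedelta(hours=1):
        fired.append(("beneficiary_added_under_1h", 20))
    if ctx.avg_payment_90d > 0 and ctx.amount >= 5 * ctx.avg_payment_90d:
        fired.append(("amount_5x_typical", 25))
    if ctx.on_call_during_session:
        fired.append(("on_phone_call_while_paying", 30))
    if ctx.amount >= 1000 and ctx.savings_to_checking_last_24h >= 0.8 * ctx.amount:
        fired.append(("savings_drained_to_fund_payment", 20))
    if ctx.session_duration > timedelta(minutes=20):
        fired.append(("long_coached_session", 10))
    if ctx.new_device:
        fired.append(("new_device", 10))
    if ctx.scam_warnings_dismissed >= 2:
        fired.append(("warnings_dismissed", 15))
    return fired


def decide(ctx):
    """Pick the least friction that fits the score. Thresholds are assumptions."""
    fired = scam_signals(ctx)
    score = sum(w for _, w in fired)
    if score >= 100:
        action = "block_and_call"   # hold the payment; the bank calls the customer
    elif score >= 60:
        action = "cool_down"        # tailored warning plus a delay before release
    elif score >= 35:
        action = "step_up"          # in-app verification and beneficiary detail
    elif score >= 15:
        action = "warn"             # contextual warning, not the generic banner
    else:
        action = "allow"
    return {"score": score, "action": action, "signals": [n for n, _ in fired]}


# Constructed contexts. ROUTINE is a regular bill payment; COACHED is a
# first payment to an "investment firm" added fifteen minutes ago while the
# payer is on a call; MULE is the same session with a denylisted payee.
ROUTINE = PaymentContext(
    amount=120.0, avg_payment_90d=150.0, beneficiary_age=timedelta(days=200),
    beneficiary_denylisted=False, cop_result="match", on_call_during_session=False,
    savings_to_checking_last_24h=0.0, session_duration=timedelta(minutes=3),
    new_device=False, scam_warnings_dismissed=0,
)
COACHED = PaymentContext(
    amount=8000.0, avg_payment_90d=300.0, beneficiary_age=timedelta(minutes=15),
    beneficiary_denylisted=False, cop_result="close_match", on_call_during_session=True,
    savings_to_checking_last_24h=0.0, session_duration=timedelta(minutes=45),
    new_device=False, scam_warnings_dismissed=0,
)
MULE = replace(COACHED, beneficiary_denylisted=True,
               savings_to_checking_last_24h=8000.0, scam_warnings_dismissed=2)


if __name__ == "__main__":
    for name, ctx in (("routine", ROUTINE), ("coached", COACHED), ("mule", MULE)):
        print(name, decide(ctx))
```

None of the signals is conclusive on its own; a large payment to a new payee is also what buying a car looks like. The value is in the combination, and in the fact that every input is available before the instruction is created, which is what makes a cool-down or a callback possible at all.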

I was at dinner on Wednesday with 20+ fraud leaders in UK Fintech, from high-street banks, digital banks, and payments companies. One bank shared its findings from effectiveness benchmarking they did globally.

They found the most effective user-facing scam-prevention mechanisms are

  1. The Revolut payment flow. If they suspect a scam, they'll make you go through multiple warnings, a video about scams, and a 3-hour cool-down period.
  2. The Monzo call confirmation in app. Monzo lets users see in their app whether it really is the bank calling them or someone else.
  3. A kill switch. Banks in Asia are now giving users a button to freeze everything related to their account until they re-KYC in person if they're at risk of harm or injury.

Summary

We can fix scams if we talk about them.

Faster payments, LLMs, and digital adoption don't have to mean we suffer from scams. As an industry with a problem-solving mindset, we can improve and move the dial on scams.

Detecting scams well requires us to get much better at data sharing, while getting much better at using new privacy-preserving techniques. It requires us to push the boundaries of thoughtful UX design and introduce friction correctly at the right time.

We can develop best practices, benchmark, and share data and lessons. At their core, anyone in the fraud squad is a problem solver.

We need to do more than talk about scams.

We need to get proactive.

"We're not liable under the law" won't cut it.

Be better.

Get better.

S.T.


4 Fintech Companies


1. Ask Silver - Is it a scam? Your AI companion

Silver is a free AI-powered scam-checking tool that lives in WhatsApp. Users can snap a screenshot of any email or message they've received, or take a photo of a letter. The AI then assesses it against known scam types and suggests how to stay safe.

Why didn't this already exist? And why didn't the banks or big tech companies do it? Every bank and every Fintech company should at least white-label this or partner with it in some way. It might not be perfect, but it's much better than nothing!

2. Rogo - Investment Analyst A.I. as a Service

Rogo helps hedge funds, asset managers, and investment banks ask questions about their data. Its fine-tuned LLMs can perform market research and produce data-driven analysis and materials. It can analyze proprietary internal documentation alongside public data sources and summarize for senior leaders.

Should this be a feature for Microsoft Co-pilot? I doubt that the foundation models themselves will be ready to tightly integrate with internal and market data in an "enterprise-ready" way soon. But when you say Enterprise, you think Microsoft. There's an Azure ++ play here (as there is for the hyperscalers). That said, the capital markets space is one of the fastest adopters of this technology. Anything that gives you an edge is worth it.

3. Liveflow - The Ultimate Accountant Dashboard

Liveflow aggregates data, automates manual tasks, and helps manage communication between accountants and their clients. It automates client reporting, streamlines account reconciliation, consolidates accounts, and integrates with your favorite spreadsheets.

Accounting is so hot right now. While there are countless spend management platforms, the accounting firm's experience is still unloved. The experience of a modern finance team is often way better than that of their accountants. Liveflow fixes this.

4. Dotfile - Middesk for Europe

Dotfile provides KYB (Know Your Business) verification for companies in France and the U.K. It collects data from business registries (the European equivalent of U.S. secretary of state records) and manages AML screening, document verification, risk scoring, and case management.

They've aggregated hundreds of data providers. Accessing those data providers isn't easy, and KYB has been tricky to implement in Europe. That situation is improving, with one or two players now in the Dotfile airspace. Also, French Fintech is on fire right now.


Things to know


1. Stripe goes fully multi-processor, partners with Nvidia.

Stripe will soon support processing on 12 non-Stripe acquirer processors, including WorldPay. Stripe billing will also support multi-processors. Stripe will support non-Stripe terminals for in-store payments. They also announced new clients like Nvidia, Cloudflare, and Pepsico.

Every sentence is counter-positioning vs Adyen.

Adyen is unlikely to become as modular or put as much focus on being multi-processor. Their strength is their "single, global platform." Adyen is a bank, so it's almost irrational for them to promote multi-processor support.

Adyen's "omnichannel" offering for in-store and online is best-in-class, but you have to go full Adyen. You can go "full Stripe" without changing your in-store terminals by supporting non-Stripe terminals.

Stripe has moved up the stack. Stripe billing and checkout are the product, not the processing. Stripe billing is a unicorn by itself (with $500m in revenue run rate). Applying those on any processor optimizes conversion at checkout or recurring billing. That's what Stripe sells, not processing.

Billing for AI inference is hard. Stripe is a big customer of Nvidia and supplies checkout experiences to many companies like OpenAI or Mistral (everywhere you see AI, you see Stripe). But it's not surprising they also did the hard yards on how the heck to bill for inference.

We need to talk about Shopify. Shopify is now processing with Adyen and PayPal. Enterprises that Stripe signs are rarely exclusive. They have a right to play there but not a right to win.

Adyen is an efficiency machine, and PayPal has its mojo back. The biggest beneficiaries of Stripe moving up the stack could be processors that are really strong in some areas. Venmo has R&D again, and if the sleeping PayPal giant wakes, Stripe could have a much harder time soon.

2. Big things in UK Fintech - Pockit has acquired Monese

The deal comes just days after HSBC wrote off its $35m investment in the struggling banking app Monese.

Monese was a banking app focusing on immigrant populations, but it suffered years of heavy losses, including more than £30m in 2022.

Only the leanest survive.

Monese had spent a lot of money building products and infrastructure but often lacked the revenue to justify that investment.

Its platform was so comprehensive that it spun out XYB to serve other, non-Monese customers, which has done quite well.

Pockit stayed lean.

Pockit focused on its core card offering and customer segment, gradually increasing its user base and patiently building its business.

This positioned it perfectly to acquire Monese's distressed assets, as well as the customers, products, and capabilities it likes.

UK Fintech took a beating from 2016 to 2022, but it's healing.

Monzo is profitable, Revolut got a bank license, and now the stronger Fintechs are acquiring the struggling ones.


Good Reads


1. Visa vs the USA

Visa has a long history of battling the debit networks. In the 1970s, the ATM model used PINs, while Visa still used signatures. By 1998, signature debit had a 60% market share. The first set of issues with merchants began because Visa forced any merchant that wanted to accept credit to also accept signature debit. Visa and Mastercard settled in 2003, agreeing that merchants can accept whatever they like and paying $3bn in damages.

After a long history with the DoJ (including the famous blocked Plaid acquisition), Visa now faces four main pressures.

  • The Fed wants to lower regulated debit interchange from 21 cents to 14.
  • The Fed in 2023 also ruled issuers must support at least one rival network.
  • Alternatives like Pay by Bank are now gaining meaningful adoption, with Visa behind the market versus Mastercard or the aggregators.
  • The Capital One / Discover tie-up potentially creates a meaningful rival.

This whole space is a lobbying minefield. Merchants, issuers, and networks are all frenemies.

2. A couple of bonus bits here for anyone in A.I.

  • The great data integration schlep. A.I. isn't revolutionizing the heavy industries because they all run on specialized equipment. Transport, utilities, and chip makers all use custom hardware and software, making data access nearly impossible. A.I. only works if you can get the data first.
  • Tactics for A.I. adoption in corporates. Most A.I. users in corporations use it quietly because there's little upside to being seen using it. Good users aren't treated as heroes, they fear being associated with "cost-cutting," and companies don't reward their use. Corporates should 1) reduce the fear, 2) create incentives, and 3) model positive use.


That's all, folks.

Remember, if you're enjoying this content, please do tell all your fintech friends to check it out and hit the subscribe button :)

(1) All content and views expressed here are the authors' personal opinions and do not reflect the views of any of their employers or employees.

(2) All companies or assets mentioned by the author in which the author has a personal and/or financial interest are denoted with a *. None of the above constitutes investment advice, and you should seek independent advice before making any investment decisions.

(3) Any companies mentioned are top of mind and used for illustrative purposes only.

(4) A team of researchers has not rigorously fact-checked this. Please don't take it as gospel: strong opinions, weakly held.

(5) Citations may be missing. I've done my best to cite, but I will always aim to update and correct the live version where possible. If I cited you and got the referencing wrong, please reach out.

Comments

Top content as always. Thanks for featuring us, Simon Taylor!

Great insights! The evolution of Stripe into a multi-processor and its partnership with Nvidia is a game-changer for the industry, pushing the boundaries of what fintech can achieve.

Mateusz Kara, CEO at Ari10 - Crypto solutions for B2B & B2C market | Blockchain Lawyer | Active investor | Tokenization | NFT & Blockchain (3 days ago):

stripe's move is huge. gonna shake things up for sure