It’s a familiar scenario: A financial company offers a new high-tech service, and hackers immediately begin trying to game the system and drain money out of it.
“The biggest challenge we faced initially after launch was an influx of prospective fraudsters,” said Lamine Zarrad, co-founder and CEO of Joust,
Fintech startups are often ill-equipped to deal with the fraud-investigation and dispute-resolution work that follows.
“That’s a fundamental problem,” Zarrad said. “It's a function of the nature of fintech. Fintech is a child of venture funding and someone's big ideas. And quite frequently a lot of fintech companies and founders don't come from financial services or banking or even risk management for that matter. They’re bringing fresh ideas and perspective. But what they frequently ignore are established problems that most bankers know all too well, like fraud.”
Fintech startups tend to aggressively focus on growth because that is what venture investors demand of them. Then they realize fraud has skyrocketed.
The founders of Joust realized early on that their efforts to combat fraud had to work on a large scale, so that as the company grows from its current 2,700 users to, say, 270,000 users, they could still manage the problem.
In Joust's nine months of operation, as it has worked on refining its services and improving settlement times, developers have been working to harden its risk systems and anti-fraud systems. They have built a system that pulls nearly real-time data related to identity, including credit and behavior information, to create user profiles against which they match incoming transactions. To help meet know-your-customer requirements, which are a piece of managing fraud risk, they have worked with Alloy, which draws on different data sources for help in identifying customers; Socure, which provides authentication; and other data providers including LexisNexis and WhitePages Pro.
Why fintechs are a ripe target
Their very newness makes fintech startups and new financial services irresistible to criminal minds, explained Brian Mullins, vice president of risk at Chime. He formerly held similar roles at Facebook and Groupon.
“If I’m a fraudster and I have a list of compromised credentials that I've stolen from breached websites and e-commerce platforms, or if I have a bunch of stolen identities from the Equifax breach, every possible location where I can use those credentials becomes a new opportunity to monetize them,” Mullins said. “So whenever there's a new entity that comes onto the space in financial services, even a new popular e-commerce platform, that becomes a new place that you might be able to use your list of stolen assets to try to test against their controls.”
Many of the
When a new bank joins the network, “the bad guys have a playbook of how to successfully commit fraud on most members on the network, and they’ve been accumulating the raw material needed to commission the crime, such as stolen credentials,” explained Trace Fooshee, senior analyst at Aite Group and former head of fraud strategy at SunTrust Banks. “As soon as the new bank gets on the network, it’s open season. The bad guys are immediately off to the races and start hitting the new member hard. The result is that bank will see unusually high rates of fraud per total transactions in the opening weeks of their launch as the bad guys race to run through their inventory. Eventually they’ll burn through the inventory and it will normalize.”
Chime, which has now opened 5 million accounts, is past this early fraud-testing period, Mullins said. But companies that are just starting out need to invest heavily in risk, fraud and information-security data and software, he said.
“It's challenging sometimes to look at the costs associated with these things, but it's really an investment in the future and investment in your brand and your net economics,” Mullins said.
Salaryo, a fintech focused on serving freelancers, small businesses and others using co-working spaces, has been investing in identity-verification and fraud-prevention technology, according to CEO and founder Yair Levy.
Salaryo has one advantage over fintechs that are mobile-only or digital-only: Its users are in office spaces where they can be vetted in person.
“Through our relationships with workspace providers, we know the person that applies for our service is actually a member physically of that office space,” Levy said. “The staff on all sites are required to verify their identity as well, so we have a safe space there for [know your customer].”
The company conducts financial scoring and professional background checks for each applicant that include banking data, credit scores and professional reputation benchmarks.
Fooshee expects fintechs will get better at dealing with fraud the way Zelle member banks have.
“The lack of confirmed fraud patterns makes fraud-detection systems less effective,” Fooshee said. “They get better as the collective volume of good transactions and bad transactions accumulate.”
