What happens if disruptive innovations are driven by people who lack experience running financial operations?
- Fintech startups aim to disrupt current practices and do it fast, but disruption can also create new opportunities for fraud.
- Lack of experience working in financial services may correlate with increased vulnerability to financial crime.
- Knowing what to look for can help investors and operations managers assess risks.
Identity Crisis
One enormous change with modern financial services is that clients can open accounts and send money without ever having met an adviser face to face. ClearVest CCO Sara Malak of New York City loses sleep worrying about how her firm can be sure it’s dealing with who it thinks it’s dealing with. ClearVest, a platform that provides independent advisers with access to alternatives and commodity managers, facilitates manager choice and online enrollment to enable client onboarding. “Our client advisers are non-institutional shops with two bosses, 10 employees with 20 clients [who] each have a household account, two spousal accounts, the kids, and trusts,” she says. “Many clients use the client account software to manage client relations.”
Though its client advisers do have personal relationships with clients, ClearVest has an electronic-only relationship with the investor. Despite this, the platform has a fiduciary responsibility to investors: It must comply with know-your-customer and anti-money-laundering (AML) regulations and protect itself from false identities. “We operate within structured guidelines provided by the US government,” says Malak, who spoke at the New York Society of Security Analysts’ 2016 Fintech Symposium last fall. “Our processes are designed to assure compliance with AML obligations, and yet we take special care with special situations like reviewing lists from [the Office of Foreign Assets Control] and the US Department of the Treasury.”
While ClearVest has brought advanced technology to the onboarding process, the process isn’t finished until human and machine insights are combined to determine whether the funds coming in and going out belong to the person whose name is on the account. Even after all the checks—making sure the IP address matches the user, the signature matches, and the bank account information is consistent—ClearVest may still need to flag certain situations. “Say a form comes in with the name Imelda Marcos,” says Malak. “The machine is not smart enough to recognize if it’s a different person with the same name as the famed leader or an intent to defraud. But sometimes the machine just does better because it finds information quicker.”
Identity fraud is relatively easy and made easier by the amount of personal data we post online every day. All one needs to access most online financial services is a photo with accompanying contact information. Even seemingly benign sources are vulnerable. Consider the fate of the 600,000 people who had work history, social security numbers, photo IDs, and contact information listed at joblink.alabama.gov. After the site was hacked, the follow-up analysis was unable to determine how much and whose information may have been exposed. Events such as this increase the risk of fraudulent transactions being introduced to investment companies and other financial institutions. As a result, online banks must go through their identity check procedures thousands of times a day. “With identity fraud, thieves see your information,” says Abhishek Agarwal, CFA, founder and CEO of Croudify in Fremont, California. “Once they know a little about you, it’s easy to create an account for you.”
After nearly 15 years of product and finance experience at Montgomery Securities and Bank of America Merrill Lynch, Agarwal started Croudify in late 2016 to maximize gains on person-to-person (P2P) lending platforms using machine learning and artificial intelligence. His services let fintech firms automate customer interactions more completely. “Some of the best companies’ online processes still do a lot through paperwork and offline activities,” he says—a fact he hopes to change.
Cryptocurrency investing introduces a special risk for identity fraud. Agarwal describes how it can happen. Someone steals your identity and buys bitcoins using a fake credit card and bank account. The bitcoins are then transferred to the fraudster’s private bitcoin wallet immediately, leaving no trace. “Even if you find out in minutes, it’s too late,” says Agarwal. “Compare this to a traditional ATM theft, when you have literally days to find the problem.”
From an investor’s point of view, fraud issues are critical. Because investments in fintech innovations usually happen during the startup phase, established financial institutions dedicate substantial resources to predicting the amount of write-offs due to fraud and arrange a balance sheet to accommodate the losses. New companies don’t have the same luxury, and even smaller losses can crater the stock price. Add in hackers who steal information from small companies with the intent to drive down the stock price and profit from their already-established short positions, and one quickly sees the benefits of monitoring for potential frauds.
Sly Velocity
Increased speed in initiating relationships and transactions is what attracts customers to fintech applications, but these same characteristics are exploited for ill-gotten gains. Consider the risks that come with the speedy approvals touted by online lenders. Applications come in over mobile devices, personal data is entered, permission is granted to access bank accounts, and decisions on whether to approve get turned around within 24 hours. The lender checks a great range of personal data, which always includes a credit rating.
Still, the speed of approval doesn’t leave time for real-time updating of applicant credit information, and that opens an opportunity for a growing problem for online lenders called “loan stacking.” In this scheme, the borrower submits applications to several online lenders. He might get $35,000 from Lending Club and the same from Prosper and SoFi. Instead of a single loan, he gets five and banks the total amount. The risk in the system is that none of the lenders know about the other applications. “Desperate people can stack loans and do it without the intent to defraud,” says Jan Beranek, principal of Beranek Consulting Group, a P2P fintech/marketplace-lending consulting firm in San Francisco. “But many times, the applicant never intends to pay back the loans.”
Cross-border differences in regulations and cultural mores add opportunities for absconding with other people’s money. Beranek previously served as director of operations, risk management, and quality assurance at leading online lender Lending Club, where he implemented the organization’s quality control function. He now leverages his knowledge and experience to consult for global fintech providers and sees gaps available for exploitation. He points out that online banking, especially lending, is slow to take off in Europe, where people still have traditional relationships with banks. In the US, online lending took root because individuals can’t get loans from banks anymore; in the EU, the market is small (and thus competitive), regulation is not consistent across countries, and there’s no credit bureau.
China, in contrast, is a huge market, and many Chinese citizens’ first computer was a cell phone. With almost no banking infrastructure and even less access to financial services for individuals, China’s consumer financial services market has been captured by such mobile apps as WeChat and Alibaba. Each app performs multiple functions for users: WeChat, for example, can make online payments, is linked to a bank account into which paychecks are directly deposited, and is integrated with Bloomberg Tradebook, Yelp, LinkedIn, PayPal, and ticket and hotel purchases. Compared with the US, there are many more opportunities—and many more threats. “In China, they offer an app, and everything is mobile, including the process of opening the account,” says Beranek. “Some companies have it figured out, but with 800 million users all online, the opportunities exist.”
This mobile-only relationship with money transfers and transactions combined with card-not-present credit purchases keeps those charged with preventing fraud extremely busy. According to online fraud-protection company iovation, in July 2013, roughly 25% of its monitored transactions among subscribers in the financial services industry originated from a mobile device; in 2016, mobile traffic represented nearly 42% of all transactions. Based on these statistics and the incumbent risks associated with card-not-present transactions, iovation predicts that US retailers and financial institutions will lose $7.2 billion due to fraud by the end of 2020.
Of course, better fraud prevention could be baked into financial technologies through good product design. “Innovative people don’t understand the fraud world,” says Steve Morang, leader of fraud and forensics at Frank, Rimerman + Co. in Palo Alto, California. “Even with non-financial apps like Uber, product managers have to spend the resources to identify all of the possible illegal activities that could go on and build preventions into the app.”
As president of the local chapter of the Association of Certified Fraud Examiners, Morang runs an annual fintech conference in San Francisco. The event sold out this year, and he took frantic calls as late as midnight from attendees trying to get tickets for more team members. Speakers included such familiar names as online lenders Prosper and Lending Club, alongside fraud experts from EY and the SEC. Less familiar names, such as Croudify and Mindbridge, rounded out the panels. “We’re going to have more fraud in both numbers and dollar amounts,” says Morang. “The amount of data is growing exponentially, but the number of fraud professionals is growing linearly. Who’s prepared to handle all of this?”
The potential speed of transactions is often hampered by the threat of identity theft. ClearVest, for instance, initiates an account through its platform, but a third-party custodian handles all receipt and disbursement of clients’ money. There are several tiered steps that have to be followed, including human interaction. ClearVest looked for a custodian with solid cybersecurity, encryption, and identity-verification processes. “We are one stop on the path of money and securities,” says Malak. “We can’t tell Schwab how to handle their processes.”
Morang has seen a shift in recent years toward traditional institutions and fintech starting to work together to prevent fraud. He ran a panel on fintech in 2014 that degenerated into such hostility that the dialogue broke down. Presenters from online banks and lenders claimed to have processes so superior to traditional finance that they had solved the fraud issues inherent in financial services—arrogance met more by heckling than questioning. Fast forward to 2016, when the sold-out event saw everyone on the money chain wanting to work together and presenters from the same companies saying fraud prevention techniques, rather than being used as a competitive advantage, must be shared between organizations.
With online transactions taking only seconds, the lines between traditional businesses of all sorts are blurring. Consider online marketplace auction houses, which facilitate international buyers transferring frequent and sometimes large sums back and forth well in advance of the delivery of the goods being purchased. Airbnb is just a well-intended platform for renting vacation homes, but people with stolen IDs use the system fraudulently. In one case, guests found that what was advertised as a nice home was in fact a meth lab. Uber has partnered with GoBank to offer instant-payment business checking accounts and debit cards, among other services, to its drivers.
According to Morang, such fintech leaders as Ron Suber, president of Prosper, have proclaimed this desire to work together, following the reasoning that when a competitor is damaged by fraud, it hurts the entire industry.
“There’s no sense having borders between companies or countries in the process because the other side [doesn’t] have borders, really,” Morang adds. “Silicon Valley is the epicenter of new fintech, with brilliant people and great ideas to change the world. These entrepreneurs are now getting their identities stolen and realizing that there is a dark force that takes the innovation and puts it to an alternate use.”
Stealth Protection
As part of the ongoing movement to inhibit and prevent fraud, an entirely new industry has sprung up. Regulation technology (regtech) addresses problems from cybersecurity to identity verification to banking and securities regulations. Beranek points to a solution to the problem of loan stacking, for instance. Cloud Lending Solutions, a cloud-based end-to-end lending platform with offices in the US, the UK, and India, created CL Originate, which provides lenders with a simple “6-click” interface for applying for online loans. According to the company’s website, the application “integrates traditional and non-traditional data sources from multiple third parties to enable real-time auto decisioning and funding”—that is, CL Originate allows investors to evaluate such customer data as credit scores and customer rankings in real time. “Once loans are originated on the CL Originate platform, they’re locked down, and no one can alter the data,” explains Beranek. “When it comes to finance data, accuracy is a critical aspect of everything.”
Artificial intelligence and machine-learning applications are also coming to the rescue. Mindbridge allows users to upload their data and run an application to quickly detect problem patterns and anomalies. Croudify applies machine learning to credit modeling, applying a neural network to the data and flagging whether the applicant is lying and thereby speeding up the process of identity verification. “This fraud detection is a big asset to managers that do a lot of loans,” says Agarwal. “We’re building a platform that lets risk management become an asset for the credit side.”
Faster identity verification lets lenders do more business, and accurate data opens another opportunity. Croudify expects to offer ratings on individual loans that allow investors to do an apples-to-apples comparison. The ratings also help investors know how to weight loans in a portfolio. These tech-enabled services solve some of the problems that new fintech companies have. “We’re working with the new platforms to develop ecosystems,” says Agarwal. “We hope that by working with us, they’ll grow assets faster, from the tens of billions to the hundreds of billions.”
Malak is keeping up with all developments that make catching and preventing identity fraud easier and more reliable. She’s half sold on biometrics and believes both tokenization and blockchain have something to offer as a solution. “Artificial intelligence is facilitating interesting things on certain sites now,” she says. “Clicking the box to say ‘I’m not a robot’ is easier than matching pictures, but there’s a lot more work going on behind the scenes.”
Blockchain technology, which promises fraud inhibition by transparently recording each step in the history of a transaction, has its own problems. A particularly promising blockchain platform, Ethereum, was launched in 2014. Promoted as a “decentralized platform that runs smart contracts,” Ethereum gives developers the tools to create markets and transfer and store documents and blockchain tokens with ostensibly no counterparty risk or intermediary taking a fee. The flaw in the system was exposed in 2016 when a cryptocurrency-based venture fund was hacked and $36 million was misappropriated to a fraudster’s account. Entreaties to get the funds back were in vain, and the platform had no choice but to create a hard fork in the chain and hope all developers would then work with the new chain. Not all did, leaving Ethereum, the venture capital fund using the platform, and all the developers scrambling for a new solution.
ClearVest is developing a completely different approach to fraud prevention, packaging the security work it does into content that can be learned and applied by others. “We see the need with colleagues and vendors to have a kind of academy to advise on these things,” says ClearVest’s co-founder Peter Murrugarra. “We’re thinking there’s even a need for a certification that people could pass to prove they know what they’re doing.”
Ancillary services around the burgeoning fintech industry provide meaningful information for analysts considering investments. Some organizations distinguish companies with awards for innovation. Finance Monthly named Signifyd, a company based in San José, California, the 2017 Fraud Innovation Firm of the Year. Signifyd uses machine learning and guarantees against fraud and chargebacks for merchants. Other organizations provide research on issues and companies working to solve problems. The Institute of International Finance’s recent report “Regtech in Financial Services: Solutions for Compliance and Reporting” highlighted a major concern that a “lack of a single global payments standard means that different systems use different metadata or differ in their ability to attach metadata to transactions”; for example, separate systems have been shown to have an inability “to consistently and accurately identify country information in payment messages.” Research from the IIF points to harmonizing payments as a solution, hoping to better service for banking customers and especially faster and more effective identification of transactions that could be linked to money laundering or terrorist financing.
The tonal shift at Morang’s recent conference spawned at least two new collaborative efforts. First, a group of both fintech and traditional financial services are forming a consortium that will collect and share intelligence on fraudulent actors. Second, internal fraud professionals have started talking with product and sales managers in their own companies, going past just technical security to walking step by step through the different layers of interaction with their products and processes to gain an understanding of the risks and vulnerabilities at each step.
Demand for Morang to create more events has continued after the event in San Francisco. Experts in global art fraud are working with Morang for an event on the implications of fintech fraud; wine merchants want a series of discussions and presentations for their industry. “All of this helps to raise awareness that while fintech makes finance more accessible, it makes fraud a regular topic,” says Morang. “I think we’ll need to do two regular events next year; one is not enough.”