FedNow: New Opportunities bring new risks
Sardine and the Shark - NYC edition
We held our first Sardine and the Shark roundtable discussion in NYC today. We had participants from neobanks, payment processors, crypto exchanges, and embedded fintechs of all shapes and colors.
Topic 1: What happens when FedNow launches
The most common question that was raised was: what happens to fraud when RTP and FedNow take off?
In short, things get worse before they get better.
With ACH, you have at least a few days within which you can return the funds before they are gone. With faster payment methods, the money is just gone instantly. Also, as a fraudster, if I can fund a stolen bank account via ACH debits, I can also easily fund it via RTP or FedNow.
The crucial difference with RTP/FedNow is that the liability shifts to the bank, whereas with ACH debits the liability sits with the Fintech wallet. International experience has taught us that every RTP rail suffers significant scams and authorized push payment (APP) fraud shortly after launch.
So what can we do to fix this issue in the future?
The bank being used to fund a Fintech wallet via RTP/FedNow bears the responsibility to check that the money is going to a valid Fintech wallet, e.g. does the name/address on the Fintech wallet match the name/address on the bank account? From the bank's point of view, the Fintech wallet is the counterparty, and the fraud problem becomes a counterparty risk assessment problem.
The US isn't the first country in the world to have RTP rails. This faster payments fraud problem is a global pandemic and exists in the UK, US, Brazil and India.
Counterparty Risk matters
In financial services, a counterparty is the other company and their customers. While a financial institution may know their customers (KYC), they don't know their counterparties' customers. There are good privacy and individual freedom reasons why this is a good thing, but it creates a significant challenge for companies wanting to solve fraud problems.
Historically, financial institutions have solved parts of this problem. The classic example is Early Warning Services (EWS), built by my good friend and colleague Ravi Loganathan. EWS allows the largest banks to share intelligence about account fraud in a way that protects the privacy of individual users. However, with more real-time payment rails (like FedNow) and more Fintech companies emerging, we have a gap.
Fraudsters exploit gaps.
The RTP problem needs a data solution
In essence, the faster payments fraud problem is best solved by the entity that builds the most comprehensive counterparty database in the world. At Sardine, we are taking the first steps towards building exactly such a consortium, bringing together fintechs and banks to get ahead of this global pandemic.
Topic 2: Criminals expose the gaps between rails
The second topic we discussed was the fraud problems that exist at the interfaces between the various payment networks, e.g. money moving between Zelle and ACH debits or between Visa Direct and ACH debits.
In this example, let's consider a fraudster who has a stolen CashApp account, a neobank account and a destination Venmo account. They're aiming to move money from CashApp to Venmo, via the Neobank.
- Fraudster funds the neobank's 16-digit card number from CashApp via Visa Direct (push to card).
- Money lands on the neobank card instantly because Visa Direct settles instantly.
- Now, the fraudster takes the money out of the neobank by adding the neobank card as a payment method to fund the Venmo wallet.
- So the money goes CashApp → Fintech → Venmo
The victim whose CashApp account was stolen only sees that their account was connected to Fintech; Venmo is completely invisible to them.
So what do they do? They go via the card scheme mechanism to dispute the money movement to CashApp.
There are so many nuances here. Let's dive in:
- First, this is a classic case of fraud and money laundering mixed together – Fintech is being used for layering of stolen funds.
- Second, there's an interaction between a push payment method (Visa Direct) and regular card debit rails.
We have heard of similar weird interactions between Zelle and debit card rails, or Zelle and ACH debit rails. Each of these networks is governed by its own independent fraud and dispute resolution rules.
What happens when a fraudster operates at the edges, i.e. at the intersection of these? Who's really liable for the fraud vector here?
Certainly not Fintech. They are just an unaware accomplice. I would expect that under Visa Direct or Mastercard Send rules, it is the sending party that's liable for fraud losses, i.e. CashApp in this case.
So it appears that lack of dispute resolution clarity is also mixed up with incorrect processes from the payment processors - the processors shouldn't even have allowed for such a dispute to be filed.
Next, let's make this example even more complicated.
What if the CashApp account being used wasn't even a stolen account? What if it was instead a legit account set up by a fraudster using a stolen/synthetic identity, and this CashApp account was funded by a stolen bank account?
In this case, the flow of stolen funds becomes:
Bank (ACH debits) → Square CashApp
Square CashApp (Visa Direct) → Neobank
Neobank (Visa AFT) → Venmo
- The original owner of the bank account would file an ACH return with CashApp.
- But CashApp wouldn't really have any funds to return to the bank because the money has already left for the Neobank.
- CashApp could try to find the fraud or compliance leads at the Neobank. But by then the money has already left CashApp.
- Also, in the ACH dispute leg between the stolen bank and CashApp, there's no repudiation for CashApp because ACH doesn't have any dispute resolution.
- At best, when dollar amounts are high, the stolen bank and CashApp would settle in a court after an expensive court case.
The need for data sharing
What if, instead, the stolen bank, CashApp and Fintech could share all of this info with each other, facilitated by a third party that allows them to do so under 314(b)?
Sardine can certainly play a role here.
We are excited to report that we have received approval from FinCEN to allow our association of financial institutions to share information with other financial institutions regarding individuals, entities, and organizations for purposes of detecting, identifying, or reporting activities that may involve possible money laundering or terrorist activities.
This means we can allow participants in our consortium to share info about counterparties via us, allowing us to triangulate a bad actor. Or, in this case, to quite literally follow the chain and tie the ACH fraud vector to the Visa Direct vector.
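To make "follow the chain" concrete, here is an added sketch (not Sardine's code or any consortium's real data format) that links transfer records shared by three institutions into the Bank → CashApp → Neobank → Venmo path described above. The record fields, account tokens, time window and amount tolerance are all assumptions chosen for illustration, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    reporter: str   # institution that shared the record (hypothetical field)
    rail: str       # "ACH debit", "Visa Direct", "Visa AFT"
    src: str        # pseudonymous source account token (assumed format)
    dst: str        # pseudonymous destination account token
    amount: float
    ts: datetime

def trace_forward(start, transfers, window=timedelta(hours=24), tolerance=0.10):
    """Follow funds hop by hop: the next hop must leave the account the
    previous hop credited, within `window`, for roughly the same amount."""
    chain, seen = [start], {start}
    while True:
        last = chain[-1]
        candidates = [
            t for t in transfers
            if t not in seen and t.src == last.dst
            and last.ts <= t.ts <= last.ts + window
            and abs(t.amount - last.amount) <= tolerance * last.amount
        ]
        if not candidates:
            return chain
        nxt = min(candidates, key=lambda t: t.ts)  # earliest matching outflow
        chain.append(nxt)
        seen.add(nxt)

# Constructed sample records, one per reporting institution, plus noise.
T0 = datetime(2023, 1, 10, 9, 0)
SHARED = [
    Transfer("Bank", "ACH debit", "bank:acct-1", "cashapp:u-7", 2000.0, T0),
    Transfer("CashApp", "Visa Direct", "cashapp:u-7", "neobank:card-3",
             1950.0, T0 + timedelta(minutes=20)),
    Transfer("Neobank", "Visa AFT", "neobank:card-3", "venmo:w-9",
             1950.0, T0 + timedelta(minutes=45)),
    Transfer("Neobank", "Visa AFT", "neobank:card-8", "venmo:w-2",
             40.0, T0 + timedelta(minutes=50)),  # unrelated customer
]

def describe(chain):
    return [f"{t.src} -[{t.rail}]-> {t.dst}" for t in chain]

if __name__ == "__main__":
    for hop in describe(trace_forward(SHARED[0], SHARED)):
        print(hop)
```

No single participant holds more than one of these hops, which is why the ACH return at the bank and the Visa Direct push at CashApp only connect once the records are pooled.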
Topic 3: Sunlight is the best disinfectant
Finally, one topic touched a nerve for me personally. While leading fraud for previous employers, I was never allowed to speak openly about the fraud vectors we were facing. It was always redacted heavily or simply shrugged off and pushed under the rug because the prevailing wisdom from marketing teams was – we don't discuss fraud issues publicly.
However, fraud is as old as money.
Actually it's older than money.
You can't shrug it off.
And if we don't share it publicly without the risk of being shamed, we can't grow as an ecosystem.
My pitch back to all the companies who came today, and to everyone else reading this - if your marketing team is preventing you from speaking up, just call us.
We would love to have you come and speak about the issues under Chatham House rules at one of our fraud dinners. Fraudsters are well organized, and I'm pretty sure they have their own dinners in some deep dungeons, and that's one reason why they are ahead. Why can't we do the same?
We hold these fraud dinners under the Chatham House rules, where topics discussed aren't attributable to the individuals or companies discussing them. If you would like to join a future dinner, let us know in comments below or reach out to me: email@example.com
Thanks to everyone who came and participated in our roundtable. Sardines swimming in a shoal can evade a shark.
- Andrew Steele - Partner at Activant Capital
- Carl Bartsch - Chief Risk Officer at Konfio
- Cesar Medina - Head of Financials Product at Buildertrend
- Corinne Bartow - VP Fintech Partnerships at MX
- David Berkowitz (Co-Founder) and ZevMo Green (Principal Product Manager and Fintech Product Owner) at Boss Money by IDT
- Dipanjan Bhattacharjee - Head of Risk at ONE
- Guillaume Bajczman - (Head of Crypto Desk and Treasury operations Manager)
- Justin Saslaw - Partner at Ribbit Capital
- Matt Chiogioji - Product Manager at Blockchain.com
- Maxim Spivakovsky - Sr. Director of Strategy and Operations, Global Payments Risk Management at Galileo / SoFi
- Mike Garris - Head of Debit Operations at Propel Inc.
- Neeha Velavarthy - Fraud Analytics Manager at Klarna
- Sidharth Shah - Sr. Product Manager
- Simon Macadar (Product Owner of Client Payments) at Xapo Group
- Stefany Velasquez - BSA/AML Analyst at Piermont Bank
- Sumeet Singh - Partner at A16Z
- Vik Scoggins - Product Lead at Coinbase