Fraud & compliance isn’t an issue – until it is the only issue
Block is facing allegations from well-known short-seller Hindenburg Research, who claims that the company has "inflated user metrics" through "frictionless fraud facilitation."
While the veracity of these allegations remains unproven, the stock has already taken a 13% hit today (March 23, 2023).
It's important to allow Block time to respond before forming a fully-informed opinion.
True or not, one huge takeaway – fraud & compliance is not an issue until it’s the only issue.
After carefully reading the Hindenburg report, it's clear that fraud and compliance are critical considerations for fintech and financial institutions. The Hindenburg report highlights several red flags. In our report below, we offer solutions to help our clients counter them.
1. Perform sanctions checks – OFAC, PEP (Politically Exposed Person), SDN (Specially Designated Nationals) – as well as negative news screening at the time of account opening. From a compliance point of view you are only required to do sanctions checks, and negative news screening is typically an afterthought within compliance programs, but it can be an important layer in a risk program. We have had great success at many fintech neobanks in stopping fraudulent PPP deposits based on negative news/criminal reports.
Sardine provides fraud & compliance in one API, and once integrated, you can turn on sanctions/negative news screening with the flip of a config switch. For example, we provide an automated score based on fuzzy matching logic if someone’s name, address and date-of-birth match a previously incarcerated person.
As anyone working in fraud, compliance or data science can attest, when dealing with names and addresses we are often dealing with messy data and incomplete ground truth. Hence, we provide fuzzy match scores indicating whether your customer matches someone mentioned in any of the lists, and you can make a risk-based decision in case of doubt.
Based on your financial institution’s risk appetite, you may allow someone with a medium fuzzy match score (80-90) to onboard but only allow them a small deposit limit, while paying strict attention to their transaction monitoring behavior over time. Suppose there was a negative news hit involving suspected sex trafficking, but the data wasn’t clear on whether your customer is indeed that suspected individual. You can then continue observing that person over time – e.g. does that person end up spending only between 1am and 6am local time, and do the IP locations always appear to be near hotels?
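As an added illustration (not Sardine’s code), the following Python sketches how a composite fuzzy match score over name, address and date of birth can drive the tiered decision described above; the field weights, the 80-90 medium band, the deposit limits and the sample identities are assumptions for the example.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Identity:
    name: str
    address: str
    dob: str  # ISO date string, e.g. "1990-05-01"


def normalize(text: str) -> str:
    """Lower-case, drop commas/periods and collapse whitespace before comparing."""
    return " ".join(text.lower().replace(",", " ").replace(".", " ").split())


def field_score(a: str, b: str) -> float:
    """Character-level similarity of two normalized strings, scaled to 0-100."""
    return 100.0 * SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def match_score(customer: Identity, hit: Identity) -> int:
    """Weighted composite score (assumed weights: name 50%, address 30%, DOB 20%)."""
    name = field_score(customer.name, hit.name)
    address = field_score(customer.address, hit.address)
    dob = 100.0 if customer.dob == hit.dob else 0.0
    return round(0.5 * name + 0.3 * address + 0.2 * dob)


def onboarding_decision(score: int) -> dict:
    """Assumed risk tiers: >90 decline; 80-90 onboard with a small deposit limit
    plus enhanced monitoring; <80 onboard with the normal limit."""
    if score > 90:
        return {"decision": "decline", "deposit_limit_usd": 0, "enhanced_monitoring": True}
    if score >= 80:
        return {"decision": "approve", "deposit_limit_usd": 500, "enhanced_monitoring": True}
    return {"decision": "approve", "deposit_limit_usd": 5000, "enhanced_monitoring": False}


# Constructed sample: customer and list entry agree on name and address (modulo
# punctuation) but the recorded DOB differs, i.e. incomplete ground truth on the list.
CUSTOMER = Identity("Jane M Doe", "12 Oak St, Austin, TX", "1990-05-01")
LIST_HIT = Identity("Jane M. Doe", "12 Oak St., Austin TX", "1990-05-07")
```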
Figure 1: Sardine dashboard showing a PEP (Politically Exposed Person) alert
Source: Hindenburg report about a gang that was using Cash App for drug trafficking
2. Perform transaction monitoring in real-time and offboard users if they match suspected typologies around drug trafficking, sex trafficking, terrorism financing or general money laundering. Often, this is the Achilles heel for many fintechs, as there is no open source database of well-known Anti-Money Laundering (AML) typologies.
This is one of the reasons why we started Sardine: to provide easy access to this information, which is currently locked up in the minds of compliance professionals across the industry. We work with 200+ fintechs, and our founding team & heads of legal, compliance, fraud-ops, etc. previously led fraud & compliance teams at financial institutions of all shapes and sizes – BofA, Wells Fargo, Chase, Coinbase, Step, Revolut, etc.
Given our extensive experience in this space, we have built a comprehensive rule bank with 500+ typical AML and fraud typologies. And all of our customers get a jump-start with these typologies.
Source: Hindenburg report about an AML typology
Figure 2: Sardine provides a comprehensive rule bank with 500+ pre-created fraud & AML rules around various checkpoints: onboarding, account funding, logins, payments, card swipes, and general money movement etc. The above is a small sample of the rules we have pre-created.
3. Customer risk rating: At the time of onboarding a customer, create a customer risk score. It's one thing for a user to recite static PII information (name, address, date-of-birth, SSN), but it's another for them to confirm ownership of the identity they are purporting to be in possession of. Sardine provides a variety of ways to confirm ownership of the identity:
- One way to verify ownership of identity is to ask for document verification (passport, national ID card, driver's license) as a step-up on medium/high risk users after the SSN checks. At Sardine, we provide both SSN verification as well as documentary KYC checks, with an elegant way to step-up between the two via a low-code policy engine.
This policy engine can be easily configured by the compliance team without any coding changes from the engineering team.
- Another way you can check if someone really knows their SSN is via behavioral biometric profiling – Is the speed at which they are typing their SSN indicative of them typing it from long-term memory (shows they know this SSN) vs. they are copy/pasting it (they stole the info)?
- A third way is comparing the identity package to a verified phone number – does the info at the telco match the identity info being provided at onboarding? Sardine provides access to telco ownership data via our partnership with multiple data partners. We also provide fuzzy matching rules to configure and establish this matching.
4. Combining Customer risk rating with Transaction Monitoring: This is one of the areas where I’ve found neobanks and banks in the UK way ahead of the US.
From my interactions with the FCA in the UK, they would always ask neobanks if the transaction monitoring thresholds were set appropriately based on the customer’s risk rating.
For example, in the UK, there are many Russian expats and hence many Politically Exposed Persons (PEPs) with potential close affiliation to sanctioned individuals or politicians. So a neobank or financial institution in the UK has to ensure they can differentiate between the son or daughter of a PEP spending on studies and living within the means of a student vs. going out to buy 1000s of Gucci bags (potential money laundering).
On a similar note, in the US, it is imperative to ensure that the deposit and spend patterns of individuals match their source of funds (income, sale of property, etc.). For example, if someone is depositing >$100,000 but stated their occupation as a student during onboarding, you may want to pause the deposit and ask them where the funds are coming from.
5. Connected user analysis via network graphs: When onboarding a customer, it is a great idea to utilize a network graph tool that takes into consideration previous accounts that are most likely related to, or created by, the same individual.
At Sardine, we provide a network graph tool, and we emphasize which shared attributes imply a strong relationship vs. a weak one. For example, if two accounts share the same SSN, the same device-id, or the same email address, it’s highly likely they belong to the same individual. However, if they share the same IP address, they may still be distinct individuals, especially if that IP address is a commercial IP address or a mobile IP address (not residential). Separately, we also provide signals to differentiate between the IP address types (commercial vs residential).
Source: Hindenburg report
Figure 3: Sardine’s network graph visualization tool that allows you to find other users connected to a user via 10+ attributes: SSN, email, IP, phone, card number hash, account number/routing number pair, etc.
6. Automate discovery of connected users: Sardine is a feature store with 5,000+ features (or signals) that can be used to prevent fraud and money laundering. We have features that aggregate counts of users using the same device-id, or same email or same phone number.
We also count users within multiple hops that are strongly connected to a given user via strong attributes – we call that feature “Linked User count”. For example, you can see the distribution of that signal across one of our customers – if someone is connected to >3 other users via strong attributes, that could be indicative of a fraud ring.
Figure 4: Sardine’s rule editor that shows distribution of the “LinkedUser count” for all users for one of our customers. For this customer, 87+% of users are linked to <=3 other users. Hence, it would make sense to create a rule to flag if any user is connected to >3 users together with other red-flag conditions.
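As an added example, not Sardine’s implementation, here is one way to compute a “linked user count” over strong attributes within a few hops and apply the >3 rule from the figure; the attribute list, the hop limit and the constructed user records are assumptions.

```python
from collections import defaultdict, deque

# Shared values of these attributes imply a strong link; IP address is deliberately
# excluded because a shared (commercial or mobile) IP may be many distinct people.
STRONG_ATTRIBUTES = ("ssn", "device_id", "email", "phone")


def build_strong_links(users: dict) -> dict:
    """Return {user_id: set of user_ids sharing at least one strong attribute value}."""
    index = defaultdict(set)  # (attribute, value) -> users carrying that value
    for uid, attrs in users.items():
        for attr in STRONG_ATTRIBUTES:
            if attrs.get(attr):
                index[(attr, attrs[attr])].add(uid)
    links = defaultdict(set)
    for members in index.values():
        for uid in members:
            links[uid] |= members - {uid}
    return links


def linked_user_count(links: dict, uid: str, max_hops: int = 2) -> int:
    """Distinct other users reachable through at most max_hops strong links (BFS)."""
    seen = {uid}
    queue = deque([(uid, 0)])
    while queue:
        current, depth = queue.popleft()
        if depth == max_hops:
            continue
        for neighbour in links.get(current, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append((neighbour, depth + 1))
    return len(seen) - 1


def flag_possible_ring(links: dict, uid: str, threshold: int = 3, max_hops: int = 2) -> bool:
    """Rule from the figure: flag when a user is linked to more than `threshold` users."""
    return linked_user_count(links, uid, max_hops) > threshold


# Constructed sample: u1-u5 form a chain of strong links; u6 only shares an IP with u1.
SAMPLE_USERS = {
    "u1": {"device_id": "dev-A", "email": "a@example.com", "ip": "203.0.113.5"},
    "u2": {"device_id": "dev-A", "email": "b@example.com"},
    "u3": {"email": "b@example.com", "ssn": "000-00-0001"},
    "u4": {"ssn": "000-00-0001"},
    "u5": {"ssn": "000-00-0001", "phone": "+15550000001"},
    "u6": {"device_id": "dev-Z", "email": "z@example.com", "ip": "203.0.113.5"},
}
LINKS = build_strong_links(SAMPLE_USERS)
```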
7. Address verification checks: Before shipping a card to a customer, do the following checks:
- Is the address residential (ok to ship) or commercial or PO box (do not ship)?
- Does the physical address where the card is being shipped match the latest address used for the customer as inputted during CIP (Customer Identification Program)?
- What is the volatility of the address – has it been associated with different names?
- What is the address velocity – has it been seen too frequently in the last 90 days?
Sardine purchases address data from multiple data partners and we run 100s of checks for our fintechs in real-time before a card is shipped.
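An added example (not Sardine’s checks, which draw on purchased address data) of the four pre-shipping checks as a single function run over a constructed shipment history; the commercial-address lookup, the 90-day window and the velocity threshold are assumptions.

```python
import re
from datetime import date, timedelta

PO_BOX_RE = re.compile(r"\b(p\.?\s*o\.?\s*box|post office box)\b", re.IGNORECASE)

def normalize(addr: str) -> str:
    return " ".join(addr.lower().replace(",", " ").replace(".", " ").split())

def address_type(addr: str, commercial: set) -> str:
    # `commercial` is a constructed lookup standing in for a purchased address-type feed.
    if PO_BOX_RE.search(addr):
        return "po_box"
    return "commercial" if normalize(addr) in commercial else "residential"

def card_shipping_checks(customer, ship_to, cip_address, history, commercial,
                         today, window_days=90, max_recent_uses=3):
    """history: constructed list of (date, customer_name, address) from prior shipments.
    Returns the individual checks plus a ship/hold decision with reasons."""
    target = normalize(ship_to)
    cutoff = today - timedelta(days=window_days)
    same_address = [h for h in history if normalize(h[2]) == target]
    other_names = {h[1].lower() for h in same_address} - {customer.lower()}
    recent_uses = sum(1 for h in same_address if h[0] >= cutoff)
    checks = {
        "address_type": address_type(ship_to, commercial),
        "matches_cip": target == normalize(cip_address),
        "other_names": len(other_names),   # volatility: other names seen at this address
        "uses_last_window": recent_uses,   # velocity: shipments here inside the window
    }
    flags = [
        ("non_residential", checks["address_type"] != "residential"),
        ("cip_mismatch", not checks["matches_cip"]),
        ("address_volatility", checks["other_names"] > 0),
        ("address_velocity", checks["uses_last_window"] > max_recent_uses),
    ]
    checks["reasons"] = [name for name, hit in flags if hit]
    checks["ship"] = not checks["reasons"]
    return checks

# Constructed sample data (today is the post's date).
TODAY = date(2023, 3, 23)
COMMERCIAL = {"400 main st suite 5 austin tx"}
HISTORY = [
    (date(2023, 1, 15), "Jane Doe", "12 Oak St, Austin, TX"),
    (date(2023, 3, 1), "John Roe", "400 Main St, Suite 5, Austin, TX"),
    (date(2023, 3, 5), "Mary Roe", "400 Main St, Suite 5, Austin, TX"),
    (date(2023, 3, 10), "Ann Poe", "400 Main St, Suite 5, Austin, TX"),
    (date(2023, 3, 12), "Bob Poe", "400 Main St, Suite 5, Austin, TX"),
]
```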
Figure 5: Sardine’s case management system as used by a neobank to verify if someone is requesting the physical card to be shipped to a suspicious address.
8. Name checks: Make sure the name on the account matches the name of the intended recipient.
Sardine partners with multiple bank data consortiums to validate the name, address, account number & routing number on the counterparty bank from where funds are being deposited.
ACH credits: Many neobanks offer a checking account number & routing number, and someone can push funds via ACH credit from the state unemployment insurance website into the neobank. Sardine offers a low-code rule editor that allows you to quickly create a rule to do fuzzy matching between the name of the recipient on the ACH credit file and the name on the account.
ACH debits: If someone is in the neobank app and pulls funds from a different bank, we likewise offer rules to fuzzy match the name on the external bank account with the name given to the neobank at the time of account opening.
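An added example (not Sardine’s rule editor) of the fuzzy name match such an ACH credit/debit rule would perform, handling the “LAST, FIRST M” layout, generational suffixes and middle initials that differ between the ACH file and the account record; the score thresholds and actions are assumptions.

```python
import re
from difflib import SequenceMatcher

SUFFIXES = {"jr", "sr", "ii", "iii", "iv"}


def name_tokens(name: str) -> list:
    """Normalize a name: 'DOE, JANE M.' becomes ['jane', 'm', 'doe']; punctuation
    and generational suffixes are dropped."""
    name = name.lower()
    if "," in name:  # bank files often carry LAST, FIRST MIDDLE
        last, rest = name.split(",", 1)
        name = f"{rest} {last}"
    return [t for t in re.findall(r"[a-z]+", name) if t not in SUFFIXES]


def ach_name_match(ach_name: str, account_name: str) -> int:
    """0-100 score from the first and last tokens; middle names/initials are
    ignored because they are the tokens most often missing or abbreviated."""
    a, b = name_tokens(ach_name), name_tokens(account_name)
    if not a or not b:
        return 0
    first = SequenceMatcher(None, a[0], b[0]).ratio()
    last = SequenceMatcher(None, a[-1], b[-1]).ratio()
    return round(100 * (first + last) / 2)


def ach_name_rule(ach_name: str, account_name: str,
                  post_at: int = 85, review_at: int = 60) -> dict:
    """Assumed rule: post on a strong match, route a partial match to review,
    otherwise return the item rather than crediting/debiting the account."""
    score = ach_name_match(ach_name, account_name)
    if score >= post_at:
        action = "post"
    elif score >= review_at:
        action = "review"
    else:
        action = "return"
    return {"score": score, "action": action}
```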
Source: Hindenburg report
When it comes to fraud and compliance, many organizations may view them as burdensome regulatory requirements that can impede their business operations. However, when done correctly, fraud and compliance can actually be a strength that bolsters a company's reputation and increases customer trust.
At Sardine, we recognize the importance of fraud and compliance and offer a comprehensive and unified platform to help organizations effectively manage and mitigate these risks. Our team of experts brings extensive experience leading fraud and compliance initiatives across various industries – BofA, Wells Fargo, Chase, Zelle, Revolut, PayPal, Step & Coinbase – and we are committed to helping our clients stay ahead of emerging threats and regulatory changes.
By prioritizing fraud and compliance, businesses can not only protect themselves from financial loss and legal penalties but also build a stronger foundation for sustainable growth and success. Come and talk to us, if we can be of any help in bolstering your fraud & compliance programs.