
When is a bank account not a bank account?


I love fintech. I believe the wide availability of digital-first consumer/SMB financial services helps drive fees down, increases access for hard-to-reach populations, and generally helps drive better experiences for consumers and businesses. There are exceptions, of course, and not every fintech company is good, but the trend over the last ten years has been positive, and I'm proud to be part of the ecosystem.

One of the core factors that allows fintech to thrive is the existence of payment networks (Visa/Mastercard/Swift/ACH), standards (FDIC/SIPC insurance), and regulations (FCRA, BSA, Dodd-Frank) that allow new products to launch features that are generally on equal footing to legacy products. A new bank doesn't have to go convince every merchant to accept their cards or every consumer that their deposits are safe.

I'm concerned this premise is in danger. The rapid rise of fintech companies over the last two years from upstarts into major players is converging with fraud and financial crime to create some cracks in the level playing field. This issue has significant impacts on financial access and equity, as well as the competitive landscape for financial services broadly.

I rarely comment on things like this, especially because it can appear self-serving. After all, Alloy spends all our time thinking about how to manage the interplay between risk and user experience. But this is a problem we need to take seriously before the ecosystem evolves to be permanently less open.

What we are seeing

The first sign of this breakdown is at the merchant acceptance layer. Earlier this year, news stories were published of car rental companies blocking neobanks because too many of their customers were committing fraudulent transactions using their cards. Normally this kind of bank ban by merchants would violate Visa/Mastercard rules, but rental car companies are exploiting a loophole by using a required "pre-authorization" transaction.

There are currently limits to how bad this can get. Only merchants who require pre-authorizations (hotels, rental car companies, etc.) can effectively fully block customers of certain institutions. Some other merchants are treating neobank cards as "high risk" and declining them as fraud at higher rates, but are not able to institute outright bans without running afoul of Visa/Mastercard network rules.

There is a more alarming trend emerging, however. Fintech companies are starting to block each other's accounts from moving money between them. There are public anecdotes about this in the press and social media, but it's also something we see more and more from our clients at Alloy. I recently experienced this as a consumer where my deposits from my fully-chartered digital bank were blocked from being moved into my well-known fintech brokerage account that I've had for 6+ years.

The combined implications are startling: a bank account is no longer a bank account.

A bank account is what the network of participants will let it be; merchants may or may not accept your debit card transactions, and other banks and fintech companies may or may not accept your deposits. Wow.

3 converging trends

The basics of what is happening here are simple: merchants and fintech companies alike are seeing more fraud as a percentage of transactions from certain banks (identified by their primary account numbers or routing numbers) and deciding it's not worth it to accept transactions/deposits from those banks. The further a transaction is from being regulated by card network rules — pre-authorizations or non-network transactions like ACH — the deeper the blocks.

Three converging trends are causing this in my view:

1. Fintech client bases skew "new": digital-only banks are almost all new and growing quickly. This means as a percentage of their client base, compared to large legacy banks, their accounts are overwhelmingly "new accounts." No matter which institution you're talking about, "new accounts" are more often fraudulent than old accounts, purely because fraudsters tend to take advantage of the accounts very quickly after opening them. Therefore, even if digital banks are better at fraud prevention than traditional banks, their client base will still skew more fraudulent.

Figure: new fintech bank fraud (line chart). Each experiences a total 0.4% fraud rate. While the neobank has a smaller fraud rate, they have more new accounts. However, they do not see fraud in existing accounts.

2. Fintech is getting big: digital-only banks used to make up a small absolute percentage of bank accounts in the US, so even if they were riskier to the ecosystem, they were small in number, so the absolute risk was low. This has changed quickly over the last 2-3 years.

3. Fraud is on the rise everywhere: there is simply more fraud being attempted and successfully perpetrated everywhere in fintech over the last 12-18 months. While macro factors can probably explain the rise in the number of fraud attempts, the increase in the number of successful attempts is more complicated and could be attributed to new techniques for social engineering that are hard to prevent.

These trends combine to create a megatrend: the relative risk that a fintech PAN/routing number poses is higher than others (because of the percentage of new accounts), and the absolute risk posed overall is high (because the fintech is bigger and fraud is rising). Suddenly, and seemingly all at once, the ecosystem is deciding it must do something. And it is gravitating towards the simplest possible solution: let's just block them!

Worrying implications

Imagine your non-fintech savvy friend asks you if they should open a fintech bank account as their primary bank account. It used to be so easy to answer this question: your money is FDIC secured, your card is a Visa card, and everything else is up to your taste. It is much harder to say that now.

If you're building a digital banking product, it's no longer just a question of what your fraud risk tolerance is at your institution. The calculation used to be customer acquisition cost vs. lifetime value vs. fraud risk. Now, your institution's reputation at the network level determines what your users can and can't do. It's no longer in each institution's control.

This could have a big impact on entrepreneurs' willingness to start fintech companies because there is too much risk they can’t control. Fewer fintech companies means less innovation and less competition which negatively affects the consumer, especially those underbanked or niche populations who may want something that traditional banking institutions aren’t providing.

Also, consumers and businesses are demanding a digital-first experience, simplified onboarding and more. In a world where even a short-term increase in fraud exposure by your client base can result in a long-term impact on your customers’ experience, I’m not sure startups or community banks will be able to keep up with better-resourced incumbents.

This is a huge shift.

I am worried about what this means for financial access, the fintech ecosystem in general and the ability for innovation to thrive.

This could be a temporary trend as fintech companies get a handle on their fraud, merchant/fintech companies find better ways to manage high-risk counterparties, and the overall fraud/risk stack retools to handle the converging trends. But if it's not temporary, it means a permanent segmentation of all "new" banking products (again: by definition riskier as a percentage) into a lower tier of product offering than "legacy" banking products.

Chisel not a sledgehammer

We need to think of ways to address this to ensure an open banking ecosystem.

The baseline assumption people will make is that we need to invest in better fraud tools, more signals, more machine learning, etc. “If we can just get the sweet, sweet data we need and do some machine learning we will be Golden Grahams!”

I think that's partly right, and I'm glad to be part of a fraud provider ecosystem working on this side of the problem.

But I don't think that's all there is to the story. For the fintech ecosystem to manage fraud risk across an exploding and growing population, we need to have more nuanced ways to respond.

Four things I'm thinking about:

1. Countermeasures/tactics: once suspected fraud is identified, what do we do about it so we don't throw out the baby with the bathwater?

What would you add to the onboarding/account linking process to give customers a chance to sift themselves into the "good" column instead of dumping everything in the “bad” column? Options include: step-up verification, forced account linking, additional questions, ACH hold times. What else can we develop and how widely deployed are each of these?

2. Typologies: it's getting harder to lump "fraud" into a single model or score and still know what to do about it.

Knowing which fraudsters would be caught with step-up verification (document/selfie/liveness) vs. additional validations (valid phone ownership and possession) vs. a source of funds confirmation (verify that name/contact info match the externally linked account) is not possible without modeling the exact "shape" of the fraud being committed (aka "typologies").

It’s rare to see a company prepared to model the specific countermeasure appropriate for each customer and customer interaction, resulting in an “all or nothing” approach. This leads us down the path of degrading the customer experience in the name of risk - something we should avoid at all costs!

3. Systems: do the systems to label typologies and turn them into countermeasures (end to end) exist, and are they widely deployed?

Once you have modeled the shape of each fraud attack and found a countermeasure you’re confident in, the actual deployment of the detection => countermeasure technology is a pretty big lift. I’ve been asking folks recently: if you had a new fraud attack today and the head of the fraud ring attacking you sent you their playbook, including instructions for how to stop it, how long would it take you to act?

Perhaps if the instructions were “block everyone with the last name Fraudster” it would be easy. But it’s never that simple. Across the entire fraud stack, from data collection and decisioning to step-ups and investigations, it’s worth asking how many of those are software defined and software connected, and of those that are not, how agile you could be in iterating them when you need. Because you will need to!

4. Cooperation: where can the ecosystem collaborate more than they do today?

We all win by lowering the fraud risk of the entire ecosystem, but the growth mindset of the last 5-10 years has lacked the incentives for deep collaboration at almost all levels. There are efforts underway to correct some of this but I think more needs to be done.
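To make points 2 and 3 concrete, here is an added sketch (not Alloy's code or any product's behavior) of a policy kept as data that labels typologies and maps each to the countermeasure the article pairs with it, compared against a blanket routing-number block. The signal names, the 30-day threshold, and the routing numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LinkEvent:  # hypothetical account-linking signals; field names are assumptions
    routing_number: str
    account_age_days: int
    name_matches_linked_account: bool
    phone_possession_verified: bool
    document_check_passed: Optional[bool]  # None = never requested

# Policy as data: (typology, predicate over signals, countermeasure).
# Pairings follow the article; the thresholds are illustrative assumptions.
POLICY = [
    ("third_party_funding", lambda e: not e.name_matches_linked_account,
     "source_of_funds_confirmation"),
    ("unverified_contact", lambda e: not e.phone_possession_verified,
     "phone_ownership_validation"),
    ("new_account_identity",
     lambda e: e.account_age_days < 30 and e.document_check_passed is not True,
     "document_selfie_step_up"),
]

def decide(event):
    """Chisel: countermeasures this event needs; an empty list means allow."""
    return [action for _, matches, action in POLICY if matches(event)]

def blanket_block(event, blocked_routing_numbers):
    """Sledgehammer: decline everything from a listed institution."""
    return event.routing_number in blocked_routing_numbers

def compare(events, blocked_routing_numbers):
    """Count who each approach stops, challenges, or misses."""
    out = {"blanket_blocked": 0, "clean_but_blocked": 0,
           "risky_but_missed": 0, "stepped_up": 0, "allowed": 0}
    for e in events:
        actions, blocked = decide(e), blanket_block(e, blocked_routing_numbers)
        out["blanket_blocked"] += blocked
        out["clean_but_blocked"] += blocked and not actions
        out["risky_but_missed"] += bool(actions) and not blocked
        out["stepped_up"] += bool(actions)
        out["allowed"] += not actions
    return out

# Constructed sample: routing numbers are placeholders, not real institutions.
SAMPLE = [
    LinkEvent("000000001", 5, True, True, None),
    LinkEvent("000000001", 400, True, True, True),
    LinkEvent("000000001", 10, False, False, True),
    LinkEvent("000000002", 2000, False, True, True),
]

if __name__ == "__main__":
    print(compare(SAMPLE, {"000000001"}))
```

On the constructed sample the blanket block declines a clean, long-standing customer and misses a risky link from an unlisted institution, while the typed policy challenges only the events that match a typology. Responding to a new attack pattern becomes a one-row change to `POLICY`.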

For our part at Alloy, we've been homing in on "what's changed?" for the last 6 months and making plans. Our partners seem to be making plans we think are helpful as well. We want to collaborate to ensure an open ecosystem. More to come from us, so stay tuned.
