The fintechs blocking fraudsters by sharing data
There has been plenty of talk in recent years about how neobanking has upended the traditional finance world. But the latest crop of fintech challengers is still struggling with an old problem: fraud.
In the past few years alone, neobank N26 has been fined for its “weak” anti-money-laundering (AML) systems, Monzo has been investigated in a money-laundering probe, car rental firms, hotels and other companies have banned users from paying with Chime and CashApp because of fraud issues, and investment app Robinhood has chalked up some significant fraud losses.
Technological innovations such as AI have been hailed as a potential salve, but according to a new group of fintech reformers, there’s a back-to-basics method that could help too: sharing intel.
“A pattern that we’ve seen since the beginning of our journey was that the companies we worked with wanted to learn about what others were seeing in terms of fraud,” says Clarence Chio, co-founder of Unit21, a risk and compliance infrastructure platform that is a member of this new group. “But there wasn’t a solution that helped them to do that.”
A new solution to an old problem
Financial consortiums that share information on fraud risk have existed in the traditional finance sector for decades. But the wave of new fintech firms, neobanks and crypto companies deal with a slightly different set of risks. One day, Chime co-founder and CTO Ryan King pointed out to Chio that Unit21 already held the user and transaction data of more than 100 fintech companies – planting the idea for a new kind of consortium. Soon afterwards, Unit21 set up the Fintech Fraud DAO, a decentralised autonomous organisation consisting of fintech organisations that swap their user data to identify and stop fraud before it can spread.
The DAO lets participating organisations share aggregated user data through an open-source platform, facilitating the rapid identification of suspicious and potentially fraudulent activity, and helping to overcome the fact that traditional AML and know-your-customer systems are not designed for data-sharing at the scale required to effectively prevent fraud. Right now, participating fintech firms include Brex, Chime, PrimeTrust, Yotta and Airbase.
Typically, neobanks have not had much incentive to share their data, because they don’t want to risk a competitor using it to extract marketing intelligence, Chio says. But the inherent fear of data-sharing is outmatched by the desire to learn from others – especially as fraudsters tend to be repeat offenders. “The same fraudsters are targeting everyone, not just one company,” Chio says. “And they go after the lowest hanging fruit.”
Unit21 decided to incorporate a distinct entity to operate the consortium. Chio says this is because the company didn’t want it to run on a profit-driven model, where the data could be packaged up and sold to external buyers. This is where the idea for a decentralised autonomous organisation came in. The DAO employs Web3 governance principles, where each of the participating companies owns tokens that give them a stake in the network and allow them to vote on issues as a collective.
“All of this makes for a community-led, community-owned effort, rather than something that’s built by a vendor that we can later go and monetise,” Chio says. Participation in the DAO is free of charge; companies just have to agree to share data.
Isn’t privacy a concern?
One of the most hotly debated issues in the DAO so far has been how to ensure data privacy. By collective decision, members opted to implement the same type of privacy mechanism often used by national healthcare systems and pharmaceutical companies, called Privacy Preserving Record Linkage. This is because sharing healthcare records incurs the same kind of privacy risks as sharing personal financial data. In the DAO, personally identifiable data is shared as Bloom filters (a probabilistic data structure based on hashing).
The way this works is that if one of the participants is defrauded by, say, John Smith, participants can tip off others by sharing the tokenised form of John’s details with them. “If they don’t already know who John is, the mechanism of tokenising John’s information makes it computationally impossible to generate the hashes,” Chio says.
This method means participants get an early warning about potential fraudsters among new sign-ups to their services. They receive a time stamp of all accounts across the sector (“Something to the tune of ‘John Smith has been active in seven fintechs for the past three weeks and has been blocked by five of them’,” says a Unit21 spokesperson). This can help tackle not only account takeover-type fraud but things like promotional abuse (where fraudsters join a new service to take advantage of a promotional deal before exiting).
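As an added illustration (not part of the original article and not the DAO's own code), here is a generic Bloom-filter record-linkage encoding of the kind described above: one member publishes the filter for a reported identity, and another compares new sign-ups against it without either side exchanging raw details. The bigram tokenisation, HMAC-SHA256 keying, filter size, match threshold, key and sample records are all assumptions made for this example.

```python
import hashlib
import hmac

FILTER_BITS = 1024  # assumed filter length
NUM_HASHES = 4      # assumed bit positions set per bigram


def bigrams(value):
    """Normalise a field and split it into padded character bigrams."""
    norm = "_" + "".join(value.lower().split()) + "_"
    return {norm[i:i + 2] for i in range(len(norm) - 1)}


def encode(record, key):
    """Encode a record as a Bloom filter, held as an int bit field."""
    bits = 0
    for field, value in sorted(record.items()):
        for gram in bigrams(value):
            for i in range(NUM_HASHES):
                msg = f"{i}|{field}|{gram}".encode()
                digest = hmac.new(key, msg, hashlib.sha256).digest()
                bits |= 1 << (int.from_bytes(digest[:8], "big") % FILTER_BITS)
    return bits


def dice(a, b):
    """Dice coefficient of two filters; 1.0 means identical bit patterns."""
    total = bin(a).count("1") + bin(b).count("1")
    return 2 * bin(a & b).count("1") / total if total else 0.0


def is_flagged(candidate, shared_filters, threshold=0.8):
    """True if a new sign-up resembles any filter shared by another member."""
    return any(dice(candidate, f) >= threshold for f in shared_filters)


# Constructed sample data; the key stands in for a secret held by members.
KEY = b"constructed-consortium-key"
REPORTED = {"name": "John Smith", "dob": "1985-03-14",
            "email": "john.smith@example.com"}
TYPO = dict(REPORTED, name="Jon Smith")
OTHER = {"name": "Alice Jones", "dob": "1990-11-02",
         "email": "alice.jones@example.org"}

if __name__ == "__main__":
    shared = [encode(REPORTED, KEY)]  # what the defrauded member publishes
    for label, rec in (("same", REPORTED), ("typo", TYPO), ("other", OTHER)):
        print(label, round(dice(encode(rec, KEY), shared[0]), 2),
              is_flagged(encode(rec, KEY), shared))
```

Because the filter is built from bigrams, a sign-up with a slightly altered name still scores close to the reported record, while the keyed HMAC means a party without the key cannot encode a guessed identity and test it against shared filters.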
Some promising discoveries
Chio can’t share data on how much fraud has been prevented by the consortium so far or how this rate compares with traditional methods. But he claims that about 20% of all the fintech data in the US flows through the DAO today and that the group has already turned up some interesting findings.
Before working with the DAO, Chio says he and others suspected that the same fraudsters were targeting more than one financial services provider in the same way. This hunch was soon borne out by the data. The DAO has found that at least 10% of the dollar fraud loss experienced by one company was experienced seven to 10 days earlier by at least one other participant in the DAO.
“What this means is that if participants don’t respond to the signal provided by the DAO within a short time frame, they stand to lose 10% more to fraudsters, which at scale could mean multiple millions of dollars,” Chio says. “That’s interesting validation for us because there was no real way to prove this without any data-sharing between the participants.”
A way to rehabilitate crypto?
The group launched with its focus firmly on the neobank and crypto segments of the finance industry, Chio says. But it quickly encountered interest from traditional financial services too. When digging into why that was the case, Chio says the group realised that for a lot of banks and credit unions, a steadily growing segment of their user base is now transacting in crypto, or storing some of their money in neobanks. Cash flowing between these services and traditional banks means the latter are increasingly exposed to the same risks.
“Banks today have no real visibility over crypto sources or different online transacting methodologies because the traditional sources they use for risk don’t give them that signal,” Chio says. In the past five years, banks including TSB and lenders including Lloyds, NatWest and Virgin have taken steps to ban crypto transactions, but Chio believes this will change. “I think traditional banks are starting to realise that they can’t take the most conservative route and block everything that they don’t understand, indefinitely,” he says.
Traditional institutions have approached the DAO and asked whether they can buy the group’s data without joining, but the DAO has refused. Instead, it’s working on pilots with two traditional banks to bring them into the fold. Although he can’t name the institutions yet, Chio says they are regional banks that are operational in multiple US states and each has more than $5bn (£4bn) in assets under management.
Crypto regulation is finally advancing in countries like the UK and the US. But Chio sees consortiums like the Fintech Fraud DAO playing a potentially greater role in tackling fraud across the industry. He says the crypto companies he works with are all eager for more regulation because operating in a legal grey area is challenging. Even so, slow and patchy crypto regulation around the world means that motivating platforms to work together could prove a more fruitful approach to legitimising the industry. “Crypto companies will be incentivised to work together to clean this up,” he says, “just like the banking system did.”