Fintech
Fraudsters May Leverage Their PPP Approvals to Get Business Loans and MCAs
July 21, 2021
A small business finance underwriter torn between approving or declining an applicant probably should not consider whether or not that business got PPP funding as evidence of the applicant’s legitimacy.
A new alert put forth by Experian claims that “greater than 75% of PPP loans originated by commercial fintech lenders were NOT run through a fraud screening and have a greater probability of containing bad actors.” Experian says that “lenders will need to be more vigilant as they assess these businesses for future offers of credit.”
Experian cites data from the FTC that shows fraud and identity theft have surged since the pandemic started, climbing to even higher levels in 2021 over 2020.
Fraudsters that successfully obtained PPP loans with altered documents, for fake businesses, or on behalf of real businesses using stolen identities, may now use those as leverage to obtain additional money, particularly through sources where the perceived consequences of being found out are low. Non-bank funders and fintech lenders are an attractive target.
Just because an applicant got a PPP loan, underwriters should not assume it has passed a fraud check.
Cross River Bank Makes Moves as Fintech Acquirer, VC
July 13, 2021
Known in the space as the fintech partner bank, Cross River took another step down the path leading the industry: Last month, the bank bought PeerIQ, a company that does data analytics for loan underwriting. The bank also launched a venture capital arm to continue investing in startup fintechs in a more formalized way, though they have been partners for years.
“PeerIQ is a company we’ve known for a number of years; we’ve been working with them, partnering with them and in various ways for two or three years,” Phil Goldfeder, Senior Vice President of Public Affairs at Cross River, said. “We recognized that we would probably better serve our customers and partners if we came together, so we’re happy that we’re able to acquire Ram [Ahluwalia, CEO of PeerIQ] and his team at PeerIQ and we’re excited about the collaboration moving forward.”
PeerIQ will function as a part of Cross River, bringing intelligent analytics to every transaction. Cross River, located 14 floors up just across the George Washington Bridge in New Jersey, has about $13.5 billion of assets and has originated more than $46 billion in loans since 2008, Bloomberg estimates. The way forward, as Goldfeder said, was through innovation, leveraging tech and teams like PeerIQ’s to better serve clients. That also means using the formal VC branch to help new firms grow their platforms and future acquisitions.
“Number one is to grow on PeerIQ’s core business, providing data analytics, and creating technology in the secondary market, but more importantly, for Cross River to help our partners and our clients serve,” Goldfeder said. “There’s no question that we will continue to explore companies that would help strengthen Cross River and the fintech ecosystem and provide additional services to our partners.”
The bank has over 15 partnerships with top fintechs, like publicly traded Affirm, Rocket Loans, Coinbase, and private firms funded through VC rounds like Stripe. The bank most recently became a significant part of the PPP government emergency loan program. Ranking among giants like JP Morgan and Bank of America, Cross River ranked 6th overall for dollar amount approved. According to the bank, they doled out 490,000 PPP loans for a total of $13 billion, making up 4% of the entire program volume.
The way forward is clearly through embracing what it always has been at its base: the bank across the Hudson that is willing to partner with upstart brands and help them take over the world. With a flurry of consolidation purchases in the “post-pandemic” world (if that isn’t too early to say) that are only going to increase, Cross River seems to be on to something. Goldfeder said that Covid showed the rest of the world what the fintech space has known for ten years, that added value for customers and partners means innovation.
“Post-pandemic, where I think there was a larger recognition from the financial services industry of the need to innovate,” Goldfeder said. “Cross River is always known that we need to innovate… The post-pandemic dynamic we recognize that there’s tremendous value in creating a more formal venture arm to examine, explore companies that we can invest in to help them grow, help them succeed, and …. increase our support of our partners.”
Bloomberg reported Cross River is in secret talks to raise $200 million of funding at a valuation of $2.5 billion or more. The bank previously raised $100 million in 2018 in a round led by KKR, deBanked reported, and in 2016 raised $28 million.
Robinhood Pays Fine, Files For IPO
July 2, 2021
Fractional retail investing app Robinhood filed for IPO on Thursday, registering for a public listing on the Nasdaq under the stock ticker HOOD. The S-1 filing shows the platform has 18 million accounts and made $7.45M last year.
The news comes days after FINRA fined Robinhood $57M and ordered the firm to pay $13M in restitution to retail investors locked out of trading during the GameStop and meme stock craze in Q1 2021. FINRA is a self-regulating brokerage industry organization that handed Robinhood its largest fine ever.
The firm also paid out $65M to settle an SEC charge that alleged the firm did not accurately disclose how Robinhood made money: the truth is they sell orders they receive to larger market-making hedge funds.
After the firm’s leadership faced questioning by Congress over allegedly disenfranchising traders, the filing shows that Robinhood has paid dearly. The filing reports the firm lost $1.4B in Q1 2021 after being forced to raise billions of dollars overnight to cover the cost of the trading explosion. While options trading ballooned prices through the roof, Robinhood found itself strapped for cash.
The firm has raised $5.5B since 2013, including a combined $3.4B during and since the meme stock craze. They plan to raise $100M from the listing, though that number is regularly used as a stand-in for public filings.
The firm said that the FINRA judgment was part of a deal to release the S-1 filing at long last, delayed by regulators and their concerns over the cryptocurrency side of the trading app. The filing said that Robinhood plans to allocate up to 35% of its shares for its platform users.
8.4 Billion Passwords Breached: Are you sure the customer you’re emailing with is really your customer?
June 18, 2021
Most financial companies consider their own security, ever-vigilant for attacks on their own systems, but data breaches taking place everywhere else still create new risks to deal with. What happens if those around you are severely compromised and nobody knows?
Will LaSala, the Director of Security Solutions at OneSpan, saw a giant red blip on the radar last week, the largest compilation of leaked passwords in history. A file containing 100 GB of 8.4 billion passwords appeared on a popular hacker forum.
Need your merchant to send you their bank log-ins to set up ACH payments? That is exactly when hackers can get you, LaSala said. LaSala said that these leaks have become more common this past year as the world became digital-first.
“So passwords are really a weak form of authentication, right? If you’re using a password today, you’re asking to be hacked,” LaSala said. “With this breach alone, it’s probably close to 25 billion credentials that are out in the dark web today.”
Dubbed ‘RockYou2021,’ it’s a shocking breach of collected data, even larger than the 3.2 billion email and password combinations leaked in February this year.
There are only 4.5 billion internet users, according to Statista, so that’s a lot of passwords. The only way to stop the steal is to get ahead of the blistering rate at which algorithm tech is evolving, through multi-factor authentication, LaSala said. Many believe their passwords are safe, he said, because just five years ago they were unbreakable. Some of these now can be cracked in seconds.
“We saw the death of an [encryption] algorithm called DES about six or seven years ago now,” LaSala said. “Very soon after that, we saw the death of the next algorithm, which was called triple-DES. People did not believe that those algorithms could be cracked in the amount of time that it was.”
LaSala said that ultimately, without multiple factors, data is easy to take. Some hackers don’t just steal data or finances the moment they get access to it either, LaSala warned, but instead dig deep into systems for years, even decades. There, they may steal data quietly undetected or focus on installing backdoors to ensure their access is permanent.
Perhaps many financial companies are already monitoring for this type of intrusion, but what to make of the possibility that their customers have been compromised? How do they know that they’re even communicating with their actual customers? They could do well to advise their customers to use multi-factor authentication in everything else they do online, not just with them. It would probably be to everyone’s benefit.
“The ability to use something you have like a mobile device, plus something like a pin, or even a fingerprint or a base ID, you combine those different factors of authentication together, and it makes it so that breaches like this, you’re not going to get caught up in anymore,” LaSala said.
Marqeta Goes Public on The NASDAQ
June 9, 2021
Marqeta went public on the Nasdaq this afternoon, raising $1.2 billion and pricing higher than expectations. The firm priced 45.5 million shares at $27, and prices rose to over $30 a share.
Marqeta sells payment tech designed to detect fraud by issuing physical cards to independent contractor firms like DoorDash and Instacart. Contractors use Marqeta cards at point-of-sale in restaurants and supermarkets. Marqeta also enables Square’s Cash App debit card and Buy Now Pay Later fintech firms Affirm and Klarna to move money.
The firm applied for a public offering on May 15th, posting an annualized first quarter 2021 revenue growth of 123% to $108 million and a 2020 annual revenue that had doubled to $290.3 million.
Hey Cool Cats and Kittens, Let’s Reform Banking
May 12, 2021
“Hey, all you cool cats and kittens in the banking industry, it’s Carole Baskin from Big Cat Rescue, you might remember from Tiger King. I’m married to a former banker,” Carole Baskin, TV star of Tiger King, said. “Yeah, love that Howie Baskin. Anyway, I just wanted to tell you guys about a new report….”
Baskin, known for her competing tiger tourism venture in Florida, and the myth that she had something to do with the disappearance of her late husband Don Lewis sometime in 1997, appeared in a Cameo video for a banking-as-a-service company called 11:FS. It’s an advertisement for a special report available on their website.
11:FS offers a “financial service operating system,” information and reports, and digital services.
This week Baskin also launched a $CAT cryptocurrency to let users buy her t-shirts without the US dollar.
AFC Trade Group Surpasses 100 Members
May 12, 2021
Two months ago, the Marketplace Lending Association and Online Lending Policy Institute merged, forming the American Fintech Council (AFC).
American Fintech Council has grown to 107 members. The trade group is a cross-section of payments, lending, legal, and data sectors of the fintech industry, set to lobby Washington lawmakers and set standards. The member list includes names like LendingClub, Varo, SoFi, Cross River, and Rocket Mortgage. The group also launched a Community Advisory Board, with Boston University and Cambridge departments of alternative finance working on “responsible practices in the industry.”
“The American Fintech Council is poised to play a critical role in the US regulatory landscape,” Colin Walsh, founder-CEO of Varo, said in a press release.
According to the website, the group’s core principles include:
1. Supporting the use of technology to develop financial services to enrich people’s lives.
2. Offering affordable, transparent, and responsible products.
3. Advancing financial inclusion and racial equity.
4. Embracing and supporting regulation that furthers and promotes responsible innovation.
Members must support a 36% APR cap on the cost of loans, adhere to the Small Business Borrower’s Bill of Rights, and offer “transparent products and fees.”
“We are thrilled to welcome these new members and leadership groups to the AFC team and look forward to working with them to promote policies that create an open and efficient marketplace that benefits everyone,” said Garry Reeder, CEO of the AFC. “Our members are constantly working to better serve consumers and communities around the country.”
The Death of A Thousand Financial Companies
April 28, 2021
Unfortunately, Deleting Your Business May Not Be An Option One Can Risk.
In March 2021, deBanked revealed that 7.5% of DailyFunder’s user base that had existed in March 2020 was lost during the pandemic. DailyFunder, of course, is the most widely used forum for small business finance brokers and the statistic offered one of the most compelling insights into the damage inflicted on the industry.
A loss was defined as a user whose email address ceased to exist. It was either deleted or the domain name was not renewed. It was a startling revelation. And yet, in a sign of optimism, DailyFunder added more new users in that 12 month time frame than were lost.
And yet, is anything ever truly deleted in the digital age? And how did it come to pass that the owners of these companies believed deletion to be a preferable outcome to transference? Surely as a thousand brokerages closed, there would have been an eager buyer to scoop them up, even if the sales price was for pennies?
And so I arrived at a theory, that companies that simply wound up and disappeared rather than sold themselves off, probably left behind a digital footprint that still drew in prospective customers, a path that ultimately led nowhere. A competitor might rejoice at that outcome but it’s not exactly a net gain because that customer may have decided to go somewhere else or nowhere else instead. Someone else’s loss wasn’t their win. Even the customer was a net loser. That could be resolved, of course, if the competition simply acquired the expired domain names of their fallen competitors, something that could be reasonably achieved for the price of ten bucks through any domain name registrar.
Outside of the small business finance industry, such tactics are commonplace. One can simply go on GoDaddy’s domain auctions to see the never-ending revolving door of expiring domains which are often ranked and priced on the basis of how much traffic they stand to generate, mainly because of the past owners’ efforts.
According to WhoIsHostingThis, 70% of all web domains fail to be renewed 1 year after they’re purchased. “[41% of these expired domains] go on to be snapped up and registered by other users to potentially benefit and profit from,” they say. And there is nothing controversial about this. This is simply a standard of the world wide web. Your fallen online business is recycled as someone else’s marketing tool.
Applying that math to the small business finance industry at hand, that would mean that of 1,000 brokerage failures, 41% of the expired domain names are going to be acquired by someone else or they already have been. And if the expired domain only costs $10 (and they’re not all this cheap), then theoretically one could acquire the web traffic of 410 failed brokers for roughly $4,000.
WHOA.
The realization led me to conduct a controlled experiment, one in which I would try to prove this theory for a deBanked story.
I bought roughly twenty expired domains, intentionally leaning toward older ones, domains that had been expired for 2-10 years rather than recent casualties of the pandemic. Once completed, I jotted down my hypothesis, that these domain names probably produced some level of prospective customer traffic.
When my experiment concluded, I became alarmed, even sick, over what the results taught me. Deletion, I learned, is an outcome that no business, let alone a financial services company, can afford to surrender themselves to.
Here’s why:
Among the first steps taken was to create a “catch-all” email account on each domain so that if a former owner of a domain came along and tried to contact me, I would get it no matter which address they tried and that I would be able to tell them that I had acquired it accordingly and even tell them my theory!
No marketing or anything was done for any of the domains. I simply acquired them and let them sit stagnant. I did not resurrect whatever their old websites were. And yet, I received thousands and thousands of emails, none from what I could tell were from former owners.
It’s important to state that I did not use these accounts to actually do anything, but that these vulnerabilities came to light by virtue of monitoring the inbound emails these domains accrued.
Some domain names still had control of social media accounts like business Facebook pages and Twitter accounts. Someone could not only acquire your old domain, but use it to resurrect and use dormant social media accounts, including being able to view all past private correspondence on them. Yikes.
Some domain names were still attached to active bank accounts, credit card accounts, or financial services. Correspondence regarding these accounts was still being transmitted to them. When you delete a domain, you need to make sure its access is revoked from every account you have, especially bank accounts. Some received NSF notices or were being subject to debt collection efforts.
Every domain name was subscribed to newsletters or communities or some service that one could use to learn personal information or business information about the previous owner.
Unknown but likely is that some of these domains may have been the “lost password” email address of record for other accounts online, a particularly troubling thought.
As the litany of stroke-inducing vulnerabilities piled up, then came live correspondence. Lenders wanted to know where to send a still-owed commission, a borrower was reaching out for customer service, old business partners were trying to rekindle past relationships.
Presumably such domains could give someone access to portals or databases where previous customer data was held. This implies that not only is the old domain owner at risk but that business vendors that had not disabled access to their systems for the defunct users could also be at risk from nefarious actors now in control of email addresses belonging to former customers.
A nefarious actor could surely dream up still more ways to carry out compromising acts. I disabled incoming email altogether for the domains pretty soon into my aforementioned discoveries so that emails to those domains would simply bounce back and indicate to the sender that there’s nobody there anymore.
And my original hypothesis had been blown to smithereens. These domains generated no material web traffic of note, except for probing “bots” instead of human users. What I thought might be a hidden source of web traffic, a clever insight on internet marketing 101, instead turned out to be a glimpse into a business’s worst nightmare.
No matter how much one’s business has failed, control over the domain name should be preserved at all cost, that is, unless all of the above vulnerabilities are addressed first and completely.
Originally, the costs of this journalistic experiment were to be recouped by simply reselling the domains onto the public market for fair market value. Instead, they were simply cancelled, cast back in the sea anonymously, where anyone else could buy them and do whatever they want with them. I, however, made no effort to alert anyone’s attention to them.
The publication of this story was delayed as I, the journalist, had to weigh the merits of disclosing my findings. But as the data says, 41% of expired domains are going to get snapped up anyway. And true to form, I was actually outbid by other unknown buyers for some of the original domain names I had hoped to acquire for my experiment. A financial service company’s domain, and all the vulnerabilities with it, were sold to bidders willing to pay $30, $40, or $50+ versus my $10-$20 or so budget. That seems a terrifyingly small cost. And I highly doubt they were journalists.
Perhaps those domains are generating web traffic, but if they’re not, one has to ponder why someone would want to acquire the lapsed domains of so many dead financial service companies. And post-pandemic, there are too many to count.
If the death of a thousand companies has taught me anything, it’s that even business failure needs a well thought-out security plan. Otherwise one risks death by a thousand cuts.
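The vendor-side exposure described above, where a portal still trusts the email address of a defunct customer, can be audited by comparing each account's opening date with the current registration date of its email domain. The following is an added example, not part of the original article; the account list, the domain names and the registration table are constructed, and in practice the dates would come from RDAP or WHOIS lookups.

```python
from datetime import date

# Constructed sample data. A real audit would fill this table from RDAP/WHOIS
# lookups; it is embedded here so the example runs offline.
REGISTRATIONS = {
    "acme-funding.example": date(2012, 3, 1),     # held continuously
    "fastcap-brokers.example": date(2021, 2, 9),  # registered again after a lapse
    # "gone-capital.example" is absent: nobody holds it right now
}

ACCOUNTS = [  # (login email, date the portal account was opened), constructed
    ("ops@acme-funding.example", date(2016, 5, 4)),
    ("Joe@FastCap-Brokers.example", date(2017, 8, 20)),
    ("iso@mail.fastcap-brokers.example", date(2021, 6, 1)),
    ("deals@gone-capital.example", date(2018, 1, 15)),
    ("not-an-address", date(2019, 1, 1)),
]


def registration_date(host, registrations):
    """Return the registration date of the closest registered parent domain."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host name towards the registrable domain,
    # never testing the bare top-level label.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in registrations:
            return registrations[candidate]
    return None


def classify(email, opened, registrations):
    """Classify one account by the state of its email domain."""
    local, sep, host = email.rpartition("@")
    if not sep or not local or not host:
        return "INVALID"
    registered = registration_date(host, registrations)
    if registered is None:
        # Anyone can register the domain and receive password-reset mail.
        return "LAPSED"
    if registered > opened:
        # The domain changed hands after the account was opened.
        return "REREGISTERED"
    return "OK"


def audit(accounts, registrations):
    """Map each login email to its classification."""
    return {email: classify(email, opened, registrations)
            for email, opened in accounts}


if __name__ == "__main__":
    for email, status in audit(ACCOUNTS, REGISTRATIONS).items():
        print(f"{status:13} {email}")
```

Accounts flagged LAPSED or REREGISTERED are candidates for suspending email-based password reset and notifications until the customer is re-verified through another channel.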