Fintech
Robinhood Pays Fine, Files For IPO
July 2, 2021
Fractional retail investing app Robinhood filed for IPO on Thursday, registering for a public listing on the Nasdaq under the stock ticker HOOD. The S-1 filing shows the platform has 18 million accounts and made $7.45M last year.
The news comes days after FINRA fined Robinhood $57M and ordered the firm to pay $13M in restitution to retail investors locked out of trading during the GameStop and meme stock craze in Q1 2021. FINRA is a self-regulating brokerage industry organization that handed Robinhood its largest fine ever.
The firm also paid out $65M to settle an SEC charge that alleged the firm did not accurately disclose how Robinhood made money: the truth is they sell orders they receive to larger market-making hedge funds.
After the firm’s leadership faced questioning by Congress over allegedly disenfranchising traders, the filing shows that Robinhood has paid dearly. The filing reports the firm lost $1.4B in Q1 2021 after being forced to raise billions of dollars overnight to cover the cost of the trading explosion. While options trading ballooned prices through the roof, Robinhood found itself strapped for cash.
The firm has raised $5.5B since 2013, including a combined $3.4B during and since the meme stock craze. They plan to raise $100M from the listing, though that number is regularly used as a stand-in for public filings.
The firm said that the FINRA judgment was part of a deal to release the S-1 filing at long last, delayed by regulators and their concerns over the cryptocurrency side of the trading app. The filing said that Robinhood plans to allocate up to 35% of its shares for its platform users.
8.4 Billion Passwords Breached: Are you sure the customer you’re emailing with is really your customer?
June 18, 2021
Most financial companies consider their own security, ever-vigilant for attacks on their own systems, but data breaches taking place everywhere else still create new risks to deal with. What happens if those around you are severely compromised and nobody knows?
Will LaSala, the Director of Security Solutions at OneSpan, saw a giant red blip on the radar last week, the largest compilation of leaked passwords in history. A file containing 100 GB of 8.4 billion passwords appeared on a popular hacker forum.
Need your merchant to send you their bank log-ins to set up ACH payments? That is exactly when hackers can get you, LaSala said. LaSala said that these leaks have become more common this past year as the world became digital-first.
“So passwords are really a weak form of authentication, right? If you’re using a password today, you’re asking to be hacked,” LaSala said. “With this breach alone, it’s probably close to 25 billion credentials that are out in the dark web today.”
Dubbed ‘RockYou2021,’ it’s a shocking breach of collected data, even larger than the 3.2 billion email and password combinations leaked in February this year.
There are only 4.5 billion internet users, according to Statista, so that’s a lot of passwords. The only way to stop the steal is to get ahead of the blistering rate algorithm tech is evolving through multi-factor authentication, LaSala said. Many believe their passwords are safe, he said, because just five years ago they were unbreakable. Some of these now can be cracked in seconds.
“We saw the death of an [encryption] algorithm called DES about six or seven years ago now,” LaSala said. “Very soon after that, we saw the death of the next algorithm, which was called triple-DES. People did not believe that those algorithms could be cracked in the amount of time that it was.”
LaSala said that ultimately, without multiple factors, data is easy to take. Some hackers don’t just steal data or finances the moment they get access to it either, LaSala warned, but instead dig deep into systems for years, even decades. There, they may steal data quietly undetected or focus on installing backdoors to ensure their access is permanent.
Perhaps many financial companies are already monitoring for this type of intrusion, but what to make of the possibility that their customers have been compromised? How do they know that they’re even communicating with their actual customers? They could do well to advise their customers to use multi-factor authentication in everything else they do online, not just with them. It would probably be to everyone’s benefit.
“The ability to use something you have like a mobile device, plus something like a pin, or even a fingerprint or a base ID, you combine those different factors of authentication together, and it makes it so that breaches like this, you’re not going to get caught up in anymore,” LaSala said.
Marqeta Goes Public on The NASDAQ
June 9, 2021
Marqeta went public on the Nasdaq this afternoon, raising $1.2 billion and pricing higher than expectations. The firm priced 45.5 million shares at $27, and prices rose to over $30 a share.
Marqeta sells payment tech designed to detect fraud by issuing physical cards to independent contractor firms like DoorDash and Instacart. Contractors use Marqeta cards at point-of-sale in restaurants and supermarkets. Marqeta also enables Square’s Cash App debit card and Buy Now Pay Later fintech firms Affirm and Klarna to move money.
The firm applied for a public offering on May 15th, posting an annualized first quarter 2021 revenue growth of 123% to $108 million and a 2020 annual revenue that had doubled to $290.3 million.
Hey Cool Cats and Kittens, Let’s Reform Banking
May 12, 2021
“Hey, all you cool cats and kittens in the banking industry, it’s Carole Baskin from Big Cat Rescue, you might remember from Tiger King i’m married to a former banker,” Carole Baskin, TV star of Tiger King, said. “Yeah, love that Howie Baskin. Anyway, I just wanted to tell you guys about a new report….”
Baskin, known for her competing tiger tourism venture in Florida, and the myth that she had something to do with the disappearance of her late husband Don Lewis sometime in 1997, appeared in a Cameo video for banking-as-a-service company called 11:FS. It’s an advertisement for a special report available on their website.
11:FS offers a “financial service operating system,” information and reports, and digital services.
This week Baskin also launched a $CAT cryptocurrency to let users buy her t-shirts without the US dollar.
AFC Trade Group Surpasses 100 Members
May 12, 2021
Two months ago, the Marketplace Lending Association and Online Lending Policy Institute merged, forming the American Fintech Council (AFC).
American Fintech Council has grown to 107 members. The trade group is a cross-section of payments, lending, legal, and data sectors of the fintech industry, set to lobby Washington lawmakers and set standards. The member list includes names like LendingClub, Varo, SoFi, Cross River, and Rocket Mortgage. The group also launched a Community Advisory Board, with Boston University and Cambridge departments of alternative finance working on “responsible practices in the industry.”
“The American Fintech Council is poised to play a critical role in the US regulatory landscape,” Colin Walsh, founder-CEO of Varo, said in a press release.
According to the website, the group’s core principles include:
1. Supporting the use of technology to develop financial services to enrich people’s lives.
2. Offering affordable, transparent, and responsible products.
3. Advancing financial inclusion and racial equity.
4. Embracing and supporting regulation that furthers and promotes responsible innovation.
Members must support a 36% APR cap on the cost of loans, adhere to the Small Business Borrower’s Bill of Rights, and offer “transparent products and fees.”
“We are thrilled to welcome these new members and leadership groups to the AFC team and look forward to working with them to promote policies that create an open and efficient marketplace that benefits everyone,” said Garry Reeder, CEO of the AFC. “Our members are constantly working to better serve consumers and communities around the country.”
The Death of A Thousand Financial Companies
April 28, 2021Unfortunately, Deleting Your Business May Not Be An Option One Can Risk.
In March 2021, deBanked revealed that 7.5% of DailyFunder’s user base that had existed in March 2020, was lost during the pandemic. DailyFunder, of course, is the most widely used forum for small business finance brokers and the statistic offered one of the most compelling insights into the damage inflicted on the industry.
A loss was defined as a user whose email address ceased to exist. It was either deleted or the domain name was not renewed. It was a startling revelation. And yet, in a sign of optimism, DailyFunder added more new users in that 12 month time frame than were lost.
And yet, is anything ever truly deleted in the digital age? And how did it come to pass that the owners of these companies believed deletion to be a preferable outcome to transference? Surely as a thousand brokerages closed, there would have been an eager buyer to scoop them up, even if the sales price was for pennies?
And so I arrived at a theory, that companies that simply wound up and disappeared rather than sold themselves off, probably left behind a digital footprint that still drew in prospective customers, a path that ultimately led nowhere. A competitor might rejoice at that outcome but it’s not exactly a net gain because that customer may have decided to go somewhere else or nowhere else instead. Someone else’s loss wasn’t their win. Even the customer was a net loser. That could be resolved, of course, if the competition simply acquired the expired domain names of their fallen competitors, something that could be reasonably achieved for the price of ten bucks through any domain name registrar.
Outside of the small business finance industry, such tactics are commonplace. One can simply go on Godaddy’s domain auctions to see the never-ending revolving door of expiring domains which are often ranked and priced on the basis of how much traffic they stand to generate, mainly because of the past owners’ efforts.
According to WhoIsHostingThis, 70% of all web domains fail to be renewed 1 year after they’re purchased. “[41% of these expired domains] go on to be snapped up and registered by other users to potentially benefit and profit from,” they say. And there is nothing controversial about this. This is simply a standard of the world wide web. Your fallen online business is recycled as someone else’s marketing tool.
Applying that math to the small business finance industry at hand, that would mean that of 1,000 brokerage failures, 41% of the expired domain names are going to be acquired by someone else or they already have been. And if the expired domain only costs $10 (and they’re not all this cheap), then theoretically one could acquire the web traffic of 410 failed brokers for roughly $4,000.
WHOA.
The realization led me to conduct a controlled experiment, one in which I would try to prove this theory for a deBanked story.
I bought roughly twenty expired domains, intentionally leaning toward older ones, domains that had been expired for 2-10 years rather than recent casualties of the pandemic. Once completed, I jotted down my hypothesis, that these domain names probably produced some level of prospective customer traffic.
When my experiment concluded, I became alarmed, even sick, over what the results taught me. Deletion, I learned, is an outcome that no business, let alone a financial services company, can afford to surrender themselves to.
Here’s why:
Among the first steps taken was to create a “catch-all” email account on each domain so that if a former owner of a domain came along and tried to contact me, I would get it no matter which address they tried and that I would be able to tell them that I had acquired it accordingly and even tell them my theory!
No marketing or anything was done for any of the domains. I simply acquired them and let them sit stagnant. I did not resurrect whatever their old websites were. And yet, I received thousands and thousands of emails, none from what I could tell were from former owners.
It’s important to state that I did not use these accounts to actually do anything, but that these vulnerabilities came to light by virtue of monitoring the inbound emails these domains accrued.
Some domain names still had control of social media accounts like business facebook pages and twitter accounts. Someone could not only acquire your old domain, but use it to resurrect and use dormant social media accounts, including being able to view all past private correspondence on them. Yikes.
Some domain names were still attached to active bank accounts, credit card accounts, or financial services. Correspondence regarding these accounts was still being transmitted to them. When you delete a domain, you need to make sure its access is revoked from every account you have, especially bank accounts. Some received NSF notices or were being subject to debt collection efforts.
Every domain name was subscribed to newsletters or communities or some service in which one could use to learn personal information or business information about the previous owner.
Unknown but likely is that some of these domains may have been the “lost password” email address of record for other accounts online, a particularly troubling thought.
As the litany of stroke-inducing vulnerabilities piled up, then came live correspondence. Lenders wanted to know where to send a still-owed commission, a borrower was reaching out for customer service, old business partners were trying to rekindle past relationships.
Presumably such domains could give someone access to portals or databases where previous customer data was held. This implies that not only is the old domain owner at risk but that business vendors that had not disabled access to their systems for the defunct users could also be at risk from nefarious actors now in control of email addresses belonging to former customers.
A nefarious actor could surely dream up still more ways to carry out compromising acts. I disabled incoming email altogether for the domains pretty soon into my aforementioned discoveries so that emails to those domains would simply bounce back and indicate to the sender that there’s nobody there anymore.
And my original hypothesis had been blown to smithereens. These domains generated no material web traffic of note, except for probing “bots” instead of human users. What I thought might be a hidden source of web traffic, a clever insight on internet marketing 101, instead turned out to be a glimpse into a business’s worst nightmare.
No matter how much one’s business has failed, control over the domain name should be preserved at all cost, that is unless, all of the above vulnerabilities are addressed first and completely.
Originally, the costs of this journalistic experiment were to be recouped by simply reselling the domains onto the public market for fair market value. Instead, they were simply cancelled, cast back in the sea anonymously, where anyone else could buy them and do whatever they want with them. I, however, made no effort to alert anyone’s attention to them.
The publication of this story was delayed as I, the journalist, had to weigh the merits of disclosing my findings. But as the data says, 41% of expired domains are going to get snapped up anyway. And true to form, I was actually outbid by other unknown buyers by some of the original domain names I had hoped to acquire for my experiment. A financial service company’s domain and all the vulnerabilities with it, were sold to bidders willing to pay $30, $40, or $50+ versus my $10-$20 or so budget. That seems a terrifyingly small cost. And I highly doubt they were journalists.
Perhaps those domains are generating web traffic, but if they’re not, one has to ponder why someone would want to acquire the lapsed domains of so many dead financial service companies. And post-pandemic, there are too many to count.
If the death of a thousand companies has taught me anything, it’s that even business failure needs a well thought-out security plan. Otherwise one risks death by a thousand cuts.
Governor Phil Murphy on Fintech in New Jersey
April 14, 2021
In a joint webinar between Choose New Jersey, FinTech Ireland, the New Jersey City University School of Business, and others, NJ Governor Phil Murphy kicked off the event by saying that his state’s object is nothing short of being the state of innovation, where new ventures can take shape, companies can expand, and people can raise a family.
Murphy’s participation in Irish fintech collaboration was steeped in his commitment to international relations and business.
“The fintech business in particular is a big part of our economy,” Murphy said. “We’ve got proximity to New York City’s financial markets and as a result we’ve become sort of the perfect home for fintech companies. We have 145 fintech companies headquartered in New Jersey.”
The island of Ireland, by comparison, is home to nearly 250 indigenous fintech companies, according to the latest Fintech Ireland map. Recently, Irish fintech companies ranked the United States and Canada as their #1 priority region for expansion.
New Jersey is hoping to benefit from transatlantic opportunities this might present.
“There’s no better place in America than to plant your flag here in New Jersey,” Murphy said. “To those who are considering [it], it’ll be the best decision you ever make.”
The Governor also revealed that his family is descended from Donoughmore, County Cork and that he hopes to make a state trip to the republic soon.
Ireland’s Fintech Industry May Be Coming to North America
March 16, 2021
Americans asked to name an Irish fintech company often say Stripe, the company founded by two Ireland-born brothers that is dual headquartered in San Francisco and Dublin. Recently valued at $95 billion, its financial backers include Sequoia Capital and the Irish government via the National Treasury Management Agency.
Stripe’s Irish roots may not be a one-off. Though the Republic’s entire population (4.9M) is less than that of New York City (8.7M), it is home to nearly 250 indigenous fintech companies, dozens of which offer lending and payment products, according to the latest Fintech Ireland map. And many have expansion plans in the works.
Despite the close proximity to the UK, the United States and Canada tied for the #1 priority region that homegrown Irish fintech companies said they want to expand to, according to Fintech Ireland’s industry survey. The UK came in 2nd. The majority of Irish fintech companies actually said they prioritized expansion plans for the US and Canada even over expansion in their home country.
A flight from New York to Dublin can be shorter than a flight from New York to San Francisco and Ireland’s primary language is English. 7,000 people work in fintech in Ireland, the bulk of which are based in Dublin.
deBanked evaluated the market in-person during the Fall of 2019 and determined that there are many cultural and operational similarities to the US. A follow-up piece in May 2020 captured how the industry there was faring through the Covid pandemic.
