ValueWalk’s interview with Michael Lynch, Chief Strategy and Product Officer, Deep Labs. In this interview, Michael discusses his and his company’s backgound, fraud-prevention strategies for real time payments, the problems with Zelle, Venmo and other big fintech giants, the three-day good funds model that banks use for wire transfers, if Chase is offering safe real time transfers, fraudsters using social engineering to transfer money, FedNow, the role of Libra and crytocurrencies in real time payments, using AI or machine learning to predict problematic payments, legislation related to consumer protection, and the the potential for fraud in persons to person payments.
Interview with Deep Labs’ Michael Lynch
Q2 hedge fund letters, conference, scoops etc
Can you tell us about your background?
Here at Deep Labs I am the Chief Strategy and Product officer.
Prior to Deep Labs I was with American Express after they acquired my former company InAuth, a device intelligence company. At American Express, I worked across a few lines of business on risk, fraud, and identity verification.
At InAuth, prior to acquisition I was the Chief Strategy Officer and led product and marketing for a period of time as well.
Prior to that role, I spent nearly 15 years with Bank of America, including senior vice president roles, responsible for authentication strategy, fraud prevention, risk. I was specifically accountable for login, transaction risk assessments, new applications fraud, money movement risk, etc. Part of that would be responsibility for the defenses and authentication strategies for financial transactions and money movement such as in real time payments.
What about your company?
Founded in 2016 by a team of experienced payments and signals intelligence experts, Deep Labs has created a machine intelligence platform that leverages persona-based dynamic risk & propensity profiles.
Deep Labs’ context-aware platform can use persona-based intelligence to better differentiate between a fraudulent transaction and a legitimate one. We are therefore able to provide a solution, based on our ability to distinguish between different contexts, that allows the banks, the payment networks and the various merchants to really understand the context surrounding that transaction.
The use of personas improves consumer activity verification and engagement by determining the likely needs or activities of that individual, based on past behaviors and external variables.
Deep Labs’ patented machine learning technology provides key insights on identity behavior through billions of calculations, iterative insights and process analytics.
Our platform connects authentication, device, behavior, and transaction data for modeling across customer interaction points and solves for siloed views of customer interactions across channels.
On problems with real time payments - can you in provide a brief breakdown of the basics for us?
There are several vulnerability points in real time payments, and specifically person to person payments.
Account takeover is the biggest opportunity for fraudsters. Account takeover, where a fraudster gains access to a victim's account, typically leads to unauthorized fraudulent transactions.
Account takeover fraud (ATO) is still trending upward, especially in the financial services sector. According to Javelin, existing account takeover fraud tripled in 2018 to 1.5% of all US-based consumers.
Contributing factors to the account takeover increase include:
- Mass data breaches
- Poor consumer hygiene on passwords
- Social engineering
- Slow adopters to biometrics
- Malware
- Credential theft and credential stuffing
- Increasing sophistication of BOTS
All organizations need new fraud-prevention strategies for real time payments
Any organization that conducts real time payments transactions via mobile or web browser, and is transmitting sensitive information such as the case with real time payments, can benefit from a machine intelligence platform. By combining the right signals such as device intelligence, behavior analytics, session and user data, it finds anomalies in real time that a human could not detect, with no additional friction to the user.
Devices have thousands of attributes, such as device operating system, product information and display information. The behavior patterns with such factors such as movement, navigation, geolocation, and detection on man vs. machine are critical.
By using a data-driven approach and conducting machine learning interrogation across both an individual session and the universe of authentication sessions and transactions, profiles of legitimate “personas” can be created based on user patterns, devices, transaction history, and behaviors. Machine learning based on context helps create this persona, which is a 360 degree customer view and 360 degree view of the objects around that person – that’s persona-based intelligence. The use of persona is critical as knowing how a person, their behavior, and the actors around them change as someone travels through space and time are important to authentication, particularly account takeover, to both find risk and eliminate false declines.
Purely rules-based and supervised learning platforms are no longer enough. Using historical patterns can predict some fraud, but will not prevent new evolving patterns as they emerge for the first time. True machine intelligence, based on deep learning, can make inferenced-based decisions through activity related to a user’s account or groups of accounts, across channels, without generating false declines.
Fraud Examples in consumer real time person to person payments
There are several ways criminals attack real time person to person payments, including social engineering, spoofed calls, and phishing.
Criminals are also using more sophisticated and automated attacks that can quickly overwhelm detection systems. For example, Bots are used to attempt logins to accounts at a high rate of speed using information obtained from breaches or purchased on the dark web. Also, financial crimeware is a type of malware that looks for credentials such as passwords and user IDs on a victim’s device for financial-based applications. Consumers may be tricked into loading these apps from third party sites rather than official app stores.
Venmo had significant fraud in 2018. In response, it stopped allowing customers to transfer funds instantly to their bank accounts and blacklisted tens of thousands of users. At the time, Venmo also stopped letting customers send and receive money through its website. In the process, legitimate user transactions were also declined.
Fraudsters attacked Venmo in a few different ways. One was traditional account takeover, getting access to existing Venmo users accounts and transferring out their funds. Another was creating new Venmo accounts and loading stolen credit cards to send money to accomplices. Fortunately for consumers, Venmo will most times reimburse the consumer for this type of fraudulent activity.
Venmo users have also been scammed in other ways. For example, a “buyer” contacts a seller about something they are selling online such as tickets. They offer to pay with Venmo and the payment appears in the seller’s account. The owner of the item will ship or electronically send the goods. After a few days, Venmo reverses the transaction. The fact is that it takes several days for payments to be processed but payments appear to be instant. If the Venmo user is a fraudster, the funds may never truly be moved to the sellers account. It’s possible that the person who paid will file a claim with Venmo, or the person might use a stolen credit card number to fund the payment. The real owner of that credit card may notify their credit card company, or the credit card company may detect the fraud, and the payment will be cancelled.
Another popular platform is Zelle which allows you to send money simply using a person’s email address or phone number. The cash is transferred in minutes, versus what used to take days.
However, Zelle was also a target of fraud in the past. Fraudsters may have targeted Zelle because it's embedded within banking apps and automatically connected to user bank accounts.
The Zelle platform itself is secure. It’s not the fault of Zelle, which applies multifactor authentication, identity verification, and real time fraud alerts. Fraudsters know the weak part is the consumer. Criminals will use social engineering, appearing to be their bank fraud department calling to verify a customer’s identity, asking for their one-time passcode, the information they need to complete a transaction. Thieves use spoofed calls, phone calls that look like they’re coming from an individual’s bank.
Consumers should know that their bank won’t call and ask for info such as a passcode or text code. Consumers should set up alerts so that any time money is moved from their account they are alerted.
I once sent a payment on zelle which was one number off and I was unable to retrieve the money - can you tell us more about the problems with Zelle, Venmo and other big fintech giants?
Zelle’s consent (terms and conditions) is pretty clear that once you send money to someone, the payment can’t be cancelled. Your options would then be to work through your bank or Zelle customer service to hope to retrieve the funds, although there are no guarantees.
When you send money to a Venmo user, the amount is automatically added to their account balance. Because sending money through Venmo is instantaneous, you can't cancel a payment once it's been sent. If the person to whom you accidentally sent money is a Venmo user, you'll have to send them a request for the amount to be returned.
What about more established fintech firms like Paypal?
PayPal - If the payment status is completed, you need to ask the recipient to send you a refund. If the funds are not returned, you can set up a dispute via PayPal.
Why do wire transfers normally take a few days - is this really for protection or is that just an excuse?
Large transfers move through a process of many steps. For fraud protection and due to the larger limits on wires and therefore the greater the loss potential, banks have slowed down the process to reduce the chance of fraud. The receiving banks often take days for funds to be released to customers because they are following a "three-day good funds model", holding the funds for three days to ensure it’s not a fraudulent transaction.
The other timing factor is that there are multiple steps in the process:
- The originating bank sends transactions in batches to an automated clearinghouse.
- The automated clearinghouse sorts through the batch transactions and the moves them on to the receiving bank.
- The receiving bank may actually have the funds the same day or the next day. But the receiving bank may hold the funds due to potential fraud.
Now companies like Chase are offering real time transfers (at least between Chase accounts) how do they ensure this does not lead to fraud or other serious problems?
This should generally be a safe approach. If both are Chase accounts, they both would have been vetted via the AML and identity verification services. Chase would know the tenure of the accounts, be able to look for suspicious activity on either account, etc. From a bank to an external account would add more risk and they would have no visibility into whether that outside account was suspicious, or perhaps whether account takeover had occurred on the originating account and that the second account was a mule account. This is the situation as described with Zelle fraud scenarios previously.
If payments are going to be instant how can firms make sure they are not helping drug gangs, money laundering etc?
Money laundering, handling funding for drug gangs, or even terrorist financing is possible for criminals. Criminals may entice legitimate users to give them their account details, enabling them to transfer money.
In some known cases, legitimate users have been tricked via social engineering into transferring their money to fraudsters. Fraudsters offer payment for assisting with the transfers or pretend to be in need of help. The legitimate user becomes a “money mule” for the fraudster.
The use of money mules has become a significant issue. Santander publicly stated it closed about 11,000 accounts in suspected money mule cases that could have been associated with money laundering, terrorist financing or other economic crimes. (https://www.theguardian.com/business/2019/feb/13/banks-close-thousands-of-money-mule-accounts-mps-told)
Is the FTC, CFPB, OCC, FED or any of them doing anything about these practices? The Federal Reserve just announced a real-time payments system -- how does that fit in here?
The Federal Reserve announced it will create a real-time payments service, to be called FedNow. (https://www.pymnts.com/news/payments-innovation/2019/federal-reserve-to-launch-fednow-instant-payments/)
They plan to build and operate a new set of real-time payment capabilities, beginning with accelerated access to employer paychecks as its first use case. However, that will not replace private sector capabilities such as Venmo, Paypal and Zelle, in my opinion, even as they add use cases.
The OCC regulates financial institutions and ensures that they meet FFIEC guidance, which prescribes the defense in depth measures they need for digital security, money movement, and other consumer protections. Moving money via real time payments would fall under their jurisdiction for regulated entities, i.e., banks transferring via Zelle.
The CFPB announced its view on real-time payments in 2015. https://files.consumerfinance.gov/f/201507_cfpb_consumer-protection-principles.pdf
The CFPB outlined its principles to ensure that consumer protections are at the forefront of new and improved payment systems.
The CFPB’s principles deal with:
- Consumer controls over payments and the ability to revoke payments
- Data and privacy protection
- Fraud and error resolution procedures
- Transparency including real-time access to information about the status of transactions, funds availability, disclosure of costs, and security of payments
- Cost and disclosure of costs
- Access through qualified intermediaries and non-depositories, such as mobile wallet providers and payment processors
- Funds availability – faster access to funds
- Security protections and credential value limits
- Strong accountability mechanisms - Commercial participants are accountable for the risks, harm, and costs they introduce to payment systems and are incentivized to prevent and correct fraudulent, unauthorized, or otherwise erroneous transactions for consumers
What about Libra or cryptocurrencies how do they fit in there?
Cryptocurrency is used in some aspects of real-time payments.
For example, IBM has entered the real-time payments world, creating a real-time, global payments network using cryptocurrencies or “stable coins.”
In 2020, Facebook will roll out its global cryptocurrency called Libra. Facebook’s goal is to provide a fast, low-cost way for people around the world to transfer money, especially those who don’t have access to traditional banking services.
Privacy regulators and central bankers have voiced concerns with the proposed Libra cryptocurrency and have stated it will be subject to the highest standards of regulation.
Although blockchain and cryptocurrencies have been noted to be secure, there is still the possibility of account takeover, and therefore still has risks for the consumer.
How is your company helping with these problems?
All organizations need new fraud-prevention strategies for real-time payments.
Any organization that conducts real time payments transactions via mobile or web browser, and is transmitting sensitive information such as the case with real time payments, can benefit from a machine intelligence platform. By combining the right signals such as device intelligence, behavior analytics, session and user data, it finds anomalies in real time that a human could not detect, with no additional friction to the user.
With account takeover, it is important to be predictive but to also make inferences using machine intelligence. Predictive intelligence helps us know what a customer is going to do or not going to do (risk) next. But even more powerful is the importance of inference-based decisions. Deep Labs uses true machine intelligence. Where other modern day neural nets need to see an event many times to take action on it, Deep Labs is able to make inference-based AI decisions and make a determination on the first event. This results in true account takeover prevention, versus detecting a fraud pattern after a series of successful fraud events which may be detected long after the fact.
What type of products do you offer?
Deep Labs uses true machine intelligence to make decisions, via its DeepDecisionTM product, on risk or even consumer propensity. Whereas other modern day neural nets need to see an event many times to take action on it, Deeps Labs is able to make inference-based AI decisions and make a decision on the first event. This results in true account takeover prevention, versus detecting a fraud pattern after a series of successful fraud events which may be detected long after the fact.
DeepIdentityTM focuses on risk in the end to end consumer lifecycle, using signals such as device, behavior, transactional history, and identity attributes to solve issues such as fraudulent account opening and account takeover.
You use AI to help you predict problematic payments - is AI the real deal or just hype?
AI/ML is the real deal. It is more important than ever to analyze data available from multiple channels, and only artificial intelligence will be able to provide the necessary key insights on behavior through billions of calculations, iterative insights, and process analytics.
Purely rules based and supervised learning platforms are no longer enough. Using historical patterns can predict some fraud, but will not prevent new evolving patterns as they emerge for the first time. True machine intelligence, based on deep learning, can make inferenced-based decisions through activity related to a user’s account or groups of accounts, across channels, without generating false declines.
How do the tech giants play into this issue?
Google and Facebook have payments mechanisms, although they are not quite “real-time payments”. Facebook may take up to 5 days. With Google Pay, times vary. A debit card or direct to another Google Pay user is the fastest, potentially available in 24 hours. A bank account may take 5 days to receive the funds.
Google Pay:
Google now offers the ability to send money to someone by e-mail using the Google Pay app and Gmail. It also offers the ability to perform faster online checkout and to pay in stores using the cards saved to your Google account.
Google Pay is well-designed and easy to use. There are various ways to use Google Pay, via integrated Google services or the dedicated Google Pay app or through other integrated Google services. And as an added benefit, there are currently no fees to use Google Wallet.
Google claims they are protecting your payment with multiple layers of security, using advanced security infrastructure to keep your account safe.
However, consumers are still vulnerable to scams, such as by sellers that are pretending to sell an item online. The seller will mention they can accept a Google payment but will ask for the buyer’s name and contact information. They will then tell the buyer they will be notified by Google with instructions. The buyer may get an email from "Google Wallet" with instructions to buy a prepaid debit card or wire the money to the seller.
Facebook:
Facebook allows you to send funds to another Facebook user. They just need to add a debit card to be paid.
Facebook does a good job of privacy and keeping payment information private. The recipient only sees the amount, users name and their profile photo when money is sent. Once a payment is accepted, it shows up in the bank within five business days.
If you could craft any legislation related to consumer protection what would it be?
- Ensure adoption of the latest best practices in security by P2P payments companies; such as real-time payments risk analysis platforms (using machine learning platforms); biometric features, behavioral analysis, device intelligence, bot detection and other best of breed data signals and technologies. Use these latest best practices to prevent fraudulent account opening, account takeover, and payments fraud.
- Raise consumer awareness and education about potential fraud scenarios in P2P, adoption of biometrics, awareness of social engineering tactics to prevent customer losses.
- More transparent rules and processes for payments disputes, whether it’s due to social engineering, account takeover, or scams by fraudsters
Final thoughts on the matter?
In summary, the potential for fraud in persons to person payments, whether they are real-time payments or otherwise, is a very serious issue for consumers that may not get enough attention. As new players enter the market, the potential for fraud will continue to grow, as fraudsters tend to follow the money. Analysis needs to be made in real time so fraudulent activity can be stopped before it happens. Accounts need to continually be monitored for account takeover attempts, using risk assessments for transactions, suspicious changes to account information, or analysis that detects fraudsters attempting to open accounts using stolen or synthetic identity information.
