Sarah Mirsky-Terranova is the chief compliance officer at Synctera.
I’m fortunate to work in a role where I can help plan, execute and assist fintech builders with compliance and risk. When I mention fraud mitigation efforts, oftentimes developers think fraud is conducted by a shadowy group of information brokers and state-backed hackers operating on the dark web. The reality is quite different.
A common type of fraud most fintechs will experience is “friendly fraud” – when adept and resourceful fraudsters masquerade as customers and submit chargeback disputes. It might sound innocuous, given the euphemistic phrasing, but friendly fraud is not nice at all to a company’s bottom line or reputation.
Friendly fraud isn’t going away either. According to data from 2021, nearly 80% of merchants surveyed admitted to experiencing an increase in friendly fraud attacks over the past three years, with 68% stating that the pandemic has caused a growth in their chargeback rates.
Friendly fraud occurs when an onboarded customer fraudulently claims there is a charge on their account they didn’t make. Part of what makes friendly fraud tricky to deal with is the set of rules around what financial institutions have to do when customers escalate issues. Regulation E, a Consumer Financial Protection Bureau rule that protects consumers when they use electronic funds and remittance transfers, dictates that a fintech has ten days to provide a customer with provisional credit after the customer submits a dispute.
Some fintechs investigate disputes on their own and determine whether or not to provide provisional credit to the customer. More seasoned fintechs will provide provisional credit for disputes that are under a certain threshold, e.g., $20. If that dispute is higher than the designated threshold, a fintech will escalate the dispute to their payment processor to determine whether or not it’s authentic.
But the problems don’t typically stop there. If an investigation isn’t complete within 10 days, a fintech has to provide provisional credit to their customer, advising them that an investigation is ongoing. If the dispute is fraudulent, the fintech will attempt to claw the funds back from the customer. But what happens if the customer spent the money? It’s gone, without a way to get it back.
Many fintechs assume their sponsor bank covers fraud losses — even those associated with friendly fraud. While the bank still needs to be made aware of fraud (and file a Suspicious Activity Report with government authorities, if certain thresholds are met), a fintech is ultimately responsible for all financial fraud losses. While $20 here and there may not seem like much, losses resulting from friendly fraud can add up quickly.
Friendly fraud can also affect what money can’t buy: reputation. Occasionally, fraudsters will file disputes and then threaten to post negative online reviews about the company or disparaging comments on social media if they don’t receive a provisional credit. Alternatively, they might threaten to report the company to the Federal Deposit Insurance Corporation or Better Business Bureau. A bad comment or tweet may not seem material, but every opinion matters when operating in increasingly competitive markets.
Any of these approaches could put fintechs in a difficult position, and many might choose to offer a provisional credit to appease the customer before conducting any investigation into the dispute. This is especially true for fintech startups trying to build a customer base. But a better, longer-term way to protect capital and reputation is to prioritize fraud mitigation.
When setting up compliance and risk programs to combat friendly fraud, I advise fintechs to cover three key areas: creating records, having a team of specialists to help and setting up rules and procedures on how to react to customer disputes.
Fraud might not seem like a top priority when you’re trying to get a fintech company off the ground, but it can be the difference between your ultimate success and failure.