Episode 85 of the Public Key podcast is here and we are happy that you love the refreshed look. Fraud is the leading concern for many traditional and crypto companies navigating the non-face-to-face onboarding process, and we speak with Tommy Nicholas (CEO of Alloy), who has been helping companies combat fraud for over 8 years.
You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 85.
Public Key Episode 85: Your fraud model is broken and here is why
When Tommy Nicholas (CEO of Alloy) wrote a blog titled, Your Fraud Model Is Broken, you had to know Ian Andrews (CMO, Chainalysis) was going to have a fun and insightful conversation.
In this episode, Tommy discusses how early NFTs and Bitcoin transaction speed got him interested in the space, and years later his company Alloy is now servicing Fintechs, Crypto and TradFi companies managing their compliance, AML, credit, and fraud risk.
He explains the broken fraud model and the need for a shift in approach to focus on the person rather than just the transaction. He emphasizes the importance of transparency and accountability by regulators in the industry and the burdensome requirements placed on the private sector.
Tommy also breaks down Alloy’s Annual State of Compliance Benchmark Report 2023 and how automation and even AI can support compliance teams in any industry.
Quote of the episode
“It’s widely believed, and it is true that the best way to stop fraud is at the front door. Like, just don’t open accounts for people … who are stealing other people’s identities, creating synthetic identities or just here to commit fraud in the first place.” – Tommy Nicholas (CEO, Alloy)
Minute-by-minute episode breakdown
- (2:10) – Alloy’s role in managing a wide variety of risks for companies dealing with money
- (5:08) – Alloy as an operating system for risk management instead of just another risk solution
- (7:23) – The frustration behind the blog “Your Fraud Model is Broken”
- (14:33) – The burden and costs of money laundering controls on the private sector
- (18:27) – The inefficiency of processing suspicious activity reports
- (22:56) – Threat actors taking advantage of online onboarding
- (30:03) – How Alloy got into the crypto industry and fraudulent practices they have identified
- (33:13) – Involvement in the NFT community and the potential of digital collectibles
Related resources
Check out more resources provided by Chainalysis that perfectly complement this episode of the Public Key.
- Website: Stop fraud, stay compliant, and solve your identity risk problem
- Report: Alloy’s Annual State of Compliance Benchmark Report 2023
- Article: Your fraud model is broken
- Blog: Banks have a friction challenge
- Blog: How an SDK can help companies catch more fraud
- Report: The Chainalysis 2023 Geography of Cryptocurrency Report (Available Now)
- Video: De Grandpré Chait navigates crypto tax challenges for clients
- YouTube: Chainalysis YouTube page
- Twitter: Chainalysis Twitter: Building trust in blockchain
- Tik Tok: Building trust in #blockchains among people, businesses, and governments.
- Telegram: Chainalysis on Telegram
Speakers on today’s episode
- Ian Andrews, host (Chief Marketing Officer, Chainalysis)
- Tommy Nicholas (CEO, Alloy)
This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company.
Transcript
Ian:
Hey, everyone. Welcome back to another episode of Public Key. This is your host, Ian Andrews. Today I’m joined by the CEO of Alloy, Tommy Nicholas. Tommy, welcome to the program.
Tommy:
Hey Ian, thanks for having me. Excited to be here.
Ian:
I think your company is one of the firms that I never heard of until I got into this world of crypto compliance, and now I have an appreciation for the scale and importance of the role your technology plays across the fintech ecosystem. Maybe let’s assume the rest of the audience is kind of like me and maybe not as familiar. Where did Alloy come from, and catch us up to the present of what you all are doing today?
Tommy:
It’s actually funny that you mentioned crypto compliance because Alloy’s main role is not necessarily to work with crypto companies, it’s to work with all companies that deal with money of any kind, to manage risk for them without impacting their users. So compliance, AML risk, credit risk, and fraud risk in retail financial services. But how we actually started the business was from experiences that we had had working in ACH payment processing, not specifically for, but largely for money services businesses, which included crypto companies, and realizing that the systems behind the scenes that needed to make sure people were who they said they were, weren’t there to commit fraud, weren’t using, buying, for example, buying cryptocurrency to commit money laundering, weren’t looking for margin or credit that they couldn’t pay back, inclusive of floating payment times to be faster, that those systems were very hard to build for technical companies that needed to do… Issue bank accounts, transfer payments, sell crypto, whatever it was that touched money on the internet.
And we were surprised to find that while there were a lot of solutions in the space to address parts of the problem, there were no sort of infrastructural level solutions to what we would call decision-making or full risk management, and that’s what we set out to build. We’re really the operating system and the decision-making layer that integrates the entire ecosystem of, again, AML compliance, fraud, and credit providers, to stitch them together into a cohesive, automated, and effective decision-making apparatus for companies that need to make decisions about their customers in real time in financial services on the internet.
Ian:
That sounds awesome because I can just think about the landscape in my head and I can probably come up with half a dozen companies that do just one piece, like KYC. And really within know your customer, they’re really doing identity verification at the point of account opening, but that’s really just one slice of the problem that you’re trying to tackle at Alloy, right? That would be either a plugin to your solution or you could potentially roll up a bunch of point solutions that a company is maybe trying to assemble on their own, I’m guessing.
Tommy:
Yeah, you got it, man. So the jobs to be done are, you’re applying… Let’s just use applying. You’re applying for a credit card. The jobs to be done are to verify the customer is who they say they are, make sure that their intent is not to commit fraud, but also to assess their credit worthiness and whether they’re a money launderer. Across that, you’ve got to go assemble data and other things from third parties that can do the things I just described. When it comes to credit worthiness, it’d be like the credit bureaus and things like that. When it comes to identity verification, lots of different folks who could do that when it comes to fraud prevention, lots of different folks who could do that sanction screening, et cetera, et cetera. So we got to go get the information for them. Then we’ve got to put together a policy for how do we even say yes or no to each of these things?
Then we may have to have a person intervene to do some sort of manual intervention, or the customer may need to intervene. Hey, your credit was frozen. We need to tell you that so you can unfreeze your credit and we can restart the process. Hey, we couldn’t verify you. We need you to do a step-up authentication. We need to facilitate that process. So all of that is very complicated and we facilitate it.
Then there’s also the behind the scenes work of keeping an audit trail of that, keeping records of that, iterating it over time, back testing to see how you can make improvements, A/B testing and split testing. So you can just think about everything that you might build to facilitate risk decision-making on the internet when it needs to be real time and touch your customer. Instead of having to build those systems, you just install one simple API and SDK, and we can control all of that for you regardless of how you decide to actually go about it in the future, regardless of the providers you decide to use, regardless of how your policy evolves over time, regardless of how many different ways you want to split, regardless of how you want to split on geography or customer type or whatever. And so we’re really, I almost think of us like a core or a processor or an operating system for the risk ecosystem, not a particular application or product within the risk ecosystem.
Ian:
I mean, to me it sounds very much like the first experience I had when someone showed me Stripe. It was like, oh my gosh, you’ve simplified what was a stack of paperwork and months to years of developer complexity to integrate something as simple as accepting credit cards down to a really simple API call, and you’ve made the entire experience pleasant. I feel like you’re tackling the next pillar in financial services complexity for companies that are trying to get into the space.
Tommy:
I used to resist that analogy because I misunderstood Stripe’s business, I actually think. Because I would’ve thought, I would say no, actually the Stripe of KYC would be more like one of our partners, like an underlying provider who does some part of that or whatever. But over time it’s become a very good analogy because ultimately what are they doing? They aggregate things a little bit more than we necessarily do. Because you don’t even need to go have anything to do with Visa, MasterCard or Amex, right? Whereas we wouldn’t necessarily keep you away. You still can have relationships with our underlying partners like the fraud providers and the authenticators and all of that. Other than that, the analogy holds because they’re going and saying, no need to go do all the crazy connection and certification, no need to figure out how to manage next steps. Oh, by the way, there’s a bunch of back office processes that if we don’t provide them, you’re going to have to build them. Reconciliation, audit trail, manual review, even eventually for them, fraud prevention, et cetera.
And if you really think about it, financial services is like ledgering payments and risk, and there’s core system for ledgering. So that’d be like the banking cores like FIS, Jack Henry, Fiserv. They just do the core functions of facilitating deposit holding and lending and a whole bunch of other things. There’s payments that’s like Stripe and all sorts of other payment processors. They are not Visa, Amex, et cetera. They are just the facilitators of the whole process. In the risk ecosystem, fraud, credit, and compliance risk, there really weren’t… That wasn’t really considered a category, but it’s like to me one-third of financial services. It’s like the money you hold, that’s the ledger, the way the money moves, that’s the payments, and then the risk of all of that. And so I think it was inevitable that as financial services moved online, that gap would become obvious and it’s very obvious to the market now. Even nine years ago, it wasn’t necessarily obvious that that category needed to exist, but it definitely does, and that’s what we do.
Ian:
Well, and I think it trends along with the digitization of everything, right? As we get more and more of the back office or infrastructure layer technology brought online, it allows us to iterate much more quickly in the retail user land experience and there’s much better products that come out of it.
Tommy:
You got it.
Ian:
Catching up on some of your marketing content, I, as a CMO, kind of enjoy putting a stake in the ground. So you published a blog this summer. Your Fraud Model is Broken was the title. Unpack that for us a little bit. What led you to pen this blog and what’s really the story here about why most people are approaching fraud the wrong way?
Tommy:
Well, the real reason that we penned that blog is actually my own frustration, and it’s pretty rare that we make a statement that really does come from me. We have a lot of smarter people than me thinking of things all the time, but I’ve spent a lot of time with our customers, with the technology in the space. I’ve been in the guts of the problem of predicting whether a customer is going to defraud you for a long time. And something that was really frustrating me was, we were having difficulty explaining a concept to folks who would come to us and say, “Okay, so we are issuing a credit card. We need somebody to figure out if our credit card transactions are fraudulent.” And I would constantly try to break this down for people. Just credit cards are just one example, but this is the one that really… I’d say, well, there’s two things that could happen where… There were actually really three things that could happen where the transactions could… Well, first of all, transactions can’t be fraudulent because transactions are not sentient, so the person is the fraudulent one, so let’s start with that.
And second of all, there’s three things that can happen. One, the customer was always going to commit fraud from the beginning, and they are who they say they are. The second is that they’re not… They signed up with somebody else’s identity in some way. There’s a bunch of different ways that could happen. That becomes super multifaceted. They stole an identity, they created one from scratch, they tricked somebody into using their identity for them, a million things that could happen. And the third is that the card was stolen and somebody else used it, but the person who originally got it was who they said they were. The transaction matters very little other than as a signal for whether the person always intended to commit fraud from the beginning, which is the first two types and the by far most prominent types of fraud online.
It’s so easy to sign up for the thing that you go figure out some way to sign up for it, use somebody else’s identity to commit fraud. And then even in the instance where the transaction can be determined to be not the kind of transaction the original cardholder would’ve normally done, and therefore something you should block, where the transaction in that sense is pretty important because you’re just… Different type of transaction than this customer usually makes. Well, you’re still trying to figure out whether the person changed from one person to another person.
And so the whole framing of trying to figure out whether these transactions are fraudulent makes actually no sense, almost literally no sense for the instance where the customer was always intending to defraud you in the first place. Because at most, the transaction’s details are an enhancement on the information that you really know or should know about the customer, which is really what you’re trying to figure out. And even in the instance where the transaction is probably the key point of information because trying to figure out using a transaction, whether the card changed hands, any information you can possibly know about how the person changed, it would be more impactful. And increasingly with digital devices, we have hints that that could have happened. And so-
Ian:
Yeah, this is what I was curious to dig in on is, what’s the solve here? So if instead of focusing exclusively at the transaction level, we need to focus on the person level, there’s a headline in the blog, people steal money. I’m on board with that. What’s the technical solution to enable companies to better prevent fraud? What should they be shifting in terms of their approach?
Tommy:
So just to even think about why is this not the dead most obvious thing anybody’s ever said? It’s actually just rewind and think about who had credit cards and bank accounts, just to use those two examples, even 10 years ago? It was people who had opened those accounts and to some extent in person. It’s very hard to commit fraud at scale in person. There’s lots of fraud committed in person. I just mean it’s hard to do it at the scale that you can do… Commit fraud on the internet in person. So there are people who’ve opened bank accounts in person, most of which weren’t fraudulent, and the products they were using were built for people who were operating things largely in person, like swiping at terminals and various stuff like that.
So the language that people have just used around fraud, particularly as it relates to payments, makes sense in the context of, well, most of the users of these products didn’t… Started off as strongly authenticated as you can possibly be because they walked into a branch and, yes, they may have always been intending to commit fraud, but we have credit bureaus and other things to try to figure that out and make it so you can only do that a maximum of one time.
And then, B, we know, knowing a lot about that person wouldn’t tell us a ton other than we want to know, what do they typically do so we can figure out if they do something else because that’s probably not them. And that’s the whole job to be done in that world. The thing that’s changed is two things. One is, these products are by and large increasingly not being originated in the sort of most ultra strongly authenticated meatspace that you could possibly… That’s not where the people are getting these products. They’re getting products online, a highly manipulatable process. No matter how strongly you authenticate them, it’s a manipulable process that could be done at scale. So the professional fraudsters are coming after you because if they get you, they can get you at scale. And then the people are operating these products in various ways on devices, not just with physical cards.
So the technological solution is to start from, let’s assess the identity of the person and let’s use transactions as an input to assess both the intent of that person from day one and the intent of that person today because they may have changed as people. But we’re not going to just use transactional information because we’re not just a transactional system. We’re going to use identity information, the information we know about how they signed up, where they were, where they live, what devices they use, what their history is, and various things like that. And that’s going to give us a more robust picture.
Ian:
And does that start to change? Have you actually been able to observe a shift in occurrence of fraud or detection of fraud in your customers that have adjusted their approach and model?
Tommy:
What was frustrating for me in trying to make this point originally is, even the people who are asking us had already had success with a more entity in person specific approach to fraud because it’s sort of known that the best way to stop fraud, it’s widely believed, and it is true that the best way to stop fraud is at the front door. Just don’t open accounts for people who are stealing other people’s identities, creating synthetic identities, or are just here to commit fraud in the first place.
What was frustrating was the assumption that once you’ve done that, if you got it wrong on the other side, that that information isn’t the key information for figuring out if you got it wrong. You did open an account for somebody who intended to commit fraud. I still think there’s a general orientation in the industry that the only way you would figure that out is by, I don’t know, looking at time series data of transactions and trying to build a model of what a fraudulent transaction looks like. But we’ve proven over and over and over again that it’s the merging of those datasets that tells you what you miss during the authentication stage, and that’s really the point we’re trying to make to people here with that blog.
Ian:
Yeah, sorry. Take your time. We’ll edit it out.
Tommy:
Yeah, give me like 15 seconds. I thought I had some
Ian:
Yeah, yeah, go ahead.
Tommy:
Fortunately I was done with that point anyway.
Ian:
Yeah, no, it is a perfect clean cut. No worries.
Tommy:
All right, great.
Ian:
You good?
Tommy:
Yep.
Ian:
All right, we’re back. So I’d love your organization’s produced some data on what’s actually going on in the industry. One of the interesting pieces of content we’ll link to in the show notes is your state of compliance benchmark report. One of the topics that I hear a lot from the compliance professionals that listen to this show is how much time and effort goes into suspicious activity reports. I mean, this is kind of a hallmark of the industry going back for years, and you put some numbers behind the scale of the number of SARs that are being produced by organization. I think 10,000 SARs on average for small- and medium-sized organizations who are dedicating one to 24 employees for reviewing and filing those suspicious activity reports, and that escalates for large organizations up to 50,000 SARs per year.
Tommy:
Yeah, that’s a lot.
Ian:
Which is staggering. You talk a lot about automation as being critical to solving this problem. Because I look at that and that’s just cost center of compliance inside of a business. You’re never going to get resourced, allocated correctly to the obvious demand and need that’s there. What’s the answer here? Because I feel like it ties into this conversation we’re just having about fixing the way people think about fraud.
Tommy:
They are related. I think just filling out a suspicious activity report, which is effectively a form, but it can be done via XML, but it’s effectively a form provided by FinCEN, which is money movement regulator for… I’m just trying to come up with a simple way to explain who they are… In order to track across… The theory is we’re going to track suspicious activity across all financial institutions in the US or globally, depending on how you’re looking at it, and we’re going to find trends and we’re going to catch bad guys and we’re going to do all this stuff.
Well, I think there’s two things. One is we would love to see, and I think the whole industry would love to see a little bit more accountability from regulators that that’s actually happening and it’s effective. And I think it is a little bit, but we’d love to… I think it would be good to show more of that or to share more information and data and actually allow more people to be helpful with the information they have from these SARs. Because filling out even one of these suspicious activity reports manually, I think it’s over a hundred questions. It’s a lot. It takes a long time and it’s not just filling out the information, but you have to come up with a narrative and you have to put a lot of stuff together.
I think the good news is that you can file… Oh, and so then you file a suspicious activity report and then there’s a bunch of other stuff that happens. You may have to file a continuing activity report if the customer you filed the suspicious activity about, Hey, this person might be money laundering. We’re not sure, file the report. They continue to do what they’re doing. You haven’t shut the account down because you’re not… It’s suspicious, not dispositive yet. You have to provide a continuing, and there’s even limitations on what you can even do if you suspect somebody of money laundering. Then you have to file a continuing activity report. Oh, you filled out one of these forms when you filled out one of the fields wrong. There’s feedback, there’s all this other stuff.
What we can do to help out, so it’s really, really hard. I think I covered that. What we can do to help out and what we do, but also this isn’t a pitch. It’s more of what the industry’s working on is like, well, how many of those hundred fields can we basically fill from a core system? How many of them are really about the identity of the person or the identity of the persons that are involved in all these transactions? Can we pre-fill this? A huge pain point is basically you fill out something wrong with the form and you get feedback. Can we automate that process inclusive of if FinCEN gives feedback in an asynchronous process that you couldn’t have known in advance because somehow they come up with some problem with what you wrote. Can we assist people in having really ready access to how they would construct the narrative?
That’s where automation comes in, and that is possible, and I think we are getting to more of a point where just deciding that the investigation showed money laundering and writing the narrative will be the bulk of the work that needs to be done. I think that can be done through our system if you’re combining the identity information and the transactional information in one place. I think we can help with that. And I also look forward to someday maybe even some of the narrative generation being computer assisted.
I think I’m a big skeptic of large language models as having a role in fraud prevention and compliance generally, but that’s one area I think they could be killer. I think it would be a great, safe, really good use of large language models to summarize a big set of information that a human’s already decided what happened with, but goddamn, they got to write a lot of stuff about it. I think like a GPT type, something like GPT-4 or another large language model could be appropriate for that. But I would say 98% of what needs to happen is actually just getting information from here and putting it there, and that’s a lot of what we’ve been working on automating for our customers.
Ian:
One of the critiques that I hear echoed a lot in the industry is the entire surveillance apparatus that has probably started in the seventies with the Bank Secrecy Act being passed in the United States and then was extended significantly post 9/11 with the Patriot Act is somehow like theater. It doesn’t actually serve a real purpose of protecting the United States from terrorists or protecting consumers. It’s just a huge expense and burden on everybody with very little real results. What’s your perspective on that, as somebody that sits in the industry and works with companies who are carrying that burden? It doesn’t feel realistic to me, but I’d love your opinion.
Tommy:
It’s not fully true at all, of course. And there’s a lot of money laundering that is prevented. There’s a lot of people who go to jail. There’s a lot, correctly, for having committed serious financial crime. But there’s two things I’ll say and I’ll first, I’ll defend the surveillance state, the deep state. Whatever term we use will be criticized by somebody, so I’ll criticize it… I’ll give credit to the surveillance state first, which is a lot of what’s happening is that they’re looking for big fish. They don’t want to chase down, they can’t chase down, or they’re not necessarily focused on chasing down every little thing that goes wrong and every bad thing that happens. They’re collecting this information so that when something really, really serious is happening, they can swoop in with insane precision and stop it and prosecute it successfully. Whether that’s with another nation state that they have to make the case to or whether that’s in the US judicial system.
That’s the biggest thing that I think people just lose is they’re just not interested in or capable of prosecuting and litigating every single case of money laundering that exists. They’re looking to stop big rings of it all at once so they don’t tip their hand because of resources, all this other stuff. So I think that’s… I’ll defend them there.
I’ll criticize them in like, well, how do we know that? Citizens have to be… It just is what it is. I know that people will come up with all sorts of reasons why, well, certainly you can’t know this or that. Citizens have a right to be and I think have to be informed about the effectiveness of their government, and especially a private sector that’s being asked this much. The burden of, I’m a guy who’s pro the government asking things of the private sector. That’s my general bent. What is asked of the private sector when it comes to money laundering controls in particular is a lot. It is large. It is a humongous cost burden, et cetera, et cetera, and it has humongous costs on consumers, too. Time, access, et cetera. Those costs need to be taken into consideration, and I think the absolute minimum the federal government in particular could be doing is providing more transparency on what is being done, what isn’t being done, what can be done, what’s being worked on.
I’m not saying, Hey, let me show you some cases that are in progress so we can screw them up and let some criminals off, but there needs to be more transparency and narrative provided because even industry professionals who work in AML will say, oh, it doesn’t catch any money laundering, right? You’ll even hear that from people who are as educated as they could possibly be on the topic. They’re wrong, but they’re not totally wrong, and then they’re also not wrong for thinking that, and I really think there should be change.
Ian:
Well, and even going back to the topic of SARs, I mean, I think it’s a burden on industry to produce those reports. Equally, governments consuming them, actually processing them and yielding some useful insight that allows us to catch a bad guy who’s running a terrorist financing ring. They’re overwhelmed with the amount of data that’s coming inbound, so it’s a problem on both sides. There’s such inefficiency there. They-
Tommy:
And if the government doesn’t provide transparency and feedback, it’s like if a team at a company doesn’t provide transparency and feedback. Sometimes it’s because they’re geniuses and they’re just crushing it, but sometimes it’s because they’re screwing everything up and they don’t know what they’re doing and they could use help. That is sometimes what is going on, and the American people will lose trust in institutions where they suspect that maybe they’re screwing everything up. It comes to light a decade later that they were, and they say, well, everything must be screwed up like that, and it’s certainly not the case.
I really think that this is an area where the narrative will always be, this is a waste of time. This is a waste of money, but we have to do it, and it could be this is the most important duty that we have as a private sector is to help with this. We feel really, really good that we helped, and it’d be the last thing I would ask the government. That should be how people feel about it and instead people should feel like the crime that’s… Largely the crime that’s being detected by filing SARs is the most non-controversially awful stuff in the world. It’s like child trafficking. We should all feel really, really good about stopping.
Ian:
That’s right. Yeah.
There’s nobody that’s in favor of enabling human trafficking. I mean, you’ve got a great slide in one of the compliance reports that talks about leading indicators for suspicious activity. Money laundering, tax evasion, identity theft, bribery and corruption, insider trading, human trafficking, terrorist financing. This is-
Tommy:
Pretty bad, pretty bad.
Ian:
… pretty bad stuff.
Tommy:
Not great, not great. Yeah, so we feel like we’re Sisyphus, did I say that right, pushing the rock up the hill. And we could feel like Captain America or whatever. It’s a miss by the federal government not to provide, I’ve said my piece, but the information that would make us feel that way, I think.
Ian:
Well, let’s shift gears a little bit. You touched on it earlier that one of the interesting things that’s happened over the last two decades is this transition from where you used to, if you wanted a bank account or a credit card, you walked into a bank branch in person with a bunch of identity documentation. Perhaps you already have a relationship with the bank in some capacity. But even if you’re a new customer, they go to great lengths to verify your identity. Now you can get a new credit card in under 15 minutes via an internet browser anywhere in the world. It’s a pretty straightforward, streamlined, simplified process. What has that done in your impression from a threat landscape perspective? Who are the threat actors that you see taking advantage of that shift in the customer onboarding model, and where’s the money being made if you’re the bad guys taking advantage of this?
Tommy:
Yeah, okay, so I think the easiest way to explain this is to just go ahead and say, let’s say that the online 15-minute credit card application actually went to exactly as many lengths to verify the identity as the in-person branch application. That is often not true. Let’s just say it is. Why is the threat landscape still changed dramatically? It’s just meatspace versus bits. It’s just if it turns out that an exploit can be found even with all the intent, let’s say you even have to do a video call with somebody to move your head around and show your ID and all sorts of different stuff. It doesn’t matter what you do. It’s the fact that if an exploit was found, it could be automated at scale. That’s the real problem. And even if it couldn’t be automated at scale, maybe it could be Mechanical Turked at scale. You could recruit a bunch of people to exploit the hole that you find in this process at scale.
That might even include tricking people, which it often does, tricking people into opening accounts and then handing them over to you unknowingly and then committing fraud. So there’s always an exploit and now it can be committed at scale. That basically creates this unvirtuous cycle, which is exploit found, organization of some kind, whether that’s a state actor or a semi-state actor, or quite often just a group of people that are just motivated to do this and form a loose affiliation, maybe even on Telegram, maybe in person, whatever it is, go exploit an exploit. And then they do it at a bigger scale. Then they do it at a bigger scale. Now they have a bunch of money, they invest in technology, they build AI to actually try to fool the exploit. Now they have more exploits they can… Now they have more money. Now they’re basically like a startup with a billion dollars of funding to do all this stuff.
A combination of, I would say, the exploits that came from pandemic relief and then the exploits that have come from the sort of broad digitization of financial services, inclusive of crypto hacks that is a subset of the broader digitization of financial services, have left some of these organizations very well funded. Some of them were well funded in the first place because they’re state sponsored actors, and states can sponsor quite a bit of funding in my experience. But some of them weren’t and they were just people on the street that are now wildly sophisticated, really, really, really tough actors, and they might also be in countries where we can’t necessarily go swoop in and stop them from happening. That’s what makes the threat landscape so complicated. I think what’s weird about the US that I still can’t totally figure out is some of those people are in the United States and they’re not being prosecuted.
I would like answers to that. There’s groups of people. This is kind of where the transparency comes in. If I just even felt like some of the groups of people that we know that are committing fraud in different geographies or whatever, were eventually going to be prosecuted and we’re just building our case and we’re just going to have to eat some pain for a little bit, that’d be great. I don’t even know if that’s true. I just don’t know if there’s just a non-intervention policy that’s come around to some certain types of credit card fraud. I don’t know what the deal is, and I would like to know what the deal is, and I would feel like if anyone would know what the deal was, it would be me. And we don’t necessarily. But then there’s also, I understand it’s very complicated to go invade a country to pull somebody out because committing fraud. There’s these two different things, but some of these groups are just fully in California committing fraud. Everyone knows who they are. Not sure what’s going on.
Ian:
That’s incredible. It is interesting, though, your point about how many of these fraud shops have actually become software businesses under themselves. I’ve spent a bit of time reading about some of these organizations where in some cases they’re building software frameworks that allow you to stand up, then an entirely fraudulent website that maybe is a trading platform for crypto or for stocks, and they give you an entire playbook to run to recruit people who think they’re using a legitimate service, and eventually fleeces them of large sums of money. We hear about this all the time under the banner of pig butchering scams. I didn’t appreciate quite how frequently that software is cloned, and so there’s been take-downs recently of a couple of these strains and it’s like hundreds or thousands of copies of that trading platform that they’ve found across a variety of domains, variety of different languages. And it goes to your point about the ability to scale. If you can automate anything when we’re out of meatware and into ones and zeros.
Tommy:
The curveball that really threw me was when I started to notice that people were being manipulated by… Manipulated, and then sometimes they get in on it and kind of know what’s happening, but manipulated or pseudo manipulated by social media, Telegram, et cetera. I don’t mean to imply at any level that Facebook, the website manipulated people into committing fraud. I just mean the connections people are able to form through these are turning into a weapon that I didn’t totally grok. And we first saw this, we saw this really bad in 2020 and 2021 of our customers being like, “Hey, I’m under a fraud attack.” Okay, we figured it out. It seems to be TikTok, and we’re like, with TikTok? And there’d be some TikTok who’s like, here’s how you defraud Bank X. And then maybe it didn’t say exactly that, but it was effectively that’s what they were doing.
Ian:
That’s amazing.
Tommy:
That sort of thing just shows you if there’s an exploit including manipulating other people to do the exploit for you, it’ll be found. And so
Ian:
Not even being shared on the dark web. They wanted to get their view count up, so they’re pushing it on their TikTok platform.
Tommy:
No, we have this whole list of these. We have this big download of all the ones that, or a bunch of the ones that we’ve seen, so we can show people what it looks like when somebody’s… What to look for, what to actually see, and say, oh, that’s actually a scam. I wish I could send them to my friends, but they’re a little sensitive.
Ian:
Hey, different topic. We’re a crypto podcast, obviously. We’re 35 minutes into the conversation. We haven’t really talked about crypto at all, but you guys actually do quite a lot of work in the crypto industry. Touch on the scope of that and really how you got into crypto in the first place would be I think a fascinating story.
Tommy:
So what we do for crypto companies is fairly simple. If they’re dealing with money at any level, they have the same… They are concerned about chargebacks, so they’re worried about fraud. Money can be deposited and charged back, and now the customer has the crypto and platform doesn’t have the money, so they need to prevent that. Or they need to comply with AML regulations, and so we do the verification as it relates to that and the transaction monitoring, SAR filing, et cetera. So it’s really no different than any other money services business, and we do that with some pretty interesting companies and would love to… We always love to work with anyone doing interesting that touches money. We don’t do so much in the world of totally crypto to crypto. It’s still regulated in all these different ways. We’re just less involved in that. It’s usually when there’s some fiat component of it somewhere, either an on-ramp, an exchange, any sort of off-ramp, anything like that. Or even things like issuing a credit card on top of your crypto rewards, which we’ve worked with people on.
How I got into crypto, I mean actually it was back in working in the company that inspired us to start Alloy. We were doing ACH processing and we realized there was, Bitcoin was getting really hot in 2013. If you look at the price chart, doesn’t look hot to us now, but it felt hot at the time. It was like Bitcoin’s over $300 in the world. And there was sort of a bunch of other stuff, really interesting things happening. There was the, I don’t know what to call them, but the Ripple Stellar type, replace Swift pitches going around and doing a lot of interesting stuff. There was a lot of thoughts about how you might run compute on the blockchain, et cetera. And we were just doing a lot of payment processing for those companies and I got pretty interested in it.
Actually, my big aha moment about crypto that got me excited about it was actually a bit of a false moment, which was, there was a company called Change Tip. I don’t know if you remember Change Tip. It was the coolest thing ever. I still think it was the best, which is that you could tweet somebody, you could post on Reddit, you could post a bunch of different places, Hey, Change Tip you five, a coffee, and it would go send the person… It would either send the person $5 worth of Bitcoin or it would DM them, “You don’t have a Change Tip account. We’ve created a Bitcoin address for you and there’s $5 worth of Bitcoin in it.” And I got obsessed with that. I thought it was the coolest thing ever. They could only do it because transaction fees were zero, which is what I thought was going to happen with Bitcoin.
And I got super excited about it because I got pumped about what it would be like to be able to build a money thing where you could just do it permission-less dealing with money basically on the internet. And then I got excited about transaction speeds and fees, which within a couple of years I had been disabused of the notion that that’s what we were going to actually get from crypto in the short run. There was going to be a big academic and practical set of things that were going to need to happen before that was our reality and not speaking to whether I believe that has or hasn’t happened, just that it definitely wasn’t… By 2015, we knew that wasn’t what it was going to be like for
Ian:
I think you’re seeing a lot of people try and do that again with Lightning Network, right?
Tommy:
Lightning Network
Ian:
Where you’ve got the lower fee structures.
Tommy:
Yeah, starting something like Solana or doing all these different alternative blockchains, I think it could still happen. It may have even happened you could say. It definitely wasn’t happening in 2015. And, yeah.
Ian:
Have you ever added up all the tips that you handed out in Bitcoin at the time and benchmarked them back to-
Tommy:
We joke about it. I bought my co-founder a coffee that I think is up to a thousand dollars now. And he kept all his Bitcoin. I didn’t, but he kept all his Bitcoin, which not some crazy amount, but even these little amounts add up to just insane. It’s insane. Because we started, it was like Bitcoin was… By the time we were really interested in it, Bitcoin was fluctuating between $300, $1,000, $300, that kind of range, but when we started messing around, it was way below $300. So these $5 tips are, what is that, 100, 200, 300x. They’re out there. If you just Google, get on Twitter and look up Change Tip and Tommy RVA, which is my… I mean they’re just, I didn’t delete them. They exist. They’re out there.
Ian:
We’re going to have a listener who’s going to go out and pull all those out, and-
Tommy:
It’s there.
Ian:
… we’re going to get a summary of everything that you paid out in tips and what it would be worth today.
Tommy:
Sure. The more interesting project that it got me more into crypto and where I know a lot more about crypto is actually in 2017, Alloy was two years old and was a very small company and very stressful company to run at the time because we were very small and had very few customers and probably it seemed fairly likely that we wouldn’t make it just because it was so small. I’ve talked about this on a bunch of podcasts. It was a really hard time for us, and I’ll skip that unless you want me to go into it. But one of the things I started to do to just distract myself on the weekends, I had… This would sound obvious to a lot of founder people, but I guess I had stopped, I tried to stop working on the weekends because it had gotten too stressful to work 24/7 on something that was very uncertain. I went back to working on the weekends, unfortunately for my wife, although I’ve mostly stopped again now, shortly thereafter because things started going up and to the right.
But there was this period in 2017 where there wasn’t a lot going on at work. We were still grinding our butts off and I needed something to focus on, on the weekends that was creative but wasn’t work, and I got really, really attracted to the… I know that this has become a little bit of a controversial thing, but stick with me and I promise that it wasn’t at the time. The Rare Pepe Bitcoin Counterparty wallet, what they called rare digital art at the time we would call NFTs, although the people who built the Rare Pepe project would strongly disagree with that classification. I got super into, not the Pepes themselves, but the idea of creating rare digital art. And I got so into it that I started messing around with Solidity and basically built a standard and a framework for creating roughly the equivalent on Ethereum because I thought it was easier to program, and I did think and still think that was probably the future of programmable crypto.
And then actually ran, my buddy and I, who now actually works at Coinbase, ran a… Decided to start and run a festival for what we called Rare Digital Art at the time, the Rare Digital Art Festival. And we had the folks from CryptoPunks come. We had the Rare Pepe folks come, CryptoKitties launched between the time we announced the festival and the festival happening. And we had this event in New York City. We didn’t know if anyone would come. We had about 400 people could come and there was-
Ian:
Wow.
Tommy:
… standing room only early 2018. But there was still no… I don’t think people were saying the term NFT yet. It was like two weeks after that NFTs became the thing.
Ian:
The thing.
Tommy:
Then NFTs weirdly died, kind of, and didn’t go anywhere and then came back in… During the pandemic. So where I’ve actually really cut my teeth a lot more on the ground and where I actually know the people who have done interesting work and have had just the most modest impact is actually in the NFT community of all things. And
Ian:
And how are you feeling about things now? I mean, we’re sort of back in that same period that you just described where everybody was talking about NFTs for about a year there and now, save for maybe Bitcoin ordinals, the activity, at least in terms of trading volumes is way, way off the peak.
Tommy:
Yeah, it’s similar to how I felt about Bitcoin transaction fees, et cetera, which is that… And actually going back to Bitcoin, I got super excited about the transaction fees and the speed. I actually remain excited about whether I actually think this is a good thing or not. Like non-state money that’s plausibly censorship proof. That’s actually a really big idea and I think that’s the only idea that matters in Bitcoin, and I think that’s actually a humongous, transformational idea. Whether it’s for me or not is for another discussion, although I think I am interested in it, but I disabuse myself of a lot of those notions, but held on to this, it’s illegal to create a currency and yet this other currency exists because there’s no way to stop it. That’s fascinating. I think very important and powerful, and I think probably a force for good in the world probably. I have the same with NFTs, which I hate calling them NFTs. We’re going to call them NFTs because there’s nothing else to say. There’s no other word to call them. But I also, I still think
Ian:
We can call them rare digital art if you want. Doesn’t matter to me.
Tommy:
I think rare digital art would’ve been better, but I’ll say NFTs. I got really excited about NFTs for all sorts of things, as representations of music and all these things that people have these ideas about. I’ve come back to the original idea that I never really should have… I should have stuck with the original idea in the first place, which is, it’s digital art and it’s digital trading cards. It’s the Joe who was really running a lot of the rare Pepe stuff. Always used to say the token is the art. It’s the ownership of the token that is the material thing. It’s a collectible, and collectibles are not to be diminished in their value. Collectibles are crazy important. Art is to a large extent, a collectible item if you can buy it and you can exchange it. And I still think a lot of the best… I still think there’s incredibly exciting collectibles that will be built, and I do think cryptocurrencies are specifically the only way to do that digitally.
I don’t think we’ll see another way. I wouldn’t be interested in another way. The fact that they’re plausibly decentralized, censorship-resistant, that I plausibly actually own it if I have it, is really, really unique and some of the NFTs I own and really value, I still love the Crypto Covens. I have a bunch of them. I think they’re the freaking best. I have some of the OG NFT stuff that’s best not to talk about. And I still really value them and I still think that they will be part of culture if cryptocurrency survives, assuming cryptocurrencies survive. I actually think they will be part of culture and there’ll be another revival, but I think we’ll get out of the sort of NFTs are your pass into a Taylor Swift concert, like weird era of NFTs are everything, and that drove me nuts. I think it’s just going to be the NFT is the NFT. The token is the art. Shout out to Joe. He’s the man.
Ian:
I like it. I like it. All right, last question as we wrap up. Bringing it back to your business at Alloy, where’s the whole market going? And maybe even broader than market, the entire industry of fraud and compliance. We touched on a lot of the effort that’s going in on both sides of industry and government. Any predictions about how we get more effective at stopping the really bad guys, but enabling businesses to do a better job serving their customers and satisfying all the various stakeholders along the way? Do we see that in the near term future for everybody or is that too optimistic on my part?
Tommy:
I’m a bad person to ask because I think I’m too close to the problem. It’s like if I zoom myself out and say, Tommy, get farther away from the problem and now answer the question, I do think I see things on the horizon. A lot of the digital IDs that are coming out, actually state, individual state, or nation state issued digital IDs, that’s going to be helpful. That’s going to make a step in the process more secure and more just frictionless. So that would be good. I think I’m just a lot less confident that there actually is the incentive apparatus to get some of the other things that I think need to happen done.
I’m not sure the… I’m not sure without visibility and accountability that some of the things that need to get done will necessarily get done, so I’m less of an optimist about that. I do think though, if I can say a good thing, the explosion of investment in technology to solve these problems, because they simply have to be solved in order to do business on the internet. And maybe they always existed, but they became exacerbated. That’s been a good thing. I mean, you just think about what you all do, just an incredibly good thing that required a lot of investment to get good at and that investment moving from investors into the private sector, into companies, that’s been a really good thing. And I think the fact that the market is very competitive for solutions to get better at this stuff will also benefit, be extremely beneficial.
I’m just a little, well, where I will say that I have some optimism. The European market and the European Union seem very focused on this in a way that… Or maybe I’ll say this a different way. The US and Europe are focused on these problems in two very different ways. So we will get innovation on two different spectrums. The European market sees fraud and money laundering largely as one thing. Financial crime. United States very focused on blocking and tackling on meat and potatoes money laundering, like the things that we talked about earlier, would love to stop other types of financial crime. Very focused on risk-based approach. You do it the way you think is best, so we will find a lot of ways that are best.
European markets tend to be more prescriptive. That has some benefits when you prescribe the right solution that has some detriments. There are some European markets that have prescribed really bad solutions and they’re going to need to figure that out. So that gives me some optimism. There’s a lot of money in the space, there’s a lot of innovation. Governments are regulating this from a lot of different angles, so we’ll see what works and what doesn’t.
I still just do get worried, though, when I think about what it’s going to take to kind of get the data, information, and transparency together to really unleash the true innovation of the crowd, to stop and spot patterns across the whole ecosystem, which I think could happen if governments were motivated. That seems unlikely in the short term. And I think we’re more going to see user experience improve because there’s a lot of innovation there. We’re going to see results on fraud prevention continue to chase after what the fraudsters are doing. Fraudsters are getting a lot of new tools in AI. Fraud prevention companies will have to fight back. So I see that more as a cat and mouse game. I think user experience is continuing to improve and I think the ultimate sort of dream of really collaborating to stop money laundering at scale is work I’m not even sure is in progress. I’m a little less optimistic.
Ian:
Well, thank you for the sobering assessment of the industry overall. Tommy, this has been an awesome conversation. Really enjoyed getting to meet you and learn about the business at Alloy. Thanks so much.
Tommy:
Hey, Ian, it’s been awesome, man. Talk to you soon.
Ian:
All right.