Futurecast | Consumers in the Crosshairs, Pig Butchery Gets a Spotlight, and Green Dot Gets a Red Light
#0006 Trust And Cyber Online
hello world [what's up]
Hola Cartomancers! Welcome back to the Futurecast. Perhaps you missed us showing up in your inbox last week, but nothing to worry about - we just have decided to try Intermittent Casting, and publish when we hit our Bitworthy Mass Index.
I have found as much as I'd like to get quicker in pulling these together, my attention gets pulled in a strange direction - which might explain the rabbit hole I dive into re: Green Dot and Banking As A Service. This adventure we're on is a ramble for sure.
BTW, turns out March is Fraud Prevention Month - at least in Canada. Definitely share some of those resources with friends & family as we head into tax season here in the US (yep, another year of text messages from the "IRS"). And, of course, please share this newsletter with folks who might enjoy.
Let's get into it:
Noodling in the Lab
Finally sorta getting started on the Big Credit Card Fraud article
News nuggets
Consumers in the Crosshairs
Pig Butchery Gets A Spotlight
Green Dot gets a Red Light: What to Know
a noodle from the lab [what we're working on]
Today we begin an experiment, which is I'm going to slow-roll a fairly detailed resource - hopefully with your help. We're going to deep dive into credit card fraud, which I consider the center of the "Trust" world. (Spam is the other primordial Trust being in the pantheon of fraud & abuse).
Theoretically I could split this up into a series of articles, but I think it's helpful to see where we're going writ large, so here's how we're going to play this game: I've got an outline going, which I'm publishing here on the Futurecast site, I'll also share a link to a Google doc that's going to be publicly commentable. If you have questions or recommendations for items to be added into the outline, added into the narrative - or questions you'd like me to answer along the way, I'll do so. If the commenting gets out of hand (see primordial Trust being "Spam" above), I'll turn it off and you can just email me comments and questions. But the idea is, there's a ton to cover here, and I think this will be a fun experiment.
Here it is: The Big Credit Card Fraud Resource [or rather, the very first dusty rough draft of said resource. We'll enbiggen it soon.]
training data [what's news]
Consumers in the Crosshairs aka the Venn Diagram of Vulnerability: When we see security issues covered in the popular press, we find many examples that demonstrate the convergence of cybersecurity, privacy, & consumer trust, and however we discuss the tangled web of vulns and exploits and real world impact, it's clear that consumers (and their data) are continuing to be under fire.
We've seen product or system compromises leak private data and enable sensitive access to customer accounts and information; here's a new example of "hacks" exploiting brand reputation and trust to facilitate scams & phishing, as in eBay, VMware, McAfee Sites Hijacked in Sprawling Phishing Operation. By hacking poorly protected subdomains, phishers have been able to send email that appears to come from trusted domains (just like regular phishing), but also to easily bypass email-security measures in place to prevent phishing (yes, these emails pass Sender Policy Framework (SPF), DKIM, SMTP Server, and DMARC tests).
While increased breaches are a problematic trend, what is a good trend is the security of the underlying service being considered in product reviews, as in CNET Isn't Recommending Wyze Home Security Right Now: Here's Why.
And consumers themselves are noticing security and privacy problems showing-up in their everyday spaces, filing under "too creepy, even if fritos are involved", a college is removing its vending machines after a student discovered they were using facial-recognition technology.
With all kinds of technologies capitalizing on AI and biometric tech (in addition to existing activity and authentication data in their databases), there's no better time for consumers to be reviewing their own security plans, over on LinkedIn, Leigh Honeywell recommends the Consumer Reports Security Planner (thanks Leigh, for flagging), as well as another resource from the same author (Yael Grauer) - the Big-Ass-Data-Broker-Opt-Out-List.
Pig Butchery Gets A Spotlight: We talked about pig butchering scams (an expansion of romance scams, where it's a longer con) and also scam camps (the worrying trend of human trafficking pipelines dumping into forced labor camps executing online scams). This is a big enough problem that we're seeing articles in the popular press about it (e.g. NY Times), but John Oliver and his team also put together a strong overview of the situation, tying the elements together into a compact but meaty (no pun intended) segment on his show, Last Week Tonight. Take a look.
Green Dot gets a Red Light: What to Know: At the high level, Green Dot getting called onto the carpet regarding regulatory issues would not feel like big news, as those of you in the payments and financial services industries know - non-banks that provide financial services, e.g. Money Services Businesses (MSBs) get a lot of attention from regulators. In this case, the stir is that Despite positive outlook and revenue growth, Green Dot Corp Faces Regulatory Challenges - specifically in the form of a proposed consent order from US Federal Reserve.
Indeed, if you check out GDOT's full 8-K filing on the SEC website, details of the FRB consent order are on the front page, along with a disclosure of the impact - estimates of up to $50M in liabilities. (They've set aside $20M to cover the liability but acknowledge an outside possibility of losses up to that $50M number).
And what is this about? Well, it's about "compliance risk management, including consumer compliance and compliance with anti-money laundering regulations," Green Dot said in their related press release.
This consent order appears to be part of a larger trend: American Banker noted that several banking-as-a-service banks have received consent orders in recent months due to the compliance failings of their fintech partners, including Blue Ridge Bank, Cross River Bank and Lineage Bank.
American Banker ALSO said: "Green Dot is an Austin, Texas, fintech and $4.8 billion-asset bank holding company that issues prepaid and debit cards and provides savings accounts, with a focus on serving the underbanked. It provides banking as a service to partners that include Apple, Walmart, Amazon and TurboTax." (emphasis mine)
What the heck is banking as a service? Is this about the practice we've seen in the past, where small community banks would "rent" their card BINs or ACH routing numbers to prepaid cards, or similar innovations? Well, yes - fintechs, who in many cases are not regulated as banks or MSBs, are often working with "sponsor banks" - relying on those banks for access to networks and services. But the banks are still the ones who are accountable for compliance, and in many cases the banks who become sponsor banks are ill-equipped to scale their operations to support the run rate of their fintech partners.
This reminds me a bit of what cybersecurity folks have been dealing with in Cloud, where accountability and liability become a bit opaque with service providers relying on service providers relying on service providers up and down a stack. I hadn't clocked the similar pattern occurring in financial services, but now I can't unsee it.
Oliver Wyman describes The Rise Of Banking As A Service, noting "Digital challenger banks are now running at a fraction of the cost of incumbents. Some technology companies have obtained banking licenses, enabling them to offer their BaaS platforms to distributors that want to provide financial products to their customers"; you can read more in their nice paper here.
Deloitte also has some work (and a paper) on Banking as a Service, Explained: What it is, Why it's Important and How to Play, noting "BaaS is becoming ubiquitous, as non-banks embed financial services into their experience(s)", and provides some examples about where these hybrid products are popping up, like Point-of-Sale Loans, Convenience Stores as Bank Branches, Cashier-Less Shopping (using digital / mobile wallets), Bundled Renters Insurance (apartment buildings), and ERP-Facilitated Banking.
Insider Intelligence describes BaaS in a way that sounds just like other SaaS models: "BaaS is an end-to-end model that allows digital banks and other third parties to connect with banks' systems directly via APIs so they can build banking offerings on top of the providers' regulated infrastructure, as well as unlock the open banking opportunity reshaping the global financial services landscape." (emphasis is mine)
The idea that products can ride on regulated infrastructure and assume that the products inherit the regulated bits of the infra without proactive design on the product's part feels a bit - well, not always correct. KYC is a good test case, and perhaps is a leading indicator of regulatory questions to come.
What's the takeaway here? Besides the obvious (which is that AML and KYC are hard and getting harder), bankers and fintech-ers need to note that interoperability and speed are great, but accountability models need to be adjusted to keep up with the very real threats emerging right as we're moving into more open APIs. The regulators don't care how "cool" the services are, they care that the foundational elements are rock solid, and it's clear they intend to hold regulated entities to the regulatory standards.
find more cartomancy [what's out there]
on demand
I was delighted to spend some time discussing cybersecurity career paths, leadership development, and industry trends while reconnecting with my friend and colleague Sandra Liu (if you haven't seen what she's working on over on YouTube I encourage you to check out her projects). In this interview, we cover cybersecurity career and industry topics including:
- What do hiring managers look for when hiring candidates for a job?
- What cybersecurity skills are most relevant?
- What are the biggest challenges facing organizations today?
ttyl [what's next]
Thanks for reading to the end of this set of lab notes. I'm thrilled to have some fellow travelers mapping out where we've been, philosophizing about where we want to be, and building the paths to get us where we're going.
If you've read to the end and you find this content helpful, I'd love feedback. My news feed is full of leads, but my personal algorithm loves learning about what interests the community, so that I can focus in on what will be most useful. Just hit reply and your comments will come whizzing into my inbox. (It's also a good way to find me if you are interested in working with me or with Cartomancy Labs).
See you next time on the Futurecast!
Allison
@selenakyle