Growing Fast and Fighting Fraud in Fintech: Get it Right, or Go Home
Fighting Fraud on the Front Lines: Tal Yeshanov, Head of Strategic Risk and Financial Operations, Plastiq
As Head of Strategic Risk and Financial Operations at fast-growing fintech Plastiq, which enables consumers to make smarter cash flow choices through their all-in-one payment platform, Tal Yeshanov is no stranger to the pressures which make fighting fraud at a high growth company both challenging and exciting.
In this interview, she shares what she’s seen work best during her experience at Plastiq, and before that at Uber, Eventbrite and Google, explains what she’s learned to prioritize, and describes the directions in which she sees the future of fraud fighting heading.
What would you say are the greatest fraud prevention challenges that come with being a high growth company?
I don’t know if these challenges are different to those at slower growing companies, but I for sure know that at high growth companies, these challenges become very pressing, fast. Successful fraud leaders need to get ahead of the issues proactively. If you aren’t expecting to come up against these two key challenges, and don’t have a plan to circumvent them, you’re going to struggle continually to get anything meaningful done.
These are the main challenges I see at fast-growing companies:
1) Getting alignment from stakeholders with conflicting goals. Product wants to acquire more users and remove friction, which causes more fraud - counter to what Risk needs. Risk wants to reduce fraud so wants to hire more analysts and/or bring on vendors. Risk needs to spend money to reduce fraud, but Finance wants to reduce costs. All 3 departments are moving fast to deliver on their goals, and getting all to align and reach an eventual compromise is a huge challenge.
To overcome this, listen to the goals of your counterparts, and then explain - with data - why you feel the tradeoff for them is worth it. Come prepared with the data from the very start of discussions, or you’ll be wrong-footed right away.
2) Ruthless prioritization. Every company wants to do more with less. To do that, ruthless prioritization is a MUST. How can a company take on the task? Data! It’s best to use data to tell a story, to make decisions. “Gut decisions” in the world of product and risk are usually wrong. Companies should consider user acquisition costs, vendor costs, and workforce costs, while balancing against product and feature builds that would bring transactions, essentially increasing payment volume, which hopefully would result in a higher net revenue.
It seems obvious - but it’s important not to lose sight of what will help you reduce cost and increase revenue, and oftentimes the only way to really know that is to look at the data! Fraud and Risk Teams are well-placed to lead this data-driven exercise, because of their deep understanding of what’s behind transaction numbers. Going through the exercise takes emotion out of the equation, and helps show that even though you’re focused on protecting the company, encouraging company growth is just as important to you.
You’ve seen fraud and risk from within a number of amazing, high growth, innovative companies. Have you seen significant differences depending on the industry?
“One size fits all” can work for clothes, but not for preventing fraud in high-growth companies. Each company needs to consider:
Tolerance: Tolerance considers how much risk you can take on; that risk is different depending on your average transaction size, industry type, market type (for example, does the merchant run a ‘Software as a service’ or a ‘marketplace’ or a ‘recurring subscription model’).
Levers available. Levers refers to what is in your control to influence. Some examples of levers could include: hiring Operational or Data Analysts, onboarding a vendor, and/or asking users to validate their phone or email; though keep in mind this causes friction. It’s important to weigh the pros and cons of each lever (aka actions). It’s critical to strike the right balance when turning away revenue (good users) versus turning away fraudsters (bad users) as it’s a delicate balancing act. This is because anti-fraud measures your company would take could have an adverse effect on customer experience, and thus revenue.
Are there lessons you think other industries could usefully take from the way high growth companies manage fraud and risk?
Absolutely! At the end of the day, all industries are looking to gain users and make money. Some universal concepts are: Leverage data to make decisions, consider the amount of friction imposed on users and how to balance reducing fraud without hurting users.
High growth companies are particularly good at these, in my experience, because they have to be. They’re always aware of a ticking clock, and the need to gain new users and give them an experience that they’ll love. There’s a sense of urgency that comes along with that which makes it easy for people to remember what’s really important, and to want to put data behind their decisions. Generally speaking, though, these are excellent practices for any business, although it may take some thoughtful effort for more traditional companies to adopt the same practices.
What’s the cleverest/sneakiest trick you ever saw a fraudster pull?
Masking themselves - using proxy IPs, VOIP phone numbers, stolen credit cards, jailbroken phones, device settings in the “local” timezone, and changing the language setting on the device to match their credit card billing and IP locations. It’s remarkable how many levels of disguise fraudsters create for themselves, especially when you think about the scale and speed at which they don different masks.
Have you ever tried a fraud prevention tactic to see if it would work, and been surprised by the results?
1000%! Always do this. A/B testing is the way to go!
I think this might be another practice that fraud and risk in fast-growing companies naturally pick up from elsewhere in their organization. There’s a willingness to experiment, and a desire to measure what works best, that comes with being in a high growth company, whether you’re working in marketing or product or business development or fraud. Again, it’s something more traditional companies could benefit from as well.
Are there any fraud prevention approaches that work particularly well for high growth companies, because of that fast growing nature?
Keep your data clean. Trash data in, will yield trash data out. That can be challenging when you’re in a company where everything moves fast all the time, but if you don’t prioritize it, you’ll regret it later. The cost of fixing it in the future is far greater than the cost of doing it right now.
I know collaboration within the industry is close to your heart. Can you explain a little about why your experiences have made you so passionate about it?
The payments and fraud space is complex, nuanced, and ever-changing. Which means it attracts a certain type of person: someone who is curious, ambitious, and enjoys problem-solving. To me, collaboration is all about the PEOPLE you work with, and knowing that I get to work with the most amazing, smart, thoughtful, curious, ambitious people is a lot of fun.
Also! I truly believe that everyone (except the fraudsters) wins when merchants collaborate.
Fraudsters don’t need to play by the rules, so they get to try whatever they want, however they want, whenever they want. Merchants are not able to be as flexible. They’re blocked from acting by Terms of Service, vendor agreements, regulators, lack of ability/bandwidth of busy engineering teams to quickly and securely drop everything and build a defense… and most importantly - not wanting to falsely decline legitimate users.
So when merchants collaborate, it could set them up for success by reducing some of the aforementioned blockers.
What are the new ways you’ve seen fraud fighters collaborate in the last few years, and what do you expect for the next few years?
The trend to collaborate is growing via conferences, chat forums, vendors that put on ‘roundtables’ (shout out to the Identiq roundtable discussions!), small ‘merchant-only’ forums. I’m here for it!
How do you see the day-to-day of fraud fighting changing in the future?
I think the space will reach for more and more automation. We already have data that gets turned into variables, that then gets used by rules and models - I think that will continue.
I also think that it’ll become more robust. The types and quality of data will evolve - we’ll go from looking at raw data elements such as device, IP, phone, email, to ingesting more telemetric and biometric data.
I think storing data will become cheaper, and I think cleaning, organizing, and leveraging data will also improve. New ways of leveraging the data are also emerging. Identiq’s providerless network is a good example: it means you can validate identities against other companies’ data without sharing any personal user information at all, which in turn means that we can do even more with the data we have, in a way that protects PII.
If you could give one piece of advice to someone just starting out in fraud and risk, what would it be?
Be curious! Ask questions. If something looks off, it probably is.
On my team we have a saying “See something, say something” and the Risk Team gives a monthly award to anyone in the company who points out something fun/interesting/suspicious to the Risk Team. We call it ‘The 4-S Award’ and it comes with a nice all-company call-out and gift card.
If you could give one piece of advice to a fraud fighting veteran, what would it be?
Don’t become jaded. Keep fighting for your headcount and vendor budgets.
It’s easy to get flustered when Product teams build, but risk operations teams don’t get the resourcing they need fast enough, or as much as they’d hope. It’s okay. You’re not alone. It’s just part of the job - a delicate “negotiation” to always keep advocating for more $ for your team.
About Tal Yeshanov
Tal Yeshanov is a risk industry expert with deep understanding of the complex dynamics between merchants, payment processors, issuing banks, and acquiring banks. Her day to day work focuses on credit fraud, CNP/transaction fraud, chargebacks, digital identity, and payment processing. She is passionate about using artificial intelligence and machine learning technologies to combat fraud. She has ~15 years experience working at companies including Google, Uber, Eventbrite and Wells Fargo.
This blog post is part of our Fighting Fraud on the Front Lines series, bringing the expertise and experience of veteran fraud fighters to a wider audience. Identiq is all about collaboration, and we firmly believe that the more we pool our knowledge (though not our data!) the stronger we become as an industry.
Do you have something burning to share with the community? Or do you know someone who has a lot of fraud prevention wisdom to share? Reach out to us!