Fraud, Wirecard and the Future of Fintech

I. Fraud

Finance companies have a unique relationship with fraud. They are at the same time victims of it, vehicles for it and occasional perpetrators of it. 

As victims they are continually exposed to many small-scale attacks. Data from the UK suggests that fraud skims off 7.5p from every £100 spent on credit and debit cards. Over a billion pounds was pilfered through the banking system last year, with close to two billion more apprehended at the exit. Insurance companies wage a similar battle against false claims. Last year they detected fraudulent claims in excess of a billion pounds. 

In their commercial business units the numbers get bigger. ABN AMRO has disclosed that three-quarters of the impairments it has suffered in its Trade and Commodity Finance business over the past ten years stem from fraud. Its latest hit here was a €225 million clanger originating out of Singapore-based commodities trading firm Hin Leong.

Even bigger numbers, though, require a man on the inside. When asked why he robbed banks, bank robber Willie Sutton famously replied, “because that’s where the money is.” Bank managers see the money every day and sometimes lapse into complicity. The firm ORX compiles loss data for banks globally. In each of the past three years internal fraud losses have exceeded external fraud losses; across the three years combined internal fraud outstrips external fraud nearly four times over. 

Previously, I wrote up the case of Punjab National Bank in India, which was defrauded of US$2.23 billion in 2018. The fraud was facilitated by a low-level employee on behalf of a client. The case brings up a question: Although the employee was clearly complicit, to what degree was the bank institutionally culpable? Punjab National Bank had a system in place which allowed the fraud to happen, a system characterised by weak fraud detection mechanisms. So it bears some responsibility even though the intent wasn’t there. 

There are other cases where the link between employee behaviour and corporate responsibility is clearer. A good example is Wells Fargo. In the years leading up to 2016, Wells Fargo employees set up millions of fake accounts in customer names in order to meet sales targets. The fraud was born out of an incentive structure put in place by management to bolster cross-selling. Unlike Punjab National Bank whose not doing something allowed the fraud to happen (i.e. establish robust fraud detection mechanisms) Wells Fargo was guilty of doing something to allow the fraud to happen (design a misaligned incentive structure). 

When it comes to corporate fraud there’s kind of a hierarchy:

At the base are frauds that emerge from systems of omission like at Punjab National Bank. The market is typically quite forgiving of these — CEOs don’t lose their jobs and litigation is restrained. In stock market terms they have a P/E of one.

Further up there are frauds that emerge from systems of commission. These tend to cost CEOs their jobs and attract the wrath of regulators. Wells Fargo had to pay US$3 billion to settle civil and criminal charges. The additional fines and lost revenues inflate the P/Es of these frauds above one. 

At the apex are what William Black, a former bank regulator, calls control frauds. Further down the hierarchy fraud emerges as an unintended consequence of the system — there isn’t a Blofeld-like character orchestrating the whole thing. With control frauds there is a Blofeld — a person of power who subverts the organisation for personal gain. Black elaborates on the framework in his book, wonderfully entitled: The Best Way to Rob a Bank is to Own One. These frauds have a P/E of whatever equity is left in the company. 

---

Help us grow 🌱

If you enjoy Breezy Briefings, there are three things you can do to help us grow and reach more people. Which would be lovely!

1. Share it with someone else. Forward the email. Post on social.

2. Click/tap the little ❤️ icon at the top or bottom. It actually helps.

3. Subscribe for free.

---

At the individual corporate level control fraud tends to be the most lucrative. In 2018 two financial companies reported even larger fraud-related losses than the multi-billion loss reported by Punjab National Bank; both were orchestrated by the men at the top. The owners of PrivatBank in Ukraine allegedly stole US$5.5 billion, allegedly syphoning the money off to Cyprus via insider loans. The former head of the central bank called it one of the biggest financial scandals of the 21st century. (I use the word allegedly judiciously because she has had several threats on her life.) Even bigger was the loss suffered by Angbang Insurance of China whose chairman unallegedly stole US$12 billion in a scheme involving falsified accounts and diversion of funds — he is now serving an eighteen year jail sentence.

II. Wirecard

The latest example of control fraud in the sector is Wirecard of Germany.

Last week auditor EY refused to sign off on accounts over a missing €1.9 billion and the CEO was subsequently arrested. At this stage we don’t know the motivation of the people involved. But already the reputations of many have been tarnished. The German financial regulator BaFin comes out looking especially bad. Rather than investigate allegations that came to light over a year ago it sought to shut them down. It launched criminal proceedings against two FT journalists and it put up a short selling ban on Wirecard stock. 

There are suggestions that BaFin may not survive this episode. But it wouldn’t be the first body to shoot the messenger, a practice that dates back to Roman times. That and regulatory capture are corruptions which have been widely studied and for which mechanisms have been created to address. (Short selling being an excellent foil for regulatory capture.)

Of more general concern is a comment the regulator made after the fact. According to Bloomberg, the regulator said: “As a technology company, Wirecard wasn’t considered a financial institution directly supervised by BaFin.” In a follow-up, the regulator’s head of press doubled down: “Wirecard is not supervised by BaFin… I am not aware of any separate entity that is in charge of supervision of Wirecard.”

The reason why this is concerning is because of the increasingly blurred demarcation between financial institutions and technology companies. Now, BaFin may just be slow; it has a more limited legal remit than regulators in other markets and it has traditionally been dominated by lawyers rather than practitioners.

But in form Wirecard offered many of the services that banks do. Its prepaid cards are used by many underbanked consumers as an alternative to bank accounts. Earlier today the Financial Conduct Authority in the UK shut down the UK subsidiary of Wirecard, preventing customers from accessing their money. It feels reminiscent of an ‘FDIC Friday’ when the US Federal Deposit Insurance Corporation shuts down failing banks (although the FDIC tends to wait until after business hours). 

The Wirecard episode exposes a regulatory gap between finance and tech.

III. Future of Fintech

Underpinning this gap is a convergence between tech and finance, happening more quickly than regulators can accommodate. Regulators were caught out before the financial crisis of 2008 by the growth that had taken place in shadow banking outside their purview. They have spent the last ten years dimensioning the boundaries of shadow banking and assessing the risks it presents. In the meantime, a lot of financial activity is being taken on by tech companies. 

The latest example of this is Facebook’s strategy to add payments functionality to Whatsapp. Having been rolled out in Brazil this month, it was swiftly shut down by the central bank pending an evaluation. Perhaps they realised that they need to understand the advertising business before allowing the strategy to proceed, something central bank regulators would not normally be expected to have expertise in. At his AGM in May, Mark Zuckerberg said:

“So one way to think about, I guess, not just Libra, but all of the commerce work that we're doing is that you should really think about it in terms of our ads business…

…when we offer additional tools, whether it's around commerce like Facebook Shops or around payments like Libra or Facebook Pay, if we can make commerce be more effective for businesses if when they run an ad, somebody who clicks on that ad is now going to be more likely to buy something because they actually have a form of payment that works that's on file, then it basically becomes worth it more for the businesses to bid higher in the ads than what we see are higher prices for the ads overall. So that's broadly the strategy around going deeper on commerce and payments.”

Whether it’s as an adjunct to advertising or as an adjunct to other business lines like software, payments are gradually seeping out of the banking system. Two models are emerging. One, like Facebook, seeks to add payments as a tool to capture more value from a core product. The other model is the opposite — to give away the core product and capture value instead from the payments. This is the model Shopify is pursuing; it now generates the majority of its revenue from payments. 

Other examples include Toast, which provides software and facilitates payments in the restaurant industry and Mindbody which does the same in the fitness/wellness industry. The logic is clear. A restaurant or fitness studio with US$1 million in annual sales might pay US$5k a year for software, but they’re also paying as much as US$25–30k into the payments value chain. As a Sequoia partner said, “You don’t have to capture much of the payments value to double your revenue overnight. Offering payments is a force multiplier on revenue, unit economics, and total addressable market.”

For the market overall, some estimates suggest that 8% of US merchant payments have already migrated to software companies and away from traditional payments companies. 

This broad trend makes joined up thinking between financial and technology regulation critical. A group of Princeton economists published a paper last year, suggesting that the trend could presage a new financial hierarchy. In the current financial hierarchy banks play the central role and payments play a subsidiary role, being dependent on banks. However in a more platform-based economy, activity could organise itself around the central payment functionality at the centre of a platform. A consumer’s point of contact would be the platform rather than the bank. In this new type of financial hierarchy, traditional financial institutions such as banks could be replaced by fintech subsidiaries of payment systems. Already in China such systems have emerged, with Yu’e Bao a subsidiary of Ant Financial, becoming the world’s largest money market fund and Sesame Credit, another subsidiary, becoming a dominant credit scoring system.

Financial regulators may have already inadvertently tipped the system closer towards this structure. In their eagerness to boost competition in retail financial services European policymakers introduced directives requiring financial services companies to open up their data to third parties. Last year the CEO of Italy’s largest bank, Unicredit, complained: “We are asked to open up our data to everyone, which is fine, that's the rule, but if one of my clients wants me to have access to his data on Amazon or Google that is not possible… There is no reason why there should be an asymmetric treatment of banks.”

It’s not just in data where the playing field isn’t level; it’s in capital, too. In Europe, a new payments company can get started with initial capital of just €50k euros; a new bank requires 100 times that amount.

The European Commission seems to realise the risks being run here. It recommended a few months ago that EU regulation conforms to principles ensuring a level playing field for incumbent market participants and new entrants in the form of start-ups and BigTech. The Financial Stability Board also picked up the risk, and it is possible that the Brazil central bank has now done the same. 

IV. Afterword

“Evil is the root of all money” — Nobuhiro Kiyotaki and John Moore

Finance emerges from a lack of trust, which is why there is a need for strong regulation to hold the whole thing together. But it can be undermined by fraud. Ultimately the buck stops with central banks (literally). Over the past decade central banks have been quite good at coming to terms with systemic risk. But payments systems are getting more complex and the participants are shifting. BaFin may be a maverick regulator, but a focus on one part of the system at the expense of another is clearly not good practice. 

How quickly the big picture comes into focus may depend on the nature of the Wirecard fraud. If it turns out to be ‘just’ an accounting fraud then progress may be made but the urgency could be low. If it turns out to be a money laundering fraud as well then the implications are more severe. And if it turns out that Wirecard has misappropriated customer funds, then we have an old-fashioned banking scandal on our hands.

Marc Rubinstein is an angel investor in fintech and writes on financial sector themes. He is a former hedge fund manager at Lansdowne Partners, one of the oldest long/short hedge funds in Europe. Prior to that, he was a managing director of Credit Suisse, one of the youngest in his cohort. He started off as an equity research analyst at BZW (investment banking arm of Barclays) specialising in banking sector and moved to Schroeders.