At SentiLink, we pride ourselves on our deep understanding of fraud, and on being the first team that our partners think of when they run into their most challenging risk and fraud problems. Over time, we realized that the most impactful questions we get from entrepreneurs and operators aren’t the tactical questions on how to stop specific fraud rings, but the strategic questions they wrestle with as they build their companies from 5 employees to 100 employees.
- "How much should I care about risk and fraud? Are we doing this right?"
- "What should I be looking for in my first risk hire?"
- "I already do KYC validation checks, what else do we need to do about onboarding accounts?"
- "My chargeback rate is X. Should I be concerned?"
As a team of former Risk analysts and managers from high-growth Fintech companies, we know that Risk teams are integral to building the next generation of consumer and SMB financial services. Our goal in this post is to help tackle the first question by sharing positive scaling patterns that we’ve seen in the past.
The R&D mindset
Risk management in lending, payments, and banking is not a new concept - financial institutions in the U.S. employ thousands of fraud investigators, data scientists, and analysts to help them control losses, meet their regulatory obligations, and launch new products. The mindset within these types of scaled organizations and sub-teams is often oriented around (1) Operational Efficiency, (2) Pure Loss Prevention, or (3) Compliance. All are valid goals for certain teams in a scaled organization.
However, the ability to underwrite a consumer or small business for a loan in a new type of lending product, acquire customers for a new digital banking concept, or accept payments for merchants in a new way, requires early-stage Risk teams to adopt a more innovative mindset, as they need to balance all of these goals at once.
The most successful early-stage Fintech companies we’ve seen tend to view Risk as an “R&D” function with direct influence on and ownership of the product, not as an operations, compliance, or supporting function whose sole job is to stop fraud.
We’ve observed that the best early-stage risk teams tend to focus on:
- Customer experience and conversion funnels
- Understanding and truly owning losses
Risk R&D: Conversion Funnels and Owning Customer Experience
When growth is all that matters in an early-stage Fintech digital bank or lender, it’s common and appropriate for CEOs to spend the bulk of their time focused on customer acquisition strategies and growing distribution. We’ve observed that the best Fintech Risk teams tend to have ownership over key elements of the product and customer experience to help support this growth.
- They measure and fully understand the conversion funnel and user signup process.
- They test new signup flows using A/B testing, backtesting, or another experimental framework.
- They want to have a close relationship with Customer service.
- They create an “us versus criminals” mentality in fighting fraud - they get other teams in the company excited about stopping bad guys.
- They understand that having a proactive posture on fraud will create trust from key issuing banks and other partners
Lagging indicators that there may be a scaling problem in this area:
- Leaky conversion funnels, where you reject good consumers/businesses or have a high percentage of incomplete applications that do not get to a final decision status.
- A backlog of pending applications
- A backlog of Customer support tickets that are related to application decisions or risk issues such as declined card transactions
- A new product launch whose credit or fraud performance is totally misaligned with expectations
- We recommend setting up a basic dashboard or periodic report to measure conversion rates as new applicants move through the signup process, with a keen eye on where you have the highest drop-off rates, and the total % of new applicants that end up opening an account with a “happiest path” signup process (one with no exceptions flow or step-up verification required).
- Assign a risk product manager or a risk team to fully own these conversion and drop-off rate metrics.
- We recommend that your customer service team track and tag tickets that are specifically due to a transaction decline or new application decline, and that risk owners manually review customer support tickets periodically to understand where their decisions have rejected good potential users (or potentially stopped persistent fraudsters!).
Risk R&D: Understanding and Owning Losses
Each time a loan is not paid, a chargeback for fraud is filed, or a bad user gets on the platform and abuses the product in an unforeseen way, it can be stressful.
Best-in-class Fintech teams tend to view loss events as an opportunity to learn and as an experimental data point. Here are some of the positive scaling behaviors we’ve seen:
- They want to manually review loss events (unpaid loans, chargebacks for suspected fraud, other abuse or losses) with all of the data available on the user, the application, or transactions, as appropriate.
- They label or classify loss events to support data scientists in developing predictive models that will be needed to automate and scale risk decisions as the company expands in scale.
- When creating a “rule” to stop a fraud attack or activity, they backtest the rule before deployment to estimate the false positive rate of their rule.
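A backtest of the kind described in the last bullet can be a short script. The following is an added example, not SentiLink's code: the field `apps_from_ip_24h`, the candidate rule, and the sample records are constructed for illustration, and the labels reuse the simple loss taxonomy suggested later in this post.

```python
from dataclasses import dataclass

# For a fraud rule only these labels count as correct declines. "credit loss"
# is a real loss but not fraud, so declining it is scored as a false positive.
FRAUD_LABELS = {"fraud", "new fraud or abuse"}
# Constructed sample of past applications with their reviewed outcome.
HISTORY = [
    {"id": 1, "apps_from_ip_24h": 5, "label": "fraud"},
    {"id": 2, "apps_from_ip_24h": 4, "label": "fraud"},
    {"id": 3, "apps_from_ip_24h": 3, "label": "good"},  # shared office network
    {"id": 4, "apps_from_ip_24h": 1, "label": "good"},
    {"id": 5, "apps_from_ip_24h": 1, "label": "good"},
    {"id": 6, "apps_from_ip_24h": 2, "label": "new fraud or abuse"},
    {"id": 7, "apps_from_ip_24h": 1, "label": "credit loss"},
    {"id": 8, "apps_from_ip_24h": 1, "label": "good"},
]

@dataclass
class Backtest:
    flagged: int
    true_pos: int
    false_pos: int
    missed: int
    false_positive_rate: float  # declined non-fraud / all non-fraud
    precision: float            # fraud among declined
    recall: float               # fraud caught / all fraud

def ip_velocity_rule(app):
    """Candidate rule (hypothetical): decline at 3+ applications per IP per day."""
    return app["apps_from_ip_24h"] >= 3

def ratio(num, den):
    return num / den if den else 0.0

def backtest(rule, history):
    """Replay a rule over labeled history before it is deployed."""
    tp = fp = fn = tn = 0
    for app in history:
        hit, is_fraud = rule(app), app["label"] in FRAUD_LABELS
        if hit and is_fraud:
            tp += 1
        elif hit:
            fp += 1
        elif is_fraud:
            fn += 1
        else:
            tn += 1
    return Backtest(tp + fp, tp, fp, fn, ratio(fp, fp + tn),
                    ratio(tp, tp + fp), ratio(tp, tp + fn))
```

On this sample the rule would decline three applications, one of them a good applicant, and miss one abuse case that stayed under the threshold.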
Lagging indicators that there is a problem in this area:
- Lack of specific data science mapping or resourcing to a fraud or risk function.
- A loss event so material in size that you would need to tell a head of finance/FP&A about it.
- An escalation or contact from a key partner, such as an issuing bank or card network, that is related to the company’s ability to onboard users or stop fraud.
- Knee-jerk assumptions that users are making false claims of fraud.
- An ever-expanding set of rules to decline potential fraudsters, without the periodic removal of rules when they become ineffective or start blocking mostly good applicants.
- We recommend manually reviewing a substantial percentage of (or all) loss events, to get a feel for what a “normal” vs. “bad” user looks like.
- During review, loss events should be classified or labeled into a simple high-level taxonomy. It can be as simple as “credit loss”, “fraud”, and “new fraud or abuse”, and it will be refined over time as risk scoring and decision models are developed.
- We recommend setting up a basic manual review tool to review applications and user behavior. There are great transaction review tools and software for purchase out there, but we think a scripting language and some SQL can get you a 90% solution. At a minimum this tool should include:
- A “clustered” view of applications that share common attributes (i.e. all applications with the same phone number, email, device, IP address)
- For a card product, a view of the user’s transaction history over time
- For any lending product, a view of the repayment history of the loan
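The “clustered” view in the list above can be built with a scripting language and some SQL, as suggested. This is an added example, not SentiLink's tooling: the `applications` table, its column names, and the sample rows are assumptions. It goes one step past a per-attribute grouping by merging applications that are linked only indirectly.

```python
import sqlite3
from collections import defaultdict

ATTRIBUTES = ("phone", "email", "device_id", "ip")  # assumed column names
# Constructed sample rows: (id, phone, email, device_id, ip)
SAMPLE = [
    (1, "555-0101", "a@example.com", "dev-A", "198.51.100.7"),
    (2, "555-0101", "b@example.com", "dev-B", "198.51.100.8"),
    (3, "555-0133", "c@example.com", "dev-B", "198.51.100.9"),
    (4, "555-0144", "d@example.com", "dev-D", "203.0.113.5"),
    (5, "555-0155", "e@example.com", "dev-E", "203.0.113.5"),
    (6, "555-0166", "f@example.com", "dev-F", "192.0.2.44"),
]

def load(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applications (id INTEGER PRIMARY KEY, "
               "phone TEXT, email TEXT, device_id TEXT, ip TEXT)")
    db.executemany("INSERT INTO applications VALUES (?, ?, ?, ?, ?)", rows)
    return db

def shared_links(db):
    """(attribute, value, [ids]) for each value used by 2+ applications."""
    links = []
    for col in ATTRIBUTES:  # fixed whitelist, never user input
        sql = (f"SELECT {col}, id FROM applications WHERE {col} IN ("
               f"SELECT {col} FROM applications WHERE {col} IS NOT NULL "
               f"GROUP BY {col} HAVING COUNT(*) > 1) ORDER BY id")
        groups = defaultdict(list)
        for value, app_id in db.execute(sql):
            groups[value].append(app_id)
        links += [(col, v, ids) for v, ids in sorted(groups.items())]
    return links

def clusters(db):
    """Merge applications linked through any shared attribute (union-find)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for _, _, ids in shared_links(db):
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    out = defaultdict(list)
    for app_id in list(parent):
        out[find(app_id)].append(app_id)
    return sorted(sorted(c) for c in out.values())
```

In the sample, applications 1 and 3 share no attribute directly but land in the same cluster because each shares one with application 2; application 6 shares nothing and is left out.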
If you found this post interesting and want to take a deeper dive into the topic of risk at high growth startups, some of our favorite content includes:
Over the next several months, SentiLink will be publishing a series of articles and webinars on the craftwork of Risk in high growth startups: best practices, organizational design and hiring, benchmarks, and insights we’ve seen from the most successful Risk teams in Fintech.
This content is designed to be a helpful guide for early stage Fintech entrepreneurs and operators as they scale their startups to their first 100 employees. We would love to hear if there are specific topics you’d like us to cover.
Vivek Ahuja’s background in Risk at high-growth Fintech companies includes risk product management at Marqeta, credit and fraud risk management as Affirm’s head of Merchant Risk, and leading anti-fraud efforts as a co-founder at Xendit.