Fighting Ghosts With Gremlins: A Primer on Credit Card Exemptions
Finally, an AI use case that I can stand behind
Welcome to Money In Transit, the newsletter for startup founders who find themselves dragged into payments technology. I’m Alvaro Duran.
Last weekend, I was in Southern France, where I had to be a stand-in godfather. That made me think about how the payment industry assesses that clients are who they say they are when they pay.
Today’s post provides a primer for those who haven’t been exposed to credit card fraud prevention technology. AI can make things better, but not in the way you would expect.
This is your chance to learn why.
Consider sharing this post with someone who has recently started in the payment industry.
Why don’t people rob banks anymore? Because it’s no longer where the money is.
It has a very low ROI nowadays: not only are you very likely to get caught, but FBI data shows that the median haul is just $8,000.
Effective criminality is no longer about entering a bank branch wearing a mask and carrying a gun. It’s buying credit card data from stolen-card bazaars like BriansClub or ValidCC, and using that data to buy from clueless merchants.
The schemes protect the cardholders. Visa, Mastercard and the rest default to giving them their money back, with very little hassle. As a result, it’s merchants who end up paying the costs associated with fraud: for card-not-present purchases, the chargeback lands on the merchant unless the cardholder was authenticated.
In Europe, regulators have been very aggressive at cracking down on online fraud. With the second Payment Services Directive (PSD2) and its Regulatory Technical Standards on strong customer authentication (a third directive, PSD3, was proposed in 2023 and had not taken effect at the time of writing), EU regulators have established a framework for merchants and payment providers to fight fraudsters.
However, the conversation around fraud prevention online focuses not on protecting clients, but on the friction they experience when they buy online.
See, when you buy online, you’re often required by your own bank to leave the page open, switch to your cranky mobile banking app (or wait for an SMS code), and confirm that you’re OK with the payment. In the industry, this step is the 3-D Secure (3DS) challenge.
What’s problematic about this flow is not that it isn’t secure. It’s that it gives the buyer time for second thoughts.
Customers abandoning the checkout at that step is one of the biggest sources of lost revenue for merchants.
On the one hand, EU regulators are demanding that merchants be more vigilant about fraud online. On the other hand, being vigilant makes customers less likely to buy. Incentives are very perverse!
However, there’s good news.
Regulators left a door open for an alternative, simpler payment flow called Frictionless, where the customer doesn’t have to go through the 3DS challenge. For that, the merchant (through its acquirer, the merchant’s own bank) has to request an exemption. Requesting one signals to the customer’s bank that the transaction will go through without a challenge, and it means the liability for fraud on that transaction stays with the merchant and its acquirer instead of shifting to the issuer.
Have you noticed that you don’t have to enter your PIN on the terminal when you tap your card to pay for small purchases? That is the offline version of a “low value” exemption: the issuer may skip the PIN for contactless payments under €50, as long as the card hasn’t racked up too many consecutive PIN-less payments since the last one. Online, the equivalent exemption covers transactions under €30, again subject to the issuer’s counters (in the EU rules, five consecutive exempt payments or €100 cumulative since the last authentication).
Crucially, the exemption merchants have the most control over is the one they request on the basis of having assessed the transaction as low risk.
How on earth can merchants figure out if a transaction is legit?
It’s 2024: with AI.
The customer’s bank (the issuer) has the last say in the matter, which means that these exemptions, called TRAs (Transaction Risk Analysis), shouldn’t be requested willy-nilly. The amount an acquirer may exempt under TRA is capped by its own fraud rate: the more fraud flows through the acquirer, the lower the ceiling, down to no TRA at all. A merchant that accepts too many fraudulent transactions pushes its acquirer towards that ceiling, and could see many of its exemption requests start being rejected by issuers, or stop being requested by its acquirer altogether!
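To make the exemption logic above concrete, here is an added example (my own code, not the newsletter’s or any payment provider’s) that models the decision an acquirer-side fraud system makes per transaction: try the low value exemption first, fall back to TRA if the merchant’s risk model says the transaction is low risk and the amount sits under the acquirer’s TRA ceiling, otherwise send the cardholder through the 3DS challenge. The thresholds are those of the EU Regulatory Technical Standards on strong customer authentication (Art. 16 for low value, Art. 18 for TRA, Art. 19 for how the fraud rate is computed); everything else is an assumption for illustration: amounts are in euro, the per-card counters (which in reality only the issuer sees) are folded into the same function, the `low_risk` flag stands in for a real risk model, and the two sample merchants and their quarter of transactions are constructed here.

```python
"""Exemption decision logic modelled on the PSD2 RTS on strong customer
authentication (Delegated Regulation (EU) 2018/389).

Added example, not code from the newsletter. Assumptions: amounts are in
euro, thresholds are those of Art. 16 (low value) and Art. 18 (TRA), the
fraud rate is computed per Art. 19 (value-based, per quarter), and the
per-card counters and sample transactions below are constructed here.
"""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import Iterable


class Exemption(Enum):
    CHALLENGE = "challenge"  # no exemption: send the cardholder through 3DS
    LOW_VALUE = "low_value"  # Art. 16
    TRA = "tra"              # Art. 18, transaction risk analysis


# Art. 16: remote payments up to 30 EUR, unless the card has already been used
# for 5 consecutive exempt payments or 100 EUR cumulative since the last SCA.
LOW_VALUE_MAX = Decimal("30")
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE = Decimal("100")

# Art. 18: the TRA ceiling depends on the acquirer's reference fraud rate.
# Pairs of (maximum fraud rate in percent, maximum exemptable amount in EUR).
TRA_TIERS = (
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
)


@dataclass
class CardCounters:
    """What the issuer tracks per card since the last successful SCA."""
    exempt_count: int = 0
    exempt_amount: Decimal = Decimal("0")


@dataclass
class Transaction:
    merchant: str
    amount: Decimal
    is_fraud: bool  # known after the fact, from chargebacks and fraud reports


def acquirer_fraud_rate(transactions: Iterable[Transaction]) -> Decimal:
    """Art. 19 fraud rate: fraudulent value / total value, as a percentage."""
    txs = list(transactions)
    total = sum((t.amount for t in txs), Decimal("0"))
    fraud = sum((t.amount for t in txs if t.is_fraud), Decimal("0"))
    if total == 0:
        return Decimal("0")
    return (fraud / total * 100).quantize(Decimal("0.0001"))


def tra_ceiling(fraud_rate_pct) -> Decimal:
    """Highest amount the acquirer may exempt under TRA at this fraud rate."""
    rate = Decimal(fraud_rate_pct)
    for max_rate, ceiling in TRA_TIERS:
        if rate <= max_rate:
            return ceiling
    return Decimal("0")  # above 0.13 %: no TRA exemption at all


def choose_exemption(amount, card: CardCounters, fraud_rate_pct, low_risk: bool) -> Exemption:
    """Pick the exemption to request for one transaction, or a challenge.

    `low_risk` stands in for the merchant's own risk model verdict (the RTS also
    lists signals that model must weigh, such as spending patterns and device).
    Whatever is requested, the issuer may still answer with a challenge.
    """
    amount = Decimal(amount)
    if (amount <= LOW_VALUE_MAX
            and card.exempt_count < LOW_VALUE_MAX_COUNT
            and card.exempt_amount + amount <= LOW_VALUE_MAX_CUMULATIVE):
        return Exemption.LOW_VALUE
    if low_risk and amount <= tra_ceiling(fraud_rate_pct):
        return Exemption.TRA
    return Exemption.CHALLENGE


def record_outcome(card: CardCounters, amount, exemption: Exemption) -> CardCounters:
    """Update the per-card counters: a challenge resets them, an exemption accrues."""
    if exemption is Exemption.CHALLENGE:
        return CardCounters()
    return CardCounters(card.exempt_count + 1, card.exempt_amount + Decimal(amount))


# Constructed sample quarter: one careful merchant and one leaky one.
CLEAN_SHOP = [Transaction("clean-shop", Decimal("80"), False)] * 2000 + \
             [Transaction("clean-shop", Decimal("80"), True)]
LEAKY_SHOP = [Transaction("leaky-shop", Decimal("120"), False)] * 200 + \
             [Transaction("leaky-shop", Decimal("120"), True)] * 4


if __name__ == "__main__":
    rate_clean = acquirer_fraud_rate(CLEAN_SHOP)
    rate_both = acquirer_fraud_rate(CLEAN_SHOP + LEAKY_SHOP)
    print(f"clean-shop only: fraud rate {rate_clean}% -> TRA ceiling {tra_ceiling(rate_clean)} EUR")
    print(f"with leaky-shop: fraud rate {rate_both}% -> TRA ceiling {tra_ceiling(rate_both)} EUR")
    card = CardCounters()
    for amount in ("12", "25", "90"):
        choice = choose_exemption(amount, card, rate_clean, low_risk=True)
        print(f"{amount:>4} EUR -> {choice.value}")
        card = record_outcome(card, amount, choice)
```

Running it shows the two points of the paragraph above: the leaky merchant alone is enough to push the whole acquirer’s quarterly fraud rate past 0.13 %, at which point the clean merchant loses its TRA ceiling too, and a card that has already used up its low value allowance silently falls through to TRA or to a challenge even for a €12 purchase. A real system would also log which exemption was requested and what the issuer actually returned, because the gap between the two is the early warning that the acquirer is drifting towards the threshold.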
Despite that, TRAs are the opportunity for merchants to become data powerhouses, even when they rely on fraud prevention providers to do their data analysis for them.
Two factors are at play here: banks’ legacy systems, and the context of the merchant’s data.
Gremlins and Data
The credit card ecosystem is, behind the scenes, a Jenga-like tower of software systems that have been humming along for several decades. What you see is a somewhat cute interface that hides a monster that consists of mainframes and humans in cubicles.
Relying on this ecosystem to assess fraud can very often lead to spurious declines. These are situations where a piece of code, somewhere deep inside the monster, decides to act up and decline an otherwise perfectly valid payment.
This happens more often than banks care to admit. But credit cards are so lucrative, there is very little incentive to open the hood and start tinkering with it. That’s one of the reasons why, in a recent interview, Stripe advisor Patrick McKenzie said that the most likely reason for a false decline was “gremlins”.
Banks have little observability as to what is really going on, and nobody in a position to look into it would be rewarded for doing so.
But even if banks hunted down all those gremlins, merchants can make 10x improvements in fighting fraud that banks will never be able to match. That’s because their data is of higher quality.
One of the most widespread beliefs about data among nonspecialists, subsumed within the aphorism “data is the new oil”, is the idea that data has a fungible value, and that companies can use it interchangeably. You may remember that, not so long ago, the media was arguing tirelessly over whether China or America had “more data”, and that Google was in a monopolistic position thanks to “their data”.
This is nonsense. There is no such thing as data in the abstract. It’s not interchangeable: how much can delivery service companies do with missile guidance systems data?
The value of data lies not in its amount, but in its context.
Contrary to what banks tell you, their hoarding of data from multiple industries puts them at a disadvantage against data-savvy merchants with built-in fraud prevention applications.
This surprises nonspecialists, but it makes a lot of sense. Fraud has a particular flavor for each merchant that banks can’t capture accurately. “Who is the fraudster?” becomes an easier question to answer if you’re smaller. The picture is clearer for merchants. Fraud simply happens often enough, and is perpetrated by similar people.
Merchants can learn to spot the early signs. Banks fight ghosts using systems ruled by gremlins.
In partnership with fraud prevention companies, scale-up merchants have gained the resources to build analytics that are superior to those of their acquirers. It can be tested, empirically: compare the fraud rate on the exemptions you requested with the rate on the transactions you sent to challenge.
Merchants should own fraud detection. The tools to capture and make sense of payment data have become better and easier to use over the years. There is little push back against projects that include LLMs as part of the deal. TRAs provide the regulatory coverage to do it.
In the end, what makes merchants build fraud applications in-house is neither the technology nor the regulation.
It’s courage.