How neobanks mitigate fraud and manage AML while scaling accessible banking
Neobanks across the world have achieved unprecedented reach — 1 in 2 Brazilians has a Nubank account and over a third of the adult UK population has an account at a digital-first bank. Digital-first banks are relatively new. Nubank, SoFi, Monzo, etc. were all created in roughly the last ten years and really achieved scale during the pandemic. Chime had grown to 9.5M account holders by the time they raised their Series E in 2020. When I travel to visit my family in Colombia, I see Nubank ads all across the airport, encouraging Colombians to open a “Nu” account. These neobanks are not offering luxury products targeting upstream customers; they are offering core banking solutions to all regardless of socioeconomic status.
What’s impressive is not only the fact that they grew so quickly, but also how they’ve been able to bank many previously unbanked folks, without introducing significant fraud and compliance violations. Neobanks have won over legacy banks partly because of the ease of opening an account, which can be done in minutes (e.g. 20 minutes for Nubank or 2 minutes for Bangalore-based Open). This means they’ve somehow onboarded a population with possibly little to no existing credit header data, in minutes.
Regardless of country-specific KYC regulations, this introduces risk of money loss, whether the customers are third-party fraudsters or just trying to make a profit by transferring in money from invalid sources and spending it immediately on their card. Neobanks especially have to mitigate amount of losses in order to maximize their revenue, which is limited due to nascent user reserves and transaction activity. Investors will look for profitability when choosing to invest the funding needed for the neobank to continue growing.
How did these neobanks achieve scale while remaining compliant and mitigating risk?
- Larger risk tolerance for their customer base through post-onboarding monitoring
Traditional banks primarily monitor for risk post-data collection. They rely on a staff of risk analysts reviewing a list of suspicious activity (e.g. users changing account information, logins from different locations, making transfers between accounts with different account holder names), and decide whether to place an account on probation or place holds on future transfers.
However, neobanks are able to catch risk synchronously, enabling them to accept riskier customers while still mitigating fraud. For example, they have embraced AI/ML to detect fraudulent card transactions realtime. Over the past ten years, research on credit card fraud detection neural networks have made them more effective and easier to deploy. This has provided banks with a reliable, efficient transaction decision engine that takes into account customer transaction history and profile characteristics.
Often, neobanks don’t have to build this transaction monitoring from the ground up — there is a market of providers that power risk monitoring across all types of fintech companies. Companies like Fiserv provide not only card transaction risk monitoring APIs, but also entire BAAS solutions that equip fintechs with a host bank and access to aggregated data to verify customer identities.
Neobanks also rely on automatic account freezes to prevent fraud. When suspicious activity is detected on an account by Monzo’s algorithm, the account is immediately frozen. To preserve a positive UX, Monzo promises a human review on the account within 10 minutes of the freeze. For some neobanks, however, this level of risk control unfortunately still results in significantly poor UX. Chime received almost 1000 complaints filed at the Consumer Financial Protection Bureau in a year, and about 200 of them were about a “closed account.” By comparison, Wells Fargo only received about 300 complaints about closed accounts with six times as many customers. These Chime closures can result in customers not receiving their funds for months. Neobanks are able to grow quickly but aren’t able to ensure a quality experience for all users.
2. Improved KYC through a larger technology surface
Neobanks are uniquely poised to mitigate risk even better than traditional, less tech-saavy banks. Bart Leurs, chief digital transformation officer at Dutch mutual group Rabobank comments, “If you want to do KYC and anti-money laundering right, you can’t do it in a manual way.” There’s a plethora of digital tools, from identity verification to anomaly detection, that enable capturing rich customer data and detecting illegitimate activities. Any banking entities that aren’t using these methods are opening opportunities for fraudsters to take advantage of.
Similar to risk monitoring, identity verification can be powered by providers who have amassed a thorough database over the years. U.S. based companies like Persona and Footprint provide neobanks with an onboarding process that involves selfie verification and supplemental document scanning. This not only ensures KYC compliance but also deters fraudsters who are looking for avenues to onboard onto fintech products easily and without leaving a trace. Providers like Socure will raise flags on customers that are identified as serial fintech users: users that have created accounts with many different fintech products. The maturity of the fintech industry has helped contribute data to all of these providers’ aggregated databases.
In other countries besides the U.S., an important factor is the institutional identity infrastructure available. In the U.S., for example, fintech companies rely on identifiers such as a Social Security number and an
Individual Taxpayer Identification Number (ITIN). Other countries where neobanking has grown have similar centralized structures, as opposed to in countries such as Sri Lanka, where a lack adoption of central structures for identity verification has hindered fintech development.
In rural areas, potential customers may not have existing institutional identities or datapoints that neobanks can use when deciding to open accounts. However, they may already be customers of other, non-financial services. Some neobanks have therefore started from those existing customer networks. M-PESA was able to expand to 96% of households in Kenya by 2016 by offering payment services through telecommunications providers, which worked well in a population with such high mobile phone adoption. Similarly, companies like Alibaba and Tencent were able to quickly start offering access to credit to customers, assessing risk using their large existing amounts of data.
Post-account creation, neobanks have a growing set of tools to continue getting to know their users. Traditional banks usually do this by calling customers with occasional check-ins or meeting customers at a physical bank branch. However, neobanks don’t have a physical branch where they can screen their customers in person or as much staffing to manually contact customers. Instead, they observe their users’ biometric data. They can obtain a rich biometric user profile by observing user behavior, location, IP address, typing speed, etc. This allows them to easily detect cases of account takeover.
3. Adjusting risk controls as needed
Regardless of these risk monitoring and KYC methods, neobanks have still run into compliance issues and fraud loss, and it’s to be expected. Over 60% of fintech companies paid at least $250k in compliance fines in the past year. These fines become a multiple of that in certain cases, such as for N26, which paid 4.25M euros in fines in 2021 for weak anti-money laundering controls. Fintechs experience an average fraud rate of 0.30%, twice as high as the average credit card fraud rate and triple that of the debit card fraud rate. Rather than eliminate the possibility of fraud and compliance violations, neobanks focus on limiting potential downside and adjusting their levels of caution as necessary.
The good news for neobanks is that they have more freedom under compliance oversight than large banks. Even if they are partnered with a host bank, the host bank is typically not a D-SIB or G-SIB (domestic or global systemically important bank), which are subject to full-scale regulation. This is referred to as the proportionality principle in banking regulation and it’s made it easy for neobanks to quickly expand and secure venture funding.
Though regulation can be more lax on smaller banking entities, regulators can enforce additional scrutiny whenever they choose to. U.S. consumers lost more than 8.8B to fraud in 2022, representing a 30% increase from the year before, calling for additional scrutiny from regulators. That year, the IMF published a report stating that banks and fintechs need to compete on a level playing field. They highlighted the risk that neobanks pose and that their risk management and resilience “remains untested in an economic downturn.” This means neobanks have to remain agile and able to enforce more secure processes or work differently with consumers, such as when the UK’s Financial Conduct Authority gave six weeks to fintechs to notify customers about how protections they offer are different from licensed banks.
Neobanks are reshaping the banking industry by making financial services more accessible and user-friendly. They’ve managed to grow rapidly while addressing significant challenges in fraud prevention and regulatory compliance. As they continue to expand, maintaining this momentum will require a careful balance between innovation and risk management, ensuring they meet regulatory standards and maintain customer trust. The future success of neobanks will depend on their ability to adapt to an evolving financial landscape and maintain the integrity of their operations in the face of growing scrutiny.
