2026-01-08 05:12:19
Programming note: Happy New Year! Bits about Money is made possible—and freely accessible to all—by the generous support of professionals who find it useful. If you’re one of them, thank you—and consider purchasing a membership.
The U.S. is often maligned as being customer-hostile compared to other comparable nations, particularly those in Europe. One striking counterexample is that the government, by regulation, outsources to the financial industry an effective, virtually comprehensive, and extremely costly consumer protection apparatus covering a huge swath of the economy. It does this by strictly regulating the usage of what were once called “electronic” payment methods, which you now just call “payment” methods, in Regulation E.
Reg E is not uniformly loved in the financial industry. In particular, there has been a concerted effort by banks to renegotiate the terms of it with respect to Zelle in particular. This is principally because Zelle has been anomalously expensive, as Reg E embeds a strong, intentionally bank-funded anti-fraud regime, but Zelle does not monetize sufficiently to pay for it.
And thus a history lesson, a primer, and an explanation of a live public policy controversy.
If you were to ask your friendly neighborhood reference librarian for Electronic Fund Transfers (Regulation E), 44 Fed. Reg. 18469 (Mar. 28, 1979), you might get back a document yellowed with age. Congress, in its infinite wisdom, intended the Electronic Funds Transfer Act to rein in what it saw as the downsides of automation of the finance industry, which was in full swing by this time.
Many electronic transactions might not issue paper receipts, and this would complicate he-said bank-said dispute resolution. So those were mandated. Customers might not realize transactions were happening when they didn’t have to physically pull out a checkbook for each one. Therefore, institutions were required to issue periodic statements, via a trustworthy scaled distribution system, paper delivered by the United States Postal Service. And electronic access devices—the magnetic-stripe cards, and keyfobs [0], and whatever the geeks dreamed up next—might be stolen from customers. And therefore the banks were mandated to be able to take reports of mislaid access devices, and there was a strict liability transfer, where any unauthorized use of a device was explicitly and intentionally laid at the foot of the financial institution.
Some of the concerns that were top of mind for lawmakers sound even more outlandish to us, today. Financial institutions can’t issue credit cards without receiving an “oral or written request” for the credit card. That sounds like “Why would you even need to clarify that, let alone legislate against it?!” unless you have the recent memory of Bank of America having the Post Office blanket a city with unsolicited credit cards then just waiting to see what happened. [1]
The staff who implemented Reg E and the industry advocates commenting on it devoted quite a bit of effort to timelines, informed by their impression of the cadence of life in a middle class American household and the capabilities of the Operations departments at financial institutions across the U.S.’s wide spectrum of size and sophistication. Two business days felt like a reasonable timeline after the theft of a card to let the financial institution know. They picked sixty business days from the postmark for discovering an unauthorized transaction in your periodic statements. That felt like a fair compromise between wanting to eventually give financial institutions some level of finality while still giving customers a reasonable buffer to account for holidays, vacation schedules, the time it takes a piece of mail to travel from New York City to Hawaii, and the reality that consumers, unlike banks, do not have teams paid to open and act upon mail.
And, very importantly for the future, Congress decided that unsophisticated Americans might be conned into using these newfangled electronic devices in ways that might cost them money, and this was unacceptable. Fraudulent use of an electronic fund transfer mechanism was considered an error as grave as the financial institution simply making up transactions. It had the same remedy: the financial institution corrects their bug at their cost.
“Unauthorized electronic fund transfer” means an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.
Reg E provided for two caps on consumer liability for unauthorized electronic fund transfer: $50 in the case of timely notice to the financial institution, as sort of a deductible (Congress didn’t want to encourage moral hazard), and $500 for those customers who didn’t organize themselves sufficiently. Above those thresholds, it was the bank’s problem.
Reg E also establishes some procedural rights: an obligation for institutions to investigate claims of unauthorized funds transfers (among other errors—Congress was quite aware that banks frequently made math and recordkeeping mistakes), to provisionally credit customers during those investigations, strict timelines for the financial institutions, and the presumptive burden of proof.
In this privately-administered court system, the bank is the prosecutor, the defendant, and the judge simultaneously, and the default judgment is “guilty.” It can exonerate itself only by, at its own expense and peril, producing a written record of the evidence examined. This procedural hurdle is designed to simplify review by the United States’ actual legal system, regulators, and consumer advocates.
The institution's report of the results of its investigation shall include a written explanation of the institution's findings and shall note the consumer's right to request the documents that the institution relied on in making its determination. Upon request, the institution shall promptly provide copies of the documents.
Having done informal consumer advocacy for people with banking and debt issues for a few years, I cannot overstate the degree to which this prong of Reg E is a gift to consumer advocates. Many consumers are not impressively detail-oriented, and Reg E allows an advocate to conscript a financial institution’s Operations department to backfill the customer’s files about a transaction they do not have contemporaneous records of. In the case that the Operations department itself isn’t organized, great, at least from my perspective. Reg E says the bank just ate the loss. And indeed, several times over the years, the prototypical grandmother in Kansas received a letter from a bank vice president of consumer lending explaining that the bank was in receipt of her Reg E complaint, had credited her checking account, and considered the matter closed. It felt like a magic spell to me at the time.
Banks do not like losing money, citation hopefully unnecessary, and part of the business of banking is arranging for liability transfers. Insurance is many peoples’ paradigmatic way to understand liability transfers, but banks make minimal use of insurance in core banking services. (A bank which is robbed almost always self-insures, and the loss—averaging four figures and trending down—is so tiny that it isn’t worth specifically budgeting for.)
The liability transfer which most matters to Reg E is a contractual one, from issuing banks to card processors and from card processors to card-accepting businesses. These parties’ obligations to banks and cardholders are substantially broader than the banks’ obligations under Reg E, but the banks use a fraction of those contracts to defray a large portion of their Reg E liability.
For example, under the various brands’ card rules, an issuer must have the capability for a customer to say that a transaction which happened over plastic (or the electronic equivalent) simply didn’t meet their expectations. The issuer’s customer service representative will briefly collect facts from the customer, and then initiate an automatic process to request information from a representative of the card-accepting business. On receipt of that information, or non-receipt of it, a separate customer service representative makes a decision on the case. This mechanism is called a “chargeback” in the industry, and some banks are notorious for favoring the high-income quite-desirable customers who hold their plastic over the e.g. restaurant that the bank has no relationship with. “My eggs were undercooked” is a sufficient reason to ask for a chargeback and will result in the bank restoring your money a large percentage of the time.
In the case where the complaint is “My card was stolen and used without my knowledge”, essentially the same waterfall activates, perhaps with the internal note made that this dispute is Reg E sensitive. But mechanically it will be quite similar: bank tells processor “Customer asserts fraud”, processor tells business, business replies with a fax, bank staff reviews fax and adjudicates.
There are on the order of 5 million criminal cases in the formal U.S. legal system every year. There are more than 100 million complaints to banks, some of them alleging a simple disagreement (undercooked eggs) and very many alleging crime (fraud). It costs banks billions of dollars to adjudicate them.
The typical physical form of an adjudication is not a weeks-long trial with multiple highly-educated representatives debating in front of a more-senior finder of fact. It is a CSR clicking a button on their web app’s interface after 3 minutes of consideration, and then entire evidentiary record often fits in a tweet.
“Customer ordered from online store. Customer asserts they didn’t receive the item in six weeks. No response from store. Customer wins. Next.”, “Customer ordered from online store. Customer asserts they didn’t receive item. Store provided evidence of shipping via UPS. Customer does not have a history of fraudulent chargebacks. Customer wins. Next.”, “Customer’s bookkeeper asserts ignorance of software as a service provider charge. Business provided written statement from customer’s CEO stating chargeback filed in error by new bookkeeper. Customer wins. Next.” (I’m still annoyed by that last one, years later, but one has to understand why it is rational for the bank and, in a software company’s clearer-minded moments, rational for them to accept the risk of this given how lucrative software is.)
The funds flow in a chargeback mirrors the contractual liability waterfall: the issuing bank gets money back from a financial intermediary, who gets it back from a card processor (like Stripe, which I once worked for, and which doesn’t specifically endorse things I write in my own spaces), who will attempt to get it back from the card accepting business.
That word “attempt” is important. What if the business doesn’t have sufficient money to pay the aggrieved customer, or they can’t be located anymore when the system comes to collect? Reg E has a list of exceptions and those aren’t on it. The card processor then eats the loss.
The same frequently happens to cover the provisional credit mandated while the bank does its investigation, and the opposite happens in the case where the issuing bank decides that the card accepting business is in the right, and should be restored the money they charged a customer.
This high-frequency privately-funded alternative legal system has quietly ground out hundreds of millions of cases for the last half century. It is a foundation upon which commerce rests. It even exerts influence internationally, since the card brand rules essentially embed a variant of the Reg E rights for cardholders globally, and since nowhere in Reg E is there a carveout for transactions that a customer might make electronically with their U.S. financial institution while not physically located in the United States. If you are mugged and forced to withdraw money at an ATM in Caracas, Uncle Sam says your bank knows that some tiny percentage of cardholders will be mugged every year, and mandates they pay.
Zelle, operated by Early Warning Systems (owned by a consortium of large banks), is a substantially real-time electronic transfer method between U.S. bank accounts. Bank web and mobile apps have for decades supported peer to peer and customer to business transfers, via push ACH (and, less frequently, by wire), but ACH will, in standard practice, take a few days to be credited to the recipient and a few hours until it will become known to them as pending.
Zelle is substantially a blocking play, against Venmo, Cash App, and similar. Those apps captivated a large number of mostly-young users with the P2P payments, for use cases like e.g. splitting dinner, spotting a buddy $20, or collecting donations for a Christmas gift for the teacher from all the parents in a class. After attracting the users with those features, they kept them with product offerings which, in the limit, resemble bank accounts and which actually had bank accounts under the hood for at least some users.
And so the banks, fearing that real-time payment rails would not arrive in time (FedNow has been FedLater for a decade and RTP has relatively poor coverage), stood up Zelle, on the theory that this feature could be swiftly built into all the bank apps. Zelle launched in 2017.
Zelle processes enormous volumes. It crowed recently that it did $600 billion in volume in the first half of 2025. Zelle is much larger than the upstarts like Venmo (about $250 billion in annual volume) and Cash App (about $300 billion in customer inflows annually). This is not nearly in the same league as card payments (~$10 trillion annually) or ACH transfers (almost $100 trillion annually), but it is quite considerable.
All of it is essentially free to the transacting customers, unlike credit cards, which are extremely well-monetized. And there is the rub.
“Hiya, this is Susan calling from your bank. Your account has been targeted by fraudsters. I need you to initiate a Zelle payment to yourself to move it to a safe account while we conduct our investigation. Just open your mobile banking app, type the password, select Zelle from the menu, and send it to your own phone number. Thank you for your cooperation.”
Susan is lying. Her confederates have convinced at least one financial institution in the U.S. that the customer’s phone number is tied to a bank account which fraudsters control. That financial institution registered it with Zelle, so that when the victim sends money, the controlled account receives it substantially instantaneously. They will then attempt to immediately exfiltrate that money, sending it to another financial institution or a gift card or a crypto exchange, to make it difficult for investigators to find it faster than they can spend it. This process often repeats; professionals call this “layering.”
So, some days later, when the victim calls the bank and asks what happened to the money the bank was trying to secure from fraud, what does the bank tell them?
Zelle is quick to point out that only 0.02% of transactions over it have fraud reported, and they assert this compares favorably to competing payments methods. Splendid, then do the banks want to absorb on the order of $240 million a year in losses from fraudulent use of a technology they built into their own apps which is indisputably by any intellectually serious person an electronic funds access device?
Frequently in the last few years, the bank has said “Well, as Gen Z would say, that sounds like a bit of a skill issue.” And Reg E? “We never heard of it. Caveat emptor.”
To be slightly more sympathetic to the banks, they’re engaged in fine-grained decisioning on Zelle frauds, which have many mechanisms and flavor texts. They are more likely to reimburse as required in the case of account takeovers, where the criminal divines a customer’s password, pops an email address, or steals access to a phone number, and then uses it to empty a bank account. They are far less likely to reimburse where the criminal convinces the customer to operate their access device (mobile phone) in a way against their interests. Skill issue.
Why do banks aggressively look for reasons to deny claims? Elementary: there is no waterfall for Zelle. If there is a reimbursement for the user, it has to come from the bank’s balance sheet. (Zelle as originally shipped was incapable of reversing a transaction to claw back funds. That mechanism was something of an antipriority at design time, since funds subject to a clawback might be treated by receiving banks as non-settled, and the user experience banks wanted to deliver was “instantly spendable, like on Venmo.” Instantaneous funds availability exists in fundamental tension with security guarantees even if the finality gets relaxed, as Zelle’s was in 2023 under regulatory pressure.)
Banks like to pretend that the dominant fraud pattern is e.g. a “social media scam”, where an ad on Facebook or a Tiktok video leads someone to purchase sneakers with a Zelle payment from an unscrupulous individual, who doesn’t actually send the sneakers. This pattern matches more towards “well, that’s a disagreement about how your eggs were done, not a disagreement about how we operate payment rails.” Use a card and we’ll refund the eggs (via getting the restaurant to pay for them); don’t and we won’t.
So, in sum and in scaled practice at call centers, the bank wants to quickly get customers to admit their fingers were on their phone when defrauded. If so, no reimbursement.
This rationale is new and is against our standard practice, for decades. If you are defrauded via a skimming device attached to an ATM, the bank is absolutely liable, and will almost always come to the correct conclusion immediately. It would be absurdly cynical to say that you intended to transact with the skimming device and demonstrated your assent by physically dipping your card past it.
Bank recalcitrance caused the Consumer Financial Protection Bureau to sue a few large banks in late 2024. The CFPB alleged they had a pattern and practice of not paying out claims for fraud conducted over Zelle rails. The banks will tell you the same, using slightly different wording. Chase, for example, now buries in the fine print “Neither Chase nor Zelle® offers reimbursement for authorized payments you make using Zelle®, except for a limited reimbursement program that applies for certain imposter scams where you sent money with Zelle®. This reimbursement program is not required by law and may be modified or discontinued at any time.”
The defensible gloss of banks’ position on “purchase protection” is that the purchase protection that customers pay for in credit cards which makes them whole for eggs not cooked to their liking is not available for Zelle payments. Fine.
The indefensible extension is that banks aren’t liable for defrauded customers. That is a potential policy regime, chosen by the polity of many democratic nations. The United States is not one of those nations. Our citizens, through their elected representatives, made the considered choice that financial institutions would need to provide extraordinary levels of safety in electronic payments. In reliance upon that regime, the people of the United States transacted many trillions of dollars over payment rails, which was and is very lucrative for all considered.
The CFPB’s lawsuit was dropped in early 2025, as CFPB’s enforcement priorities were abruptly curtailed. (Readers interested in why might see Debanking and Debunking and Ctrl-F “wants some examples made.”) To the extent it still exists after being gutted, it is fighting for its life.
But knifing the CFPB doesn’t repeal Reg E. In theory, any bank regulator (and many other actors besides) can hold them to account for obligations under it. One of the benefits of Reg E is that the single national standard is easiest to reason about, but in the absence of it, one can easily imagine a patchwork of state-by-state consumer protection actions and/or coalitioning between state attorneys general. I will be unmoved if banks complain that this is all so complicated and they welcome regulation but it has to be a single national standard.
Having for the moment renegotiated their Reg E obligations by asserting they don’t exist, and mostly getting away with it, some banks might attempt to feel their oats a bit and assert that customers bear fraud risks more generally.
For example, in my hometown of Chicago, there has been a recent spate of tap-to-pay donation fraud. The fraudster gets a processing account, in their own name or that of a confederate/dupe, to collect donations for a local charitable cause. (This is not in itself improper; the financial industry understands that the parent in charge of a church bake sale will not necessarily be able to show paperwork to that effect before the cookies go stale.) Bad actors purporting to be informal charities accost Chicagoans on the street and ask for a donation via tap-to-pay, but the actual charged donation was absurdly larger than what the donor expected to donate; $4,000 versus $10, for example. The bad actor then exits the scene quickly.
(A donor who discovers the fraud in the moment is then confronted with the unfortunate reality that they are outnumbered by young men who want to rob them. This ends about as well as you’d expect. Chicago has an arrest rate far under 1% for this. A cynic might say that if you don’t kill the victim, it’s legal. I’m not quite that cynical.)
But Reg E doesn’t care about the safety of city streets, in Chicago or anywhere else. It assumes that payment instruments will continue to be used in an imperfect world. This case has a very clear designed outcome: customer calls bank, bank credits customer $4,000 because the customer was defrauded and therefore the “charity” lacked actual authority for the charge, bank pulls $4,000 from credit card processor, credit card processor attempts to pull $4,000 from the “charity”, card processor fails in doing so, card processor chalks it up to tuition to improve its fraud models in the future.
Except at least some banks, per the Chicago Tribune’s reporting, have adopted specious rationales to deny these claims. Some victims surrender physical control of their device, and banks argue that that means they authorized the transaction. Some banks asserted the manufactured-out-of-their-hindquarters rationale that Reg E only triggers when there is a physical receipt. (This inverts the Act’s responsibility graph, where banks were required to provide physical hardcopy receipts to avoid an accountability sink swallowing customer funds.)
Banks will often come to their senses after being contacted by the Chicago Tribune or someone with social power and gravitas who knows how to cite Reg E. But it is designed to work even for less sophisticated customers who don’t know the legislative history of the state machine. They just have to know “Call your bank if you have a problem.”
That should work and we are diminished if it doesn’t.
With a limited number of carveouts (e.g. wire transfers), Reg E is intentionally drafted to be future-proof against changes in how Americans transact. This is why, when banks argue that some new payments rail is exempt because it is “different,” the correct legal response is usually some variation of: doesn’t matter—that’s Reg E.
Our friends in crypto generally believe that Reg E is one star in the constellation of regulations that they’re not subject to. They created Schrödinger’s financial infrastructure, which is the future of finance in the boardroom and just some geeks playing with an open source project once grandma gets defrauded. There is an unresolved tension in saying “Traditional institutions like Visa are adopting stablecoins” and in the see-no-evil reimburse-no-losses attitude issuers and others in the industry take towards fraud which goes over their rails.
Reg E doesn’t have an exception in its text for electronic funds transfers which happen over slow databases.
A hypothetical future CFPB, given the long-standing premise that fraud is not an acceptable outcome of consumer payment systems, would swiftly come to the conclusion that if it walks like a checking account, quacks like a checking account, and is marketed as an alternative to checking accounts, then it is almost certainly within Reg E scope.
Casting one’s eyes across the fintech landscape, many players seem to have checking account envy. In the era of the “financial superapp” where everyone wants to bolt on high-frequency use cases like payments to e.g. AUM gathering machines like brokerage accounts, that is worth a quick chat with Legal before you start getting the letters from Kansan grandmas.
[0] The first “credit cards” were not the plastic-with-a-magstripe form factor which came to dominate but rather “charge plates.” They were physical tokens which pointed at a record at e.g. a department store’s internal accounts, usually by means of an embossed account number, to be read by the Mk 0 human eyeball and, later, physically copied to a paper record via ink. Many were metal and designed to be kept around a key ring. As Matt Levine and many others have mentioned, the crypto community has speedrun hundreds of years of financial history, and keeping your account identifier on etched metal enjoyed a short renaissance recently. Unlike the department stores’ bookkeepers, crypto enthusiasts lost many millions of dollars of customer funds by misplacing their metal (see page 20 particularly).
[1] Market research in the 1950s was hard. Short version of the Fresno drop: they lost money due to abuse by a small segment of users, but successfully proved that the middle class would happily use plastic to transact if they were offered it and it was generally accepted by businesses as opposed to being tied to a single store. They then scaled the 60,000 card pilot to millions within a year. Visa is the corporate descendant of that program; Mastercard that of what competitors did in response.
2025-12-20 04:45:06
Programming note: Merry Christmas! There will likely be another Bits about Money after the holiday but before New Year.
Bits about Money is supported by our readers. If your education budget or business can underwrite the coming year of public goods in financial-infrastructure education, commentary, and policy analysis, please consider supporting it. I’m told this is particularly helpful for policymakers and others who cannot easily expense a subscription, and who benefit from all issues remaining publicly available with no paywall.
The American Association of Retired People (AARP, an advocacy non-profit for older adults) has paid for ads on podcasts I listen to. The ad made a claim which felt raspberry-worthy (in service of an important public service announcement), which they repeat in writing: Asking to be paid by gift card is always a scam.
Of course it isn’t. Gift cards are a payments rail, and an enormous business independently of being a payments rail. Hundreds of firms will indeed ask you to pay them on gift cards! They also exist, and are marketed, explicitly to do the thing that the AARP implicitly asserts no business or government entity will ever do: provide a method for transacting for people who do not have a banked method of transacting. [0]
Gift card scams are also enormous. The FBI’s Internet Crime Complaint Center received $16.6 billion in reports in 2024 across several payment methods; this is just for those consumers who bothered reporting it, in spite of the extremely real received wisdom that reporting is unlikely to improve one’s direct situation.
The flavor texts of scams vary wildly, but in substance they’ll attempt to convince someone, often someone socially vulnerable, to part with sometimes very large sums of money by buying gift cards and conveying card information (card number and PIN number, both printed on the card) to the scammer. The scammer will then use the fraud supply chain, generally to swap the value on the card to another actor in return for value unconnected to the card. This can be delivered in many ways: cash, crypto, products and services in the scamming economy (such as purloined credit cards or even “lead lists” of vulnerable people to run more scams on), or laundered funds within regulated financial institutions which obscure the link between the crime and the funds (layering, in the parlance of AML professionals). A huge portion of running a gift card marketplace is trying to prevent yourself from being exploited or made into an instrumentality in exploiting others.
It surprises many people to learn that the United States aggressively defends customers from fraud over some payment methods, via a liability transfer to their financial institution, which transfers it to intermediaries, who largely transfer it to payment-accepting businesses. Many people think the U.S. can’t make large, effective, pro-consumer regulatory regimes. They are straightforwardly wrong… some of the time.
But the AARP, the FBI, and your friendly local payments nerd will all tell you that if you’re abused on your debit card you are quite likely to be made whole, and if you’re abused via purchasing gift cards, it is unlikely any deep pockets will cover for you. The difference in treatment is partially regulatory carveouts, partially organized political pressure, and partly a side effect of an accountability sink specific to the industrial organization of gift cards.
There exists an ecosystem of gift card program managers, who are essentially financial services businesses with a sideline in software. (I should probably mention that I previously worked for and am currently an advisor to Stripe, whose self conception would not be precisely that, but which a) supports many ways for people to pay money for things and b) does not necessarily endorse what I say in my personal spaces.)
Why does the program manager exist? Why not simply have the retailer keep some internal database of who the retailer owes money to, updating this when someone buys or loads a gift card and when they spend the balance at the store? Because this implies many capabilities that retailers do not necessarily have, such as e.g. software development teams.
There is also a large regulatory component to running a gift card program, despite gift cards’ relatively lax regulatory drag (we’ll return to that in a moment). Card programs are regulated at both the federal and state levels. One frequent requirement in several states is escheatment. (Essentially all states have a requirement for escheatment; many but not all exempt gift cards from it.)
As discussed previously in Bits about Money, a major component of the gift card business model is abandonment (“breakage”). Consumer advocates felt this was unfair to consumers, bordering on fraudulent really. They convinced states to take the money that retailers were keeping for themselves. (Many states didn’t take all that much convincing.)
In theory, and sometimes even in practice, a consumer can convince a state treasurer’s office of unclaimed property (e.g. Illinois’) that the $24.37 that Target remitted as part of its quarterly escheatment payment for an unused gift card 13 years ago was actually theirs. A consumer who succeeds at this, which is neither easy nor particularly inexpensive to do, will receive a $24.37 check in the mail. The state keeps the interest income; call it a fee for service. It also keeps the interest income of the tens of billions of dollars of accumulated unclaimed property, which it generally promises to dutifully custody awaiting a legitimate claim for as long as the United States shall exist.
And so if you are a regional or national retailer who wants to offer gift cards, you have a choice. You can dedicate a team of internal lawyers and operations specialists to understanding both what the laws of the several states require with respect to gift cards, which are a tiny portion of your total operations, not merely today but as a result of the next legislative session in Honolulu, because you absolutely must order the software written to calculate the payment to remit accurately several quarters in advance of the legal requirement becoming effective. Or you can make the much more common choice, and outsource this to a specialist.
That specialist, the gift card program manager, will sell you a Solution™ which integrates across all the surfaces you need: your point-of-sale systems, your website, your accounting software, the 1-800 number and website for customers to check balances, ongoing escheatment calculation and remittance, cash flow management, carefully titrated amounts of attention to other legal obligations like AML compliance, etc. Two representative examples: Blackhawk Network and InComm Payments. You’ve likely never heard of them, even if you have their product on your person right now. Their real customer has the title Director of Payments at e.g. a Fortune 500 company.
And here begins the accountability sink: by standard practice and contract, when an unsophisticated customer is abused by being asked to buy a BigCo gift card, BigCo will say, truthfully and unhelpfully, that BigCo does not issue BigCo gift cards. It sells them. It accepts them. But it does not issue them. Your princess is in another castle.
BigCo may very well have a large, well-staffed fraud department. But, not due to any sort of malfeasance whatsoever, that fraud department may consider BigCo gift cards entirely out of their own scope. They physically cannot access the database with the cards. Their security teams, sensitive that gift card numbers are dangerous to keep lying around, very likely made it impossible for anyone at BigCo to reconstruct what happened to a particular gift card between checkout and most recent use. “Your privacy is important to us!” they will say, and they are not cynically invoking it in this case.
As mentioned above, Regulation E is the primary driver for the private enforcement edifice that makes scarily smart professionals (and their attached balance sheets) swing into action on behalf of consumers. Reg E has a carveout for certain prepaid payments. Per most recent guidance, that includes prepaid gift cards, gift certificates, and similar.
And so, if you call your bank and say, “I was defrauded! Someone called me and pretended to be the IRS, and I read them my debit card number, and now I’ve lost money,” the state machine obligates the financial institution to have the customer service representative click a very prominent button on their interface. This will restore your funds very quickly and have some side effects you probably care about much less keenly. One of those is an “investigation,” which is not really an investigation in the commanding majority of cases.
And if you call the program manager and say, “I was defrauded! Someone called me and pretended to be the IRS, and I read them a gift card number, and now I’ve lost money,” there is… no state machine. There is no legal requirement to respond with alacrity, no statutorily imposed deadline, no button for a CS rep to push, and no investigation to launch. You will likely be told by a low-paid employee that this is unfortunate and that you should file a police report. The dominant reason for this is that suggesting a concrete action to you gets you off the phone faster, and the call center aggressively minimizes time to resolution of calls and recidivism, where you call back because your problem is not solved. Filing a police report will, in most cases, not restore your money—but if it causes you not to call the 1-800 number again, then from the card program manager’s perspective this issue has been closed successfully.
The people of the United States, through their elected representatives and the civil servants who labor on their behalf, intentionally exempt gift cards from the Reg E regime in the interest of facilitating commerce.
It is the ordinary and appropriate work of a democracy to include input from citizens in the rulemaking process. The Retail Industry Leaders Association participated, explaining to FinCEN that it would be quite burdensome for retailers to fall into KYC scope, etc etc. Many other lobbyists and industry associations made directionally similar comments.
The Financial Crimes Enforcement Network, for example, has an explicit carveout in its regulations: while FinCEN will aggressively police rogue bodegas, it has no interest in you if you sell closed-loop gift cards of less than $2,000 face value. This is explicitly to balance the state’s interest in law enforcement against, quote, preserving innovation and the many legitimate uses and societal benefits offered by prepaid access, endquote.
FinCEN’s rules clarify that higher-value activity—such as selling more than $10,000 in gift cards to a single individual in a day—brings sellers back into scope. Given the relatively lax enforcement environment for selling a $500 gift card, you very likely might not build out systems which will successfully track customer identities and determine that the same customer has purchased twenty-one $500 gift cards in three transactions. That likely doesn’t rate as a hugely important priority for Q3.
And so the fraud supply chain comes to learn which firms haven’t done that investment, and preferentially suggests those gift cards to their launderers, mules, brick movers, and scam victims.
And that’s why the AARP tells fibs about gift cards: we have, with largely positive intentions and for good reasons, exposed them to less regulation than most formal payment systems in the United States received. That decision has a cost. Grandma sometimes pays it.
[0] Indeed, there are entire companies which exist to turn gift cards into an alternate financial services platform, explicitly to give unbanked and underbanked customers a payments rail. Paysafe, for example, is a publicly traded company with thousands of employees, the constellation of regulatory supervision you’d expect, and a subsidiary Openbucks which is designed to give businesses the ability to embed Pay Us With A Cash Voucher in their websites/invoices/telephone collection workflows. This is exactly the behavior that “never happens from a legitimate business” except when it does by the tens of billions of dollars.
As Bits about Money has frequently observed, people who write professionally about money—including professional advocates for financially vulnerable populations—often misunderstand alternative financial services, largely because those services are designed to serve a social class that professionals themselves do not belong to, rarely interact with directly, and do not habitually ask how they pay rent, utilities, or phone bills.
2025-12-06 05:16:46
Programming note: Bits about Money is supported by our readers. I generally forecast about one issue a month, and haven't kept that pace that this year. As a result, I'm working on about 3-4 for December.
Much financial innovation is in the ultimate service of the real economy. Then, we have our friends in crypto, who occasionally do intellectually interesting things which do not have a locus in the real economy. One of those things is perpetual futures (hereafter, perps), which I find fascinating and worthy of study, the same way that a virologist just loves geeking out about furin cleavage sites.
You may have read a lot about stablecoins recently. I may write about them (again; see past BAM issue) in the future, as there has in recent years been some uptake of them for payments. But it is useful to understand that a plurality of stablecoins collateralize perps. Some observers are occasionally strategic in whether they acknowledge this, but for payments use cases, it does not require a lot of stock to facilitate massive flows. And so of the $300 billion or so in stablecoins presently outstanding, about a quarter sit on exchanges. The majority of that is collateralizing perp positions.
Perps are the dominant way crypto trades, in terms of volume. (It bounces around but is typically 6-8 times larger than spot.) This is similar to most traditional markets: where derivatives are available, derivative volume swamps spot volume. The degree to which depends on the market, Schelling points, user culture, and similar. For example, in India, most retail investing in equity is actually through derivatives; this is not true of the U.S. In the U.S., most retail equity exposure is through the spot market, directly holding stocks or indirectly through ETFs or mutual funds. Most trading volume of the stock indexes, however, is via derivatives.
The large crypto exchanges are primarily casinos, who use the crypto markets as a source of numbers, in the same way a traditional casino might use a roulette wheel or set of dice. The function of a casino is for a patron to enter it with money and, statistically speaking, exit it with less. Physical casinos are often huge capital investments with large ongoing costs, including the return on that speculative capital. If they could choose to be less capital intensive, they would do so, but they are partially constrained by market forces and partially by regulation.
A crypto exchange is also capital intensive, not because the website or API took much investment (relatively low, by the standards of financial software) and not because they have a physical plant, but because trust is expensive. Bettors, and the more sophisticated market makers, who are the primary source of action for bettors, need to trust that the casino will actually be able to pay out winnings. That means the casino needs to keep assets (generally, mostly crypto, but including a smattering of cash for those casinos which are anomalously well-regarded by the financial industry) on hand exceeding customer account balances.
Those assets are… sitting there, doing nothing productive. And there is an implicit cost of capital associated with them, whether nominal (and borne by a gambler) or material (and borne by a sophisticated market making firm, crypto exchange, or the crypto exchange’s affiliate which trades against customers [0]).
Perpetual futures exist to provide the risk gamblers seek while decreasing the total capital requirement (shared by the exchange and market makers) to profitably run the enterprise.
In the commodities futures markets, you can contract to either buy or sell some standardized, valuable thing at a defined time in the future. The overwhelming majority of contracts do not result in taking delivery; they’re cancelled by an offsetting contract before that specified date.
Given that speculation and hedging are such core use cases for futures, the financial industry introduced a refinement: cash-settled futures. Now there is a reference price for the valuable thing, with a great deal of intellectual effort put into making that reference price robust and fair (not always successfully). Instead of someone notionally taking physical delivery of pork bellies or barrels of oil, people who are net short the future pay people who are net long the future on delivery day. (The mechanisms of this clearing are fascinating but outside today’s scope.)
Back in the early nineties economist Robert Shiller proposed a refinement to cash settled futures: if you don’t actually want pork bellies or oil barrels for consumption in April, and we accept that almost no futures participants actually do, why bother closing out the contracts in April? Why fragment the liquidity for contracts between April, May, June, etc? Just keep the market going perpetually.
This achieved its first widespread popular use in crypto (Bitmex is generally credited as being the popularizer), and hereafter we’ll describe the standard crypto implementation. There are, of course, variations available.
Instead of all of a particular futures vintage settling on the same day, perps settle multiple times a day for a particular market on a particular exchange. The mechanism for this is the funding rate. At a high level: winners get paid by losers every e.g. 4 hours and then the game continues, unless you’ve been blown out due to becoming overleveraged or for other reasons (discussed in a moment).
Consider a toy example: a retail user buys 0.1 Bitcoin via a perp. The price on their screen, which they understand to be for Bitcoin, might be $86,000 each, and so they might pay $8,600 cash. Should the price rise to $90,000 before the next settlement, they will get +/- $400 of winnings credited to their account, and their account will continue to reflect exposure to 0.1 units of Bitcoin via the perp. They might choose to sell their future at this point (or any other). They’ll have paid one commission (and a spread) to buy, one (of each) to sell, and perhaps they’ll leave the casino with their winnings, or perhaps they’ll play another game.
Where did the money come from? Someone else was symmetrically short exposure to Bitcoin via a perp. It is, with some very important caveats incoming, a closed system: since no good or service is being produced except the speculation, winning money means someone else lost.
One fun wrinkle for funding rates: some exchanges cap the amount the rate can be for a single settlement period. This is similar in intent to traditional markets’ usage of circuit breakers: designed to automatically blunt out-of-control feedback loops. It is dissimilar in that it cannot actually break circuits: changes to funding rate can delay realization of losses but can’t prevent them, since they don’t prevent the realization of symmetrical gains.
Perp funding rates also embed an interest rate component. This might get quoted as 3 bps a day, or 1 bps every eight hours, or similar. However, because of the impact of leverage, gamblers are paying more than you might expect: at 10X leverage that’s 30 bps a day. Consumer finance legislation standardizes borrowing costs as APR rather than basis points per day so that an unscrupulous lender can’t bury a 200% APR in the fine print.
Prices for perps do not, as a fact of nature, exactly match the underlying. That is a feature for some users.
In general, when the market is exuberant, the perp will trade above spot (the underlying market). To close the gap, a sophisticated market participant should do the basis trade: make offsetting trades in perps and spot (short the perp and buy spot, here, in equal size). Because the funding rate is set against a reference price for the underlying, longs will be paying shorts more (as a percentage of the perp’s current market price). For some of them, that’s fine: the price of gambling went up, oh well. For others, that’s a market incentive to close out the long position, which involves selling it, which will decrease the price at the margin (in the direction of spot).
The market maker can wait for price convergence; if it happens, they can close the trade at a profit, while having been paid to maintain the trade. If the perp continues to trade rich, they can just continue getting the increased funding cost. To the extent this is higher than their own cost of capital, this can be extremely lucrative.
Flip the polarities of these to understand the other direction.
The basis trade, classically executed, is delta neutral: one isn’t exposed to the underlying itself. You don’t need any belief in Bitcoin’s future adoption story, fundamentals, market sentiment, halvings, none of that. You’re getting paid to provide the gambling environment, including a really important feature: the perp price needs to stay reasonably close to the spot price, close enough to continue attracting people who want to gamble. You are also renting access to your capital for leverage.
You are also underwriting the exchange: if they blow up, your collateral becoming a claim against the bankruptcy estate is the happy scenario. (As one motivating example: Galois Capital, a crypto hedge fund doing basis trades, had ~40% of its assets on FTX when it went down. They then wound down the fund, selling the bankruptcy claim for 16 cents on the dollar.)
Recall that the market can’t function without a system of trust saying that someone is good for it if a bettor wins. Here, the market maker is good for it, via the collateral it kept on the exchange.
Many market makers function across many different crypto exchanges. This is one reason they’re so interested in capital efficiency: fully collateralizing all potential positions they could take across the universe of venues they trade on would be prohibitively capital intensive, and if they do not pre-deploy capital, they miss profitable trading opportunities. [1]
Gamblers like risk; it amps up the fun. Since one has many casinos to choose from in crypto, the ones which only “regular” exposure to Bitcoin (via spot or perps) would be offering a less-fun product for many users than the ones which offer leverage. How much leverage? More leverage is always the answer to that question, until predictable consequences start happening.
In a standard U.S. brokerage account, Regulation T has, for almost 100 years now, set maximum leverage limits (by setting minimums for margins). These are 2X at position opening time and 4X “maintenance” (before one closes out the position). Your brokerage would be obligated to forcibly close your position if volatility causes you to exceed those limits.
As a simplified example, if you have $50k of cash, you’d be allowed to buy $100k of stock. You now have $50k of equity and a $50k loan: 2x leverage. Should the value of that stock decline to about $67k, you still owe the $50k loan, and so only have $17k remaining equity. You’re now on the precipice of being 4X leveraged, and should expect a margin call very soon, if your broker hasn’t “blown you out of the trade” already.
What part of that is relevant to crypto? For the moment, just focus on that number: 4X.
Perps are offered at 1X (non-levered exposure). But they’re routinely offered at 20X, 50X, and 100X. SBF, during his press tour / regulatory blitz about being a responsible financial magnate fleecing the customers in an orderly fashion, voluntarily self-limited FTX to 20X.
One reason perps are structurally better for exchanges and market makers is that they simplify the business of blowing out leveraged traders. The exact mechanics depend on the exchange, the amount, etc, but generally speaking you can either force the customer to enter a closing trade or you can assign their position to someone willing to bear the risk in return for a discount.
Blowing out losing traders is lucrative for exchanges except when it catastrophically isn’t. It is a priced service in many places. The price is quoted to be low (“a nominal fee of 0.5%” is one way Binance describes it) but, since it is calculated from the amount at risk, it can be a large portion of the money lost. If the account’s negative balance is less than the liquidation fee, wonderful, thanks for playing and the exchange / “the insurance fund” keeps the rest, as a tip.
In the case where the amount an account is negative by is more than the fee, that “insurance fund” can choose to pay the winners on behalf of the liquidated user, at management’s discretion. Management will usually decide to do this, because a casino with a reputation for not paying winners will not long remain a casino.
But tail risk is a real thing. The capital efficiency has a price: there physically does not exist enough money in the system to pay all winners given sufficiently dramatic price moves. Forced liquidations happen. Sophisticated participants withdraw liquidity (for reasons we’ll soon discuss) or the exchange becomes overwhelmed technically / operationally. The forced liquidations eat through the diminished / unreplenished liquidity in the book, and the magnitude of the move increases.
Then crypto gets reminded about automatic deleveraging (ADL), a detail to perp contracts that few participants understand.
(Pray we do not alter them further.)
Risk in perps has to be symmetric: if (accounting for leverage) there are 100,000 units of Somecoin exposure long, then there are 100,000 units of Somecoin exposure short. This does not imply that the shorts or longs are sufficiently capitalized to actually pay for all the exposure in all instances.
In cases where management deems paying winners from the insurance fund would be too costly and/or impossible, they automatically deleverage some winners. In theory, there is a published process for doing this, because it would be confidence-costing to ADL non-affiliated accounts but pay out affiliated accounts, one’s friends or particularly important counterparties, etc. In theory.
In theory, one likely ADLs accounts which were quite levered before ones which were less levered, and one ADLs accounts which had high profits before ones with lower profits. In theory. [2]
So perhaps you understood, prior to a 20% move, that you were 4X leveraged. You just earned 80%, right? Ah, except you were only 2X leveraged, so you earned 40%. Why were you retroactively only 2X? That’s what automatic deleveraging means. Why couldn’t you get the other 40% you feel entitled to? Because the collective group of losers doesn’t have enough to pay you your winnings and the insurance fund was insufficient or deemed insufficient by management.
ADL is particularly painful for sophisticated market participants doing e.g. a basis trade, because they thought e.g. they were 100 units short via perps and 100 units long somewhere else via spot. If it turns out they were actually 50 units short via perps, but 100 units long, their net exposure is +50 units, and they have very possibly just gotten absolutely shellacked.
In theory, this can happen to the upside or the downside. In practice in crypto, this seems to usually happen after sharp decreases in prices, not sharp increases. For example, October 2025 saw widespread ADLing as (more than) $19 billion of liquidations happened, across a variety of assets. Alameda’s CEO Caroline Ellison testified that they lost over $100 million during the collapse of Terra’s stablecoin in 2022, but since FTX’s insurance fund was made up; when leveraged traders lost money, their positions were frequently taken up by Alameda. That was quite lucrative much of the time, but catastrophically expensive during e.g. the Terra blowup. Alameda was a good loser and paid the winners, though: with other customers’ assets that they “borrowed.”
In the traditional markets, if one’s brokerage deems one’s assets are unlikely to be able to cover the margin loan from the brokerage one has used, one’s brokerage will issue a margin call. Historically that gave one a relatively short period (typically, a few days) to post additional collateral, either by moving in cash, by transferring assets from another brokerage, or by experiencing appreciation in the value of one’s assets. Brokerages have the option, and in some cases the requirement, to manage risk after or during a margin call by forcing trades on behalf of the customer to close positions.
It sometimes surprises crypto natives that, in the case where one’s brokerage account goes negative and all assets are sold, with a negative remaining balance, the traditional markets largely still expect you to pay that balance. This contrasts with crypto, where the market expectation for many years was that the customer was Daffy Duck with a gmail address and a pseudonymous set of numbered accounts recorded on a blockchain, and dunning them was a waste of time. Crypto exchanges have mostly, in the intervening years, either stepped up their game regarding KYC or pretended to do so, but the market expectation is still that a defaulting user will basically never successfully recover. (Note that the legal obligation to pay is not coextensive with users actually paying. The retail speculators with $25,000 of capital that the pattern day trade rules are worried about will often not have $5,000 to cover a deficiency. On the other end of the scale, when a hedge fund blows up, the fund entity is wiped out, but its limited partners—pension funds, endowments, family offices—are not on the hook to the prime broker, and nobody expects the general partner to start selling their house to make up the difference.)
So who bears the loss when the customer doesn’t, can’t, or won’t? The waterfall depends on market, product type, and geography, but as a sketch: brokerages bear the loss first, out of their own capital. They’re generally required to keep a reserve for this purpose.
A brokerage will, in the ordinary course of business, have obligations to other parties which would be endangered if they were catastrophically mismanaged and could not successfully manage risk during a downturn. (It’s been known to happen, and even can be associated with assets rather than liabilities.) In this case, most of those counterparties are partially insulated by structures designed to insure the peer group. These include e.g. clearing pools, guaranty funds capitalized by the member firms of a clearinghouse, the clearinghouse’s own capital, and perhaps mutualized insurance pools. That is the rough ordering of the waterfall, which varies depending geography/product/market.
One can imagine a true catastrophe which burns through each of those layers of protection, and in that case, the clearinghouse might be forced to assess members or allocate losses across survivors. That would be a very, very bad day, but contracts exist to be followed on very bad days.
One commonality with crypto, though: this system is also not fully capitalized against all possible events at all times. Unlike crypto, which for contingent reasons pays some lip service to being averse to credit even as it embraces leveraged trading, the traditional industry relies extensively on underwriting risk of various participants.
Many crypto advocates believe that they have something which the traditional finance industry desperately needs. Perps are crypto’s most popular and lucrative product, but they probably won’t be adopted materially in traditional markets.
Existing derivatives products already work reasonably well at solving the cost of capital issue. Liquidations are not the business model of traditional brokerages. And learning, on a day when markets are 20% down, that you might be hedged or you might be bankrupt, is not a prospect which fills traditional finance professionals with the warm fuzzies.
And now you understand the crypto markets a bit better.
[0] Brokers trading with their own customers can happen in the ordinary course of business, but has been progressively discouraged in traditional finance, as it enables frontrunning.
Frontrunning, while it is understood in the popular parlance to mean “trading before someone else can trade” and often brought up in discussions of high frequency trading using very fast computers, does not historically mean that. It historically describes a single abusive practice: a broker could basically use the slowness of traditional financial IT systems to give conditional post-facto treatment to customer orders, taking the other side of them (if profitable) or not (if not). Frontrunning basically disappeared because customers now get order confirms almost instantly by computer not at end of day via a phone call. The confirm has the price the trade executed at on it.
In classic frontrunning, you sent the customer’s order to the market (at some price X), waited a bit, and then observed a later price Y. If Y was worse for the customer than X, well, them’s the breaks on Wall Street. If Y was better, you congratulated the customer on their investing acumen, and informed them that they had successfully transacted at Z, a price of your choosing between X and Y. You then fraudulently inserted a recorded transaction between the customer and yourself earlier in the day, at price Z, and assigned the transaction which happened at X to your own account, not to the customer’s account.
Frontrunning was a lucrative scam while it lasted, because (effectively) the customer takes 100% of the risk of the trade but the broker gets any percentage they want of the first day’s profits. This is potentially so lucrative that smart money (and some investors in his funds!) thought Madoff was doing it, thus generating the better-than-market stable returns for over a decade through malfeasance. Of frontrunning Madoff was entirely innocent.
Some more principled crypto participants have attempted to discourage exchanges from trading with their own customers. They have mostly been unsuccessful: Merit Peak Limited is Binance’s captive entity which does this. It also is occasionally described by U.S. federal agencies as running a sideline in money laundering, Alameda Research was FTX’s affiliated trading fund. Their management was criminally convicted of money laundering. etc, etc.
One of the reasons this behavior is so adaptive is because the billions of dollars sloshing around can be described to banks as “proprietary trading” and “running an OTC desk”, and an inattentive bank (like, say, Silvergate, as recounted here) might miss the customer fund flows they would have been formally unwilling to facilitate. This is a useful feature for sophisticated crypto participants, and so some of them do not draw attention to the elephant in the room, even though it is averse to their interests.
[1] Not all crypto trades are pre-funded. Crypto OTC transactions sometimes settle on T+1, with the OTC desk essentially extending credit in the fashion that a prime broker would in traditional markets. But most transactions on exchanges have to be paid immediately in cash already at the venue. This is very different from traditional equity market structure, where venues don’t typically receive funds flow at all, and settling/clearing happens after the fact, generally by a day or two.
[2] I note, for the benefit of readers of footnote 0, that there is often a substantial gap between the time when market dislocation happens and when a trader is informed they were ADLed. The implications of this are left as an exercise to the reader.
2025-10-11 01:24:13
The ultimate goal of financial plumbing is to enable commerce in the real economy. Consider the humble window: it is a fairly expensive, surprisingly high-tech manufactured good, installed by the dozen in homes by artisans. A window represents a supply chain, and one part of that supply chain is a sales process, convincing a homeowner of the desirability of updating their windows. The sales representative running that process would urgently prefer to leave their single visit to the home with not just tentative measurements but with a durable commitment to buying the window and financing firmly in place for it.
Why finance the purchase? Windows cost $1,000 to $3,000 each and updating all or a large fraction of them quickly becomes a mid-five figures project; relatively few homeowners will pay upfront with cash. Moreover, the sales process would strongly prefer the purchase be financeable, because that will sell more windows than a counterfactual world where windows were only available for cash.
One could imagine a world in which window manufacturers or installers provided financing off of their own balance sheets. This would be a rough world for them: they have upfront capital outlay (the window) and would recoup only after extended periods, bearing credit risk all the while. No, they would prefer to sell windows for money. It’s frequently delivered in milestone payments, perhaps half prior to manufacturing the windows and half upon successful installation.
You could imagine the buyer could bring their own financing, perhaps by going to their usual bank and asking for a home improvement loan. That product very much exists, but it might be surprisingly less attractive to all parties: it will be costly, low margin for the bank, and have poor operational dynamics for the window company. And so you could imagine the window company asking the financial industry to come up with an alternative.
That alternative exists, and can underwrite and paperwork a four-party commercial loan in fifteen minutes, before the salesman has even left their home visit that sold the window. We’ll return to it in a moment.
Again, very many banks do actually make home improvement loans available. But they’re not wonderful loans for the banks.
We’ll begin with the somewhat awkward dollar amount: a home improvement loan is enough money to hurt if it goes bad, but not enough money to justify a high-volume well-oiled machine to underwrite, not like e.g. mortgages. And indeed that is what many banks will immediately try to sell you if you ask for a loan for the purpose of home improvement: can we instead counterpropose a home equity line of credit (HELOC)? You can then borrow against your existing home equity, withdrawing cash, and we have no objection to you swapping cash for a window, a decision we need hear no more about. We have a supply chain for mortgages, including HELOCs, and this supply chain will decrease our capital requirements while smoothing every part of underwriting.
Why does the bank want to take the window out of the window purchase? Because a home improvement loan otherwise requires multiple operationally intensive document reviews and conversations where bankers talk to construction company office managers. Those conversations are frequently unhappy ones.
Consider the case where a construction project flies off the rails, which has been known to happen. The window company says it has installed the windows, and potentially they have a certificate proving that they were indeed installed, allegedly signed by the homeowner or their spouse on the date of installation. The homeowner, however, is unhappy with the windows: they are drafty; the color isn’t the same as the brochure; and goodness was this what they agreed to pay e.g. $25,000 for?! They don’t want to pay it anymore.
The bank must be the adult in this scenario, to release that second milestone payment. They very possibly could be drawn into litigation over their decision, because a few tens of thousands of dollars is just enough to justify calling a lawyer. Then the bank will have to have their own lawyers defend their own contracts in an expensive proposition over what is, to it, a small-dollar loan.
It’s not nearly this hard to generate $25,000 of balances with a credit card issuing business. You mail out the cards and people buy airplane tickets. And then the airline pays you 200 basis points off the top even before you get to originate the high-interest loan! Great business to be in and you never have to talk about a stewardess spilling someone’s drink or it raining in Hawaii that week.
Meanwhile, the window installer has their own complaints about this loan, even before it is originated. Between the day the salesman shakes hands with the customer and the bank commits to the installation, they have very little they can do to influence success. The homeowner might develop buyer’s remorse and, while they might have signed a contract, it’s just rough to compel payment for windows which don’t exist yet. Your staff will not enjoy the process, your reviews will suffer, and it’s not guaranteed that your contract will hold up: in some states, your customer might even have legal right to sever during a cooling-off period. You would prefer to accelerate delivery to avoid them cooling on the idea of windows.
But the bank is slow and has a bespoke underwriting process which requires information from you but which you cannot control, because the window installer is not the bank’s customer. They can’t call the bank up and yell at the underwriters to move faster, and they can’t debate the bank over a credit decision, where a perfectly good sale gets nixed six weeks later because the bank just isn’t feeling it. Very few of those sales will result in the buyer arranging successful alternative financing, partly for very human reasons and partly for a mechanical one: the fact of the hard pull on the credit report for the original loan origination plus non-issuance of a loan from one’s home financial institution signals to the rest of the world “Oh goodness there are probably better ex-ante risks in the economy than this one!”
No, what the window installer wants is a lending product which can be issued at scale, very predictably, in as short a timeframe as possible, by financial institutions responsive to it who ask very few followup questions, always fund milestone payments promptly, and actually want this business.
That product exists.
Consumer credit issuance is, unless it comes directly from a manufacturer, a privilege reserved by law for regulated financial institutions. But, as we’ve established, regulated financial institutions don’t lust for this business on their own balance sheets at scale. (Recharacterizing the home improvement loan as a draw on a HELOC allows the bank to quickly get it off their balance sheet, because the HELOCs will generally be securitized. You could theoretically securitize a large pool of installment loans if you had a business process to generate them, but unless a bank specializes, they are unlikely to have core depositors simply ask for enough of these every year to justify building out the framework required to do this.)
Why is it reserved by law for financial institutions? As Bits about Money mentions often, financial institutions are a policy arm, and one thing the state requires is that Compliance make sure the financial institution is not abusing customers. The state believes that a e.g. window installer might use high-pressure sales tactics or say untrue things to a homeowner about how e.g. an interest-free financing period works, and then perhaps forget about those things when the customer complains. It believes, rationally, that financial institutions will keep extensive records of what they communicate about loans, that those records will be truthful by default, and that the financial institution will not endanger its permission to do business over a single product. Also, and this is a blunt but true observation, the state trusts white collar employees and executives at banks more than it trusts blue collar window installers.
So we need a bank involved, but that bank does not necessarily need to lend (from its own balance sheet). The bank could immediately sell a large portion of the loan, retaining perhaps 1% for form’s sake, to a private provider of capital.
But, again, it is unlikely that a bank will want to call around to hedge funds and see if there are any takers. Someone needs to have capital providers have a standing offer to snap at this product quickly.
That standing offer is variously called a forward funds flow agreement or warehouse financing. I’ve previously discussed the mechanics for Buy Now Pay Later (BNPL), and they’re the same here. Someone, typically a facilitator and not the bank itself, has brought the capital partners to the table, negotiated terms, and has prepared them to receive what they want: millions of dollars of loans, at attractive prices, with known-in-advance credit characteristics… originated by a massively scalable process, conducted partly by commission-earning sales reps bearing iPads into houses needing windows and partly by web applications and operational teams.
This machinery wasn’t originally perfected for windows. It was originally aimed mostly at solar installations, which were heavily tax-advantaged at the time. Capturing the tax credit required a sale and upfront capital outlay, and the pitch was essentially “Sign these loan docs for free money for all of us and, also, you’ll get some solar panels.” But the credits eventually expired, the addressable market for solar got more tapped, and the software and companies yearned for more originations. So, sign these documents, get windows at attractive prices.
The loan application begins with the customer verbally informing the salesman of their phone number or email address. They get given a link which swiftly brings them to a competently-designed web application. That application asks a few simple questions that are required for underwriting. The two most important ones that are not on a credit card application are “Is this your house?” and “Do you live in this house?” This is because the capital partners are much, much more confident that people will not welch on debts tied to their primary residence than that every real estate investor will be above water if 2008 happens again.
Questions about your finances are extremely pro-forma. You’ll be asked to self-state your income, but no attempt will be made to verify it. A credit report will be pulled, which satisfies the twin purposes of a) derisking the applicant pool and b) verifying, via checking for the presence of a mortgage, that you do actually own the house.
I ended up in a fraud queue at this point in the process. Story of my life. The facilitating company does not expose to the sales rep why you are in the fraud queue, but the clock is ticking, and the rep will (hypothetically) strongly prefer continuing to drink tea and chitchat rather than leaving and letting one resolve that issue asynchronously. It was resolved by a combination of automated submission of a passport photo (again, shockingly competent software by the historical standards of loan origination) and an analyst manually clicking a button in a web application.
If I were to speculate what that analyst was doing, it would be reviewing the facts: credit report says high credit score, credit report shows a mortgage, credit report does not match this address, but government-provided ID does match the asserted identity. And thus the wager: is he in his own house, or has he decided to pull a hilarious prank on a window installer and buy someone else windows with a hedge fund’s money? The analyst swiftly concluded I was probably in my own house. (Why did I end up in the fraud queue? I have a lot of weirdness, such as not being listed on the deed due to holding title through a land trust, for privacy reasons. Unfortunately, perhaps that sometimes makes it difficult for cron jobs to conclude I own the house.)
Once you’re approved for the loan, you are automatically sent loan documents for signature. This will not be compelled at the meeting, but the installer sure would appreciate you signing before they leave. Compliance has extensively briefed them on where the line is. Compliance has, in fact, extensively briefed them on many lines, and because Compliance cares more about the law than it does about paying programmers to code a login form, I was able to read their entire Compliance training series and presentations to installers.
Don’t lie. Don’t translate any loan docs from English or provide any gloss of the terms. Don’t say any of the forbidden phrases like “guaranteed approval”, “same-as-cash financing”, “interest-free financing”, etc. And definitely definitely do not touch their phone or computer during the application process.
The financial industry learned some things during the global financial crisis about aggressive salesmanship by its agents. Almost every bullet point in that 40 page PowerPoint has a stack of criminal convictions, billions of dollars of losses, or both to justify it.
The salesman will first quote a scary number designed to anchor you, then present the discount available if you commit within a month. They will then say there is a sweetener if and only if you sign before they leave. Compliance is very clear that if you say that in the context of acting as an agent for a financial institution it had better not be a lie, but percentages are percentages and window companies like making deals for windows, and I would not bet against the proposition that they would offer other inducements on other days for other reasons, perhaps summing to similar numbers.
They then present financing terms. I was pleasantly surprised that this was not presented in the typical obfuscating car dealer financing four square method. The real price stays onscreen on the iPad at all times and you are presented with columns for choices: pay cash (they mean immediately deliverable value, not actually specie), 12-month deferred interest financing, 15-year fixed rate financing, and pay in milestones (e.g. 50% deposit, 50% due on installation) on a credit card.
Compliance will inform representatives that you are absolutely not supposed to use the words “same as cash” and “interest-free” to describe 12 month deferred interest financing. This salaryman is unfortunately forgetful sometimes and so I cannot quite recall what the friendly local salesman actually said while pointing to the iPad. The offer is “If you fully pay for your windows within the next 12 months, you just pay the sticker price. If it takes you longer than that, you will pay us interest, starting from the date of installation, at a rate which is materially higher than the rate we quote in the next column.”
You might think, given that sketch, that the system is trying to trick naive homeowners and surprise them on day 366 with a nasty bill. I’m slightly more sympathetic. This offer is designed to be attractive to people who can bring their own financing without making the window installation dependent on that financing. If, for example, a customer does not currently have a HELOC, but is pretty sure they can get a HELOC, the window installer is saying “Great, convince any bank to give you a HELOC, then do a draw any time in the next year and repay us, and we’ll foot the interest until then. But to be clear this window is going in irrespective of your future discussions with banks. Our capital partners do not want you to attempt to skate if your financing falls through, if you get divorced, if your tax refund is smaller than expected, etc, and you will be penalized if you attempt to turn this into a backdoor installment loan.”
But the next column is where the real action is. I was quoted 6.99% APR for equal amortizing payments over 15 years. They, naturally, express this as a monthly number, but the contract floridly and in bold print (as required by regulations) discloses e.g. total interest cost over the life of the loan, the fact there is no pre-payment penalty, etc. This is as honest as consumer lending can possibly be.
You e-sign the loan documents and then the salesman thanks you for your time and arranges for another professional to come back and redundantly measure the windows. He measured for the quote, and the quote is good, but they’ll measure again because a quarter inch matters a lot more for the physical universe than it does for the spreadsheet. Then the order goes to the factory and, a few weeks later, they install the windows. You sign an acknowledgement, and then the automated software springs back into action, starting the clock on your interest and collecting payments.
Here I am going to speculate in reliance upon publicly available data sources rather than use information which I know as a result of private commercial negotiations. Window salesmen are not the only professionals who have been to Compliance training.
In the 15-minute window between the loan being applied for and signed, software has conducted a four-way commercial negotiation between the window installer, the facilitating entity, the bank, and the capital provider. The loan contract is between the customer and the bank (again, it has to be, regs) but the capital provider is a specialist institution.
There are a few banks which specialize in doing business like this. One of them is Cross River Bank, which keeps a keen eye on trends in consumer lending.
A bank which originates a loan might charge the facilitating entity an upfront fee-for-services, collect a servicing fee from the capital providers sliced out of the APR quoted to the customer, and of course retains actual economic interest in the loan… well, OK, a few hundred dollars of the loan, so that it can tell its regulators “No, really, we are lending money! It would be calumny to describe this situation as renting out a banking license!” Indicatively, that fee for services might look something like 1% of total loan volume, and the servicing fee might be 1% of the outstanding balance annually. (Mortgage servicing fees are about 0.25% but houses cost more than windows do and so you get an economy of scale. The servicing is essentially the same amount of work: you need a 1-800 number, lawyers on standby, the capability to receive checks, etc.)
So who is the capital provider and what are they getting? It will generally be a specialist fund, like say Sunlight Financial, whose name alludes to the solar business they got started in. You might naively assume “OK, 6.99% to the consumer, 1% servicing fee to the bank, so they get 5.99% APR on the loan, right?” I doubt that is the full calculation.
One reason is that loan sounds awfully cheap: the 10 year Treasury rate is currently a hair over 4%, so why would you give a consumer 15 years fixed rate financing for 6%? Even with excellent credit quality, 2% spread doesn’t sound like enough money to make a business out of this.
But: what if, like BNPLs, you could charge someone else a bit of money? Who benefits the most from this transaction? The window installer. So charge them for it. They’re clearly willing to pay something like 2.4% of the entire transaction size already, because they will happily let you buy windows with a credit card. So that’s the floor. A BNPL provider can charge Sephora something like 6% to sell lip gloss. That might be the ceiling. So can you get them to kick in… 5%? Probably.
That moves the APR as perceived by the lender to about 7.9%. (Ask Python or Excel if you don’t believe me.) It’s a bit better than this, too, because of what will happen to the fund if interest rates fall. The value of outstanding bonds increases if rates fall, but this consumer loan might get rolled into e.g. a newly cheap HELOC if rates fall. (The free no-penalty prepayment option is a fundamental challenge in mortgage finance.) So by default this is a lose-lose situation for the lender: if rates rise the value of the loan falls, if rates fall the loan very possibly gets repaid early. But with the origination fee from the installer, if rates fall and the loan is repaid early, the return on capital over the lifetime of the loan rises sharply.
If the loan is repaid after 7 years, which is approximately the average tenure in a house in the U.S., the real rate is about 8.15%. If it’s extinguished after a year, perhaps due to rates-related refinancing, about 12%.
These numbers start to sound attractive to credit funds, particularly when you have a repeatable process for generating them at 9 figure scales with independent credit quality.
As an additional wrinkle: is Sunlight the ultimate source of capital at risk? Well, if I were Sunlight, I might think of tapping the booming private credit market: borrow at a lower rate than I earn in expectation on my portfolio, collect the spread. If I were Apollo (such a natural brand to associate with sunlight, and among the world’s largest credit funds), I might buy an insurer or figure out how to get retail investors private credit exposure to fund billions of dollars to anyone who creates a loan origination engine with demonstrable credit quality.
For much more on that side of things, you should read Money Stuff or listen to Odd Lots, which cover “private credit is the new bank lending” all the time. I’m just presenting the speculative case for how private credit turns permanent capital vehicles into windows.
Compliance will tell you not to describe this as unsecured lending to the customer. I am so forgetful as to offhand comments made during sales presentations, though.
Formally, the lender does have a security interest. However, they do not want to go to the trouble of “dirtying the title” by getting a lien on the house. That can’t be done in 15 minutes. No, they only have a security interest in the window they financed.
A security interest in a car is valuable because people are quite attached to their cars and, if push comes to shove, you can repossess a car. A security interest in a house is valuable because people are quite attached to their homes and, if push comes to shove, you can foreclose on a mortgage and repossess the home. A security interest in a window is valuable because… a security interest in a window is actually not valuable.
However, by construction, the commanding majority of borrowers here have excellent credit. One factor decreasing their credit risk is that many consumers are, and this is an underwriting term of art, “judgement proof.” If you sue them for performance and a court gives you a judgement, that is worth the paper it is printed on, because they have no easily attachable assets and they might have employment in a System D fashion where garnishing their income is difficult.
A homeowner, on the other hand, always has one asset you can attach: the house, by filing a lien on it after receiving the judgement. A lien against a house is an immediately monetizable asset in the United States, because it blocks the sale of the house until it is satisfied, and there is a specialized financial ecosystem which is happy to buy that lien and then attempt collection by some combination of a) asking nicely and then in the alternative b) waiting patiently.
And so the lender’s contract is, to the extent it is concerned with credit risk, concerned with swiftly demonstrating to a court: valid contract, loan paid for windows, customer isn’t paying, issue us judgement, thank you very much, we’d like to file that judgement as a lien against coincidentally the same house. It’s only fair.
Nice new windows are better than broken ones, and the process of buying them is now painless at an attractive financing cost. They are still expensive, but homes are expensive.
Every time anyone mentions innovation in consumer lending, the same comment is made: isn’t this just the financial crisis all over again? Aren’t we stacking up billions of dollars of low-quality loans with intermediating layers of complex products like CDO-squared? Isn’t this going to blow up?
That’s an understandable point of view. But: there is an actual underwriting process here. We replaced “You write a lie on paper, no one reads it” with a computer program that never gets bored at comparing databases. The borrower is actually reasonably good credit quality, rather than a ninja (“no income, no job”; one of the subprime lending era excesses was writing NINJA loans in quantity).
If the installer successfully leans on the origination machine to lower underwriting standards and let anyone who can fog a window buy one with a smile, then the losses are largely not in the regulated banking sector and backstoppable by taxpayers. They’re mostly to sophisticated investors in credit funds, who are being paid handsomely to take that risk. The system is also self-correcting: early defaults would cause the credit funds to tighten their risk appetites and constrain originations fairly quickly, rather than encouraging refinancing to juice origination numbers, until we were all holding (to quote Margin Call) the biggest bag of odorous excrement ever assembled in the history of capitalism.
Besides, if credit quality keeps you up at night, you should be much more concerned about bog-standard commercial real estate loans.
2025-08-14 07:17:05
Much of the operation of the financial industry is legible to people outside of it. Your credit card works basically like you understand it to (excepting the occasional mythmaking about second order consequences). Debates about what terms banks are allowed to offer on credit cards are fairly straightforward and can be easily followed by non-specialists.
But some issues are under the hood, and a societal debate about them doesn’t exactly wear its consequences on its sleeves. Consider the controversy over Section 1033 of the Dodd-Frank Act (and even that framing is an effective medication for insomnia).
In July, JPMorgan Chase announced its intention to charge fintechs for access to so-called Open Banking data. This comes amidst a consortium of banks trying to sue this hithertofore obscure regulation out of existence.
Almost all discussions of it center on “data”, but it’s actually a fight about payments, and whether banks have a right to monopolize and charge for all economic activity their users engage in, irrespective of whether the bank operates the payment method.
Cards on the table: I previously worked at, and am an advisor to, Stripe, a financial infrastructure company which facilitates customers’ use of both bank-sponsored (cards, etc) and competing (account-to-account, stablecoins, etc) payment methods. Stripe does not necessarily endorse what I say in my personal spaces. (I’m also a user and tiny shareholder of Chase. One presumes they also don’t endorse what I say in my personal spaces.)
The Dodd-Frank Act was passed in the wake of the 2008 financial crisis. It included a combination of needed reforms and, effectively, partial negotiated settlements for the way in which banks had reaped enormous profits originating mortgages of less-than-stellar quality then left taxpayers holding the bag once those mortgages could not be repaid.
We’ve previously discussed one of the knuckle raps: banks had their debit card interchange capped, with an exemption for small banks. (Interchange is the fee card-accepting businesses pay to transact with bank customers.) The Durbin Amendment became a major pillar of fintech companies, as it established a revenue model for them. It also became something of a lifeline for smaller financial institutions, particularly those that partnered with fintechs.
Did banks like the interchange cap? No. It made a very lucrative line of business rather less lucrative. Taxpayers had provided about $245 billion in capital to backstop banks, and they (through the ordinary operation of a representative democracy) got a post-hoc concession for it.
The interchange cap was not the only concession in the Dodd-Frank Act. Section 1033 was another one: it is designed to increase competitiveness in financial services by establishing a presumption that banks must allow users to access their own data, including through competing providers.
In the intervening years, that competition has arrived. The banks do not like it, and would prefer it if it went away.
Financial institutions offer their customers a complex bundle of services.
You might reasonably expect that Open Banking is a fight over the budgeting app space. The banks have, via the magic of account records, a large portion of the underlying data about a household’s finances. You could imagine software using Open Banking to allow it to slurp in transactions and then categorize them. That would compete against the lackluster offerings the large banks have in their apps.
But Open Banking is not actually a fight over budgeting apps. Banks don’t make money on them and the best known standalone budgeting app, Mint, was acquired for a relatively small amount of money.
Payments, on the other hand, are an enormous business. They are monetized both by banks and by a diverse ecosystem of fintech providers.
The data banks find it annoying to make Open are, principally, account numbers. This is because, due to the long shadow of checks, possession of an account number (plus the routing number, identifying the bank) is sufficient to attempt to debit a bank account. Direct account-to-account transfers, including “pulls”, are a common payment method in many countries, but they are not a large share of consumer to business payments in the United States.
Why not? One reason is that the user experience of asking someone for their account number is pretty awful. There is no way to check in real time whether an account actually exists. Credit card numbers, in addition to having infrastructure which allows you to query them in real time, are specifically formatted so that typos in them are easily catchable.
Since you can’t know whether the account exists you certainly can’t know its current balance or whether a transaction posted against it today will succeed in a few days or be reversed for insufficient funds (or another reason). This means that businesses which use account transfers as a payment method would frequently suffer credit losses if they released goods or services at the time of “payment.” For many businesses, that isn’t a worthwhile tradeoff.
So they keep using cards. Cards give much stronger (but not foolproof) real-time guarantees of funds availability and likelihood of a transaction going through successfully. The ergonomics of card acceptance, at the register, through your phone, or in a web browser, are also much more palatable to most customers.
Several fintech companies, including Stripe, realized that they could use Open Banking to make account-to-account payments something customers would actually enjoy. The user is prompted at checkout whether they’d like to pay directly from their bank account. They log into their bank account and grants the fintech read access. This is a much stronger signal of authorization than simply knowing an account number. (We print those on every check, after all, and a check is designed to be handed to a cashier or waiter you’ll never meet again.) The fintech then grabs the account number and perhaps e.g. looks up the current balance.
Then, they can pull money from the account, through an ACH debit.
The ACH debit itself is not Open Banking. It is the ordinary operation of existing payment rails in the financial system. The ACH debit was just made much more convenient by Open Banking.
Most use of Open Banking is through so-called aggregators. Plaid and Yodlee are well-known examples.
Prior to the existence of Open Banking, the aggregators (and businesses which needed the data they can make available) were largely forced to build supportability networks, bank by bank, by writing so-called screenscraping software. Screenscraping software emulates someone typing the password into a bank’s website then browses through a live bank account to extract the information needed from it. Hopefully that screenscraping software isn’t bugged, because bugs in scrapers that interface with consequential systems are terrifying.
Aggregators would then ask users to share their bank account passwords, so they could operate the bank accounts via software automation, to get the data the aggregators’ business customers were interested in. Like, say, account numbers.
This is a worse model for users and security of the banking system than Open Banking, because sharing bank account passwords leads to misuse of accounts. The flow for Open Banking, in the best implementations, redirects users to the bank site to authorize the data sharing, without forcing the user to irrevocably cough up the keys to the kingdom.
ACH debits are not new. Businesses have been able to use them for decades. You very likely use them yourself to e.g. pay recurring bills every month, like utilities, mortgage, or credit cards. ACH debits have just been very annoying to use for payments online or at cash registers, and so almost all consumer to business payments go over card rails instead.
ACH debits are almost free.
NACHA, which administers ACH, charges a per-transaction fee of 1.85 hundredths of a cent. This compares favorably to regulated debit card interchange (21 cents plus five basis points of the transaction size) and extremely favorably to Durbin-exempt debit cards or credit cards (generally about 2.X% of the transaction size plus 20-30 cents). The interchange fee is paid mostly to the card issuing banks.
Banks would strongly prefer the world not make novel payment methods that are convenient and cost accepting businesses less than cards. Banks are interested in Section 1033 because they want to continue earning interchange revenue on coffee purchases and software subscription invoices.
But payments for goods and services are not the only interesting Open Banking use case. Useful infrastructure, once it exists, tends to get incorporated into everything.
When you open a brokerage account or engage with crypto companies, you are quite likely to pass through an Open Banking flow to link your existing bank account. You’ll use your linked bank account to fund your investments and, hopefully, eventually receive your returns.
Older users might remember that this used to require asking the brokerage to make trial transactions, typically pushing two ACH payments under $1 in total and asking you to confirm the amounts. This would demonstrate that you hadn’t typoed your bank account number, that the account could actually accept transfers, and that you (presumptively) had authorized access to that account, given that you could read recent transactions at will.
Trial transactions are painful for all parties. They insert a multi-day wait into the account opening process, and many customers abandon the process during that lull. Brokerages and fintechs were overjoyed that Open Banking largely allowed them to move away from trial transactions to authorize every new account.
There are also clever uses of Open Banking to piggyback on banks as oracles. For example, how do you, a financial institution or insurance company, know that I, a particular natural person, have authority to direct Kalzumeus Software, LLC to open a new financial account? One way you could establish that is to ask me to submit a copy of the LLC’s Articles of Organization and a Certificate of Good Standing from the great state of Nevada. Then you pass those to a backoffice paralegal, who can ascertain that the Articles name me the Managing Member, and empower the Managing Member to open new financial accounts. This costs $50 to involve Nevada, and very many small businesses in America will not succeed at the task “please locate an authoritative copy of your Articles of Organization.”
A much faster way is to use an Open Banking aggregator to read a bank account statement issued to Kalzumeus Software, LLC. This allows a second financial institution to make the reasonable inference that if I habitually direct a small business’ banking, as demonstrated by being able to grant access to its accounts, then I probably direct a small business’ banking. This will save their operations team from reviewing 100 pages of boilerplate and cut down on account opening time. (This is one of the rare and underacknowledged benefits of Know Your Customer regulations. Since banks are understood to have KYC responsibilities, the bank “vouching” for you as a customer in this fashion is treated as strong evidence by others in the economy.)
So why is Open Banking in the news now? We’ve had Open Banking for almost 15 years. The competing payment products work and work well. They are lower cost to accepting businesses and easy for customers to start using. Customers are switching to them in increasing numbers. Not all of them, but enough to worry the banks into wanting to strangle the upstarts.
This has happened via a regulatory push, litigation, and ultimatums over fees.
The Consumer Financial Protection Bureau finalized its rule for Section 1033 in late 2024. As you can tell by the lag between 2010 (when the Dodd-Frank Act was passed) and 2024, it was something of an involved process.
Relevantly, the CFPB which passed this rule was the Biden administration CFPB. I try to be non-partisan in professional spaces but will need to neutrally observe how partisan players have seen the CFPB.
The CFPB was not well loved by many people in the finance industry or the fintech community. Critics alleged that the CFPB was less a federal agency and more a one-woman show, with the stars being Senator Elizabeth Warren and a ventriloquism dummy. This was unfair. The CFPB staff was actually quite intelligent in anticipating Senator Warren’s preferred positions and rulemaking to achieve them without the dreary necessity of her writing legislation or convincing Congress to vote for it.
As I mentioned last December in discussing the debanking discourse, influential supporters of the second Trump campaign, including fintech and crypto investors, wanted the CFPB’s scalp. They essentially got what they wanted. The CFPB was hollowed out early in the new administration.
In a swift and ironic turn of events, a policy promoted by the crypto industry due to their frustration with the decisions of large banks (regarding their industry’s supportability) was quickly used by large banks for commercial advantage, catching the crypto industry in the crossfire.
Prior to the election, the Bank Policy Institute, a banking industry trade group, and the Kentucky Bankers Association sued to prevent the CFPB’s rulemaking from taking effect. I think an informed person would understand that their legal arguments are pretextural. Their policy arguments, against the normative intent of Open Banking, I’ll return to below.
The CFPB initially defended the suit vigorously, but the newly hollowed out CFPB in June announced its intention to surrender.
This has caused a bit of chaos in Washington, as Section 1033 is administered by the CFPB but is part of the financial regulatory apparatus that crypto companies actually like.
Exchanges largely monetize by charging a vig on crypto purchases, and the so-called “onramp” (transfering money from the traditional financial system to the crypto ecosystem) enables the rest of their revenue (such as e.g. receiving a cut of interest earned by stablecoin issuers or staking the coins owned by customers).
Exchanges want to accomplish the onramp at the lowest possible cost, which is through ACH debits. Their desired outcome is the new user uses an aggregator to authorize a debit from their bank account. Then, the debit is very close to free, both for the first transaction and also for subsequent transactions using the same banking details. (The exchange bears a bit of credit risk, since the debit is not known to settle successfully until about two business days later and it can be reversed long after that if it was fraudulent. These issues cost Coinbase about $20 million last quarter. It dries its tears on money.)
The legal and regulatory wrangling continues. It’s difficult for me to read tea leaves from Washington in the best of times, and in the interests of avoiding partisan commentary, I’ll refrain from confidently guessing whether statements of the administration predict its future actions over multi-week timescales.
The credit card brands, which were originally created by banking consortiums, consider Open Banking data aggregators to be an existential risk to their business. They have long wanted to co-opt or kill them.
That isn’t just me saying it. Visa attempted to buy Plaid back in 2020. The argument to Visa’s board was (pg 5) that Plaid could potentially be a, quote, “existential risk” to their debit card business, which threatened a $300 to $500 million a year revenue hit. It was cheaper to take them off the table, even at $5.3 billion. Call it an insurance policy, their CEO said.
The FTC quashed the acquisition, saying it would have the anti-competitive harm of protecting the debit card business. The FTC alleged that Visa had a near monopoly in online debit transactions. (This payments geek thinks there is actually a vibrant competitive landscape there, including internationally.)
Some commentators might assume that that was one of the Commissioner Lina Khan era anti-monopoly interventions. (This enforcement environment was part of the causus belli which flipped some notable Silicon Valley personages. It’s a complicated story and not particularly well-told by the press, in part because people with a nuanced view of the situation no longer respond to press inquiries, due to journalists’ repeated defection in an iterated game.)
While I’m not a close follower of anti-trust enforcement, I do happen to know how to use a calendar, and so feel obliged to mention that the action to stop the Plaid acquisition was late during the first Trump administration.
Politics legendarily creates strange bedfellows. Crypto companies are now asking the CFPB to revive a regulation protecting a business the first Trump administration kneecapped, after which the second Trump administration hollowed out that same agency, despite campaigning against kneecapping tech and crypto—leaving the CFPB, long a sworn enemy of big banks, in Chase’s corner dismantling the crypto industry and suppressing competing payment methods, because the administration apparently thinks that’s what its backers want.
Yep, one’s head spins.
Chase is the largest bank in the U.S., maintaining checking accounts for approximately 44 million Americans, and therefore makes up a hefty chunk of total transaction volume within the financial system.
To avoid adversarially screenscraping banking apps, which is unreliable and a bit of a security hole, the better way to do Open Banking is to negotiate API access with as many banks as possible. (Companies make APIs available to let developers access data from them in a safe and controlled fashion. API access allows customers to give secure, scoped, and revocable access to their financial information. Handing over a password is not ideal for those properties.)
This will customarily require signing a contract with the bank, obligating you to e.g. not steal the money, not attempt to hack bank servers, and not abuse customers’ expectations. These are all reasonable requests, swiftly agreed to. Most of the aggregators had agreements in place with Chase, which eagerly promotes their API access to developers.
In July, Chase started sending data aggregators notices about upcoming changes to their agreements.
The typical notice between financial institutions and developers downstream about changes to contracts is something along the lines of “We updated the wording in our privacy policy.”
These notices weren’t that. Chase was altering the deal; pray that they do not alter it further.
Chase demanded payment for access to Open Banking APIs, and would cut that access if companies interfacing with them did not acquiesce. The fees demanded were enormous.
A fintech industry trade group was quoted by the Financial Times as saying:
“Across all the companies that received the notices, the cost of just accessing Chase data is somewhere from 60 per cent and in some cases well over 100 per cent of their annual revenue for the year … Just from one bank.”
Plaid was asked for $300 million, which would be 75% of their 2024 revenue. That is likely more than the wages and benefits for all of the 1,200 people who work at Plaid.
Even as someone whose perennial advice to companies was Charge More, these don’t strike me as serious proposals to put a reasonable price tag on valuable services.
The prospect of Chase monetizing Open Banking has dragged some other banks into the fray; PNC is also looking at taking a bite at the apple. The table gets crowded quickly if even a fraction of the next 4,500 banks try to join.
You can imagine some rapid back-and-forth happening between bank and fintech negotiators happening in the background. There is some reluctance in the industry to speak of that openly, partly because negotiations are delicate and partly because some fear retaliation elsewhere in their business relationships.
But, helpfully, the banks have published their arguments, directly and via their industry associations. They are not particularly persuasive.
The best one is that banks bear risk here, and want to price it. Should a bank authorize a third party to use Open Banking, that third party might use it to exfiltrate value from a bank account. Should a bank customer authorize a transaction but regret it, perhaps because it was to a scam operation, they might ask their bank to make them whole.
Banks bear this fraud risk, the same as they do when they pay out a fraudulent check, until they can recover the money by reversing the transaction. They will not always be able to successfully reverse the transaction.
This is structurally similar to banks’ obligations under Regulation E for debit cards and Regulation Z for credit card purchases. If a consumer gets abused over card rails, the bank is good for it by regulation, less a $50 deductible that the industry universally waives in the interests of their good name. Banks are quite happy with this responsibility for cards, because card issuing prints money, but Regulation E covers almost any form of electronic payment and almost any imaginable form factor of abuse. (For non-limiting examples, see the AI-sung ditty, Doesn’t Matter, That’s Reg E.)
But account-to-account payments are less like cards and more like checks. Indeed, the Automated Clearinghouse part of “ACH debit” refers to being a clearinghouse for check payments.
Banks will occasionally take fraud losses over checking accounts. They mostly can’t charge for checks directly; customers expect to write them freely and businesses expect to deposit them for, at most, a nominal fee. Certainly you’d be laughed out of the boardroom if you suggested a check fee scaling with the size of the check. That’s check cashing nonsense, and not something that regulated financial institutions or their customers expect.
Dimon, in his 2024 letter to shareholders, laments that typical retail checking accounts are a low- or negative-margin business. As an avid reader of Chase shareholder letters, I know why Chase operates that business anyhow: it’s the foundation of their relationship with households, which they largely monetize through credit card issuance, mortgage origination, and the like. It’s also operated by design to charge lower-income lower-asset consumers less and reliably increase monetization over their long relationships with the institution
The deposit franchise, which contributes a lot to the Fortress Balance Sheet™, is most valuable when it attracts retirees, small businesses, and others who keep larger balances earning 0.01% in a savings account or nothing in checking. As a cost of acquiring that business, it offers accounts to e.g. a teenager who wanted to cash the paycheck for their summer job, even though the margins on that account might be negative for the next ten years.
And so suggesting that retail checking account availability is threatened by banks’ responsibility to monitor transactions and pay out if they make mistakes in authorization is, frankly, an insult to the intelligence of anyone familiar with banking.
Checking accounts are also a public service expected by society of banks. This is in return for their lucrative monopolies on industries like e.g. consumer debt issuance and explicit and implicit taxpayer backstops of their operation. Chase is intimately familiar with those, most recently from when it cashed a $13 billion sweetener check to acquire a failed bank.
We have made enormous strides, both from the financial industry and civil society, in banking almost everyone. That should not immediately imply “and thus banks get to charge a fee on every transaction in society.”
Chase is extremely capable of shipping payment products that customers actually want to use. Witness the Chase Sapphire Reserve, which probably half of fintech VCs and management teams use to pay for dinners, to my casual observation.
When Chase can’t successfully convince a customer to use a Chase payments rail that has a Chase CSR standing by to help out at 2 AM, Chase shouldn’t charge the accepting business money. Chase should understand that Open Banking and account-to-account payments are close in character to a check: one facilitates them in the ordinary course of business, for close to free, as part of the larger package offer.
Banks additionally make the argument that Open Banking leads to screen scraping. Certainly, as a financial technologist, I would prefer high-quality APIs with reasonable security guarantees. And some banks, like Chase, used the fifteen years of advance notice they had to develop these.
Other banks had other priorities, and are now using their own inaction to argue that screen scraping is a threat. (One can’t help but notice the bait and switch: first say aggregators must use official APIs rather than screenscrape, then claim that anyone who’s viewed developer documentation has agreed to a bill for 75% of their revenue.)
The banks additionally argue that fintechs are freeriding on substantial technology investments made by banks to serve their customers. This is extremely selective memory. Stripe did over $1.4 trillion in payment volume in 2024. Using no private information whatsoever, that implies that Stripe alone paid the banking industry somewhere in the general neighborhood of $20 billion in interchange fees.
Twenty. Billion. Dollars. From one firm alone.
It’s a little rich, pardon the pun, to cash a check for $20 billion and then whine about fintechs freeriding on your IT spend.
Credit cards are an enormously lucrative business for banks. The capability for businesses of all sizes to transact with customers worldwide over those rails is an enormous service to the world.
But cards are not and cannot be the last word in payments. We, as a society, should continue making things people want. Sometimes, the natural way to buy those things will be less compatible with cards or the assumptions baked into cards’ business model.
There has been quite a bit of enthusiasm for stablecoins in some quarters recently. Part of the sales pitch for stablecoins has been that you get to bypass the traditional financial system rails. This sales pitch does not accurately predict the operation of stablecoin businesses with material volume. Those are often operating something of a crypto mullet, with a stablecoin in the front and a bank transfer in the back. Those bank transfers are often substantially facilitated by Open Banking. This is a necessary part of the growth story for stablecoin businesses, as they are increasingly attempting to interact with the real economy, rather than crypto speculation. The real economy wants dollars and doesn’t much care what brand of database your backoffice uses.
People, particularly at the socioeconomic margins, increasingly use things which aren’t exactly a plastic rectangle. Sometimes that is a Cash App or a Venmo, or wallet directly integrated into a phone, or whatever a YC company invents next week. Our international peers like Japan (and our adversaries) have thriving payments ecosystems.
Developing these innovations will almost always need to touch the banking system because, at the end of the day, businesses want dollars. If we award banks the ability to impose a fee on any transaction that competes with their card business, that will strangle some of these innovations. This would be unfortunate, because customers and businesses benefit from choice.
It also helps us keep the banks on their toes. The industry tends to default to sleepwalking with regards to core services. Bank apps actually being quite good in the last few years is not simply a reflection of their general technical competence. They invested deliberately, after decades of underprioritization, because they saw the younger generation increasingly defecting to apps, and then they realized that would eventually threaten the deposit franchise.
The banks aren’t inherently opposed to shipping good products! They do it frequently! But if you ask the question slightly differently, they will happily bankrupt anyone who threatens revenue streams which are fat-and-happy. In that world, you get to use 1999 banking websites on Internet Explorer 5.0 forever. (And if that sounds unlikely, speak to a Korean friend sometime.)
There was also something of a kerfuffle with regards to banking supportability decisions recently. I have a nuanced point of view on it, but if I can offer a comment: when you let banks look into the economic logic of their customers’ lives to determine their pricing structure, you’re giving them the capability to pick winners and losers.
It has been reported that Chase wants a two-tier pricing system for Open Banking: one fee for data access and another, much higher, fee if someone uses that data access to facilitate a payment. These are the same products from Chase’s perspective. The same servers hold the same data. The same CSR stands ready to answer the call if a customer’s data leaks. But one of them is inimical to Chase’s preferences, and so they charge it more to discourage it.
We should not allow banks to get into the habit of sending demand letters to ruin the economics of businesses they simply do not like. Those demand letters will be inevitably abused, including in ways which are not determined by any conceivable direct business interest.
Banks are good at much of what they do, and it is quite profitable. If they want to maintain their share of wallet in their payments businesses, they employ intelligent people who are capable of shipping good products. Let them compete for the business. They’ll frequently win it, fair and square, including from me. But if customers choose to use someone else or if they mistakenly release payment to a fraudster, eh, have your teams break out Excel and try better tomorrow.
2025-03-06 01:36:15
In the sciences they call it the file drawer problem: studies that fail to achieve significance or reach the "wrong" conclusion end up hidden away, creating a distorted picture of reality.
And so here's me rescuing something from the file drawer of banking procedure: a tale of two Americas, one bank branch, and $50,000 in cash.
A style magazine published an account of a large cash withdrawal that didn't match my understanding of banking reality. I burned several thousand dollars and a year investigating. I now doubt that account less, because I understand the context better.
There exist thousands of banks in the United States, each one independently operated with their own procedures, work forces, and circumstances. They are, broadly, similarly constrained by regulation, industry practice, culture, and perception of the threat environment. There is no such thing as a perfectly typical bank, banker, or banking client. But if we were to ignore the messiness of the real world, for the purpose of making a larger point, here is what is supposed to happen when a customer comes in and asks to withdraw $50,000.
A bank doesn’t expect its CEO or Head of Compliance to individually make decisions on every withdrawal. It has designed procedures to achieve the outcomes it (and its regulators, and other stakeholders) desire, and trained staff in how to implement those procedures. Those procedures happen to very explicitly contemplate this transaction.
The teller or personal banker, junior though they may be, is supposed to ascertain the identity of the customer, and ask themselves whether this is a typical transaction for this customer. Do they, perhaps, run a cash-heavy business which, every few weeks, takes out $50,000 to e.g. stock the ATM fleet they operate? If yes, either the staff knows that to be true personally, or this fact is noted on their account. (That note was written after the bank got extremely familiar with their cash management needs, for reasons.)
Very few customers routinely withdraw $50,000 in cash. We move to the next step on the flow chart. Here, the bank staff will begin to deploy some mix of truths, half-truths, and white lies.
One statement, which may be anywhere along that spectrum, is that the bank branch does not have $50,000 cash on hand. Across all bank branches in America, this is frequently actually, mathematically true. A true-ish variant of it is that the branch does actually have a bit more than $50,000 cash on hand. The branch needs it to service customers with routine cash needs, and the instant customer cannot be allowed to wipe out the bank’s on-hand cash reserves, because that will cause them to disappoint dozens or hundreds of customers between now and the rebalancing shipment of cash they will swiftly order. And then there is a false variant, where at some branches this is factually as operationally straightforward as exchanging a $20 bill for two rolls of quarters, but where the lie is institutionally excusable to save this customer from themselves.
Many people who have never withdrawn $50,000 in cash do not have great reasons for suddenly wanting to withdraw $50,000 in cash. It is quite likely they are being scammed or otherwise victimized. The bank, in consideration of its legal and ethical duties to its customer, would prefer to not facilitate this, even unknowingly. Over the universe of all people with this request, the bank knows, in its soul of corporate personhood, that it has actual knowledge of what is likely happening here.
And so, the staff will likely say that the bank has a rule, procedure, or request that the customer call them a day or two in advance of making large cash withdrawals. This will “allow us to get the cash together.” Now, in point of fact, there is a number that the branch manager could call to ask for an extraordinary shipment of physical currency, but this is mostly intended as a speedbump. Scams and other forms of exploitation rely on isolating the victim and pressuring them into making poor choices. Mandating a cooling-off period causes some scams to effervesce like dew in the morning sun.
Perhaps, as happens in many non-routine requests in banking, the customer will call in third-party professionals. Perhaps the customer, annoyed that the $50,000 they need to consummate a real estate transaction isn’t trivially on offer, might phone their real estate lawyer. This is music to the bank’s ears. Not every voice on a telephone is actually a lawyer, and not every member of the bar upholds its strict standards of professionalism and moral uprightness, but lawyers are so much easier to work with than civilians. And, should the matter be reviewed later, the bank will be able to document its reasonable reliance on representations made by a lawyer.
Fraudsters have frequently targeted real estate transactions in recent years. Banks are acutely aware of this; it’s covered extensively in their professional journals and in circulars from regulators. But banks, who have extensive experience with real estate deals, know that a few hiccups on closing are stressful for customers, but very rarely actually blow up transactions, certainly not like scams blow up bank customers.
The bank is unlikely to reach confidence, in this circumstance, in just a minute or two in the teller line. Many well-off people, with great relationships with their banks, with extensively paperworked transactions, will go through more than a half-hour of hoop jumping to get approval for anomalous transactions.
But suppose, for some reason, the calls do not happen and the extended due diligence is not performed. What is supposed to happen next? Well, typically at large money center banks (and here I cite both general industry knowledge and also sources familiar with banking procedure), the staff dealing directly with the customer will summon a second individual. Sometimes this is the branch manager, sometimes it is a peer. Sometimes the next action takes place verbally. Sometimes it happens in specifically built software which keeps an audit log of both staff signing off.
The bank invokes the Two Man Rule. (Yes, this has been renamed in many—but not all—formal documents recording procedural controls. Regulators have, generally, reviewed and approved those documents.)
If both individuals are satisfied that the anomalous transaction is not sufficiently hinky to refuse, it goes forward. This will generally require asking the customer about what they intend to do with $50,000 cash. Banks very rarely ask this question at $50 or $5,000.
Bankers, by law and custom, holistically review these situations. Elements considered include the account records, the experience of branch staff with this particular customer, and a host of context cues which the financial industry would prefer to dissimulate about.
If you are, for example, a lanky thirtysomething who waltzes into a branch in San Francisco and asks for a six figure wire to fund an investment, helpfully mentioning that you have the KYC/KYB information in a clear plastic folder, neither of the Two Men are likely to actually ask to read that folder. If you walk with a cane, if you speak with an accent, if you present as not really understanding the rituals you are engaged in, the bank and its staff will pay radically more attention to you, frequently not in ways you will enjoy.
Let us assume that a $50,000 withdrawal happens, through some pathway. It will have one more mechanical consequence. Very soon after the withdrawal, the bank will be obligated to file a Currency Transaction Report (CTR) with the Financial Crimes Enforcement Network (FinCEN), unless the customer has had a previously-approved status as someone who routinely needs to do this sort of thing, which almost no customers have. The CTR is a write-once read-probably-never document which mostly serves to get the customer’s banking information into a trivially searchable database for law enforcement.
And then what happens to the $50,000? Whatever the customer wants, really. If they want to put it in a shoebox and give it to a courier, it is, at that point, no longer the bank’s problem.
In February 2024, the style publication The Cut published on its site, and concurrently in the print edition of New York Magazine, an article titled “The day I put $50,000 in a shoe box and handed it to a stranger I never thought I was the kind of person to fall for a scam.” It was written, in the first person, by a financial advice columnist who previously wrote for the New York Times business section.
The Cut and New York Magazine are owned by Vox Media, a private equity firm with material investments in advertising platforms (“We Create Premium Advertising Solutions”, “We Enable Media Companies To Build Modern Media Businesses”). Vox also publishes an eponymous website, notable for popularizing the term-of-art “explainer” and for publishing, about covid, analysis that aged more poorly than perhaps anything in the history of the written word. (It subsequently unpublished it.)
Many of Vox’s publications are good at what they do. The shoebox piece successfully achieved virality and follow-on coverage by several media orgs. A media critic could point to reasons why, such as the specificity and viscerality, the it-could-happen-to-anyone framing, and the complicated mix of schadenfreude, voyeurism, and self-protective reassurance which make so-called “true crime” explorations so explosively popular.
Vox Media sell ads with rate cards justified by the storied legacy of New York Magazine, which has won Pulitzers before, against articles of the caliber produced by The Cut. The print edition of the piece is immediately preceded by a fashion spread for “TOM FORD Halter-neck Jumpsuit and Black Stamped Croc Bar Belt, at tomford.com” A similar item, U0269-FAX1105, on the site bears the price tag $5,790, which is capitalism’s surest signal as to who it thinks is reading a publication.
For a quick vibe check on editorial standards of any publication, by their fruits shall you know them: just read the headlines. I checked them the morning of a presentation on this investigation, and they were “The high stakes of the group family vacation”, “George Clooney didn’t appreciate Biden criticizing his wife”, “The film exec distracted by her crushes at Cannes”, and “Madam Clairevoyant: Horoscopes for the week of June 9-15. Mars, planet of action, moves into steadfast Taurus. Time to knuckle down.”
Time to knuckle down… on hard-hitting journalism about banking procedures.
When I reached the bank, I told the guard I needed to make a large cash withdrawal and she sent me upstairs. Michael [a member of the scamming team] was on speakerphone in my pocket. I asked the teller for $50,000. The woman behind the thick glass window raised her eyebrows, disappeared into a back room, came back with a large metal box of $100 bills, and counted them out with a machine. Then she pushed the stacks of bills through the slot along with a sheet of paper warning me against scams. I thanked her and left.
As the piece went quite viral on Twitter, a number of people reached out to me. One specific question asked was “Are high-value withdrawal rooms a thing?”, which I answered, somewhat confusedly, “I could believe that there is, somewhere among 76,000 bank branches in the United States, a room designed to make $50,000 withdrawals. But no, the standard branch layout has no such room designed or designated.”
If a customer needs privacy, the branch has several rooms with doors, behind which banking business is routinely conducted. Those rooms are not fortresses. The branch is not a fortress. It's primarily a sales office for financial services that happens to handle some cash.
Then, I read the article, with a particular attention to the paragraph quoted above. I felt that several elements of this paragraph were inconsistent with the standard practice of banking.
I have an immense regard for journalism, generally, but the institution has been duped before. Stephen Glass comes to mind. One of the earliest bits of hard evidence against him was that he confabulated evocative details about the built reality of buildings he claimed to have visited. The shoebox piece contained much evocative detail, including some details I felt were, unbeknownst to almost all readers, likely to be checkable… and unlikely to have been checked.
Thus began an investigative journalism project, which ended up taking almost a year.
Having once worked for a Communications department, which very definitely does not endorse anything I say in this piece, I am aware of a social ritual of reporters and PR teams. You can send PR an email and ask them for a reply. By convention this is called a comment or a statement to pretend it is something vastly different in character than an excerpt from an email.
If one defects from this social ritual, many responsible professionals will conclude that one has something to hide. This is part of the reason why e.g. the largest banks in the world will swiftly answer questions asked by reporters working for, for example, a low-circulation weekly in Topeka, Kansas. This produces immense social utility, including by acting as an escalation pathway into the bank regarding, e.g., “Does the bank have a comment on why it is foreclosing on Ms. Mildred, who has shown this reporter a carefully maintained collection of checks that appear, to this reporter, to have been deposited?”
On February 22nd, 2024, I sent an email to Vox Media and asked for a comment. You don’t need to be bitten by a radioactive spider to do this. By custom, PR departments publish contact details widely, in part to avoid hostile journalists construing a lack of contact information as a refusal to comment.
There is, however, a performance of class that is helpful in getting PR departments to take you seriously. Mentioning that you are an avid Factorio player might not counsel an immediate reply to one’s questions. The following introduction is designed to compel one.
My name is Patrick McKenzie. I write a column titled Bits about Money, which frequently covers financial fraud and operational mechanics of banking infrastructure. I have previously appeared on Bloomberg and in the New York Times.
I read with interest the article about $50k in a shoebox, which was also published in the print edition of New York Magazine. I may reference it in future writing.
All claims in those paragraphs are true. Some people resent that one can assert authority simply because of implicit blessing of high-status institutions. I leave anyone to their aesthetic preferences, but will mention that this is a very important lesson for how halls of power in New York and Washington, D.C. work.
When the New York Times attempts to commission a piece from you, they will say apologetically that they can’t pay that well for it, but almost nobody writes for the Times for the money. You are paid in a different coin. Flash it, John Wick style, at a PR department, and it immediately takes you seriously, or it is quickly brought to task by New York’s hidden-in-plain-sight subculture of character assassins.
My email to the press contact asked a few questions and avoided explicitly broaching the question I was most curious about: Did the editorial process understand this piece to be an exercise in… creative writing? This felt unlikely, but magazines publish a spectrum of artifacts. Some pieces are roman à clefs, some are pastiches, some are based in a true story, and some are the more traditional understanding of journalism. On the text of it, the piece reads like it is reporting a true event, but it is in a style magazine and does run next to a piece titled Tweencore (“What the 13-and-under set is shopping for.”) and, you know, one may be forgiven some doubts.
A spokesperson for New York Magazine replied with a statement for publication which removed all doubt about how it perceived this story.
The story was thoroughly fact-checked prior to publication, and as part of this process, we reviewed the writer's bank withdrawal, recordings of phone calls and text messages with their scammer, and their statement to the police.
Since I had publicly expressed doubt that there was any fact checking process, I corrected the record.
Published statements or comments routinely occur in the context of a larger conversation. This is rarely mentioned, and I am promoting this subtext to text. There may have been any combination of on the record, on background, or off the record statements between myself and Vox Media. The world may never know.
But generally speaking, careful titration of how much information passes between PR and reporters, including restrictions (which are closer to handshake agreements than contracts) on what can be used where and when, enables a brisk favor-swapping economy. That economy has failed to function recently in the tech industry, as I discussed previously with Kelsey Piper. (Kelsey works in a different part of the Vocis machinae.)
When it does function, society gets the usual benefits of journalism, PR departments grumble a bit but play the game, the Bat Phone to mortgage servicing gets answered on the first ring, and advertisers sell their wares to willing customers to pay for it all.
So Vox Media’s statement through a spokesperson effectively definitively resolved my doubts about editorial processes… but this did not resolve my doubts about banking procedure.
Fraud investigators, law enforcement, and journalists alike frequently start with intuition then backfill with objective facts. My intuitions were screaming.
The article does not actually name the bank or the bank branch, despite a scene unambiguously set within it, despite the centrality of its failure to the narrative, despite repeated identification of firms that were utterly uninvolved. The transaction does not proceed as what a bank expects to happen if someone asks for the entirety of their savings account in cash. Physical details provided for flavor purposes are very rare in the universe you live in.
The claimed fact checking process struck me as… other than robust, in worlds where parts of the article were not factually accurate.
For example, there are many ways to “review a bank withdrawal.” That review can involve five or more parties, and I’ve been on almost all ends of it at various times. Some “reviews” are low-friction but low-robustness, such as e.g. asking someone to see a screenshot of their mobile phone or a printout of a bank statement.
As I once told a colleague in an unrelated context: a printed bank statement is of limited probative value because it could be forged by a bright high school student.
The financial industry has a variety of ways to resolve this, depending on how much time and toil it wants to expend on the investigation. For example, you can call the financial institution which issued the statement in question, announce that you are in a room with their customer, and then ask their customer to ask them to read the financial institution’s copy of the statement into the open line. Many people I have told about this ritual assume that, due to security concerns, no bank will engage in it. Nope! This is extremely routine and will happen tens of thousands of times next Tuesday. It is obviously more trustworthy than a copy of the statement whose chain of custody includes a non-bank actor.
Anyhow, some years after cracking wise about bright high school students, I chanced upon an infelicity which happened to New York Magazine. It published that a Stuyvesant high school student had made $72 million trading stocks and was shortly to open a hedge fund.
This is obvious nonsense and would be detected within seconds of conversation by anyone professionally involved in hedge funds, but we have a ritual in our society which blesses some writers as being owed the benefit of the doubt when they publish obvious nonsense. If it ran in the pages of New York Magazine, and New York Magazine engaged its standard fact checking process by sending someone to Stuyvesant to review a bank statement, and that piece of paper said Chase at the top and an eight figure number at the bottom, then the clearly the story is defensible, right.
No! Of course not! New York Magazine got punked by a teenager.
And so, reading New York Magazine’s newest written statement about thoroughly fact checking a bank withdrawal, I thought “After ten years memories fade. Vox is currently wearing New York Magazine as a skin-suit, so who knows if anyone involved in that fracas is still around. Perhaps current staff reviewed the newest issue’s most important transaction in an other-than-robust fashion.”
Texts from the scammer? Voice recordings? A statement to the police? All of these struck me as highly correlated rather than being independent evidence: all reliable if one trusts the writer, and all unreliable if one does not trust the writer.
Never having employed or encountered this writer myself, before she wrote things I believed to be improbable about banking procedure, I reflected on what I do trust.
I trust the physical reality of the world. I trust that it is very difficult to corrupt the archives of societal institutions.
Vanishingly few bank branches put teller windows on the second floor. Many people have not ever had reason to deeply consider this true fact about the world. Relatively few people have ever made real estate decisions about siting bank branches or sketched layouts for them.
By coincidence, my father has. And, as someone who listened attentively at the dinner table and on car rides as he geeked out with his eldest son about the relative merits of various corners in Chicago, when I read that there was a bank branch in New York City with thick glass on the second floor, I thought “If that unicorn exists, I can probably narrow it down to a single physical location.”
New York City, ye capital of the world, ye center of global finance, ye city which never sleeps: poets say you contain stories beyond numbering, but bike messengers can count your bank branches. A few hundred. Done. A diligent person could walk into every last one. (Of course the public can just walk into bank branches. That is what they are for.)
I started by attempting to narrow the set, to save some shoe leather. One gets a free 90%+ reduction by narrowing it to one bank in particular. Bank regulators keenly track deposit share concentration (and, therefore, bank branch concentration) in major markets, and NYC, the majorest market, is gardened with an exactitude that makes the feng shui look effortless.
Who knows the bank? Well, Vox (by implication of their statement) must know the bank, and the writer certainly knows the bank, and perhaps one of these would give an on the record comment naming the bank.
The writer engages in freelance journalism, has a professional website which lists her email address, and swiftly answered a question from another writer, on the record.
Bank of America.
Now we are getting somewhere.
Bank of America will trivially give you a list of all Bank of America locations in Brooklyn, for many reasons, including “We would certainly hope you find our financial centers for your financial services needs. We didn’t build this branch footprint and lease out desirable locations for a half century and sweat the details about curb cuts for the sheer joy of it all.”
One can, if one is unusually punctilious, cross reference their list against public records.
One useful sort of public record is the Office of the Comptroller of the Currency’s weekly bulletin, which includes all bank branch closings for nationally chartered institutions in the United States. Why would one care about those bulletins? An investigation, conducted in February 2024, about branches open on October 31st, 2023, might otherwise miss some which closed in the interim. And so I told my research assistant to read a few months of bulletins. (He surprised me by saying there is a search engine these days. Well, this wire transfer compliance influencer learned a new trick in 2024.)
And so we had twenty two Bank of America branches in Brooklyn to look at.
I’m in Chicago, and flying to Brooklyn to spend three days walking into branches seems like an obviously irrational use of my time. So, in the finest tradition of publications assigning scutwork to junior employees, I sent Sammy to Brooklyn instead.
We excluded any buildings which physically didn’t have a second floor. We used sophisticated techniques taught in journalism school, like the fact you can press ten buttons on an iPhone and then someone at a bank in Brooklyn will immediately answer questions like “Does your branch have a second floor?”
We kept a detailed spreadsheet, in the expectation we might eventually have to show New York media outlets that we had done our homework. A timestamped call here, a Street View there, our search area narrowed precipitously.
The final round of investigation involved Sammy physically entering bank branches, walking to the second floor, and looking for physical details consistent with the story as published.
This is a long way to say: I am very confident indeed that the only place in the world the described bank transaction could possibly have taken place at is 1 Flatbush Avenue, at the teller window, on the second floor. Right here.
We took this photo in March 2024, only weeks after publication of the original article.
And then we entered a long, long holding pattern, trying to find one trusted institution to say that, as of earlier than February 2024, they understood the transaction to either a) definitely have taken place at 1 Flatbush Avenue or b) definitely not have taken place at 1 Flatbush Avenue.
If the incident took place in the physical world, then the geospatial reality of the world imposes some constraints on the narrative. The writer unambiguously locates their narrative in Brooklyn. But Brooklyn is large.
Could we narrow it down? Could we do that using only independent, trustworthy information?
I trust, for example, that the city of New York keeps mostly accurate records about who owns property. These are quite useful for e.g. facilitating the orderly operation of the country's largest real estate market. The records are publicly available through the Automated City Register Information System (ACRIS).
I learned two things from ACRIS in early 2024.
One was an address on a mortgage. That address is, factually, a thoroughly doable walk from 1 Flatbush Avenue.
The other: this outsider, trusting at face value representations made by a news publication about the socioeconomic status of the subject of a story, did not successfully predict other facts present on that mortgage.
Socioeconomic class, unfortunately, has a great deal of bearing on how a bank would choose to interact with an individual. This is particularly true as one approaches either end of the socioeconomic spectrum, away from the mass market that most people assume banks must be serving at all times. We have often discussed discontinuities in service at the lower end of the spectrum in Bits about Money. There exist… other discontinuities.
I realize that commenting on the socioeconomic status of a crime victim is uncouth, particularly in ways they might not choose to describe themselves. Class is unfortunately essential to understanding what actually happened at 1 Flatbush Avenue on October 31st, 2023. Permit me a brief recital of the source of my confusion.
This outsider perceived a through-line of the Cut piece as being that the writer made other-than-rational decisions about $50,000 because their financial life was on the line. Here are some select non-consecutive paragraphs reproduced verbatim, with bolding added to highlight statements this outsider apparently read incorrectly.
Calvin [a member of the scamming team] wanted to know how much money I currently had in my bank accounts. I told him that I had two — checking and savings — with a combined balance of a little over $80,000. As a freelancer in a volatile industry, I keep a sizable emergency fund, and I also set aside cash to pay my taxes at the end of the year, since they aren’t withheld from my paychecks.
I almost laughed. I told him I was quite sure that my husband, who works for an affordable- housing nonprofit and makes meticulous spreadsheets for our child-care expenses, was not a secret drug smuggler. “I believe you, but even so, your communications are probably under surveillance,” Calvin said. “You cannot talk to him about this.” I quickly deleted the text messages I had sent my husband a few minutes earlier. “These are sophisticated criminals with a lot of money at stake,” he continued. “You should assume you are in danger and being watched. You cannot take any chances.”
Fifty thousand dollars is a lot of money. It took me years to save, stashing away a few thousand every time I got paid for a big project. Part of it was money I had received from my grandfather, an inheritance he took great pains to set up for his grandchildren before his death. Sometimes I imagine how I would have spent it if I had to get rid of it in a day. I could have paid for over a year’s worth of child care up front. I could have put it toward the master’s degree I’ve always wanted. I could have housed multiple families for months. Perhaps, inadvertently, I am; I occasionally wonder what the scammers did with it.
Because I had set it aside for emergencies and taxes, it was money I tried to pretend I didn’t have — it wasn’t for spending. Initially, I was afraid that I wouldn’t be able to afford my taxes this year, but then my accountant told me I could write off losses due to theft. So from a financial standpoint, I’ll survive, as long as I don’t have another emergency — a real one — anytime soon.
These statements, and others throughout the article, conjured a particular image for me. It was that the writer was upper middle class, dealt with a bit of financial anxiety common to many individuals in precarious or not-particularly-remunerative employment circumstances, and was abused by professional con artists in a calculated fashion to prey upon this financial insecurity.
When recounted these same statements, my friend Byrne Hobart, who has actually lived among this social milieu before, laughed knowingly and said “Ah, family money.”
I will now add three true statements to the above sketch, in the hopes that you understand this transaction the way that a Bank of America teller understood it.
The writer’s positive home equity, trivially available to the bank which wrote their mortgage, is well in excess of ten years of the median household income for New York City. The writer is the president of the family charitable foundation, which per its annual filings with the IRS has in the recent past held approximately $2 million in marketable securities. And the family estate in Connecticut (which the writer’s parents live at) was featured in the local paper, highlighting two hundred years of history.
Discovering these facts radically changed my impression of why, per the writer’s written communication with me, she was not asked for the purpose of a $50,000 withdrawal by any bank staff. It no longer looks like a surprising lapse in procedure, when someone attempted to empty their entire savings account and wasn’t even half-heartedly counseled about caution. It looks like trivial cash management of a well-off, presumptively sophisticated client, whose household, resources, and probable financial future were thoroughly known to the bank.
Would the bank prefer the teller to ask one more question in this circumstance? Perhaps. But it won’t lose sleep over the matter.
Bank of America was asked about this transaction by the New York Times: “‘We have extensive efforts to warn clients about avoiding scams,’ said a Bank of America spokesman, William P. Halldin, via email. The bank declined to comment further.” (The Times, citing policy, refused to confirm the bank branch it understood the transaction to have taken place at.)
And thus we return to our earlier question: can we find an institution which will divulge where this transaction was claimed to have taken place at? Vox Media, the writer, and the New York Times have all been asked, and we do not have an answer yet.
Bank of America is one of the largest depository institutions in the world, and reliably files Currency Transaction Reports when someone moves $10,000 or more into, or out of, the bank in cash. I thought it would be extremely unlikely that FinCEN would cough one of these up to anyone who asked.
But a recent development in Freedom of Information Act jurisprudence gave me some hope: the FOIA now, per the Ninth Circuit, allows for “statistical aggregate data” to be FOIAed. And I thought there was some hope that FinCEN would, rather than showing me a very private Currency Transaction Report, answer a simple question about statistical aggregates.
So I filed a FOIA request, 2025-FINF-00126, asking for a statistical calculation to be done:
How many currency transaction reports were filed. In Brooklyn. For a withdrawal of between $48,000 and $52,000. On October 31st, 2023. Broken down by branch address.
FinCEN efficiently processed this FOIA request, returning a definitive answer in less than two weeks: hell no. It asserted the same argument rejected by the 9th Circuit, that responding would require creating a new record (the results of the SQL query) and therefore it had no obligation to do so. It also asserted a statutory exemption which very broadly applied to many records kept by FinCEN. On reading the statutes, I thought FinCEN likely had the right of them, even if it was unlikely to prevail on the statistical aggregate issue.
Drats. It was worth a shot.
The statement from Vox Media claimed that the writer had filed a police report.
From the perspective of a fact-checker, police reports serve a useful tripwire function. Lying on one is a crime. It is not a particularly serious crime (a class A misdemeanor, which also covers “spilling a drink on someone” and “shoplifting a bottle of Tide”).
One is welcome to one’s guess as to how often New York prosecutors enforce this law, particularly against people in our social class. But it is a useful Schelling point for society: a news publication can gesture in the direction of a police report, and say “Well, everyone knows what a police report means”, and we all pretend that it means a police report necessarily contains no lies.
No police officer need disabuse journalists of their illusions here. Should a publication ever get put to the question, it will immediately pivot into “We didn’t say we agreed with or believed anything on the police report. We simply neutrally reported the demonstrable fact of the police report. Obviously we intended nothing else by bringing up a police report.”
But police reports remain useful even in a world where they sometimes contain lies, because they establish paper trails which are extremely difficult to retrospectively fudge.
I was most interested in two facts on the police report.
One was metadata: when was this report received? (It obviously reads a bit differently if the report was created in response to the fact-checker asking for it, right.) The other: did, prior to the publication of the story, the writer consistently cite 1 Flatbush Avenue, the only location in the physical universe the transaction could have taken place at, as the location the transaction took place at?
I tried to get that police report, by several methods. By June 2024, getting impatient, I was at the point of forcing enthusiastically encouraging the NYPD to follow the law and provide it to me.
Police reports, like many public records, are retrievable under the Freedom of Information Law, New York state’s legislation which mirrors the federal FOIA. The statutory deadlines are five business days to acknowledge a request, and then twenty business days (or such time reasonably required) to release the records or cite an exemption under the law for not disclosing them.
I filed FOIL-2024-056-16750 on June 26th, 2024. On the last possible day, the NYPD updated its timeline to successfully locate a police report: it would need until November. OK, fair enough. I was a bit busy myself, being involved in a house purchase and move, and my one paper copy of a style magazine was hanging out in a box in the basement while we repainted. Perhaps the New York Police Department, annual budget $5.8 billion, was likewise quite busy.
November came. November went.
Eventually, concerned that Santa would not deliver the Christmas present I most wanted, I began to press the NYPD for answers. I did this using a voice and mien which I call Dangerous Professional. Three messages, one phone call, no dice.
And so, in February 2025, after a full six months of waiting on the NYPD, I got out my call log and penned a FOIL appeal. After a brief recitation of the procedural history, that letter did a bit of calculated knife twisting:
This request was filed on June 26th, 2024, more than six months ago. It was originally assigned a Due Date of November 4th, more than two months ago, by the NYPD. Despite three attempts to request an update via the Contact the Agency form online and one telephone message, I have yet to receive any non-automated contact from the NYPD about this request.
The statutory timeframe for production of documents in response to a FOIL request is twenty business days from the acknowledgement of the request. The NYPD's failure to produce this document in more than 100 business days is, accordingly, a constructive denial of the request.
I hereby appeal the NYPD's denial, and require that it produce the documents described in the FOIL request or provide me with its reasoning under the statute why it cannot do so.
An attorney for the NYPD wrote back, forecasting a response within the statutory timeframe (10 business days for an appeal). The substantive response said that the appeal was moot because… the Records Access Officer had, subsequent to my appeal, made a determination that the NYPD did indeed keep police reports and could indeed release them in response to FOIL requests.
Oh happy day.
The police report contains a statement recorded by the police made on October 31st, 2023. I have lightly rewritten police shorthand and corrected some inconsequential spelling mistakes:
Complainant/victim further states listed perpetrator stated complainant/victim needed to pay in order to avoid being arrested. Complainant/victim states she withdrew $50,000 in U.S. currency from Bank of America, located at 1 Flatbush Avenue, at 3:10 PM.
And there we have it: reliable chain of custody to a claim made about the physical world at a known time, within hours of the alleged incident. This transaction was alleged to have happened at 1 Flatbush Avenue. Months later, in writing of her memories of the day, the writer offered a seemingly inconsequential detail about going up stairs to visit a teller window.
That seemingly inconsequential detail is, if one has a very particular set of interests, and is willing to put an irrational amount of work in, independently verifiable. Of all the bank branches in all the towns in all the world, the only one where a Bank of America teller awaits Brooklyn socialites behind thick glass on the second floor is, indeed, 1 Flatbush Avenue.
This would be a very different piece if that police report, or any other documentation at a trusted institution, named e.g. 266 Broadway instead.
As for the rest of the shoebox piece? I have no informed point of view on anything in a style magazine, except for the banking.
