MoreRSS

site iconBits about Money

By Patrick McKenzie. About the modern financial infrastructure that the world sits atop of.
Please copy the RSS to your reader, or quickly subscribe to:

Inoreader Feedly Follow Feedbin Local Reader

Rss preview of Blog of Bits about Money

小说与金融

2024-10-08 03:54:55

Fiction and Finance

Programming note: Bits about Money has been a bit irregular recently.

I’ve recently booted up the Complex Systems podcast. It is now up to more than a dozen episodes, including interviewing my dad on real estate development (which is something of a BAM deep (curb) cut). The podcast features Bryne Hobart and other guests you’d probably enjoy on a weekly basis. Since I am more of a writer and very plausibly you are more of a reader, being here and all, note that I include fully edited transcripts (with inline commentary) on all episodes.

I also took my hand at bespoke engineering work wildly outside my expertise with a complex capital stack, and the managerial attention required has been significant. Or: we bought a house and it needs work.

I hope to get on a more appropriate cadence soon, and beg your forbearance (and also understanding that when Factorio: Space Age drops I am unlikely to get much writing accomplished for a week or two). 


Fiction is underrated as a means for concretely impacting the real world and learning about it.

The Social Network is substantially made up, more a source for vibes rather than a source for facts. Even the vibes fail to cohere with reality. And yet it convinced many proto-founders to put in YC applications. This matches the previous experience of Michael Lewis (who purports that Liar’s Poker was basically factual, but meant as a cautionary tale), who launched many careers in finance.

And sometimes fiction doesn’t just give you vibes; it gives you models. The Phoenix Project is actually assigned at some infrastructure companies, because the narrative makes the pedagogy about project management go down more easily. (Often compared with The Goal, which does similar for manufacturing.)

In that spirit, I have a few highly opinionated choices for works of financial fiction that more people should read.

I’ve avoided listing some very worthy books which mention finance. The Iron Bank is balderdash with a nonsensical business model (if you’re bad at credit analysis and rely on winning wars to make up for it, you are not a bank, you are a private military contractor), and while Thorin’s Company does temporarily collapse over a contractual dispute caused by insufficiently clear demarcation of rights between share classes, that is a tiny detail.

The Big Short (book and film) — Written before Michael Lewis started his career in financial-inspired fiction, the Big Short is a dramatization of a gang of outsiders (and insiders who are presented as outsiders for narrative convenience, a theme Lewis will return to frequently, not always with self-awareness) who correctly predict the mechanism and course of the global financial crisis. The work is basically accurate (though it could stand to talk a lot more about repo funding, which is the bit about the crisis that non-specialists are most likely to miss). Congressional testimony, industry analysts, and dinner conversations with people who were in the room all mostly align with it.

For people who have limited facility with mortgage finance, the Jenga scene in the movie is a much better primary on collateralized debt obligations than most formal primers on them. And it matches the actual pitch deck Deutsche Bank used for the proposed trade, which is one of the best tours de force of financial writing ever seen, made even better by the reader’s knowledge that the authors of it end up being absolutely right. (Much of the best writing in the world sits eternally below the waterline; the only reason you perceive this tip of the iceberg is because it was evidence in the Congressional investigation.)

Both book and film also spend time on a crucial insight: it is not enough to merely be right and contrarian, not if you want to make money. You also need an instrument to encode your bet, a source of capital, and substantial operational chops. This includes counterparty risk management, which is particularly important when you’re predicting the end of the world as we know it.

Margin Call (film) — Margin Call is a fictionalized extrapolation of what it was like to be on the inside of could-have-been-anyone, absolutely-not-Goldman-Sachs investment bank during the later stages of the financial crisis. Although it covers much of the same procedural ground as the Big Short, it is not a particularly good way to learn about the mechanisms.

What it is stellar at—almost unmatched in fiction—is depicting archetypes that are both dramatically compelling and reasonably true to those working at various levels in the industry.

The two most important scenes in the film are both meetings, and the film respects its audience a lot more than Big Short does; at no point does anyone need to get into a bubble bath to hold your attention. Those scenes have an entire subgenre on YouTube of commentators explaining the subtext, about which characters are (with a very-well-calibrated spectrum of convincingness) disclaiming knowledge about things they actually certainly knew, about the power dynamics between executives near the heights of capitalism, and similar.

If you take one thing away from Margin Call, take the character of Carmelo. He has one line in the movie, delivered after the CEO requests a particular task after a well-compensated executive has reported it impossible: “It is done.” Some commentators believe the point is that Carmelo is a ruthless, willing-to-use-violence henchman waiting in the wings of an investment bank. These commentators do not understand the point of Carmelo being in this meeting, and fail to understand why Carmelo achieves success in the film. He is a dramatic convenience embodying agency and willingness to work outside the normal process in abnormal times. Carmelo is not any particular person, but many organizations have Carmelos, and probably more should.

The Dragon’s Banker (book) —  sometimes, a title has you at hello, and then goes on to underpredict the actual work. That’s the Dragon’s Banker in a nutshell. How could one possibly spoil this? It has dragons. They need banking. Their banker banks the heck out of them. It turns out that banking dragons is difficult due to their diverse needs and demanding expectations of their bankers. Nothing in the book would surprise a private banker.

But most of us aren’t private bank bankers, and the book is one step ahead of even a very genre-savvy reader. I caught myself saying “Hah, brilliant idea, but of course the dragon is going to fail KYC and AML screening” about a page before the banker unspools his plan for defeating (somewhat anachronistically advanced levels of) KYC and AML screening.

It’s not a bad plan, given the setting. Also, somewhat self-indulgently, no character in fiction has ever more caused me to feel more represented than the banker did around the “I love my job.” line. (Though, if I were actually in the text, I would certainly not take his approach with respect to pricing services. If you’re not comfortable charging market rates for financial services to rich clients, private banking is a bad field to be in. No client incapable of burning you to cinders is worth talking to!)

The Dagger and the Coin (book series) — let the name of capitalism never be besmirched with allegations that it has only a single dragon/banking crossover. This is a worthy entry in the genre. It suffers a bit from extensive plot not about banking and characters who barely speak to dragons. But all of that irrelevant fluff makes it one of the most underrated fantasy series I’ve ever read. (It has the best twist in fantasy, which almost recharacterizes the work as understated cosmic horror.)

More relevantly, we get a fairly extensive look at a not-quite-Medici-but-it-rhymes merchant bank. Unlike the Iron Bank, this one has a plausible business model and clientele, focused primarily on distributing risk among merchants for sea voyages and on capital development for land-based productive enterprises. Merchant banking is heavily under-understood by people interested in finance, but is critical to the history of it (and still practiced, in derivative forms, in the present day).  

Bonus entry: Shylock’s Children (Japanese film) — The subtitled version exists and is licensable—I watched it in in-flight entertainment once—but it was a relatively minor release in Japan and may not be conveniently findable on streaming services. This is a pity, and if you can find it, it is very worth your time.

The plot centers on fraudulent shenanigans at a Tokyo bank branch. One imagines the pitch meeting: “Another police procedural, maybe?” “Overdone, but perhaps the world really needs some salaryman-on-salaryman hardcore banking action. I want gritty realism like a crisp fold on the inkantourokushoumeisho (document attesting to the registration of a personal or corporate seal with the responsible local government agency) to compare the specimen with the presented version of a company’s stamp to verify authenticity.”

“Not too much realism, though, for it to work there will need to be a nation’s worth of fraud happening at this one branch. But we’ll populate it with characters so true-to-life that salarymen will think we had a spy camera in their offices, set design that will give them flashbacks, and a really moving meditation on moral culpability and the difficulty of choosing righteousness after being tempted into compromising one’s principles. It will complement texts on the fraud snowball, like Lying for Money, very well. And of course we’ll use Shakespeare as framing device for this narrative, because these characters would of course attend a Shakespeare production in Tokyo, which our audience doesn’t have to be told is a very normal thing to have happen.”

If you have the opportunity, it’s sublime.


See you next time, and do check out Complex Systems if you haven't already. It is in your podcast-delivery-vehicle of choice or at the website.

为什么CrowdStrike漏洞对银行打击很大

2024-07-31 23:00:00

Why the CrowdStrike bug hit banks hard

Programming note: I recently launched a weekly podcast, Complex Systems with Patrick McKenzie. About 50% of the conversations cover Bits about Money's beat. The remainder will be on other interesting intersections of technology, incentives, culture, and organizational design. The first three episodes covered teaching trading, Byrne Hobart on the epistemology of financial firms, and the tech industry vs. tech reporting divide. Subscribe to it anywhere you listen to podcasts. If you enjoy it, writing a review (in your podcast app or to me via email) helps quite a bit.

On July 19th, a firm most people have sensibly never heard of knocked out a large portion of the routine operations at many institutions worldwide. This hit the banking sector particularly hard. It has been publicly reported that several of the largest U.S. banks were affected by the outage. I understand one of them to have idled tellers and bankers nationwide for the duration. (You’ll forgive me for not naming them, as it would cost me some points.) The issue affected institutions across the size spectrum, including large regionals and community banks.

You might sensibly ask why that happened and, for that matter, how it was possible it would happen.

You might be curious about how to quickly reconstitute the financial system from less legible sources of credit when it is down. (Which: probably less important as a takeaway, but it is quite colorful.)

Brief necessary technical context

Something like 20% of the readership of this column has an engineering degree. To you folks, I apologize in advance for the following handwaviness. (You may be better served by the Preliminary Post Incident Review.)

Many operating systems have a distinction between the “kernel” supplied by the operating system manufacturer and all other software running on the computer system. For historical reasons, that area where almost everything executes is called “userspace.”

In modern software design, programs running in userspace (i.e. almost all programs) are relatively limited in what they can do. Programs running in kernelspace, on the other hand, get direct access to the hardware under the operating system. Certain bugs in kernel programming are very, very bad news for everything running on the computer.

CrowdStrike Falcon is endpoint monitoring software. In brief, “endpoint monitoring” is a service sold to enterprises which have tens or hundreds of thousands of devices (“endpoints”). Those devices are illegible to the organization that owns them due to sheer scale; no single person nor group of people understand what is happening on them. This means there are highly variable levels of how-totally-effed those devices might be at exactly this moment in time. The pitch for endpoint monitoring is that it gives your teams the ability to make those systems legible again while also benefitting from economies of scale, with you getting a continuously updated feed of threats to scan for from your provider.

One way an endpoint might be effed is if it was physically stolen from your working-from-home employee earlier this week. Another way is if it has recently joined a botnet orchestrated from a geopolitical adversary of the United States after one of your junior programmers decided to install warez because the six figure annual salary was too little to fund their video game habit. (No, I am not reading your incident reports, I clarify for every security team in the industry.)

In theory, you perform ongoing monitoring of all of your computers. Then, your crack security team responds to alerts generated by your endpoint monitoring solution. This will sometimes merit further investigation and sometimes call for immediate remedial work. The conversations range from “Did you really just install cracked Starcraft 2 on your work PC? … Please don’t do that.” to “The novel virus reported this morning compromised 32 computers in the wealth management office. Containment was achieved by 2:05 PM ET, by which point we had null routed every packet coming out of that subnet then physically disconnected power to the router just to be sure. We have engaged incident response to see what if any data was exfiltrated in the 47 minutes between detection and null routing. At this point we have no indications of compromise outside that subnet but we cannot rule out a threat actor using the virus as a beachhead or advanced persistent threats being deployed.”

(Yes, that does sound like a Tom Clancy novel. No, that is not a parody.)

Falcon punched

Falcon shipped a configuration bug. In brief, this means that rather than writing new software (which, in modern development practice, hopefully goes through fairly extensive testing and release procedures), CrowdStrike sent a bit of data to systems with Falcon installed. That data was intended to simply update the set of conditions that Falcon scanned for. However, due to an error at CrowdStrike, it actually caused existing already-reviewed Falcon software to fail catastrophically.

Since that failure happened in kernelspace at a particularly vulnerable time, this resulted in Windows systems experiencing total failure beginning at boot. The user-visible symptom is sometimes called the Blue Screen of Death.

Configuration bugs are a disturbingly large portion of engineering decisions which cause outages. (Citation: let’s go with “general knowledge as an informed industry observer.” As always, while I’ve previously worked at Stripe, neither Stripe nor its security team necessarily endorses things I say in my personal spaces.)

However, because this configuration bug hit very widely distributed software running in kernelspace almost universally across machines used by the workforce of lynchpin institutions throughout society (most relevantly to this column, banks, but also airlines, etc etc), it had a blast radius much, much larger than typical configuration bugs.

Have I mentioned that IT security really likes military metaphors? “Blast radius” means “given a fault or failure in system X, how far afield from X will we see negative user impact.” I struggle to recall a bug with a broader direct blast radius than the Falcon misconfiguration.

Once the misconfiguration was rolled out, fixing it was complicated by the tiny issue that a lot of the people needed to fix it couldn’t access their work systems because their machine Blue Screen of Death’ed.

Why? Well, we put the vulnerable software on essentially all machines in a particular institution. You want to protect all the devices. That is the point of endpoint monitoring. It is literally someone’s job to figure out where the devices that aren’t endpoint monitored exist and then to bring them into compliance.

Why do we care about optimizing for endpoint monitoring coverage? Partly it is for genuinely good security reasons. But a major part of it is that small-c compliance is necessary for large-C Compliance. Your regulator will effectively demand that you do it.

Why did Falcon run in kernelspace rather than userspace?

Falcon runs in kernelspace versus userspace in part because the most straightforward way to poke its nose in other programs’ business is to simply ignore the security guarantees that operating systems give to programs running in userspace. Poking your nose in another program’s memory is generally considered somewhere between rude and forbidden-by-very-substantial-engineering-work. However, endpoint monitoring software considers that other software running on the device may be there at the direction of the adversary. It therefore considers that software’s comfort level with its intrusion to be a distant secondary consideration.

Another reason Falcon ran in kernelspace was, as Microsoft told the WSJ, Microsoft was forbidden by an understanding with the European Commission from firmly demoting other security software developers down to userspace. This was because Microsoft both a) wrote security software and b) necessarily always had the option of writing it in kernelspace, because Microsoft controls Windows. The European Commission has pushed back against this characterization and pointed out that This Sentence Uses Cookies To Enable Essential Essay Functionality.

Regulations which strongly suggest particular software purchases

It would be an overstatement to say that the United States federal government commanded U.S. financial institutions to install CrowdStrike Falcon and thereby embed a landmine into the kernels of all their employees’ computers. Anyone saying that has no idea how banking regulation works.

Life is much more subtle than that.

The United States has many, many different banking regulators. Those regulators have some desires for their banks which rhyme heavily, and so they have banded into a club to share resources. This lets them spend their limited brainsweat budgets on things banking regulators have more individualized opinions on than simple, common banking regulatory infrastructure.

One such club is the Federal Financial Institutions Examination Council. They wrote the greatest crossover event of all time if your interests are a) mandatory supervisory evaluations of financial institutions and b) IT risk management: the FFIEC Information Technology Examination Handbook's Information Security Booklet.

The modal consumer of this document is probably not a Linux kernel programmer with a highly developed mental model of kernelspace versus userspace. That would be an unreasonable expectation for a banking supervisor. They work for a banking regulator, not a software company, doing important supervisory work, not merely implementation. Later this week they might be working on capital adequacy ratios, but for right now, they’re asking your IT team about endpoint monitoring.

The FFEITC ITEH ISB (the acronym just rolls off the tongue) is not super prescriptive about exactly what controls you, a financial institution, have to have. This is common in many regulatory environments. HIPAA, to use a contrasting example, is unusual in that it describes a control environment that you can reduce to a checklist with Required or Optional next to each of them. (HIPAA spells that second category “Addressable”, for reasons outside the scope of this essay, but which I’ll mention because I don’t want to offend other former HIPAA Compliance Officers.)

To facilitate your institution’s conversation with the examiner who drew the short straw, you will conduct a risk analysis. Well, more likely, you’ll pay a consulting firm to conduct a risk analysis. In the production function that is scaled consultancies, this means that a junior employee will open U.S. Financial Institution IT Security Risk Analysis v3-edited-final-final.docx and add important client-specific context like a) their name and b) their logo.

That document will heavily reference the ITEH, because it exists to quickly shut down the line of questioning from the examiner. If you desire a career in this field, you will phrase that as “guiding the conversation towards areas of maximum mutual interest in the cause of 'advanc[ing] the nation’s monetary, financial, and payment systems to build a stronger economy for all Americans.'” (The internal quotation is lifted from a job description at the Federal Reserve.)

Your consultants are going to, when they conduct the mandatory risk analysis, give you a shopping list. Endpoint monitoring is one item on that shopping list. Why? Ask your consultant and they’ll bill you for the answer, but you can get my opinion for free and it is worth twice what you paid for it: II.C.12 Malware Mitigation.

Does the FFEITC have a hugely prescriptive view of what you should be doing for malware monitoring? Well, no:

Management should implement defense-in-depth to protect, detect, and respond to malware. The institution can use many tools to block malware before it enters the environment and to detect it and respond if it is not blocked. Methods or systems that management should consider include the following: [12 bullet points which vary in specificity from whitelisting allowed programs to port monitoring to user education].

But your consultants will tell you that you want a very responsive answer to II.C.12 in this report and that, since you probably do not have Google’s ability to fill floors of people doing industry-leading security research, you should just buy something which says Yeah We Do That.

CrowdStrike’s sales reps will happily tell you Yeah We Do That. This web page exists as a result of a deterministic process co-owned by the Marketing and Sales departments at a B2B software company to create industry-specific “sales enablement” collateral. As a matter of fact, if you want to give CrowdStrike your email address and job title, they will even send you a document which is not titled Exact Wording To Put In Your Risk Assessment Including Which Five Objectives And Seventeen Controls Purchasing This Product Will Solve For.

CrowdStrike is not, strictly speaking, the only vendor that you could have installed on every computer you owned to make your regulators happy with you. But, due to vagaries of how enterprise software sales teams work, they sewed up an awful lot of government-adjacent industries. This was in part because they aggressively pursued writing the sort of documents you need if the people who read your project plans have national security briefs.

I’m not mocking the Federal Financial Institutions Examining Council for cosplaying as having a national security brief. (Goodness knows that that happens a lot in cybersecurity... and government generally. New York City likes to pretend it has an intelligence service, which is absolutely not a patronage program designed to have taxpayers fund indefinite foreign vacations with minimal actual job duties.)

But money is core societal infrastructure, like the power grid and transportation systems are. It would be really bad if hackers working for a foreign government could just turn off money. That would be more damaging than a conventional missile being fired at random into New York City, and we might be more constrained in responding.

And so, we ended up in a situation where we invited an advanced persistent threat into kernelspace.

It is perhaps important to point out that security professionals understand security tools to themselves introduce security vulnerabilities. Partly, the worry is that a monoculture could have a particular weakness that could be exploited in a particular way. Partly, it is that security tools (and security personnel!) frequently have more privileges than is typical, and therefore they can be directly compromised by the adversary. This observation is fractal in systems engineering: at every level of abstraction, if your control plane gets compromised, you lose. (Control plane has a specific meaning in networking but for this purpose just round it to “operating system (metaphorical) that controls your operating systems (literal).”)

CrowdStrike maintains that they do not understand it to be the case that a bad actor intentionally tried to bring down global financial infrastructure and airlines by using them as a weapon. No, CrowdStrike did that themselves, on accident, of their own volition. But this demonstrates the problem pretty clearly: if a junior employee tripping over a power cord at your company brings down computers worldwide, the bad guys have a variety of options for achieving directionally similar aims by attacking directionally similar power cords.

When money stops money-ing

I found out about the CrowdStrike vulnerability in the usual fashion: Twitter. But then my friendly local bank branch cited it (as quote the Microsoft systems issue endquote) when I was attempting to withdraw cash from the teller window.

My family purchased a duplex recently and is doing renovation prior to moving in. For complex social reasons, a thorough recitation of which would make me persona non grata across the political spectrum, engaging a sufficient number of contractors in Chicago will result in one being asked to make frequent, sizable payments in cash.

This created a minor emergency for me, because it was an other-than-minor emergency for some contractors I was working with.

Many contractors are small businesses. Many small businesses are very thinly capitalized. Many employees of small businesses are extremely dependent on receiving compensation exactly on payday and not after it. And so, while many people in Chicago were basically unaffected on that Friday because their money kept working (on mobile apps, via Venmo/Cash App, via credit cards, etc), cash-dependent people got an enormous wrench thrown into their plans.

I personally tried withdrawing cash at three financial institutions in different weight classes, as was told it was absolutely impossible (in size) at all of them, owing to the Falcon issue.

At one, I was told that I couldn’t use the tellers but could use the ATM. Unfortunately, like many customers, I was attempting to take out more cash from the ATM than I ever had before. Fortunately, their system that flags potentially fraudulent behavior will let a customer unflag themselves by responding to an instant communication from the bank. Unfortunately, the subdomain that communication directs them to runs on a server apparently protected by CrowdStrike Falcon.

It was not impossible at all financial institutions. I am aware of a few around Chicago which ran out of physical cash on hand at some branches, because all demand for cash on a Friday was serviced by them versus by “all of the financial institutions.” (As always happens during widespread disturbances in infrastructure, there quickly arises a shadow economy of information trading which redirects relatively sophisticated people to the places that are capable of servicing them. This happens through offline social networks since time immemorial and online social networks since we invented those. The first is probably more impactful but the second is more legible, so banking regulators pretend this class of issues sprang fully formed from the tech industry just in time to bring down banks last year.)

I have some knowledge of the history of comprehensive failures of financial infrastructure, and so I considered doing the traditional thing when convertibility of deposits is suspended by industry-wide issues: head to the bar.

A hopefully unnecessary disclaimer: the following is historical fact despite rhyming with stereotype.

Back in 1970, there was a widespread and sustained (six months!) strike in the Irish banking sector. Workers were unable to cash paychecks because tellers refused to work. So, as an accommodation for customers, operators of pubs would cash the checks from the till, trusting that eventually checks drawn on the accounts of local employers would be good funds again. 

Some publicans even cashed personal checks, backed by the swift and terrible justice of the credit reporting bureau We Control Whether You Can Ever Enjoy A Pint With Your Friends Again. This kept physical notes circulating in the economy.

As I told my contractors, to their confusion, I was unable to simply go down to the local bar to get them cash with the banks down. I don’t have sufficient credit with the operator of the local bar, as I don’t drink.

I told them, to their even greater confusion, that I had considered going down to the parish and buying all their cash on hand with a personal check. Churches, much like bars, have much of their weekly income come through electronic payments but still do a substantial amount of cash management through the workweek heading into the weekend. I’m much more a known quantity at church than I am at the friendly neighborhood watering hole. (Also, when attempting to workaround financial infrastructure bugs to get workers their wages, consider relying on counterparties with common knowledge of James 5:4.)

I eventually resolved the issue in a more boring fashion: I texted someone I reasonably assumed to have cash and asked them to bring it over.

Financial infrastructure normally functions to abstract away personal ties and replace favor-swapping with legibly-priced broadly-offered services.

Thankfully, while this outage was surprisingly deep and broad, banks were mostly back to normal on the following Monday.

工作标题(保险)

2024-07-01 00:00:00

Working title (insurance)

My family recently bought a duplex in Chicago, after years of living in Japan. This exposed me to Relatable Banking Influencer Content. One facet of it is the largest bill you’ll ever get from the insurance industry for the most inscrutable reason, which I thought would be interesting to cover.

Every time you transact in property, you will notice a variety of ticky-tack transactional frictions added to a (hopefully) itemized list. The largest, by a substantial margin, are agent commissions, which have come under substantial scrutiny for their set-by-a-disciplined-cartel character.

Next up on the list is a bundle of services around “title.”

The rest is a mix of government fee passthroughs and Obvious Nonsense, such as a $125 “water processing fee,” $55 for a wire transfer where that number is just made up, etc. But if I were to go through each of the 16 line items summing up to $1,400, we’d be here all day.

So, let’s talk about the title industry.

What is “title,” anyway?

Ownership is a bundle of property rights, which exclude others from using a thing, and which are hopefully (for the owner) enforceable by the legal system in the case where the larger societal system fails to agree on reality. That is the very orthodox, first-year law school answer, at any rate.

Title in real property is the aggregate of rights, commitments, and contracts which make up an ownership claim. And here it gets into gloriously wonky real estate operational trivia about the difference between an easement versus an encroachment, the justiciability of restrictive covenants written by societies far less enlightened than the present, and similar. But in common usage, you can round title to “who owns this address and how do we know?”

You might reasonably think that you know about title because you can look it up in a database, probably maintained by the government. Here you run into a fascinating historical detail.

Distributed versus centralized database design in property rights

Most people assume ownership is recorded in some sort of government database, in the same sense that your bank balance is recorded in some sort of bank database. If you assume this, you’re right… for many places in the world.

For example, if you wonder who owns a particular tiny sliver of Tokyo, you can hire a judicial scrivener to go ask the government, and in a fairly deterministic fashion they will bring you a piece of paper saying that the Legal Affairs Bureau’s records show one Patrick McKenzie as very definitely owning it. That piece of paper suffices as proof of title for almost all purposes in Japan. Courts, lenders, and the ward office will all treat it as one step below holy writ.

The United States, perhaps surprisingly, is not operationally capable of producing that piece of paper. There is no government body in the United States which will confidently say that, as of this instant, Patrick owns this property to the exclusion of all others. Serious professionals who work in or adjacent to the real estate industry understand this incapacity of the United States and organize their lives around it.

As a broad sketch of varied practice over the 50 states, the relevant government body (here, the Cook County Recorder of Deeds) does not record ownership but rather records certain private transactions. Current ownership is not an independent fact; current ownership is the sum of all compounding transactions since time not-quite-immemorial. (Cryptocurrency enthusiasts might see a parallel: blockchains typically don’t record balances. Software operating on top of the blockchain probabilistically estimates balances by being aware of all transactions that happened since genesis.)

At some point in the very near future, it will be a matter of the public record that I bought a property from a particular seller, and that a bank filed a lien against that property due to me taking out a mortgage.

Users of the database will infer that, since the last few entries in the database were that seller buying the property from someone else, recording a mortgage, and extinguishing that same mortgage on full payment, and there are no other recent entries, that I very probably own the property.

There is an important difference between “very probably owns” and “certainly owns.”

A quick digression for privacy-minded buyers

I lied. I don’t actually own any property in Chicago. My wife and I are beneficiaries of a land trust. The land trust actually owns the property. It is contractually obligated to allow us to live there, receive all rents and other benefits which derive from ownership, and pay us when the trust decides to sell the property, which it will eventually do. The trustee cannot independently decide to sell the property; it must, under law and contract, faithfully execute our directives.

“That sure sounds like ownership, Patrick.” Oh yeah, it’s designed to be equivalent to ownership in every way except basically one.

While there are other reasons to use them, the dominant use case for land trusts is mild privacy preservation. Because maintaining records regarding real estate implicates the public trust, in much of the United States, those records are public records. When this required actually schlepping down to the county clerk’s office to review yellowing papers or microfiche, the fact of the records being public was an interesting bit of operational minutiae for practitioners but had very little impact on owners.

But we have computer systems these days maintaining the records, and also vast secondary ecosystems of data brokers who ingest public records at scale and collate them with other information about people, searchable by other identifiers. As a consequence of this, in Chicago (and many other American cities), if you know a homeowner’s name (or address, or phone number, or…) you can have the full text of their mortgage, address, purchase price, monthly payment, etc etc, with 30 seconds of effort. No login or reason is required.

Many people react quite negatively when they learn this. If you are currently reacting negatively, I express no judgment.

This strikes me as similar to many questions about privacy rights. The range of human preferences is wider than anticipated. Framing influences perception quite a bit (“Anyone on Twitter can figure out your children’s exact walk to school” sounds different than “Your property tax payment is a public record” despite being the same physical database entry). Our laws have (as a descriptive not normative statement) not been updated in the wake of technological progress.

And so, I pay a very boring company $300 a year for a two-page contract that makes them our trustee. They have that contract in a filing cabinet. It is (assuming competent execution, always a risky assumption in the real estate industry) not cross-referenced in any databases. You can get them to show it to you, but you’ll need a court order, and fighting that court order is basically their reason for existing.

Many people, when they learn about land trusts, immediately assume that something extremely hinky is going on. Not so much; this is an extremely common way for savvy people to own property. It is in no way a loophole. The same polity which told its elected representatives that it wants property records to be public also told its elected representatives that it wants to exempt the rich, powerful, and savvy from that requirement. (That is a commentary on the American political system, certainly.)

Anyhow, should you want to avail yourself of this the next time you buy property, just tell your real estate attorney “What’s the privacy option in this state? Land trust or something?” They do this all the time. Or you can choose to have your full-text mortgage publicly available and automatically imported into hundreds of data sets. Whichever you prefer.

(As long as I’m adding I-grew-up-discussing-real-estate-quirks-at-the-dinner-table-sorry-not-sorry notes, another use case for land trusts is that judgments against individuals are more difficult to enforce against property held by a trust. LLCs are also commonly spun up to act as legal firewalls for that reason. Ask your friendly neighborhood real estate lawyer; this is common knowledge in that community of practice. Like most complex systems underlying how the world works, it is very understandable by mortal minds, and people who tell you otherwise are lying to you.)

High confidence and complete confidence are different

Perhaps the digression about land trusts has helped convince you that, if someone tells you they own a property and want to sell it to you, that claim might be more difficult to verify than you’d naively expect. It is also a claim that can sometimes be falsified well after a transaction.

Suppose a person lives in a community property state. One day, in the throes of passion, they swear their undying love and devotion in front of a justice of the peace, perhaps in a commercial establishment in a jurisdiction well-known in popular fiction for facilitating other-than-considered vows of this nature. That passion wanes along with the alcohol, and everyone involved just tries to forget this incident. A year later, they purchase a property, using their own money and a mortgage. And then, in the future, they sell their property, without asking for permission from their spouse, because socially speaking they are not married.

Does the new buyer actually own the property? No, they do not, because that property has been fraudulently transferred to them, against the interests of the spouse with a 50% claim to it by law. Does a person purchasing it from them actually own the property? Again, no, they do not.

You might sensibly object that no database reasonably available to these innocent buyers recorded the fact of the out-of-state marriage. The law does not care, and remediation at this point will be extensive and expensive.

(If it sounds implausible that marriages are not trivially searchable: the marriage is equally legally valid if conducted overseas. For example, when an American marries a Japanese person in Japan, the right U.S. government agency to register that fact with is no one at all. My wife and I joke about our unlicensed marriage, but it is absolutely valid in the U.S., and rights under it are enforceable by U.S. courts, because of the principle of comity. Comity doesn’t care that your SQL query returned zero records.)

“Undiscovered marriage torpedoes a real estate deal after-the-fact” sounds far-fetched, I know, I know. Every real estate lawyer has variants of this story in particular and another few dozen with similar effect. Partially they’re deployed tactically to drum up additional work for real estate lawyers. And partly they’re only slightly fictionalized versions of real cases where the full details are recorded for posterity by court reporters. (In the category of particularly historically well-attested-to title disputes, a particular family lost their home three times due to title defects. The family was forced to migrate as a result of these disasters. The young son, perhaps scarred by them, later went on to practice law here in Illinois. He is better known for other work.)

So we have a system for remediating title defects.

Title insurance and title searches

Our first procedural countermeasure is that one hires a professional to diligently conduct “title searches.” And, indeed, someone is certainly going to bill you for doing this work, and for a non-obvious risk transfer incident to doing that work.

But simply querying the database harder will not, and cannot, shake out all title problems. (Back in the days of yellowing paper and microfiche, knowing how hard your title searcher searched was actually consequential. Now that a twelve-year-old can do a physically equivalent search, the competence distribution is… slightly narrower than it used to be.)

For all those edge cases that no amount of searching can derisk, there exists title insurance. It is a specialized insurance policy which says that, if there is an undiscovered defect in title, the insurance company will pay for the expensive and painful remediation, up to (and inclusive of) simply refunding the entire purchase price of the property to the insured buyer/lender. It is critical to understand that title insurance is effectively mandatory since almost all purchases are financed. Lenders will require a policy be purchased, and they are themselves similarly obligated to require this, due to the supply chain for mortgage financing.

Title insurance has been called an expensive racket. A wag might say that this is grossly unfair. To rackets.

Why? Well, it comes down to how title insurance is priced, sold, and purchased.

To understand that, three magic insurance words you should know: frequency, severity, loss ratio. Frequency is the rate of occurrence of claims. Severity is the cost of claims contingent on claims happening. Loss ratio is the total amount of paid-out claims divided by collected premiums.

Title insurance has extraordinarily low frequency for insurance products. However, when it does pay, the severity can be very high. Title insurance defenders will tell you that the reason title insurance is expensive is because the insurance company is promising to literally buy you a house in event of a problem.

Title insurance defenders are dissimulating, though, because the actual loss ratio on title insurance policies is laughably low. This number is exhaustively tracked by insurance regulators, and floats around the 5% region. And so, of the $4,000 or so that I paid in title insurance, the underwriter expects to pay out $200 in losses.

A high loss ratio means an insurance policy is inexpensive relative to the actual risks it insures; a low loss ratio means the opposite. Title policies are among the most expensive insurance policies issued for any risk whatsoever.

Now you might ask “What is a typical insurance loss ratio?” These are not unknowable numbers; they’re some of the most accurate figures captured by capitalism, with a combination of financial institutions and government regulators obsessed over quarter-to-quarter variations in them. Let me quote a couple of representative examples: fire, 65%. Workers’ comp, 48%. Medical profession liability, 56%. Auto liability, 76%. Homeowner, 82%. Even travel insurance, which is legendarily a poor option for customers (for reasons), pays substantially more out in claims than title insurance does.

So why does this policy cost 10-20X as much as other comparable insurance risks?

One very quirky risk transfer and a statistical artifact

We mentioned that title insurance is bound fairly tightly with conducting a title search. In theory, one needs to chain that title search backwards for a few hundred years, at which point there will be an entry that sounds something like “ceded by the king of Spain to the United States” or “acquired by right of conquest.” (These are absolutely real facts that appear in title records. If you want to pay six figures, you can get a degree in philosophizing that all property is based on a theft, late-stage capitalism, etc etc. Few people who work in title insurance have that sort of degree.)

In practice, most title searches are strictly limited. My transaction obligated the searcher to do backbreaking labor and laboriously read twenty four months of transactions (i.e., two transactions) which would take a non-specialist thirty seconds to find using an online publicly available portal. They were not required to read several dozen transactions going back to the digitization of records (which gets you to almost when I was born) or to try to reconstruct what happened to Chicago title records in 1871.

For diligently reading two search results, the searcher was paid $260. ... Or were they?

Yes, according to an invoice. Not really, according to the title industry. But yes again, in reality.

The reason that the title industry says the $260 is not actually earned solely for reading two records is that there is a complex contractual risk transfer happening incident to the search and determining insurability of the title. They, acting as the agent of the insurance underwriter (this would be called a “carrier” in most insurance industries but in title “underwriter” is used to mean “the insurance company” and not “a specific professional at the insurance company”), represent and warranty that they’re making commercially reasonable efforts to avoid “on-record” title flaws (i.e., failing to read those search results accurately).

The title insurance industry expects there to be three main categories of claims.

One, vanishingly unlikely (as a percent of claims) but extremely evocative, is a “historical defect,” where the king of Spain (or, in Illinois, far more likely an Indian tribe or the federal government) has a justiciable concern about the original transfer of land to private ownership.

The far more likely type of claim is “off-record” flaws, where someone has ownership but that isn’t reflected in the searched records. The above ownership-by-undiscovered-marriage scenarios are examples of off-record claims. There is an infinite universe of fact patterns that can result in them, though; this is substantially why title insurance exists.

Then there are “on-record” flaws, where… somebody goofed, and nobody caught it before the transaction closed. There is a clear indication in the search results that the seller lacks legal right to sell the property. Maybe the mortgage isn’t paid and arrangements haven’t been made. Maybe they haven’t gotten a lien released. Maybe they are in the midst of an unresolved divorce. Maybe there is a charming historical anomaly on the deed. (Some anomalies are of a variety that are presumptively void in present-day America.)

In the case of an on-record flaw, where the searcher (who is also usually the agent of the title insurance company) “dun goofed,” in theory the title insurance company can put the claim back on their agent. In theory, that would result in “the system” paying a claim without that claim showing up in the loss ratio. In theory, this means that title insurance isn’t as expensive as it looks.

In practice, this basically never happens. But it’s a nice theory on why title agents deserve to get paid 80-85% of the insurance premium. (These are the standard numbers in Illinois. In some states, it goes as high as 95%. This is, I rush to add, done in the clear light of day. It is definitely not a kickback. A kickback requires someone involved to feel shame.)

Since “basically never happens” is a claim about reality that can be measured with numbers, I’ll observe that title insurance agents themselves carry insurance policies. One important genre is errors and omissions insurance, which can cover them if e.g. they goof and actually have to reimburse a purchaser/lender without the title insurance company covering it. Those policies themselves have a price, and that price encodes the information “we’re talking basis points on basis points of risk here.”

So why do title insurance agents actually get paid so richly, directly driving up the cost of title insurance?

How title insurance is sold

In theory, there is a vibrant, functioning market in title insurance, with thousands of agents ultimately backed by dozens of carriers in Illinois. Price should float down to the minimum amount of loss ratio plus administrative costs plus profit required to sustain a vibrant insurance industry.

In practice, nobody shops for title insurance. I write articles like this as my actual literal job and I didn’t shop for title insurance. I used the insurance company nominated by the seller’s lawyer.

Unsurprisingly, the seller’s lawyer nominated the insurance company that she is an agent of. This was disclosed, in an entirely aboveboard fashion, on one of dozens of documents of paper sent back and forth during the buying process.

You are welcome to your estimate of whether anyone saw fit to explain that document as anything other than “sign this to continue.”

The seller’s attorney earned $625 for legal services in connection with the transaction. 80% of $4,000 in title insurance is $3,200. I think you can make a reasonable estimate as to how important that attorney understands having a ~100% attach rate of title insurance to real estate closings is.

Like all industries, real estate is a very small world, particularly since it is conducted hyperlocally. I have many, many dinner table discussions from my father (in commercial real estate in Chicago for most of his career) about this. My attorney, who I found independent of any other party to the transaction, had interacted with the seller’s attorney on numerous occasions. They mutually collaborated to take a straightforward transaction to a speedy and efficient close.

You are welcome to your estimate of how many times my attorney called attention to the title insurance fee, that the number was set by an act of the seller’s attorney, or that this fee could be shopped.

A really good mental model to carry around for analyzing the finance industry is one-shot versus iterated games. Real estate attorneys model (residential, owner-occupied) closings as effectively one-shot with respect to the client but iterated with respect to the other attorney. If one were conspiratorially-minded, one could say unkind words like "conflict of interest" at this point, but this sort of equilibrium doesn't require anyone to act invidiously. The other attorney is a peer running their business in a socially accepted fashion and very likely quite similarly to how you run your own business. You will see them again both professionally and socially. Why make trouble over nothing.

One reason I personally, despite being fairly financially sophisticated, did not shop the quote was that I was unsure the juice would be worth the squeeze. It’s pretty clearly possible to insure this transaction for 1/10th the price; that pricing prevails in other U.S. markets. It was not obvious to me it would actually be offered by anyone serving Chicago. (You can read a lot on this topic in the book The American Title Insurance Industry: How a Cartel Fleeces the American Consumer. I’ll give you one guess as to the thesis of the work.)

Is there anything to be done here?

You, dear reader, are highly likely to transact property many times over the course of your life. There is a specific line item on your disclosure that almost all participants will skip over. You might make the decision to shop around on that item, and in doing so potentially save a few thousand dollars for an hour of work. (Bits about Money is supported by members, some of whom just got excellent ROI.)

On a societal level… title insurance adds up, fairly quickly. The typical American purchaser will reside in a house for 7 years, and get repeatedly cheesed in this fashion.

We could simply decide, as a policy priority, to not structure the industry this way. However, this is a classic political economy problem, with diffuse costs and concentrated benefit. The real estate industry is extremely politically powerful. It is nationally distributed, extremely well-resourced, and staffed by vocal pillars of the community. Those advocates are everywhere and talk to likely voters because it is their job to do so and are extremely well-liked. The same lawyer who quietly cheeses buyers on title insurance will, in about half of their client interactions, write a client a very obvious, very salient, very memorable check for multiple years of the client’s salary.

The title insurance industry extracts a relatively small rake, hidden in the minutiae of a complex transaction that most legislators and regulators don’t truly understand. There is a strong, organized constituency in favor of that rake existing. That constituency is not shadowy forces in smoky backrooms. They are pillars of your community. They are your friends and neighbors.

And they, independently and through their lobby, know how to present this business to the American polity. The industry provides a valuable service, and charges money for it, unabashedly. The price is set by a vibrant, competitive marketplace. Historical infelicities like kickbacks have mostly been replaced by market mechanisms, like controlled business arrangements, which are fully disclosed to the consumer. Of course consumers read and understand disclosures. The state even released model disclosure language which the industry adopted almost universally.

Do I think this equilibrium is likely to change? I would not bet on it over short timeframes. But, if anyone out ever wants to take a serious run at disrupting this industry, I’ll happily write you a check.

ACATS(Advanced Component Analysis Test Suite)是一种高级组件分析测试套件,用于评估硬件或软件组件的性能和可靠性。如果ACATS出现问题,可能有几个原因: 1. **软件版本过时**:使用的ACATS版本可能已经过时,无法与当前的硬件或软件环境兼容。 2. **配置错误**:ACATS的配置可能不正确,导致测试无法正确执行。 3. **硬件问题**:如果ACATS是用于硬件测试,硬件本身的问题可能会影响测试结果。 4. **软件缺陷**:ACATS软件本身可能存在缺陷或错误,导致测试失败或不准确。 5. **兼容性问题**:ACATS可能与某些操作系统、驱动程序或其他软件不兼容。 6. **环境因素**:测试环境可能受到干扰,如电源不稳定、温度过高等,影响测试结果。 7. **用户操作错误**:用户可能在执行测试时操作不当,导致测试未能正确执行。 如果你遇到ACATS的问题,建议检查上述可能的原因,并尝试更新软件、重新配置、检查硬件或寻求技术支持以解决问题。

2024-05-25 04:05:00

Guys what is wrong with ACATS

Many beginnings imply a contemporaneous ending. This is often bittersweet. Some personal news implies a tearful goodbye to soon-to-be-former coworkers. A new adventure of scholasticism and self-discovery means saying goodbye to your high-school friends. And a new brokerage account often implies leaving a years- (or decades-!) long relationship with a firm that stuck with you, feels a bit like a jilted lover, and by the way happens to constructively control most of your net worth.

This particular beginning and ending is mediated by a complex techno-legal system called ACATS: the Automated Customer Assets Transfer System. ACATS is quite impressive, underpins a very important part of the financial system, and some of the quirks of how it operates will probably surprise you.

The title of this issue is a play on an AI-generated song. Infohazard warning about which I am being absolutely serious: you probably have the experience of a song being an “earworm” that you cannot get out of your head. This song is not simply an earworm. It is auditory superstimulus, like the Dorito, carefully designed to taste like nothing in nature. Unlike the Dorito, which someone is guilty of, this song either has no author or has all the authors. I think if you say the words “my cat” to me when I am on my deathbed I will immediately hum three notes. With that very important caveat out of the way, if you want to be mimetically infected as the price of getting this reference, take a listen at Sono here.

A brief digression into self-regulatory organizations

Brokerages are regulated by FINRA. FINRA stands for many things, though these days FINRA might deny that it is an acronym. In previous years, though, it was definitely the Financial Industry Regulatory Authority. One reason FINRA is not an acronym, to the extent it is not an acronym, is that an unsophisticated investor might hear that and assume “Ah yes, FINRA is clearly part of the government” and FINRA will immediately swear up, down, and sideways they are not. They are just a financial regulator overseeing trillions of dollars.

Self-regulatory organizations (SROs) are industry associations. There are many industry associations in the world.

Some pool money to pay for a-rising-tide-lifts-all-bovines advertising. Some exist to get peers together for merriment, diversion, and some conspiracy against the public. (This is a joking reference to a famous passage from Adam Smith. On a completely unrelated note, please feel free to introduce yourself if you see me at a software conference. I’ll be doing a talk about raising prices.)

SROs are the type of industry associations that partially exist as a blocking play. If we don’t get our house in order, Dangerous Professionals from the government are going to barge into our house to order it for us. That will be disruptive to providing valuable services to customers at a price they are willing to pay.

FINRA regulates asset transfers between brokerages

Discount brokerages are large, trustworthy, competent institutions. But there are some brokerages which are not. There are wirehouses attached to large investment banks like e.g. JP Morgan (large, trustworthy, and competent, but not a discount brokerage), there is Robinhood (a large discount brokerage), but by far the most numerous are small boutiques which keep on keeping on.

Some of those boutiques have been known to be a bit grasping when assets under management attempt to walk out the door. They would refuse to let their customer leave. When told this was extremely improper, they whined and said it was really difficult to facilitate their customer leaving, and wouldn’t the customer prefer staying, and Cindy who can actually take care of this will be back in the office the first Tuesday after the waxing moon.

And so FINRA listened to its members (brokerages), customers, advocates, and counterparts in government, and passed a rule. Cindy can go on vacation any time she wants, but it is the brokerage and not Cindy who is responsible for outcomes, and only one outcome is acceptable: if a customer wants to move their assets out, you must let them.

The full rule is necessarily more complicated than that gloss of the intent of the rule. It’s not unknowable inside baseball; see FINRA Rule 11870. It is somewhat somnambulance inducing:

When a customer whose securities account is carried by a member (the "carrying member") wishes to transfer securities account assets, in whole or in specifically designated part, to another member (the "receiving member") and gives authorized instructions to the receiving member, both members must expedite and coordinate activities with respect to the transfer..

But, by the standards of many regulations, it is short and actionable.

Rule 11870 doesn’t itself establish a technical artifact but exists in tandem with one: ACATS.

How does one transfer securities account assets?

What is a share of stock, really? An abstracted right to ownership of a corporation? A legal contract promising the same? Some complex sociopolitical edifice where judges who are not yet born will of course automatically award surplus returns of an enterprise to an equity holder even when told not to by a nuclear-armed government? A share is all of these things.

But also, in a really important way, a share is an entry in a spreadsheet.

Whose spreadsheet? Everyones’ spreadsheets. Stock that you own, and you really do own it, exists as the superposition of several spreadsheets. Your spreadsheets, for example. Those matter. Spreadsheets (or databases, or blockchains, or… actually no probably not blockchains even cryptoenthusiast technologists don’t believe that will happen anymore) at your brokerage. And then, in a fascinating wrinkle that Matt Levine has covered many times, a spreadsheet at the Depository Trust Company, which keeps almost all the stocks and simultaneously has very probably never heard of you.

So when you move stock between brokerages, nobody needs to print out a stock certificate and courier it across Chicago, New York, or the Pacific Ocean anymore. Thank goodness. (I have no stories, but I have friends who have stories, and the Die Hard steal-the-bearer-bonds plot didn’t come from nowhere.) You just have to coordinate updating the spreadsheets. How hard could that possibly be.

ACATS is a system with technical and legal elements to it. It greatly decreases the number of moving parts required to coordinate updating spreadsheets. The pre-ACATS era meant needing to interface directly with the thousands of other brokerages in the United States. You had to care deeply about the operational differences at their firms. Sometimes your Ops and their Ops didn’t use the same version of Excel. It was anarchy. ACATS puts very diverse firms between a relatively consistent experience, while simultaneously codifying operations and reducing various forms of risk to the process. This is a very common way to create value in financial technology.

What does an ACATS request actually entail?

A customer selects a new brokerage and tells that brokerage they intend to move in assets. That brokerage, which very much wants to get those assets onto their own books (and spreadsheets, etc etc, as a necessary consequence), will assist them in operating ACATS on their behalf. The customer will very likely never care about nor understand a complex operational symphony happening in the background.

The brokerage will likely kick off a few processes which don’t necessarily happen in Internet time and aren’t strictly coupled but might feel like they are to the customer. They will ask the customer to create a new account, which (extremely relevantly) will require the brokerage running their KYC process on the customer. They will very likely ask the customer for their last brokerage statement. And they will ask the customer to authorize them moving over the previous assets.

That authorization is customarily on a very templated rather short contract / form, and the template is almost inevitably going to rhyme heavily with the template in FINRA Rule 11870. But, in one of those fascinating rabbit holes about how the world actually works, authorization does not mean performing a particular ritual on a particular written instrument. Authorization means permitting something. You can permit something with words, most typically, or even a gesture.

As a very concrete consequence of this, many of those forms will be filled out not by the customer, but by the brokerage employee working on onboarding them. This is not bad and is not fraud. That feels weird to say out loud but it is extremely important: they have authorization. They are doing the thing brokerages do, taking specific authorization for a specific action from a customer and translating it into a complex series of technical and legal processes to cause the physical result in the world that the customer wants to happen.

And so, the form that authorizes an ACATS request might have a signature blank at the bottom. Some of them are signed by the customer, in that the customer had that form physically presented to them and they affixed their signature with a pen. Some are signed by the customer via a solution like Docusign, which might or might not imply that they actually saw an image which physically resembles the form that gets signed.

And some of them are signed on the customer’s behalf. The exact form of that might look like the ASCII characters /s/ John Q. Public. Skeptical? Those are, and these words are carefully chosen to sound very rigorous, “an electronic signature in a format recognized as valid under federal law to conduct interstate commerce.” You probably assumed there would be public key encryption involved in an electronic signature and this is allowed but not required.

All of this is actually normal

And, combined with the next bit, it will give many security-minded people an aneurysm.

Brokerages frequently do not verify incoming ACATS requests

ACATS is a network of trusted peers who have contractual (and other) relationships with a central organizing entity. One thing peers agree to do is to act upon incoming requests very, very quickly by the standards of financial institutions. One thing they do to accomplish this is very surprising: most ACATS requests will cause the brokerage losing the assets to not verify with their customer that the request is authorized.

“What.”, I hear you ask. No, this is true, and this is designed, and this is normal. It only sounds batshit insane.

Let’s start with the timeline: a brokerage receiving an ACATS request must complete any investigation within three business days. FINRA doesn’t get hyperspecific on any particular thing you must or mustn’t do within those three business days, but that shot clock starts running instantly once your computer gets the message from the other computer.

“Cindy didn’t check her mail because she was on vacation” is not a valid excuse. The brokerage gets only two options: validate (agree to) the request, or take exception to the request. Validation starts a second shot clock to actually complete the spreadsheet updates. It is not quite a no-takesies-backsies decision. True trapdoors are rare in finance. But reversing it is uncommon and unfun for all parties.

You cannot take exception simply because you feel like it. You must communicate one of twelve enumerated reasons. The general flavor of them is “that account has no assets in it”, “that account number doesn’t correspond to an account that exists in this universe”, “the person who you claim has authorized this transfer doesn’t own that account”, etc.

Questions about title, about who really owns the assets in an account, sound really simple to non-specialists who are mostly familiar with individual accounts. John owns the money in John’s accounts, right?

Hah, hah, hah.

The “edge cases” cover trillions of dollars.

John and Mary just divorced and while the account records reflect John as sole owner, the divorce decree says Mary owns half of the account. Your blockchain disagrees with an Article III judge? Then your blockchain is wrong. Fix your blockchain.

These determinations are fact-intensive and, again, are not necessarily obvious to either brokerage or even to the account owner themselves. John very likely thinks he owns his own money and may even think that in a sincere and innocent fashion. The brokerage doesn’t have actual possession of a divorce decree and very likely has no actual knowledge of a contemplated divorce. It doesn’t matter.

Tick tock tick tock. FINRA doesn’t care. The orderly operation of capitalism must go on, private tragedies notwithstanding, and your brokerage must make a determination before three business days are up. Validate or take exception. Those are your only two options.

Now let’s superimpose another difficult reality on this one: brokerages will, in the ordinary course of business, spend long periods of time happily having no real communication with their customers. Oh sure, their customer will receive account statements, and they might even place trades, but the last time a human talked to another human was… early in the 2010s?

Ping, ping, incoming message from ACATS. John purportedly wants to move his assets. The shot clock has begun. You have three business days.

Does the phone number on file from 2004 still work for John? FINRA doesn’t care. Does John still use AOL? FINRA doesn’t care. Can the United States Postal Service successfully put a piece of paper in John’s hand within three business days? FINRA doesn’t care. Will John pick up the phone for an unknown caller attempting to reach him on a matter of urgency? FINRA doesn’t care. Is John in the hospital on his deathbed? FINRA doesn’t care.

Brokerages are broadly competent and they know all of this. They know they cannot, at scale, successfully verify all of the transfers for all of the customers. And so they make a business decision to not contact customers for most transfers by count and reserve extraordinary efforts for contacting only very important customers, who might be most transfers by volume of assets.

The brokerage will absolutely not phrase this as “We don’t verify outgoing transfers.” They will check, and check most diligently, that the account number claimed is the account number, that the name matches the name on file, etc. And their Operations team understands that sometimes names do not match and that is OK, and sometimes it means Nope That’s A Specially Enumerated Exception Right There.

Sometimes they will look at the signature card, because everyone enjoys live action roleplaying occasionally. If John cannot in 2024 reproduce his signature from 2004, I have an epic non-surprise for you: FINRA doesn’t care. But, hey, it is the culture of the United States that financial institutions and expert witnesses in court sometimes do forensic analysis. Do we believe it is possible to compare signatures and gain useful information? Do we believe in the tooth fairy? Yes in some ways and no in others. We take no important decisions premised mostly on belief in the tooth fairy. And, again, “/s/ John Q. Public” is a normal and accepted way to represent John’s consent to move assets.

Small account transfers with paperwork that has no glaring errors will be approved in the ordinary course. Sometimes those transfers will be fraudulent. Brokerages defrauded in this fashion will be annoyed, but not surprised, because they are competent financial institutions. They understand that the optimal amount of fraud is not zero.

So what, ultimately, is a brokerage relying upon when it sends money to /s/ John Q. Public? It is relying on chained trust in a community of practice, and on a web of contracts, and on a business decision, all at once.

And that means that if a bad guy can convince any brokerage in the U.S. that it is John, the bad guy can fairly reliably cause movement of all of John’s financial assets.

Recent developments in ACATS fraud

You can probably guess the shape of the attack.

Get a copy of John’s ID from, perhaps, a vendor specializing in “fullz” on the Dark Web. Figure out where John keeps his accounts by e.g. just guessing that it might be one of the places where 80% of Americans with assets keep their retirement accounts. Open up an app, tap tap tap, request to move “your” assets to “your” new account. And then lie about being John while telling some truths you know about John.

Now, wait five to seven business days.

Congrats, John’s assets now appear to be in “your” brokerage account. Your brokerage is in the business of giving you access to “your” money swiftly when you want it. Now would be a great time to wire it out, take it out on that debit card connected to the account, place a trade which successfully transfers value to a confederate’s account, etc etc.

Five to seven business days is much more frequent than many Americans, even many wealthy Americans, check their brokerage accounts, and so the money may be spendable before any involved human realizes it has been taken improperly.

This is, obviously, super duper illegal. But in another sense it is just business. For you, as a criminal, this is Tuesday. And for brokerages, well, capitalism hopes they catch most people trying this.

Some brokerages have not successfully caught some people trying this. That is normal and expected. Some brokerages have not successfully caught a rather large number of people trying this.

That was a bit concerning. To FINRA, for example, which has a podcast episode about how it coordinated an industry-wide fact finding process to issue a pair of Reg Notices to let the industry know about this new Wild West of criminality and how to deal with it.

Now, the most sophisticated and competent brokerages already had large security teams working on this problem. But again, some brokerages aren’t nearly as large and well-resourced as a non-specialist might suspect.

Also, how to say this delicately: competence is unevenly distributed in the world. Sometimes this is wonderful; you can pick diamonds in the rough out on the Internet, who have no institutional backing but nonetheless achieve incredible results in deep areas of human endeavor. And sometimes the odd spike is in the other direction: a regulated institution has an important function headed up by a well-credentialed, impeccably pedigreed, speaks-at-conferences, well-liked-by-colleagues-and-friends individual who capitalism should not want in the chair they currently occupy.

A digression: It is considered very impolite in the U.S. professional managerial class to observe that a particular, named professional manager is incompetent at their job. An individual who makes a habit of it will be optimized out of decisionmaking processes featuring PMC members, which is… all decisionmaking processes, effectively. That deviant is ipso facto disruptive to orderly operations and also a bit of a career risk to be in the same room with. And so, even if you know someone to be incompetent, part of being an effective PMC class member in an executive position is to learn the approved euphemisms and rituals.

Anyhow, FINRA issued Reg Notices after a drawn out and somewhat ponderous process, for institutional reasons. They contain some mitigation recommendations that rhyme with “If a customer signs up for an account with you and doesn’t know where their brokerage account currently is, and sequentially asks you to transfer accounts at each of the top 10 brokerages in the U.S., perhaps you might want to look into that.”

When you phrase it like that, it might sound obvious. But for Seeing Like A Bank reasons, the actual screen in front of the actual operations professional who is actually making a the-shot-clock-is-ticking decision on John’s accounts might not display that “John” has recently made four ACATS requests that were each rejected for non-existence. One objective of the Reg Notices is activating a ponderous machine that will eventually get a technologist deep in the bowels in the least sexy part of a brokerage to fix that screen.

Should I be terrified, Patrick?

This is all normal and working as designed! Capitalism will function on Monday pretty much like it did on Friday! Your assets are safe in an eventually consistent sort of way; your brokerage will eventually come around to agreeing with your view on the matter, regardless of what their first communication says.

If you get mugged in San Francisco, society expresses sympathy, kinda, but you are never going to see your wallet again.

Finance. Does. Not. Work. This. Way.

If your brokerage makes a mistake with your assets, and they have before and will again make many mistakes, then they will make you whole. Financial institutions have capital for a reason. There is a budget for operating losses. There is a budget for fraud losses. The aggregate expenditure of effort by society in solving this problem greatly exceeds the aggregate expenditure of effort by society in solving muggings.

If your balance suddenly goes to zero in a surprising fashion, that will be very stressful for you but they are eventually good for it, with very high probability.

Some people hire a lawyer to resolve this and it’s just about the easiest letter for a lawyer to write: Here’s my best understanding of what my client owns. You think they own nothing. Fix this immediately or tell me in writing why you have decided not to. Lawsuits subsequent to fraudulent transfers and the brokerage deciding that, on reflection, no, they did the right thing are extremely uncommon, both in absolute numbers and as a percentage of all fraudulent transfers. But the nuclear option exists for those very, very, very few customers who need it to compel action.

Should we be satisfied with this? Probably not at the current margin.

Many people who own, and depend upon, assets are not competent enough to project manage the resolution pathway here, and may (largely wrongly) assume that they have been stolen from in a durable fashion. Some might come to this (mistaken) point of view because they talked to a front line customer service representative of the brokerage who, and this is aggravating but it will happen at least once today even in a regulated institution, just makes shit up rather than reading the Emergency Escalations list printed in their cubicle. Some might come to this (mistaken) point of view because their brokerage of choice is other-than-competent at answering utterly routine inquiries and instead they get their information about capitalism from the first person who replies on Reddit, who is not necessarily the custodian of Reddit’s best answer to the question.

Another fun wonky control

Brokerages control many accounts worth $20,000 and some accounts worth millions or much more. Frequently, the formal text of the rules will treat those accounts equivalently. Go read the rule if you have any doubt; there is no This User Is Rich exception anywhere in it. Three business days, FINRA doesn’t care.

One (optional!) control that some institutions use is called a “medallion guarantee”, and it’s a fascinating combination of a physical artifact and a contractual risk transfer.

The receiving institution, who may be ultimately liable (to an action from the transferring institution, to recover the assets they already re-bought for the customer out of their risk budget) for a fraudulent transfer, can optionally require a customer to get a “medallion” issued to move the risk to another institution. Hilariously, that institution can in principle be totally uninvolved.

What is a medallion? A piece of paper that has a number on it and represents a promise. In brief form, that promise is “I, a financial institution who is absolutely good for this guarantee, warrant that I know this to be John. The paper attached to this medallion is authorized by John; he told me so. And if I was wrong, and I am not wrong, I will no-muss no-fuss reimburse you up to $_______.”

So John, when he tells a new company that he would like to move in about $1 million, might get asked to go get a $1 million medallion.

You might think this rhymes with notary services and it rhymes with insurance. All institutions involved will claim it is absolutely not notarization (a state function delegated to private individuals, who are almost universally not good for a million dollars if they screw up) and it is absolutely not insurance (a regulated industry).

Also, medallions are generally free. That surprises people, particularly people who model them as specialized insurance contracts.

The thresholds at which institutions request a medallion vary based on their own policies, but you might reasonably expect $500,000 or $1 million to be important thresholds. If you have an account with a million dollars in it, anywhere, your bank very probably loves you and wants you to be happy. Want a coffee? Stop by any time, they will happily give you a coffee. Charge for the coffee? Laughable. Oh you need an admissible proof of identity for a very wonky financial industry operations issue? Happy to oblige, sir, we are here for any of your diverse financial needs. Can I get you a coffee while you wait.

Yes, the bank is taking risk when issuing a medallion. But it’s a tiny, tiny, tiny risk from their perspective, which insulates the receiving company from a huge risk. The bank has many years of history over which they’ve become thoroughly convinced that John is John. The receiving institution has somebody claiming to be John who spent six minutes filling out an onboarding form in a mobile app. And so the largest firms in capitalism somewhere have a spreadsheet for how much they spent on medallions, much like they can (with difficulty) come up with a pretty exact number for how much they spent on toilet paper.

Toilet paper is substantially more expensive in aggregate even though no individual square of toilet paper has ever caused a $1 million wire.

And, thus, medallions. Most Americans will never see one in their lives. The typical mass affluent user is most likely to see one precisely once, right around retirement age, when e.g. moving their 401k to a new custodian.

But if you’re reading Bits about Money, you are much more likely to get asked for this quaint ritual than the population is at large, and now you know why. And perhaps you won’t be as frustrated as the typical person asked for a medallion, who fumes “Why do I have to walk into a bank just to get them to write ‘Yeah that’s John’ on a piece of paper? Everyone knows I’m John. My drivers license says I’m John. I already gave that to the brokerage. I swear, the entire financial industry is staffed by incompetents.”

A final ACATS story

Once upon a time there was a financial technologist.

He made it his routine practice to buy just a few shares of every bank he worked with. This was not to make money, it was so that he could write a letter to Investor Relations if there was ever an issue he needed to escalate out of Customer Service purgatory. Investor Relations is highly placed in the org chart of banks and does not relish telling Investors they Relate to that their princess is in another castle.

Some time later, that customer caused another financial institution to ACATS out some assets, including the shares of that bank. Unfortunately, that bank had in the interim had a spot of trouble, and their stock had ended up on a "penny stock" list.

Many large, competent financial institutions have a rule about penny stocks, and it rounds to "absolutely not." And so the financial institution objected to its customer, claiming that it could not process the ACATS request, because it contained a trivial amount of equity in a bank.

In a bit of potent irony, the objecting financial institution owned the bank it objected to holding equity in.

Sometimes, the behavior of a financial institution in the moment looks insane. Often, if you play back history, the insanity is explicable as emerging from individually reasonable actions by several separate parties with only a partial view of the facts.

And, of course, playing history forward, this was trivially resolved. Just another day at the office.

钱包业务

2024-05-01 06:00:00

The business of wallets

One of the best series of credit card commercials was the now-classic Capital One “What’s in your wallet?”, which reimagined the user as either an observer of or participant in family-friendly Viking raids. That always felt a bit on the nose for me given Capital One’s traditional market focus, but be that as it may, it’s one of my strongest associations with the word “wallet.”

Many of my contemporaries and younger users no longer carry a physical leather or plastic wallet, to hold their identification, cards, and cash. All of these either live directly on their cell phone or, in some cases, hang out in its case. But industry saw that transition coming a long time ago, and vied to get the most valuable bits about money onto electronic systems in an enduring manner. It called the customer-presenting elements of those systems “electronic wallets”, which quickly got shortened to “wallets.” Usage of this term has bounced around over the years as various product teams have tried to one-up their competitors or emphasize that the thing they are doing is merely wallet-adjacent or a superset of wallet functionality. Be that as it may, it’s useful to look around the world and say “Yeah, someone definitely pitched that as a wallet.”

In 2024, I feel I have to add a clarification that a while ago the crypto folks repurposed the word “wallet” to mean “a collection of private keys controlled by a single entity” and then “the software artifact which, given an instruction to move money from A to B, would assemble that money from separately kept accounts corresponding to a list of private keys and send the relevant crypto network a candidate transaction for inclusion in the blockchain that would eventually move money from A to B.” These are not the sorts of wallets under discussion. For crypto enthusiasts, I’ll mention that it is instructive to contrast how crypto wallets (definition #2) make money versus how these wallets make money.

One more disclaimer: I previously worked at, and am currently an advisor to, Stripe. Stripe does not necessarily endorse what I write in my personal spaces. Stripe also has a product (Link) which looks quite a bit like a wallet if you squint a bit.

The big question about wallets

Frequently in finance and the technology surrounding it, relatively small questions swing huge doors about e.g. regulatory and partner complexity for bringing something to market. The small question with large implications about wallets is “Can it hold a balance of actual money?” If it holds actual money, that starts looking to regulators an awful lot like a deposit product.

Regulators strongly prefer that deposits stay within the regulated banking sector. The single largest reason is that they’re worried that households’ immediately accessible stored funds stay safe and accessible. A major follow-up reason, less understood by non-specialists, is that regulated banks are bound to a long list of consumer protection items on the transaction level, not the institution level. A lot of the abuse in the economy happens in $50 and $5,000 increments, rather than multi-billion dollar increments. Regulators sleep happier knowing that this abuse happens at companies with teams of operators standing. Those operators will groan and chalk a disputed transaction, instance of fraud, or glitch in the matrix up to the operational losses budget rather than sticking a user with it.

Wallets show up early in the life of the Internet

The granddaddy of wallets was Paypal. In the early days of Internet commerce, nearly 30 years ago, many users were askance about typing their credit card details online. (In some countries, this would have been their banking details. The physical capability to pay with banking details lagged cards so hard in places like the U.S. and Japan that online commerce became synonymous with card use early. This persisted for decades, though it is no longer strictly true.)

Younger users may not appreciate this, but there were front-page-of-the-newspaper (... newspapers used to have paper pages, one of them was considered most important, it was a different time…) stories that scared large parts of the population that if you typed your credit card number into any keyboard it would be stolen by hackers. There was a purported raft of fake e-commerce sites where bad guys would spend millions of dollars to create convincing facsimiles of real e-commerce sites, just to steal your credit card details. This was probably never actually a major threat by percentage of all stolen cards, not when these articles were written or afterwards, but this would not be the first or last time that the media convinced itself of an untruth and then was unable to find an industry insider to leak them a SQL query dispelling their fantasies. (The largest source of purloined credit card information is scaled breaches of card issuers or companies that were legitimately presented hundreds of thousands or millions of cards in commerce. Organized crime does not outscale capitalism; the threat is when it gets to piggyback illegitimately on capitalism.)

And so that was the initial value proposition of Paypal: convey money from your own payment instruments to others on the Internet (by volume, mostly eBay auction sellers) without needing to show those potential devious hackers your actual credit card number. That way, your exposure was upper-bounded at the single transaction in progress, and hopefully Paypal or your bank could intervene if something went wrong.

But then the eBay seller ended up with money… and what were they to do with it?

Stocks, flows, and whatever the heck a wallet is

There are classically two ways to make money in financial product innovation: you charge the customer for stocks, an ongoing and often percentage-based fee to custody their assets for an arbitrarily long time, or you charge them for flows, a per-instance and sometimes scaling-with-size fee on transactions specifically. Very frequently, from the perspective of a single user, stocks are priced and flows are free, or vice versa. In the basic bank account, stocks are priced (via the interest rate spread on deposits) but transactions are free or close to it. In credit card processing for businesses, stocks are free-ish but flows (incoming transactions from customers) are priced.

So do wallets with embedded cash make money from stocks or flows? Yes.

The enduring genius of Paypal’s wallet money was that moving money into Paypal’s ecosystem cost a substantial amount of money, via card interchange. Paypal would try to set their pricing, historically about 2.9% plus about 30 cents, such that it was above most interchange fees they’d eat moving money into the system. Then they would strongly encourage users to keep that balance within PayPal. This was natural for many casual eBay sellers: they were buyers as well, rather than being professional antique dealers, and leaving their Internet money somewhere on the Internet until they next needed money on the Internet worked out fine.

When a customer did the next transaction, paying from their Paypal balance to another Paypal user, the money moved internally at the speed and cost of a database transaction: approximately instantaneously and too-cheap-to-meter. And then Paypal would try, with varying levels of success, to charge the full 2.9% plus 30 cents, this time making 290 bps of margin rather than 80-120 bps or so of margin.

Supercharging the margin possibilities by disintermediating the card ecosystems is the primary economic advantage of wallets capable of holding balances. I bolded that for emphasis because non-specialists routinely assume that the thing that looks like a bank deposit, and might actually be a bank deposit under the hood, must earn revenue in the same way that bank deposits earn revenue, via net interest margin. It does and in high-interest environments, like the one we’re currently living in (at least in the U.S.), this is lucrative. Paypal earned nearly $500 million in interest on customer balances last year, per their 2023 annual report. Most of that is very high margin revenue, but it is not the ballgame. The real prize is having vastly better economics on the transactions.

It’s easy to see this when you zoom into the economics of a single account. Paypal claims accounts on average have about 40 transactions per year. I think, ahem, that that includes some strategic ambiguity between personal and corporate accounts, but let’s assume a typical consumer might carry $200 in balance and do 10 transactions each about $40 per year. So that’s something like $10 of margin from net interest and either about, oh, $1 of margin from transactions if transactions are funded with the most expensive credit cards or about $15 of transaction margin if they’re just repeatedly funded by the Paypal balance.

And thus a subtlety: how do you do $400 in transactions out of a $200 balance without extending credit? You convince the consumer to let you top up their balance via an ACH pull or similar method, which (unlike card transactions) is very close to free.

What does an ACH pull cost?

The cost of an ACH pull… depends on a lot of things, like your negotiating savvy and volume. But if you were to guess “maybe it costs 5 cents when you’re buying hundreds of millions of them”, you would be in the ballpark.

If you quickly check what your payment processor of choice charges businesses to do their own ACH pulls, you will get quoted a number closer to e.g. 30 cents. This should not surprise you; payment providers are in the business of earning margin on underlying payment rails in the same way that Coca Cola is in the business of earning margin on combinations of water, carbon dioxide, and corn derivatives. You can’t just pay Coke for the corn and call it a day. Coke also structurally gets much better prices on corn than you do, because you buy a few ears of corn from the supermarket and Coke buys the agricultural output of Iowa.

Many Bits about Money readers live in nations where interbank transfers do not go over ACH rails and so mea maxima culpa for the above provincialism. In your nation, as well, interbank transfers are broadly speaking much less expensive than most card transactions.

… Unless you live in Japan, in which case your friendly local fintech product innovators could really talk your ear off about shenanigans to decrease their money movement costs to support wallet operations. One example: “If it costs almost 200 yen to move money between banks but moving money inside a single bank is much closer to free, could we not simply establish a bank account at the top ten banks or so, covering more than 80% of our transaction volume, and then move money between our own corporate accounts daily at relatively low one-off cost then settle consumer transactions via same-bank close-to-free ledger transactions?” Which would be a somewhat sharp-elbowed thing for a salaryman to do to his bank.

Extensions on the basic wallet model

So that describes the basic business of a wallet with cash management: move money into the ecosystem at high cost to the wallet provider, move it within the ecosystem at nearly zero cost to the wallet provider, move it out of the ecosystem at very low costs, and charge customers primarily for each instance of moving money.

After you’ve been doing this for a few years, your product teams will start to clamor that they have some attractive ideas which will make your wallet stickier with users, encourage your best customers to move more of their transactions to your wallet, and decrease your payment costs. They’ll also sometimes make you incidental revenue.

What’s in your wallet? A new debit card!

The first option is going to be making a debit card backed by the wallet balance, with the card issued by a banking partner that (in the U.S.) is certain to be a Durbin-exempt institution. This is an obvious no-brainer, your product team will tell you. Currently, when your users want to get money out of the ecosystem to e.g. their bank accounts, you pay money. Why not earn money instead? Get a co-branded debit card offering and your banking partner will provide you a revenue share on every transaction out. (How much is something of a trade secret, but if you were thinking somewhere in the 100 bps ballpark, you’d be close enough to interview as a PM at a fintech company.)

Cash App is, if you squint, a wallet. Block product managers would probably heavily dispute this characterization and say, truthfully, that their core user feels like they’re using Cash App rather than using their linked Bank of America debit card when they are paying with Cash App. But economically, it looks an awful lot like a wallet. And Cash App has morally speaking a debit card (currently described as a prepaid card, the distinction between which doubtlessly caused many, many meetings at Block and Sutton Bank) which Cash App users can use anywhere in the economy that doesn’t take Cash App directly. Each time they do, Sutton Bank earns a swipe fee, a portion of which becomes Cash App transaction revenue you could read about in Block’s 2023 annual report. You can reasonably assume these payments are a very large chunk of their $498 million in revenue in that segment.

Monetizing payouts from wallets

But wait there is more! Sometimes there is money inside of your ecosystem that users need taken out in a hurry. A common Cash App use case is texting your buddy to ask them to spot you $20, or asking your roommate to send you their fraction of the rent. You might need to very quickly convert those few hundreds dollars into the kind of electronic money that doesn’t get shoutouts in rap songs. Cash App will facilitate you doing this, for 0.5-1.75% with a 25 cent minimum depending on exactly what rails you need the money to go over.

For example, if your landlord requires you to pay rent via Zelle or a check, you might want to fairly urgently send money to your account at Bank of America, which can do both Zelle and checks. There are two ways to do this: via an ACH push payment to BoA, which would typically arrive in a few days, or via a quirky form of “reversing a transaction that never happened” on your BoA debit card, which arrives almost instantly.

If I were a betting man, I’d bet that Cash App charges 0.5% (25 cent minimum) if they push over the cheaper ACH rails and 1.75% (25 cent minimum) over the more expensive debit card rails. I tried to test this with a $50 instant withdrawal (called an “instant deposit” by Cash App, and I’d love to have been a fly on the wall at that meeting) on an account connected to a Capital One debit card and a Chase checking account. Without asking me for further details or telling me how it would route, Cash App quoted 88 cents (about 1.75%), sent it to Capital One, and delivered in an almost instant fashion as promised. I assume users with multiple bank accounts attached are an edge case, because I like to be an optimist, but in the long history of finance some teams have been known to pick which of two options maximizes their own revenue.

What’s in your wallet? A new credit card!

But wait there is more! Why only let your users spend the money they already have, when you could get them to spend money they might not already have! You should have a co-branded credit card offering. You will not issue a credit card, no no no, Legal has explained multiple times at considerable length that regulators consider issuance of consumer credit to be an exclusive domain of the regulated financial sector. You will partner with a member of that august community and they will issue the cards, which will simply have your name on them.

Why do you want to do this? One reason is it lets customers spend money which does not exist in your ecosystem, in your ecosystem, and instead of paying to move money into your ecosystem you will get paid coming and going. The user charges money to their card (which your co-branding partner will pay you a fee for) and then it moves to some business through you (earning you another fee). You are also highly likely to get another success fee for every card account you successfully open (possibly after some de minimis level of spending on it), which you might use to incentivize users opening cards, might keep for yourself, or might split to do both.

See, for example, the Venmo card. Card issuers are getting more sophisticated in how they differentiate in offers, which possibly causes Paypal (Venmo’s parent) to get more sophisticated in how they make offers, and so it is possible not all readers will see the same offer. But on my phone, Venmo is willing to pay me $200 if I apply in next 2 weeks and spend $1,000 in the next six months. One could construct a range of per-account and usage-based payments from Synchrony Bank to Paypal which makes this immediately incentive compatible for Paypal. (As we have previously covered, it is not the case that it needs to be immediately incentive compatible. The marketing operations of financial services companies are sophisticated and model customer acquisition costs over portfolios, and some accounts being negative margin contributive is not a problem if the portfolio is sufficiently positive.)

Now a fun thing about negotiating issuing relationships: everyone and their dog will, at this point, say that they have Alternative Data™ with Big Data™ levels of transaction history which will allow the issuing bank to underwrite heavy users of the wallet better than they can their typical prospect. Spoiler: this won’t actually end up mattering for credit decisions. FICO scores are unreasonably effective. Many, many, many teams have thought “I bet I can get better loss rates if I supplement FICO scores with another data source”, and just about the only data sources for which that is actually true are illegal to use. (You can improve on FICO if you add zip codes… and a junior data analyst who puts zip codes in a spreadsheet to make predictions will be told by Compliance that they need to understand what redlining is if they ever hope to make senior data analyst.)

The big win on loss rates isn’t the additive data that the wallet has. It is negotiated terms between the wallet provider and the card issuer. The card issuer is not interested in individual consumers’ decisions to pay or skip on debts. They are emotionally unaffected by a single instance of identity fraud. No, the issuer is attempting to buy a portfolio from the wallet provider, and they will negotiate about that portfolio.

A fairly common term is “Across all accounts we issue on the co-branded card, we model a certain loss percentage. Now we’re going to construct a graph. If you slightly underperform that loss percentage, we’re going to cut out payouts to you a bit. If you greatly underperform that loss percentage, we’re going to cut them by more. And if you somehow have an absurdly fraudulent user base which nonetheless makes it past our own underwriting, we will demand a payment from you.”

And indeed, if you read Paypal’s 2023 10-K, you will find many scintillating paragraphs like:

Consumers that have outstanding loans and interest receivable due to our partner institution may experience hardships that result in losses recognized by the partner institution, which may result in a decrease in our revenue share earned in future periods. In the event the overall return on the PayPal branded credit programs funded by the partner institution does not meet a minimum rate of return (“minimum return threshold”) in a particular quarter, our revenue share for that period would be zero. Further, in the event the overall return on the PayPal branded credit programs managed by the partner institution does not meet the minimum return threshold as measured over four consecutive quarters and in the following quarter, we would be required to make a payment to the partner institution, subject to certain limitations. Through December 31, 2023, the overall return on the PayPal branded credit programs funded by the partner institution exceeded the minimum return threshold.

Translation: No worries, Paypal and their card issuing partner financial institution are mutually happy with the performance of the portfolio.

Put the wallet on the phone already!

Many wallets exist these days as apps on your phone, but of course phone makers have realized that the phone has replaced the leather wallet, and consider the walletness of the phone to be as core a product feature as niche use cases like making phone calls.

And so two very, very successful wallets are Apple’s wallet, which is more or less coextensive with Apple Pay (my apologies to some people in Cupertino who would argue that point), whatever Google calls their wallet this week, and Samsung Pay.

We have previously covered that one thing the payments industry charges businesses for is delivering high-spending customers who will use their plastic/etc to spend more and spend more frequently. Apple’s pitch to banks is, essentially: “OK, you might buy that many well-heeled users like their American Express card. That certainly sounds reasonable. Do they spend hours stroking their American Express card lovingly? Do they bring it out to gaze upon as they sit on the toilet? No? OK, we think they care about our plastic-and-glass artifact much more than they do about Amex’s plastic-and-glass artifact then. But good news. We can digitize your thing that users yawn about on the thing that they love, and then it will outcompete all the other payment methods because it is not in their wallet, it is in the palm of their hand basically all of their waking hours.”

This was pretty contentious, but banks agreed to pay Apple for the privilege of inclusion in this wallet. Partially this was because Apple might have said something rhyming with “If you don’t do this, we will find a two-sided payment network willing to do business with us. If we can’t find them, we will build it, and people will use it, because they like us more than they like you.”

Apple has been publicly reported to make 15 bps on each transaction which goes over Apple Pay. Google reportedly doesn’t make anything for intermediating transactions, which if you believe it might suggest something about the relative executional capabilities of Apple and Google on non-core products.

That smells like an ads business

Many, many scaled Internet firms have looked at the above economic models and decided to jump into the wallet business. The economics are extremely compelling and they are additive to almost any business which already needs to move money around on behalf of users.

This has occasioned some laughter with how they compete against each other:

The business of wallets

You’ll note that not all of these are wallets, but after you have a wallet, and you have relationships with transacting businesses, it is very natural to add a checkout experience.

Now put on your consumer Internet product manager hat.

Here we have a number of different firms vying for the attention of a user, where the experience between those firms all leads to essentially the same outcome (the user bought the good/service for a price from the business), where there might be a bit of user preference, but where many users are highly persuadable.

Do you know what a good consumer Internet product manager will say at this point? “This smells like an ads business. Do you have any idea how much money ads businesses make? It’s absurd.”

Now if you’re a product manager who prioritizes the outcomes of the transacting businesses you represent, you might have a prioritization algorithm other than “who paid me the most for placement.” For example, if you were a business choosing your own ordering of those providers, you might say “I really prefer to maximize net margin rather than simply maximizing the side payment. I am in business to sell things to people for money, after all, and this checkout page is only incidental to that. I have a team of people who optimize my website to sell more things to more people for money. I should kick this question to them.”

Surprising almost everyone, almost no business below the scale of the largest businesses in the world, and few enough of them, actually has a team of people who run experiments on their checkout flow to optimize for conversion rates (percentage of people who successfully check out). This was dumbstriking to my colleagues at Stripe when I told them it and then they went on to hear “Oh great idea but those people don’t exist so yeah not doing it right now maybe next year” from some of the biggest names in capitalism, for many consecutive years.

So Stripe took advantage of rendering the checkout flow for very, very many customers in parallel and introduced dynamic optimization of presentation of payment methods (including wallets) at checkout. This takes advantage of previous user preference in various geographies, so that e.g. people transacting in America get prompted for cards like they probably expect and people transacting in Japan see both cards but also popular Japanese payment methods. The conversion rate impact is… much larger than many people guessed prior to doing it. It was so large that Stripe built out tooling to let businesses fine-tune availability of payment methods if they think they understand their customers better than the learning machines will guess at.

Speaking of Stripe and wallets…

I’d be hiding the ball a bit if I didn’t mention that Stripe has a wallet-adjacent offering called Link. (Stripe describes it as a “fast-checkout solution.”) Let me reiterate that Stripe does not necessarily endorse what I say in my personal spaces.

Most wallets are designed to make the wallet provider money via various revenue streams. (No judgment here! Building things people love and charging indirectly for them is a legitimate way to earn a living!) Link is designed to convert very, very well, and to get networks effects for businesses. You can see it in action if you’re curious, but if you’re a regular reader probabilistically I think you have already seen it just transacting on the Internet. Link converts very well, and you'll understand why when you see how quick checkout is the second time you encounter it.

A business can allow customers who start a checkout with them sharing identifying information like e.g. email address or phone number to quickly reuse payment credentials that they Link-ed in a previous transaction at that business or another business using Link. Since that is a pretty sizable fraction of all businesses using Stripe, the user attempting to transact is highly likely to have used a currently-available payment method before that Link knows about, which allows them to re-use it without having to do anything barbaric like fish out a piece of plastic and redundantly type numbers on a telephone.

A fun bit of ancient history: once someone was visiting the Stripe Tokyo office shortly after I joined, and I wanted to show off that I had figured out how to query an internal data store, so I said “What’s your over/under on the percentage of cards used this year that we have seen before?” That number was pretty mindboggling even in 2016, and an obviously good marketing point. I chuckle a bit every time I see it (or its descendants) quoted. I have left, but some descendant of that SQL query will probably keep getting run until it asymptotes near 100%.

Link is a product born out of a similar realization: if the user has typed in their card/etc details once, and if they’re OK with it, they should be allowed to redundantly type those as infrequently as possible. This is an obvious user experience win. Businesses should like it, too, to the extent it outconverts other ways of presenting checkout, which Stripe is (on their behalf) dynamically measuring all of the time. Stripe likes it because improvements to conversion rate at the margin means Stripe gets to charge its fees on more transactions.

Now you can probably imagine another good business rationale: Stripe’s two largest costs are a) smart people and b) card interchange. One of these is fun to cut.

Many customers have strong preferences about how they conduct transactions. They might e.g. really like their credit card rewards. For those users, sure, let them do the thing they want to do.

For other users who do not have strong preferences, perhaps because they are not in the socioeconomic strata that directly benefits from rewards programs, you can have businesses that are sensitive to the cost of interchange subsidize an incentive for typing a low-cost payments credential into a mobile phone once. That business might have repeat custom with those users, and recoup that incentive over lowering their payments cost on many, many transactions over months or years.

Think, for example, a ride sharing service. The core customer rides twice a day, every weekday, for arbitrarily long periods of time, and every time the business charges them they pay the issuing bank again for making the acquaintance of that customer. If the ridesharing business could convince the customer to pay with their bank account instead, that would be beneficial enough over the term of that relationship that the ridesharing business could directly pay for that simple one-time action.

Then, the next time that rider goes to check out at another business, if they have agreed to save that payment method to Link… that business passively benefits from lower payment costs.

In essence, it’s a scaled renegotiation between the businesses that ultimately pay for payments and the providers of payment services: we understand the logic that we pay more for customers that really love you. If they really love you, great, you won their hearts and will clearly continue to win their business. If on the other hand your customer perceives your service as commoditized… then we will buy payment services from a commodity provider of them.

The price of payment services is a contentious topic between businesses and the businesses that operate payment rails. There has been substantial litigation about credit card interchange fees in the U.S., for example. We’ll have to go into detail about it some other time.

As one tiny piece of that, Walmart has opposed a settlement, because Walmart explained to the judge that it has the economic heft to negotiate serially with e.g. the largest 20 banks in the U.S. on interchange and would do so if Visa and Mastercard got out of the way. I take no particular position on the merits, but most companies do not have nearly the scale of Walmart or the operational capability to pick up the phone and do months-long bespoke negotiations with one bank, to say nothing of 20 of them. Walmart makes this point at length to the judge; they don't want the deal most companies will get.

But why shouldn't the Internet get the deal the Internet could negotiate, if the Internet was capable of negotiating on its own behalf? Stripe, as a side effect of a wallet-like product, enables a distributed, techno-social renegotiation of payment costs on behalf of the Internet. It's even aesthetically Internet; it's not a single big bang negotiation ratified by a judge, but rather the aggregate of millions of individual purely voluntary decisions interacting with each other. This brings a large number of small-to-huge businesses, and the customers using them, to a side of the table. And given that side of the table represents something like a percent of global GDP, it might get listened to.