Fraud levels are a policy choice
I'm doing a bit of an experiment with Complex Systems this week. I also write Bits about Money, a biweekly-to-monthly newsletter about the intersection of finance and technology. I'm doing a reading of one of my favorite essays, The optimal amount of fraud is non-zero, with extensive live commentary. I expect to continue to experiment with the format in some episodes in December, while also having some of the more typical interview-style episodes.
[Patrick notes: Commentary which I'm adding after the recording was done is set out like this. The transcription of my live remarks is partly by myself and partly AI-assisted. As always, I try to preserve my voice in writing while making it read well, in preference to exactly reproducing what I said.]
Sponsors
Support proven charities that deliver measurable results and learn how to maximize your charitable impact with GiveWell. Go to givewell.org (and type in "Complex Systems" at checkout).
Check is the leading payroll infrastructure provider and pioneer of embedded payroll. Check makes it easy for any SaaS platform to build a payroll business, and already powers 60+ popular platforms. Head to checkhq.com/complex and tell them patio11 sent you.
Timestamps
(00:00) Intro
(00:32) Origins of the essay and Dan Davies' influence
(02:16) Fraud is a policy choice
(04:56) The unique nature of fraud enforcement
(07:54) Who pays for payment fraud?
(12:55) Fraud as a necessary business expense
(21:13) Sponsors: GiveWell & Check
(27:43) Credit reports
(29:19) Anti fraud loops used in online commerce
(35:38) Different business tolerances for fraud
(37:20) High vs low margin fraud strategies
(41:40) Fraud in benefit systems and pandemic programs
(43:29) Taxes
(45:38) Fraud as an intended component
(51:55) Wrap
Transcript
Patrick McKenzie: Welcome to Complex Systems, where we discuss the technical, organizational, and human factors underpinning why the world works the way it does.
Hideho everybody, my name is Patrick McKenzie, better known as patio11 on the Internet. This December I'm going to do a few sort of experimental episodes and play with the format of Complex Systems a bit, just to try to keep things new and fresh and see what works for the audience. Today's episode has me solo.
I'm going to do a live read of one of my old essays, which is quite popular, and talk through some author's commentary of it. Before I introduce the essay, I'd like to say that the title of the essay was somewhat unknowingly lifted from Dan Davies, author of Lying for Money. Dan Davies, as you might know, was previously a guest of this podcast, and Lying for Money is one of my favorite nonfiction works of all time.
And in that book, which is largely about the nature, practice, and countermeasures against financial fraud, Dan writes this:
The way we might describe this is to say that fraud is an equilibrium quantity. We can't check up on everything, and we can't check up on nothing. So, one of the key decisions that an economy has to make is how much effort to spend on checking. This choice will determine the amount of fraud. And since checking costs money and trust is really productive, the optimal level of fraud is unlikely to be zero.
And so, sometime after reading this book, I somewhat unknowingly snowcloned this line into the title of the essay The Optimal Level of Fraud is Non-zero.
This ran in Bits about Money back in September of 2022, and has become my most quoted line of writing in the five million or so words that I've written. (Just try searching Twitter for “optimal level zero” to see many people’s citations and elaborations.)
And so I will read it and interject commentary along the way. [Patrick notes: The Marginal Revolution authors have a good system for when they’re adding commentary to a published piece but I presently have neither a convention nor an easy way to technically implement this. To distinguish the original text from the commentary, I will announce it with speaker headings when I change modes. You can, of course, just read the essay by itself if you find that less distracting, then flip to the comments where you like.]
Essay:
I was recently interviewed by NPR’s Planet Money (podcast, transcript) regarding a particular form of credit card fraud. One comment which tragically ended on the cutting room floor: "the optimal amount of fraud is greater than zero."
This is counterintuitive and sounds like it is trying a bit too hard to be clever. You should believe it.
Commentary:
Policy. There's a word. Often we use policy to refer to laws and bureaucracy, but it also sort of effervesces out from that, particularly in the financial industry. The Compliance departments of banks, for example, are also making policy decisions, both in that they're implementing their own internal bureaucracy, which is policy or policy-adjacent, but also because the internal bureaucracies are implementation arms for Policy policy. The Customer Identification Program and similar are a direct consequence of decisions which have been written into law and regulations by more formally democratically constituted actors in society.
One of the somewhat weird things about getting one's arms around the blob that is the government is that here is the classical government, the parts that we can identify from civics class and reading the Constitution, and then there are parts which are, well, very governmenty, but not quite that. The Financial Action Task Force, for example, is a semi-governmental institution (intergovernmental, if you want to get technical), but it promulgates things that all banks must deal with. When you can unilaterally establish standards for an industry, the question of whether you are truly the government or not is sort of moot.
[Patrick notes: I think many people would have a national sovereignty point to raise here, and FWIW I believe that to be a good point, but trust me when I say that the U.S. is not the nation that routinely gets the short end of the stick, even among FATF member nations as distinguished from those select non-members that FATF-domiciled banks must treat as high risk.]
Essay:
If you enjoy simulation games, you might be familiar with the mechanic where you click a button and some statistic in your civilization moves radically in response. In real life, cause and effect is more subtle, but this relationship exists, and there are (both historically and at this very moment) legal regimes which are radically different than your status quo, and which achieve(d) very different outcomes as a direct consequence of policy decisions.
Fraud is a policy choice
A glib way to phrase this is that crime is a policy choice, both definitionally (you could simply agree something was not a crime anymore and bam, crime down) and, more interestingly, because crime responds directly to things which are within your control. Most of the world has taken most of the easy policy choices which have few tradeoffs available! But there are still arbitrarily severe options to control crime from where you are, from “increase the police budget” to “ban alcohol totally” to “implement an Orwellian dystopia.”
Fraud is a unique subset of crime which occurs, to a major degree, subject to the enforcement efforts of non-state actors. A commanding majority of all fraud which is stopped, detected, adjudicated, and even punished (!) gets those done to it by one or more private sector actors. And the private sector has, in this case, policy decisions to make, which, like the public sector’s decisions, balance the undesirability of fraud against the desirability of social goods such as an open society, easy access to services, and (not least!) making money.
Commentary:
The unique nature of fraud enforcement
I believe this is a selectively understood mechanic. We understand it very well in the scholarly literature around, for example, certain forms of violence against women. [Patrick notes: If you’re not familiar with that literature, the short gloss is: certainly historically, and advocates would say continuing to the present day, forms of violence which would be crimes in other contexts are institutionally tolerated by the legal system. The police wouldn’t investigate, the DA wouldn’t prosecute, and the juries wouldn’t convict. And so something morally monstrous was, for most intents and purposes, not a crime, despite any number of words protesting that society really did care about the conduct.] But the scholarly literature about property client crimes is largely written by people who are pretty happy with the dynamic in certain cities in the United States, and so they are happy to say that “Crime is down!”, because look at the official statistics.
[Patrick notes: Can’t have a crime problem if you simply refuse to arrest or prosecute! Checkmate! … What do you mean we’re getting reamed on this issue in elections?!]
Essay:
Fraud is a unique subset of crime which occurs, to a major degree, subject to the enforcement efforts of non-state actors. A commanding majority of all fraud which is stopped, detected, adjudicated, and even punished (!) gets those done to it by one or more private sector actors. And the private sector has, in this case, policy decisions to make, which, like the public sector’s decisions, balance the undesirability of fraud against the desirability of social goods such as an open society, easy access to services, and (not least!) making money.
[Patrick notes: In part, this is because of the de facto decriminalization of property crime.]
Commentary:
The financial industry has various ways to punish fraud which are not reporting you to police. Credit scores are obviously one of them. In the actual practice of the financial industry in the United States, you can jackpot it for a couple thousand dollars. Straight up.
If you do that, you're [Patrick notes: mooooostly] not going to be offered credit again for a while. The credit you will be offered is going to have much worse terms. But as people have discovered, simply playing the low-trust card in a relatively high-trust society does actually pay. … At least for the first few iterations of the game.
[Patrick notes: Similarly, everyone in America has an opportunity to run stolen credit cards against a legitimate processor to attempt to take money from them. Once. Then you go into an industry-wide blacklist.
I do not recommend this, for reasons that should hopefully be obvious beyond speaking.]
One of the great things about credit scores as a technology is that they prevent the first iteration of the game from being the only iteration of the game, because they allow information sharing between financial institutions. This defends both against scaled fraud operations by sophisticated, organized crime and also the lower-grade ne’er-do-well who simply serially rips off every bank in town.
That happened quite frequently back in the day [Patrick notes: greatly exacerbated after the invention of the automobile and the increased mobility of Americans, which had many boons but destroyed local knowledge as a reliably available underwriting data source]. This helped to motivate the development of clearinghouses for fraud/credit risk information and, eventually, led to credit scores as a technology and discipline.
Scoping down to payments fraud
Essay:
To prevent this conversation from being painfully abstract, let’s scope it to one particular type of fraud against one particular type of actor: the bad guy steals a payment credential, like a credit card number, and uses it to extract valuable goods or services from a business. This is an extremely common fraud, costing the world something like $10 to $20 billion a year, and yet it is actually fairly constrained relative to all types of fraud.
This fraud is possible by design. The very best minds in government, the financial industry, the payments industry, and business have gotten together and decided that they want this fraud to be possible. That probably strikes you as an extraordinary claim, and yet it is true.
Before we get into the how, let’s get into the why.
Who pays for payments fraud?
Liability for payments fraud happens in a waterfall, established by a combination of regulation, contracts, and business practice. The specifics get complicated but, for ability to concretely visualize this, consider the case of consumer credit card users in the United States.
You might assume that, if a credit card is stolen/hacked and used by a bad actor to buy something, the cardholder would be liable. They will suffer the first loss, certainly, but society has decided by regulation (specifically, Regulation E) that that loss should flow to their financial institution, less a $50 I-can’t-believe-it’s-not-deductible. As a marketing decision, the U.S. financial industry virtually universally waives that $50.
The card issuer will, following the credit card brand’s rules (which developed in symbiosis with regulation), automatically seek recovery of the loss from the business’s payments processor. It will, similarly, automatically seek recovery of the loss from the business itself.
In the overwhelming majority of cases, that is where the waterfall ends. While insurance is available (both specialized chargeback insurance and general business insurance), overwhelmingly businesses simply absorb fraud costs in the same way that they absorb their office rent, staff salaries, and marketing expenses.
That $10 to $20 billion number we threw around earlier? This is what happens to it, in the ordinary course of business. This allocation of loss is mostly automatic, virtually never involves a court or lawyer, and only sometimes takes human effort at the margin at all.
If you've ever paid an interest rate for using your credit card, as I have and as you probably have, a portion of that was due to fraud and credit risk to the bank. (This is for those instances in which they can’t put the risk back on individual merchants.) It also covers the ongoing operational cost of staffing teams to pick up the pieces after someone does other-than-salubrious behavior.
On the business side, both the 2.9% plus 29 cents or whatever they're paying their credit card processor [Patrick notes: often called “interchange” though some people in industry will make a poindextery argument that some is “scheme fee”; I doubt many businesses care] and the payback (and fee) they get for periodic chargebacks are the price of being able to participate in a system with valuable customers that are at varying points along the spectrum of trustworthiness.
We'll talk about this later in the essay, but that's immensely valuable for businesses, and so they intentionally have a budget for this sort of thing. It's often not recognized explicitly as the reason they have that budget, but it is one of sort of the underlying structural reasons.
We could make other choices every time a business is defrauded. We could take it up with the local magistrate, hire a lawyer, do 18 months of legal process and pay $100,000 in fees. Over, say, a $80 typical e-commerce order.
Why don’t we do that?
One of the reasons the financial industry functions as a gigantic diversion program from the legal system is that the legal system is known to be extremely slow relative to, say, Internet speeds or business speeds. It is also extremely costly. And from a business's perspective, it is very non-deterministic.
We are a nation of laws. Those laws are mostly followed. That is great, but when you get down to individual transaction-level decisions, you have much more trust that your bank is going to do “the usual thing” with respect to a transaction, with dispatch, than you have that the legal system will do the usual thing.
Perhaps I'm a business that has operations across the United States, which includes a number of local polities, a number of local district attorneys, a number of, say, cultural preferences with regards to how much of their effort they put into remediating property crime.
[Patrick notes: Or, to put this another way, one reason to buy services from the financial industry and not from the government is that the financial industry finds the statement “stealing from businesses is wrong” to be straightforwardly uncontroversial. A business owner would need to put some thought into whether they trust your local police department or district attorney to have the same belief.
I apologize to non-American readers of this piece who believe I am spouting insanity. It has been an interesting few years in the United States.]
Commentary:
In this schema, a business might believe:
Fraud is going to happen to me all over the nation. While I think I have a pretty good prior assumption that in some places it will be punished rather severely, and the government will be on my side, in other places it might not be punished that severely at all, and perhaps I will be treated as a nuisance by the local police officers. Say what you will about the bank, but the bank does not consider me or anyone happily paying the 2.9% to be nuisances. They will happily deal with me tomorrow and the next day, versus the brushoff I expect to get if I go to the local police department and say “Excuse me, I’d like to report a theft of $75. Do you have a victim restitution fund or something?”
Fraud as a necessary business expense
Essay:
Pretend you are the newly hired Director of Fraud for Business, Inc. You know you are ultimately liable for most fraud that happens in this pattern. What target do you take to the CEO for how much fraud you should suffer?
Zero?! Do you think the Director of Marketing desires to spend zero on marketing!? That would be an objectively silly goal. They would clearly be fired and replaced with someone who understands marginal returns.
The marginal return of permitting fraud against you is plausibly greater than zero, and therefore, you should welcome greater than zero fraud. You can think of it as a necessary expense, just like rent or salary or advertising is. You can even write it off on your taxes. (Ask your accountant; businesses frequently misunderstand the rules here.)
Commentary:
Alright, since you asked, here is one geek’s understanding of the rules. Check with your friendly local tax professional for confirmation.
The thing businesses frequently misunderstand is you can write off fraud “casualty” losses, but one can only write off the basis rather than the sticker price of the items which you lost to fraud.
And so, in the stylized case where a business ships an item to a customer and then loses a chargeback for fraud, that business can write off: a) the exact amount of the chargeback (a deduction against revenue), b) the chargeback processing fee, and c) the basis in the lost inventory.
But, talk to your accountants. I'm not an accountant and I'm not your accountant. [Patrick notes: One of my great disappointments with the world is that, even if I were an accountant, I would be forced to give disclaimers about saying true things about accountancy online, due to the distinction between accounting information (anyone can distribute it) and practicing accounting (we won’t even let accountants do that, by default).]
Essay:
The reason for this is that Directors of Fraud are aware that the policy choices available to them impact the user experience of fraudsters and legitimate users alike. They want to choose policies which balance the tradeoff of lowering fraud against the ease for legitimate users to transact.
Costs and benefits of policy choices around trust
Essay:
Maybe the frame of talking about fraud predisposes people to view the space of choices here negatively. Here’s an equivalent function with different emotional valence: how much do you trust people, and under what circumstances?
All fraud is a) an abuse of trust causing b) monetary losses for the defrauded and c) monetary gain for the fraudster. You could zero fraud by never trusting anyone in any circumstance.
Trust, though, is an immensely socially useful technology. Human civilization has a fundamental limitation in that all humans can be trivially killed while sleeping. Huge portions of society’s efforts go toward establishing conditions where this trivial vulnerability virtually never gets exploited. God has, reportedly, closed all bug reports claiming that it is a feature and won’t be patched any time soon.
Anyhow, trust is also fundamental in commerce, where it’s a layered concept, with different people having different levels of trust in different situations. To increase trust generally tends to frontload the cost to generate that trust, and decrease transactional friction afterwards. You trust your accountant more than most regular employees, you trust your employees more than your customers, you trust your customers more than a person you’ve never met, etc.
This cost falls on both parties in a trust relationship. To employ an accountant, you (the business) need to identify and interview several prospective accountants and employ one winner for years, and you (the accountant) need to have spent years of your life to get a professional credential and then to have worked your entire career to demonstrate yourself worthy of trust. This is one reason why accountants are routinely trusted with the holiest-of-holies secrets of companies and governments.
Clearly, e-commerce would cease if, prior to buying a pair of sneakers online, you required someone to go to that degree of effort. You’d almost never lose a pair of sneakers to a fraudster again, but you’d also sell very few sneakers.
Commentary:
This causes a fun iterated game within companies and between them and adversaries. One version of it is that you, as a company, should expose a first-time transaction with a user to more countermeasures and more scrutiny than you would to an Nth-time transaction. But you probably shouldn't turn off first-time transactions. You have large staffs of people in multiple departments whose only job is getting first-time transactions!
New revenue sources are extremely important, both for the general health of the business and also because it is a metric specifically looked at by shareholders and other stakeholders. So there exists some tension here.
There also exist downstream consequences. Account takeovers, where the bad guys somehow gain access to a legitimate user’s seasoned account, are relatively more dangerous than similarly resourced frauds which use identities that simply walk through your front door.
The reason is you will have formal or informal ways in which someone who has been successfully doing business with you for 10 years is quite trusted. If they put in an order for $100,000 after they've transacted several million dollars with you over 10 years, you would naturally feel, “Oh, you know, it's Bob.”
“We know Bob, very unlikely that Bob is deciding to rip us off now after 10 years of happy business.” But the person operating the account may no longer be Bob. A very unfortunate way this happens is when Bob's email gets hacked. Fraudsters run automated or semi-automated tools to find all of the accounts attached to Bob's email, and see which ones are the ones that they are most easily capable of turning into cash.
[Patrick notes: As much B2C commerce becomes more phone-centric, phone skimming and (to a lesser degree) outright theft has a similar risk/exploitation toolchain.]
I've written an essay on this topic called The fraud supply chain, because there are multiple different professional specialties involved in that attack toolchain.
Now, an unhappy fact of life, important for people to understand: sometimes Bob is involved. And Bob's level of understanding that he is involved… varies.
One way this business happens: suppose Bob is rolling up his business and moving to his next adventure. It happens all the time to businesses, particularly small businesses. Bob might be approached by someone who says, “Hey, That business you have, uh, shame it's going out of business. I wish you best of luck in your new thing. Uh, but you know, your bank account, your supplier relationship, etc. I'll take it over for $2,000.”
Bob might not know that that is an inducement to fraudulent activity. In fact, my wife Ruriko, when my business Starfighter shut down, said it was generally understood that business bank accounts were valuable and could be sold for $1,000 to $2,000.
Ruriko did not know, and I did, that that market exists because the buyers are criminal money launderers. [Patrick notes: Your supposition as to their affiliation with traditional organized crime is historically accurate in Japan and perhaps less accurate these days.] They want those accounts because they can move hundreds of thousands of dollars, or more, of crime proceeds through Japanese banks using them before the bank cottons onto the account being under new management.
So I did not sell my business bank accounts, for obvious reasons. [Patrick notes: One less obvious one, which might help people understand how people can believe this transaction is legitimate: my accountant told me not to, because business accounts are such a rigamarole to set up. He said to mothball the company and, whenever I start a new business, “take your empty box off the shelf and fill it with something new”, to save several weeks of administrivia and a few thousand dollars in expense. The filing to change a company name is cheap and easy relative to de novo incorporation (still cheap and easy, IMHO) and getting a business bank account (historically a pain in the keister).]
There exists substantial recruiting on places like Craigslist for people to sell seasoned PayPal and similar accounts. Sometimes those posts will wear a fig leaf of being non-fraudulent. Sometimes the user probably understands what they're doing, although sophistication levels of users with respect to fraud are all over the map.
And this is a thing we see over and over again in the industry. Money mules, for example, are people who rent their identity to cybercrime operations in return for a cut of the money that they move around the financial system using their own (generally legitimate) identity. Some percent of those people absolutely know that they are engaged in a crime.
Some percent of those people remember the old adage that if it's too good to be true, it probably is. And some percent of those people are very literally trusting, old, retired grandmothers in Kansas. And when you read narratives by them, it's really heartbreaking that they got snared up in something. Typically, prosecutorial discretion is exercised and they don’t get charged with a crime. But they will frequently have life substantially interrupted, and not infrequently lose their access to banking and similar for a couple of years.
The banking industry does not have the memory of a goldfish. If you are induced to become a money mule once, the probability of you being induced to become a money mule a second time is frequently far, far higher than the banking industry's tolerance for it. [Patrick notes: Some people think that fraud victims probably learn from their experience. In actual practice, fraud operations sell lists of past victims to each other, because they are more valuable leads. The pitch for the next fraud is often making them whole for the last one that victimized them!]
Making a customer of someone you've never met.
Essay:
The payments industry has to solve many foundational problems. One of the core ones is quickly bootstrapping a business over the decision to trust someone they’ve never met, enough to allow them to consume valuable goods and services, based on nothing more than a promise of future payment.
A promise! Mere words! Billions upon billions of dollars have been spent on marketing to make you think that a payment is more than a promise. It’s a lie, and it’s a lie we all choose to believe in part because it’s a vastly more effective model to run the world under than the truth is.
Businesses prefer attracting new customers to not attracting new customers, citation hopefully not needed. They have a choice as to how much friction they want that new customer to need to go through prior to being offered goods and services. Many businesses have found that decreasing friction results in getting more new customers, who spend more, and who stick around for more transactions. (These are, incidentally, the “only three goals of marketing.”)
You could subject first-time customers (or even repeat customers), to an elaborate underwriting process, in part to increase your trust in them / decrease your perception of the risk that they would defraud you. You could, for example, ask them to give you a firm handshake as a condition of doing business.
The requirement for a firm handshake is, actually, an effective anti-fraud measure. The requirement that it happen face-to-face decreases the number of international professionalized fraud gangs which can target you, because they’re not physically close enough to shake your hand. Unfortunately, for the same reason, it also decreases how many customers you can sell to; most people don’t live within commuting distance of your retail presence.
Commentary:
So I had a tweet thread recently about load-bearing frictions. We often see this in government services. We recoil against how the Social Security Administration, for example, takes about a year to issue someone a new Social Security card with a new number in the case where they have been victimized by identity theft. (Identity theft deserves its own essay.)
Why does it take a year? Partly it's the government being the government. Partly it's that the architects of this process understand that the possession of social security numbers is relied upon by the rest of society, inclusive of the government and non-government actors, as being a very-hard-to-fake proof of work.
Very hard to fake, at least relative to many other proofs of work: possession of an email address is not very hard to fake at all; possession of a Gmail address is harder to fake at scale. Possessing a true, legitimate, and above all clean social security number, that's really tough to manufacture by the thousands and tens of thousands.
[Patrick notes: Fun fact about the world: there are people whose job it is to create fake-but-real ones for the purpose of e.g. the intelligence community, and this job has gotten much harder in the last 20 years, for reasons that are outside the scope of this essay. Which can occasionally result in a financial institution accidentally writing a spook classifier in the fraud department.
Also I don’t want to overstate the financial industry’s acumen here: so-called “synthetic identities” are not, in 2024, a solved problem… yet. But many of the smartest financial technologists I know would bet on the defender here, and not the attacker, going forward in a way which is very different from the bet most security professionals would place about software security.]
One reason why certain processes in society do require a lot of that upfront vetting and are kind of painful to go through is that they’re designed to allow the rest of society to free ride off of them.
In solution with this, you should keep in mind that the financial industry has put no small amount of effort into moving away from this paradigm. Back in the day, almost all underwriting was front-loaded, and then after you were inside the circle of trust, ongoing checks were… far less robust.
Many firms attempt to bootstrap underwriting to decrease barriers to desirable things, like access to credit, and to the revenue from serving those customers. The entire credit scoring apparatus exists to allow you to apply for your first credit card at 2 A.M. online. There's sort of a supply chain here, an ecosystem with various providers having various niches in that ecosystem. Depending on your exact position in society, some institution, maybe Capital One, maybe a specialized provider likely less well-known to this audience, maybe Seis (a fintech targeting Spanish-speaking new arrivals to America [Patrick notes: I am a small investor]), has specialized in taking the risk of your first encounter with the credit system.
After one has a credit report with something meaningful on it, there are increasingly elaborate machines running through much of capitalism to bootstrap that report itself into trust with all manner of institutions, financial and otherwise.
Credit reports, and I should write more about them someday, are honestly one of the most important advances of the 20th century prior to the Internet. They are the original AI technology, but we’ve used them so many years we demoted them to “just some matrix multiplication.” [Patrick notes: Could still happen to LLMs, I think? “Pfft big deal they had those back in 2020! Like a transformer counts as intelligent. Google, explain what a transformer is to this idiot.”]
Why do I think they are important in addition to being impressive? They allowed a great expansion of consumer credit and the financial sector, which perhaps controversially, I believe, is largely positive. More than anything else, more than decades of legal reform, even more than decades of positive cultural change in the U.S., they brought people who were at the socioeconomic margins of society into the mainstream by allowing them to qualify for things like, for example, mortgages.
(To avoid hiding the ball there, you know, black Americans, women who were as late as the 1970s unable to hold accounts in their own name, etc. Everyone who wasn't able to walk into their local bank branch, give the responsible professional a firm handshake and immediately get granted credit on the basis of that handshake benefits enormously, in aggregate, from that system being depersonalized, more objective, and using history like credit cards do.)
This is extremely not believed by many advocates because they will say, accurately, that certain populations of concern for them have worse credit scores than other populations. And so they think that is discriminatory. The difference in scores is downstream of behavior.
[Patrick notes: Advocates would counter that that behavior is downstream of systemic racism etc etc. Regardless: credit scores are a mirror of our society and advocates hate the mirror because it fails to reflect a reality that doesn’t exist.
Some advocates would prefer underwriting that caused banks to take additional losses to subsidize favored users. One reason they make this argument about credit scores and not about, say, government-ordered reparations is you can launder the credit score subsidy through highly technical details that almost no one understands. This avoids taking the political hit for saying “I would like to direct resources away from people of disfavored races and award them to people of favored races” in a way which is legible.
Apologies for mixing in politics with the commentary.]
Anti-fraud loops used in online commerce
Essay:
You’ve probably had a shopping experience impacted by an anti-fraud loop, though you might not have recognized it as such. Ever been asked for billing address in addition to shipping address? That’s for AVS verification. There is an obvious user-experience hit there, and it’s quantifiable; removing fields from checkout forms increases conversion rates nearly as a rule. (Conversion rates are an industry term-of-art describing the percentage of prospects who successfully purchase something.)
Commentary:
Conversion rates are an industry term of art describing the percentage of prospects who successfully purchase something. As an aside here, before I worked in the technology industry in places like Stripe, I spent a number of years trying to convince very savvy software companies, which had excellent designers and excellent software engineers that their purchasing pathways hated money. (As always, Stripe does not necessarily endorse things that I say in my personal spaces.)
That probably sounds like a wild claim, and oh boy, the stories I can’t tell. [Patrick notes: One of the documents I am most proud of writing was, essentially, “Many members of the team here have loved you since childhood. You don’t even have to use us; we just want what is best for you. Here is a Powerpoint deck stepping through your purchasing pathway one click at a time. Fix the identified issues and we believe with high confidence it will stop tens of millions of dollars of revenue a year from leaking.— Sincerely, your friends at Stripe.” (If they ever publish the new customer press release and name that firm I will dance a merry jig.)]
Even in the best resourced bastions of capitalism, the physical artifact that you interact with when attempting to give the business money is often a terrible artifact. My job for a number of years was charging eye-popping amounts of money to various software companies to spend a week or two weeks just making their credit card form better. Then we’d do an A/B test on that, which is a simple version of statistical testing.
(Essentially, you keep the system as it exists beforehand as a control group and then test the iterative approach against it, and see in a statistical sense which one will make more money over the long term. And very obvious improvements, like not asking for what credit card brand someone is using when they purchase things online [Patrick notes: inferrable from the card number, trivially], turn out to have statistically significant and meaningful lifts in conversion.)
This surprised some of the smartest people I've ever met, even after they had enormous regard for A/B testing and me specifically. In the words of one: when someone is buying the thing we sell, they've already given a huge amount of consideration to the purchase. If there are some infelicities in the flow, they’ll power through them.
That person was wrong.
I'm as confident of that as anyone is confident of a result which gets p=0.03.
Essay:
Wonder why everyone under the sun wants you to have an account on their site? One major reason is that it gives customers a history that allows a business to direct more of its anti-fraud attention to (more risky) first-time users than (less risky) multi-year regular customers. Allowing guest checkouts is a business decision to accept more fraud (and less ability to market to the customer) in return for marginal sales.
Some of the savvier interventions operate in the background or don’t surface for all users. For example, you could imagine asking the purchasers of especially high-risk orders to first confirm possession of a phone number (via typing in a code you text them), or even to talk to a human in your fraud department before completing the transaction. Both of these are aimed at breaking the economics of scaled fraud; phone numbers and voice calls are expensive relative to synthetic identities and tend to leak information about fraud operations, which can further inform defenses.
We’ll talk about this some other time; risk scoring and marginal interventions are fascinatingly deep topics.
Commentary:
As an aside, there’s a lot of work in many e-commerce shops to create profiles for customers, even when those customers don’t have accounts. This kind of activity likely gives EU bureaucrats some heartburn, but if a customer uses guest checkout five different times, you can often use various shared identifiers across those sessions to build a synthetic profile on the backend. This allows the business to do things like assess the risk of someone using guest checkout for the sixth time—because their risk factors will differ significantly from those of someone truly new to the business using guest checkout for the first time. It also enables creative strategies, such as recommending products on a future visit, even if the customer doesn’t log in, by leveraging persistent cookies.
This kind of functionality helps explain why some e-commerce businesses employ thousands of engineers. Well, not all e-commerce businesses—this is especially true for platforms that sell this technology to other businesses and for companies in the ecosystems supporting those platforms.
Here’s a concrete example from the industry. If you have an Amazon account, which is typically very well-established, you aren’t asked to reconfirm your payment details every time you make a purchase. Obviously, right? That would be a terrible user experience. However, if you add a new shipping address to your account—maybe because you’ve just moved or you’re sending Christmas gifts directly to someone else—Amazon will require you to retype your full credit card number to use it again. They don’t ask for the other details needed to process a transaction; they simply want to ensure you can access the full credit card number.
Why? Because Amazon only displays the last four digits of your saved cards. This measure ensures that, if a fraudster gains control of someone’s Amazon account, they can’t simply input their own address—or that of an accomplice—and start making purchases using the victim’s saved payment credentials. This countermeasure addresses a specific attack vector and saves Amazon a substantial amount of money.
There are countless analogous tripwires like this embedded throughout the industry. Unfortunately, many of them are trade secrets, but the topic is fascinating. It’s also poorly understood by, let’s call them, “civilians” or non-experts. Referring back to an earlier tweet of mine: sometimes, friction is load-bearing.
When banks or businesses introduce a behavior in an edge case that frustrates you, it’s rarely because they don’t like you, and it’s usually not because they’re incompetent. More often than not, that edge case sits on the critical path for preventing a significant amount of fraud. The defenses—and the costs incurred, both in dollars and in user experience—are typically justified by the fraud they mitigate.
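The loops described above (account history deciding how much scrutiny an order gets, AVS, re-entering the full card number before a saved card may ship to a never-before-seen address, phone possession for high-value orders from unknown buyers, and linking guest checkouts into a backend profile) put together as one step-up decision. This is an added Python example, not code from the episode or from Amazon or any other merchant; the guest-linking key, the thresholds and the step-up names are assumptions.

```python
"""Checkout step-up decisions modelled on the anti-fraud loops discussed above.
Illustrative only: thresholds, signal names and the guest-linking key are
assumptions, not any merchant's real rules."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    account_id: Optional[str]      # None means guest checkout
    age_days: int
    prior_orders: int
    # For each saved (tokenised) card, the shipping addresses it has already
    # been used with. A saved card going to a new address is the tripwire.
    card_address_history: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Order:
    amount: float
    card_token: str                # token of a saved card, or "new-card"
    shipping_address: str
    billing_address: str
    avs_address_match: bool        # outcome of the processor's AVS check
    email: str
    device_fingerprint: str


# Constructed backend ledger of guest sessions keyed by shared identifiers.
# A real system keys on far more signals; email + device is enough to show
# why a sixth guest checkout is not scored like a first one.
GUEST_LEDGER: Dict[str, int] = {}

HIGH_RISK_AMOUNT = 500.0   # assumed threshold for phone-possession step-up
NEW_ACCOUNT_DAYS = 30      # assumed window in which an account is "new"


def guest_key(email: str, device_fingerprint: str) -> str:
    """Stable hash of the identifiers shared across a guest's sessions."""
    raw = f"{email.strip().lower()}|{device_fingerprint}".encode()
    return hashlib.sha256(raw).hexdigest()


def record_guest_order(order: Order) -> None:
    """Record a completed guest order against its synthetic profile."""
    k = guest_key(order.email, order.device_fingerprint)
    GUEST_LEDGER[k] = GUEST_LEDGER.get(k, 0) + 1


def step_ups(account: Account, order: Order) -> List[str]:
    """Return the extra friction this order must clear before it ships."""
    required: List[str] = []

    # How unknown is this buyer? Guests are scored off the linked profile,
    # account holders off account age and history.
    if account.account_id is None:
        prior = GUEST_LEDGER.get(guest_key(order.email, order.device_fingerprint), 0)
        truly_new = prior == 0
    else:
        truly_new = account.age_days < NEW_ACCOUNT_DAYS and account.prior_orders == 0

    # Billing address does not match what the issuer has on file: hold for a
    # human regardless of how established the buyer is.
    if not order.avs_address_match:
        required.append("manual_review")

    # Saved card used with an address it has never shipped to: the buyer must
    # retype the full card number, which an account hijacker does not have.
    seen = account.card_address_history.get(order.card_token)
    if seen is not None and order.shipping_address not in seen:
        required.append("reenter_full_pan")

    # High-value order from an unknown buyer: prove possession of a phone,
    # which is expensive at scale relative to a synthetic identity.
    if truly_new and order.amount >= HIGH_RISK_AMOUNT:
        required.append("phone_otp")

    return required
```

Note that a fully established account still hits the PAN re-entry tripwire the moment a saved card meets an unfamiliar address, while a first-time guest buying something cheap with a matching AVS result gets no friction at all: the expensive checks are spent where the expected fraud is, not on every order.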
Different businesses have different tolerances for fraud
Margins create margins. A business with high margins will, all else equal, tend to spend more on marketing and sales than a business with low margins; if they don’t, their competitors will “bid up” the cost of attracting customers out of their own fat margins.
Businesses with high margins also tend to be more accepting of payments fraud than businesses with low margins. Consider businesses which sell IP, like video game companies, streaming services, or SaaS. Because their margins are often 90%+, if you were to present them with a menu of strategies which traded off conversion rate and fraud rate, they’d maximize for conversion rates until fraud at the margin reached levels not seen in even the most corrupt places imaginable.
Businesses selling valuable resalable goods with much lower margins, such as Apple hardware or game consoles, have to be much more careful about who they transact with. When they’re offered a conceptual slider for who to do secondary transaction screening on, they screen more marginal orders. They accept painful tradeoffs like, “We’ll have a fraud department review every new order and hold every first-time order for shipping until we can talk to the purchaser.”
Between these two there exists a spectrum of fraud regimes, and this is broadly a good thing. Society gets to make choices, and here it is choosing through the activities of private agents. It is optimizing for how many resources to let leak to bad actors and how much societal effort to burn on policing them versus how much low-friction commerce to enable by good actors. This is often missed in discussions of fraud; one reason it has increased over the past few decades is that legitimate commerce has exploded, as the world becomes richer and as barriers to commerce have come down.
As an aside, the concept of high-margin versus low-margin businesses also applies within individual businesses. Certain products are, for various reasons, more likely to be targeted by fraud, while others are much less likely. More sophisticated businesses build different levels of tooling and transactional friction to account for these differences.
This is why razor blades are locked up at your local Walgreens—something that always makes me shake my fist at the sky. While this practice reflects societal failures downstream, it exists nonetheless. Counterintuitively, getting a vaccine at Walgreens often involves less hassle than buying razor blades, deodorant, or shaving cream. The blunt truth here is that vaccines aren’t resaleable, while razor blades, deodorant, and shaving cream certainly are. Fraud operations aggressively target items like these, pulling them off shelves and reselling them at flea markets, on the internet, or through other e-commerce channels. This drives differentiated user experiences: some items go behind glass, and others remain openly accessible.
Retailers face interesting decisions in these scenarios. For instance, they could choose to lock up all high-shrinkage items. However, this can sometimes lead to unforeseen consequences. One major pharmacy chain, which I won’t name, ran an analysis to sort products by shrinkage rates and locked up the most frequently stolen items. One such product happened to be a hair care item popular among African Americans, while analogous products used by other demographic groups did not have high shrinkage rates. As a result, the store put the high-shrinkage hair care product behind glass while leaving similar products out in the open.
Inevitably, someone took a photo, tweeted it with an obvious implicit commentary, and the image sparked a public outcry. I imagine someone in the company’s data analysis division had a very uncomfortable conversation afterward, likely including reminders of certain immutable truths: while the store’s decisions might not have been driven by malice, optics matter. There are truths your PR team will adamantly advise against turning into a public battle. In this case, the business decided to tolerate slightly more shrinkage for the sake of other priorities—whether those are societal justice, equalizing customer experiences, or simply avoiding bad press is open to interpretation.
This dynamic isn’t limited to physical goods. Internet merchants also learn to accept non-zero levels of fraud because enforcing absolute zero is neither practical nor profitable. Hopefully, you can see the parallels here. Businesses weigh their risks and goals carefully, often making trade-offs to balance operational needs with broader societal considerations.
This extends beyond payments
Essay:
So hopefully you buy that Internet merchants can happily accept non-zero levels of fraud. This argument generalizes, and it has some important ethical considerations. We should, as a society, accept non-zero amounts of benefits fraud. We should accept non-zero amounts of cheating on taxes. You personally have benefited from the financial industry’s decision to not expend the maximum possible effort on defending against so-called identity theft.
These tradeoffs are often intensely difficult to pursue openly. Who wants to be known as the politician in favor of benefits fraud or the financial CEO who thinks they are not laundering enough money?
One of the interesting questions here is who gets to resolve tensions like this. Generally speaking, it will be private actors applying their own cost-benefits decisions. There is substantial space for regulations to help with cases, like identity theft, where actors can choose to spend other people’s risk budgets to maximize for their own interests.
If you have other fraud subtopics you’d love to cover, drop me a line.
Commentary:
One area where this topic really stands out is in discussions of pandemic fraud. The Paycheck Protection Program (PPP) loans and the expansion of unemployment insurance during the pandemic were funded by the federal government with a rapid decision made on behalf of the American people by their elected representatives. The context was clear: we faced a unique and urgent situation. The economy was at risk of collapsing, and the response was to "spray money at the problem." The government decided to spend whatever it took and solve the crisis by any means necessary.
I would argue that this decision was made with full awareness of the likely outcomes, including the high levels of fraud that we now observe in retrospect. And I believe this approach was the correct one—morally, ethically, and practically speaking. It’s a hard reality for many actors in government to fully embrace, which is why post-crisis reports often feature sniping between agencies like the Office of the Inspector General and other sub-organizations. These disagreements often focus on whether the high fraud rates reflect administrative incompetence or a deliberate, calculated choice to prioritize expedience over the usual safeguards.
Here’s the tough truth: those programs weren’t protected to the same degree as benefits programs in ordinary years, and that wasn’t an accident. It was a trade-off we consciously made under extraordinary circumstances. Whether you view that as an acceptable cost depends on how you weigh the urgency of the moment against the inefficiency and fraud that followed.
Now, let me touch on another related issue—one that’s harder to discuss but just as real. It’s something people often find controversial in the context of benefits programs, so before I say the spicy part, let’s start with something less contentious: taxes.
Taxes
When it comes to taxes, there’s little emotional charge. Countries publish tax rates for various income levels, along with books of regulations defining what constitutes income, allowable deductions, and the like. The framework is clear, and while debates about fairness or loopholes exist, the underlying structure is widely understood and accepted. Benefits programs, however, are often viewed through a much more emotional and polarizing lens, even when the underlying dynamics—like trade-offs and systemic incentives—operate in a similar way.
These systems operate in a kind of homeostasis, managed by the interplay of taxpayers, tax accountants, and taxation authorities. The rules as written aren’t really the rules. The real rules are shaped by what this homeostasis typically allows people to get away with in practice.
Take, for example, the rules about who qualifies as an employee versus an independent contractor. On paper, these rules are uniform across industries. The criteria for software companies are ostensibly the same as those for cosmetology or office cleaning services. However, in practice, market norms in cosmetology and office cleaning lead to many workers in those fields being classified as independent contractors, even when, under strict application of the rules, they likely wouldn’t be.
This reality is implicitly or explicitly acknowledged by taxation authorities. We, as a society, could theoretically enforce the rules rigidly, imprisoning salon owners or cleaning service operators who fail to comply. But the fact is, we like getting haircuts, and we like having clean offices. So, we collectively choose not to push too hard against this deviation from the written rules. In a legal realism framework, then, the U.S. tax code isn’t just the document as written—it’s the tax code as shaped by this iterative, pragmatic interplay among all the involved parties.
With that point established, let me pivot to benefit systems.
Fraud as an intended component
Fraud is, to some extent, an intended component of certain benefit systems. By that, I mean that when we design these systems, we balance multiple factors: the scope of the net we cast to include favored members of society, the formal budget allocated, the amount available to each claimant, and the level of fraud we’re willing to tolerate as a consequence. This balance is baked into the system’s design and operation, even if it’s rarely acknowledged explicitly.
It’s a difficult truth to say out loud, but it’s pervasive. In fact, the tension between these trade-offs is a key feature of how benefit systems are conceived and maintained. Granted, I’ve had other guests on this podcast who might strongly and viscerally disagree with that characterization. But I believe productive disagreements between smart people are a valuable use of time—and this is a topic well worth talking about.
One thing I think most observers would agree on is that there’s a kind of game involved in establishing ongoing political support for benefit systems. Different actors in society assign different levels of importance to the outcomes of complex political decisions.
Some actors focus on minimizing costs, others on maximizing coverage—whether broadly or for a specific demographic of interest. Some feel viscerally offended by the idea of being taken advantage of and prioritize reducing instances of visible fraud. Each of these groups shapes the design and operation of benefit systems in its own way.
In the complex political economy of benefit systems, part of the design involves accounting for the “usual” level of fraud. Another part is ensuring that the fraud itself isn’t overly legible to the system, as blatant fraud can trigger significant backlash. On the flip side, countermeasures against fraud are designed to be highly concrete and visible, creating a narrative that the system is being actively protected. This is as much a political strategy as it is a functional one—sorry for making the observation, but I think it’s critical to understanding the topic.
Returning to the Paycheck Protection Program (PPP) and other pandemic-era initiatives, aiming for zero fraud would have been a catastrophic mistake. With trillions of dollars at stake, some level of fraud was simply the cost of doing business. We should have been—and I would argue largely were—content with that trade-off, given the circumstances.
Recently, a government report estimated that pandemic-era fraud totaled $200 billion. I haven’t had a chance to read the entire report yet, and that number is higher than most credible estimates I’ve seen before. Previous estimates suggested fraud in the tens of billions, at minimum. However, some portion of this fraud is not the kind that anyone in the U.S. political system would consider acceptable. Specifically, a significant amount went to actors in geopolitical adversaries of the United States, who “jackpotted” the programs for substantial sums. That’s a different—and far more politically significant—dimension to this issue.
No one is particularly happy about the fraud that occurred, but I still think it can be understood as a cost of doing business. For example, if you’re unwilling to implement identity verification in week one—because doing so would take 12 weeks and you need paychecks to go out in week one—that’s an incredibly reasonable decision, especially in March 2020. [Patrick notes: And if that means some Russian ex-spooks get a few billion dollars in April then, well, not the worst thing that happened in April by a long shot.]
A significant portion of the fraud involved retroactively creating or exaggerating sole proprietorships to take advantage of Paycheck Protection Program (PPP) “loans,” which, in the case of sole proprietors, were almost automatically forgiven. This essentially allowed individuals to jackpot the government for money. Now, very few people in Congress or similar positions would publicly say, "We intended for that to happen."
But, between friends, I think we did intend for that to happen. One can certainly debate whether this was a just or proper use of society’s resources during an emergency, but I believe it was a deliberate decision made by the United States under the circumstances.
Anyway, thanks for tuning into this experimental episode. We’ll be back next week, and throughout December, we’ll try a few more experiments, likely mixed in with some of the classic interview-format podcasts. Have a great day, and I’ll see you around the internet. Bye-bye!