Zelf on a Shelf

Aaron Huang
Posted by Aaron Huang | Dec 19, 2022

Coming into the Holidays and the end of 2022, it’s important to reflect on the state of fintech and embedded finance in order to look around the corner to 2023 and beyond. 

There has been a lot of news lately in fintech, banking, and crypto - not all of it good. Actually, most of it was bad and the maelstrom continues. The FTX blow up created apparent issues for BlockFi - an FTX funded company - which may also have caused issues for Deserve - its underlying card issuer - which ultimately may have affected Evolve Bank - the underlying bank partner for Deserve. When you dive into all the parties involved in just a single financial ecosystem you start to understand why it can be so challenging to navigate the space and protect your company, your customers, and your margins from risk in the market. 

The latest incarnation of risk and how NOT to go to market involves the accusations about Zelf. Big up to Alex Johnson for his blog post on Zelf and exposing the parties involved who were apparently asleep at the compliance wheel.

In short, Zelf marketed an ‘anonymous debit card with crypto’ linked to a checking account or digital wallet. There allegedly was no KYC identity verification.

This no-KYC was apparently a feature, not a bug for Zelf.

In short, KYC (Know Your Customer) is regulated by the type of financial program being marketed and includes required information (First Name, Last Name, DOB, SSN or Govt ID, etc.) in order to verify the identity of the user. Identity verification is based on a rule (Customer Identification Program (CIP) rule) that was prompted by the USA PATRIOT Act and serves an important role in protecting the US from terrorism. The rule is part of a larger set of regulations that are managed through a financial institution’s Bank Secrecy Act and anti-money laundering program (BSA/AML), which is designed to prevent and detect individuals who might use the financial institution for illicit activities. 

How this type of offering got out to market, stayed live, signed up users for months, and only recently, if true, got shut down (perhaps due in some significant part to Alex’s sleuthing) speaks to the state of the market today.

This example is not unique. It appears that compliance and oversight are still lacking in the fintech ecosystem. This creates a double standard in the marketplace, one that rewards short termism. 

The cynic in me sees two sentiments at play here: 

  1. “If I can just get away with this and scale, I’ll be able to keep going because volume and revenue speak louder than full compliance.”
  2. “I have no clue what I can/can’t do - that’s why I partner with a program manager and a bank. I’ll just be as aggressive as possible and see what I can get away with.”

Both of these ways of thinking are what the market has conditioned participants to believing - only because past examples of companies that may have thought this way have succeeded. In the past we saw very few consequences. Value propositions around being turnkey, going live in minutes - this is what ecosystem vendors touted and continue to tout, backed by VC-funded models that aim to bring the same SaaS mouse traps to Banking as a Service (BaaS) and Fintech. Where have we heard echoes of “move fast and break things” again and again? But breaking a financial program with a Bank Partner will get you shut down – the question is not if but when. For Zelf, its BaaS vendor, and Bank Partner it’s more egg on face and scrutiny at a time where the ecosystem needs more good news to build confidence, not more egregious flouting of rules and regulations.

Cue the Pendulum
As we’re starting to witness, the very market participants that looked the other way and ignored compliance and risk management in marketing financial products are helping to swing the pendulum back the other way. When consumers get screwed, regulators take action and financial institutions go risk-off. When these regulatory issues arise they put banks in jeopardy and by default their entire ecosystem of fintechs and non-bank companies they partner with. Some of these issues and violations may border on gross negligence and worse in the coming months and years to come.

Market participants will often search for the path of least resistance, but its a recipe for trouble when it comes to flouting established rules and regulations that are meant to protect consumers and businesses, particularly in the current market and regulatory environment. “So and so vendors allows this, why do we have to comply with your requirements for KYC or compliance?” It can be easy to point to a live competitor marketing similar products and services and thinking the same rules (or lack thereof) apply. Here’s why that’s dangerous:

  1. The similar program may have material differences to yours that you are not aware of from a compliance pov. 
  2. The similar program may be running afoul of regulations already. It’s always better to understand the regulations by either having your own counsel, working with a program manager that has qualified compliance experts, and/or working with a bank partner that has a good reputation and will not get shut down in this regulatory environment - or all of the above. 
Shift your decision criteria >

your_decision_criteriaAs a non-fintech product manager, one could be forgiven for not realizing the full downstream impact to a business by myopically optimizing for CAC. I can’t imagine Zelf would have even succeeded in the long-run financially with the amount of potential fraud they were opening themselves up to. 

Ultimately, Banks and Program Managers need to offer the proper guardrails  and non-bank companies looking to offer financial products and services cannot look at banks or program managers as diametrically opposed to their go to market. 

Partnering with Productfy in 2023 and beyond
Good KYC and, more broadly, compliance is critical to protecting your business from fraud and your bank partner and fellow ecosystem players from reputation risk and regulatory scrutiny. Stop thinking of compliance as your enemy and start thinking of it as your competitive advantage. Without strong compliance, it is nearly impossible to manage the numerous risks facing companies that partner with banks, such as:

  • Fraud risk
  • Money laundering risk
  • Regulatory risk
  • Litigation risk
  • Reputational risk
  • Credit risk
  • Merchant risk
  • Cyber risk 
  • Privacy risk
  • Market risk

Note: If in doubt, get a second opinion
Large companies may weigh the cost of non-compliance against the cost of litigation as a corporate strategy. If you don't have the war chest and working capital set aside for this battle and you are receiving advice or considering an approach that you believe to be a short-term 'hack' that could run afoul of regulation, our suggestion at the very least would be to get a second opinion before going live to determine if your go to market strategy can withstand the regulatory risks without getting shelved by bank partners and regulators.  

Productfy’s KYC is just one part of our overall Customer Due Diligence program, which goes beyond CIP and watchlist scans to fraud checks and live transaction monitoring. Our approach is risk-adjusted for the various use cases and programs we partner on (ACH and money movement, debit, credit card programs, etc.)

Doing the right thing sometimes means walking away from opportunities that don’t align with our core mission and the values of our team and ecosystem partners. We started Productfy with the belief financial services have a tremendous opportunity to do societal good. We think financial innovation can be sustainable if all parties in the ecosystem play their part.

Want to learn more? Check out our partner compliance guide.