Key insights in this post
Risk management is an overlooked vector for Payments innovation
Differentiating on Risk Management is similar to “MoneyBall” strategy in sports: Use analytics to identify pockets of value that competitors overlook
Capital One is the most prominent payments company that differentiated on Risk (Credit Risk) and grew to be a top 3 player. The strategy was not to minimize risk, but to price for risk
Fintechs have adopted similar risk-based strategies in a variety of areas, for example:
BNPL issuers underwrite small, short-term loans from low-FICO borrowers. The key was more about validating identity than underwriting credit risk
Merchant Cash Advance (MCA) allows ISVs to collateralize loans against card settlements. The ISV has insight on cash flows and control of repayment
Square underwrote micro-merchants for card acceptance. Square managed this via limits and active monitoring
Such strategies face broader risks from the ecosystem:
Economic cycles can magnify exposures
Regulators can limit the use of key tactics
Copycats can pile in and drive down margins
Technology-based solutions can obsolete analytics-based solutions
The overall conclusion is that risk-based strategies are more of an entry point rather than a long-term sustainable advantage:
Analytics can be commoditized by technology and data vendors
Outside forces can undermine the model
Target TAMs can be too small to sustain growth
Even Capital One pivoted when they started getting large: They bought branch banks to lower funding costs and they developed spend-centric products to balance the lend-centric book. Risk-based strategies are an effective starting point, but not an end point.
Introduction
Most payments innovation focus on the payment methods themselves or software that sits in front of or behind the payment:
Payment method innovation includes today’s Stablecoin frenzy but also included P2P (Zelle, Venmo, Cash App) & Instant payments (RTP, FedNow, Visa Direct/MC Send, SD ACH). In a prior post I debated whether BNPL fit the bill as well
Payment software innovation includes ISVs (e.g., Square & Toast) and Digital wallets (PayPal & Apple Pay) among others. These all use standard payment methods, usually Cards or ACH, with a smart front-end or back-end that helps facilitate payments execution. Agentic commerce is the latest innovation here
A third dimension of payments innovation gets much less attention, and that is Risk Management. The best example would be Capital One’s specialization on Credit Risk. They grew out of a modest-sized regional bank (anyone but me remember Signet Bank?) to become the third biggest issuer.
Capital One had limited in-going differentiation, such as:
Card products were pretty much the same as other issuers’
No national brand, like Amex
No big branch network for distribution & low-cost deposits (e.g., Chase, BAC)
No big cobrand partners for distribution (e.g., Citi, Synchrony, MBNA)
Capital One is not the only financial institution who innovated on the risk dimension – Progressive famously did a similar thing in Insurance. Other success stories are less well known. This post will distill some general principles for differentiating on risk based on these other payments success stories.
Moneyball strategies
In general, focusing on Risk is a “Moneyball” strategy. Here is one definition of Moneyball:
“… a data-driven, analytics-focused approach to sports … that involves identifying and acquiring undervalued players based on their performance in key, often overlooked, statistical metrics, rather than relying on traditional methods and expensive, highly-touted players …”
Moneyball is a strategy for the underdog. The biggest competitors can rely on processing scale, brand, and marketing budgets to capture mass markets. They may not even view the undervalued segments as big enough to pursue – leaving them to insurgents.
Notice the focus on analytics. Capital One ingrained this in their culture. For example, everyone has to take a math test to be employed there. I had to do that once (I passed, but still didn’t get the job). They speak internally about playing the “skews”, that is, areas of opportunity ignored by other issuers.
If too many market participants adopt similar techniques the undervalued segments are no longer available to arbitrage. This happened to the Oakland A’s who first implemented Moneyball. Other teams hired statisticians to do similar “Sabermetric” analysis, and the marginal returns diminished. At some point, an insurgent needs to get big or get out.
In Payments, the key to these strategies is not to minimize risk but to price for risk. If the insurgent’s analytics quantify the risk better, they can price customers to compensate for that risk.
If the customer is unwilling to pay the risk-adjusted price, they will go to a competitor who underprices that risk – weakening their performance (this is known as adverse selection.
If the other competitors overprice the risk, customers will flock to the insurgent, offsetting some distribution costs
One challenge with this approach is that government doesn’t always like such “risk discrimination”. After the Credit Crisis, the Card Act limited some risk-based pricing tactics; some consumers could no longer be underwritten at all and prices went up for everyone to cover for the bad risks that could not be priced high enough.
Other payments examples
We see insurgents adopting risk-based strategies all the time, but we often attribute their success to other factors – in particular “user experience”. Scratch the surface and risk management is often a key differentiator:
BNPL issuers underwrite small, short-term loans from mostly low-FICO borrowers
Merchant Cash Advance (MCA) allows ISVs collateralizes loans against daily card settlements
Square underwrote micro-merchants for card acceptance
I’ll walk through each of these in a bit more detail below:
BNPL
BNPL lenders (i.e., “Pay-in-4”) make short-term, low-value loans to generally low-FICO customers. They charge no interest, making them very appealing to those customers. They limit risk in a few ways:
Automatic repayment via debit card
Product structure
The first 25% is collected at purchase time, so only 75% is actually lent out
25% is collected every 2 weeks – aligned to the borrowers’ pay periods
Loan size is generally under $200
Access to SKU data helps with fraud. Easily fencible goods get additional scrutiny
The big risk here is application fraud. The lender needs to validate identity at the same time they are underwriting credit risk. My understanding is that most of the losses on BNPL are not from credit but from fraud – the customer deliberately takes the loan with no intention to pay it back. This is a problem with any online service, but it is the difference between success and failure in BNPL. That makes the real analytic trick here validating identity in real time, with SKU helpful to determine fraud likelihood.
BNPL makes its income from merchant fees. The merchant needs to believe that BNPL increases conversion and/or basket size to justify paying a higher MDR (~5%) than it does for credit cards (<3%) or debit (~30¢ for regulated, <1.5% for exempt). Some of the analytic challenge from BNPL lenders is demonstrating this lift.
A feeding frenzy emerged here as many other startups targeted the space and drove down MDRs. It was a classic land grab. Some incumbents have now launched competing products that rely on lower, outstanding MDRs, but already had strong identity verification e.g.,
PayPal tucks its BNPL product under its standard digital wallet MDR
Debit processors make BNPL available on any debit transaction, although the economics only work for Exempt debit
Credit Card issuers allowed their cardholders to structure purchases as installments
Incumbents have already KYC’ed each customer so identity is not an issue, undermining one differentiator of the BNPL specialists. All this competition forces down merchant MDRs, undermining financial returns.
In contrast, the BNPL specialists now issue debit cards to use BNPL at the physical POS. Those are high-IC Business Debit cards that offers half the revenue as online, but are only used by regular customers.
Merchant Cash Advance
Merchant Cash Advance (MCA) uses daily card settlements to collateralize loans to small merchants. The lender, usually an ISV (e.g., Square, Toast, Clover), repays the loan with automatic, fixed deductions from daily settlements. The loans are generally short term and often used to level out seasonal cash flow challenges.
Most banks won’t lend to small merchants other than via Cards, which carry high APRs and insufficient limits. The ISVs have better cash flow data via the card settlements and can automate repayment. ISVs underwrite loans via insights into merchant cash flow, since card settlements account for the bulk of merchant revenue. By monitoring those daily settlements, they are also positioned to see credit trouble coming. An automated origination and servicing experience built into the core ISV software gives them low Opex.
There are third-party MCA lenders, but generally the ISVs are positioned to win. They are usually the sole acquirer, giving them advantaged insight on cash flow. MCA has become a key source of ISV revenue; however, it is no longer differentiating as it has spread across the ISV universe. While there is no MCA competition within a captured customer, there is also limited MCA differentiation among ISVs when competing for new customers. However, it does still differentiate versus terminal-based competitors.
Square: Merchant accounts for micro-merchants
Square pioneered payment acceptance for in-person micro-merchants that couldn’t get acquiring support from an incumbent. They found structures to manage the acquiring risk while charging premium prices for the volume. They found unique solutions to distribution as well.
Credit risk arises because if a merchant goes bankrupt, the acquirer needs to stand in to honor any trailing chargebacks. This is a particular issue for small merchants, who businesses have high failure rates.
Some enterprise verticals have the same challenge – Airlines are the best example. They tend to go bankrupt during travel recessions, but have sold many tickets well in advance, often for vacations. If the airline shuts down, the acquirer needs to make good on those tickets. Most acquirers avoid the risk, but a couple embraced it. They take reserves on daily settlements in a way that resembles Merchant Cash Advance, and only release those reserves once the tickets are actually used. Therefore, the exposures are enormous, but the realized losses are tiny.
When WorldPay was spun out of RBS in 2010, I remember a diligence meeting where their CEO said exposures ran into the billions, but realized losses over the prior 10 years were only around $0.5M. Why? When airlines fail they usually aren’t liquidated but just taken over by a larger airline – who make good on the tickets. The handful of acquirers who understood this made good returns in a large vertical.
On the micro-merchant side, no-one will step in to honor those chargebacks; so, the Acquirer needs to price high enough to overcome the losses. Square identified this as underserved segment: Micro-merchants wanted to accept cards but could not get merchant accounts from incumbents – which kept them in a cash & check economy. Even if they could get merchant accounts, terminals were expensive and immobile, MDRs were high and some merchant accounts had minimums. These economics didn’t work for many micro-merchants.
Square pioneered a new model:
A $5 card swipe dongle that plugged into any smart phone instead of an expensive, immobile terminal. Square launched while mobile phones when smartphones were relatively new and just before tablets were introduced. The dongle turned them into smart POS terminals
Free software for functions like inventory management that could be hosted on those smart devices with large screens
Flat rate MDR pricing with no minimums instead of complex qual/non-qual pricing
Self-service distribution instead of needing an in-person sales call
A risk management approach that could approve micro-merchants
It is the last of these that concerns us here.
The early Square merchants were often informal business with no dedicated store in mobile verticals like food trucks, dog walkers, tradesmen, craft fairs and farmers markets, etc. Many of these could not get through the credit processes of the incumbents.
Instead, Square managed all this via limits. It set a very low limit for new merchants so that if they were fraudulent or short-lived, the exposure was also limited. As the merchant grew, their limits would grow with them. Of course, Square also monitored chargeback rates and other traditional fraud indicators, but the limits kept their exposures in line.
It was still hard to make a profit on this segment, so Square started moving upmarket into small merchants with regular stores. Here they focused more on differentiators 1-4 and have done very well. They have even moved into Enterprise. But, Square still supports the smallest merchants which accounted for 30% of GDV earlier this year – down from over half at IPO. They have now stopped reporting this metric.
Risks of a Risk Management strategy
Risk Management strategies face challenges to sustain advantage. These techniques are rarely patentable, so the insurgent can’t create a legal moat around their advantage. Capital One developed an entire analytics culture around credit risk that kept it ahead despite competitors hiring their staff and attempting to copy their techniques. Incumbents were generally too stuck in their ways to keep pace.
Other trip wires can confound Risk-based strategies:
Macro challenges undermine economic assumptions
The product is launched at a certain point in the economic cycle, but its economics may not survive a turn in the cycle. Most monoline credit card issuers failed in the Credit Crisis as they were not diversified enough to survive a bad stretch. Capital One did survive, and thrive, because it had turned itself into a large depository during the good times and could fund itself with consumer deposits.
Other lenders got spoiled in the post crisis environment where credit losses were very low and interest rates were near zero. Everyone looks like a credit genius in that environment.
Regulatory challenges limit the use of certain tools
Sometimes, the rules change, making some monetization strategies impractical. As I noted above, the Card Act took away some of the risk-based pricing tools that had allowed card Issuers to price for the risk on low-FICO customers.
Recently, EWA providers have faced scrutiny on their real-time fees. While a borrower can get an EWA advance for free via ACH, that can take a day or two to settle. Providers instead offer instant payouts for a fee (e.g., Chime charges $2 on MyPay). The NY State AG recently charged that such instant fees make the APR usurious. Apparently, most borrowers opt for instant. Without some way to monetize, EWA may disappear.
Competitive challenges squeeze margins
I have given a few examples of competitive risk in this post. If a pioneer demonstrates the market value of their risk approach, startups and incumbents are sure to follow. Those competitive forces typically drive down revenue per transaction. The pioneers may be able to outlast the onslaught, but their financial performance will take a hit.
Early competition in BNPL drove merchant MDRs down dramatically, particularly at the biggest merchants. 2-day advance payroll has been commoditized as many of the biggest incumbents and most of the neobanks figured out how to do it as well.
Technology developments undermine analytic approaches
Sometimes, technology solutions reduce the advantage of Risk Management pioneers. A good example is Apple Pay versus PayPal. PayPal does analytically based fraud detection. It got quite good at that and got increasing amounts of proprietary data to fine-tune models.
In contrast, Apple Pay authenticates the consumer biometrically, via Face ID or Touch ID, which eliminates most types of scalable fraud. EMV did a similar trick for in-person transactions, eliminating 80% of fraud without using analytics or data, just technology.
Third-party tech solutions can level the playing field. For example,
Credit bureaus gather data that anyone can analyze
FICO provides universally used Credit Scores
The networks mandated EMV & CVV that were effective at limiting fraud
Plaid is a more recent example of this. Any incumbent that invests in unique risk management can see its advantage diminish if a third-party makes its proprietary data readily available to all comers.
Conclusions
As I wrote this post, it jumped out at me how unusual the Capital One success story is. Most of the other examples I came up with did not go on to breakthrough success. In fact, most of them pivoted at some point from risk management as the key differentiator.
The winners used a risk-based strategy to launch and then pivoted to other strategic dimensions. They had a short window before analytics & data were commoditized. Data tends to be aggregated into utility models (Credit Bureaus, EWS), models are retailed by software vendors (FICO, Vantage), networks issue technology standards (CVV, EMV), etc. Plaid is leveling the playing field by making any bank data available to Fintechs for proprietary modeling.
The other challenge is that targeted segments are too small, so the provider has to move upmarket. Square is an example here: it started with high-risk micro-businesses but gradually move to larger, more stable clients. And in those segments, their risk-based analysis didn’t differentiate as much.
In rare circumstances, an insurgent might have both superior analytics and access to proprietary data, such that early growth reinforces their moats. Beyond payments, this describes Google & Facebook in digital advertising. Nothing like that has emerged in payments, although Shop Pay & Amazon Payments may get there.
My conclusion is that risk-management-centered strategies should be thought of an entry point, not an end point. Notably, the Oakland A’s never made it to the World Series using Moneyball tactics but the Boston Red Sox did under a formula of analytics plus high spending. Moneyball + Money equaled ultimate victory whereas Moneyball alone did not.
Keep this in mind when insurgents talk about the moats they are building around their risk-based business models.
Andrew, your breakdown of risk-centred payment strategies is insightful - especially the idea of using analytics to uncover overlooked opportunities. Exploring practical approaches to risk and working capital can add another layer to these strategies. TCLM provides resources that could be helpful in this context.
(It’s free)- https://tradecredit.substack.com/subscribe