Bits about Money

The financial industry understands itself to be an arm of the government. We were inducted into this service other-than-willingly through the ordinary operation of law and regulation.

This is uncontroversial and unsurprising to insiders.

A claim which will be more surprising: some regulated financial institutions have delegated authority for account- and transaction-level decisioning to a non-profit.

Another: that non-profit includes a private intelligence agency, which runs covert assets, publishes intelligence estimates, develops target lists, and communicates them to decisionmakers.

Still another: the non-profit organized a coalition of the willing as an outgrowth of its intelligence agency. The willing non-profits, that is. The coalition engaged in a years-long campaign to coerce financial infrastructure and other firms to give them the ability to direct accounts to be closed. The infrastructure built to do this against domestic terrorists was applied to an American politician’s fundraising efforts, and no one seemed to think that was odd.

Last week, the DOJ unsealed an indictment against the organizing non-profit for bank fraud. This was based, in part, on how it paid the intelligence agency’s covert assets.

They likely developed evidence for that indictment using the Bank Secrecy Act (BSA) mandatory reporting regime. 

We begin, as always, with the bank fraud.

White collar prosecutions are structurally difficult because they frequently depend on intent. It is difficult to prove intent beyond a reasonable doubt, as it frequently depends on subjective mental states which we cannot directly observe. This problem is discussed in the literature including in book-length treatments.

There exist ways to overcome this difficulty as a prosecutor.

The classic one is waiting for the criminal to violate Stringer Bell’s dictum on the wisdom of taking notes on a criminal conspiracy. You then introduce their notes into evidence. They will frequently contain explicit statements demonstrating mens rea (a legal concept of a “guilty mind”). The register of those statements will be less guilty and more gleeful. Crime is awesome! Wow I sure hope the government never reads this! Because we are committing so much crime right now!

The prosecutorial toolbox has other tricks, too. Rely less on charges which require demonstrating intent. Rely more on what the economics of law field calls bright-line rules. For those crimes, you do not need to demonstrate what emotional valence someone experienced while committing a criminal act. You only need to demonstrate the fact of the act.

Interdicting crime is an iterated game. Responding to our noted inability to manage some forms of crime, legislators have intentionally added some items to the prosecutorial toolbox. Whether one describes them as tools or weapons depends mostly on whether one touches them with the hand or the face.

As Bits about Money has covered frequently previously, the anti-moneylaundering (AML), Know Your Customer (KYC), and related regulatory edifices function in a subtle manner. They do not simply proscribe conduct and rely on perfect enforcement by the financial industry. To achieve the overall objective of stochastically interdicting crime, the regs are designed to force criminals into repeated unpalatable tradeoffs. One is “You can choose making money, or you can choose never interacting with banks, but it is very difficult to choose both.”

We then follow the criminal into the bank. “By the way, lying to a bank is a crime. It doesn’t matter what you think while you’re doing it. It doesn’t matter why you did it. It doesn’t matter if you’re a sinner or a saint. It doesn’t matter if it is a big lie or a little lie. It doesn’t matter if the bank believes you. Lying to a bank is a crime. And everything you say to a bank will be recorded for decades. It will be routinely forwarded directly to law enforcement if the forward-deployed intelligence analysts we force the bank to hire believe there is even a tiny chance law enforcement will find it useful.”

Al Capone infamously went down for the tax evasion because it was easier to prove than the murders. Drug smuggling is sometimes difficult to prove, but the smugglers will want their money in the regulated financial system. The mandatory questionnaire at account opening will ask “Why are you requesting this account?” They will probably not write down “Drug smuggling!”, because a wag who tries doing so will quickly realize this does not successfully result in a bank account. So they will write any other answer. Now they have lied to a bank. 

And then, in the ordinary practice of U.S. prosecutors, you will charge them with any crimes you can prove, including the lie itself. And if you are able to demonstrate that it was in fact a lie, which is easier to prove than e.g. rolling up the entire drug smuggling network, you will then make a simple legal request: give us all the money you lied about. That request will be more directed at the banks than the criminal, and the banks will comply, with alacrity.

Sam Bankman-Fried: SBF continues to believe he is innocent. His argument is, effectively, that being the best investor of his generation excuses stealing the principal to invest. That is not a defense in U.S. law, and the indictment charges fundamentally the same conduct (misappropriating money and crypto investors had on deposit at FTX) under a variety of statutory pathways, including 18 USC §1343 (wire fraud), §1344 (bank fraud), and §1956 (money laundering conspiracy).

Let’s focus on the bank fraud. One part of SBF's criminal empire needed banking in the United States. They could not convince a U.S. bank to let them handle FTX customer funds flows. But they wanted to do that. They incorporated North Dimension, a shell entity. Some shells have legitimate business purposes; this one existed only to deceive. North Dimension filled out a due diligence questionnaire. SBF signed it. It said North Dimension traded on its own account and did not handle customer funds.

You need two bits of evidence to convict SBF of bank fraud. The first fits on one page of paper held by one bank. The second is the answer to a single question: “Did at least one dollar of customer funds flow into the North Dimension account?” Thousands of people at dozens of companies, and hundreds of thousands of electronic documents, know the answer to that question and you only need to find one. A single word convicts.

Other charges can stack on the bank fraud. SBF deployed rationalizations about the core fraud counts like a squid deploys ink. Defeating all of them is unnecessary. A money laundering conspiracy requires showing agreement to a) move money that are the proceeds of at least one of a set of “specified unlawful activities” and b) any act to corrupt the integrity of the paper trail about that money movement.

Bank fraud is a specified unlawful activity.

And so you only need one more sentence to get the second charge. Many many sentences will do. Here’s a question to elicit one: “Caroline Ellison, you are a cooperating co-conspirator. During the duration of your conspiracy, while you were the CEO of Alameda Research, did you at any time direct the North Dimension account to move money on behalf of Alameda Research, knowing that by this direction banking records would reflect the money movement to be directed by North Dimension and not by Alameda Research?” A single word convicts.

SBF was, properly and justly, convicted of all of these crimes and more.

He was not the first and he will not be the last. A brief survey for fellow aficionados of this genre:

Dennis Hastert was accused of horrific acts against children but indicted for other crimes. He could not have been successfully prosecuted on the abuse even with a confession, because it was time-barred long before it came to light. 

Hastert paid one of his victims to keep him quiet. He was smart enough to make the payment in cash, but the system was smarter sooner, and made a trivial tripwire for attempting to move large amounts of cash out of the regulated banking system: your bank files a currency transaction report (CTR). Apprised of this, he changed his banking patterns to avoid the filing of a CTR. That is called “structuring” and it is a crime under 31 USC §5324(a)(3).

When the FBI asked him about it they used another frequent prosecutorial tool to pick up a freebie. They asked why he had changed his banking practices. He did not say “To structure transactions to avoid the bank filing a CTR when I pick up hush-money.” Instead, he agreed with the agents suggesting that perhaps he distrusted banks and simply wanted to keep hundreds of thousands of dollars of cash on hand. This gave the prosecutors a second charge of lying to federal officials. 

In a routine practice, they agreed to dismiss it if he would simply confess to the structuring. The implicit Or Else: “We go to trial, convict you on both, and you get a longer sentence both because the charges stack and because the sentencing formula will mechanically penalize you for this choice.”

Reggie Fowler was the U.S.-based partner of a payment processor which ripped off Tether. It will still be years before we unravel that ouroboros of crime. But that didn’t need to delay the indictment, because he lied to banks that he was doing real estate development. Trivially a lie; his hundreds of millions had bought neither land nor buildings. Our old friend §1344 brought his new bestie §1343 (wire fraud), not because he defrauded Bitfinex/Tether but because he had caused his ill-gotten bank accounts to move money. Every movement is another crime.

George Santos was indicted for a variety of abuses of the public trust. Prosecutions of elected officials are inevitably tricky business, particularly as finding the precise line between crime and politics-as-usual is contentious. (Many people seem to think that line should move radically every, oh, four years.) 

Happily, we have bright lines which don’t move, like “don’t steal credit cards” (§1028A). You can convict on that without needing to explain whether it was done with a gun or a political donation portal.

Then you stack on wire fraud again, because we intentionally make it hard to spend directly on oneself from politics-adjacent pools of money, and so you need to move money at least once to enjoy it.

Why do these indictments, and hundreds more, rhyme so much? Why can we employ these charges to such devastating effect against the rich and powerful, even those in positions of public trust, even those with allies who still love them? Because we maintain textbooks of how to make these cases and make them stick.

White collar criminal cases are like any other high-end bespoke services work. One could imagine that the production function is fully artisanal, like something out of a traditional French restaurant.

You, an aspiring lawyer, labor for years under the eye of a terrifying supervisor. He periodically steps behind you, rips a brief from your hands, screams at your incompetence, and you have learned one new thing. After twenty years, you now write your own indictments. They bear his distinctive stamp but your signature. You have added your own spin, which you will pass on to the rising generation, via the traditional mix of hazing and hands-on instruction.

This happens. But in law, as in restaurants, we are allowed to write down recipes and tell people to just follow the steps.

For example, we in the financial industry are obliged to file Suspicious Activity Reports (SARs). These are basically three-ish page memos. Combined with statutory tools such as those discussed above, these memos will giftwrap charges and convictions. They get saved by the Financial Crimes Enforcement Network (FinCEN) for decades and some small fraction of the four million filed every year will eventually be read by a public servant.

The bank pays the screening vendor which fires the alert, the bank pays the intelligence officer who reviews it, the bank pays the senior compliance analyst to spend a few hours collecting data from various employees and web applications into a single coherent narrative. And then the public pays the prosecutor to copy/paste the SAR into an indictment. (Accept this as a slight exaggeration, but if you can’t name a paragraph lifted from a SAR into a federal criminal indictment, you will be able to in about five minutes.)

FFIEC BSA/AML Examination Manual: 

One purpose of filing SARs is to identify violations or potential violations of law to the appropriate law enforcement authorities for criminal investigation.

…

Examples of agencies to which a SAR or the information contained therein could be provided include:

• the criminal investigative services of the armed forces
• the Bureau of Alcohol, Tobacco, and Firearms
• an attorney general, district attorney, or state's attorney at the state or local level
• the Drug Enforcement Administration
• the Federal Bureau of Investigation
• the Internal Revenue Service or tax enforcement agencies at the state level
• the Office of Foreign Assets Control
• a state or local police department
• a United States Attorney's Office
• Immigration and Customs Enforcement
• the U.S. Postal Inspection Service
• the U.S. Secret Service

A diligent public servant is welcome to use FinCEN’s database to get additional information on the subject of an existing investigation. But FinCEN will happily tell you the other sequencing works fine: trawl the database “proactively.” Most SARs are not evidence of crime! But if you have the choice between doomscrolling Twitter and doomscrolling the SAR database, one is much more efficient at converting into prosecutions. Their phrase for this is proactive SAR review and they have twenty volumes more if you are interested.

Very few Americans not professionally implicated in this surveillance regime understand it exists. FinCEN employees and bank compliance officers depend on it for their continued employment, and so it might be understandable why they are such effusive fans. But the regime does have informed critics, including occasionally this author.

One critique is that this regime is functionally an end-run around the Fourth Amendment. Civil libertarians have made this point for decades, but never with the economy of phrase as the U.S. Immigration and Customs Enforcement (ICE) internal magazine Cornerstone’s article The Currency Transaction Report: Controversial To Some—Essential To All.

Why is the CTR so useful to law enforcement, ICE?

ICE: ICE special agents utilize CTRs to establish links between individuals and businesses, and to identify co-conspirators and potential witnesses. This information is often utilized to meet the 'probable cause' requirement necessary to obtain search, arrest and seizure warrants.

Is this surveillance regime narrowly tailored?

ICE: ICE conducts approximately 1 million record checks of BSA data each year.

If a libertarian were scripting you right now they’d ask you to say that innocents have nothing to hide.

ICE: Individuals and businesses conducting legitimate transactions have no reason to avoid the filing of CTRs.

Yikes. Say, did you ever articulate the intentional double-bind twenty years before Bits about Money did?

ICE: However, criminals are forced to make a choice between appearing to be a legitimate customer, thereby exposing their assets and money movements through BSA reporting requirements, or engaging in risky, illegal actions to conceal the movement of their funds.

Wow, it seems like this field is filled with carefully laid traps that function exactly as designed. Did you by chance happen to publish the Hastert prosecutorial strategy ten years early?

ICE: Suspicious attempts to avoid the filing of a CTR by structuring cash deposits (making a series of deposits just under the $10,000 reporting threshold over a number of days) is a significant red-flag indicator of criminal activity and one of the most frequent triggers for the filing of a SAR.

Which brings us to the Southern Poverty Law Center (SPLC).

On April 21st, 2026, the Department of Justice unsealed an indictment of the SPLC for bank fraud.

The SPLC is a storied civil rights organization. Like many non-profits, it runs a portfolio of what are sometimes called “programs” under a single roof. One of those programs is producing a data product listing individuals and entities that it considers to be involved in hate and anti-government activities. 

That data product is important financial infrastructure, and we will return to it in a moment.

The SPLC runs a private intelligence service to produce it. The SPLC has in the past paid informants, who it describes as “field sources.” Those informants are generally members of what it describes as domestic terror organizations. The existence of this program has been public knowledge for decades.

It is unlikely that any magistrate in the United States would approve a warrant to search the bluest-of-blue-chip civil rights organization's papers on the suspicion that they have created a fictitious CIA to launder money to the wife of an Exalted Cyclops of the Ku Klux Klan. Are you not aware, officer, that the reason this organization is in high school history texts is they developed a novel civil litigation strategy to bankrupt the Ku Klux Klan? You will not get your warrant. You would be lucky to escape court without a citation for contempt or an order for psychiatric commitment.

Well, good thing nobody ever had to ask for that warrant.

Banks don’t need warrants to become quite alarmed when they discover that they have created an account for the Center Investigative Agency and several other sole proprietorships for the same person… and those businesses don’t receive revenue, run payroll, buy office supplies on their debit card, or rent office space. No, the only thing they do is take large deposits then transfer out hundreds of thousands of dollars directly to, Great Scott, the worst people imaginable.

Substantially every employee of the financial industry, CEO or teller or product marketing manager that they may be, is obligated to attend a yearly training on their BSA compliance responsibilities. That training customarily requires you to pass a test. If that test stipulated this scenario and then asked what the financial institution must do next, there is only one correct answer: Conduct an investigation, close the accounts at issue with very high probability, and file a Suspicious Activity Report.

We return from this flight of fancy to the indictment. Excerpting verbatim:

Starting in the 1980s, the SPLC began operating a covert network of informants who were either associated with violent extremist groups, such as the Ku Klux Klan, or who had infiltrated violent extremist groups at the SPLC's direction.

If one does not closely follow this community of practice, one could be forgiven doubting whether prosecutors are being candid here. This claim does sound farfetched. The indictment, in this paragraph, is neutrally recounting the truth. The SPLC is proud of that program, which it ran for decades. NPR’s gloss:

The indictment came shortly after the SPLC revealed the existence of a criminal investigation into its disbanded informant program to gather intelligence on extremist group activities.

Well, OK, they ran an intelligence agency. One can construct a narrative by which that makes some tactical sense. Sure.

How did they get a bank to go along with making payments to people who the SPLC has spent decades attempting to make it impossible to pay. Did they perhaps… lie to a bank?

Indictment:

To secretly funnel donated money to the Fs, individuals at the SPLC, including a person who would become the Chief Financial Officer ("Employee-1") and a person who would become the Director of the Intelligence Project ("Employee-2"), among others, opened a series of bank accounts at Bank-1 and Bank-2 in the name of various fictitious entities, including, but not limited to, the following: Center Investigative Agency ("CIA"), Fox Photography, North West Technologies ("North West Tech"), Tech Writers Group ("Tech Writers"), and Rare Books Warehouse ("Rare Books").

Oh dear, SPLC! It would be extremely bad for you if you had in fact opened accounts for businesses which do not actually exist, then used them to move funds! Perhaps you can just pray that the feds never find out? … The bank is quite likely going to find out, though. Some bank accounts have red flags. These red flags have bank accounts.

Indictment:

In 2020, Bank-1 conducted an internal investigation into these accounts.

Oh that’s… unsurprising given the asserted facts. Well, your options are diminishing rapidly at this point.

Hey quick intermission: want a surprisingly reliable way to combat credit card fraudsters, drug dealers, and the like? First, you identify one of their accounts which is definitely committing crime. Usually they have lots of these and cycle through them quickly. They are often opened with synthetic or stolen identities. Burning the identity doesn’t get you all that much; they have thousands to cycle through. So just freeze the money in the account. Then, rely on human nature: nobody likes giving up “their” money. So compassionately offer to help them out, by offering to transfer the money from the frozen account to another account they control. We just need your quick written instruction to send your money to your other account, sir.

Indictment:

Thereafter, an SPLC employee requested that Bank-1 close the accounts associated with the CIA, Fox Photography, North West Tech, and Tech Writers and transfer the remaining balances in these accounts to a Bank-1 account ending in 6050 held in the name of the SPLC.

Industry practice varies on whether you give the user their money back before filing the SAR.

There are some grey areas in practice. You can’t return the money if you understand the user to be e.g. Hamas. You might be able to return the money if you understand the user to be e.g. engaged in unsupportable but debatably legal behavior. 

“Unsupportable” here is a term of art: the institution, in its considered judgement, cannot allow it to happen on systems it controls. Many legal acts are unsupportable, and a determination of supportability is not and cannot be coextensive with a criminal conviction. Compliance officers are not federal judges and are happy to defer to them.

Please, we beg you, do not ask Compliance to run a parallel criminal justice system. We will do it if you force us to, but you will not like the outcome.

One of the functions of getting an explanation in writing from the SPLC (we will get to it; it is a doozy) is the financial institution seeks to absolve itself. Did we open accounts for cutouts to a domestic terrorism organization? If we did, *#%(, our regulators need to hear about that today. But this admission can be shared with a later regulator to say “We were unaware of the actual ownership of the accounts when opened and for ten years of use, which we agree is bad. We then executed our responsibilities with urgency. On the strength of this communication from the SPLC, which is not a terror organization, we decided to not immediately call you, and instead relied on the ordinary processes of our Compliance function. We will listen attentively if you feel we were ever derelict in our duties.”

One of those duties: a financial institution must, as a matter of black letter law (31 CFR § 1020.320), file a SAR if its investigation discovers a transaction designed to obscure the provenance of money. Transactions, by their nature, reference the account title (ownership, which could be by a e.g. company or trust) and beneficial ownership information (the ultimate people who have economic interest in the account). Any transaction conducted by an intentionally mistitled account is immediately and mandatorily reportable as soon as the financial institution has knowledge of this fact.

Alright, options for the SPLC are narrowing precipitously, but perhaps it can argue that those two employees, senior though they might be, were acting rogue? Or perhaps they could argue that the SPLC was institutionally unaware of the specific financial infrastructure its employees had created to support the SPLC’s intelligence program?

Indictment, quoting the President and Chief Executive officer of the SPLC, to the bank:

Pursuant to the discussion we had earlier this week, please let this correspondence serve as confirmation that the accounts listed below were opened for the benefit of Southern Poverty Law Center operations and operated under the Center's authority. The following accounts are listed below:

...6700 Center Investigative Agency — opened 1/31/2008, closed 8/5/2020

...9674 Fox Photography — opened 1/31/2008, closed 8/5/2020

...6743 North West Technologies — opened 1/31/2008, closed 8/5/2020

...6751 Tech Writers Group — opened 1/31/2008, closed 8/5/2020

...6719 Imagery Ink — opened 1/31/2008, closed 3/15/2013

...6727 J&J Electronics — opened 1/31/2008, closed 3/15/2013

...6735 Kelly's Marine — opened 1/31/2008, closed 3/15/2013

There are a variety of ways for the DOJ to get the CEO’s email. It may have been attached to a SAR, and therefore filed automatically with FinCEN. The other way, of course, is to pivot from a SAR (or any other reason to open an investigation) to a request that the bank produce records. Subpoenas are not strictly required; that document exists to exonerate the bank. A financial institution, concerned it is falling under negative government attention, might proactively offer to share what they know.

In any event, the feds got what they needed.

This written communication is a succinct confession to bank fraud.

There are multiple different ways to charge it, as we have seen. The indictment went with §1014. And if the SPLC admitted to bank fraud, then the transfers are wire fraud. And if the transfers were wire fraud, then the… you’ve seen this movie before and it ends predictably.

I do not expect this conclusion to be a happy one to all readers. I believe it to be correct.

There exist lawyers who say that the legal analysis in the indictment is sloppy. That statute is a weapon. Weapons wielded sloppily hit the target all the time. A weapon that only works when wielded perfectly is poorly designed.

Some commentators have implied theories that, for example, §1014 only applies to applications for loans. Excerpting the statute:

Whoever knowingly makes any false statement to… any [FDIC-insured institution]... upon any application… shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.

This is extraordinarily broadly drafted, by design.The long list of alternatives to application includes loan, and as a basic principle of statutory construction, this means that Congress considered limiting the list to only loan applications and then intentionally did not do that.

In Wells, the defendant sold something of value to a bank, rather than borrowing money from them. (Turns out copiers print money, in a sense; you can sell the future revenue stream.) The lie was a relatively tiny detail relevant to the pricing discussion. Wells was prosecuted under §1014. The controversy was not “Does §1014 allow prosecution outside of loans?” Yes, read the plain text of the statute. But the holding is as interesting as the data point. Can you be convicted of fraud over a tiny lie? The Court held there is no materiality requirement under §1014. You can be convicted of fraud for a lie that doesn’t matter if you tried to influence any decision of a bank.

Some have advanced the notion that the account application is misleading but not false. This matters due to Thompson, decided last year by the Supreme Court, which holds that §1014 doesn’t cover misleading but true statements. Consider what happens when the prosecutor summons a senior SPLC executive to the stand and says: “So, Fox Photography, which you ran as a sole proprietorship. Did you buy a camera? Did you advertise? Did you file for a DBA? Did you make a website? Does Fox Photography have any activities other than this bank account application? You had three other businesses. Which of them did anything other than obtaining banking services?”

Some believe, plausibly, that the prosecution is politically motivated. Others might counter that the SPLC is the nation’s leading expert in lawfare and has just discovered sauce for the gander. Still others might believe both claims. Or they might believe “This looks like retaliation for the SPLC coordinating a coalition to interfere with Trump political fundraising,” which is not the way coalition participants say the SPLC gained his enmity [archive]. We will return, at length, to the activities of a coalition the SPLC co-founded.

Many commentators have argued that this program has been discontinued. Yes, bank fraud will frequently cease after its discovery. That is definitely a goal of this apparatus, and is almost definitionally true. Almost all white-collar prosecutions will happen after the conduct giving rise to them has ceased. The financial industry would certainly be chagrined to learn about a live fraud happening on its rails from the indictment. (That does happen; we have processes to detect it happening and then immediately investigate accounts associated with entities that were just indicted. We will discuss how data products and screening infrastructure function in substantial detail below.)

The industry as an institution expects its supervisors in government to bring these cases, all the time, against targets that have many friends, positions of authority, extremely competent defense lawyers, and sincere belief that they are innocent of any real crime. The government expects, as an institution, to be overwhelmingly advantaged in these cases.

Many commentators, including the government itself, have made this indictment mostly about the fraud against donors. Many believe that argument to be a stretch. I agree, unreservedly. As a connoisseur of this genre, I have read few documents which are simultaneously so far from the conventions while adding so little new to the canon.

It is a stretch that the government routinely makes and wins in other contexts. Matt Levine has collected several hundred examples of the genre, which he calls Everything Is Securities Fraud. That genre is, succinctly, “If you run a for-profit corporation, and have raised money from outside investors, and anything at all goes badly, and you did not describe exactly that thing to the investors as a risk, you have arguably defrauded your investors.” The government is comfortable making that argument and wins it routinely. 

Perhaps Everything Is Donor Fraud. Perhaps not.

But, again, the design of this system is so you don’t have to prove the hard crime, the one where you’re being creative and taking some risks and pushing the envelope. You only have to prove the easy one, in exactly the same way hundreds of cases have won before. You will then use the spectre of conviction for (minimally) that as procedural leverage, and your target will likely settle.

Absolutely textbook.

A brief break from the SPLC’s situation. We’ll return in a moment. I had promised you a discussion about how the financial industry uses certain data products, including one published by the SPLC. We will begin with the canonical example of a data product.

As BAM has noted in discussing so-called debanking, the United States does not maintain a secret blacklist of people who can’t gain bank accounts. It maintains a public one.

Regulated financial institutions must deterministically reach the correct conclusion about accounts or transactions where they benefit certain people and organizations. That blacklist is called the Office of Foreign Asset Control (OFAC) list of Specially Designated Nationals (SDN). In broad strokes, this is a blacklist for foreign terrorists and narcotraffickers. (Banks aren’t the only people who can’t transact with the OFAC list. Reader, if you are an American, you can’t either, under penalty of law. But enforcement action is concentrated against banks et al because they are a, how might one phrase this, choke point for money movement.)

In theory, every time a bank opens a student checking account, it can have a bank employee mosey on over to the OFAC website, search the list in real time, and then determine that the prospective customer, yep, isn’t on the OFAC list. This is quite impractical and unlikely to be considered an acceptable set of controls by a regulator unless it is the smallest-of-small-town community banks.

You could write your own software to periodically download the list (yep, we just publish the files) from OFAC, and then compare new accounts and in-progress transactions against your recently-synced copy in your database. Most financial institutions do not choose to do this. It is fiddly, extremely high downside if you get wrong, and has zero financial upside if you do a better job than “minimally adequate.” Also, you have to do it many times redundantly across hundreds of functions of your financial institution. Checks, wire transfers, accounts payable, even your employee giving program! This set of considerations spells “outsource this function.”

The jargon for the function is “OFAC screening” and the company or companies which the financial institution engages to handle this are selling “data products.” You will work with your vendors and your internal IT teams to integrate those data products (which might be APIs, or platforms, or similar) with your other IT systems.

Then you turn everything on. Presto! You get alerts sent to Compliance if someone appears to be OFAC-listed. One of the large team of intelligence analysts you are forced to hire will be instructed to click through alerts as they stream by. The interface frequently resembles a Twitter feed from the most boring possible circle of hell. 

Your analyst will tell the system to ignore the false positives (extremely common relative to true positives, but you basically have to look at every one) and action the true positives. “Action” here means close the account or block the transaction. A close synonym is “decision” the account.

If you’re technically sophisticated, you can probably configure your screening vendor to pass alerts off to some combination of heuristics, machine learning models, and other AI techniques before they are sent to a human. Alert fatigue is real and dangerous. You can decrease it by automatically decisioning low-risk accounts/transaction, based on criteria acceptable to your regulator, which you will write in your policies. Perhaps you have recorded that you have a U.S. passport or other evidence of citizenship on file for the account holder and therefore it is vanishingly unlikely they are the SDN whose citizenship is Farawayistan even if the names look similar. You might reasonably argue that, for retail accounts that are incapable of moving large amounts of money, that is good enough.

A bit of engineering and Compliance jargon: this architecture is a pipeline. An alert enters the pipeline from your screening vendor. It goes through some automated decisioning and routing to end up in a particular queue for a particular team of analysts. They decision the alerts which will, in some cases, be the end of it. In other cases, this will result in a new type of entry in a new pipeline, perhaps to effect the series of actions one must take to offboard an account. Pipelines are serviced by a mix of technical and human systems, and governed by both computer code and process documents written in English. Both the code and the documents are subject to review from your regulators. (They are far more likely to read the documents than the code, but they have essentially carte blanche to ask Compliance for anything they want that describes e.g. the OFAC pipeline, and Compliance will probably not push back very hard. Keeping a positive relationship with regulators is a very large portion of their job.)

The OFAC list is the canonical data product, but your screening vendor really wants to sell you several. Can you charge for a list the government makes freely available? Absolutely! Because the screening vendor isn’t simply charging for the list. They are charging for a complex technical and human system around the list.

One factor among many: you expect the list to change and you want them to be in charge of making sure you always have a very recent version. You also want them primarily in charge of understanding the e.g. regulatory environment around their data products. If one of the products goes from advisory to mandatory, you want to learn that from your vendor before you learn that from a pissed-off examiner wondering why you didn’t read the bulletin two years ago.

Some data products have very different characteristics than the OFAC list.

One example, alluded to above, is repackaging criminal indictments into a screening list. You might bank Bob’s Autos. If Beneficial Owner Bob is indicted as a money launderer for the mob, you want to know that very quickly so that no one e.g. drives off with the balances in Bob’s Autos’ accounts.

But you don’t have to close an account if someone is indicted, not like you have to close the account if they’re added to the OFAC list. It’s a judgement call, and you’ll have described your decisionmaking process for it in internal procedures documents, and your regulator will have blessed them. So one of your intelligence analysts gets the tweet-sized version of the indictment from the pipeline, reads “Misdemeanor assault”, and probably decides “Bob’s in trouble, certainly, but still supportable.” Or they read “Felony bank fraud” and that analyst very likely kicks off an internal investigation. Or, and again this is the dominant case, Close As False Positive. Turns out there are a lot of Bobs in the world who own car dealerships; that Bob was not our Bob.

Another data product is so-called “adverse news” screening. This one is not an extension of state power like the OFAC or prosecutorial lists, not directly. You have much more discretion on whether you buy it than you have on OFAC screening. But your screening provider might have gone to the trouble of licensing wire service articles or newspaper feeds or the Twitter firehose or similar. They repackage it and match e.g. mentions of colorful local businessmen (a classic newsroom euphemism for “mob, but we can’t prove it and he has lawyers ready to sue for defamation”) to your accountholders. If a colorful local businessman is reportedly on the lam and feared to have left the country, and then he asks for an international wire transfer, you probably don’t want to simply process it.

And now the data product you’ve been waiting for: the SPLC Extremist Files. Like the OFAC list, it’s available for free on their website, but there do exist screening providers which will happily charge you for it. Part of that work is for scraping, part of that work is for e.g. matching names to e.g. charity EIN numbers, etc. Your screening vendor will happily tell you, though, that the data product they’re selling you is really SPLC’s considered judgement, packaged in a way that makes it easy to include into your pipelines.

Why would you buy this data product? In part, it is because the financial industry broadly considers the SPLC an extraordinarily trustworthy non-profit. It is widely believed that if they say you’re a Nazi, you’re a Nazi, and we don’t want to do business with Nazis. Financial institutions, like other firms in capitalism, have broad discretion (with some specifically enumerated exceptions) in choosing who they do business with.

An aside to conservative and progressive critics of the SPLC: yes, I know, they are not as selective, restrained, and expert as their reputation suggests. But please accept for the moment that the financial industry understands this less well than you do.

One citation for the industry broadly considering the SPLC reliable and being aligned with their views on the good: JPMorgan Chase, the largest bank in the U.S., practically a metonym for conservative-as-a-banker, gave them $500,000 specifically to "work in tracking, exposing and fighting hate groups and other extremist organizations."

If you were to have a thousand conversations in the financial industry about non-criminal clients you don’t want to do business with, you would hear the SPLC cited more than any other group or data product. 

Some of the most established screening providers do not carry the SPLC data product, though they have data products which compete with it. The SPLC has in the past criticized those providers by name:

World-Check is often criticized by civil rights organizations, advocates, and experts on international terrorism for bias and misinformation that can result in the blacklisting and de-platforming of legitimate charitable groups. The commercial nature of World-Check, its lack of coordination with civil society organizations, its use of unsubstantiated data, and its lack of transparency make it a highly problematic tool to screen out hate. 

In substance, the SPLC’s complaint is that our competitors list people we wouldn’t, don’t list people we would, and we’re just better at this. Which, fair enough, everyone is allowed to have an opinion.

How did we arrive at the position where financial institutions clamored for their data providers to offer SPLC screening? Marketing and sales are skills and the SPLC is very, very good at them. Also, again, read a history book of your choice; they picked a fight with the KKK and won. If you get a reputation for doing that for decades and also have an aligned product many customers feel the need for, sure, they will want to get it from you specifically.

That is not the only reason why many people in tech companies, financial infrastructure companies, and banks are intimately acquainted with the work of the SPLC. We will return to the other reason in a moment.

But, what does your SPLC pipeline do? Depends! Perhaps alerts go to an analyst, who checks it for false positives (yep, hits will frequently be false positives), and in the case of true inclusion you have a spirited debate within your firm. Perhaps some people argue that even Nazis need to eat, and to eat you need money, and that on balance the marginal harm of giving this particular Nazi a checking account is outweighed by the social utility of their children not starving to death. You are consuming the SPLC’s data product on an advisory basis; your firm retains full control of decisioning.

Or you could configure your pipeline to automatically deny services to anyone the SPLC lists, either by operation of computer code or by the programmatic-but-in-the-sense-of-directing-humans way that many processes still work in the financial services industry.

Jeff Bezos, in Congressional testimony, describing Amazon's reliance on the SPLC data product for AmazonSmiles, a now-discontinued charitable product they offered:

"We use the Southern Poverty Law Center data to say which charities are extremist organizations. We also use the U.S. Foreign Asset Office [sic] to do the same thing.” 

Bezos was interrupted before he could finish his next thought; you're welcome to read the testimony for full context. He is clearly referring to the OFAC SDN list.

Bezos went on to elaborate that the Fortune 2 company could not operate AmazonSmile without some way to kick out the extremist organizations and that SPLC was, effectively, the only reasonable option. He asked Congress for other suggested data providers. None were offered. (No, really, he did that.)

Let us pause to acknowledge that Bezos, one of the richest men in the world, considers these two four-letter organizations as peers. One of them is created by statute, operates within constitutional and administrative-law constraints, and answers to Congress, the courts, and ultimately the people of the United States of America. It could jail Bezos, personally, for willful non-compliance. And the other is …some people in Montgomery with a very specific interest, whose decisions are subject to review by no court, and whose only power appears to be moral suasion.

Bezos was equally and entirely committed to satisfying both.

Why? We’ll return to it in a minute.

As a longstanding financial infrastructure enthusiast and practitioner, I am confident that SPLC screening is used on an advisory basis in very many sectors of the financial industry. It is also used in a delegated authority fashion for some products at some firms, in the fashion that Amazon used to. In the delegated-authority cases, an SPLC hit kills an account application or transaction as cleanly and automatically as an OFAC hit does.

Perhaps that strikes readers as implausible, even after you just heard it in sworn testimony to Congress. I offer to you publicly documented examples, frustrated that they all cluster in a small set of the vast panoply of financial products. There is a reason for that clustering, related to the SPLC’s marketing and sales motion, and we will discuss it in a moment. A warning: if you assume the public examples are fully representative of the SPLC’s delegated authority you will materially underestimate how much actual power the SPLC has over financial infrastructure.

Many employers in the United States offer a perk: if you donate to charity, we’ll match what you donate, up to some dollar amount and subject to some restriction. This is, morally, compensation, just like the salary is compensation, just like the 401-k match is compensation, just like the healthcare benefits are compensation. Firms use specialist providers of financial services to run payroll, administer 401-k plans, and deliver health insurance.

Deed offers a workplace giving program as a service (WGPaaS? We’ll workshop it.) Some Deed customers are banks, and so they have a ready answer [archive] for your Compliance people on the work Deed already does on your behalf: Continuous Monitoring: Stay protected with up-to-date screening against sanctions and regulatory watchlists, including IRS, OFAC, SPLC, PEP, and adverse media.

One of these acronyms is not like the others.

This perk is quite popular in banks, who have been trying to shake the heartless image since the Medicis, and who want people to feel good that they teleport value through time and space but also really and truly care. So some financial institutions in the United States, possibly without knowing it, may have, in delegating authority to Deed to decision requests for compensation, indirectly delegated it to the SPLC.

I assume, as enterprise-grade software, that many workplace giving programs have many levers available to customers if they want HR to review every match of a $20 donation to someone’s parish. As a self-evident statement of prioritization: no, HR does not want to do this, at all, ever, please stop wasting my time, configure it the way you do for every other bank. Do you expect Customer Success to press on and say “Nope, sorry, not enough to proceed. Is being able to donate to Nazis important to your employees?”

An observation from someone who worked in the marketing department of a financial services company: features on the industry-specific solutions page are there because customers care about them and not having them is a dealbreaker. So you must offer the SPLC screening to customers. But it is socially impossible to ask whether they want it. Product decision time: what is the default value of the Allow Gifts to Nazis checkbox.

Now, a quiz: do you think Compliance at a bank is neutral on “Can the bank delegate transaction-level decisioning authority, in any part of the business, however small, to an entity under federal indictment for bank fraud? Does the answer change if they are convicted of bank fraud?”

No! Compliance will not let you do that! Not because they are worried about the integrity of the blacklist. An accused bank fraudster has the final say to approve money movement out of a regulated financial institution. That is very likely intolerable to Compliance.

What happens next? Well, remember, when you bought the data product, you were also buying someone anticipating your concerns before you even voice them and preparing options before you ask. Jeff Bezos’ words echo in San Francisco today: Does anyone know another option?

Deed is not an outlier in workplace giving programs. 

Groundswell? The FAQ recently read “Groundswell does not process donations to organizations denoted as hate groups by the Southern Poverty Law Center.” but changed to “Groundswell conducts due diligence to confirm they meet applicable IRS standards. Clients can also configure their own charitable restrictions within Groundswell, including allowing or blocking specific organizations or categories of organizations, in accordance with their internal policies.” 

No prizes for guessing the default.

Millie? Blog: "Vetting nonprofits can be a time and labor sensitive task… That is why vetting is typically left up to the experts at SPLC. All vetting for the Millie database is even through the SPLC!” [sic throughout] [archive]

And, again, you are reading the tip of the iceberg. There is much more use of the SPLC list in the financial industry, in much more important products than workplace giving.

Why is it so easy to find public evidence in giving programs but not of SPLC blacklisting in e.g. life insurance or wire transfers or options trading?

The SPLC and its allies bootstrapped a consensus in their core community of practice, non-profits and the supply chain that funds them. I will describe the shape of that consensus without making specific claims about truths. It is: either you’re screening charitable donations for hate funding, or you are a monster. You will not attend our parties. You will not get our retweets. You will be iced out of the flow of money, because we have friends at Ford. One phone call and Open Society is closed to you. And then good luck paying your staff. We have spent our professional careers getting very good at delivering social consequences through tightly coordinated coalitions. Get with the program, or get consequenced.

If you want to understand why the charitable giving world moves in lockstep here, start with the Amalgamated Foundation's "Hate Is Not Charitable." You will find it a project to reconstruct what that did, but the SPLC has a whitepaper with most of the important story beats.

It's a long story, and I would rather tell you a different story, about how the SPLC formed a coalition to gain account- and transaction-level decisionmaking capability at tech companies, financial infrastructure firms, and banks through a coordinated pressure campaign.

Parts of this story are abundantly reported in public. Parts are extremely well understood in the organizations that the SPLC’s coalition repeatedly persuaded, cajoled, or threatened (pick your favorite verb for the moment).

Some parts of the story are original public interest reporting. What is the public interest in candidly recounting the exercise of power over Nazis? Because they did not stop once they achieved power over the Nazis.

One coalition of non-profit organizations ran an organized pressure campaign against industry, for years. It started in 2017, with the SPLC and another non-profit informally coordinating. It intensified and formalized in 2018, under SPLC co-leadership. It escalated sharply in 2020 and 2021.

The campaign had two main components. The first was public advocacy and communications work. The second, less visible but more consequential, was a series of meetings with industry. Hundreds of meetings. With a specific target set of companies.

The campaign's declared aims were three. To convince those companies to censor more communications the coalition characterized as hate. To blacklist organizations and individuals the coalition characterized as promulgators of hate or violence. And to interdict the flow of funds to those blacklisted parties.

The coalition claimed to be non-partisan. Be on the lookout for mentions of “non-partisan,” because it is a word the coalition understands differently than I do.

The coalition calls its targets “Internet companies” and relies on government, media, and the public to not read the fine print. In it, they define Internet company mendaciously to include banks, credit card processors, and any other financial infrastructure their enemies could touch. The coalition was going after posts, but it was also and primarily going after money. I will use the language “industry participants” going forward to identify who they met with.

Industry participants included Facebook, Twitter, JPMorgan Chase, Visa, Mastercard, and many other firms. Some were among the largest companies in the world. Others had fewer than 10 employees. (I estimate headcount based on published reporting and industry experience.)

Stripe was an industry participant. I was employed at Stripe continuously from late 2016 through early 2023, covering the entire period under discussion. I remain an active advisor to Stripe. Stripe does not necessarily endorse what I write in my personal spaces.

This series of hundreds of meetings involved hundreds of employees from industry participants. Those employees included C-suite executives and managers and individual contributors across a host of functions. Those functions included communications, legal, government affairs, Trust and Safety, and compliance professionals.

Meeting notes were frequently kept, and sometimes widely circulated, as is the routine practice in industry. The meetings were documented on calendar invites (often with full participant lists), shared docs, attachments, emails, and other contemporaneous records. In the ordinary practice of industry these primary documents distribute themselves promiscuously into secondary documents; think of an email being screenshot to paste into a PowerPoint to discuss the response in a meeting. Records exist on conservatively hundreds of systems and can be accessed by many more than 10,000 people.

No employee of an industry participant I have spoken to, familiar with the contents of the meetings, was willing to provide quotes for publication with their name and corporate affiliation attached.

Their reasoning included not being authorized to disclose private information, fear for their personal and corporate reputation, future career consequences for leaking, personal consequences for being identified adjacent to national political controversies, in some cases fear for their physical safety, and in some cases unwillingness to betray a cause they personally support.

Industry participants recount the tone of the meetings differently, and as varying over the meetings. Some meetings were strained-but-professional. Sometimes the coalition participants were described as demanding and “hectoring.” Industry participants report abusive remarks towards their companies and to the people in the meeting.

Industry participants were repeatedly told that if they did not accede to demands they would be profiting from evil, complicit in the death of innocents, or benefitting from white supremacy. The innocents claimed to be at risk were often specifically identified as black, including during a period of intense societal concern for the lives of black Americans specifically. Industry participants were told that they wanted this. That they were taking “blood money”. Industry participants repeatedly felt personally attacked, in ways and using language not normative in their professional experience.

On the account of multiple industry participants, coalition participants explicitly held individuals in the meeting personally responsible for the actions of their employers. This was aimed at individuals with substantial influence and authority in companies, and also at junior employees.

Industry participants describe the coalition participants as threatening their employers, openly and by implication.

The most commonly described threat was coordinated negative public messaging with the goal of causing reputational harm to the industry participants. Feared comms outcomes ran the gamut from heavy mainstream media coverage to a Twitter pile on. Twitter is real life, particularly when a large and vocal contingent of your employees use it and Slack simultaneously. Ever been pulled into a meeting over a single customer tweet then burn weeks on managing the fallout? Count yourself lucky.

Less commonly, the industry participants perceived they were being threatened with adverse legislative, executive, or regulatory action indirectly by coalition participants who are reasonably read as exercising substantial political influence. Industry participants sometimes report that coalition participants flaunted their political influence.

Industry participants were repeatedly told that if they did not accede to specific demands, they would share the blame for future deaths. Bits about Money has reviewed contemporaneous records which unequivocally make this claim, authored by coalition participants. We note that this echoes language the coalition routinely puts in press releases, Medium posts, and similar artifacts after presumptively careful review of the phrasing. The coalition was inconsistently disciplined in phrasing in documents we have reviewed, and we decline to quote their phrasing, in part, out of charity.

You will share the blame. We will hold you responsible.

The coalition has publicly and voluminously described their own understanding of what was said in those meetings.

Where employees of industry participants dispute their characterizations, I will characterize broadly what some employees of industry participants have said, to preserve their anonymity. You should not view this as a claim on behalf of all industry participants. Patterns emerge frequently, but I am making no claims about unanimity.

Many left-of-center voices felt that white supremacists had been emboldened by the 2016 election of Donald Trump. Beginning in mid-2017, Color of Change communicates with and meets with PayPal, with the objective of cutting off financial services to hate groups. Color of Change is a civil rights organization which specializes in online organizing.

The Center for Media and Democracy, an aligned non-profit, quotes a senior executive as saying “Let’s be clear: public speech promoting ideologies of hate always complements and correlates with violent actions.”

Industry participants characterize the coalition participants as asserting that speech was inseparable from conduct. Free speech concerns were dismissed and, industry participants report, mocked, including with the dismissive rendering “freeze peach.”

As has been abundantly reported elsewhere, a coalition of white nationalist, neo-Nazi, and alt-right organizations (per voluminous public reporting tracking self-identification) organized a rally in Charlottesville, Virginia. This sparked counter-demonstrations. A rally attendee struck and killed a counter-demonstrator with his car.

Color of Change intensified its existing engagement with PayPal and other industry participants. Rashad Robinson, then executive director, would describe them in detail later, to a podcast on iHeartRadio. Fast Company [archive] approvingly cites that this came after “Robinson used similar tactics to move companies to withdraw sponsorship from the 2016 Republican National Convention.” The Republican National Convention is a get-together sometimes described as a grand old party.

Robinson articulated the coalition’s theory of change: “Power is the ability to change the rules.” The coalition perceived the industry participants as having power, desired power for itself, and took steps to achieve it.

Color of Change swiftly organized what it describes as a social media campaign using the hashtag #NoBloodMoney.

In the wake of Charlottesville, which was shocking in the broader U.S. political environment and perceived as a watershed moment within tech companies, many industry participants made decisions to end services to a variety of groups they felt had violated their policies against promoting violence or extremism. This was sometimes proactively. It was sometimes after receiving communication from activists, either in their personal capacity or identified as coalition participants.

Meetings were, prior to this point, relatively ad hoc. This would soon change.

As mentioned above, the SPLC enjoyed broad trust within the financial industry dating to long before these events. Chase’s donation to SPLC immediately after a galvanizing tragedy could, if one were immensely cynical, be read as a tiny communications expenditure.

Industry participants routinely claimed shock and a sense of urgency after Charlottesville. A grown man once wept in my presence recounting that event. While there is substantial diversity of views among industry participants, many have, in their private spaces, when the cameras are not rolling, when there is nothing to gain, repeatedly described the SPLC to me as being on the side of the angels.

Keep this in mind as the coalition describes industry as being standoffish and foot-dragging.

The SPLC co-led an effort to unify, coordinate, and intensify previously ad hoc organizing actions. Change the Terms (CTT) was a coalition, to its friends, a conspiracy, to its enemies, and an unincorporated association, to a geek with an unhealthy interest in LLC formation. (The only fact I’ve ever retained about unincorporated associations is that they are jointly and severally liable for acts of the members.)

The individuals identified contemporaneously as co-chairing CTT were Heidi Beirich (then-head of the SPLC Intelligence Project) and Henry Fernandez, of the Center for American Progress (CAP).

SPLC’s Intelligence Project ran the private intelligence service and produced its data products. It also produces an annual intelligence estimate, such as the (2024) Year in Hate and Extremism.

(Beirich left SPLC in 2019 to co-found Global Project Against Hate and Extremism (GPAHE) with a fellow SPLC alumna.)

The SPLC characterized the CTT coalition as its own initiative under the Intelligence Project, and not simply Beirich’s initiative, in charitable governance and fundraising documents in the possession of Bits about Money. We cite one such document below, contrasted against later Congressional testimony.

According to documents reviewed by Bits about Money produced by coalition participants, the SPLC participated in cost-sharing arrangements to fund expenses of other coalition participants incurred in carrying out the joint purpose of the coalition. We are unaware of the extent of this practice.

CTT presently describes its most senior members as CAP, Color of Change, Common Cause, Free Press, GPAHE, Muslim Advocates, the National Hispanic Media Center, and the SPLC. There is some ambiguity around who claims founding member status and whether that list has evolved over time. Startup life, I get it.

I will refer to CTT’s primary artifact as the Terms. This document, announced at the coalition’s debut, was foundational to CTT’s positioning (they are Change the Terms). The Terms were sometimes described as recommendations, sometimes as a model Terms of Service (ToS). They were consistently positioned as being for Internet companies.

This is sleight-of-hand. A primary purpose, perhaps the primary purpose, of the Terms is to interdict money movement.

The Terms define “Internet Companies” in a non-standard fashion to include banks, credit card brands, any business of any character which facilitates a transfer of money with a web or mobile interface, and also more central examples of Internet companies. This is in keeping with the coalition’s by-now demonstrated target selection of PayPal (an Internet company) and Mastercard (which predates the commercial Internet by decades).

The SPLC co-drafted the Terms. 

The SPLC referenced the Terms in Congressional testimony as being an extension of the SPLC’s long-running campaign to interdict money movement to targeted organizations.

For decades, the SPLC has been fighting hate and exposing how hate groups use the internet. We have lobbied internet companies, one by one, to comply with their own rules to prohibit their services from being used to foster hate or discrimination. A key part of this strategy has been to target these organizations’ funding.

The Change the Terms coalition existed to coordinate and parallelize execution on this tactic. In addition to nominating targets for existing policies, it extracted concessions from industry in the form of policy changes. The coalition, when minimizing its own power served its purposes, sometimes described all actual decisions as made by industry. The coalition was very candid when speaking with itself, with allies, and with industry participants. The coalition understood itself to have some degree of coercive power, and factually had some degree of coercive power, as we will discuss. It also secured delegated authority, routinely but not universally, as we have discussed.

Industry participants do not consider the Terms to be reasonably characterized as a ToS.

I would say the Terms are an advocacy artifact which adopts the stylization of a ToS without making any effort to be one. A ToS is a binding contract that industry customarily pays professionals to produce or adapt from firm-maintained templates appropriate to young startups. The English-language U.S. ToS of a major tech company has consumed more than 7 figures in bespoke services work, as a rule. The idea that a filesharing service and regulated U.S. depository institution could adopt the same ToS is fatuous on its face.

The purpose of the Terms was to get the meeting and, oh boy, did the coalition get them. I estimate they successfully achieved hundreds of meetings. 

Color of Change’s Robinson was interviewed by Hillary Clinton on her podcast You and Me Both in March 2021. You and Me Both is available on major podcast platforms through iHeartRadio. Readers may recognize Clinton from other work. 

Bits about Money has archived the podcast MP3 file, to make specified quotations findable via timestamps. Many professional podcasts use dynamic insertion of ads, which is good for advertising revenue but bad for reproducibility of timestamps across listeners. Please do not use the archive unless you need these specific timestamps.

Robinson confirms that CoC works with SPLC and that its relevant work began after the 2016 election (29:15).

Episode at 29:30:

We started calling the credit card companies. We started calling these payment processing companies. And you know what they told us? They said, oh, we're with you, but, you know, you have to talk to the banks. And then the bank said, you know, you have to talk to the credit card companies. So we start building the #NoBloodMoney campaign and we start building this platform. And, you know, we're not quite done with it all when Charlottesville happens.

Robinson describes a central tactic of the coalition: identifying particular accounts it wants deactivated, with a consequence if demands are not met. He claims this to have been demonstrably effective.

Multiple industry participants describe the same sequence of events across several invocations of the tactic. I feel it necessary to caveat causality, as described below.

Episode at 30:00:

We have been talking with you [companies] for months. We’ve given you these lists of white nationalist groups. And then within about twenty four hours [of launching the #NoBloodMoney campaign], they start sending us a list of white nationalist organizations that they are cutting off from processing. No law had changed.

Clinton interjects: Exactly.

Robinson locates this within his non-partisan broader political project.

Episode at 28:00:

We really built what I feel is a new strategy. It was focused not simply on resistance, but on opposition. What would it mean to not just resist but to build power, to oppose, so that we could get back to governing, focusing on winning real victories at the local level, while also recognizing that the game was not fair, that the rules were rigged, and that we couldn't simply say that what happened in 2016 was democracy. It was what happened.

Clinton later comments, at 31:20 :

Moving [your advocacy] to the private sector, and corporate power, was an incredibly smart approach.

Industry participants have, compared to anyone else in the world, broadly better information about account status, account history, position in pipelines, and similar. (This is not to say they have total awareness of all information in their possession, or that all employees of an industry participant have equivalent access to information and capacity to understand it. Some organizations tightly silo information internally by role.)

It is easy to infer causality from timelines without that being warranted. One mechanism for this: accounts may be in pipeline at the time of target nomination. An external observer will perceive “account active, nomination communicated, account closed shortly thereafter” and make the obvious inference. 

If one understands one’s counterparty to have misunderstood something, one can correct them. Or not.

Industry participants describe a variety of tactics for extending olive branches to the coalition participants, including but not limited to acceding to demands. One such tactic was giving more visibility into pipelines than the broader public had, with or without influence on operation of those pipelines. “Thanks so much for bringing that to our attention. They are absolutely on our radar now.” can mean many things, including “Message received.”, “I confirm they are in pipeline.”, “I confirm they are in pipeline thanks to you.”

The CTT Terms include the following recommendation.

Many Internet Companies have granted special exemptions to official accounts, government actors and powerful people, allowing them to promote hateful activities, disinformation and other divisive behavior. Instead, these actors should be held to the same standards (if not higher standards) as regular users. There should be no special exemptions that allow the powerful to spread hate with impunity. Many official accounts at various social-media companies have circumvented platform policies despite promoting hateful activities, disinformation and other divisive behavior. Policies should apply equally to all users and must be enforced.

Industry participants perceived themselves as being in an impossible situation with regards to a handful of accounts which were both extremely vexatious to coalition members and obviously newsworthy. Consider how manifestly unwise it would be to intentionally deplatform the sitting, duly elected President of the United States. While nominally about a large class of users, industry participants describe the motivating examples brought up in meetings as consistently circling back to Trump, Tucker Carlson, and a very short list of other names.

The ADL, a coalition-aligned non-profit, co-authored a press release with some coalition members titled Deplatform Tucker Carlson.

The coalition benefits from the mistaken impression that it only asks platforms to remove accounts controlled by terrorist organizations. No. The first, unobjectionable list is the ante. After you’re in the hand, they raise you Tucker.

Once the coalition has achieved agreement in principle it defines the bounds of polite society, it soon broadens the ask, framing the new concession as something you have already committed to publicly. 

The coalition often communicates the ask privately but the retaliation for non-compliance publicly. The public, mainstream media sources, and similar interpret the sudden coordinated pressure intensification as evidence that the targeted company has failed at the original commitment, the one about terrorist organizations.

In public communications, some coalition participants exhibit message discipline in locating the agency within the industry participants: the coalition “recommends” policies, the industry participant agrees to a policy, then the industry participant is responsible for enforcing what is now their own policy. 

Coalition participants were, in the recollection of many industry participants, frequently undisciplined in meetings. They specifically nominated accounts for adverse actions, up to account closure, in no uncertain terms, and it was not a request.

Color of Change, at a minimum, was quite disciplined: they consistently adopted coercive conditional escalation as their default engagement model. Get the meeting, communicate demand, show a marketing brief of words and images that would be activated if you did not swiftly accede to the demand. This account is described by industry participants and by executive director Robinson to Fast Company, where he describes employing it “95% of the time.”

Coalition participants were inconsistently disciplined in their contemporaneous written records, some of which Bits about Money has reviewed. Authenticating these as true copies is tricky; authenticating public statements is not.

The Leadership Conference on Civil and Human Rights in October 2019 wrote Facebook a public letter, which the SPLC and many coalition members co-signed. 

And yet, sabotaging your own efforts, Facebook recently announced that it would automatically deem speech from politicians to be newsworthy, even when it violated the company’s Community Standards; exempt politician-created content from its fact-checking program – permitting anyone running for office to post or purchase ads with falsehoods; and exempt content deemed to be “opinion” from its misinformation rules. Politicians should not get a blank check to lie, incite, spread hate, or oppress groups of people. Politicians are historically responsible for perpetuating discrimination and erecting barriers to voter participation, while autocrats throughout history have relied on mass media to rise to power and subjugate minority communities.

Note the conflation here of committing incitement (illegal), spreading hate/oppression (probably bad), and lying while being a politician (Tuesday). This sort of conflation, of attempting to box someone into a proposition they had never actually agreed to, was routine, in the view of some industry participants.

I contemporaneously viewed the brouhaha about politicians lying as being battlespace preparation for the 2020 election. First, establish the general principle that social media platforms had a duty to censor lies told in campaigning. (This was sometimes described as “misinformation,” to imply that an American politician lying was doing so in a Russian accent.) Then, seize on every lie in one very specific political campaign, and use the platforms to interdict that political campaign’s storytelling. I didn’t expect campaign financing shenanigans, because I have a strong prior that responsible professionals might fly close to the sun but do not attempt to fly through it. More on that later.

Industry participants have their own compliance issues to worry about and frequently perceived this two-step as being too cute by half. The aim was obvious to them. Industry participants describe coalition participants as stating directly that Trump lies frequently, and helpfully telling people with degrees in logic that it therefore follows that if lies cause decisioning, and Trump lies, Trump should be decisioned.

The SPLC has described the coalition's strategy in its own voice, in the most formal venue available to it: sworn testimony before Congress. Lecia Brooks, who self-identifies as senior SPLC leadership, appeared before the House Financial Services, Subcommittee on National Security, International Development and Monetary Policy on January 15th, 2020.

Verbatim quotes from prepared testimony:

For decades, the SPLC has been fighting hate and exposing how hate groups use the internet. We have lobbied internet companies, one by one, to comply with their own rules to prohibit their services from being used to foster hate or discrimination. A key part of this strategy has been to target these organizations’ funding.

The coalition was an extension of the SPLC Intelligence Project, identified as such in their 2018 Annual Report, pg 9 [archive]. A charity annual report is a governance and fundraising document exhaustively reviewed by professionals and customarily approved by the board. It would be uncharitable to argue the SPLC misunderstands or is dissimulating about its role in the coalition in that document.

Brooks, to Congress, chooses to describe the SPLC as a member of the coalition and not the animating force of it:

On Oct. 25, 2018, the Change the Terms coalition – including the SPLC and other civil rights groups – released a suite of recommended policies for technology companies that would take away the online microphone that hate groups use to recruit members, raise funds and organize violence. In response to Change the Terms’ advocacy, several Silicon Valley leaders have made promising changes that align with the coalition’s vision for a safer online world.

Brooks then lists several examples of specific wins the coalition achieved.

Brooks then claims these accomplishments advanced the SPLC’s mission. She implies that the coalition’s important work will continue.

Hate groups have clearly been damaged by the efforts of the SPLC and its allied organizations, including the Change the Terms coalition, to fight them and their funding sources online. But the fight is far from over.

Brooks had an opportunity to describe industry participants as valued partners. Brooks describes the SPLC’s relationship with industry participants in part as follows:

The public exposure was half the battle. We conducted the other part of the campaign privately. SPLC officials held dozens of meetings with top Silicon Valley executives. Some companies acted. Some took half steps. Others did little or nothing. But eventually, the far-right extremists who depended on Silicon Valley were beginning to feel the pain.

Brooks characterizes the SPLC’s tone in a similar fashion to industry participants quoted above. 

She indirectly confirms one of the campaign’s core tactics: get the meeting, get a commitment under threat of coordinated public pressure, then judge progress against the commitment to be inadequate. In the next meeting, offer absolution and de-escalation, contingent on policy concessions. Repeat as desired.

The SPLC kept up the pressure, cajoling companies and exposing those that dragged their feet. 

The coalition, across a wide variety of documents, more consistently describes itself as having only influence when having power would require accountability, and more consistently describes itself as having power when addressing audiences presumptively sympathetic to the aims towards which that power was deployed.

As a reminder, in late May 2020, the death of George Floyd triggered a wave of nationwide protests.

Several of those protests devolved into riots and looting. This continued for months. The usual reckoning of the death toll, based on contemporaneous reporting, is two dozen. Property damage is generally estimated at between $1 and $2 billion based on insurance industry claims data.

Trump posted “Any difficulty and we will assume control but, when the looting starts, the shooting starts.”

The U.S., unfortunately, has long historical experience with race riots, and the civil rights movement has strong institutional memory of that phrase being invoked to justify murder as a riot control tactic. 

One can believe people steeped in this tradition, inclusive of many coalition members, sincerely understood the post to be a true threat. One can also believe they understood the situation to be an opportunity. 

The coalition’s operating logic has been to use each expansion to prepare for the next. A win here would establish that no one is beyond its reach. It would also establish that industry just isn’t qualified to understand what their policies mean, and should defer to the subject matter experts who wrote them.

Facebook declined to remove the post. 

Some employees at Facebook organized a walkout in protest.

In an attempt to quell the discontent within the ranks, senior Facebook leadership (Zuckerberg and two lieutenants) had an unusually publicized meeting with coalition members (the heads of Color of Change, the NAACP, and the Leadership Conference on Civil and Human Rights).

Coalition participants did not achieve what they professed to want in that meeting and, in a tick-tock motion industry participants were very familiar with by this time, released a statement to media then coordinated coverage around it.

Widely quoted language from the statement included “Mark is setting a very dangerous precedent for other voices who would say similar harmful things on Facebook.” The specificity and analytical rigor of this sentence is not dissimilar to that recounted by industry participants of statements made in many meetings.

The statement explained its concern was that failing to censor Trump, in a non-partisan manner of course, would result in voter suppression, via a causational pathway that the margin of the statement may have been too small to contain.

This was transparently designed to activate commitments Facebook had made in the wake of the 2016 election.

Believing the 2016 election had been tainted due to Russian interference was a left-coalition signifier—much as believing Trump actually won 2020 became a right-coalition signifier later. Neither of these views has the evidentiary strength the coalitions claim for them. But they aren’t claims advanced to achieve understanding; they are advanced to achieve alignment and, through it, power.

If one was concerned about the substantive merits of the claim on election interference, and not willing to simply accede to it on the strength of the speaker’s social position, one might wonder whether widespread actual violence might not suppress voting more than words describing hypothetical government violence.

Industry participants who asked coalition participants (in other circumstances) to explain their reasoning were told that it was not their job to educate them, that there exists literature, and that civil rights organizations had unmatchable expertise. Stick to coding, geeks. This did not always mollify industry participants, who in 2020 and 2021 were becoming deeply skeptical of expertise wielded as a shield for disastrous policy recommendations. For reference, see any history of the early days of the covid pandemic.

When they knew the cameras were rolling, participants were fractionally more disciplined. Color of Change's Robinson delivered a 2019 speech to Facebook leadership [archive], telling executives directly that they had 'profound gaps in their expertise' and that implementing CTT would be 'a step toward seriousness.' We believe we fairly characterize other documents we have seen as extending the logic from a claim about incapacity to understand racism as a societal problem to incapacity to understand the words written on industry’s internal policy documents.

The term of art in industry for the person responsible for the interpretation of a document is the “owner” of that document. Accepting this term of art, many professionals in the industry would agree that if the coalition doesn’t understand themselves to own the policies, it’s tough to guess where they think they should be on the stakeholder-analysis form. “Consulted” doesn’t get to say the owner has blood on their hands after a decision.

The House Judiciary Subcommittee on Antitrust, Commercial and Administrative Law conducted a hearing on Online Platforms and Market Power, Part 6: Examining the Dominance of Amazon, Apple, Facebook, and Google. The CEOs of the four companies attended as witnesses.

This is the hearing at which Jeff Bezos invited Congress to recommend a substitute data product for the SPLC blacklist.

About a month later 15 Republican lawmakers wrote Bezos a letter, saying:

Amazon’s ongoing reliance on the SPLC, with its documented anti-conservative track record, reinforces allegations that Big Tech is biased against conservatives and censors conservative views.

The letter did not contain a recommendation for an alternative data product.

Industry participants were extremely aware of the climate regarding potential anti-trust actions against their firms at many times during these years. Avoiding that was a central goal of policy teams and company leadership at all levels. Industry participants perceived the coalition members as possessing substantial influence over outcomes for anti-trust policy.

You don’t get interviewed by Hillary Clinton for being a nobody.

Joe Biden won the 2020 election. Trump disputes this. 

A planned demonstration in Washington D.C. for protesters sympathetic to him, timed to coincide with the counting of electoral votes in the Capitol Building, devolved into a riot. Demonstrators gained physical access to the Capitol Building, sometimes by force and sometimes being let in by overwhelmed police. Capitol Police shot and killed one demonstrator while she attempted to enter a window. A Capitol Police officer who had responded to the riot died the following day; the medical examiner ruled the cause natural (strokes) but noted the events of the day played a role in his condition.

Industry participants and coalition participants treated the events of January 6th as a multi-faceted emergency and responded within days. 

Industry participants converged on nearly unanimously terminating or severely restricting services to Trump and affiliated entities. Coalition participants pressed publicly and privately for this outcome. 

Some commentators view these events as over a dozen firms watching the same news and making substantially the same decisions independently of each other. Some commentators, focusing on the near unanimity, believe these decisions to have been strictly coordinated. This commentator believes neither.

There was a widespread effort to blame the tech industry specifically for the events of January 6th, contemporaneously reported in many places. The WSJ synthesizes, in a straight news story, the view “The Capitol incursion, some of which was planned and discussed in advance on social media, has hardened many Democrats’ view that a lack of tech-platform regulation is undermining democracy.” The climate in industry contemporaneously was acutely aware of being perceived as a threat to national security.

Industry participants perceived they were making decisions under conditions of profound risk to their businesses. This perception was contemporaneously noted by many external observers, including then-Senator Rubio, quoted by the WSJ as saying:

The reason why these guys are doing it is that the Democrats are about to take power, and they view this as a way to get on their good side.

If “get on their good side” converges with “not get one’s license to do business revoked” then there is not much daylight between that model and tech’s own. I am making this observation generally, on the basis of years of industry experience, rather than on the specific basis of any conversation that happened that week.

Financial professionals not directly employed by tech companies themselves shared this model, articulated it, and attempted to profit from it in a way which is entirely permissible under capitalism. Bellwether tech stocks (including those of industry participants) sold off during market highs for non-tech indexes, pricing in regulatory risk to these businesses.

This was noted by many non-political industry observers. The WSJ quoted an equity analyst as saying:

The bottom line is that the odds of legislative action on privacy, antitrust and [liability shield Section] 230 just went up significantly.

Investment banks get market color on recorded lines. In tech we get it in DMs from people we’ve worked with before and will again. It flows up to decisionmakers when it needs to. Much color is tweets being pasted into Slack.

This is not limited to times of national crisis. Speed is edge. As an illustrative example, regulators learned FTX had tried suborning a bank from the NYT, who learned it from an informed source in Tokyo, who developed a package of proof after reading a single document posted to Twitter. Or so this writer speculates in a curiously specific and consistent manner.

Now, putting these observations together:

Imagine a coordination game with two sides of a fence. Players have to pick either side of the fence. They may announce their decision at any time, and may change it until all players have announced a decision. Payoffs to this game decline the longer one waits. They are catastrophically negative if the game ends with one player alone on a side. The game has no winners ever and you can’t refuse to play.

This game has a “race to be second” dynamic, where any credible commitment to a move, or observed move, strongly encourages any player contemplating the same move to immediately announce it. Each additional player joining the block is a domino against players who have yet to announce.

The real-life situation reached rough equilibrium by January 10th.

Industry participants do not perceive themselves as having highly weighted the opinions of coalition participants during these few days. They were considered unimportant relative to other factors. Nor did industry participants broadly attempt to solicit input from coalition participants, in part because their responses were viewed as being trivially predictable. Further meetings during a crisis were considered a distracting waste of time.

Coalition members publicly and privately, along with many who had learned by imitation, immediately demanded everyone shut down everything. If he still had Netflix the next day it was not for want of trying.

Change the Terms issued a joint statement [archive] demanding an absolute Trump ban on January 6th itself using extraordinary language.

If platforms do not take immediate action to permanently remove Trump’s accounts, they will further share in the blame for additional white-supremacist violence that may unfold over the evening and in the remaining days before Trump’s term as president ends.

The House Financial Services Subcommittee on National Security, International Development and Monetary Policy held a hearing titled Dollars Against Democracy: Domestic Terrorist Financing in the Aftermath of Insurrection. SPLC’s Brooks again offered prepared testimony. The SPLC appears to ask Congress for new legislation establishing a BSA-style mandatory reporting regime, with penalties for non-compliance, across industry participants. 

Verbatim quotes, bolding in original:

Government should require regular, mandatory reporting by technology service providers to document abuse of their systems including financial support of violence, harassment, and terrorism.This includes implementation of mandatory financial abuse reporting requirements for internet services operating in the United States, including social media services, infrastructure providers, banking institutions, cryptocurrency exchanges, crowdfunding sites, video streaming platforms, and the like.

and

[These companies] should be required to investigate and report the details of harms and abuse of their service. There should be … penalties applied to services that refuse these tracking and reporting responsibilities.

Given that this reporting regime is mandatory, on the face of it, if a respected civil rights organization makes a payment to an individual responsible for violence, harassment, and/or terrorism, facilitators would have an immediate reporting requirement. That seems to carry the risk of reporting on the actions of an NGO to a potentially hostile government. That government could be the current one or a future one, because governments have been known to keep written records and employ personnel who serve across generations.

Had the SPLC asked me for comment on this novel expansion of BSA-style enforcement mechanisms, I would have told them that the existing BSA enforcement apparatus routinely negatively impacts marginalized individuals the SPLC makes the center of their moral concern. Bits about Money has made this argument across many pieces and in depth for years, continuing on observations I had made during my time as a consumer advocate for individuals with banking and credit problems, dating to the mid-2000s.

Facebook announced that it would end its longstanding "newsworthiness exception” to content moderation rules. This was a concession to years of repeated public and private demands by CTT coalition members. These demands included the October 2019 letter co-signed by 46 organizations including several CTT coalition members.

This form of exception was called out in the CTT Terms and ending it was an avowed goal of the coalition.

CTT coalition members then pushed for another concession they desired.

Industry participants have characterized coalition members as being routinely undisciplined, verbally and in writing, in specifically nominating FEC-registered entity controlled accounts, including fundraising accounts, for termination. They claim this was a pattern of practice for several years. Bits about Money has reviewed multiple records suggestive of this pattern.

It is not straightforward to authenticate documents obtained through sources. More rigorous authentication often poses additional risk to sources.

On the other hand, sometimes documentary evidence of the pattern is available from the coalition directly. Common Cause maintains a WordPress site, and occasionally posts their target lists in public. [archive] WordPress is a complex and highly modular open source platform which you could use for a blog or e-discovery delivery service.

Bits about Money’s eclectic collection of coalition-authored communications unequivocally demonstrates a) multiple coalition members b) specifically directing account termination and/or continuous restriction c) against Trump-affiliated accounts d) for the express purpose of interdicting political fundraising and other activity e) with them subsequently fundraising in specific reliance upon these acts. We offer the published document in substantiation of claims a-d and the next section of this piece in substantiation of claim e.

Verbatim quotes from the document:

As you know, The Team Trump Facebook page is operated by Save America, a political action committee (“PAC”) controlled by Trump. 

and

Allowing Team Trump to continue running political ads on Facebook is a significant loophole in Trump’s two-year suspension and provides a pathway for the former president to evade the ban. … Further, Team Trump is soliciting donations and inviting supporters to Trump rallies.

and

[We urge you to s]ubject the Team Trump account and any other account under Trump’s control, including any account of a political committee authorized and/or established by Trump pursuant to campaign finance law, to the same two year-ban as his Facebook and Instagram accounts.

No other accounts are specifically nominated in this document.

The document makes a token gesture that the principle is broader than the specific PAC whose fundraising activities it desires to be interdicted.

[We urge you to s]ubject any Facebook pages run by a political committee or other political entity authorized, established, financed, maintained or controlled by an individual to the same content moderation decisions as that individual’s Facebook account.

The Common Cause demand letter was co-signed by CTT coalition members Common Cause, CAP, Free Press, GPAHE, Media Justice, NHMC, and many other aligned 501c3 organizations. The published version of the demand letter is not signed by the SPLC.

Consider what level of operational discipline prevailed in the coalition, which employs many communications professionals and lawyers, to publish that document. Now imagine what individual coalition employees wrote with their thumbs. Do you picture excessive emoji, or prose that reads more Blackberry.

Coalition participants Free Press and Common Cause rented a mobile billboard to reiterate their demands. The mobile billboard was deployed to follow Facebook executives around Washington D.C. They tie this action to organizing to achieve a government investigation of Facebook.

Verbatim quotes from their press release [archive], titled Facebook Targeted by Mobile Billboard Circling Capitol Hill Demanding That Company Close the Trump Ad Loophole:

A mobile billboard demanding that Facebook ban Team Trump ads in accordance with its ongoing suspension of Donald’s [sic] Trump’s accounts will greet Facebook representatives following their Capitol Hill testimony today.

and

Sponsored by Free Press Action and Common Cause, the mobile billboard began its route

this morning and is continuing to circle the Federal Trade Commission, the White House,

Facebook headquarters and the U.S. Capitol, and will join the “Rally to Investigate Facebook”

We below reproduce Chris Cruz 8 Media Group’s photo of the mobile billboard, attached to the press release. The mobile billboard reads “Facebook must close Trump’s ad loophole” and “Nobody is above the rules.” We believe this reproduction is fair use for the purpose of reporting and commentary, but are happy to pay any reasonable fee for an unrestricted non-exclusive perpetual worldwide license across all media types currently existing or to be invented. Invoice to Kalzumeus Software, LLC please.

Free Press’s 2021 end of year communication [archive] to donors, signed by its co-CEOs, attempted to fundraise in part based on their participation in the Change the Terms coalition and in part based on the mobile billboard campaign to interdict PAC fundraising. The communication includes a photo of the billboard. All following quotes are from the document, and bolding is true to the original.

[W]e co-founded Change the Terms, a coalition that calls on the platforms to adopt model policies we developed to crack down on hateful content.

…

Our efforts have yielded numerous concrete changes. After years of pressure from Free Press and our allies, Twitter finally banned Trump[.]

…

Facebook initially suspended Trump “indefinitely” and later changed his suspension to a two-year ban. We’re now pushing the company to permanently ban Trump and to close a loophole that’s allowing a Trump PAC to fundraise and organize on his behalf.

The funding call to action, immediately above a donate button, was:

FUND THE FIGHT. Your generosity makes our work possible. Please give what you can today to make sure we have the resources we need to keep fighting for equitable media policies that improve people’s lives.

The communication included the following disclaimer, directly under the donation call-to-action. It was italicized.

Free Press and Free Press Action are nonpartisan organizations fighting for your rights to connect and communicate. Free Press and Free Press Action do not support or oppose any candidate for public office.

Meetings between industry participants and coalition participants decline from being a regular practice to occasional and ad hoc. This is according to several industry participants in past meetings. The Change the Terms social media presences, which had posted regularly from 2018 through 2021, substantially cease operations. Their last Medium post was in May 2022.

CTT coalition member GPAHE released a statement [archive] about Facebook and Trump on January 25th, 2023. The Change the Terms coalition retweeted it, in one of their final Twitter posts, and the final one naming Trump. 

The most striking difference from the CTT coalition’s past several years of public and private statements: this is, conspicuously, carefully worded.

There was no urging, calling upon, demanding, etc in this public statement. It was comparatively disciplined in only describing Facebook’s decision and their analysis of it, and letting a rhetorical question hang in the air.

If that’s not enough for Facebook to continue to ban him, then what is? 

The Change the Terms coalition website remains up, but it is difficult to say whether any members maintained their longstanding non-partisan interest in shaping industry policy via pressure campaigns and then nominating targets for enforcement. Perhaps they achieved final victory over hate. 

Or perhaps, since September 2021, they had learned operational discipline. The kind that chuckles at a proposal to chase executives around with mobile billboards demanding the interdiction of PAC fundraising, in a totally non-partisan fashion of course, and then doesn’t do that. Donor funds are best spent elsewhere.

In other news, Trump had filed his candidacy paperwork with the FEC in November 2022. He would go on to win the 2024 election.

[Update on May 8th, 2026: At the time of publication of this essay, Bits about Money was unaware that the coalition had written, on its own letterhead, a demand letter after Trump was a declared candidate. We would not have written this section in the fashion it is written had we been aware of that document. Our discovery of it caused us to do substantial follow-on reporting. Bits about Money regrets the error.]

Wiley Coyote Charities, an IRS-recognized 501c3 non-profit organization in a universe not too far from our own, has chased its hated nemesis for years. The orange road runner is tantalizingly close. Focused and untiring, perceiving himself close to ultimate victory, Wiley Coyote Charities salivates. This time, this time for sure, he will be sated. He will be free.

Wiley Coyote Charities speeds past a sign reading “Danger: Plausible Non-Partisanship Ends.” The only danger is to that blasted bird.

Wiley Coyote Charities is, to the appearance of observers of the race, now running over two miles of clear blue sky. He has not yet looked down. We know what will happen when he does. Blame the road runner all the way down.

As a former 501c3 CEO myself, I am aware of the requirements to maintain tax-exempt status. This is of paramount importance to charities. You can save yourself some legal bills quickly with the IRS's Restriction of Political Campaign Intervention by Section 501(c)(3) Tax-Exempt Organizations :

"Under the Internal Revenue Code, all section 501(c)(3) organizations are absolutely prohibited from directly or indirectly participating in, or intervening in, any political campaign on behalf of (or in opposition to) any candidate for elective public office. Contributions to political campaign funds or public statements of position (verbal or written) made on behalf of the organization in favor of or in opposition to any candidate for public office clearly violate the prohibition against political campaign activity. Violating this prohibition may result in denial or revocation of tax-exempt status and the imposition of certain excise taxes."

501c4 organizations have similar considerations. Consult your lawyer.

BAM mostly explains and analyzes financial infrastructure. The pipes work for everyone in every party, and for that thank God, plus the many people who go to work every day to make it happen.

A reader unfamiliar with years of issues will assume, picking one at random, that we are sympathetic to the then-current administration because we referenced an indictment. We say very similar things at substantial length every single time. Some pieces you may enjoy: The Bond Villain compliance strategy re: CZ, an extensive discussion in Debanking and Debunking of bank compliance failures enabling the FTX fraud, and our voluminous record on the function and tradeoffs of the BSA regime.

Bits about Money does not generally recommend particular providers of financial services, including of screening data products. As an editorial decision: we anti-recommend the SPLC blacklist. It is unfit for purpose in financial services and obviously so. We have no position as a publication as to whether it is valuable for other uses.

To the extent I personally have policy preferences, I prefer the orderly administration of law. Any law we would not be willing to enforce against a sympathetic lawbreaker, a friend, or an ally is a bad law. Until a bad law is changed, it is the law. I reject a legal realism, or legal cynicism, that says that power is the only law.

The Declaration of Independence and D.C. billboards agree: No one is above the rules. We have no kings in this country.

On the SPLC specifically, I don’t really specialize in charity effectiveness ratings, but so I am not accused of hiding the ball: I think they achieved a meaningful and historic victory in the cause of righteousness many years ago. They have dined well on that reputation for a very long time.

To those who think their mission remains critical and more intrinsically noble than simply the pursuit of political power for their favored coalition, I will say this. If the coyote has a noble mission on his back, he owes it to the mission to let the damned bird go, before he takes that mission off the cliff with him.

Just following up on my emails. Do I have the correct addresses? Emails to the team alias and your personal work accounts, formatted correctly, did not bounce; emails to incorrect guesses for the team alias did.

SPLC: I had asked you to deny that the email between the SPLC’s CEO and bank exists or dispute the accuracy of the excerpt in the indictment, and asked you to comment on whether the Change the Terms coalition you co-founded had specifically nominated accounts for negative actions. I still welcome a denial or comment from you on any matter, like whether it is fair to characterize Change the Terms as the SPLC’s concerted coalition to interrupt the fundraising of political opponents.

Common Cause: I asked you to comment on whether you have ever nominated the account of an FEC-registered entity for negative decisioning, and told you I had written evidence of you doing so on at least one occasion. I welcome your future comment, perhaps on when you started that practice and when or whether you have ceased. We could compare notes.

Email is my preference, but since the SPLC specifically is well-resourced to pursue the other way to deliver a response if it desires, I’ll save everyone 6 billable minutes: tell them “to Kalzumeus Software, LLC’s registered agent.” The Internet and I will read it attentively.

To the as-yet uncontacted coalition members, that meeting can be an email: “How about ‘We categorically deny ever directing any company to interfere with fundraising of a political opponent.’ ?” “Approved. Next topic?”  Unless you doubt that is true, in which case, book the non-partisan conference room for workshopping the language.

Don’t worry, I am a reasonable professional. Most journalists haven’t worked in a comms department. I have, and so gave all parties contacted several business days to answer very simple questions.

Your employer is profoundly opposed to you sending confidential information to external parties, even a fellow geek. The incremental value of evidence to me is far lower than risk to you.

Audit logs exist, including for searches and document accesses.

Remember the front page test. If you write it down, you could read it in the NYT. Or HN. So don’t write down anything you wouldn’t want published next to your name for forever. 

There was recently an attempt by an independent journalist to expose fraud in a Minnesota social program. It was deeply frustrating; the journalist had notably poor epistemic standards, which secondary media seized upon to dismiss their result.

The class-based sniffing almost invariably noted that prestige media had already reported stories which rhymed with the core allegation, while sometimes implying that makes the allegations less likely to be true, through a logical pathway which is mysterious to me.

The journalism went quite viral anyway, in part because of sensationalized framing, in part because of signal boosting by an aligned media ecosystem and aligned politicians, and in part because the journalism develops one bit of evidence that has a viscerality that paperwork dives often lack: these purported childcare operations routinely have no children in them.

Fraud has become quite politicized in the United States the last few years. We had a poorly-calibrated federal initiative led by a charismatic tech entrepreneur which believed it would unearth trillions of dollars of fraud that focused substantial effort on large programs which are comparatively fraud-resistant. Across the aisle, we have reflexive dismissal that fraud happens in social programs, which functions as air cover for scaled criminal operations which loot many varied social programs [0] and are sometimes run out of geopolitical adversaries of the U.S. including by ambiguously-retired members of their clandestine services.

I worked in the financial industry for a few years. We do not have the luxury of pretending that fraud is something invented by our rivals to besmirch our good name. It hits the P&L every quarter and will eat you alive if you’re not at least minimally competent in dealing with it. Conversely, it is well-understood in industry that the optimal amount of fraud is not zero.

The financial industry has paid at least tens of billions of dollars in tuition here. Overwhelmingly, one learns about fraud in it through an apprenticeship model, with different firms having different internal levels of understanding on the shape of the elephant. The industrial organization presumes small numbers of people architecting anti-fraud systems and relatively larger numbers of investigators and analysts operating those systems on a day-to-day basis.

There does exist some informal knowledge sharing between firms. If you work in payments, try getting invited to the Chatham House rule sessions held by… oh yeah, can’t say. Despite that social technology being originally developed for the benefit of government and press actors, it is my general impression that U.S. benefits programs don’t yet see themselves as sufficiently yoked by adversarial attention to benefit from their own Chatham House series. Perhaps that should change.

And so, for the benefit of fraud investigators with badges, press cards, or GoPros, some observations from a community of practice with an extensive (and mostly nonpublic) body of work. But first a tiny bit of throat clearing.

Minnesota has suffered a decade-long campaign of industrial-scale fraud against several social programs. This is beyond intellectually serious dispute. The 2019 report from the Office of the Legislative Auditor (a non-partisan government body) makes for gripping reading. The scale of fraud documented and separately alleged in it staggers the imagination: the state’s own investigators believed that, over the past several years, greater than fifty percent of all reimbursements to daycare centers were fraudulent. (Separate officials took the… novel position that they were only required to recognize fraud had happened after securing a criminal conviction for it. Since they had only secured a few criminal convictions, there was no way that fraud was that high. Asked to put a number on it, repeatedly, they declined.)

The investigators allege repeatedly visiting daycare centers which did not, factually, have children physically present at the facility despite reimbursement paperwork identifying specific children being present at that specific time. The investigators demonstrated these lies on timestamped video, and perhaps in another life would have been YouTube stars.

Our social class is intensely averse to straightforwardly recounting these facts, partly due to political valence and partly due to this particular fraud being dominantly conducted within a community which codes as disadvantaged in the U.S. sociopolitical context.

Fraudsters are liars and will cheerfully mouth any words they believe will absolve them of their crimes. If an accusation of racism gets one a free pass to steal hundreds of millions of dollars, they will speciously sue you alleging racial discrimination. That empirically worked in Minnesota. The OLA takes explicit notice of this multiple times, a coordinator for the fraud operation is on record explicitly explaining the strategic logic of accusations of racism, and a judge was even moved to make an extraordinary statement to clarify that the bad-faith lawsuit alleging racism did not achieve success through the formal judicial process but rather through the voluntary compliance of governmental actors shamed by its allegations.

(As a sidenote: one has to be able to hold two thoughts simultaneously about fraudulent operations. They can be sophisticated with respect to exploiting sociopolitical cleavages in their targets while also being comically inept at faking evidence elsewhere, such as having a single person write dozens of adjacent rows in a sign-in sheet. This routinely surprises observers and it should not surprise them. The financial industry also has a division of labor in it. The person architecting the fraud department’s standard processes is well-paid, well-educated, and routinely brings crossdisciplinary expertise to bear. A Fraud Analyst I, on the other hand, bears a lot of similarity to a call center employee in terms of compensation, education, and permitted amounts of agency.)

In the immediate wake of the independent journalist’s report, the great and the good rallied around the organizations he accused. Of course it was natural that journalists wouldn’t get immediate access to children if they asked. Of course there was a certain amount of informality in the sector. Of course, as the New York Times very carefully wordsmithed recently:

Minnesota officials said in early January that the state conducted compliance checks at nine child-care centers after Mr. Shirley posted his video and found them “operating as expected,” although it had “ongoing investigations” at four of them. One of the centers, which Mr. Shirley singled out because it misspelled the word “Learning” on its sign, has since voluntarily closed.

An inattentive reader might conclude from this paragraph that the Times disputes Shirley’s reporting.

To the extent that Bits about Money has an editorial line on that controversy, it is this: if you fish in a pond known to have 50% blue fish, and pull out nine fish, you will appear to be a savant-like catcher of blue fish, and people claiming that it is unlikely you have identified a blue fish will swiftly be made to look like fools. But the interesting bit of the observation is, almost entirely, the base rate of the pond. And I think journalism and civil society should do some genuine soul-searching on how we knew—knew—the state of that pond, but didn’t consider it particularly important or newsworthy until someone started fishing on camera.

But this is not a publication about particular ponds. It is a publication about getting better at fishing.

The best non-fiction work on fraud is Dan Davies’ Lying for Money. In it, you’ll find replete examples of something well-known to fraud investigators: the dominant next adventure for a former fraudster is… opening up a new fraud. And therefore, if you want to identify a ridiculously-high-hit-rate list of frauds in round N+1 of a game, a so-easy-its-practically-cheating way to do so is to look at what known fraudsters from round N are doing today.

There is a genuine difference in the culture and epistemology of the financial industry versus the government of the United States here. In the financial industry, we keep blacklists and getting a second chance after obvious misbehavior is intentionally non-trivial. This runs against deeply felt values of civil servants. An accusation is not a conviction, and absent clear authority to impose consequences in a new program, an actor convicted at enormous societal cost emerges to a new program officer as tabula rasa, equal in moral worth to any randomly chosen citizen.

I will not argue that Mastercard has better moral intuitions than the Founding Fathers. I would, however, happily suggest that the government not assume that the Constitution contains emanating penumbras obligating it to be repeatedly taken advantage of by the same people in the same fashion. We are not forbidden object permanence.

Minnesota raided the Sunshine Child Care Center in 2022 on suspicion of overbilling. No charges were brought, in what investigators imply was less an exoneration and more an inter-departmental fumble. That operation was owned by one Fowsiya Hassan. A separate childcare center owned by Fowsiya Hassan was featured on YouTube recently. This follows on $1.5 million of funds received through Feeding Our Future, a scaled fraud operation which has generated over 70 indictments, 5 criminal convictions, and 50 guilty pleas. What a set of coincidences. Perhaps Hassan has, as she has alleged in a lawsuit, been a frequent target of racially-motivated government investigations into a successful serial entrepreneur in the childcare field.

Much of the intellectual energy in policy circles about fraud is aimed at retail-level fraud by individual beneficiaries. Most fraud, like most scaled property crime, is actually the result of a business process.

This is an elementary fact of capitalism. It is deeply disconcerting to find every benefits program independently rediscovers it a decade too late to do anything about it. Most bread is not baked by amateurs in their kitchens. It comes from a bakery which exists to bake bread and hires specialists in baking bread and then supports them with capital-intensive built infrastructure.

Fraud develops a supply chain. Some elements in the supply chain are dual-use; the bad guys use Excel for the same reason every business uses Excel. Some elements in the supply chain, though, are specialized infrastructure with no or de minimis legitimate purpose. Those elements can be profiled.

I worked at Stripe for several years and am currently an advisor there. Stripe does not endorse what I write in my personal spaces. In its own spaces, Stripe has discussed being able to follow fraudulent operations in sufficient detail to determine when the operators went to lunch.

Fraudsters share specialists quite frequently. They use the same incorporation agents, the same mail services, the same CPAs, the same lawyers, etc.

You can make the same observation about many communities of practice. It is a non-coincidence that many tech startups are at 548 Market Street in San Francisco. 548 Market Street is not the world’s hippest coworking space. It is the address for EarthClassMail in SF. There are many P.O. box providers in the world; many geeks with taste reach for ECM. (Bits about Money is legally required to maintain a postal address and, if you were ever to send it a physical letter, that would also end up in the hands of an EarthClassMail employee.)

Elsewhere in the world, there exist P.O. box providers whose customers statistically include fewer AI labs and more frauds. One imagines the specialist-in-fraud at the storefront, picking up the day’s take from fifteen separate boxes.

Elementary work graphing supporting infrastructure, even on something as unsophisticated as butcher paper, frequently unravels fraud networks. Data science has any number of more sophisticated approaches. Jetson Leder-Luis, an academic who now routinely works with the government, has previously discussed some approaches which work based on widely commercially available data sources.

There is an emerging defender’s advantage here in the age of LLMs, since exploratory work in visualizing and walking network graphs is getting much cheaper. You no longer need to buy Palantir and engage a “forward-deployed engineer” to cluster IP addresses. A non-technical fraud investigator could get an LLM to do that while eating at Chipotle, and the lunch would cost more.

This democratization of capabilities is relevant to journalists, formal and otherwise, and also to governments. RFPs and software contracting once de facto mandated a multi-year lead time to do an automated network analysis if an analyst thought perhaps their program might need one. Now that is an afternoon’s work, if we allow ourselves to do it. We should.

As mentioned, there is enormous visceral distaste for the conclusion that a particular fraud ring operates within a particular community. This is quite common. You should expect to find circumstances which rhyme with it when conducting effective fraud investigations. You should not abandon fraud investigation when you chance upon this.

People assume a level of ethical fraughtness here which is not warranted. You would, if doing ethnographic work on perfectly legitimate businesses across industries, routinely discover ethnic concentration rather than population-level representation everywhere you looked. The Patels run the motels. One doesn’t need to adopt grand theories about how certain groups are predisposed to becoming pharmacists or startup employees or line cooks; simple microeconomic reasoning explains reality easily. Firms hire the people they already know, like, and trust. That will routinely include friends and family, who are going to be much more like the founding team than they are like randomly drawn members of the population. This is the default outcome.

Fraudsters do have one structural factor here. Everyone wants to trust their coworkers. Fraudsters need to trust their coworkers will be loyal even upon threat of prison time. That necessarily selects for tighter bonds than the typical workplace. Madoff was a family affair, SBF was in an on-again off-again romantic relationship with a chief lieutenant, and neither of those facts is accidental or incidental.

That’s the other ethical dimension of being other-than-blind to concentration: so-called affinity frauds do not merely recruit fraudsters from affinity groups. They recruit victims from affinity groups. Madoff mobilized the social infrastructure of the Jewish community in New York and Palm Beach to find his marks. Community members certainly did not intend their charitable foundations to be looted by a fraudster. It was an emergent consequence of trust networks.

This also happens to “chosen” communities. FTX was, in material part, an affinity fraud against effective altruists, who are not a religion or ethnic group as traditionally construed.

And so when the great and the good turn a blind eye towards abuses because the perpetrators share an uncomfortable common factor, they are often simultaneously turning a blind eye towards abuses of a community whose interests they purport to champion.

As covered extensively in Lying for Money, the necessary fundamental conceit of a fraud is growth in a business that doesn’t happen in the real world. “Every lie told incurs a debt to the truth, and one day, that debt will be paid”, to quote the excellent drama mini-series Chernobyl. Fraudsters forestall that day of reckoning by telling a bigger lie, increasing the debt, which (mostly as a side effect) alleges that they’re growing much faster than most of your legitimate portfolio. Happily, many businesses have figured out how to keep track of fast-growing customers. Tracking rocketships doesn’t require rocket science.

Sort-by-growth-rate-descending on new accounts will turn up a lot of interesting observations about the world. One is that Fortune 500 companies sometimes open new accounts, and you probably don’t need to open a fraud investigation file in that case. Another is that some people claim to be feeding millions of meals to a community of tens of thousands of people, beginning from a standing start, and growing local social services at a rate which an Uber Eats city manager would not expect to achieve in the wildest dreams of their go-to-market plan.

Feeding Our Future had a CAGR of 578% sustained for 2 years. Uber, during their meteoric growth period in core rideshare services, had an average CAGR of 226%. Their best year was 369%. But, if you asked in Minneapolis in 2021, you’d quickly find someone who had been in an Uber, but fail to find anyone who ate courtesy of Feeding Our Future. So curious, given that they were drubbing one of the fastest growing companies in history on growth rate.

Investigators in Minnesota were ringing the alarm bells for years about implausibly fast growth in Feeding Our Future’s reimbursement requests, including at new facilities. Feeding Our Future felt it was maxed out on the fraud it could conduct at existing sites, and expanded voraciously, including (most prominently) enrolling numerous restaurants as “feeding sites.” They then copy/pasted the usual playbook and requested reimbursement for implausible volumes at those sites, paying kickbacks to many participants. This then required growing the fraud, which… you get the general idea. We could have gotten off the bus at many points, and I suppose that is at some level a question of political will.

The highest growth rates in the economy generally are newer fields (you basically can’t sustain the alternative). This doesn’t imply that those fields are fraudulent, but they will tend to disproportionately attract frauds. The defenders in those fields have not yet paid their tuition to the School of Hard Knocks, and so attackers target the weaker systems. The higher growth rates of legitimate businesses function as protective cover for high stated growth rates of illegitimate businesses; a CAGR of 1,000% looks implausible for a restaurant but barely-meets-expectations for an AI software shop.

And, not to put too fine a point on it, many people are invested, literally and metaphorically, in whatever today’s new hotness is. People who could not secure an allocation in the more legitimate ends of it will sometimes find themselves adversarially selected by less salubrious actors. This will read to those people as a justly earned success. They might even have their marketing department write up their victimization as an indisputable success.

And so, if you’re a defender who has many different lines of business and has limited resources (or political will), where should you deploy those resources? Should you place your bets on e.g. Social Security, a multi-trillion dollar program whose primary source of growth is fun to conjure but then requires 70 years of seasoning? Or should you place them on the Paycheck Protection Program, or pandemic-era unemployment insurance, or genetic testing, or non-emergency medical transportation? Despite those being smaller line items, they probably have more juice worth squeezing, and the fraud is more easily detectable. Just look.

Bits about Money has extensively covered anti-moneylaundering and Know Your Customer regulations and I won’t rehash those regimes here. A bit of tacit knowledge in the financial industry: some actors in the set “broadly considered trustworthy” are more worthy of trust than others… and some are less.

We are generally discreet about writing this down in as many words. But, as an analogy, cross-national regulatory bodies require that financial institutions maintain a list of high-risk jurisdictions to do business in. You are generally required to do enhanced due diligence on customers/activities/etc touching the high-risk list.

If you are particularly competent, and there are plusses and minuses to being competent in detecting fraud (you will not be the most popular person in the firm at bonus time; that goes to the folks who sold the high-growth accounts), you might have the analogous list of U.S. financial institutions which are not entirely fronts for the bad guys.

If one hypothetically has that list, that’s one more signal you can use in evaluating any particular account, and a one-stop shop for developing a list of accounts to look into. It would be uncouth of me to name an extant bank that has poor controls, but for a general example of the flavor, see my (scathing) commentary on Silvergate’s AML and KYC program. Without using any proprietary information, I predict confidently that Silvergate banked many more multi-billion dollar frauds as a percentage of its customer base than almost any of the U.S.’s 4,500 banks. (Trivial substantiation: divide FTXes-banked by total-count-of-customers.)

One might, if one has never seen the list, wonder whether it is simply proxying for something the financial industry is definitely not allowed to proxy for. One of the first things you learn as a data analyst is zip codes are extremely probative and you are absolutely not allowed to use them. The American system remembers the experience of redlining and has forbidden the financial industry from ever doing it again; the industry mostly respects that. But good news: institutions with weak controls environments are not, in fact, simply a proxy for “Who banks socially disadvantaged people?” There are many financial institutions that have that as an explicit business model. Some of them are good at their jobs. Some, less so, and the fraudsters know it.

This sometimes happens with the knowing connivance of the financial institution and/or their staff. For much more on that, see histories of the savings and loan crisis, or the Lying for Money chapter on control frauds. But more commonly it is simply a community of practice developing organic knowledge about who is just very easy to get an account with. You need accounts, as a business. As a fraudulent business, which intends to cycle through accounts and identities at a much higher rate than baseline, you would prefer to do business with a bank which will not detect that malfeasance.

And so you will disproportionately end up banked, with many of your buddies, at the least attentive place still capable of getting a license. And so an agency, trying to find a fraudulent network, might want to look at fraud-cases-by-routing-number and then start making some judgment calls.

One of the reasons the government has deputized the financial industry is it is good at keeping spreadsheets and quickly responds to requests for them. Perhaps the government should call up a few of their deputies and say “So, not alleging anything here, but we think you might have a list, carefully maintained by your fraud department for your own purposes. We want to see the list. It would be pro-social of you to give us a copy of it.”

There is a thriving market in identities to be used in fraud. This is because bad actors prefer not putting their own names on paper trails certain to become evidence, because they frequently “burn” themselves early in their careers, and because institutions have cottoned onto the wisdom of collecting lists of ultimate beneficiaries.

Sometimes this is a social process, conducted at e.g. the dinner table. Sometimes the market is explicitly a market. Jetson recounted that, having exhausted the supply of patients needing dialysis who could plausibly need ambulance services, frauds began bribing potential patients, first with donuts and then with cash. This is extremely common. In Minnesota, parents were recruited to childcare providers with the promise of cash kickbacks or (a detail we’ll return to in a moment) fictitious paperworked no-show jobs, sometimes at substantially fictitious companies.

Fraudsters sometimes exercise some level of operational discipline in their communications. The bad guys have also seen The Wire; they know Stringer Bell’s dictum on the wisdom of keeping notes on a criminal conspiracy. However, the population of people willing to be named in a federal indictment over $200 necessarily selects preferentially for individuals who are not experts at operational security. They will sometimes organize recruitment very openly, using the same channels you use for recruiting at any other time: open Facebook groups, Reddit threads, and similar. They will film TikTok videos flashing their ill-gotten gains, and explaining steps in order for how you, too, can get paid.

As a fraud investigator, you are allowed and encouraged to read Facebook at work.

Now, knowing that there exists the frequent epiphenomenon where fraudsters recruit strawmen to use their identities to qualify for payments: suppose that you have an entirely new enterprise whose first customers are individuals A, B, C, and D. You know, from past records, that A, B, C, and D have all been customers of an organization which you now know, positively, was a fraudulent actor. You might infer from this that A, B, C, and D might have sold their identities once, but you probably don’t have sufficient information to convict them in a court of law of that. (It is of course possible that they are simply unsophisticated, or that bad actors obtained their information without their knowledge, for example by misappropriating a client list from a previous corporate entity they happened to own/work for/etc.)

But do you have enough information to take a more-detailed-than-usual look at this totally new enterprise? I think you do.

We have choices, as the defender, in what levels of evidence we require to enter the circle of trust, what our epistemological standards are, and how much evidence we require to forcibly exit someone from the circle of trust.

A detail from the Minnesota cases is that these burdens are asymmetric, in a way which disadvantages the defender (all of us). That decision is a choice and we should make better choices. 

For example, the primary evidence of a child attending a day-care was a handwritten sign-in sheet of minimal probative value. Prosecutors referred to them as “almost comical” and “useless.” They were routinely fraudulently filled out by a 17 year old “signing” for dozens of parents sequentially in the same handwriting, excepting cases where they were simply empty.

To refute this “evidence”, the state forced itself to do weeks of stakeouts, producing hundreds of hours of video recording, after which it laboriously reconstructed exact counts of children seen entering/exiting a facility, compared it with the billing records, and then invoiced the centers only for proven overbilling.

On general industry knowledge, if you are selected for examination in e.g. your credit card processing account, and your submission of evidence is “Oh yeah, those transactions are ones we customarily paperwork with a 17 year old committing obvious fraud”, your account will be swiftly closed. The financial institution doesn’t have to reach a conclusion about every dollar which has ever flowed through your account. What actual purpose would there be in shutting the barn door after the horse has left? The only interesting question is what you’ll be doing tomorrow, and clearly what you intend to do tomorrow is fraud.

We can architect the asymmetry in the other fashion: legitimate businesses will customarily, as a fact of their operations, put enormous effort into creating visible effects in the world which are trivial to check. In technologist circles this is sometimes called a “proof of work” function.

Once upon a time, a team of fraud analysts asked how they could possibly determine frauds from non-frauds without having extensive industry knowledge about every possible commercializable human activity. I suggested that a good first pass was “Just ask the correspondent for a quick video, shot on their cell phone, of their workspace.”

That is minimally invasive for the business owner, generates a huge amount of signal (including that which can be correlated across accounts), and can be usefully adjudicated by non-specialists in a minute. No multi-month stakeout of their storefront is required. Of course you can convincingly fake a video of working in, say, a machine shop, but fraudsters maintaining spreadsheet row 87 about the machine shop will find that difficult to juggle with all the other required lies in their backlog. Actual machine shops, meanwhile, include people, which means they include functional cell phone cameras at no additional cost to anyone.

You can also get some signal from who can trivially produce a video and who needs a week of advance notice to find a cell phone to record those machines that were absolutely milling aluminum last week.

Fundamentally, we have a choice about where we put our investments in defanging fraud, and we should stop choosing to lose.

So-called “pay-and-chase”, where we put the burden on the government to disallow payments for violations retrospectively, has been enormously expensive and ineffective. Civil liability bounces off of exists-only-to-defraud LLC. Criminal prosecutions, among the most expensive kinds of intervention the government is capable of doing short of kinetic war, result in only a ~20% reduction in fraudulent behavior. Rearchitecting the process to require prior authorization resulted in an “immediate and permanent” 68% reduction. (I commend to you this research on Medicare fraud regarding dialysis transport. And yes, the team did some interesting work to distinguish fraudulent from legitimate usage of the program. Non-emergency transport for dialysis specifically had exploded in reimbursements—see Figure 1— not because American kidneys suddenly got worse but because fraudsters adversarially targeted an identified weakness in Medicare.)

Attackers carefully respond to signals they think they are being sent from defenders. A lawyer for some of the Minnesota defendants, Ryan Pacyga, was quoted by the New York Times as saying that his clients understood Minnesota to tacitly allow their actions.

> No one was doing anything about the red flags. … It was like someone was stealing money from the cookie jar and they kept refilling it.

Don’t be the defender who sends that message. It will not work out well for you or your program.

Most frauds have rich external lives, with a soaring narrative of how deserving people are getting valuable services (and/or getting rich for being right and early regarding e.g. crypto asset cross-margining). They tend to be distinctly underpaperworked internally, partly because a synonym for “paperwork” is “evidence” and partly because… most frauds aren’t really that sophisticated, when it comes down to it. There is a true number; lie about it; done.

Like many time-pressed entrepreneurs busy talking to potential customers, fraudsters put the minimal amount of time necessary into bookkeeping and even less than that into paperworking epiphenomena of their frauds. One example of epiphenomena is sometimes the beneficiaries need their own paperwork. A legitimate mortgage company employs sales reps and a backoffice to help unsophisticated customers successfully get several hundred pages of paperwork together to sell a mortgage. Frauds… mostly don’t do that.

And so, if you have e.g. a statutory requirement that a beneficiary be employed to access services, a fraudster might say “Don’t worry about it!” They’ll just assert that you are an employee at a cleaning company. Perhaps they might even go as far as payrolling you as an employee of a cleaning company. This kills two birds with one stone, paying you your kickback while also generating the paystub they need you to have to qualify for the government reimbursement. (This happened, per the OLA’s reports summarizing the results of many investigations, in Minnesota.)

But fraudsters don’t actually operate cleaning companies even in those cases where they do operate daycares.

Cleaning companies are legitimate businesses, in the main, and working for one is an honest occupation. And so a fraud investigator should feel no chagrin at calling a cleaning company in the phone book and asking for a quote. A cleaning company which expresses complete befuddlement that someone could ask for a quote is providing, ahem, evidence in a direction.

(I have to note, as someone who pays to send children to a private school, that there is replete evidence that the school is accepting new children, knocking on the door and asking will quickly result in being given a brochure, and there are scheduled open houses and similar. I can imagine a gratuitously mismanaged educational establishment which does none of these things, and I can imagine an educational establishment which makes a lot of money, but I have trouble holding both thoughts in my head at the same time.)

The core frauds are sometimes hardened, to an attenuated degree. The peripheral frauds collapse under even a glance. Architect processes to require more signals regarding the periphery, then architect a system which takes at least a cursory look at the periphery. You will trivially catch frauds.

If you’re worried about exposing the exact signal that you are using, costing utility of it in the future, you can use this as a “parallel construction” engine. Develop leads for investigation using the non-public signal, pull the core records as a matter of routine, find the discrepancies that all frauds leave in their core records, and then put those in the indictment. Ask your friendly neighborhood lawyer if that passes muster or if you need to add a sentence rhyming with “was selected for a routine audit on the basis of information available to the department.”

We have discussed some heuristics [1] for identifying fraud. The financial industry still makes material use of heuristics, but a heuristic is a compression of the real world. It will sometimes lose fidelity to the world. It will frequently, by design, be legible to the adversary.

The defender has one advantage the attacker cannot ever replicate: data at scale. It knows what legitimate use looks like because it has all the messy, contradictory, varying quality, typos-and-all data which legitimate businesses in the real world constantly throw off. You cannot duplicate all of the shadows on the wall of Plato’s cave without first duplicating the entire world. Fraudsters, even quite talented ones, can’t do that.

There are any number of techniques for machine learning in anti-fraud; Emily Sands has previously discussed some with me. An important subset of the field can adapt in real-time or close to it to changes in adversary (or legitimate!) behavior. For example, covid surprised the fraudsters at the same time as it surprised every supermarket in the country, but the ex-post actions of the fraudsters and the supermarkets were very different. Revenue went up for both, but only one group actually runs a supermarket. And so by ingesting and constantly analyzing data from all users, including retrospective annotation of which users you’ve identified to be frauds, you get better and earlier signals on which users are likely fraudulent and which are likely not.

This can inform outright interdiction or the investigate-then-punish loop that we ordinarily expect from government. It can also inform less consequential, easier-to-reverse interventions. For example, rather than putting all users immediately through the highest-possible-ceremony process for application, you can let most users do a lower-burden process, saving the higher levels of scrutiny for those which signal greater likelihood of being fraudulent. Or you can default to approving more applicants and reserve more of your investigatory budget for post-approval review, with this being equivalently costly by using better tasking of those reviews versus random allocation. Pay-and-chase becomes more palatable if it is not pay-and-pay-and-pay-and-pay-and-chase and more pay-until-we-decide-to-chase-but-stop-payments-at-that-decision-not-after-the-catching.

Machine learning isn’t simply useful from a perspective of decreasing fraud. The history of regulation of benefits programs is the history of too-late, too-harsh overcorrection to notorious abuses. Much of what advocates find most maddening and Kafkaesque about eligibility criteria and application processes was voted on by a legislature but bears the signature of a fraudster with a novel idea.

With a good machine learning practice, you can increase data ingested but decrease the burdensome formal application/etc requirements. This is in no small part because those data points are less probative (they are under the direct control of the attacker and announce that they will be scrutinized). But it bears a dividend: if you better control fraud, and can successfully demonstrate that to the public and legislators, you can decrease application burden and perhaps even widen eligibility criteria. Those are both in the direct interests of potential marginal beneficiaries.

A political commentator might focus more on the optics here than on the substance, because that is so frequently where the point of actual leverage is in politics. But the substantive reality of fraud losses matters. It is much easier to tell the story of fraud in benefits programs being rare, opposed by all right-thinking people, and swiftly sanctioned when that story is not an obvious lie.

You can read Lying for Money or other histories of frauds for more detail on the texture, but in the main, a dedicated fraudulent enterprise is created, is seasoned for a while before crossing the rubicon, has a period of increasing brazenness, is detected, is closed, and then is resurrected when the fraudster gets the band back together from round N+1.

We can intervene against the lifecycle model if we understand it. This begins with not defaulting to the understanding of investigators that frauds are isolated incidents by disparate individual actors. Those have been known to happen, but frauds are, by total damage, dominated by repeatable business models perpetrated by professional specialized bad actors. We should study them like we study other successful entrepreneurs, and then not invest in them.

One actionable insight from the lifecycle model: because the fraudster intends to be in business multiple times in their life, we should track the person-to-business mapping much more closely than we have historically. As Lying for Money says, if you’re an accountant and willing to go to prison, and you do not get rich via fraud… well, you are very bad at your job. That’s on you. When we give you repeated chances to do it, that’s on us.

One might think that the simplest imaginable reform is passing some sort of beneficial ownership regulation to unroll complex corporate structures designed to obscure who is actually puppeting Totally Not A Fraud, LLC. But the simplest imaginable reform is probably just actually reading corporate filings that already exist and are public. Again, most fraudsters are not the hypersophisticated Moriarties of the popular imagination. The Minnesota fraudsters frequently did not even bother with fig leaves. While they did find some nominee directors in some cases, many of the convicted operated their companies in their own names, with no complicated structuring at all. Sometimes multiple times, consecutively, after the previous entities had worn out their welcome with Minnesota.

The Fed should not be surprised when the bad guys buy a bank when buying a bank requires an extended permission-seeking process and the bad guy’s corporate records, dutifully recorded by Maryland (entity D20033544), are signed by a notorious bagman. In the Fed’s defense, the bagman lied to them about his intentions, which was outside of their world model. (Pip pip to the New York Times for figuring that out before the Fed did. That is, sadly, not the usual way it works in financial journalism.)

Responsible actors in civil society have a mandate to aggressively detect and interdict fraud. If they do not, they cede the field to irresponsible demagogues. They will not be careful in their conclusions. They will not be gentle in their proposals. They will not carefully weigh consequences upon the innocent. But they will be telling a truth that the great and the good are not.

The public will believe them, because the public believes its lying eyes.

[0] In a thing you will see frequently in fraud investigations, early detection of anomalies does not necessarily imply successful identification of the underlying fraudulent enterprise. A teacher was scandalized that a third of their students are using AI to write papers. Those “students” are identities puppeted by a criminal organization to siphon federal funding out of community colleges towards accounts controlled by the criminals. (I award myself one cookie for correctly predicting this.)

[1] A heuristic, in industry parlance, is a hard-coded rule or set of rules as opposed to a system which automatically adapts to changes in the underlying data. Compare the difference between “You are less likely to default on loans if you own versus renting”, which is absolutely demonstrable in aggregate data, versus “You are less likely to default on loans at 780 FICO versus 540 FICO.” For a variety of reasons, the culture that is legislators sees the problem with having one heuristic, which will obviously not come to the correct conclusion all of the time. It corrects for this issue by having several hundred pages of heuristics. Just one more heuristic, man, and we’ll have completely anticipated all the complexity of the world.

Heuristics are wonderful things! They’re cheap to adjudicate, easy to explain, and can be understood by lawyers, even the kind who have ascended from the practice of law to the writing of it. Happily, machine learning systems can have all of these properties if you make them priorities.

Programming note: Happy New Year! Bits about Money is made possible—and freely accessible to all—by the generous support of professionals who find it useful. If you’re one of them, thank you—and consider purchasing a membership.

The U.S. is often maligned as being customer-hostile compared to other comparable nations, particularly those in Europe. One striking counterexample is that the government, by regulation, outsources to the financial industry an effective, virtually comprehensive, and extremely costly consumer protection apparatus covering a huge swath of the economy. It does this by strictly regulating the usage of what were once called “electronic” payment methods, which you now just call “payment” methods, in Regulation E.

Reg E is not uniformly loved in the financial industry. In particular, there has been a concerted effort by banks to renegotiate the terms of it with respect to Zelle in particular. This is principally because Zelle has been anomalously expensive, as Reg E embeds a strong, intentionally bank-funded anti-fraud regime, but Zelle does not monetize sufficiently to pay for it.

And thus a history lesson, a primer, and an explanation of a live public policy controversy.

If you were to ask your friendly neighborhood reference librarian for Electronic Fund Transfers (Regulation E), 44 Fed. Reg. 18469 (Mar. 28, 1979), you might get back a document yellowed with age. Congress, in its infinite wisdom, intended the Electronic Funds Transfer Act to rein in what it saw as the downsides of automation of the finance industry, which was in full swing by this time.

Many electronic transactions might not issue paper receipts, and this would complicate he-said bank-said dispute resolution. So those were mandated. Customers might not realize transactions were happening when they didn’t have to physically pull out a checkbook for each one. Therefore, institutions were required to issue periodic statements, via a trustworthy scaled distribution system, paper delivered by the United States Postal Service. And electronic access devices—the magnetic-stripe cards, and keyfobs [0], and whatever the geeks dreamed up next—might be stolen from customers. And therefore the banks were mandated to be able to take reports of mislaid access devices, and there was a strict liability transfer, where any unauthorized use of a device was explicitly and intentionally laid at the foot of the financial institution.

Some of the concerns that were top of mind for lawmakers sound even more outlandish to us, today. Financial institutions can’t issue credit cards without receiving an “oral or written request” for the credit card. That sounds like “Why would you even need to clarify that, let alone legislate against it?!” unless you have the recent memory of Bank of America having the Post Office blanket a city with unsolicited credit cards then just waiting to see what happened. [1]

The staff who implemented Reg E and the industry advocates commenting on it devoted quite a bit of effort to timelines, informed by their impression of the cadence of life in a middle class American household and the capabilities of the Operations departments at financial institutions across the U.S.’s wide spectrum of size and sophistication. Two business days felt like a reasonable timeline after the theft of a card to let the financial institution know. They picked sixty business days from the postmark for discovering an unauthorized transaction in your periodic statements. That felt like a fair compromise between wanting to eventually give financial institutions some level of finality while still giving customers a reasonable buffer to account for holidays, vacation schedules, the time it takes a piece of mail to travel from New York City to Hawaii, and the reality that consumers, unlike banks, do not have teams paid to open and act upon mail.

And, very importantly for the future, Congress decided that unsophisticated Americans might be conned into using these newfangled electronic devices in ways that might cost them money, and this was unacceptable. Fraudulent use of an electronic fund transfer mechanism was considered an error as grave as the financial institution simply making up transactions. It had the same remedy: the financial institution corrects their bug at their cost.

“Unauthorized electronic fund transfer” means an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit.

Reg E provided for two caps on consumer liability for unauthorized electronic fund transfer: $50 in the case of timely notice to the financial institution, as sort of a deductible (Congress didn’t want to encourage moral hazard), and $500 for those customers who didn’t organize themselves sufficiently. Above those thresholds, it was the bank’s problem.

Reg E also establishes some procedural rights: an obligation for institutions to investigate claims of unauthorized funds transfers (among other errors—Congress was quite aware that banks frequently made math and recordkeeping mistakes), to provisionally credit customers during those investigations, strict timelines for the financial institutions, and the presumptive burden of proof.

In this privately-administered court system, the bank is the prosecutor, the defendant, and the judge simultaneously, and the default judgment is “guilty.” It can exonerate itself only by, at its own expense and peril, producing a written record of the evidence examined. This procedural hurdle is designed to simplify review by the United States’ actual legal system, regulators, and consumer advocates.

The institution's report of the results of its investigation shall include a written explanation of the institution's findings and shall note the consumer's right to request the documents that the institution relied on in making its determination. Upon request, the institution shall promptly provide copies of the documents.

Having done informal consumer advocacy for people with banking and debt issues for a few years, I cannot overstate the degree to which this prong of Reg E is a gift to consumer advocates. Many consumers are not impressively detail-oriented, and Reg E allows an advocate to conscript a financial institution’s Operations department to backfill the customer’s files about a transaction they do not have contemporaneous records of. In the case that the Operations department itself isn’t organized, great, at least from my perspective. Reg E says the bank just ate the loss. And indeed, several times over the years, the prototypical grandmother in Kansas received a letter from a bank vice president of consumer lending explaining that the bank was in receipt of her Reg E complaint, had credited her checking account, and considered the matter closed. It felt like a magic spell to me at the time.

Banks do not like losing money, citation hopefully unnecessary, and part of the business of banking is arranging for liability transfers. Insurance is many peoples’ paradigmatic way to understand liability transfers, but banks make minimal use of insurance in core banking services. (A bank which is robbed almost always self-insures, and the loss—averaging four figures and trending down—is so tiny that it isn’t worth specifically budgeting for.)

The liability transfer which most matters to Reg E is a contractual one, from issuing banks to card processors and from card processors to card-accepting businesses. These parties’ obligations to banks and cardholders are substantially broader than the banks’ obligations under Reg E, but the banks use a fraction of those contracts to defray a large portion of their Reg E liability.

For example, under the various brands’ card rules, an issuer must have the capability for a customer to say that a transaction which happened over plastic (or the electronic equivalent) simply didn’t meet their expectations. The issuer’s customer service representative will briefly collect facts from the customer, and then initiate an automatic process to request information from a representative of the card-accepting business. On receipt of that information, or non-receipt of it, a separate customer service representative makes a decision on the case. This mechanism is called a “chargeback” in the industry, and some banks are notorious for favoring the high-income quite-desirable customers who hold their plastic over the e.g. restaurant that the bank has no relationship with. “My eggs were undercooked” is a sufficient reason to ask for a chargeback and will result in the bank restoring your money a large percentage of the time.

In the case where the complaint is “My card was stolen and used without my knowledge”, essentially the same waterfall activates, perhaps with the internal note made that this dispute is Reg E sensitive. But mechanically it will be quite similar: bank tells processor “Customer asserts fraud”, processor tells business, business replies with a fax, bank staff reviews fax and adjudicates.

There are on the order of 5 million criminal cases in the formal U.S. legal system every year. There are more than 100 million complaints to banks, some of them alleging a simple disagreement (undercooked eggs) and very many alleging crime (fraud). It costs banks billions of dollars to adjudicate them.

The typical physical form of an adjudication is not a weeks-long trial with multiple highly-educated representatives debating in front of a more-senior finder of fact. It is a CSR clicking a button on their web app’s interface after 3 minutes of consideration, and then entire evidentiary record often fits in a tweet.

“Customer ordered from online store. Customer asserts they didn’t receive the item in six weeks. No response from store. Customer wins. Next.”, “Customer ordered from online store. Customer asserts they didn’t receive item. Store provided evidence of shipping via UPS. Customer does not have a history of fraudulent chargebacks. Customer wins. Next.”, “Customer’s bookkeeper asserts ignorance of software as a service provider charge. Business provided written statement from customer’s CEO stating chargeback filed in error by new bookkeeper. Customer wins. Next.” (I’m still annoyed by that last one, years later, but one has to understand why it is rational for the bank and, in a software company’s clearer-minded moments, rational for them to accept the risk of this given how lucrative software is.)

The funds flow in a chargeback mirrors the contractual liability waterfall: the issuing bank gets money back from a financial intermediary, who gets it back from a card processor (like Stripe, which I once worked for, and which doesn’t specifically endorse things I write in my own spaces), who will attempt to get it back from the card accepting business.

That word “attempt” is important. What if the business doesn’t have sufficient money to pay the aggrieved customer, or they can’t be located anymore when the system comes to collect? Reg E has a list of exceptions and those aren’t on it. The card processor then eats the loss.

The same frequently happens to cover the provisional credit mandated while the bank does its investigation, and the opposite happens in the case where the issuing bank decides that the card accepting business is in the right, and should be restored the money they charged a customer.

This high-frequency privately-funded alternative legal system has quietly ground out hundreds of millions of cases for the last half century. It is a foundation upon which commerce rests. It even exerts influence internationally, since the card brand rules essentially embed a variant of the Reg E rights for cardholders globally, and since nowhere in Reg E is there a carveout for transactions that a customer might make electronically with their U.S. financial institution while not physically located in the United States. If you are mugged and forced to withdraw money at an ATM in Caracas, Uncle Sam says your bank knows that some tiny percentage of cardholders will be mugged every year, and mandates they pay.

Zelle, operated by Early Warning Systems (owned by a consortium of large banks), is a substantially real-time electronic transfer method between U.S. bank accounts. Bank web and mobile apps have for decades supported peer to peer and customer to business transfers, via push ACH (and, less frequently, by wire), but ACH will, in standard practice, take a few days to be credited to the recipient and a few hours until it will become known to them as pending.

Zelle is substantially a blocking play, against Venmo, Cash App, and similar. Those apps captivated a large number of mostly-young users with the P2P payments, for use cases like e.g. splitting dinner, spotting a buddy $20, or collecting donations for a Christmas gift for the teacher from all the parents in a class. After attracting the users with those features, they kept them with product offerings which, in the limit, resemble bank accounts and which actually had bank accounts under the hood for at least some users.

And so the banks, fearing that real-time payment rails would not arrive in time (FedNow has been FedLater for a decade and RTP has relatively poor coverage), stood up Zelle, on the theory that this feature could be swiftly built into all the bank apps. Zelle launched in 2017.

Zelle processes enormous volumes. It crowed recently that it did $600 billion in volume in the first half of 2025. Zelle is much larger than the upstarts like Venmo (about $250 billion in annual volume) and Cash App (about $300 billion in customer inflows annually). This is not nearly in the same league as card payments (~$10 trillion annually) or ACH transfers (almost $100 trillion annually), but it is quite considerable.

All of it is essentially free to the transacting customers, unlike credit cards, which are extremely well-monetized. And there is the rub.

“Hiya, this is Susan calling from your bank. Your account has been targeted by fraudsters. I need you to initiate a Zelle payment to yourself to move it to a safe account while we conduct our investigation. Just open your mobile banking app, type the password, select Zelle from the menu, and send it to your own phone number. Thank you for your cooperation.”

Susan is lying. Her confederates have convinced at least one financial institution in the U.S. that the customer’s phone number is tied to a bank account which fraudsters control. That financial institution registered it with Zelle, so that when the victim sends money, the controlled account receives it substantially instantaneously. They will then attempt to immediately exfiltrate that money, sending it to another financial institution or a gift card or a crypto exchange, to make it difficult for investigators to find it faster than they can spend it. This process often repeats; professionals call this “layering.”

So, some days later, when the victim calls the bank and asks what happened to the money the bank was trying to secure from fraud, what does the bank tell them?

Zelle is quick to point out that only 0.02% of transactions over it have fraud reported, and they assert this compares favorably to competing payments methods. Splendid, then do the banks want to absorb on the order of $240 million a year in losses from fraudulent use of a technology they built into their own apps which is indisputably by any intellectually serious person an electronic funds access device?

Frequently in the last few years, the bank has said “Well, as Gen Z would say, that sounds like a bit of a skill issue.” And Reg E? “We never heard of it. Caveat emptor.”

To be slightly more sympathetic to the banks, they’re engaged in fine-grained decisioning on Zelle frauds, which have many mechanisms and flavor texts. They are more likely to reimburse as required in the case of account takeovers, where the criminal divines a customer’s password, pops an email address, or steals access to a phone number, and then uses it to empty a bank account. They are far less likely to reimburse where the criminal convinces the customer to operate their access device (mobile phone) in a way against their interests. Skill issue.

Why do banks aggressively look for reasons to deny claims? Elementary: there is no waterfall for Zelle. If there is a reimbursement for the user, it has to come from the bank’s balance sheet. (Zelle as originally shipped was incapable of reversing a transaction to claw back funds. That mechanism was something of an antipriority at design time, since funds subject to a clawback might be treated by receiving banks as non-settled, and the user experience banks wanted to deliver was “instantly spendable, like on Venmo.” Instantaneous funds availability exists in fundamental tension with security guarantees even if the finality gets relaxed, as Zelle’s was in 2023 under regulatory pressure.)

Banks like to pretend that the dominant fraud pattern is e.g. a “social media scam”, where an ad on Facebook or a Tiktok video leads someone to purchase sneakers with a Zelle payment from an unscrupulous individual, who doesn’t actually send the sneakers. This pattern matches more towards “well, that’s a disagreement about how your eggs were done, not a disagreement about how we operate payment rails.” Use a card and we’ll refund the eggs (via getting the restaurant to pay for them); don’t and we won’t.

So, in sum and in scaled practice at call centers, the bank wants to quickly get customers to admit their fingers were on their phone when defrauded. If so, no reimbursement.

This rationale is new and is against our standard practice, for decades. If you are defrauded via a skimming device attached to an ATM, the bank is absolutely liable, and will almost always come to the correct conclusion immediately. It would be absurdly cynical to say that you intended to transact with the skimming device and demonstrated your assent by physically dipping your card past it.

Bank recalcitrance caused the Consumer Financial Protection Bureau to sue a few large banks in late 2024. The CFPB alleged they had a pattern and practice of not paying out claims for fraud conducted over Zelle rails. The banks will tell you the same, using slightly different wording. Chase, for example, now buries in the fine print “Neither Chase nor Zelle® offers reimbursement for authorized payments you make using Zelle®, except for a limited reimbursement program that applies for certain imposter scams where you sent money with Zelle®. This reimbursement program is not required by law and may be modified or discontinued at any time.”

The defensible gloss of banks’ position on “purchase protection” is that the purchase protection that customers pay for in credit cards which makes them whole for eggs not cooked to their liking is not available for Zelle payments. Fine.

The indefensible extension is that banks aren’t liable for defrauded customers. That is a potential policy regime, chosen by the polity of many democratic nations. The United States is not one of those nations. Our citizens, through their elected representatives, made the considered choice that financial institutions would need to provide extraordinary levels of safety in electronic payments. In reliance upon that regime, the people of the United States transacted many trillions of dollars over payment rails, which was and is very lucrative for all considered.

The CFPB’s lawsuit was dropped in early 2025, as CFPB’s enforcement priorities were abruptly curtailed. (Readers interested in why might see Debanking and Debunking and Ctrl-F “wants some examples made.”) To the extent it still exists after being gutted, it is fighting for its life. 

But knifing the CFPB doesn’t repeal Reg E. In theory, any bank regulator (and many other actors besides) can hold them to account for obligations under it. One of the benefits of Reg E is that the single national standard is easiest to reason about, but in the absence of it, one can easily imagine a patchwork of state-by-state consumer protection actions and/or coalitioning between state attorneys general. I will be unmoved if banks complain that this is all so complicated and they welcome regulation but it has to be a single national standard.

Having for the moment renegotiated their Reg E obligations by asserting they don’t exist, and mostly getting away with it, some banks might attempt to feel their oats a bit and assert that customers bear fraud risks more generally.

For example, in my hometown of Chicago, there has been a recent spate of tap-to-pay donation fraud. The fraudster gets a processing account, in their own name or that of a confederate/dupe, to collect donations for a local charitable cause. (This is not in itself improper; the financial industry understands that the parent in charge of a church bake sale will not necessarily be able to show paperwork to that effect before the cookies go stale.) Bad actors purporting to be informal charities accost Chicagoans on the street and ask for a donation via tap-to-pay, but the actual charged donation was absurdly larger than what the donor expected to donate; $4,000 versus $10, for example. The bad actor then exits the scene quickly. 

(A donor who discovers the fraud in the moment is then confronted with the unfortunate reality that they are outnumbered by young men who want to rob them. This ends about as well as you’d expect. Chicago has an arrest rate far under 1% for this. A cynic might say that if you don’t kill the victim, it’s legal. I’m not quite that cynical.)

But Reg E doesn’t care about the safety of city streets, in Chicago or anywhere else. It assumes that payment instruments will continue to be used in an imperfect world. This case has a very clear designed outcome: customer calls bank, bank credits customer $4,000 because the customer was defrauded and therefore the “charity” lacked actual authority for the charge, bank pulls $4,000 from credit card processor, credit card processor attempts to pull $4,000 from the “charity”, card processor fails in doing so, card processor chalks it up to tuition to improve its fraud models in the future.

Except at least some banks, per the Chicago Tribune’s reporting, have adopted specious rationales to deny these claims. Some victims surrender physical control of their device, and banks argue that that means they authorized the transaction. Some banks asserted the manufactured-out-of-their-hindquarters rationale that Reg E only triggers when there is a physical receipt. (This inverts the Act’s responsibility graph, where banks were required to provide physical hardcopy receipts to avoid an accountability sink swallowing customer funds.)

Banks will often come to their senses after being contacted by the Chicago Tribune or someone with social power and gravitas who knows how to cite Reg E. But it is designed to work even for less sophisticated customers who don’t know the legislative history of the state machine. They just have to know “Call your bank if you have a problem.”

That should work and we are diminished if it doesn’t.

With a limited number of carveouts (e.g. wire transfers), Reg E is intentionally drafted to be future-proof against changes in how Americans transact. This is why, when banks argue that some new payments rail is exempt because it is “different,” the correct legal response is usually some variation of: doesn’t matter—that’s Reg E.

Our friends in crypto generally believe that Reg E is one star in the constellation of regulations that they’re not subject to. They created Schrödinger’s financial infrastructure, which is the future of finance in the boardroom and just some geeks playing with an open source project once grandma gets defrauded. There is an unresolved tension in saying “Traditional institutions like Visa are adopting stablecoins” and in the see-no-evil reimburse-no-losses attitude issuers and others in the industry take towards fraud which goes over their rails.

Reg E doesn’t have an exception in its text for electronic funds transfers which happen over slow databases.

A hypothetical future CFPB, given the long-standing premise that fraud is not an acceptable outcome of consumer payment systems, would swiftly come to the conclusion that if it walks like a checking account, quacks like a checking account, and is marketed as an alternative to checking accounts, then it is almost certainly within Reg E scope.

Casting one’s eyes across the fintech landscape, many players seem to have checking account envy. In the era of the “financial superapp” where everyone wants to bolt on high-frequency use cases like payments to e.g. AUM gathering machines like brokerage accounts, that is worth a quick chat with Legal before you start getting the letters from Kansan grandmas.

[0] The first “credit cards” were not the plastic-with-a-magstripe form factor which came to dominate but rather “charge plates.” They were physical tokens which pointed at a record at e.g. a department store’s internal accounts, usually by means of an embossed account number, to be read by the Mk 0 human eyeball and, later, physically copied to a paper record via ink. Many were metal and designed to be kept around a key ring. As Matt Levine and many others have mentioned, the crypto community has speedrun hundreds of years of financial history, and keeping your account identifier on etched metal enjoyed a short renaissance recently. Unlike the department stores’ bookkeepers, crypto enthusiasts lost many millions of dollars of customer funds by misplacing their metal (see page 20 particularly).

[1] Market research in the 1950s was hard. Short version of the Fresno drop: they lost money due to abuse by a small segment of users, but successfully proved that the middle class would happily use plastic to transact if they were offered it and it was generally accepted by businesses as opposed to being tied to a single store. They then scaled the 60,000 card pilot to millions within a year. Visa is the corporate descendant of that program; Mastercard that of what competitors did in response.

Programming note: Merry Christmas! There will likely be another Bits about Money after the holiday but before New Year.

Bits about Money is supported by our readers. If your education budget or business can underwrite the coming year of public goods in financial-infrastructure education, commentary, and policy analysis, please consider supporting it. I’m told this is particularly helpful for policymakers and others who cannot easily expense a subscription, and who benefit from all issues remaining publicly available with no paywall.

The American Association of Retired People (AARP, an advocacy non-profit for older adults) has paid for ads on podcasts I listen to. The ad made a claim which felt raspberry-worthy (in service of an important public service announcement), which they repeat in writing: Asking to be paid by gift card is always a scam.

Of course it isn’t. Gift cards are a payments rail, and an enormous business independently of being a payments rail. Hundreds of firms will indeed ask you to pay them on gift cards! They also exist, and are marketed, explicitly to do the thing that the AARP implicitly asserts no business or government entity will ever do: provide a method for transacting for people who do not have a banked method of transacting. [0]

Gift card scams are also enormous. The FBI’s Internet Crime Complaint Center received $16.6 billion in reports in 2024 across several payment methods; this is just for those consumers who bothered reporting it, in spite of the extremely real received wisdom that reporting is unlikely to improve one’s direct situation.

The flavor texts of scams vary wildly, but in substance they’ll attempt to convince someone, often someone socially vulnerable, to part with sometimes very large sums of money by buying gift cards and conveying card information (card number and PIN number, both printed on the card) to the scammer. The scammer will then use the fraud supply chain, generally to swap the value on the card to another actor in return for value unconnected to the card. This can be delivered in many ways: cash, crypto, products and services in the scamming economy (such as purloined credit cards or even “lead lists” of vulnerable people to run more scams on), or laundered funds within regulated financial institutions which obscure the link between the crime and the funds (layering, in the parlance of AML professionals). A huge portion of running a gift card marketplace is trying to prevent yourself from being exploited or made into an instrumentality in exploiting others.

It surprises many people to learn that the United States aggressively defends customers from fraud over some payment methods, via a liability transfer to their financial institution, which transfers it to intermediaries, who largely transfer it to payment-accepting businesses. Many people think the U.S. can’t make large, effective, pro-consumer regulatory regimes. They are straightforwardly wrong… some of the time.

But the AARP, the FBI, and your friendly local payments nerd will all tell you that if you’re abused on your debit card you are quite likely to be made whole, and if you’re abused via purchasing gift cards, it is unlikely any deep pockets will cover for you. The difference in treatment is partially regulatory carveouts, partially organized political pressure, and partly a side effect of an accountability sink specific to the industrial organization of gift cards.

There exists an ecosystem of gift card program managers, who are essentially financial services businesses with a sideline in software. (I should probably mention that I previously worked for and am currently an advisor to Stripe, whose self conception would not be precisely that, but which a) supports many ways for people to pay money for things and b) does not necessarily endorse what I say in my personal spaces.)

Why does the program manager exist? Why not simply have the retailer keep some internal database of who the retailer owes money to, updating this when someone buys or loads a gift card and when they spend the balance at the store? Because this implies many capabilities that retailers do not necessarily have, such as e.g. software development teams.

There is also a large regulatory component to running a gift card program, despite gift cards’ relatively lax regulatory drag (we’ll return to that in a moment). Card programs are regulated at both the federal and state levels. One frequent requirement in several states is escheatment. (Essentially all states have a requirement for escheatment; many but not all exempt gift cards from it.)

As discussed previously in Bits about Money, a major component of the gift card business model is abandonment (“breakage”). Consumer advocates felt this was unfair to consumers, bordering on fraudulent really. They convinced states to take the money that retailers were keeping for themselves. (Many states didn’t take all that much convincing.) 

In theory, and sometimes even in practice, a consumer can convince a state treasurer’s office of unclaimed property (e.g. Illinois’) that the $24.37 that Target remitted as part of its quarterly escheatment payment for an unused gift card 13 years ago was actually theirs. A consumer who succeeds at this, which is neither easy nor particularly inexpensive to do, will receive a $24.37 check in the mail. The state keeps the interest income; call it a fee for service. It also keeps the interest income of the tens of billions of dollars of accumulated unclaimed property, which it generally promises to dutifully custody awaiting a legitimate claim for as long as the United States shall exist.

And so if you are a regional or national retailer who wants to offer gift cards, you have a choice. You can dedicate a team of internal lawyers and operations specialists to understanding both what the laws of the several states require with respect to gift cards, which are a tiny portion of your total operations, not merely today but as a result of the next legislative session in Honolulu, because you absolutely must order the software written to calculate the payment to remit accurately several quarters in advance of the legal requirement becoming effective. Or you can make the much more common choice, and outsource this to a specialist.

That specialist, the gift card program manager, will sell you a Solution™ which integrates across all the surfaces you need: your point-of-sale systems, your website, your accounting software, the 1-800 number and website for customers to check balances, ongoing escheatment calculation and remittance, cash flow management, carefully titrated amounts of attention to other legal obligations like AML compliance, etc. Two representative examples: Blackhawk Network and InComm Payments. You’ve likely never heard of them, even if you have their product on your person right now. Their real customer has the title Director of Payments at e.g. a Fortune 500 company.

And here begins the accountability sink: by standard practice and contract, when an unsophisticated customer is abused by being asked to buy a BigCo gift card, BigCo will say, truthfully and unhelpfully, that BigCo does not issue BigCo gift cards. It sells them. It accepts them. But it does not issue them. Your princess is in another castle.

BigCo may very well have a large, well-staffed fraud department. But, not due to any sort of malfeasance whatsoever, that fraud department may consider BigCo gift cards entirely out of their own scope. They physically cannot access the database with the cards. Their security teams, sensitive that gift card numbers are dangerous to keep lying around, very likely made it impossible for anyone at BigCo to reconstruct what happened to a particular gift card between checkout and most recent use. “Your privacy is important to us!” they will say, and they are not cynically invoking it in this case.

As mentioned above, Regulation E is the primary driver for the private enforcement edifice that makes scarily smart professionals (and their attached balance sheets) swing into action on behalf of consumers. Reg E has a carveout for certain prepaid payments. Per most recent guidance, that includes prepaid gift cards, gift certificates, and similar.

And so, if you call your bank and say, “I was defrauded! Someone called me and pretended to be the IRS, and I read them my debit card number, and now I’ve lost money,” the state machine obligates the financial institution to have the customer service representative click a very prominent button on their interface. This will restore your funds very quickly and have some side effects you probably care about much less keenly. One of those is an “investigation,” which is not really an investigation in the commanding majority of cases.

And if you call the program manager and say, “I was defrauded! Someone called me and pretended to be the IRS, and I read them a gift card number, and now I’ve lost money,” there is… no state machine. There is no legal requirement to respond with alacrity, no statutorily imposed deadline, no button for a CS rep to push, and no investigation to launch. You will likely be told by a low-paid employee that this is unfortunate and that you should file a police report. The dominant reason for this is that suggesting a concrete action to you gets you off the phone faster, and the call center aggressively minimizes time to resolution of calls and recidivism, where you call back because your problem is not solved. Filing a police report will, in most cases, not restore your money—but if it causes you not to call the 1-800 number again, then from the card program manager’s perspective this issue has been closed successfully.

The people of the United States, through their elected representatives and the civil servants who labor on their behalf, intentionally exempt gift cards from the Reg E regime in the interest of facilitating commerce.

It is the ordinary and appropriate work of a democracy to include input from citizens in the rulemaking process. The Retail Industry Leaders Association participated, explaining to FinCEN that it would be quite burdensome for retailers to fall into KYC scope, etc etc. Many other lobbyists and industry associations made directionally similar comments.

The Financial Crimes Enforcement Network, for example, has an explicit carveout in its regulations: while FinCEN will aggressively police rogue bodegas, it has no interest in you if you sell closed-loop gift cards of less than $2,000 face value. This is explicitly to balance the state’s interest in law enforcement against, quote, preserving innovation and the many legitimate uses and societal benefits offered by prepaid access, endquote.

FinCEN’s rules clarify that higher-value activity—such as selling more than $10,000 in gift cards to a single individual in a day—brings sellers back into scope. Given the relatively lax enforcement environment for selling a $500 gift card, you very likely might not build out systems which will successfully track customer identities and determine that the same customer has purchased twenty-one $500 gift cards in three transactions. That likely doesn’t rate as a hugely important priority for Q3. 

And so the fraud supply chain comes to learn which firms haven’t done that investment, and preferentially suggests those gift cards to their launderers, mules, brick movers, and scam victims.

And that’s why the AARP tells fibs about gift cards: we have, with largely positive intentions and for good reasons, exposed them to less regulation than most formal payment systems in the United States received. That decision has a cost. Grandma sometimes pays it.

[0] Indeed, there are entire companies which exist to turn gift cards into an alternate financial services platform, explicitly to give unbanked and underbanked customers a payments rail. Paysafe, for example, is a publicly traded company with thousands of employees, the constellation of regulatory supervision you’d expect, and a subsidiary Openbucks which is designed to give businesses the ability to embed Pay Us With A Cash Voucher in their websites/invoices/telephone collection workflows. This is exactly the behavior that “never happens from a legitimate business” except when it does by the tens of billions of dollars.

As Bits about Money has frequently observed, people who write professionally about money—including professional advocates for financially vulnerable populations—often misunderstand alternative financial services, largely because those services are designed to serve a social class that professionals themselves do not belong to, rarely interact with directly, and do not habitually ask how they pay rent, utilities, or phone bills.

Programming note: Bits about Money is supported by our readers. I generally forecast about one issue a month, and haven't kept that pace that this year. As a result, I'm working on about 3-4 for December.

Much financial innovation is in the ultimate service of the real economy. Then, we have our friends in crypto, who occasionally do intellectually interesting things which do not have a locus in the real economy. One of those things is perpetual futures (hereafter, perps), which I find fascinating and worthy of study, the same way that a virologist just loves geeking out about furin cleavage sites.

You may have read a lot about stablecoins recently. I may write about them (again; see past BAM issue) in the future, as there has in recent years been some uptake of them for payments. But it is useful to understand that a plurality of stablecoins collateralize perps. Some observers are occasionally strategic in whether they acknowledge this, but for payments use cases, it does not require a lot of stock to facilitate massive flows. And so of the $300 billion or so in stablecoins presently outstanding, about a quarter sit on exchanges. The majority of that is collateralizing perp positions.

Perps are the dominant way crypto trades, in terms of volume. (It bounces around but is typically 6-8 times larger than spot.) This is similar to most traditional markets: where derivatives are available, derivative volume swamps spot volume. The degree to which depends on the market, Schelling points, user culture, and similar. For example, in India, most retail investing in equity is actually through derivatives; this is not true of the U.S. In the U.S., most retail equity exposure is through the spot market, directly holding stocks or indirectly through ETFs or mutual funds. Most trading volume of the stock indexes, however, is via derivatives. 

The large crypto exchanges are primarily casinos, who use the crypto markets as a source of numbers, in the same way a traditional casino might use a roulette wheel or set of dice. The function of a casino is for a patron to enter it with money and, statistically speaking, exit it with less. Physical casinos are often huge capital investments with large ongoing costs, including the return on that speculative capital. If they could choose to be less capital intensive, they would do so, but they are partially constrained by market forces and partially by regulation.

A crypto exchange is also capital intensive, not because the website or API took much investment (relatively low, by the standards of financial software) and not because they have a physical plant, but because trust is expensive. Bettors, and the more sophisticated market makers, who are the primary source of action for bettors, need to trust that the casino will actually be able to pay out winnings. That means the casino needs to keep assets (generally, mostly crypto, but including a smattering of cash for those casinos which are anomalously well-regarded by the financial industry) on hand exceeding customer account balances.

Those assets are… sitting there, doing nothing productive. And there is an implicit cost of capital associated with them, whether nominal (and borne by a gambler) or material (and borne by a sophisticated market making firm, crypto exchange, or the crypto exchange’s affiliate which trades against customers [0]).

Perpetual futures exist to provide the risk gamblers seek while decreasing the total capital requirement (shared by the exchange and market makers) to profitably run the enterprise.

In the commodities futures markets, you can contract to either buy or sell some standardized, valuable thing at a defined time in the future. The overwhelming majority of contracts do not result in taking delivery; they’re cancelled by an offsetting contract before that specified date.

Given that speculation and hedging are such core use cases for futures, the financial industry introduced a refinement: cash-settled futures. Now there is a reference price for the valuable thing, with a great deal of intellectual effort put into making that reference price robust and fair (not always successfully). Instead of someone notionally taking physical delivery of pork bellies or barrels of oil, people who are net short the future pay people who are net long the future on delivery day. (The mechanisms of this clearing are fascinating but outside today’s scope.)

Back in the early nineties economist Robert Shiller proposed a refinement to cash settled futures: if you don’t actually want pork bellies or oil barrels for consumption in April, and we accept that almost no futures participants actually do, why bother closing out the contracts in April? Why fragment the liquidity for contracts between April, May, June, etc? Just keep the market going perpetually.

This achieved its first widespread popular use in crypto (Bitmex is generally credited as being the popularizer), and hereafter we’ll describe the standard crypto implementation. There are, of course, variations available.

Instead of all of a particular futures vintage settling on the same day, perps settle multiple times a day for a particular market on a particular exchange. The mechanism for this is the funding rate. At a high level: winners get paid by losers every e.g. 4 hours and then the game continues, unless you’ve been blown out due to becoming overleveraged or for other reasons (discussed in a moment).

Consider a toy example: a retail user buys 0.1 Bitcoin via a perp. The price on their screen, which they understand to be for Bitcoin, might be $86,000 each, and so they might pay $8,600 cash. Should the price rise to $90,000 before the next settlement, they will get +/- $400 of winnings credited to their account, and their account will continue to reflect exposure to 0.1 units of Bitcoin via the perp. They might choose to sell their future at this point (or any other). They’ll have paid one commission (and a spread) to buy, one (of each) to sell, and perhaps they’ll leave the casino with their winnings, or perhaps they’ll play another game.

Where did the money come from? Someone else was symmetrically short exposure to Bitcoin via a perp. It is, with some very important caveats incoming, a closed system: since no good or service is being produced except the speculation, winning money means someone else lost.

One fun wrinkle for funding rates: some exchanges cap the amount the rate can be for a single settlement period. This is similar in intent to traditional markets’ usage of circuit breakers: designed to automatically blunt out-of-control feedback loops. It is dissimilar in that it cannot actually break circuits: changes to funding rate can delay realization of losses but can’t prevent them, since they don’t prevent the realization of symmetrical gains.

Perp funding rates also embed an interest rate component. This might get quoted as 3 bps a day, or 1 bps every eight hours, or similar. However, because of the impact of leverage, gamblers are paying more than you might expect: at 10X leverage that’s 30 bps a day. Consumer finance legislation standardizes borrowing costs as APR rather than basis points per day so that an unscrupulous lender can’t bury a 200% APR in the fine print.

Prices for perps do not, as a fact of nature, exactly match the underlying. That is a feature for some users.

In general, when the market is exuberant, the perp will trade above spot (the underlying market). To close the gap, a sophisticated market participant should do the basis trade: make offsetting trades in perps and spot (short the perp and buy spot, here, in equal size). Because the funding rate is set against a reference price for the underlying, longs will be paying shorts more (as a percentage of the perp’s current market price). For some of them, that’s fine: the price of gambling went up, oh well. For others, that’s a market incentive to close out the long position, which involves selling it, which will decrease the price at the margin (in the direction of spot).

The market maker can wait for price convergence; if it happens, they can close the trade at a profit, while having been paid to maintain the trade. If the perp continues to trade rich, they can just continue getting the increased funding cost. To the extent this is higher than their own cost of capital, this can be extremely lucrative.

Flip the polarities of these to understand the other direction.

The basis trade, classically executed, is delta neutral: one isn’t exposed to the underlying itself. You don’t need any belief in Bitcoin’s future adoption story, fundamentals, market sentiment, halvings, none of that. You’re getting paid to provide the gambling environment, including a really important feature: the perp price needs to stay reasonably close to the spot price, close enough to continue attracting people who want to gamble. You are also renting access to your capital for leverage.

You are also underwriting the exchange: if they blow up, your collateral becoming a claim against the bankruptcy estate is the happy scenario. (As one motivating example: Galois Capital, a crypto hedge fund doing basis trades, had ~40% of its assets on FTX when it went down. They then wound down the fund, selling the bankruptcy claim for 16 cents on the dollar.)

Recall that the market can’t function without a system of trust saying that someone is good for it if a bettor wins. Here, the market maker is good for it, via the collateral it kept on the exchange.

Many market makers function across many different crypto exchanges. This is one reason they’re so interested in capital efficiency: fully collateralizing all potential positions they could take across the universe of venues they trade on would be prohibitively capital intensive, and if they do not pre-deploy capital, they miss profitable trading opportunities. [1]

Gamblers like risk; it amps up the fun. Since one has many casinos to choose from in crypto, the ones which only “regular” exposure to Bitcoin (via spot or perps) would be offering a less-fun product for many users than the ones which offer leverage. How much leverage? More leverage is always the answer to that question, until predictable consequences start happening.

In a standard U.S. brokerage account, Regulation T has, for almost 100 years now, set maximum leverage limits (by setting minimums for margins). These are 2X at position opening time and 4X “maintenance” (before one closes out the position). Your brokerage would be obligated to forcibly close your position if volatility causes you to exceed those limits.

As a simplified example, if you have $50k of cash, you’d be allowed to buy $100k of stock. You now have $50k of equity and a $50k loan: 2x leverage. Should the value of that stock decline to about $67k, you still owe the $50k loan, and so only have $17k remaining equity. You’re now on the precipice of being 4X leveraged, and should expect a margin call very soon, if your broker hasn’t “blown you out of the trade” already.

What part of that is relevant to crypto? For the moment, just focus on that number: 4X.

Perps are offered at 1X (non-levered exposure). But they’re routinely offered at 20X, 50X, and 100X. SBF, during his press tour / regulatory blitz about being a responsible financial magnate fleecing the customers in an orderly fashion, voluntarily self-limited FTX to 20X.

One reason perps are structurally better for exchanges and market makers is that they simplify the business of blowing out leveraged traders. The exact mechanics depend on the exchange, the amount, etc, but generally speaking you can either force the customer to enter a closing trade or you can assign their position to someone willing to bear the risk in return for a discount.

Blowing out losing traders is lucrative for exchanges except when it catastrophically isn’t. It is a priced service in many places. The price is quoted to be low (“a nominal fee of 0.5%” is one way Binance describes it) but, since it is calculated from the amount at risk, it can be a large portion of the money lost. If the account’s negative balance is less than the liquidation fee, wonderful, thanks for playing and the exchange / “the insurance fund” keeps the rest, as a tip.

In the case where the amount an account is negative by is more than the fee, that “insurance fund” can choose to pay the winners on behalf of the liquidated user, at management’s discretion. Management will usually decide to do this, because a casino with a reputation for not paying winners will not long remain a casino.

But tail risk is a real thing. The capital efficiency has a price: there physically does not exist enough money in the system to pay all winners given sufficiently dramatic price moves. Forced liquidations happen. Sophisticated participants withdraw liquidity (for reasons we’ll soon discuss) or the exchange becomes overwhelmed technically / operationally. The forced liquidations eat through the diminished / unreplenished liquidity in the book, and the magnitude of the move increases.

Then crypto gets reminded about automatic deleveraging (ADL), a detail to perp contracts that few participants understand.

(Pray we do not alter them further.)

Risk in perps has to be symmetric: if (accounting for leverage) there are 100,000 units of Somecoin exposure long, then there are 100,000 units of Somecoin exposure short. This does not imply that the shorts or longs are sufficiently capitalized to actually pay for all the exposure in all instances.

In cases where management deems paying winners from the insurance fund would be too costly and/or impossible, they automatically deleverage some winners. In theory, there is a published process for doing this, because it would be confidence-costing to ADL non-affiliated accounts but pay out affiliated accounts, one’s friends or particularly important counterparties, etc. In theory.

In theory, one likely ADLs accounts which were quite levered before ones which were less levered, and one ADLs accounts which had high profits before ones with lower profits. In theory. [2]

So perhaps you understood, prior to a 20% move, that you were 4X leveraged. You just earned 80%, right? Ah, except you were only 2X leveraged, so you earned 40%. Why were you retroactively only 2X? That’s what automatic deleveraging means. Why couldn’t you get the other 40% you feel entitled to? Because the collective group of losers doesn’t have enough to pay you your winnings and the insurance fund was insufficient or deemed insufficient by management.

ADL is particularly painful for sophisticated market participants doing e.g. a basis trade, because they thought e.g. they were 100 units short via perps and 100 units long somewhere else via spot. If it turns out they were actually 50 units short via perps, but 100 units long, their net exposure is +50 units, and they have very possibly just gotten absolutely shellacked.

In theory, this can happen to the upside or the downside. In practice in crypto, this seems to usually happen after sharp decreases in prices, not sharp increases. For example, October 2025 saw widespread ADLing as (more than) $19 billion of liquidations happened, across a variety of assets. Alameda’s CEO Caroline Ellison testified that they lost over $100 million during the collapse of Terra’s stablecoin in 2022, but since FTX’s insurance fund was made up; when leveraged traders lost money, their positions were frequently taken up by Alameda. That was quite lucrative much of the time, but catastrophically expensive during e.g. the Terra blowup. Alameda was a good loser and paid the winners, though: with other customers’ assets that they “borrowed.”

In the traditional markets, if one’s brokerage deems one’s assets are unlikely to be able to cover the margin loan from the brokerage one has used, one’s brokerage will issue a margin call. Historically that gave one a relatively short period (typically, a few days) to post additional collateral, either by moving in cash, by transferring assets from another brokerage, or by experiencing appreciation in the value of one’s assets. Brokerages have the option, and in some cases the requirement, to manage risk after or during a margin call by forcing trades on behalf of the customer to close positions.

It sometimes surprises crypto natives that, in the case where one’s brokerage account goes negative and all assets are sold, with a negative remaining balance, the traditional markets largely still expect you to pay that balance. This contrasts with crypto, where the market expectation for many years was that the customer was Daffy Duck with a gmail address and a pseudonymous set of numbered accounts recorded on a blockchain, and dunning them was a waste of time. Crypto exchanges have mostly, in the intervening years, either stepped up their game regarding KYC or pretended to do so, but the market expectation is still that a defaulting user will basically never successfully recover. (Note that the legal obligation to pay is not coextensive with users actually paying. The retail speculators with $25,000 of capital that the pattern day trade rules are worried about will often not have $5,000 to cover a deficiency. On the other end of the scale, when a hedge fund blows up, the fund entity is wiped out, but its limited partners—pension funds, endowments, family offices—are not on the hook to the prime broker, and nobody expects the general partner to start selling their house to make up the difference.) 

So who bears the loss when the customer doesn’t, can’t, or won’t? The waterfall depends on market, product type, and geography, but as a sketch: brokerages bear the loss first, out of their own capital. They’re generally required to keep a reserve for this purpose. 

A brokerage will, in the ordinary course of business, have obligations to other parties which would be endangered if they were catastrophically mismanaged and could not successfully manage risk during a downturn. (It’s been known to happen, and even can be associated with assets rather than liabilities.) In this case, most of those counterparties are partially insulated by structures designed to insure the peer group. These include e.g. clearing pools, guaranty funds capitalized by the member firms of a clearinghouse, the clearinghouse’s own capital, and perhaps mutualized insurance pools. That is the rough ordering of the waterfall, which varies depending geography/product/market.

One can imagine a true catastrophe which burns through each of those layers of protection, and in that case, the clearinghouse might be forced to assess members or allocate losses across survivors. That would be a very, very bad day, but contracts exist to be followed on very bad days.

One commonality with crypto, though: this system is also not fully capitalized against all possible events at all times. Unlike crypto, which for contingent reasons pays some lip service to being averse to credit even as it embraces leveraged trading, the traditional industry relies extensively on underwriting risk of various participants.

Many crypto advocates believe that they have something which the traditional finance industry desperately needs. Perps are crypto’s most popular and lucrative product, but they probably won’t be adopted materially in traditional markets.

Existing derivatives products already work reasonably well at solving the cost of capital issue. Liquidations are not the business model of traditional brokerages. And learning, on a day when markets are 20% down, that you might be hedged or you might be bankrupt, is not a prospect which fills traditional finance professionals with the warm fuzzies.

And now you understand the crypto markets a bit better.

[0] Brokers trading with their own customers can happen in the ordinary course of business, but has been progressively discouraged in traditional finance, as it enables frontrunning. 

Frontrunning, while it is understood in the popular parlance to mean “trading before someone else can trade” and often brought up in discussions of high frequency trading using very fast computers, does not historically mean that. It historically describes a single abusive practice: a broker could basically use the slowness of traditional financial IT systems to give conditional post-facto treatment to customer orders, taking the other side of them (if profitable) or not (if not). Frontrunning basically disappeared because customers now get order confirms almost instantly by computer not at end of day via a phone call. The confirm has the price the trade executed at on it. 

In classic frontrunning, you sent the customer’s order to the market (at some price X), waited a bit, and then observed a later price Y. If Y was worse for the customer than X, well, them’s the breaks on Wall Street. If Y was better, you congratulated the customer on their investing acumen, and informed them that they had successfully transacted at Z, a price of your choosing between X and Y. You then fraudulently inserted a recorded transaction between the customer and yourself earlier in the day, at price Z, and assigned the transaction which happened at X to your own account, not to the customer’s account.

Frontrunning was a lucrative scam while it lasted, because (effectively) the customer takes 100% of the risk of the trade but the broker gets any percentage they want of the first day’s profits. This is potentially so lucrative that smart money (and some investors in his funds!) thought Madoff was doing it, thus generating the better-than-market stable returns for over a decade through malfeasance. Of frontrunning Madoff was entirely innocent.

Some more principled crypto participants have attempted to discourage exchanges from trading with their own customers. They have mostly been unsuccessful: Merit Peak Limited is Binance’s captive entity which does this. It also is occasionally described by U.S. federal agencies as running a sideline in money laundering, Alameda Research was FTX’s affiliated trading fund. Their management was criminally convicted of money laundering. etc, etc.

One of the reasons this behavior is so adaptive is because the billions of dollars sloshing around can be described to banks as “proprietary trading” and “running an OTC desk”, and an inattentive bank (like, say, Silvergate, as recounted here) might miss the customer fund flows they would have been formally unwilling to facilitate. This is a useful feature for sophisticated crypto participants, and so some of them do not draw attention to the elephant in the room, even though it is averse to their interests.

[1] Not all crypto trades are pre-funded. Crypto OTC transactions sometimes settle on T+1, with the OTC desk essentially extending credit in the fashion that a prime broker would in traditional markets. But most transactions on exchanges have to be paid immediately in cash already at the venue. This is very different from traditional equity market structure, where venues don’t typically receive funds flow at all, and settling/clearing happens after the fact, generally by a day or two.

[2] I note, for the benefit of readers of footnote 0, that there is often a substantial gap between the time when market dislocation happens and when a trader is informed they were ADLed. The implications of this are left as an exercise to the reader.

The ultimate goal of financial plumbing is to enable commerce in the real economy. Consider the humble window: it is a fairly expensive, surprisingly high-tech manufactured good, installed by the dozen in homes by artisans. A window represents a supply chain, and one part of that supply chain is a sales process, convincing a homeowner of the desirability of updating their windows. The sales representative running that process would urgently prefer to leave their single visit to the home with not just tentative measurements but with a durable commitment to buying the window and financing firmly in place for it.

Why finance the purchase? Windows cost $1,000 to $3,000 each and updating all or a large fraction of them quickly becomes a mid-five figures project; relatively few homeowners will pay upfront with cash. Moreover, the sales process would strongly prefer the purchase be financeable, because that will sell more windows than a counterfactual world where windows were only available for cash.

One could imagine a world in which window manufacturers or installers provided financing off of their own balance sheets. This would be a rough world for them: they have upfront capital outlay (the window) and would recoup only after extended periods, bearing credit risk all the while. No, they would prefer to sell windows for money. It’s frequently delivered in milestone payments, perhaps half prior to manufacturing the windows and half upon successful installation.

You could imagine the buyer could bring their own financing, perhaps by going to their usual bank and asking for a home improvement loan. That product very much exists, but it might be surprisingly less attractive to all parties: it will be costly, low margin for the bank, and have poor operational dynamics for the window company. And so you could imagine the window company asking the financial industry to come up with an alternative.

That alternative exists, and can underwrite and paperwork a four-party commercial loan in fifteen minutes, before the salesman has even left their home visit that sold the window. We’ll return to it in a moment.

Again, very many banks do actually make home improvement loans available. But they’re not wonderful loans for the banks.

We’ll begin with the somewhat awkward dollar amount: a home improvement loan is enough money to hurt if it goes bad, but not enough money to justify a high-volume well-oiled machine to underwrite, not like e.g. mortgages. And indeed that is what many banks will immediately try to sell you if you ask for a loan for the purpose of home improvement: can we instead counterpropose a home equity line of credit (HELOC)? You can then borrow against your existing home equity, withdrawing cash, and we have no objection to you swapping cash for a window, a decision we need hear no more about. We have a supply chain for mortgages, including HELOCs, and this supply chain will decrease our capital requirements while smoothing every part of underwriting.

Why does the bank want to take the window out of the window purchase? Because a home improvement loan otherwise requires multiple operationally intensive document reviews and conversations where bankers talk to construction company office managers. Those conversations are frequently unhappy ones.

Consider the case where a construction project flies off the rails, which has been known to happen. The window company says it has installed the windows, and potentially they have a certificate proving that they were indeed installed, allegedly signed by the homeowner or their spouse on the date of installation. The homeowner, however, is unhappy with the windows: they are drafty; the color isn’t the same as the brochure; and goodness was this what they agreed to pay e.g. $25,000 for?! They don’t want to pay it anymore.

The bank must be the adult in this scenario, to release that second milestone payment. They very possibly could be drawn into litigation over their decision, because a few tens of thousands of dollars is just enough to justify calling a lawyer. Then the bank will have to have their own lawyers defend their own contracts in an expensive proposition over what is, to it, a small-dollar loan.

It’s not nearly this hard to generate $25,000 of balances with a credit card issuing business. You mail out the cards and people buy airplane tickets. And then the airline pays you 200 basis points off the top even before you get to originate the high-interest loan! Great business to be in and you never have to talk about a stewardess spilling someone’s drink or it raining in Hawaii that week.

Meanwhile, the window installer has their own complaints about this loan, even before it is originated. Between the day the salesman shakes hands with the customer and the bank commits to the installation, they have very little they can do to influence success. The homeowner might develop buyer’s remorse and, while they might have signed a contract, it’s just rough to compel payment for windows which don’t exist yet. Your staff will not enjoy the process, your reviews will suffer, and it’s not guaranteed that your contract will hold up: in some states, your customer might even have legal right to sever during a cooling-off period. You would prefer to accelerate delivery to avoid them cooling on the idea of windows.

But the bank is slow and has a bespoke underwriting process which requires information from you but which you cannot control, because the window installer is not the bank’s customer. They can’t call the bank up and yell at the underwriters to move faster, and they can’t debate the bank over a credit decision, where a perfectly good sale gets nixed six weeks later because the bank just isn’t feeling it. Very few of those sales will result in the buyer arranging successful alternative financing, partly for very human reasons and partly for a mechanical one: the fact of the hard pull on the credit report for the original loan origination plus non-issuance of a loan from one’s home financial institution signals to the rest of the world “Oh goodness there are probably better ex-ante risks in the economy than this one!”

No, what the window installer wants is a lending product which can be issued at scale, very predictably, in as short a timeframe as possible, by financial institutions responsive to it who ask very few followup questions, always fund milestone payments promptly, and actually want this business.

That product exists.

Consumer credit issuance is, unless it comes directly from a manufacturer, a privilege reserved by law for regulated financial institutions. But, as we’ve established, regulated financial institutions don’t lust for this business on their own balance sheets at scale. (Recharacterizing the home improvement loan as a draw on a HELOC allows the bank to quickly get it off their balance sheet, because the HELOCs will generally be securitized. You could theoretically securitize a large pool of installment loans if you had a business process to generate them, but unless a bank specializes, they are unlikely to have core depositors simply ask for enough of these every year to justify building out the framework required to do this.)

Why is it reserved by law for financial institutions? As Bits about Money mentions often, financial institutions are a policy arm, and one thing the state requires is that Compliance make sure the financial institution is not abusing customers. The state believes that a e.g. window installer might use high-pressure sales tactics or say untrue things to a homeowner about how e.g. an interest-free financing period works, and then perhaps forget about those things when the customer complains. It believes, rationally, that financial institutions will keep extensive records of what they communicate about loans, that those records will be truthful by default, and that the financial institution will not endanger its permission to do business over a single product. Also, and this is a blunt but true observation, the state trusts white collar employees and executives at banks more than it trusts blue collar window installers.

So we need a bank involved, but that bank does not necessarily need to lend (from its own balance sheet). The bank could immediately sell a large portion of the loan, retaining perhaps 1% for form’s sake, to a private provider of capital.

But, again, it is unlikely that a bank will want to call around to hedge funds and see if there are any takers. Someone needs to have capital providers have a standing offer to snap at this product quickly.

That standing offer is variously called a forward funds flow agreement or warehouse financing. I’ve previously discussed the mechanics for Buy Now Pay Later (BNPL), and they’re the same here. Someone, typically a facilitator and not the bank itself, has brought the capital partners to the table, negotiated terms, and has prepared them to receive what they want: millions of dollars of loans, at attractive prices, with known-in-advance credit characteristics… originated by a massively scalable process, conducted partly by commission-earning sales reps bearing iPads into houses needing windows and partly by web applications and operational teams.

This machinery wasn’t originally perfected for windows. It was originally aimed mostly at solar installations, which were heavily tax-advantaged at the time. Capturing the tax credit required a sale and upfront capital outlay, and the pitch was essentially “Sign these loan docs for free money for all of us and, also, you’ll get some solar panels.” But the credits eventually expired, the addressable market for solar got more tapped, and the software and companies yearned for more originations. So, sign these documents, get windows at attractive prices.

The loan application begins with the customer verbally informing the salesman of their phone number or email address. They get given a link which swiftly brings them to a competently-designed web application. That application asks a few simple questions that are required for underwriting. The two most important ones that are not on a credit card application are “Is this your house?” and “Do you live in this house?” This is because the capital partners are much, much more confident that people will not welch on debts tied to their primary residence than that every real estate investor will be above water if 2008 happens again.

Questions about your finances are extremely pro-forma. You’ll be asked to self-state your income, but no attempt will be made to verify it. A credit report will be pulled, which satisfies the twin purposes of a) derisking the applicant pool and b) verifying, via checking for the presence of a mortgage, that you do actually own the house.

I ended up in a fraud queue at this point in the process. Story of my life. The facilitating company does not expose to the sales rep why you are in the fraud queue, but the clock is ticking, and the rep will (hypothetically) strongly prefer continuing to drink tea and chitchat rather than leaving and letting one resolve that issue asynchronously. It was resolved by a combination of automated submission of a passport photo (again, shockingly competent software by the historical standards of loan origination) and an analyst manually clicking a button in a web application.

If I were to speculate what that analyst was doing, it would be reviewing the facts: credit report says high credit score, credit report shows a mortgage, credit report does not match this address, but government-provided ID does match the asserted identity. And thus the wager: is he in his own house, or has he decided to pull a hilarious prank on a window installer and buy someone else windows with a hedge fund’s money? The analyst swiftly concluded I was probably in my own house. (Why did I end up in the fraud queue? I have a lot of weirdness, such as not being listed on the deed due to holding title through a land trust, for privacy reasons. Unfortunately, perhaps that sometimes makes it difficult for cron jobs to conclude I own the house.)

Once you’re approved for the loan, you are automatically sent loan documents for signature. This will not be compelled at the meeting, but the installer sure would appreciate you signing before they leave. Compliance has extensively briefed them on where the line is. Compliance has, in fact, extensively briefed them on many lines, and because Compliance cares more about the law than it does about paying programmers to code a login form, I was able to read their entire Compliance training series and presentations to installers.

Don’t lie. Don’t translate any loan docs from English or provide any gloss of the terms. Don’t say any of the forbidden phrases like “guaranteed approval”, “same-as-cash financing”, “interest-free financing”, etc. And definitely definitely do not touch their phone or computer during the application process.

The financial industry learned some things during the global financial crisis about aggressive salesmanship by its agents. Almost every bullet point in that 40 page PowerPoint has a stack of criminal convictions, billions of dollars of losses, or both to justify it.

The salesman will first quote a scary number designed to anchor you, then present the discount available if you commit within a month. They will then say there is a sweetener if and only if you sign before they leave. Compliance is very clear that if you say that in the context of acting as an agent for a financial institution it had better not be a lie, but percentages are percentages and window companies like making deals for windows, and I would not bet against the proposition that they would offer other inducements on other days for other reasons, perhaps summing to similar numbers.

They then present financing terms. I was pleasantly surprised that this was not presented in the typical obfuscating car dealer financing four square method. The real price stays onscreen on the iPad at all times and you are presented with columns for choices: pay cash (they mean immediately deliverable value, not actually specie), 12-month deferred interest financing, 15-year fixed rate financing, and pay in milestones (e.g. 50% deposit, 50% due on installation) on a credit card.

Compliance will inform representatives that you are absolutely not supposed to use the words “same as cash” and “interest-free” to describe 12 month deferred interest financing. This salaryman is unfortunately forgetful sometimes and so I cannot quite recall what the friendly local salesman actually said while pointing to the iPad. The offer is “If you fully pay for your windows within the next 12 months, you just pay the sticker price. If it takes you longer than that, you will pay us interest, starting from the date of installation, at a rate which is materially higher than the rate we quote in the next column.”

You might think, given that sketch, that the system is trying to trick naive homeowners and surprise them on day 366 with a nasty bill. I’m slightly more sympathetic. This offer is designed to be attractive to people who can bring their own financing without making the window installation dependent on that financing. If, for example, a customer does not currently have a HELOC, but is pretty sure they can get a HELOC, the window installer is saying “Great, convince any bank to give you a HELOC, then do a draw any time in the next year and repay us, and we’ll foot the interest until then. But to be clear this window is going in irrespective of your future discussions with banks. Our capital partners do not want you to attempt to skate if your financing falls through, if you get divorced, if your tax refund is smaller than expected, etc, and you will be penalized if you attempt to turn this into a backdoor installment loan.” 

But the next column is where the real action is. I was quoted 6.99% APR for equal amortizing payments over 15 years. They, naturally, express this as a monthly number, but the contract floridly and in bold print (as required by regulations) discloses e.g. total interest cost over the life of the loan, the fact there is no pre-payment penalty, etc. This is as honest as consumer lending can possibly be.

You e-sign the loan documents and then the salesman thanks you for your time and arranges for another professional to come back and redundantly measure the windows. He measured for the quote, and the quote is good, but they’ll measure again because a quarter inch matters a lot more for the physical universe than it does for the spreadsheet. Then the order goes to the factory and, a few weeks later, they install the windows. You sign an acknowledgement, and then the automated software springs back into action, starting the clock on your interest and collecting payments.

Here I am going to speculate in reliance upon publicly available data sources rather than use information which I know as a result of private commercial negotiations. Window salesmen are not the only professionals who have been to Compliance training.

In the 15-minute window between the loan being applied for and signed, software has conducted a four-way commercial negotiation between the window installer, the facilitating entity, the bank, and the capital provider. The loan contract is between the customer and the bank (again, it has to be, regs) but the capital provider is a specialist institution.

There are a few banks which specialize in doing business like this. One of them is Cross River Bank, which keeps a keen eye on trends in consumer lending.

A bank which originates a loan might charge the facilitating entity an upfront fee-for-services, collect a servicing fee from the capital providers sliced out of the APR quoted to the customer, and of course retains actual economic interest in the loan… well, OK, a few hundred dollars of the loan, so that it can tell its regulators “No, really, we are lending money! It would be calumny to describe this situation as renting out a banking license!” Indicatively, that fee for services might look something like 1% of total loan volume, and the servicing fee might be 1% of the outstanding balance annually. (Mortgage servicing fees are about 0.25% but houses cost more than windows do and so you get an economy of scale. The servicing is essentially the same amount of work: you need a 1-800 number, lawyers on standby, the capability to receive checks, etc.)

So who is the capital provider and what are they getting? It will generally be a specialist fund, like say Sunlight Financial, whose name alludes to the solar business they got started in. You might naively assume “OK, 6.99% to the consumer, 1% servicing fee to the bank, so they get 5.99% APR on the loan, right?” I doubt that is the full calculation.

One reason is that loan sounds awfully cheap: the 10 year Treasury rate is currently a hair over 4%, so why would you give a consumer 15 years fixed rate financing for 6%? Even with excellent credit quality, 2% spread doesn’t sound like enough money to make a business out of this.

But: what if, like BNPLs, you could charge someone else a bit of money? Who benefits the most from this transaction? The window installer. So charge them for it. They’re clearly willing to pay something like 2.4% of the entire transaction size already, because they will happily let you buy windows with a credit card. So that’s the floor. A BNPL provider can charge Sephora something like 6% to sell lip gloss. That might be the ceiling. So can you get them to kick in… 5%? Probably.

That moves the APR as perceived by the lender to about 7.9%. (Ask Python or Excel if you don’t believe me.) It’s a bit better than this, too, because of what will happen to the fund if interest rates fall. The value of outstanding bonds increases if rates fall, but this consumer loan might get rolled into e.g. a newly cheap HELOC if rates fall. (The free no-penalty prepayment option is a fundamental challenge in mortgage finance.) So by default this is a lose-lose situation for the lender: if rates rise the value of the loan falls, if rates fall the loan very possibly gets repaid early. But with the origination fee from the installer, if rates fall and the loan is repaid early, the return on capital over the lifetime of the loan rises sharply.

If the loan is repaid after 7 years, which is approximately the average tenure in a house in the U.S., the real rate is about 8.15%. If it’s extinguished after a year, perhaps due to rates-related refinancing, about 12%.

These numbers start to sound attractive to credit funds, particularly when you have a repeatable process for generating them at 9 figure scales with independent credit quality.

As an additional wrinkle: is Sunlight the ultimate source of capital at risk? Well, if I were Sunlight, I might think of tapping the booming private credit market: borrow at a lower rate than I earn in expectation on my portfolio, collect the spread. If I were Apollo (such a natural brand to associate with sunlight, and among the world’s largest credit funds), I might buy an insurer or figure out how to get retail investors private credit exposure to fund billions of dollars to anyone who creates a loan origination engine with demonstrable credit quality.

For much more on that side of things, you should read Money Stuff or listen to Odd Lots, which cover “private credit is the new bank lending” all the time. I’m just presenting the speculative case for how private credit turns permanent capital vehicles into windows.

Compliance will tell you not to describe this as unsecured lending to the customer. I am so forgetful as to offhand comments made during sales presentations, though.

Formally, the lender does have a security interest. However, they do not want to go to the trouble of “dirtying the title” by getting a lien on the house. That can’t be done in 15 minutes. No, they only have a security interest in the window they financed.

A security interest in a car is valuable because people are quite attached to their cars and, if push comes to shove, you can repossess a car. A security interest in a house is valuable because people are quite attached to their homes and, if push comes to shove, you can foreclose on a mortgage and repossess the home. A security interest in a window is valuable because… a security interest in a window is actually not valuable.

However, by construction, the commanding majority of borrowers here have excellent credit. One factor decreasing their credit risk is that many consumers are, and this is an underwriting term of art, “judgement proof.” If you sue them for performance and a court gives you a judgement, that is worth the paper it is printed on, because they have no easily attachable assets and they might have employment in a System D fashion where garnishing their income is difficult.

A homeowner, on the other hand, always has one asset you can attach: the house, by filing a lien on it after receiving the judgement. A lien against a house is an immediately monetizable asset in the United States, because it blocks the sale of the house until it is satisfied, and there is a specialized financial ecosystem which is happy to buy that lien and then attempt collection by some combination of a) asking nicely and then in the alternative b) waiting patiently.

And so the lender’s contract is, to the extent it is concerned with credit risk, concerned with swiftly demonstrating to a court: valid contract, loan paid for windows, customer isn’t paying, issue us judgement, thank you very much, we’d like to file that judgement as a lien against coincidentally the same house. It’s only fair.

Nice new windows are better than broken ones, and the process of buying them is now painless at an attractive financing cost. They are still expensive, but homes are expensive.

Every time anyone mentions innovation in consumer lending, the same comment is made: isn’t this just the financial crisis all over again? Aren’t we stacking up billions of dollars of low-quality loans with intermediating layers of complex products like CDO-squared? Isn’t this going to blow up?

That’s an understandable point of view. But: there is an actual underwriting process here. We replaced “You write a lie on paper, no one reads it” with a computer program that never gets bored at comparing databases. The borrower is actually reasonably good credit quality, rather than a ninja (“no income, no job”; one of the subprime lending era excesses was writing NINJA loans in quantity). 

If the installer successfully leans on the origination machine to lower underwriting standards and let anyone who can fog a window buy one with a smile, then the losses are largely not in the regulated banking sector and backstoppable by taxpayers. They’re mostly to sophisticated investors in credit funds, who are being paid handsomely to take that risk. The system is also self-correcting: early defaults would cause the credit funds to tighten their risk appetites and constrain originations fairly quickly, rather than encouraging refinancing to juice origination numbers, until we were all holding (to quote Margin Call) the biggest bag of odorous excrement ever assembled in the history of capitalism.

Besides, if credit quality keeps you up at night, you should be much more concerned about bog-standard commercial real estate loans.

Much of the operation of the financial industry is legible to people outside of it. Your credit card works basically like you understand it to (excepting the occasional mythmaking about second order consequences). Debates about what terms banks are allowed to offer on credit cards are fairly straightforward and can be easily followed by non-specialists.

But some issues are under the hood, and a societal debate about them doesn’t exactly wear its consequences on its sleeves. Consider the controversy over Section 1033 of the Dodd-Frank Act (and even that framing is an effective medication for insomnia).

In July, JPMorgan Chase announced its intention to charge fintechs for access to so-called Open Banking data. This comes amidst a consortium of banks trying to sue this hithertofore obscure regulation out of existence.

Almost all discussions of it center on “data”, but it’s actually a fight about payments, and whether banks have a right to monopolize and charge for all economic activity their users engage in, irrespective of whether the bank operates the payment method.

Cards on the table: I previously worked at, and am an advisor to, Stripe, a financial infrastructure company which facilitates customers’ use of both bank-sponsored (cards, etc) and competing (account-to-account, stablecoins, etc) payment methods. Stripe does not necessarily endorse what I say in my personal spaces. (I’m also a user and tiny shareholder of Chase. One presumes they also don’t endorse what I say in my personal spaces.)

The Dodd-Frank Act was passed in the wake of the 2008 financial crisis. It included a combination of needed reforms and, effectively, partial negotiated settlements for the way in which banks had reaped enormous profits originating mortgages of less-than-stellar quality then left taxpayers holding the bag once those mortgages could not be repaid.

We’ve previously discussed one of the knuckle raps: banks had their debit card interchange capped, with an exemption for small banks. (Interchange is the fee card-accepting businesses pay to transact with bank customers.) The Durbin Amendment became a major pillar of fintech companies, as it established a revenue model for them. It also became something of a lifeline for smaller financial institutions, particularly those that partnered with fintechs.

Did banks like the interchange cap? No. It made a very lucrative line of business rather less lucrative. Taxpayers had provided about $245 billion in capital to backstop banks, and they (through the ordinary operation of a representative democracy) got a post-hoc concession for it. 

The interchange cap was not the only concession in the Dodd-Frank Act. Section 1033 was another one: it is designed to increase competitiveness in financial services by establishing a presumption that banks must allow users to access their own data, including through competing providers.

In the intervening years, that competition has arrived. The banks do not like it, and would prefer it if it went away.

Financial institutions offer their customers a complex bundle of services.

You might reasonably expect that Open Banking is a fight over the budgeting app space. The banks have, via the magic of account records, a large portion of the underlying data about a household’s finances. You could imagine software using Open Banking to allow it to slurp in transactions and then categorize them. That would compete against the lackluster offerings the large banks have in their apps.

But Open Banking is not actually a fight over budgeting apps. Banks don’t make money on them and the best known standalone budgeting app, Mint, was acquired for a relatively small amount of money.

Payments, on the other hand, are an enormous business. They are monetized both by banks and by a diverse ecosystem of fintech providers.

The data banks find it annoying to make Open are, principally, account numbers. This is because, due to the long shadow of checks, possession of an account number (plus the routing number, identifying the bank) is sufficient to attempt to debit a bank account. Direct account-to-account transfers, including “pulls”, are a common payment method in many countries, but they are not a large share of consumer to business payments in the United States.

Why not? One reason is that the user experience of asking someone for their account number is pretty awful. There is no way to check in real time whether an account actually exists. Credit card numbers, in addition to having infrastructure which allows you to query them in real time, are specifically formatted so that typos in them are easily catchable.

Since you can’t know whether the account exists you certainly can’t know its current balance or whether a transaction posted against it today will succeed in a few days or be reversed for insufficient funds (or another reason). This means that businesses which use account transfers as a payment method would frequently suffer credit losses if they released goods or services at the time of “payment.” For many businesses, that isn’t a worthwhile tradeoff.

So they keep using cards. Cards give much stronger (but not foolproof) real-time guarantees of funds availability and likelihood of a transaction going through successfully. The ergonomics of card acceptance, at the register, through your phone, or in a web browser, are also much more palatable to most customers.

Several fintech companies, including Stripe, realized that they could use Open Banking to make account-to-account payments something customers would actually enjoy. The user is prompted at checkout whether they’d like to pay directly from their bank account. They log into their bank account and grants the fintech read access. This is a much stronger signal of authorization than simply knowing an account number. (We print those on every check, after all, and a check is designed to be handed to a cashier or waiter you’ll never meet again.) The fintech then grabs the account number and perhaps e.g. looks up the current balance.

Then, they can pull money from the account, through an ACH debit.

The ACH debit itself is not Open Banking. It is the ordinary operation of existing payment rails in the financial system. The ACH debit was just made much more convenient by Open Banking.

Most use of Open Banking is through so-called aggregators. Plaid and Yodlee are well-known examples.

Prior to the existence of Open Banking, the aggregators (and businesses which needed the data they can make available) were largely forced to build supportability networks, bank by bank, by writing so-called screenscraping software. Screenscraping software emulates someone typing the password into a bank’s website then browses through a live bank account to extract the information needed from it. Hopefully that screenscraping software isn’t bugged, because bugs in scrapers that interface with consequential systems are terrifying.

Aggregators would then ask users to share their bank account passwords, so they could operate the bank accounts via software automation, to get the data the aggregators’ business customers were interested in. Like, say, account numbers.

This is a worse model for users and security of the banking system than Open Banking, because sharing bank account passwords leads to misuse of accounts. The flow for Open Banking, in the best implementations, redirects users to the bank site to authorize the data sharing, without forcing the user to irrevocably cough up the keys to the kingdom.

ACH debits are not new. Businesses have been able to use them for decades. You very likely use them yourself to e.g. pay recurring bills every month, like utilities, mortgage, or credit cards. ACH debits have just been very annoying to use for payments online or at cash registers, and so almost all consumer to business payments go over card rails instead.

ACH debits are almost free.

NACHA, which administers ACH, charges a per-transaction fee of ​​1.85 hundredths of a cent. This compares favorably to regulated debit card interchange (21 cents plus five basis points of the transaction size) and extremely favorably to Durbin-exempt debit cards or credit cards (generally about 2.X% of the transaction size plus 20-30 cents). The interchange fee is paid mostly to the card issuing banks.

Banks would strongly prefer the world not make novel payment methods that are convenient and cost accepting businesses less than cards. Banks are interested in Section 1033 because they want to continue earning interchange revenue on coffee purchases and software subscription invoices. 

But payments for goods and services are not the only interesting Open Banking use case. Useful infrastructure, once it exists, tends to get incorporated into everything.

When you open a brokerage account or engage with crypto companies, you are quite likely to pass through an Open Banking flow to link your existing bank account. You’ll use your linked bank account to fund your investments and, hopefully, eventually receive your returns. 

Older users might remember that this used to require asking the brokerage to make trial transactions, typically pushing two ACH payments under $1 in total and asking you to confirm the amounts. This would demonstrate that you hadn’t typoed your bank account number, that the account could actually accept transfers, and that you (presumptively) had authorized access to that account, given that you could read recent transactions at will.

Trial transactions are painful for all parties. They insert a multi-day wait into the account opening process, and many customers abandon the process during that lull. Brokerages and fintechs were overjoyed that Open Banking largely allowed them to move away from trial transactions to authorize every new account.

There are also clever uses of Open Banking to piggyback on banks as oracles. For example, how do you, a financial institution or insurance company, know that I, a particular natural person, have authority to direct Kalzumeus Software, LLC to open a new financial account? One way you could establish that is to ask me to submit a copy of the LLC’s Articles of Organization and a Certificate of Good Standing from the great state of Nevada. Then you pass those to a backoffice paralegal, who can ascertain that the Articles name me the Managing Member, and empower the Managing Member to open new financial accounts. This costs $50 to involve Nevada, and very many small businesses in America will not succeed at the task “please locate an authoritative copy of your Articles of Organization.”

A much faster way is to use an Open Banking aggregator to read a bank account statement issued to Kalzumeus Software, LLC. This allows a second financial institution to make the reasonable inference that if I habitually direct a small business’ banking, as demonstrated by being able to grant access to its accounts, then I probably direct a small business’ banking. This will save their operations team from reviewing 100 pages of boilerplate and cut down on account opening time. (This is one of the rare and underacknowledged benefits of Know Your Customer regulations. Since banks are understood to have KYC responsibilities, the bank “vouching” for you as a customer in this fashion is treated as strong evidence by others in the economy.) 

So why is Open Banking in the news now? We’ve had Open Banking for almost 15 years. The competing payment products work and work well. They are lower cost to accepting businesses and easy for customers to start using. Customers are switching to them in increasing numbers. Not all of them, but enough to worry the banks into wanting to strangle the upstarts.

This has happened via a regulatory push, litigation, and ultimatums over fees.

The Consumer Financial Protection Bureau finalized its rule for Section 1033 in late 2024. As you can tell by the lag between 2010 (when the Dodd-Frank Act was passed) and 2024, it was something of an involved process.

Relevantly, the CFPB which passed this rule was the Biden administration CFPB. I try to be non-partisan in professional spaces but will need to neutrally observe how partisan players have seen the CFPB.

The CFPB was not well loved by many people in the finance industry or the fintech community. Critics alleged that the CFPB was less a federal agency and more a one-woman show, with the stars being Senator Elizabeth Warren and a ventriloquism dummy. This was unfair. The CFPB staff was actually quite intelligent in anticipating Senator Warren’s preferred positions and rulemaking to achieve them without the dreary necessity of her writing legislation or convincing Congress to vote for it.

As I mentioned last December in discussing the debanking discourse, influential supporters of the second Trump campaign, including fintech and crypto investors, wanted the CFPB’s scalp. They essentially got what they wanted. The CFPB was hollowed out early in the new administration.

In a swift and ironic turn of events, a policy promoted by the crypto industry due to their frustration with the decisions of large banks (regarding their industry’s supportability) was quickly used by large banks for commercial advantage, catching the crypto industry in the crossfire.

Prior to the election, the Bank Policy Institute, a banking industry trade group, and the Kentucky Bankers Association sued to prevent the CFPB’s rulemaking from taking effect. I think an informed person would understand that their legal arguments are pretextural. Their policy arguments, against the normative intent of Open Banking, I’ll return to below.

The CFPB initially defended the suit vigorously, but the newly hollowed out CFPB in June announced its intention to surrender.

This has caused a bit of chaos in Washington, as Section 1033 is administered by the CFPB but is part of the financial regulatory apparatus that crypto companies actually like.

Exchanges largely monetize by charging a vig on crypto purchases, and the so-called “onramp” (transfering money from the traditional financial system to the crypto ecosystem) enables the rest of their revenue (such as e.g. receiving a cut of interest earned by stablecoin issuers or staking the coins owned by customers).

Exchanges want to accomplish the onramp at the lowest possible cost, which is through ACH debits. Their desired outcome is the new user uses an aggregator to authorize a debit from their bank account. Then, the debit is very close to free, both for the first transaction and also for subsequent transactions using the same banking details. (The exchange bears a bit of credit risk, since the debit is not known to settle successfully until about two business days later and it can be reversed long after that if it was fraudulent. These issues cost Coinbase about $20 million last quarter. It dries its tears on money.)

The legal and regulatory wrangling continues. It’s difficult for me to read tea leaves from Washington in the best of times, and in the interests of avoiding partisan commentary, I’ll refrain from confidently guessing whether statements of the administration predict its future actions over multi-week timescales.

The credit card brands, which were originally created by banking consortiums, consider Open Banking data aggregators to be an existential risk to their business. They have long wanted to co-opt or kill them.

That isn’t just me saying it. Visa attempted to buy Plaid back in 2020. The argument to Visa’s board was (pg 5) that Plaid could potentially be a, quote, “existential risk” to their debit card business, which threatened a $300 to $500 million a year revenue hit. It was cheaper to take them off the table, even at $5.3 billion. Call it an insurance policy, their CEO said.

The FTC quashed the acquisition, saying it would have the anti-competitive harm of protecting the debit card business. The FTC alleged that Visa had a near monopoly in online debit transactions. (This payments geek thinks there is actually a vibrant competitive landscape there, including internationally.)

Some commentators might assume that that was one of the Commissioner Lina Khan era anti-monopoly interventions. (This enforcement environment was part of the causus belli which flipped some notable Silicon Valley personages. It’s a complicated story and not particularly well-told by the press, in part because people with a nuanced view of the situation no longer respond to press inquiries, due to journalists’ repeated defection in an iterated game.)

While I’m not a close follower of anti-trust enforcement, I do happen to know how to use a calendar, and so feel obliged to mention that the action to stop the Plaid acquisition was late during the first Trump administration.

Politics legendarily creates strange bedfellows. Crypto companies are now asking the CFPB to revive a regulation protecting a business the first Trump administration kneecapped, after which the second Trump administration hollowed out that same agency, despite campaigning against kneecapping tech and crypto—leaving the CFPB, long a sworn enemy of big banks, in Chase’s corner dismantling the crypto industry and suppressing competing payment methods, because the administration apparently thinks that’s what its backers want.

Yep, one’s head spins.

Chase is the largest bank in the U.S., maintaining checking accounts for approximately 44 million Americans, and therefore makes up a hefty chunk of total transaction volume within the financial system.

To avoid adversarially screenscraping banking apps, which is unreliable and a bit of a security hole, the better way to do Open Banking is to negotiate API access with as many banks as possible. (Companies make APIs available to let developers access data from them in a safe and controlled fashion. API access allows customers to give secure, scoped, and revocable access to their financial information. Handing over a password is not ideal for those properties.) 

This will customarily require signing a contract with the bank, obligating you to e.g. not steal the money, not attempt to hack bank servers, and not abuse customers’ expectations. These are all reasonable requests, swiftly agreed to. Most of the aggregators had agreements in place with Chase, which eagerly promotes their API access to developers.

In July, Chase started sending data aggregators notices about upcoming changes to their agreements.

The typical notice between financial institutions and developers downstream about changes to contracts is something along the lines of “We updated the wording in our privacy policy.” 

These notices weren’t that. Chase was altering the deal; pray that they do not alter it further.

Chase demanded payment for access to Open Banking APIs, and would cut that access if companies interfacing with them did not acquiesce. The fees demanded were enormous.

A fintech industry trade group was quoted by the Financial Times as saying:

“Across all the companies that received the notices, the cost of just accessing Chase data is somewhere from 60 per cent and in some cases well over 100 per cent of their annual revenue for the year … Just from one bank.”

Plaid was asked for $300 million, which would be 75% of their 2024 revenue. That is likely more than the wages and benefits for all of the 1,200 people who work at Plaid.

Even as someone whose perennial advice to companies was Charge More, these don’t strike me as serious proposals to put a reasonable price tag on valuable services.

The prospect of Chase monetizing Open Banking has dragged some other banks into the fray; PNC is also looking at taking a bite at the apple. The table gets crowded quickly if even a fraction of the next 4,500 banks try to join.

You can imagine some rapid back-and-forth happening between bank and fintech negotiators happening in the background. There is some reluctance in the industry to speak of that openly, partly because negotiations are delicate and partly because some fear retaliation elsewhere in their business relationships.

But, helpfully, the banks have published their arguments, directly and via their industry associations. They are not particularly persuasive.

The best one is that banks bear risk here, and want to price it. Should a bank authorize a third party to use Open Banking, that third party might use it to exfiltrate value from a bank account. Should a bank customer authorize a transaction but regret it, perhaps because it was to a scam operation, they might ask their bank to make them whole.

Banks bear this fraud risk, the same as they do when they pay out a fraudulent check, until they can recover the money by reversing the transaction. They will not always be able to successfully reverse the transaction.

This is structurally similar to banks’ obligations under Regulation E for debit cards and Regulation Z for credit card purchases. If a consumer gets abused over card rails, the bank is good for it by regulation, less a $50 deductible that the industry universally waives in the interests of their good name. Banks are quite happy with this responsibility for cards, because card issuing prints money, but Regulation E covers almost any form of electronic payment and almost any imaginable form factor of abuse. (For non-limiting examples, see the AI-sung ditty, Doesn’t Matter, That’s Reg E.)

But account-to-account payments are less like cards and more like checks. Indeed, the Automated Clearinghouse part of “ACH debit” refers to being a clearinghouse for check payments. 

Banks will occasionally take fraud losses over checking accounts. They mostly can’t charge for checks directly; customers expect to write them freely and businesses expect to deposit them for, at most, a nominal fee. Certainly you’d be laughed out of the boardroom if you suggested a check fee scaling with the size of the check. That’s check cashing nonsense, and not something that regulated financial institutions or their customers expect.

Dimon, in his 2024 letter to shareholders, laments that typical retail checking accounts are a low- or negative-margin business. As an avid reader of Chase shareholder letters, I know why Chase operates that business anyhow: it’s the foundation of their relationship with households, which they largely monetize through credit card issuance, mortgage origination, and the like. It’s also operated by design to charge lower-income lower-asset consumers less and reliably increase monetization over their long relationships with the institution

The deposit franchise, which contributes a lot to the Fortress Balance Sheet™, is most valuable when it attracts retirees, small businesses, and others who keep larger balances earning 0.01% in a savings account or nothing in checking. As a cost of acquiring that business, it offers accounts to e.g. a teenager who wanted to cash the paycheck for their summer job, even though the margins on that account might be negative for the next ten years.

And so suggesting that retail checking account availability is threatened by banks’ responsibility to monitor transactions and pay out if they make mistakes in authorization is, frankly, an insult to the intelligence of anyone familiar with banking.

Checking accounts are also a public service expected by society of banks. This is in return for their lucrative monopolies on industries like e.g. consumer debt issuance and explicit and implicit taxpayer backstops of their operation. Chase is intimately familiar with those, most recently from when it cashed a $13 billion sweetener check to acquire a failed bank.

We have made enormous strides, both from the financial industry and civil society, in banking almost everyone. That should not immediately imply “and thus banks get to charge a fee on every transaction in society.”

Chase is extremely capable of shipping payment products that customers actually want to use. Witness the Chase Sapphire Reserve, which probably half of fintech VCs and management teams use to pay for dinners, to my casual observation.

When Chase can’t successfully convince a customer to use a Chase payments rail that has a Chase CSR standing by to help out at 2 AM, Chase shouldn’t charge the accepting business money. Chase should understand that Open Banking and account-to-account payments are close in character to a check: one facilitates them in the ordinary course of business, for close to free, as part of the larger package offer.

Banks additionally make the argument that Open Banking leads to screen scraping. Certainly, as a financial technologist, I would prefer high-quality APIs with reasonable security guarantees. And some banks, like Chase, used the fifteen years of advance notice they had to develop these.

Other banks had other priorities, and are now using their own inaction to argue that screen scraping is a threat. (One can’t help but notice the bait and switch: first say aggregators must use official APIs rather than screenscrape, then claim that anyone who’s viewed developer documentation has agreed to a bill for 75% of their revenue.)

The banks additionally argue that fintechs are freeriding on substantial technology investments made by banks to serve their customers. This is extremely selective memory. Stripe did over $1.4 trillion in payment volume in 2024. Using no private information whatsoever, that implies that Stripe alone paid the banking industry somewhere in the general neighborhood of $20 billion in interchange fees.

Twenty. Billion. Dollars. From one firm alone.

It’s a little rich, pardon the pun, to cash a check for $20 billion and then whine about fintechs freeriding on your IT spend.

Credit cards are an enormously lucrative business for banks. The capability for businesses of all sizes to transact with customers worldwide over those rails is an enormous service to the world. 

But cards are not and cannot be the last word in payments. We, as a society, should continue making things people want. Sometimes, the natural way to buy those things will be less compatible with cards or the assumptions baked into cards’ business model.

There has been quite a bit of enthusiasm for stablecoins in some quarters recently. Part of the sales pitch for stablecoins has been that you get to bypass the traditional financial system rails. This sales pitch does not accurately predict the operation of stablecoin businesses with material volume. Those are often operating something of a crypto mullet, with a stablecoin in the front and a bank transfer in the back. Those bank transfers are often substantially facilitated by Open Banking. This is a necessary part of the growth story for stablecoin businesses, as they are increasingly attempting to interact with the real economy, rather than crypto speculation. The real economy wants dollars and doesn’t much care what brand of database your backoffice uses.

People, particularly at the socioeconomic margins, increasingly use things which aren’t exactly a plastic rectangle. Sometimes that is a Cash App or a Venmo, or wallet directly integrated into a phone, or whatever a YC company invents next week. Our international peers like Japan (and our adversaries) have thriving payments ecosystems.

Developing these innovations will almost always need to touch the banking system because, at the end of the day, businesses want dollars. If we award banks the ability to impose a fee on any transaction that competes with their card business, that will strangle some of these innovations. This would be unfortunate, because customers and businesses benefit from choice.

It also helps us keep the banks on their toes. The industry tends to default to sleepwalking with regards to core services. Bank apps actually being quite good in the last few years is not simply a reflection of their general technical competence. They invested deliberately, after decades of underprioritization, because they saw the younger generation increasingly defecting to apps, and then they realized that would eventually threaten the deposit franchise.

The banks aren’t inherently opposed to shipping good products! They do it frequently! But if you ask the question slightly differently, they will happily bankrupt anyone who threatens revenue streams which are fat-and-happy. In that world, you get to use 1999 banking websites on Internet Explorer 5.0 forever. (And if that sounds unlikely, speak to a Korean friend sometime.)

There was also something of a kerfuffle with regards to banking supportability decisions recently. I have a nuanced point of view on it, but if I can offer a comment: when you let banks look into the economic logic of their customers’ lives to determine their pricing structure, you’re giving them the capability to pick winners and losers.

It has been reported that Chase wants a two-tier pricing system for Open Banking: one fee for data access and another, much higher, fee if someone uses that data access to facilitate a payment. These are the same products from Chase’s perspective. The same servers hold the same data. The same CSR stands ready to answer the call if a customer’s data leaks. But one of them is inimical to Chase’s preferences, and so they charge it more to discourage it.

We should not allow banks to get into the habit of sending demand letters to ruin the economics of businesses they simply do not like. Those demand letters will be inevitably abused, including in ways which are not determined by any conceivable direct business interest.

Banks are good at much of what they do, and it is quite profitable. If they want to maintain their share of wallet in their payments businesses, they employ intelligent people who are capable of shipping good products. Let them compete for the business. They’ll frequently win it, fair and square, including from me. But if customers choose to use someone else or if they mistakenly release payment to a fraudster, eh, have your teams break out Excel and try better tomorrow.

In the sciences they call it the file drawer problem: studies that fail to achieve significance or reach the "wrong" conclusion end up hidden away, creating a distorted picture of reality. 

And so here's me rescuing something from the file drawer of banking procedure: a tale of two Americas, one bank branch, and $50,000 in cash.

A style magazine published an account of a large cash withdrawal that didn't match my understanding of banking reality. I burned several thousand dollars and a year investigating. I now doubt that account less, because I understand the context better.

There exist thousands of banks in the United States, each one independently operated with their own procedures, work forces, and circumstances. They are, broadly, similarly constrained by regulation, industry practice, culture, and perception of the threat environment. There is no such thing as a perfectly typical bank, banker, or banking client. But if we were to ignore the messiness of the real world, for the purpose of making a larger point, here is what is supposed to happen when a customer comes in and asks to withdraw $50,000.

A bank doesn’t expect its CEO or Head of Compliance to individually make decisions on every withdrawal. It has designed procedures to achieve the outcomes it (and its regulators, and other stakeholders) desire, and trained staff in how to implement those procedures. Those procedures happen to very explicitly contemplate this transaction.

The teller or personal banker, junior though they may be, is supposed to ascertain the identity of the customer, and ask themselves whether this is a typical transaction for this customer. Do they, perhaps, run a cash-heavy business which, every few weeks, takes out $50,000 to e.g. stock the ATM fleet they operate? If yes, either the staff knows that to be true personally, or this fact is noted on their account. (That note was written after the bank got extremely familiar with their cash management needs, for reasons.)

Very few customers routinely withdraw $50,000 in cash. We move to the next step on the flow chart. Here, the bank staff will begin to deploy some mix of truths, half-truths, and white lies.

One statement, which may be anywhere along that spectrum, is that the bank branch does not have $50,000 cash on hand. Across all bank branches in America, this is frequently actually, mathematically true. A true-ish variant of it is that the branch does actually have a bit more than $50,000 cash on hand. The branch needs it to service customers with routine cash needs, and the instant customer cannot be allowed to wipe out the bank’s on-hand cash reserves, because that will cause them to disappoint dozens or hundreds of customers between now and the rebalancing shipment of cash they will swiftly order. And then there is a false variant, where at some branches this is factually as operationally straightforward as exchanging a $20 bill for two rolls of quarters, but where the lie is institutionally excusable to save this customer from themselves.

Many people who have never withdrawn $50,000 in cash do not have great reasons for suddenly wanting to withdraw $50,000 in cash. It is quite likely they are being scammed or otherwise victimized. The bank, in consideration of its legal and ethical duties to its customer, would prefer to not facilitate this, even unknowingly. Over the universe of all people with this request, the bank knows, in its soul of corporate personhood, that it has actual knowledge of what is likely happening here.

And so, the staff will likely say that the bank has a rule, procedure, or request that the customer call them a day or two in advance of making large cash withdrawals. This will “allow us to get the cash together.” Now, in point of fact, there is a number that the branch manager could call to ask for an extraordinary shipment of physical currency, but this is mostly intended as a speedbump. Scams and other forms of exploitation rely on isolating the victim and pressuring them into making poor choices. Mandating a cooling-off period causes some scams to effervesce like dew in the morning sun.

Perhaps, as happens in many non-routine requests in banking, the customer will call in third-party professionals. Perhaps the customer, annoyed that the $50,000 they need to consummate a real estate transaction isn’t trivially on offer, might phone their real estate lawyer. This is music to the bank’s ears. Not every voice on a telephone is actually a lawyer, and not every member of the bar upholds its strict standards of professionalism and moral uprightness, but lawyers are so much easier to work with than civilians. And, should the matter be reviewed later, the bank will be able to document its reasonable reliance on representations made by a lawyer.

Fraudsters have frequently targeted real estate transactions in recent years. Banks are acutely aware of this; it’s covered extensively in their professional journals and in circulars from regulators. But banks, who have extensive experience with real estate deals, know that a few hiccups on closing are stressful for customers, but very rarely actually blow up transactions, certainly not like scams blow up bank customers.

The bank is unlikely to reach confidence, in this circumstance, in just a minute or two in the teller line. Many well-off people, with great relationships with their banks, with extensively paperworked transactions, will go through more than a half-hour of hoop jumping to get approval for anomalous transactions.

But suppose, for some reason, the calls do not happen and the extended due diligence is not performed. What is supposed to happen next? Well, typically at large money center banks (and here I cite both general industry knowledge and also sources familiar with banking procedure), the staff dealing directly with the customer will summon a second individual. Sometimes this is the branch manager, sometimes it is a peer. Sometimes the next action takes place verbally. Sometimes it happens in specifically built software which keeps an audit log of both staff signing off.

The bank invokes the Two Man Rule. (Yes, this has been renamed in many—but not all—formal documents recording procedural controls. Regulators have, generally, reviewed and approved those documents.)

If both individuals are satisfied that the anomalous transaction is not sufficiently hinky to refuse, it goes forward. This will generally require asking the customer about what they intend to do with $50,000 cash. Banks very rarely ask this question at $50 or $5,000.

Bankers, by law and custom, holistically review these situations. Elements considered include the account records, the experience of branch staff with this particular customer, and a host of context cues which the financial industry would prefer to dissimulate about.

If you are, for example, a lanky thirtysomething who waltzes into a branch in San Francisco and asks for a six figure wire to fund an investment, helpfully mentioning that you have the KYC/KYB information in a clear plastic folder, neither of the Two Men are likely to actually ask to read that folder. If you walk with a cane, if you speak with an accent, if you present as not really understanding the rituals you are engaged in, the bank and its staff will pay radically more attention to you, frequently not in ways you will enjoy.

Let us assume that a $50,000 withdrawal happens, through some pathway. It will have one more mechanical consequence. Very soon after the withdrawal, the bank will be obligated to file a Currency Transaction Report (CTR) with the Financial Crimes Enforcement Network (FinCEN), unless the customer has had a previously-approved status as someone who routinely needs to do this sort of thing, which almost no customers have. The CTR is a write-once read-probably-never document which mostly serves to get the customer’s banking information into a trivially searchable database for law enforcement.

And then what happens to the $50,000? Whatever the customer wants, really. If they want to put it in a shoebox and give it to a courier, it is, at that point, no longer the bank’s problem.

In February 2024, the style publication The Cut published on its site, and concurrently in the print edition of New York Magazine, an article titled “The day I put $50,000 in a shoe box and handed it to a stranger I never thought I was the kind of person to fall for a scam.” It was written, in the first person, by a financial advice columnist who previously wrote for the New York Times business section.

The Cut and New York Magazine are owned by Vox Media, a private equity firm with material investments in advertising platforms (“We Create Premium Advertising Solutions”, “We Enable Media Companies To Build Modern Media Businesses”). Vox also publishes an eponymous website, notable for popularizing the term-of-art “explainer” and for publishing, about covid, analysis that aged more poorly than perhaps anything in the history of the written word. (It subsequently unpublished it.)

Many of Vox’s publications are good at what they do. The shoebox piece successfully achieved virality and follow-on coverage by several media orgs. A media critic could point to reasons why, such as the specificity and viscerality, the it-could-happen-to-anyone framing, and the complicated mix of schadenfreude, voyeurism, and self-protective reassurance which make so-called “true crime” explorations so explosively popular.

Vox Media sell ads with rate cards justified by the storied legacy of New York Magazine, which has won Pulitzers before, against articles of the caliber produced by The Cut. The print edition of the piece is immediately preceded by a fashion spread for “TOM FORD Halter-neck Jumpsuit and Black Stamped Croc Bar Belt, at tomford.com” A similar item, U0269-FAX1105, on the site bears the price tag $5,790, which is capitalism’s surest signal as to who it thinks is reading a publication.

For a quick vibe check on editorial standards of any publication, by their fruits shall you know them: just read the headlines. I checked them the morning of a presentation on this investigation, and they were “The high stakes of the group family vacation”, “George Clooney didn’t appreciate Biden criticizing his wife”, “The film exec distracted by her crushes at Cannes”, and “Madam Clairevoyant: Horoscopes for the week of June 9-15. Mars, planet of action, moves into steadfast Taurus. Time to knuckle down.”

Time to knuckle down… on hard-hitting journalism about banking procedures.

When I reached the bank, I told the guard I needed to make a large cash withdrawal and she sent me upstairs. Michael [a member of the scamming team] was on speakerphone in my pocket. I asked the teller for $50,000. The woman behind the thick glass window raised her eyebrows, disappeared into a back room, came back with a large metal box of $100 bills, and counted them out with a machine. Then she pushed the stacks of bills through the slot along with a sheet of paper warning me against scams. I thanked her and left. 

As the piece went quite viral on Twitter, a number of people reached out to me. One specific question asked was “Are high-value withdrawal rooms a thing?”, which I answered, somewhat confusedly, “I could believe that there is, somewhere among 76,000 bank branches in the United States, a room designed to make $50,000 withdrawals. But no, the standard branch layout has no such room designed or designated.” 

If a customer needs privacy, the branch has several rooms with doors, behind which banking business is routinely conducted. Those rooms are not fortresses. The branch is not a fortress. It's primarily a sales office for financial services that happens to handle some cash.

Then, I read the article, with a particular attention to the paragraph quoted above. I felt that several elements of this paragraph were inconsistent with the standard practice of banking.

I have an immense regard for journalism, generally, but the institution has been duped before. Stephen Glass comes to mind. One of the earliest bits of hard evidence against him was that he confabulated evocative details about the built reality of buildings he claimed to have visited. The shoebox piece contained much evocative detail, including some details I felt were, unbeknownst to almost all readers, likely to be checkable… and unlikely to have been checked.

Thus began an investigative journalism project, which ended up taking almost a year.

Having once worked for a Communications department, which very definitely does not endorse anything I say in this piece, I am aware of a social ritual of reporters and PR teams. You can send PR an email and ask them for a reply. By convention this is called a comment or a statement to pretend it is something vastly different in character than an excerpt from an email.

If one defects from this social ritual, many responsible professionals will conclude that one has something to hide. This is part of the reason why e.g. the largest banks in the world will swiftly answer questions asked by reporters working for, for example, a low-circulation weekly in Topeka, Kansas. This produces immense social utility, including by acting as an escalation pathway into the bank regarding, e.g., “Does the bank have a comment on why it is foreclosing on Ms. Mildred, who has shown this reporter a carefully maintained collection of checks that appear, to this reporter, to have been deposited?”

On February 22nd, 2024, I sent an email to Vox Media and asked for a comment. You don’t need to be bitten by a radioactive spider to do this. By custom, PR departments publish contact details widely, in part to avoid hostile journalists construing a lack of contact information as a refusal to comment.

There is, however, a performance of class that is helpful in getting PR departments to take you seriously. Mentioning that you are an avid Factorio player might not counsel an immediate reply to one’s questions. The following introduction is designed to compel one.

My name is Patrick McKenzie. I write a column titled Bits about Money, which frequently covers financial fraud and operational mechanics of banking infrastructure. I have previously appeared on Bloomberg and in the New York Times.

I read with interest the article about $50k in a shoebox, which was also published in the print edition of New York Magazine. I may reference it in future writing.

All claims in those paragraphs are true. Some people resent that one can assert authority simply because of implicit blessing of high-status institutions. I leave anyone to their aesthetic preferences, but will mention that this is a very important lesson for how halls of power in New York and Washington, D.C. work. 

When the New York Times attempts to commission a piece from you, they will say apologetically that they can’t pay that well for it, but almost nobody writes for the Times for the money. You are paid in a different coin. Flash it, John Wick style, at a PR department, and it immediately takes you seriously, or it is quickly brought to task by New York’s hidden-in-plain-sight subculture of character assassins.

My email to the press contact asked a few questions and avoided explicitly broaching the question I was most curious about: Did the editorial process understand this piece to be an exercise in… creative writing? This felt unlikely, but magazines publish a spectrum of artifacts. Some pieces are roman à clefs, some are pastiches, some are based in a true story, and some are the more traditional understanding of journalism. On the text of it, the piece reads like it is reporting a true event, but it is in a style magazine and does run next to a piece titled Tweencore (“What the 13-and-under set is shopping for.”) and, you know, one may be forgiven some doubts.

A spokesperson for New York Magazine replied with a statement for publication which removed all doubt about how it perceived this story.

The story was thoroughly fact-checked prior to publication, and as part of this process, we reviewed the writer's bank withdrawal, recordings of phone calls and text messages with their scammer, and their statement to the police.

Since I had publicly expressed doubt that there was any fact checking process, I corrected the record.

Published statements or comments routinely occur in the context of a larger conversation. This is rarely mentioned, and I am promoting this subtext to text. There may have been any combination of on the record, on background, or off the record statements between myself and Vox Media. The world may never know.

But generally speaking, careful titration of how much information passes between PR and reporters, including restrictions (which are closer to handshake agreements than contracts) on what can be used where and when, enables a brisk favor-swapping economy. That economy has failed to function recently in the tech industry, as I discussed previously with Kelsey Piper. (Kelsey works in a different part of the Vocis machinae.) 

When it does function, society gets the usual benefits of journalism, PR departments grumble a bit but play the game, the Bat Phone to mortgage servicing gets answered on the first ring, and advertisers sell their wares to willing customers to pay for it all.

So Vox Media’s statement through a spokesperson effectively definitively resolved my doubts about editorial processes… but this did not resolve my doubts about banking procedure. 

Fraud investigators, law enforcement, and journalists alike frequently start with intuition then backfill with objective facts. My intuitions were screaming.

The article does not actually name the bank or the bank branch, despite a scene unambiguously set within it, despite the centrality of its failure to the narrative, despite repeated identification of firms that were utterly uninvolved. The transaction does not proceed as what a bank expects to happen if someone asks for the entirety of their savings account in cash. Physical details provided for flavor purposes are very rare in the universe you live in.

The claimed fact checking process struck me as… other than robust, in worlds where parts of the article were not factually accurate.

For example, there are many ways to “review a bank withdrawal.” That review can involve five or more parties, and I’ve been on almost all ends of it at various times. Some “reviews” are low-friction but low-robustness, such as e.g. asking someone to see a screenshot of their mobile phone or a printout of a bank statement.

As I once told a colleague in an unrelated context: a printed bank statement is of limited probative value because it could be forged by a bright high school student.

The financial industry has a variety of ways to resolve this, depending on how much time and toil it wants to expend on the investigation. For example, you can call the financial institution which issued the statement in question, announce that you are in a room with their customer, and then ask their customer to ask them to read the financial institution’s copy of the statement into the open line. Many people I have told about this ritual assume that, due to security concerns, no bank will engage in it. Nope! This is extremely routine and will happen tens of thousands of times next Tuesday. It is obviously more trustworthy than a copy of the statement whose chain of custody includes a non-bank actor.

Anyhow, some years after cracking wise about bright high school students, I chanced upon an infelicity which happened to New York Magazine. It published that a Stuyvesant high school student had made $72 million trading stocks and was shortly to open a hedge fund.

This is obvious nonsense and would be detected within seconds of conversation by anyone professionally involved in hedge funds, but we have a ritual in our society which blesses some writers as being owed the benefit of the doubt when they publish obvious nonsense. If it ran in the pages of New York Magazine, and New York Magazine engaged its standard fact checking process by sending someone to Stuyvesant to review a bank statement, and that piece of paper said Chase at the top and an eight figure number at the bottom, then the clearly the story is defensible, right.

No! Of course not! New York Magazine got punked by a teenager. 

And so, reading New York Magazine’s newest written statement about thoroughly fact checking a bank withdrawal, I thought “After ten years memories fade. Vox is currently wearing New York Magazine as a skin-suit, so who knows if anyone involved in that fracas is still around. Perhaps current staff reviewed the newest issue’s most important transaction in an other-than-robust fashion.”

Texts from the scammer? Voice recordings? A statement to the police? All of these struck me as highly correlated rather than being independent evidence: all reliable if one trusts the writer, and all unreliable if one does not trust the writer.

Never having employed or encountered this writer myself, before she wrote things I believed to be improbable about banking procedure, I reflected on what I do trust. 

I trust the physical reality of the world. I trust that it is very difficult to corrupt the archives of societal institutions.

Vanishingly few bank branches put teller windows on the second floor. Many people have not ever had reason to deeply consider this true fact about the world. Relatively few people have ever made real estate decisions about siting bank branches or sketched layouts for them.

By coincidence, my father has. And, as someone who listened attentively at the dinner table and on car rides as he geeked out with his eldest son about the relative merits of various corners in Chicago, when I read that there was a bank branch in New York City with thick glass on the second floor, I thought “If that unicorn exists, I can probably narrow it down to a single physical location.” 

New York City, ye capital of the world, ye center of global finance, ye city which never sleeps: poets say you contain stories beyond numbering, but bike messengers can count your bank branches. A few hundred. Done. A diligent person could walk into every last one. (Of course the public can just walk into bank branches. That is what they are for.)

I started by attempting to narrow the set, to save some shoe leather. One gets a free 90%+ reduction by narrowing it to one bank in particular. Bank regulators keenly track deposit share concentration (and, therefore, bank branch concentration) in major markets, and NYC, the majorest market, is gardened with an exactitude that makes the feng shui look effortless.

Who knows the bank? Well, Vox (by implication of their statement) must know the bank, and the writer certainly knows the bank, and perhaps one of these would give an on the record comment naming the bank.

The writer engages in freelance journalism, has a professional website which lists her email address, and swiftly answered a question from another writer, on the record.

Bank of America.

Now we are getting somewhere.

Bank of America will trivially give you a list of all Bank of America locations in Brooklyn, for many reasons, including “We would certainly hope you find our financial centers for your financial services needs. We didn’t build this branch footprint and lease out desirable locations for a half century and sweat the details about curb cuts for the sheer joy of it all.”

One can, if one is unusually punctilious, cross reference their list against public records.

One useful sort of public record is the Office of the Comptroller of the Currency’s weekly bulletin, which includes all bank branch closings for nationally chartered institutions in the United States. Why would one care about those bulletins? An investigation, conducted in February 2024, about branches open on October 31st, 2023, might otherwise miss some which closed in the interim. And so I told my research assistant to read a few months of bulletins. (He surprised me by saying there is a search engine these days. Well, this wire transfer compliance influencer learned a new trick in 2024.)

And so we had twenty two Bank of America branches in Brooklyn to look at.

I’m in Chicago, and flying to Brooklyn to spend three days walking into branches seems like an obviously irrational use of my time. So, in the finest tradition of publications assigning scutwork to junior employees, I sent Sammy to Brooklyn instead.

We excluded any buildings which physically didn’t have a second floor. We used sophisticated techniques taught in journalism school, like the fact you can press ten buttons on an iPhone and then someone at a bank in Brooklyn will immediately answer questions like “Does your branch have a second floor?”

We kept a detailed spreadsheet, in the expectation we might eventually have to show New York media outlets that we had done our homework. A timestamped call here, a Street View there, our search area narrowed precipitously.

The final round of investigation involved Sammy physically entering bank branches, walking to the second floor, and looking for physical details consistent with the story as published.

This is a long way to say: I am very confident indeed that the only place in the world the described bank transaction could possibly have taken place at is 1 Flatbush Avenue, at the teller window, on the second floor. Right here.

We took this photo in March 2024, only weeks after publication of the original article.

And then we entered a long, long holding pattern, trying to find one trusted institution to say that, as of earlier than February 2024, they understood the transaction to either a) definitely have taken place at 1 Flatbush Avenue or b) definitely not have taken place at 1 Flatbush Avenue.

If the incident took place in the physical world, then the geospatial reality of the world imposes some constraints on the narrative. The writer unambiguously locates their narrative in Brooklyn. But Brooklyn is large.

Could we narrow it down? Could we do that using only independent, trustworthy information?

I trust, for example, that the city of New York keeps mostly accurate records about who owns property. These are quite useful for e.g. facilitating the orderly operation of the country's largest real estate market. The records are publicly available through the Automated City Register Information System (ACRIS).

I learned two things from ACRIS in early 2024.

One was an address on a mortgage. That address is, factually, a thoroughly doable walk from 1 Flatbush Avenue.

The other: this outsider, trusting at face value representations made by a news publication about the socioeconomic status of the subject of a story, did not successfully predict other facts present on that mortgage.

Socioeconomic class, unfortunately, has a great deal of bearing on how a bank would choose to interact with an individual. This is particularly true as one approaches either end of the socioeconomic spectrum, away from the mass market that most people assume banks must be serving at all times. We have often discussed discontinuities in service at the lower end of the spectrum in Bits about Money. There exist… other discontinuities.

I realize that commenting on the socioeconomic status of a crime victim is uncouth, particularly in ways they might not choose to describe themselves. Class is unfortunately essential to understanding what actually happened at 1 Flatbush Avenue on October 31st, 2023. Permit me a brief recital of the source of my confusion.

This outsider perceived a through-line of the Cut piece as being that the writer made other-than-rational decisions about $50,000 because their financial life was on the line. Here are some select non-consecutive paragraphs reproduced verbatim, with bolding added to highlight statements this outsider apparently read incorrectly.

Calvin [a member of the scamming team] wanted to know how much money I currently had in my bank accounts. I told him that I had two — checking and savings — with a combined balance of a little over $80,000. As a freelancer in a volatile industry, I keep a sizable emergency fund, and I also set aside cash to pay my taxes at the end of the year, since they aren’t withheld from my paychecks.

I almost laughed. I told him I was quite sure that my husband, who works for an affordable- housing nonprofit and makes meticulous spreadsheets for our child-care expenses, was not a secret drug smuggler. “I believe you, but even so, your communications are probably under surveillance,” Calvin said. “You cannot talk to him about this.” I quickly deleted the text messages I had sent my husband a few minutes earlier. “These are sophisticated criminals with a lot of money at stake,” he continued. “You should assume you are in danger and being watched. You cannot take any chances.” 

Fifty thousand dollars is a lot of money. It took me years to save, stashing away a few thousand every time I got paid for a big project. Part of it was money I had received from my grandfather, an inheritance he took great pains to set up for his grandchildren before his death. Sometimes I imagine how I would have spent it if I had to get rid of it in a day. I could have paid for over a year’s worth of child care up front. I could have put it toward the master’s degree I’ve always wanted. I could have housed multiple families for months. Perhaps, inadvertently, I am; I occasionally wonder what the scammers did with it.

Because I had set it aside for emergencies and taxes, it was money I tried to pretend I didn’t have — it wasn’t for spending. Initially, I was afraid that I wouldn’t be able to afford my taxes this year, but then my accountant told me I could write off losses due to theft. So from a financial standpoint, I’ll survive, as long as I don’t have another emergency — a real one — anytime soon.

These statements, and others throughout the article, conjured a particular image for me. It was that the writer was upper middle class, dealt with a bit of financial anxiety common to many individuals in precarious or not-particularly-remunerative employment circumstances, and was abused by professional con artists in a calculated fashion to prey upon this financial insecurity.

When recounted these same statements, my friend Byrne Hobart, who has actually lived among this social milieu before, laughed knowingly and said “Ah, family money.”

I will now add three true statements to the above sketch, in the hopes that you understand this transaction the way that a Bank of America teller understood it.

The writer’s positive home equity, trivially available to the bank which wrote their mortgage, is well in excess of ten years of the median household income for New York City. The writer is the president of the family charitable foundation, which per its annual filings with the IRS has in the recent past held approximately $2 million in marketable securities. And the family estate in Connecticut (which the writer’s parents live at) was featured in the local paper, highlighting two hundred years of history.

Discovering these facts radically changed my impression of why, per the writer’s written communication with me, she was not asked for the purpose of a $50,000 withdrawal by any bank staff. It no longer looks like a surprising lapse in procedure, when someone attempted to empty their entire savings account and wasn’t even half-heartedly counseled about caution. It looks like trivial cash management of a well-off, presumptively sophisticated client, whose household, resources, and probable financial future were thoroughly known to the bank.

Would the bank prefer the teller to ask one more question in this circumstance? Perhaps. But it won’t lose sleep over the matter.

Bank of America was asked about this transaction by the New York Times: “‘We have extensive efforts to warn clients about avoiding scams,’ said a Bank of America spokesman, William P. Halldin, via email. The bank declined to comment further.” (The Times, citing policy, refused to confirm the bank branch it understood the transaction to have taken place at.)

And thus we return to our earlier question: can we find an institution which will divulge where this transaction was claimed to have taken place at? Vox Media, the writer, and the New York Times have all been asked, and we do not have an answer yet.

Bank of America is one of the largest depository institutions in the world, and reliably files Currency Transaction Reports when someone moves $10,000 or more into, or out of, the bank in cash. I thought it would be extremely unlikely that FinCEN would cough one of these up to anyone who asked.

But a recent development in Freedom of Information Act jurisprudence gave me some hope: the FOIA now, per the Ninth Circuit, allows for “statistical aggregate data” to be FOIAed. And I thought there was some hope that FinCEN would, rather than showing me a very private Currency Transaction Report, answer a simple question about statistical aggregates.

So I filed a FOIA request, 2025-FINF-00126, asking for a statistical calculation to be done:

How many currency transaction reports were filed. In Brooklyn. For a withdrawal of between $48,000 and $52,000. On October 31st, 2023. Broken down by branch address.

FinCEN efficiently processed this FOIA request, returning a definitive answer in less than two weeks: hell no. It asserted the same argument rejected by the 9th Circuit, that responding would require creating a new record (the results of the SQL query) and therefore it had no obligation to do so. It also asserted a statutory exemption which very broadly applied to many records kept by FinCEN. On reading the statutes, I thought FinCEN likely had the right of them, even if it was unlikely to prevail on the statistical aggregate issue.

Drats. It was worth a shot.

The statement from Vox Media claimed that the writer had filed a police report.

From the perspective of a fact-checker, police reports serve a useful tripwire function. Lying on one is a crime. It is not a particularly serious crime (a class A misdemeanor, which also covers “spilling a drink on someone” and “shoplifting a bottle of Tide”).

One is welcome to one’s guess as to how often New York prosecutors enforce this law, particularly against people in our social class. But it is a useful Schelling point for society: a news publication can gesture in the direction of a police report, and say “Well, everyone knows what a police report means”, and we all pretend that it means a police report necessarily contains no lies.

No police officer need disabuse journalists of their illusions here. Should a publication ever get put to the question, it will immediately pivot into “We didn’t say we agreed with or believed anything on the police report. We simply neutrally reported the demonstrable fact of the police report. Obviously we intended nothing else by bringing up a police report.”

But police reports remain useful even in a world where they sometimes contain lies, because they establish paper trails which are extremely difficult to retrospectively fudge.

I was most interested in two facts on the police report.

One was metadata: when was this report received? (It obviously reads a bit differently if the report was created in response to the fact-checker asking for it, right.) The other: did, prior to the publication of the story, the writer consistently cite 1 Flatbush Avenue, the only location in the physical universe the transaction could have taken place at, as the location the transaction took place at?

I tried to get that police report, by several methods. By June 2024, getting impatient, I was at the point of forcing enthusiastically encouraging the NYPD to follow the law and provide it to me.

Police reports, like many public records, are retrievable under the Freedom of Information Law, New York state’s legislation which mirrors the federal FOIA. The statutory deadlines are five business days to acknowledge a request, and then twenty business days (or such time reasonably required) to release the records or cite an exemption under the law for not disclosing them.

I filed FOIL-2024-056-16750 on June 26th, 2024. On the last possible day, the NYPD updated its timeline to successfully locate a police report: it would need until November. OK, fair enough. I was a bit busy myself, being involved in a house purchase and move, and my one paper copy of a style magazine was hanging out in a box in the basement while we repainted. Perhaps the New York Police Department, annual budget $5.8 billion, was likewise quite busy.

November came. November went.

Eventually, concerned that Santa would not deliver the Christmas present I most wanted, I began to press the NYPD for answers. I did this using a voice and mien which I call Dangerous Professional. Three messages, one phone call, no dice.

And so, in February 2025, after a full six months of waiting on the NYPD, I got out my call log and penned a FOIL appeal. After a brief recitation of the procedural history, that letter did a bit of calculated knife twisting:

This request was filed on June 26th, 2024, more than six months ago. It was originally assigned a Due Date of November 4th, more than two months ago, by the NYPD. Despite three attempts to request an update via the Contact the Agency form online and one telephone message, I have yet to receive any non-automated contact from the NYPD about this request.

The statutory timeframe for production of documents in response to a FOIL request is twenty business days from the acknowledgement of the request. The NYPD's failure to produce this document in more than 100 business days is, accordingly, a constructive denial of the request.

I hereby appeal the NYPD's denial, and require that it produce the documents described in the FOIL request or provide me with its reasoning under the statute why it cannot do so. 

An attorney for the NYPD wrote back, forecasting a response within the statutory timeframe (10 business days for an appeal). The substantive response said that the appeal was moot because… the Records Access Officer had, subsequent to my appeal, made a determination that the NYPD did indeed keep police reports and could indeed release them in response to FOIL requests.

Oh happy day.

The police report contains a statement recorded by the police made on October 31st, 2023. I have lightly rewritten police shorthand and corrected some inconsequential spelling mistakes:

Complainant/victim further states listed perpetrator stated complainant/victim needed to pay in order to avoid being arrested. Complainant/victim states she withdrew $50,000 in U.S. currency from Bank of America, located at 1 Flatbush Avenue, at 3:10 PM.

And there we have it: reliable chain of custody to a claim made about the physical world at a known time, within hours of the alleged incident. This transaction was alleged to have happened at 1 Flatbush Avenue. Months later, in writing of her memories of the day, the writer offered a seemingly inconsequential detail about going up stairs to visit a teller window.

That seemingly inconsequential detail is, if one has a very particular set of interests, and is willing to put an irrational amount of work in, independently verifiable. Of all the bank branches in all the towns in all the world, the only one where a Bank of America teller awaits Brooklyn socialites behind thick glass on the second floor is, indeed, 1 Flatbush Avenue.

This would be a very different piece if that police report, or any other documentation at a trusted institution, named e.g. 266 Broadway instead.  

As for the rest of the shoebox piece? I have no informed point of view on anything in a style magazine, except for the banking.

This column doesn’t offer investment advice, as I am not a registered investment advisor. This is not merely a mandatory disclaimer; this is a warning. We will discuss some specific securities below that I am not merely incapable of recommending.

Finance performs a strange alchemy, teleporting value through time and space. Ordinarily, Bits about Money focuses more on the plumbing of it than the deals. But a deal enthusiast who goes by The Conservative Income Investor recently flagged a capital raise to me. It has everything: echoes of the culture that is the American PMC 2020-2024, complex financial structuring, a novel web application to move money, a crypto company in the background, and municipal politics. So it seems squarely within this column’s beat.

The municipality happens to be Chicago, my hometown and (after a 20 year stint in Japan) current residence. And so I feel some sense of civic duty, as a Chicagoan, taxpayer, and reasonably financially sophisticated person, to say the following publicly: What the hell, Chicago.

But before we get to present-day shenanigans, we need to go back several decades, because municipal politics is inextricable from the shenanigans.

Chicago and the state of Illinois more broadly have a deeply unserious polity. It has mortgaged its future through consistently overpaying public sector employees (principally, in Chicago, police/fire/teachers) and undertaxing. Neither decreasing total compensation of public sector employees nor reneging on previously-negotiated deferred compensation (pensions and healthcare for retirees) nor raising taxes to appropriate levels is considered politically palatable. One reason is that the Illinois state constitution (Article 13 Section 5) makes public employee pensions sacrosanct. The constitution is, of course, not a fact of nature; it is a political compromise by, again, a deeply unserious polity.

Long-time watchers of state and local politics know Illinois pensions are the worst funded in the nation, state officials celebrate when Wall Street upgrades its credit rating from close-to-junk, and the possibility of a federal bailout was a constant political issue for decades until it happened by stealth during covid.

And so Illinois and Chicago specifically are constantly on the make for new revenue streams. One which was mooted since my childhood in the 1980s was an expansion of gambling. So-called sin taxes (on gambling, liquor, tobacco, and similar) are politically attractive because they do not cause as much opposition as raising consumption or property taxes.

And so Chicago has had a decades-long campaign to build a casino within city limits. Why couldn’t Chicago actually get this done in several decades? One reason is the usual incompetence. The other reason is that the political economy of casinos is controversial. Many policies create winners and losers, but casinos inescapably create losers much more directly than most policies up for vote. Local political elites often band together against them, worried about siphoning money from local consumers. They also worry that they tend to create spillover effects, such as crime and moral collapse among a portion of patrons.

And so, as I once mentioned in a podcast with Thinking Poker, pro-casino political coalitions try to pick off anti-casino political elites by assuaging their concerns and/or bribing them. (In Japan, the de facto concession was “We’ll limit the amount Japanese people can lose here and maximize for soaking Chinese tourists. Now, let’s write that down in a way which doesn’t say exactly that, because it sounds bad if you put it that way.”)

In Chicago, much of the opposition came from African American political elites. They had the usual set of concerns for casinos, plus one other which is slightly more idiosyncratic. A belief with wide currency in that community is that the community would be much more wealthy than it currently is, but for vice entrepreneurs siphoning that community’s resources out of the community. This belief has lead to e.g. pogroms against Korean liquor store owners. I direct interested readers to histories of the Rodney King riots or the Asian American experience in 20th century America. (This was covered extensively in an elective I took more than 20 years ago, and so I have since forgotten the academic citations for this true but parenthetical point.)

Bally’s won the bid for the newly licensed Chicago casino in 2022, in part due to offering the right mix of concessions and inducements in its Host Community Agreement. One of those was promising Chicago that the new casino would be at least 25% owned by women and Minorities. The M is capital in the Chicago municipal code, and I will preserve this stylistic choice, because the word does not mean what most educated Americans assume it means. We shall return to that meaning later.

In fulfillment of its obligations under the HCA, Bally’s Chicago, Inc., an entity in the corporate web which will build and operate the casino, has conducted a stock offering since December. It runs through January 2025.

The stock offering has a prospectus associated with it. BCI does not appear to be relying on an exemption from registration, in the fashion that e.g. most startups would, restricting them to raising money from accredited investors.

While reading the prospectus, I read a much-remarked-upon statement, and assumed it was a misprint.

This offering is only being made to individuals and entities that satisfy the Class A Qualification Criteria (as defined herein). Our Host Community Agreement with the City of Chicago requires that 25% of Bally’s Chicago OpCo’s equity must be owned by persons that have satisfied the Class A Qualification Criteria. The Class A Qualification Criteria include, among other criteria, that the person:

• if an individual, must be a woman;
• if an individual, must be a Minority, as defined by MCC 2-92-670(n) (see below); or
• if an entity, must be controlled by women or Minorities.

Why did I assume this was a mistake? Well, for one thing, on the face of it Bally’s has told the SEC that this offering is only available to Minorities who are also women, which does not match the intent expressed elsewhere or during their roadshow. I have immense sympathy for drafting errors. Bally’s, feel free to let the lawyers know they forgot a significant “or” on the first bullet point. [Post-publication edit: An actual lawyer, not an Internet lawyer, informs me that the first bullet point has an implied "or" in this construction. Mea maxima culpa, associate who drafted this.]

The other reason I thought this was likely a mistake is that the American social, legal, and constitutional order is profoundly opposed to discrimination by race, and considers that action malum in se. Even when individual actors want to do it, they usually feel embarrassed enough about it to dissemble. 

For example, the last few years tech companies absolutely, notoriously engaged in legally prohibited discrimination in hiring, sometimes as an intentionally directed and explicitly written down policy. This is often assumed to be a conspiracy theory by disaffected white males. Perhaps that is an understandable belief, since people who read the project plans either a) supported them or b) value their future careers and are therefore mostly not leaking them, and thus we only have public evidence of those project plans which end up screenshotted in litigation. Similarly, when I say that the state of California proudly engaged in redlining in the provision of lifesaving medical care in 2021, many people of good-will assume that I simply must be mistaken. I get it, but I was there.

Returning from the ancient history of 2021 to this very week: Chicago has directed a private entity to segregate, and that entity is segregating, principally via web application. If you attempt to engage Bally’s for an investment here, you will see the following blocking question during qualification stages for the investment opportunity. (The web application will also ask for your name, address, social security number, and accredited investor status.)

There is a right answer to this question. If you give the wrong answer, Bally’s will decline you the opportunity to invest. You get entirely stopped by the web application.

I express no opinion on whether this is legal, by Bally’s or Chicago. After all, I am not a lawyer, and this has certainly been seen by many lawyers at this point, in e.g. preparing the submission to the SEC. Presumably all of them went through 1L courses which introduced concepts like the Fourteenth Amendment, case law which says government actions discriminating by race are subject to strict scrutiny, and case law which says that the government cannot proxy through a private entity to do things it is prohibited to do itself. And clearly no one admitted to the bar in Illinois thinks that Chicago can waive the U.S. Constitution if it considers that politically advantageous to get a gridlocked casino through municipal politics.

So I will charitably assume the existence of a memo where competent professionals have laid out a case for the legality of this course of action. They must have concluded that no future Department of Justice Civil Rights Division, not even in an administration elected after the Host Community Agreement had been inked, would descend upon this official act like the hammer of an avenging god.

As Matt Levine beat me to observing: awkward timing.

Long-time observers of Chicago politics might opine that the city very rarely does anything without creating a carveout for politically connected individuals. The local phrase for this sort of social connection is having “clout” or, sometimes, “is clouted.” You can find examples of the sort of carveouts Chicago reserves for the clouted in the professional histories of the board members of Bally’s Chicago, Inc, for example, which are included in the prospectus.

So what’s the carveout here? The definition of a racial or ethnic minority is a legendarily contentious one in U.S. politics, largely because inclusion or exclusion from it makes one eligible (or ineligible) for concrete benefits. Sites of contention often include e.g. are Asian Americans a minority, or are e.g. Cuban Americans Hispanic, etc.

Chicago leaves itself an out for its definition of Minority, which lets it designate any individual or group as a Minority, on an ad hoc, unreported, unaccountable basis. That sounds like I must be strawmanning Chicago. See the below screenshot and explanation in the prospectus

Quoting the prospectus:

Qualification under [the final] clause is determined on a case-by-case basis and there is no exhaustive or definitive list of groups or individuals that the City of Chicago has determined to qualify as Minority under this clause. However, in the event the City of Chicago identifies any additional groups or individuals as falling under this clause in the future, members of such groups would satisfy the Class A Qualification Criteria.

Now, fairminded people reading “groups… found by the City of Chicago to be socially disadvantaged by having suffered racial or ethnic prejudice or cultural bias within American society” would note “Well, OK, on the face of it, that definitely includes e.g. Jewish Americans or Irish Americans. We have some lamentable history as a nation and city, sure. But no intellectually serious person in the United States considers Irish Americans ‘a racial or ethnic minority’ in the common usage of the term.” And thus, the capitalization of Minority.

You’ll have to ask the city for their list of ad hoc exceptions made under this bullet point. Long-time watchers of Chicago municipal politics, however, might say that asking is of limited utility.

I will note that, as a matter of engineering fact, the web application will blithely accept self-certification under this bullet point for anyone. You are welcome to your guess as to whether Bally’s or any city employee will review the 1,000 investors individually and, if they review them, what the process is for determining whether e.g. a particular Patrick counts as a Minority or not. 

I’d wager there is no process at all here. It seems like a better bet than most offered in the casino.

Bally’s Chicago is a product of Bally’s, a publicly traded company. You can read their 10-Ks. According to their most recent quarterly report, they operate 15 casinos across the U.S., and have substantial online gambling operations. Like many casinos, they are somewhat diversified, insofar as a casino resort also functions as a hotel and restaurant/bar/etc venue.

Bally’s Chicago has a complex capital stack, which one would probably need to understand to evaluate the opportunity to invest in it. I am not saying “complex” as a criticism: this is fairly ho hum by the standards of large commercial real estate developments, a subject I am not an expert on but grew up hearing about at the dinner table. I am heavily implying that I would not expect a Chicagoan picked at random, or for that matter an alderman, to be able to look at the following diagram and correctly describe what it means. Prospectus, ibid, pg 145.

The entity which Chicago is stumping for is Bally’s Chicago, Inc. (BCI), the central square on that diagram. Marks investors are receiving ownership in that entity, not in the casino, which will be operated by Bally’s Chicago Operating Company, LLC (BCOC). That entity gets 25% economic interest in the future profits (insert very material asterisk here) of the casino; the other 75% flows to Bally’s Chicago Holding Company, LLC (BCHC). BCHC is a wholly-owned subsidiary of Bally’s, Inc, the publicly traded company.

When one offers someone the opportunity to invest in something, one has to decide upon a valuation for the something. The price of a slice of the pie is set in notional reference to the price of the whole pie.

Bally’s says that its good faith guesstimate on the whole pie is the economic interest in future profits of the Chicago casino is… a billion dollars exactly. The prospectus, as is wont for these situations, disclaims floridly that that price might not be accurate. One example of many: “We made a number of assumptions to determine the price of our Class A Interests. If any of our assumptions are incorrect, including our assumptions regarding the total enterprise value of the Company, then the Class A Interests will be worth less than the price stated in this prospectus. In such case, the return on investment or rate of return on an investment in our Class A Interests could be significantly below an investor’s expectation.”

Bally’s will, as is standard and customary for this sort of thing, pretend that investors have read and understood the ~200 page prospectus, and civil society will pretend to believe them.

It isn’t extremely improper to pick a billion dollars out of one’s hindquarters as an investment valuation. That particular number exerts a sort of memetic quality in e.g. Silicon Valley, and there are legendary amounts of negotiation between sophisticated parties to accept just a bit more structure to get a e.g. $920 million valuation to a $1 billion valuation, because so-called unicorn status is good for PR, for attracting prospective employees, and (a real factor) for founder ego.

But if you invest at a valuation not justified by the fundamentals of the investment, you will tend to underperform. This is an inescapable fact of investing. (And that is why the sophisticated investors, accepting a “worse” valuation, want “better” structure to compensate for it.)

And this partially explains why Chicago is holding a roadshow in African American churches attempting to convince participants to invest in a mezzanine-y equity slice of a casino at a $1 billion valuation, perhaps at 100X leverage. (I tip my cap to publicly available reporting of the roadshow.) And not, for example, attempting to convince Goldman Sachs to put together some sophisticated investors and take down the $250 million allocation.

Chicago’s pitch to investors, delivered (per above reporting by Triibe) by “City Treasurer Melissa Conyears-Ervin and members of the Chicago Aldermanic Black Caucus”, emphasizes the potential of creating “generational wealth” (direct quote) with this casino investment. This point of view aligns with the above described political economy of attempting to buy off influential communities and/or community elites with an equity carveout, which successfully got this particular casino through decades of political gridlock.

And so the investment case implies that Bally’s is intentionally giving takers something for nothing. That is, they must be sandbagging the valuation they assigned to this bundle of rights: it’s not really worth $1 billion, it is worth e.g. $5 billion. Only you favored Chicagoans well-loved by your alderman are able to buy at the non-market price, leading to essentially free money. Not merely small amounts of it, either. Generational. Wealth.

The pitch very likely explicitly said the requisite words about this being a risky investment, wink wink, and very definitely described an opportunity for extreme levels of leverage and a lengthy expected road to ROI, which we’ll return to in a moment.

Do I think sophisticated investors would agree with Bally’s that this bundle of rights is worth $1 billion? Reader, I do not.

One reason is the perception of an absence: why is this pitch being given to individual savers in a church at a minimum investment of $250, and not in a swank office to an entity capable of committing $25 million? But perhaps I’m just suspicious.

No, let’s go to more direct evidence: if 25% of this bundle of rights is worth $250 million, then 75% must be worth $750 million, right? And if an entity owning 75% of the bundle, Bally’s, also owns 14 other casinos, online gambling properties, and similar, then that entity must be worth a lot more than $750 million, right?

The market does not agree with this assessment. The entire market capitalization of Bally’s (NYSE: BALY) is, as of this writing, ~$1.5 billion. What’s the difference between the $50 million average imputed value of the other casinos and the $750 million imputed value of the Chicago casino? The $750 million is made up, that’s what.

And, again, the real unspoken logic of this pitch is that the bundle of rights is getting sold on the cheap, and that it is actually worth much more than $1 billion. It very clearly is not, or sophisticated investors would be swooping in and buying BALY’s common stock. Crack it open like an oyster and dig into that sweet sweet Chicago gambling revenue if you need to!

This is somewhat elementary and handwavy napkin analysis of a complicated business which, like most casinos and hotels, is heavily levered with a complex capital stack. But the investment case gets smothered by a napkin.

The Host Community Agreement, as above, obligates Bally’s to find a way to sell preferred Chicagoans $250 million of stock. This was likely complicated by rich Chicagoans not being suckers and less-well-off Chicagoans not having $250 million lying around.

And so Bally’s has introduced a novel structure.

In brief, that structure sells stock to investors on credit, with the credit being extended by Bally’s, and paid down by future dividend distributions of the stock. If you’re very interested in the mechanics, you can find them at length in the prospectus, but the complex legal code is an excuse for this screenshot:

What is the “Attributable Subordinated Loan?” I’m glad you asked. Bally’s staked (ba dum bum) BCI with a few hundred million dollars to fund development. Where did it find the money to do that? A mix of equity and debt financing, as is common for virtually all complex commercial real estate transactions. Bally’s, per their most recent 10-K, has long-term debt from sophisticated investors which costs them 5.x% per year. (It would be more expensive if they wanted to lock that down today.)

In return for Bally’s advancing BCI money through BCHC, BCI owed BCHC money, on an intercompany IOU. This capital offering cancels that intercompany IOU and replaces it with the Subordinated Loans. The prospectus does not quote the rate that the left pocket of Bally’s charged the right pocket of Bally’s. It does quote the rate for the Subordinated Loans: 11% annually compounding quarterly.

The road show makes much of the fact that this leverage is non-recourse. Quoting the Triibe reporting again:

The loan is non-recourse, explained Sidney Dillard of Loop Capital Markets, who is the underwriter of the offering, during the information session. “That loan is not recourse, meaning that you are not responsible for it,” she said.

I am not someone who has ever offered SEC-registered securities for sale, but I am aware that when one does that, one has to adopt a certain level of care with respect to how one simultaneously a) sells a product that one has to offer and b) describes the operations of that product without wandering into lying.

And so this writer would not describe “non-recourse” as a loan one is not responsible for. I have a non-recourse mortgage. I am very, very much responsible for paying the mortgage. If I do not pay the mortgage, I expect to swiftly not own the property securing the mortgage. The “non-recourse” bit means that the lender cannot come after your other assets or income, for example by suing you for a judgement, then forcing you to disgorge your savings account or e.g. interests you own in your small business' LLC.

The Subordinated Loans are, per the prospectus (probably a bit more reliable than the understanding of e.g. Chicago employees on the finer details), not between the owners of the Class A-{1,2,3} equity and any Bally’s entities. They are strictly loans between Bally’s entities themselves. Those loans are senior to Class A-{1,2,3} equity in the payments waterfall of future profits (we need that asterisk again!) from the casino to equity holders. The expectation is that Bally’s will individually book repayments against records which are kept on a per-shareholder basis without actually obligating the shareholder, while keeping the actual cash thrown off by the casino, prior to eventually releasing a shareholder from the indebtedness that Bally’s will say that, technically speaking, they have not actually incurred.

At that point, the shareholder will own the slice of equity that an unsophisticated listener of that roadshow might think they own free-and-clear.

Now, Bally’s forecasts that many shareholders will be very underwater on these investments. (Wow, that’s a robust sentence.) Prospectus, ibid, pg 23:

Given the capital intensity of developing, constructing, opening and operating a casino resort project of this scale, we currently expect that Bally’s Chicago OpCo will not have any OpCo cash available for distribution until approximately three to five years after our permanent resort and casino begins operations.

Assuming the most charitable estimate from that range, a Class A-1 shareholder will have $250 of equity securing a notional $25,000 investment and future obligations of approximately $34,000 (three years of compound interest at 11% on initial principal of $24,750). This suggests that the holder’s equity value is planned to be negative and that no sophisticated investor would purchase that investment for the $25,000 which the unsophisticated shareholder might believe it to be worth in 3 years. They might be willing to pay something more similar to, hmm, negative nine thousand dollars.

Seen in that light this offer of investment sounds predatory. But don’t worry, Chicagoans, Bally’s has your back. You do not have to worry about not being able to sell your stock due to its lack of intrinsic value, because you are not able to sell your stock. Prospectus, ibid, pg 179 under heading Shares Eligible For Future Sale, and elsewhere in the document.

Class A-4 holders, the ones with no notional debt, who purchased their shares for $25,000 cash-on-the-barrel, are not eligible to sell their stock at any time except as allowed by Bally’s to people approved by Bally’s. (I’ll flag that this is not an unusual term in private equities. Bally’s pre-commitment to discriminating racially against future prospective buyers? That’s unusual.)

Buyers of Class A-{1,2,3} stock are unable to sell until the associated Subordinated Loan is paid off in full.

One wonders whether senior Chicago officials will be doing a roadshow in 2030 explaining what happened.

While the natural expectation is that one is participating in the profits of the casino, the prospectus helpfully clarifies that one is not. The "cash available for distribution" does not necessarily correspond 1:1 with profits. It... well. See the discussion on page 22 and 23 of the prospectus, including the excerpt below.

While we and Bally’s Chicago OpCo intend to make distributions equal to 100% of the cash available for distribution and OpCo cash available for distribution, respectively, on a quarterly basis, the actual amount of any distributions may fluctuate depending on our and Bally’s Chicago OpCo’s ability to generate cash from operations and our and Bally’s Chicago OpCo’s cash flow needs, which, among other things, may be impacted by debt service payments on our or Bally’s Chicago OpCo’s senior indebtedness, capital expenditures, potential expansion opportunities and the availability of financing alternatives, the need to service any future indebtedness or other liquidity needs and general industry and business conditions, including the pace of the construction and development of our permanent resort and casino in Chicago. Our Board will have full discretion on how to deploy cash available for distribution, including the payment of dividends. Any debt we or Bally’s Chicago OpCo may incur in the future is likely to restrict our and Bally’s Chicago OpCo ability to pay dividends or distributions, and such restriction may prohibit us and Bally’s Chicago OpCo from making distributions, or reduce the amount of cash available for distribution and OpCo cash available for distribution.

Now, as someone who grew up with a father constantly complaining about sharp operating in Chicago commercial real estate, I can quickly outline about two dozen different ways for one to cause the operating company here to a) transfer money to other corporate entities and b) therefore have less cash available for distribution.

As a representative but not limiting example, you can probably choose your own marks for technology services from a parent to a great-grandchild subsidiary. Sure, there is some notional expectation that the marks be at arms-length price, but what is the arms-length price for e.g. casino loyalty accounting software and a particular chain's database of existing users? What low-resourced investor could possibly mount a court challenge against the entity with all the data necessary to value that asset. In Las Vegas, a casino has to calculate and diligently communicate the house edge before raking punters. Here... not so much.

That would require sharp operating... of a sort which is extremely routine in Chicago commercial real estate. This is a constant risk of being the junior partner in a structure, particularly without an aligned senior partner who would be as adversely impacted by sharp operating as you would be. Of course, here the senior partner owns e.g. the database they are renting to the entity that they also control, and so funds available for distribution from that entity might not match the expectations of junior partners.

Pick your sponsors carefully, folks.

Suppose, and this is very unlikely because it is illegal (Reg T) but run with it, that one has a typical brokerage account in the United States and, with $250, purchases $25,000 of marketable securities. Those securities periodically throw off dividend payments. One periodically pays one’s brokerage interest, because one has borrowed money from the brokerage to buy those securities on margin.

In the typical case, one would be taxed upon those interest payments, which are income. One does not simply net one’s margin interest against that income before paying taxes. One instead must itemize deductions, and then one will be able to (on Schedule A) deduct investment expenses, as described in Publication 550. Feel free to run this by your accountant; the details get complicated and wonky.

If one does not itemize, as many lower-income taxpayers do not, one must of course simply pay the tax on the entirety of one’s interest income. If one protests that one does not actually have any interest income, because it has been taken by one’s brokerage to pay margin interest, the IRS will not be maximally sympathetic.

Bally’s has very creative professionals involved in the structuring of this offering, and realizing the above issue would compromise fitness for purpose, they have… adopted a theory. I will quote that theory, from the prospectus, verbatim. I have taken the liberty of bolding an important bit in the middle of this.

Section 305 of the Internal Revenue Code provides that if a corporation distributes property to some shareholders and other shareholders have an increase in their proportionate interests in the assets or earnings and profits of the corporation, such other shareholders may be deemed to receive a distribution that could be a taxable dividend. In this case, because we and Bally’s expect to treat the Subordinated Loans as “stock” for U.S. federal income tax purposes, “property” distributions will likely be considered to be made to “some shareholders” of Bally’s Chicago, Inc. as payments are made on the Subordinated Loans, and equivalent cash (“property”) distributions will be made with respect to the Class A-4 Interests. In addition, as payments are made on the Subordinated Loans, particularly those that repay the original principal amount of such Subordinated Loans, the proportionate interests of holders of our Class A-1 Interests, Class A-2 Interests and Class A-3 Interests in the assets or earnings and profits of Bally’s Chicago, Inc. may be viewed as increasing. Accordingly, it is possible that such increase could be treated as a deemed distribution under Section 305 of the Code or otherwise as taxable income to such holders under other theories. However, under the Treasury Regulations relating to Section 305 of the Code and other IRS administrative guidance, certain financing arrangements in the form of preferred stock investments that fund a corporation and then are systematically eliminated through property distributions until they are fully retired, and are designed to facilitate the ownership of a business with an effect of increasing another stockholder’s proportionate interests in the assets or earnings and profits of a corporation over such period, do not result in a deemed distribution to such other stockholder. The applicability of these authorities to the holders of our Class A-1 Interests, Class A-2 Interests and Class A-3 Interests in this situation is uncertain. Although the matter is not free from doubt, we intend to take the position, and this discussion assumes, that U.S. Holders of applicable series of Class A Interests would not be treated as receiving a deemed distribution from us or otherwise realizing income as a result of repayment of the Subordinated Loans corresponding to such shares. However, there can be no assurance that the IRS will not take a contrary position, for example, treating the proportionate interest in our earnings and profits owned by U.S. Holders of the applicable series of Class A Interests as having increased upon repayment of the Subordinated Loans corresponding to such shares, and treating such U.S. Holders as having received a distribution. In that case, such deemed distribution will be taxable as a dividend, return of capital or capital gain as described above under “— Distributions,” and U.S. Holders may be subject to U.S. federal income tax without the receipt of any cash. U.S. Holders should consult their own tax advisors about the application of Code Section 305 and any other potential deemed receipt of income risk with respect to our Class A Interests .

Now, I’m neither a lawyer, tax accountant, nor am I someone who listened carefully to the roadshow when it doubtlessly stepped through this for the benefit of the audience. But here’s what it means:

Bally’s is taking the position, though they acknowledge that the IRS might disagree, that owners of the Class A-{2,3,4} interests aren’t actually getting any income until the Subordinated Loans have been paid in full. This means that they don’t have to pay income taxes in years where they are not actually receiving cash distributions.

No, they wait until the Subordinated Loan is paid in full, and then immediately owe income taxes in one whack, at the difference between their basis in the stock (say, $250) and the then-FMV of the stock (say, $25,000). Resulting in Bally’s diligently filing a document with the IRS saying that e.g. a lower-income Chicagoan has just received a bit less than $25,000 in income from them, and should probably pay taxes on it. You can, of course, receive income without receiving immediately available cash; it happens all the time in tech, and is the cause of much structuring to avoid the consequences of it, which can be painful for e.g. early career employees. 

Those taxes will be paid substantially out-of-pocket, because there is almost no conceivable universe where a stock of an actual healthy operating enterprise worth e.g. $25,000 pays an ordinary dividend of e.g. $5,000. The market would adjust the value of the stock upwards to account for the extraordinarily rich stream of dividends, which would adjust the tax bill upwards.

Financially sophisticated investors might prepare for a tax bomb like this by e.g. borrowing against the value of the stock. That’s basically impossible for this issuance, due to the stock not being publicly listed, the restrictions on transfer, small dollar amounts, etc. The other option is, of course, selling the stock, to whomever Bally’s deigns to approve.

Tax-motivated transactions are, of course, motivated transactions, and the lucky buyer will probably be able to extract a bit of a deal, doubly so because they are likely much more sophisticated than the initial buyer of the stock, and they have less risk to account for (because of e.g. several years of operating history of the casino before the tax bomb explodes).

I am not an investment advisor, and not your investment advisor. I am, however, a recreational poker player who lives in Chicago. I intend to periodically donate money to the Chicago economy by making poor decisions on the river at Bally’s Chicago.

I do not, however, presently intend to participate in Bally’s stock offering, nor do I presently intend to buy their common stock.

I will note, out of an overabundance of scrupulousness, that I own a tiny amount of MGM stock, which is a direct competitor to Bally’s. I caught the poker bug at a conference in Las Vegas (hosted at the Tropicana, since acquired by Bally’s and then brought down in a controlled implosion).

MGM, across the street, actually had poker tables. I have had many enjoyable post-conference excursions staying at their hotel to (in several but not all years) lose money at those tables. I bought the stock for the same reason I buy stock in every hotel, airline, bank, and similar I use: in the unlikely event a not-particularly-high-stakes poker player has a routine customer service complaint, Investor Relations is available as an escalation strategy, over e.g. hotel staff who might be long-since inured to listening to complaints from people who lost money in a casino.

Oh yeah, I mentioned that there is a crypto angle to this. The registrar and transfer agent for offering 100:1 leverage to retail investors on a casino stock is, see prospectus pg 41, BitGo Trust. If I had made up that detail, as a crypto skeptic, you might have accused me of being a bit on the nose.

Happy New Year! I have a housekeeping message (which you will see immediately below, if you’re reading this via email), a review on 2024, and then some updates about Bits about Money as a publication. Spoiler: BAM is not going anywhere; I’d be obliged if readers supported it with money.

Are you reading this in a web browser? Supporters of Bits about Money who got this in an inbox saw a brief reminder about billing details. If you are a paying supporter of BAM and need a refresher on billing details, see the account portal, which will likely require a magic link to be sent to your email address. If you have further questions or concerns, email me.

We’re up to 53 essays at Bits about Money. Nine of those were new in 2024. This is a bit below my target, assuming typical form factor, which is 2,000 to 8,000 words. However, a few of the 2024 essays were longer-form deep dives, so I was approximately happy with BAM’s delivery in 2024. I am also broadly happy with how the publication has evolved.

The best piece of last year is almost certainly Debanking (and Debunking?). I am told it is still bouncing around the corridors of power. The piece addresses Marc Andreessen et al’s claims that crypto has been discriminated against as a result of intentional action by the government. We examine the procedural history, law, incentives of commercial actors, and political ramifications of these claims in substantial depth.

It is a rare piece about financial regulation of the cryptocurrency industry that is publicly praised by both the crypto VC who came up with the phrase “Choke Point 2.0” (“... the best and fairest treatment of the issue [I] could expect from a skeptic…”) and also by a former federal banking regulator (“This is a tour-de-force. This is absolutely excellent. Anyone interested in this issue should read this piece.”) Citation links.

The experience of writing that piece sort of brought BAM together as a project for me. Publications often have a beat and/or self-conception. BAM is aimed pretty squarely at deep dives into the weeds at the intersection of finance and technology. Blogs/Substacks/etc, however, sometimes suffer from being experienced by readers as disconnected essays unified only by authorial voice and recurring themes. And so it was edifying when, in explaining e.g. why crypto entrepreneurs and bodegas alike experience AML-related debanking, I was able to refer to substantial past dives into related topics, in addition to other reporting, statements of federal agencies, and similar. The substantial discussion of how the crypto industry underrates its own credit risk to banks, which included an extensive worked example of how Voyager Digital’s bankruptcy sunk Metropolitan Commercial’s crypto practice, was improved by many previous discussions of how deposit accounts in the U.S. are actually credit products.

The year also featured some pieces I’m almost uniquely qualified to write, such as the (fast!) postmortem on the Crowdstrike bug bringing down banks nationwide (including an analysis of why regulatory diktat and enterprise SaaS sales motions resulted in a security software monoculture). I also wrote an extended explanation of medallion guarantees, ACATS, and why your brokerage is unlikely to verify with you if another brokerage asks them to send away all your assets. Executive summary: you probably don't need to worry about this, but brokerages certainly do.

All in all, a pretty good year!

I’m presently coming up on the two year anniversary of leaving full-time employment. (I remain an advisor at Stripe, my prior employer. Stripe does not necessarily endorse what I write in personal spaces.)

I’ve treated these last two years as something of a sabbatical, after many fairly intense years focused on work to the exclusion of other concerns. This allowed me to relocate my family from Japan to America (mostly for family reasons), catch up a bit on fatherhood and video games, and spend some time thinking of what I want to do next professionally. I do not yet have a high-quality answer to that, but when I do, I’ll let the Internet know.

Professors sometimes use sabbaticals to write books. I likewise used freed up cycles to produce public professional output. BAM is the best known at present.

I also started a podcast, Complex Systems, which is very likely relevant to your interests. Complex Systems is perhaps a 40% overlap with BAM in terms of topics. The remainder involves wide-ranging discussions about various forms of infrastructure with experts in those fields. You can find it in your podcast client of choice or on the above website.

Complex Systems has published 26 episodes since July 2024, and (thanks to my intrepid assistant Sammy and the relative ease of speaking rather than writing book-length pieces) actually sustains a predictable publishing schedule: every week on Thursdays (less holidays).

BAM readers would likely enjoy my conversations with Lars Doucet on property taxation in the U.S., Ricki Heicklen on teaching trading in capital markets, or (my father) Jim McKenzie on commercial real estate development. If you are more of a reader than a listener, you'll be happy to learn that there is a full transcript (and substantial inline notes) with every episode.

An announcement: sometime in 2025, Bits about Money will release a companion audio version. I’m still playing with the exact format, but an experimental episode had me read a classic BAM issue (The optimal amount of fraud is non-zero) aloud and enhance it with essentially live commentary. I’ll let you know once there is a dedicated podcast feed for you to sign up for. This audio product will be free and public, thanks to the generous support of BAM readers. I presently intend audio episodes to follow the publication of BAM issues by a week or so. This product was built in response to requests from members, because apparently some of you e.g. want to listen about financial infrastructure at the gym or during your commutes. I’m happy to oblige.

I’m presently planning on ~12 issues of BAM in 2025, indicatively, but I understand that readers are primarily interested in quality/taste/curation and not word count. Should plans change, I’ll let you know.

Future topics are, as always, both dealer’s choice and heavily informed by suggestions from readers. Sammy and I are (knock on wood) nearing the tail end of an involved investigative journalism project which I’m excited to share, on bank fraud. Investigative journalism is an interesting change of pace from the usual explainers, commentary, and deep dives, but you should expect those to remain the heart of the publication.

Bits about Money is supported by its readers. Thank you, again, to those of you who helped me pay the mortgage while writing 53 unpaywalled deep dives about financial infrastructure. I’m particularly committed to keeping Bits about Money publicly accessible for free, which is unusual for professionally-focused writing of its caliber. Your support allows me to do that. It is also essentially an ongoing bid for me spending time and attention on writing focused on this beat specifically.

I sometimes get asked why there is not a paywall. That is certainly not a revenue-maximizing decision. (Many technologists have deeply irrational cherished beliefs on this score.) BAM doesn’t have a paywall because I optimize for its reach and impact over its financial success. That has always mattered because some readers, like students and regulators, either can’t afford a subscription or (for structural/cultural reasons) find it difficult to justify expensing a trade journal. Most of BAM's hundreds of supporting members are professionals in tech and/or finance; support which is cheap to you is useful to many, including in leveraged fashions (e.g. via informing better public policy or educating prospective employees for your company).

The public availability also helps for an emerging use case: when you talk to LLMs about these topics, that actually works pretty well. This didn’t require a special negotiation with the labs; their crawls include the public Internet, in a way that they don’t include most professional writing about finance. When I was younger I would have apologized for this fact, because it means that a user asking an LLM about crypto-oriented debanking might get an answer informed by me, and not by e.g. the Wall Street Journal. As of today, the weakest link in the chain is the LLM, because my writing on debanking is substantially superior to the WSJ’s.

(The WSJ is very, very good at what they do, which is weighted more towards breaking news and not towards expert commentary on why the world works the way it does. I hope they negotiate a side agreement such that LLMs grow up reading the WSJ, much like I did. As I’m less capable of negotiating agreements with every lab in the world, publishing to the open Internet accomplishes the same aim.)

If you already are a paying Bits about Money supporter, thank you for your support. If you aren’t, please consider purchasing a membership. Most supporters are on the annual plan (currently $165 a year). We also have memberships available on a month-to-month basis and a more expensive option, playfully named after my most useful pricing advice to others.

A Bits about Money membership is likely a tax-deductible expense for businesses. It is also likely covered by your education budget if you work in tech or finance. Most of your other questions are answered on the memberships page.

Thanks in advance for your consideration. As always, I read emails sent to me, and particularly welcome comments on topic selection.

See you soon.

Recently, noted VC Marc Andreessen kicked off a discussion about debanking, in a podcast with his co-founder Ben Horowitz (begins at 7:42) and in an appearance on Joe Rogan’s podcast. The venture firm they founded, a16z, also published a brief on this topic.

The central thrust, quoting a16z’s brief (ellipsis in original): “Debanking can therefore be used as a tool or weapon systemically wielded by specific political actors / agencies against private individuals or industries without due process. Imagine if the government decided who could or couldn’t get electricity merely because of their politics, or some arbitrary reason… without having to explain, notify, or offer recourse. That’s what’s happening with debanking.”

If you are new here, you are presently reading a column which routinely covers compliance-oriented topics at the intersection of the financial system and technology companies. This topic is pretty central to my beat, and I have some relevant personal knowledge.

“It’s not a conspiracy theory if people really are out to get you.” sums up part of my reaction to this, but only part. There exists some amount of conflation between what private actors are doing, what state actors have de facto or de jure commanded that they do, and which particular state and political actors have their fingers on the keyboard. These create a complex system; the threads are not entirely divorced from each other.

A few disclaimers:

I previously worked for Stripe, and am currently an advisor there. Stripe is not a bank, but many regulated financial institutions have similar considerations. I’m not speaking for them. Stripe does not necessarily endorse things I say in my own spaces.

The recent debanking discourse focuses (and overfocuses; see below) on crypto. I am (somewhat notoriously) a crypto skeptic. Arguments aren’t soldiers; the truth is the truth. The truth sometimes favors crypto advocates in this discussion, and where it does, I will cite sources extensively. Where it doesn’t, I will mostly cite sources extensively.

The debanking discussion arises from an explicitly political project. Moreover, questions of public policy are frequently political in a democracy. The ballot box is the ultimate check on government abuse of power. While I have no project here, and try to be non-partisan in professional spaces, to ease the fears of crypto fans: I’m definitely not a secret Warrenite.

“Debanking” describes a cluster of behaviors.

The most salient one is involuntarily closing a customer’s bank account, often a long-established one, optionally without presenting a reason. Because “debanking” is an advocacy term, that often gets conflated with declining to open an account for a person or a business.

These two things are very different in their impact on the person/firm and in our moral intuitions. It’s the difference between getting divorced and being turned down for a date.

Advocates often invoke a user-centric perspective of debanking, focusing on the impact on individuals/firms. Then, they conflate it with regulators’ decisions regarding bank supervision, in ways which are facially not about direct user impact. We will return to bank supervision later.

Industry doesn’t call it “debanking.” This is partly for the usual corporate euphemism reasons. This is partly because industry does not always share assumptions of how the world should work with advocates, and is concerned that “debanking” smuggles in those assumptions.

So when one discusses this with colleagues, one might use words like offboarding, derisking, closing the accounts of a customer, etc.

There is often an implication, and much rarer a reality, that the debanking decision is not one of a single financial institution. Sufficiently correlated “independent” decisions by financial institutions could deprive a firm or individual of access to banking services. We will explore some coordination mechanisms, which are overstated, and some correlation mechanisms, which are poorly understood.

We’re hearing about debanking because it sometimes affects socially established wealthy entrepreneurs and their companies. Some people it happened to are densely networked and also affiliated with talented communicators that have (in the parlance of our times) a platform. It is important to say from the jump that this is not the typical profile.

A huge majority of all people who find their accounts involuntarily closed will have been let go for credit risk or operational cost reasons. Overdraft your account repeatedly and look unlikely to be able to pay the fee for this service? Expect to lose that account, and probably all other accounts at that institution.

Do you know anyone with a parent advanced in years, who is dealing with challenges of aging, perhaps has gotten scammed a time or three, and might occasionally lash out at customer service employees? Debanking is more relevant to their interests than they might currently appreciate.

Decisions to debank an individual will often debank their controlled entities, and vice versa. Debanking will also not infrequently swiftly cascade to accounts in the same household, regardless of title (non-specialists can round this to “name on the account”; industry can’t). Banks institutionally consider those accounts in the same household to be highly likely to be under common control, regardless of what paperwork, account holders, or politically influential subcultures believe. This is an area in which the mores of the banking industry are much closer to the traditional middle class than to coastal elites.

Sometimes, though, one gets one’s accounts closed because one has activities which are outside a bank’s risk tolerance or contrary to their compliance posture. This was cited to me both times I was debanked.

Once upon a time, I had a U.S. checking account. One day, the bank called me, and asked me why I was averaging two incoming ACH transfers a day. I told them that I ran a sole proprietorship selling software over the Internet. The ACH transfers were from from my two payment providers, which paid me out my sales (less fees) once per business day. The bank thanked me for my explanation and told me they thought the business sounded legitimate. Then they said I had 30 days to move the business’ funds flow to a different bank, or they would close all my accounts.

“Banksplain that offboarding?” Typical retail consumer checking accounts are, on the spectrum of the full menu of banking services, extremely low-risk, not a focus of bank examiner time, and institutionally preferred by both banks and regulators because of core financial access concerns. Accordingly, the amount and degree of monitoring a bank invests in the consumer checking line of business will be relatively low, in line with a risk analysis it performed. Its regulator has read that analysis and decision, and expressed no objection to it.

This particular bank did not, at the time, have a small business practice within its personal banking division. Very many banks do, but this particular bank did not. And thus this bank had not built out the higher degree of policies and procedures that would support small business banking. A surprising example of a small business that demands drastically more thought than you would think is discussed in detail below. The bank, on learning I had a sole proprietorship banked with them, considered that behavior innocent but not supportable, not because it didn't like my business but because it knew it had no built out infrastructure to support any business.

At the second institution, I once checked my U.S.-organized individual retirement account from a Japanese IP address. I had done that many times, but I did it one last time, too. This caused a short phone call, where the bank’s affiliate confirmed that I indeed lived in Japan, then informed me the account would be immediately restricted and then closed. I would need to make arrangements to request my shares be transferred to a new (U.S.) brokerage account, or authorize them to sell and mail me a check.

“Banksplain that offboarding?” This was likely downstream of a procedure implemented to ensure that the institution’s affiliated securities firm did not act outside the scope of its broker-dealer licenses, which (the institution was aware) did not include any with Japanese regulators.

When these events happened, it was very annoying. I did not contemporaneously understand why they were happening. They required me to take time away from life, my day job, and business to make more phone calls, learn more things about the financial industry, and ultimately open new accounts.

That is the typical end to a debanking story. “And then, I opened a new account.”

Immigrant communities keep lists of which banks most want their business. So does the community of people who run small software businesses online. And so, while immigrants and small software companies deal with substantially more banking friction than the typical American working for Google or a university does, they are both very bankable.

Consider crypto entrepreneurs who have received an offer of investment of several million dollars. One might be able to hold the ideas in one mind simultaneously that a) there is some diversity of life experiences in that group but b) on average though, they are very socially advantaged, when considered on most of the usual axes. Despite those substantial advantages, it has been persuasively alleged that their companies and the entrepreneurs themselves routinely suffer debanking. 

I also understand this to be true, in large part downstream of one risk factor that they hit more than almost all legal businesses of comparable scale and sophistication. There have been times and places where this challenge made crypto firms almost unbankable to the extent banks knew what they were doing. And it directly drives decisions against crypto founders and employees.

I’ve written extensively about KYC and AML and will not recap all of it here. Banks have a panoply of obligations under regulation. One of those is that they have to write AML policies, including policies which identify high-risk activities. Then they have to follow those policies. You can overpromise but you cannot underdeliver; after you’ve told a regulator you will do X, not doing X can result in fines and other punishments, even if the regulator did not tell you to do (specifically) X.

Before we reach crypto, consider AML risk and its consequences among money services businesses.

Running a money services business (MSB) is virtually universally called out as a high-risk activity by banks’ internal AML policies. Explaining why would require explaining the entire history and object of AML. Please just take as writ for the moment: all banks have a list, those lists rhyme with some variation, and MSBs are on all the lists.

Some banks have built out so-called enhanced due diligence (EDD) programs under which they will bank MSBs. Many banks have not; if a business banking at one identifies itself as an MSB, or if their ongoing monitoring of transactions suggests one is probably an MSB (for example, if there are ACH pulls from Western Union for tens of thousands of dollars, which will suggest to an analyst that the business is probably a Western Union agent), the bank intends that business to get a letter.

Whether they successfully execute on the letter, and the decision the letter announces, varies, but in terms of intent, they intend to consistently reach the decision given similar facts.

That letter will, in all likelihood, not be candid as to what is happening or why. It may not cite that the customer is an MSB. It may not cite why the bank believes that. It will not recount the bank’s internal AML policies which identify being an MSB as a high-risk activity, though it might say four or five templated words about risk. It will not explain the bank’s strategic decision to not invest in a compliant EDD program that would allow it to service MSBs.

No, the letter will say that the bank is closing the customer's accounts.

It may describe this as a "business decision", using those two words, of the bank. It will often say that this decision is final. The decision is probably not actually final. That is an opening negotiating position, like “We don’t negotiate salaries.” If you don’t argue the point, it has achieved its objective. The grain of truth within it is “We probabilistically think that talking with the typical recipient of this letter is negative expected value.”

Why doesn’t the bank want to talk with the typical recipient about it? Because the typical MSB is a bodega with a sideline in alternative financial services.

You might think that it is absurd that the government would concern itself with MSBs that are clearly the sideline of the local bodega. Without reaching the question of whether this priority is absurd, I invite you to peruse the Financial Crime Enforcement Network’s Enforcement Actions For Failure To Register As A Money Services Business. These are a small sample of real enforcement actions. That sample was chosen by FinCEN and I think reasonable people understand it was not chosen by FinCEN with a goal of embarrassing FinCEN or the entire AML regime that ensures FinCEN employees will have a job tomorrow.

I will take the liberty of fictionalizing names here, to give you the flavor of real people with real businesses that FinCEN both a) prosecuted and b) posted trophies of pour encourager les autres : Bob Smith d/b/a Bob’s Fast Gas. Taro’s Snack Shop, Inc. Cheap Phonez 4 U, Inc. Ben Goldberg d/b/a Kosher Foods.

FinCEN has posted the full text of each settlement, frequently including a restatement of their alleged violations. In many of those documents (not all of them!), if one credits FinCEN’s narrative as Gospel truth, one will believe: yeah, this is absolutely a bodega. The Financial Crimes Enforcement Network has jammed up the guy behind the counter because he failed to have a written AML/KYC policy and because when he traveled overseas the person he hired to mind the store was not trained in AML. Having won the case, they fined him $10,000. Given that, a fair-minded reader immediately assumes the bodega is probably not actually a front for the Colombian drug cartels, Hamas, or a foreign intelligence operation.

With this well-evidenced understanding of FinCEN’s… quixotic interest in the crime of selling money orders and also laundry detergent and delicious sandwiches, you can understand why a bank, attentive to FinCEN’s desires here, is doing something that strikes many people as insane. It has employed teams of people whose job is to make sure it sifts the rogue bodegas from the garden-variety bodegas before FinCEN asks “Why did you move money for a rogue bodega!? How many times do we have to tell you people! BE ON THE LOOKOUT FOR ROGUE BODEGAS.”

Running EDD processes and ongoing monitoring is expensive. Banking a bodega isn’t very lucrative. And thus most banks won’t bank a bodega that is also an MSB, despite them having no particular malice against bodegas or the people who run them. This won’t change if the bodega owner calls to them to protest that he is a legitimate businessman, that this debanking is un-American, or that he feels like they are discriminating against him for being an immigrant. That’s a conversation the bank has had a thousand times and never want to have again… with a bodega owner.

Some MSBs are fintechs. They have teams of people who are extremely aware of financial regulation. Those professionals intentionally chose a bank which was capable of banking at least some MSBs. They then had a laborious bespoke conversation about risk tolerance and mutually agreed-upon compliance procedures.

More than zero fintechs have been debanked over the years, but they probably don’t first learn about it from a paper letter. Their team of people who do bank things all day would have heard from the team of people that do fintech things all day, likely beginning many moons ago. And if they got the letter, they would understand generally why they got the letter, and not be so oblivious as to trust the literal text of the letter.

Class is an interconnected set of culture, scripted behaviors, and the advantages and disadvantages that attach to them. The culture that is the American professional-managerial class has a relationship with truth which occasionally confounds outsiders to it. An American PMC member, particularly one with a professional specialization in banking, understands an offboarding letter to be a ritual object rather than something meant to be taken literally.

Many regular people who get the offboarding letter are confused and upset. Most people who get this letter are insufficiently expert in the financial system to understand what is going on. Many of them are (perhaps sensibly) enraged that the bank seems reluctant to offer answers. If they successfully pry answers out of the bank, the answers sound like nonsense or change constantly.

Here, advocates often say that banks lack fundamental humanity, regard for their customers, or simple competence. I’d tell them that is neither here nor there, but the challenges described in Seeing like a Bank drive far more of this than malice, apathy, or incompetence as such. It is a systems issue.

But AML-driven offboarding has one particular spectral signature which is worse than normal debanking, which will always be a confusing, unpleasant experience for most customers.

Some of these customers are getting the letter because the bank looked into their account after a transaction was flagged as suspicious. This generally happens because an automated system twinged on it. Most of the so-called “alerts” are false positives, but banks are required to have and follow a procedure to triage them. That procedure is typically “Send a tweet-length summary of the alert to an analyst and have them eyeball things.” Every bank needs at least one person triaging alerts; the largest banks have thousands.

What if the analyst, on the basis of their training, experience, and data available from the alert system and from the account history they can access, decides that a transaction has… more than nothing irregular about it? Then they compose a specially formatted memo.

That memo is called a Suspicious Activity Report (SAR). The bank files it with FinCEN, via a computer talking to a computer after the analyst pushes some buttons. Then the analyst goes back to triaging incoming alerts.

Busting bodegas is a sideline for FinCEN; receiving SARs is their main job.

A SAR is not a conviction of a crime. It isn’t even an accusation of a crime. It is an interoffice memo documenting an irregularity, about 2-3 pages long. Banks file about 4 million per year. (There are some non-bank businesses also obliged to file them, but nobody is presently complaining about decasinoing, so ignore that detail. Banks are the central filers of SARs.) For flavor: about 10% are in the bucket Transaction With No Apparent Economic, Business, or Lawful Purpose. FinCEN has ~300 employees and so cannot possibly read any significant portion of these memos. They mostly just maintain the system which puts them in a database which is searchable by many law enforcement agencies. The overwhelming majority are write-once read-never.

Banks are extremely aware that most SARs are low signal, and that a good customer might wander into getting one filed on them. But there are thresholds and risk tolerance levels. And SARs will sometimes, fairly mechanically, cause banks to decide that they probably don’t want to be holding a hot potato. It’s risky, plausibly, and expensive, certainly. At many institutions, for retail accounts, the institution will have serious questions about whether it wants to continue working with you on the second SAR. It will probably not spend that much time thinking deeply about the answer.

So can the bank simply explain to the customer that staff time preparing SARs is expensive and that routinely banking customers who turn out to be real money launderers is a great way to end up with billion dollar fines? No, they cannot.

The typical individual named in a SAR is low-sophistication and cannot meaningfully participate in a discussion with a Compliance officer, because they’re very probably at the social margins. Do you have a favorite axis of disadvantage? Immigrant, no financial background, limited English ability, small business owner, socioeconomic class, etc? The axis has non-zero relevance to one’s probability of getting a SAR filed on oneself due to innocent behavior. Very many people who have SARs filed on them are disadvantaged on several axes simultaneously.

No, the bank cannot explain why SARs triggered a debanking, because disclosing the existence of a SAR is illegal. 12 CFR 21.11(k) Yes, it is the law in the United States that a private non-court, in possession of a memo written by a non-intelligence analyst, cannot describe the nature of the non-accusation the memo makes. Nor can it confirm or deny the existence of the memo. This is not a James Bond film. This is not a farce about the security state. This is not a right-wing conspiracy. This is very much the law.

If you work at a regulated financial institution, in the U.S. or any allied country, you will be read into SAR (and broader AML) confidentiality within days of joining. You will be instructed to comply with it, very diligently. If you do not, your employer may suffer consequences. You personally are subject to private sanction by your employer (up to and including termination) and also the potential for criminal prosecution. If your trainer speaks with a British accent, they will phrase the offense as “tipping off.”

It’s not just illegal to disclose a SAR to the customer. It is extremely discouraged, by Compliance, to allow there to be an information flow within the bank itself that would allow most employees who interact directly with customers, like call center reps or their branch banker, to learn the existence of SAR. This is out of the concern that they would provide a customer with a responsive answer to the question “Why are you closing my account?!” And so this is one case where in Seeing like a Bank the institution intentionally blinds itself. Very soon after making the decision to close your account the bank does not know specifically why it chose to close your account.

This strikes many people as Kafkaesque. (Me, too!) It is the long-standing practice of banking in the U.S. and allied countries. It is downstream of laws passed by duly elected representatives. It was not capriciously developed as a political tool in the last few years. (We’ll get to those.)

Crypto-investing VCs are not low-sophistication operators of the corner bodega. They are extremely aware that crypto is on the high-risk list at many institutions. They would prefer this were not so.

Their preferences regarding the high-risk list at, say, portfolio fintech companies are sophisticated and nuanced. For example, they will (accurately!) say that the high-risk list authored by a company socially close to them did not arise in a vacuum. Certain entries were foisted upon them by financial partners. Their financial partners will, over drinks at the bar, very quietly, say that they can relate to occasionally feeling powerless. And, though many will find this dumbfounding, their regulators will frequently say the same thing.

Occasionally. About some entries. We shall return to the mechanisms.

Plausibly some crypto founders are low-sophistication about the finance industry in their early days as founders. This is not a judgement about one's character. Nobody is born knowing everything, and very few people will have a serious and informed encounter with this topic ever, not in school, not at work, not in being a generally well-read individual, unless and until it is professionally relevant to them.

Perhaps a founder might ask a friend: “I run a legitimate business which happens to be in crypto and suddenly found my personal accounts closed. Why did this happen? I did nothing wrong.”

Playing the odds? The bank thinks there is an unacceptable risk that you will use your personal accounts to launder money on behalf of the business (and/or its customers, etc). The bank has insufficient controls to give them an appropriate level of certainty as to whether you’re doing this or not. They are disinclined to find out the hard way, so they invite you to find another bank.

Why do they think you might launder on behalf of the business? In part because of the extensive history of crypto companies laundering funds through the accounts of their founders and employees, specifically, and the banking industry’s highly-evidenced belief that businesses and their owners routinely commingle funds, generally.

Tether maintained access to the banking system by, among other mechanisms, having their executives establish accounts in their own names, stashing funds in the name of a lawyer, and using their non-executive employees as money mules. SBF had many talents but one of the main ones was money laundering. A major mechanism for that was loaning money (mostly customer assets and mostly sham loans) to employees then representing to banks (and others) that the employee was making an independent transaction not affiliated with FTX/Alameda/etc.

One would have to be very new or very incurious to be interested in crypto companies and be unaware of this history. Banks were rarely incorporated yesterday, and certain varieties of incuriosity-with-benefits are extremely frowned upon.

But there is something to the critique, by advocates, that rampant lawlessness within crypto for a decade and a half shouldn’t cause an institution to stereotype an innocent crypto founder. Advocates want debanking to only follow an investigation uncovering a) strong evidence there exists b) a particular articulable risk which c) society actually cares about.

Part of it is philosophical: they believe they are entitled to something like individualized attention and a presumption of innocence. This assumption is deeply embedded in our legal system.

We do not have this assumption embedded in our banking system.

It would be laughable for credit accounts: “I have never defaulted on a loan from you, and therefore, you must give me the benefit of the doubt, and issue this loan.” No intellectually serious person expects that from banks. No, we construct probabilistic models about who is likely to repay based on observable factors, less some factors which society has disallowed us from using under the law. If we deem you insufficiently likely to repay the loan, even if you are still very likely to repay the loan, you don’t get the loan. Finance is not high school; 92% is not an A- anymore. We don’t have to wait for you to default, or have any individualized suspicion about you, or conduct a years-long fact-finding process.

One is prohibited in discrimination in lending on basis of, for example, race. Why? The American people feel quite strongly that they want this to be true, and so their representatives passed a series of laws. Those laws are well-established and uncontroversial. You also, as young data scientists quickly learn, can’t use customer zip codes, no matter how probative they are. This is because they have a very high risk of being an effective proxy for race. (Aside: this is why California used zip codes when it wanted to prioritize the delivery of lifesaving healthcare to patients of favored races, primarily for political reasons.)

One is not prohibited from using someone’s occupation or ownership of a business as underwriting criteria. Those happen to be incredibly probative and, not incidentally, separate rules literally require that we ask. (AML rules require a bank opening an account with ongoing transaction capability to ask for what your source of funds will be, which will often include wages and/or business income, and banks then generally need to know “... OK, wages for what?”)

Is there a built-out appeals process or higher authority with respect to being declined banking services? Don’t our moral intuitions require there to be one?

Many people with “capitalist” in their job title will tell you that there is, indeed, a higher authority to complain to if a capital allocator rejects your pitch. It is Mr. Market. That capital allocator has competitors. Go pitch them. Are there projects that no capital allocator will fund? Absolutely. That’s an important part of why we pay allocators: they assist us in not frittering away resources society expects to fund e.g. teachers' retirements on non-productive uses.

And so allocators will tell you: If you can’t find any allocator who will back you, despite your belief you have a good business plan, and your business plan requires capital to execute, you do not have a good business plan, and you should do something else with your life.

I have yet to meet a venture capitalist who believes that passing on a pitch should be subject to review by a higher authority than their partnership. Many do not, as routine practice, tell entrepreneurs why they passed. Pure downside. Passing is not an invitation for the founder to work their persuasive magic on you. The meeting was the opportunity for that; the meeting is over.

But banks are, certainly, not venture capitalists. There is an aspect to banks which is not exactly dissimilar in character to infrastructure providers. Utilities are frequently invoked as an example here. Why would we construct a society in which power companies needed to make underwriting decisions in supplying power?! (I think people surprised there may be surprised to do deep dives into e.g. negotiating power purchase agreements.)

Banks, in addition to providing infrastructure, are also neck deep in capital allocation. Some bits of the bank might be more like one's conception of a power company, and some bits of the bank might be more like one's conception of a venture capitalist. And some bits might be confusing hybrids of two intuitions.

It may surprise you that a simple vanilla deposit account is both infrastructure and also a capital allocation decision.

For one thing, typical deposit accounts in the U.S. are actually credit products. It's baked in and can't be baked out without making them unfit for purpose.

For another:

Sources of credit risk to the bank are substantially broader than simple non-repayment of funds borrowed. A financial institution can take a credit loss on banking a business without having what most non-specialists would consider a credit relationship. This is particularly true when banking financial service providers.

Here’s a worked example:

Suppose a crypto exchange blows up out of nowhere, in an absolutely freak accident that happens in about 20% of all exchange-years. The last financial institution banking them can end up holding the bag.

Voyager Digital was a regulated institution that was publicly traded. It had adults at the helm, a Compliance department, some level of written risk processes, and legitimate backers, including well-known venture capitalists.

Voyager blew up, because none of the above are sufficient to prevent you from blowing up.

When they blew up, their bank (Metropolitan Commercial) received a slew of ACH reversals. Customers (often quite reasonably!) felt that they had sent in money to buy crypto, but they hadn’t received their crypto, which feels quite a bit like fraud, and so they complained to their (the customer’s) bank.

Metropolitan characterizes that complaint as fraudulent behavior. There are certainly fraudulent accusations of fraud made to abuse cryptocurrency exchanges, by paying for crypto, claiming you didn’t get the crypto, and then getting your money back while you keep the crypto. However, the customers Metropolitan wanted permission to stiff perceive themselves as having no money and also no crypto. The customers had traded money for a claim against a bankruptcy estate.

Crypto is a product with widespread adoption across the socioeconomic spectrum, I am told. Do you think a random person off the street would, on being asked "Define a claim against a bankruptcy estate?", have a really confident, automatic answer to that question? I think they would probably have a more confident answer to the question "Have you ever tried to buy a claim against a bankruptcy estate?"

So what happens if one calls one's bank and says “I opened an app on my phone. I tried to buy something. I didn’t get it. Those bastards kept my money.” Very frequently, your bank’s customer service rep will type some brief notes into a web application then hit a button. The customer service rep is trained to sound helpful when this happens. Their skill with that... varies. They make, oh, $15 an hour and are not trained like a district court judge. They will conduct no real investigation nor careful balancing of facts and circumstances. They are likely entirely unaware of notorious bankruptcies in the crypto industry, which are an infintessimally small portion of all complaints that reach their telephone queue. Customer didn’t get something from an Internet merchant? Push the button, read the script to the customer, disconnect, immediately serve next caller.

That button will, some steps later, mechanically cause Metropolitan to transfer back some money to Voyager’s now aggrieved customer, which (importantly) Voyager did not actually have to distribute, because it was in bankruptcy. Whose balance sheet did it come off of, then? Metropolitan’s. Their shareholders had just performed the sacred duty of equity: taking the credit loss so that depositors didn’t have to.

If you are banking a quickly growing financial services firm which has large daily funds flows, and charging small per-transaction fees and/or earning net interest on deposits, the total amount of money at risk (within the chargeback or reversal window) as of time T can be vastly larger than the total revenue charged for services at all times 0 through T inclusive. A handwavy approximation for it: number of days in the relevant chargeback/dispute window times average daily transaction volume times dispute percentage. (This will be in the low to high tens of percent. It depends on many factors, including the sophistication of your customer base, whether well-informed guides to consumer rights in banking go viral within it, and similar.) 

And thus banks are very selective with respect to what financial services firms they bank. Because one blowing up, just one, can sink the entire related business line.

Voyager and Metropolitan ended up asking the court to change the rules of the ACH protocol in their favor. Then banking technologists told the court that the ACH protocol was computer code maintained in a decentralized fashion and thus beyond the purview of any court. Wait, no, that sentence is from my unpublished cyberpunk novel and somehow made it into this essay by accident; please disregard. No serious person would say courts cannot interact with software or the people who write it. The court ordered a protocol upgrade. The court’s order was swiftly carried out, like many court orders, by responsible professionals employed by several firms.

Metropolitan, of course, got sued over the whole Voyager fracas. A major aspect of the lawsuit: Voyager intimated to customers that they would be covered by FDIC insurance and so their funds on deposit were safe. Voyager’s CEO has alleged that Metropolitan’s management suggested this selling point. Voyager’s marketing department published objectively false statements regarding FDIC coverage. “[FDIC coverage] means that in the rare event your USD funds are compromised due to the company or our banking partner’s failure, you are guaranteed a full reimbursement (up to $250,000).”

Marketing departments frequently misunderstand fine distinctions here, which is why, at well-operated financial technology firms, Legal does not let marketing write one single word about FDIC insurance without their sign-off. The fateful two words above are “the company”: FDIC insurance does not and has never backstopped the obligations of non-insured clients of the banking system. It only backstops the obligations of insured financial institutions. (Had Metropolitan failed, Voyager’s customers may have had recourse to FDIC insurance, but Metropolitan did not fail.) 

And so the FDIC has not paid Voyager’s customers one thin dime, nor will it ever. It has neither obligation nor legal authority to do so.

The FDIC is institutionally very opposed to fraudulently inducing customers to transact via claiming FDIC coverage. The FDIC is a banking regulator, among other things, and we’ll discuss them more in a moment. But they are, first and foremost, in charge of the deposit insurance fund. Crypto’s history of falsely promising that the FDIC will make customers whole for its own failures is one reason why the FDIC is institutionally wary of crypto.

Metropolitan then ceased crypto banking. Several banks which had major or incipient crypto practices ceased crypto banking roughly contemporaneously.

Was Metropolitan within its rights to do so? Ab-so-lutely. 

Was it within its power to not exit crypto banking? Some thumbs were placed on the scale, and Metropolitan acknowledges this, though they probably were not dispositive for Metropolitan specifically. Their incipient crypto business blew up in their face. Heads would likely have rolled in any event.

Metropolitan characterized their decision as influenced by commercial and regulatory concerns, but long coming. Quote:

Today’s announcement of our exit from the crypto-currency related asset vertical represents the culmination of a process that began [six years earlier] in 2017, when we decided to pivot away from crypto and not grow the business.

Suppose you are an internal advocate for crypto at a mid-sized bank in the U.S. When you bring your proposals to management, one of the things that will cause a chilly reception is the regulatory environment, certainly. Another one is that management can read the newspaper. Other banks which got this pitch and greenlit it took huge losses, ate months of negative headlines, and will be under examiner’s microscopes for at least the next year. This happened over almost no revenue. Why should management say “Yes, as long as it is only the high-quality crypto companies, as long as you cross your Is and dot your Ts, this seems like a low-risk business to be in? Yeet me some Shiba, bro.”

Anyhow, when a crypto founder couldn’t find a bank in 2011, one could be excused for blaming reflexive banker conservatism and low levels of technical understanding. Crypto has had a decade and a half to develop a track record to be judged on. Crypto is being judged on that track record.

Some advocates consider this unfair. Sure, sure, there was some… cowboy behavior in the early days, but that’s just the price of innovation. The freaks and geeks are always on the cutting edge of technology, and well, you know, I suppose they might not always listen to lawyers. But the early days are basically over. We bring something completely new to the table. We are responsible professionals with a compliance-first mindset. We are thoroughly committed to working with partners in finance and government to assuage all concerns. We have impeccable pedigrees. We say all the right things, in all the right accents. We are capable of hiring lobbyists, making campaign contributions, and engaging in a considered media strategy, too!

Much has been written about Sam Bankman-Fried and his co-conspirators and enablers. That story remains extensively misunderstood and undercovered relative to its importance.

SBF et al orchestrated a sequential privilege escalation attack on the system that is the United States of America, via consummate skill at understanding how power works, really works, in the United States. They rooted trusted institutions and used each additional domino’s weight against the next. A full recounting of the political strategy alone could easily fill a book. The forfeiture allegations fill 26 printed pages at 1-2 lines per targeted politician. The United States has also alleged that he tried to buy the Bahamas.

SBF and most of the co-conspirators were focused on the Democratic side of the aisle. His cutout Ryan Salame was the bagman for the Republican side of the aisle. Salame’s own lawyers, in their sentencing memo (pg 11), in what is a unique legal strategy, disclaimed any good intent: “Whatever the topic, Ryan’s ultimate purpose for [meetings with government officials including including Senator Mitch McConnell and then-Congressman Kevin McCarthy, focused on pandemic preparedness] was eventually to influence cryptocurrency policy.”

SBF was not charged for the bribing officials part of the crime tapestry, putatively due to treaty commitments to the Bahamas. C.f. the extradition treaty, Article 3. (I absolutely believe that that was a complication and disbelieve it was a hard constraint.) It was an element of plea deals by several co-conspirators, most of whom got lesser sentences for cooperating with the government. Salame was uncooperative and sentenced to 90 months. SBF’s parents appear unlikely to be charged. This is despite them being active and knowing participants in crime, including providing their son with extensive advice, in writing, on topics germane to their professional expertise. For example, his mother, a Stanford law professor and Democratic bundler, advised him to use his coworkers as straw donors to avoid compromising optics via mandatory disclosure laws. IANAStanfordLawProfessor, but that is plainly illegal.

SBF was considered, for a time, the heir apparent to George Soros. He was the next generation’s well-monied Democratic standard bearer in Washington. One major reason why crypto has experienced what feels like performative outrage from Democrats since 2022 is that they are trying to demonstrate that crypto did not successfully buy them.

Many in Washington, like many in crypto, have… selective memories of what meetings they took, transactions they entered, calls they made, and cookies they noshed on in 2020 and 2021.

But to remove the beam in my own eye before casting out the mote in another’s: SBF struck me as whip-smart, extremely cynical, but sincere with respect to his motivations. I thought him likely one of the most competent operators in crypto. (Don’t assume that I meant that as high praise, please.) Also I understood him contemporaneously to be Tether’s bagman and told people, privately, “Don’t get too close; 5% chance he goes to prison.”

In hindsight, I overrated the competence in several important domains, and totally missed the massive fraud. This was in no small part because of a strong sense of fellow-feeling. We have blind spots the size of Jupiter for people who remind us of ourselves and our closest friends. It’s hardwired into humanity, I think.

Anyhow, Tether’s current most important bagman is Howard Lutnik, who may be stepping back from the position, as he’s currently leading Trump’s transition team and has his eyes on bigger prizes. Forget MicroStrategy’s high implied volatility. Lutnik convertible arb would be the trade of the century.

Some crypto advocates believe it’s unfair to tar the industry with the SBF brush, for either industry internal reasons (“He was CeFi not true DeFi, and tried to force the rest of us along with it! Nuts to him!”) or political reasons (“Not my side of the aisle! Salami, you said? Never heard of him neither!”) 

Here we are again at the tension between a) democracies should practice careful consideration of individuals on their merits and reject collective punishment but b) the political system shouldn’t have the memory span of a squirrel.

Once upon a time there was an impressively unprincipled set of decisions made. Like many such tales, it didn’t happen as one discrete event in a smoky backroom. It started small and then cascaded, was covered up, and then came to light. Then, it was roundly and justly castigated.

There are certain incredibly non-salubrious businesses that make routine, intense use of banking rails and which simultaneously generate many customer complaints. Debt collectors are one such business.

Full disclosure: I was an unpaid advocate for consumers with issues with debt collectors (and banks, FWIW) for many years, and have described debt collectors as “among the most odious hives of scum and villainy as exist in the United States.” I’m also grouping a few clusters of consumer credit bottom feeders under “debt collector” or we’d be here all day: payday lenders, so-called “credit repair” companies, and debt-adjacent telemarketing.

Banking regulators, in response to customer complaints (which savvy customers, such as customers who listen to advocates like yours truly, will sometimes route through regulators because that achieves better outcomes than routing through CS), warned banks that debt collectors appeared to be at grossly disproportionate risk of ACH transfers that customers claimed were unauthorized. Customers claiming this are not always being candid. However, debt collectors do routinely abuse one’s common intuitions about how banking rails work as an intentional strategy. See the above piece for elaboration at length.

Now, banks who bank debt collectors can math out how many of their ACH payments are complained about. One can make an argument that those banks might not have institutional knowledge that complaints about debt collectors are structurally anomalously high, for Seeing like a Bank reasons. One could further argue that a regulator can licitly tell a bank something they don’t know. That sounds reasonable and an appropriate use of a public servant’s time.

Those banks that would open accounts for debt collectors (n.b. not all banks!) are OK with having that business. Debt collection, while not salubrious, is legal and regulated in the United States. Banks are not one-stop monitoring shops for all of their customers’ various obligations under the law.

But working through legislatures and courts is slow and expensive. Why not simply deputize the banks? We already have them run private intelligence agencies! How much of a reach is it for them to also run private consumer protection bureaus?

The Obama administration didn’t like debt collectors, for very similar reasons to why I don’t like debt collectors. And so they broadened the critique: the risk in banking bad guys was broader than the (known, accepted, controlled, and certainly not existential) risk of ACH reversals. Those customer complaints, those complaints could harm the bank’s standing in the community. That could result in e.g. a withdrawal of customer deposits. This would imperil the bank, for the usual reason. And if something could imperil banks, why, that should naturally cause the FDIC to make its opinions known.

Get out of peril, by kicking debt collectors to the curb.

But the FDIC had to be persuaded into that point of view, by a cadre of very talented people.

The Department of Justice had a legal theory, which it was quite proud of. The Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) gives the DOJ a hunting license for any fraud (and many other crimes) which affects a federally insured financial institution. FIRREA was passed after the savings and loan crisis, to protect small financial institutions from peril and thereby avoid another crisis.

Now your common sense understanding might be “Oh, Congress probably intended on cracking down on fraud targeting banks which, I don’t know, was big enough to imperil a small community institution? I could see a really large fraudulent bank loan imperiling a small bank. And checking the history books, there were some wildly fraudulent bank loans mixed up in the S&L crisis. OK, so we federalized prosecution of defrauding a bank like that? Sounds reasonable.” 

If you have that intuition, you are apparently not creative enough to have worked as a lawyer in the Obama admin DOJ. No, their thought was that if you provide rails which facilitate fraud, such as giving a fraudster a bank account, you are affecting a financial institution: yourself. And so, the DOJ can go after you, for self-harm. Note that you do not need to lose money, oh no, the DOJ can also go after you because the way you affected yourself was to cause your regulator to like you less. When you settle with the DOJ, it will extract an enforceable promise in writing that you will stop your campaign of self-harm, and also stop banking specifically enumerated industries, like payday loans.

I realize that this sounds unlikely. The following is a direct quote (expanding acronyms) from the DOJ Office of Professional Responsibility, in the report (pg 16) where they exonerated DOJ lawyers.

As more fully explained below, the [Consumer Protection Branch] has relied on the “self-affecting” theory, as well as additional theories of liability, in three cases arising from the Operation Choke Point initiative.

Now when the DOJ or FDIC tells you, a bank, to do something, or strongly suggests that you do something, that usually isn’t the end of the argument. You can certainly haggle. You can even fight… to a degree.

This is a multi-year iterated game with repeat players, each of whom has limited resources and very complicated preferences. Both sides are constantly picking their battles. There is give and take. When your counterparty is happy with you, your emails get returned faster, you get more of your asks, and you can report smooth sailing to your boss. Both banks and regulators are ultimately made up of people, with emotions, career paths, and annual performance reviews.

Banks do not actually make a lot of money from servicing debt collectors. The culture that is banking looks at the culture that is debt collection and sees slimy people who are beneath it. And so the banks frequently obliged. Many of them, in their offboarding letters to debt collectors, were unusually candid relative to the standards of offboarding letters: it’s not you, and we apologize for this, but we’ve received regulatory guidance about your industry, and as a result our appetite to serve your industry no longer exists.

As it turns out, the Obama administration had many diverse policy preferences.

It wasn’t particularly in favor of guns, for example.

Gun sellers don’t use banks in the way that debt collectors use banks. They do not routinely trick customers into the gun-for-money transaction. They don’t make particularly intense use of ACH pulls (confidence: 99%, on general industry knowledge) and don’t have particularly high dispute rates (confidence: 95%, same).

But regulators, having discovered that “reputational risk” attached to anyone you didn’t like with nary a whisper of complaint, believed that banking gun sellers was high-risk. Haven’t you read the newspapers? School shootings. Do you want any of that sticking to you? You are imperiling your good name, and therefore the stability of your deposit base, and therefore your bank, and therefore the insurance fund, by accepting the business of gun sellers.

In Congressional testimony, the FDIC said that it hadn’t ordered anyone to debank disfavored businesses.

What we have done is we have tried to be very clear in putting out our guidance to say very publicly and clearly that as long as banks have appropriate risk mitigation measures in place, we are not going to prohibit or discourage them from doing business with anyone with whom they want to do business.

This individual might perceive themselves as telling the truth here. “Justify to me why the payday lenders are not on your high-risk list.” and then “Do you have a built-out EDD program for the deposit risk caused by payday lenders?” followed by “Then are you sure you should accept that business?” are consistent with this statement, individually and as a script. (Those are not quotes, but rather indicative summaries of stages in a conversation. I believe them to fairly characterize conversations that the record abundantly shows happened.)

The FDIC Office of the Inspector General, in an investigatory report, attempted to shift all blame for Operation Choke Point to the DOJ.

We found no evidence that the FDIC used the high-risk list to target financial institutions. However, references to specific merchant types in the summer 2011 edition of the FDIC’s Supervisory Insights Journal and in supervisory guidance created a perception among some bank executives that we spoke with that the FDIC discouraged institutions from conducting business with those merchants. This perception was most prevalent with respect to payday lenders.

When a regulator publishes position papers that it wants you to do something, and reiterates this in individualized supervisory guidance, that tends to create a perception in this author that the communicated policy direction was not YOLOed onto the Internet by a room full of monkeys banging keyboards randomly.

As frequently happens, the individual officials who had instructed banks to debank the targeted industries ignored Stringer Bell’s dictum on taking notes on a criminal conspiracy. Emails sent within the FDIC and DOJ were routinely archived, and banks (of course) keep copies of correspondence from their regulators. Those emails said what they said, and what they said was pretty damning.

For example, the Department of Justice’s internal Six Month Status Report On Operation Choke Point (excerpted in Congressional reporting) said:

Finding substantial questions concerning the legality of the Internet payday lending business models and the loans underlying debits to consumers’ bank accounts, many banks have decided to stop processing transactions in support of Internet payday lenders. We consider this to be a significant accomplishment and positive change for consumers  . . . Although we recognize the possibility that banks may have therefore decided to stop doing business with legitimate lenders, we do not believe that such decisions should alter our investigative plans.

Not once, not twice, not a handful of times, not a loose confederation of rogue examiners. Three of six regional directors of the FDIC offices told the OIG that they understood Washington to want payday lending discouraged and two of them said there was an expectation to, in the words of the OIG, direct institutions that facilitated payday lending to “pursue an exit strategy.”

Did that require top-down direction? You can, in fact, generate nationwide programs with local offices doing strikingly similar things without top-down direction. The combination of a monoculture plus a policy direction that lower-level staffers believe in is often sufficient to make it happen. We have extensive experience of this in tech and finance, as discussed later.

Japanese has a beautiful word, sontaku, for the attitude and actions a diligent subordinate would take without his superior’s explicit instruction, believing them to anticipate his boss’ desires. Sontaku is a core skill in the American professional class. People possessing it are sometimes described as “motivated self-starters”, “high-agency”, “bold”, ”takes initiative”, ”acts like an owner”, etc. You are a very, very bad Compliance professional if you aren’t constantly sontaku-ing your regulator. You are also a bad Regional Director of the FDIC if you aren’t constantly sontaku-ing Washington.

But Operation Choke Point, specifically, simply was official policy. If it wasn't, no entity as complicated as the United States can ever be described as having even once had an official policy.

As the former Chairman of the FDIC wrote in a WSJ editorial:

Internal Justice Department papers released by the House Oversight and Government Reform Committee make it clear that Justice prefers coercing banks to drop customers through Operation Choke Point rather than prosecuting illegal or fraudulent businesses directly because it’s easier, faster and requires fewer resources.

Operation Choke Point wasn’t just targeting debt collectors, gun sellers, and payday lenders. No, the FDIC’s bullet-pointed list was 30 entries long. They range from clearly abusive and illegal (scams) to “One could construct a narrative by which banking that industry is challenging” (pornography) to “a grab bag of things we dislike” (racism and… fireworks? Really?)

Operation Choke Point, once it came to light, caused a media and Congressional furor, because it was arbitrary and lawless. (I am using that in the ordinary sense of an American who took civics, not in the specialized sense of a DOJ lawyer, who might bristle for being called “lawless” when they had three court cases and one 25 year old statute which are clearly explained in the memo as adding up to them being able to do everything they did.)

The architects of Operation Choke Point steadfastly denied it was designed to do what it was manifestly designed to do. They denied it did what it manifestly did.

The agencies were then pointedly accused of lack of candor with Congress. If you tell a Congressman he isn’t reading the WSJ right, but internally your bosses are high-fiving themselves over that WSJ article, and they are high-fiving themselves because finally the WSJ is covering their important work accurately, Congress will not be pleased. Then they will show you a copy of your bosses’ emails, which they can subpoena, because they are Congress. (House Oversight Committee report, ibid, pg 10)

Some scholarly literature is sympathetic to the regulators’ point of view. (More is not.)

If you want a steelman, that’s the best one you’ll likely find. It acknowledges the DOJ’s efforts to interdict fraud by creatively interpreting FIRREA and targeting third-party payment processors and banks, accuses the financial industry of making a fuss over this for self-interested commercial reasons, performs a modified limited hangout of the high-risk list, and claims that the gun industry cynically glommed onto the news cycle for political reasons despite no actual enforcement specifically addressed against it.

My point of view? I can read emails. They say what they say, even when acknowledging what they say would cost a public servant their job. I read the postmortems (including many years ago; this sort of thing was my hobby before it was my job). I view them as face-saving exercises written, in no small part, by civil servants mortified that their peers could lose jobs and pensions simply for implementing the Administration’s policy preferences using colorable authority.

Sometimes, people have been known to lie in politics. Sometimes justice is not done. I know, try to weather the shock you must feel.

Operation Choke Point was mostly forgotten, except by banking nerds.

Until…

Nic Carter, a crypto VC and podcaster, who occasionally does very good work, has been steadfastly attempting to brand a constellation of regulatory activities regarding crypto as Choke Point 2.0. This branding is an attempt to delegitimize them by associating them with politically-motivated lawlessness. It has since become popular among crypto advocates.

Unlike Operation Choke Point, which actually was a centrally directed operation with written project plans, status meetings, ongoing progress reports, and a code name decided by the participants (who, in hindsight, should have talked to their own Comms department and picked something that didn’t sound nefarious to describe their plans), Choke Point 2.0 stretches like taffy to attach to any recent regulatory activity crypto advocates don’t like. So we’ll have to review quite an involved history of very disparate issues to give advocates a fair hearing.

Carters' work, which is extensive on this topic, exists in pieces like Did the government start a global financial crisis to destroy crypto?

To answer the question in the title: no, it did not. We started a financial crisis which to-date is mercifully narrow as an underappreciated side effect of interest rate hikes to tame inflation.

Silvergate: Crypto had a bank, doesn’t now, and misses the good days

Crypto advocates have specific and general concerns about banking supervision at a small number of banks acutely relevant to their interests. They have tied these concerns to the debanking narrative.

They do not evince attention to detail or familiarity with the procedural history of specific examples they invoke, though some have attempted some original reporting with respect to these issues. That is to their credit.

As we’ve established, almost all banks consider crypto businesses to be high-risk, and avoid them. There was a small cadre of banks which had active crypto practices. Those banks purported, to the public and their regulators, to have the EDD required to bank them compliantly. This was incredibly operationally useful for crypto, for one very obvious reason (substantially every business needs a bank account) and one less obvious one.

Crypto talks a great game about decentralization, but centralized systems are more efficient than decentralized systems. When riding banking rails, making transfers outside of regular banking hours (which have five twos of uptime) is difficult. This exposes firms to risk and acts as a constant cost of capital. 

Crypto trades 24/7. Crypto firms would like to settle crypto trades, particularly between stablecoins and the USD backing them, 24/7. Crypto’s solution to this was to all bank at the same bank, Silvergate, which I described (with some surprise, when they IPOed) as the First National Bank of Crypto.

Silvergate had a particular product called the Silvergate Exchange Network (SEN). SEN was both a) boring infrastructural plumbing and b) extremely important to the crypto industry. Oh boy, do crypto companies miss SEN. In sum, SEN would allow substantially 24/7 book transfers between Silvergate customers to shift USD balances between their bank accounts. This would let them constantly settle the USD leg of crypto trades between each other.

This was particularly important for stablecoin issuers, like Circle, which issues USDC. Circle’s main custodial bank for USDC was SVB. Circle wanted to be able to issue marketmakers like DRW and Alameda Research hundreds of millions of USDC 24/7 at any hour on any day with no more than a few minutes of latency, or redeem USDC for greenbacks in a similar fashion.

Now, a thing you will frequently see in fintech banking, and which is not itself at all inappropriate, is a fintech having multiple banks with a division of labor. One of those banks might agree to have a fintech’s customer-facing high-velocity low-EOD-balance transactional activity. And one of those banks might agree to have a fintech’s low-velocity high-EOD-balance deposits. These are very different business propositions for the banks! They imply different risks, different core competencies, and different revenue opportunities. 

If you are running businesses which both a) have high daily inflows and outflows and also b) want to keep billions of dollars in the regulated banking perimeter, you very much need partners comfortable with both halves.

The argument you make, as a fintech, to the bank with your deposit business is that the other bank is also a competent, U.S.-regulated financial institution, with good AML and KYC controls (among others). Therefore, when your business makes one wire at the end of the day to settle up with its omnibus account at that bank, netting over several hundred thousand customer transactions, perhaps for several hundred million dollars, your bank should be comfortable, even if it has very little exact knowledge about what happened today. 

Probably the same story as yesterday, and tomorrow, and Compliance can sleep the sleep of the righteous, because their trusted peers have an appropriate degree of controls in place. The bank custodying the money mountain is thus certainly not aiding and abetting money laundering. It can rely on the second bank’s own surveillance and controls, in addition to the crypto firm’s compliance department. There will be many formal contractual promises and informal verbal or written assurances made about this. And this works and serious people can accept it but the factual probity of the high-velocity transactional bank is extremely load-bearing.

Silvergate was not a competently run institution.

SEN did not, in fact, have a robust controls environment. It, in fact (para 70), had functionally no transaction monitoring. Silvergate had bought a standard package that a lot of banks use for automated monitoring, but due a configuration issue, it was off for SEN transactions.

Carter describes this state of affairs as follows: “Silvergate’s transaction monitoring system for SEN had gone through an upgrade and experienced an outage.”

Silvergate was institutionally aware of the “outage” but unable to remediate it.

I have an engineering degree, have founded five software companies, have worked in the tech industry, and in my entire career, I have never described an engineering investment I failed to make for fifteen months as an “outage.” After a day it is an outage, after a week it’s a human competence issue, but after a year it ferments into sparkling tech strategy.

During that period, SEN transacted over a trillion dollars. Silvergate was not unaware that SEN had an up-and-to-the-right usage graph (congratulations!). They were just routinely ignorant of funds flows they were facilitating with their banking license, sized in the billions of dollars per day. We know this because of Silvergate’s contemporaneous internal communications, the technical reality of the artifacts they had purchased and implemented, and sworn statements in litigation and to regulators. It is beyond intellectually serious dispute.

What of it, though? Is that just a harmless paperwork glitch? I'm glad you asked.

Intrabank book transfers are historically low-risk for money laundering because they’re ineffective at accomplishing layering: the same Compliance department can see both legs. Moreover, the majority of them are between entities known to be under common control. The purpose of layering is to break the chain of surveillance; swapping between your left pocket and your right pocket in front of a Compliance officer doesn’t accomplish this. This assumption of low-risk was apparently, per Silvergate’s employees, baked very hard into ATMS-B, the new-and-improved monitoring suite Silvergate had implemented.

However, SEN transactions, while implemented as intrabank book transfers, are in fact high-risk. The designed intent of SEN is to allow counterparties not under common control to settle one half of a transaction, at very high velocity. The other half generally occurs on a blockchain, unsurveilled by the bank. Seeing one half of transactions is fairly risky. Seeing neither half sounds like you are swapping bank deposits for cash equivalents, at the scale of billions of dollars per day, with no functional AML monitoring program in place.

This is not just me saying it. Kathleen Fischer, Chief Risk Office of Silvergate, said internally, of the lack of SEN monitoring: “We have known of this issue and either we have established other controls to account for it or we haven’t, and we have to take our lumps.”

Silvergate had not, in fact, established other controls.

Carter claims that all clients of the bank had gone through rigorous KYC and onboarding processes. Silvergate may have consistently conducted KYC and onboarding processes, but one could forgive a skeptic for believing them to be pro forma.

Silvergate onboarded several entities relating to Binance, a confessed criminal conspiracy which extensively engaged in money laundering. Binance and its management are Bond villains; they gleefully flouted the law and engaged in jurisdictional gamesmanship to avoid financial regulation, for years. Binance et al transacted $22 billion through Silvergate.

Mandatory compliance training is such a drag, and sometimes we like to spice it up with fun games. Let's play Spot the Red Flags together.

We have just received an account application from a Seychelles-domiciled corporation beneficially owned by a globally notorious billionaire. He disclaims any permanent address. The beneficial owner receives regular negative news coverage. He and his company have received multiple orders to cease business from peer nations. Those orders cite offering financial services without a license, suspicion of money laundering, willfully non-compliant posture, and extensive documented lies to regulators. The corporation has no operations or employees; it is strictly a shell. The planned funds flow is receiving inbound wire transfers, including international wire transfers, from counterparties which the bank will have only fragmentary third degree knowledge of. The corporation intends to immediately transfer those deposits to a third-party financial institution. This is to facilitate those counterparties’ purchase of pseudonymous bearer instruments, specifically, cash equivalents. The corporation anticipates billions of dollars of volume, in transaction sizes up to eight figures.

Silvergate happily opened an account (pg 4) for Key Vision Development Limited, the above-described shell company, and allowed it to deposit and withdraw over $11 billion. Now, credit where credit is due, Silvergate did debank Key Vision Development Limited in 2021. The record doesn’t say why, but perceptive readers may be able to hazard a guess. But Binance’s main entities still enjoyed attentive service, or perhaps more to the point they enjoyed all the inattention they were getting with their service, until the bank folded.

But the main rake Silvergate stepped on, repeatedly, was its relationship with FTX/Alameda and its executives. They were collectively the bank’s largest client and comprised tens of percent of its deposits. Silvergate’s monitoring of their usage was minimally grossly inadequate, as the bank and its executives admit.

Carter quotes an unnamed Silvergate executive as saying the following, which is roughly consistent with their prior statements to the media and to regulators.

Where we were not as buttoned up as we should have been was in regards to the FTX/Alameda clients. That was a function of the bank growing incredibly quickly[.] … Probably we could have figured out FTX was brokering deposits via Alameda. In retrospect I think we could have pieced this together and figured it out. But this is not a legal failure and we’re not required to catch everything. Our program passed legal muster. That’s something we could have done a better job of. But there was no intentional wrongdoing or cooperation with the bad guys.

This is consistent with things they have said previously, but does not demand unlimited deference.

Ryan Salame, a subject matter expert in laundering crypto money through the banking system (skills described by his lawyers, see pg 7 and onwards), tweeted that it beggars belief that Silvergate did not know that Alameda Research and North Dimension were in fact receiving FTX customer funds flow. Salame has repeatedly stated that Silvergate intentionally orchestrated that funds flow in concert with him. Even if it had not, Salame is just right: even if FTX concocted the scheme internally and even if Salame somehow managed to push all the buttons himself, Silvergate had to know.

But suppose you credit neither Salame nor I with understanding how banks work, or you demand unquestioning deference to executives’ denials, perhaps because one believes that a bank executive would never ever lie. The picture most favorable to Silvergate is that, during multiple years of being monomaniacally focused on growth to the neglect of its responsibilities under the law, it routinely underperformed the competence bar required of regulated financial institutions in the United States.

Silvergate voluntarily liquidated in the wake of the FTX implosion. Limited props for them here: they managed to do this in a mostly orderly fashion, as opposed to Signature, which had substantially less crypto exposure but blew up. (Signature had an analogous book transfer API product, called Signet. It is a smaller part of their story.)

Carter has a number of complaints with regards to supervisory activities relating to Silvergate Bank. One of those is that he alleges the Office of the Comptroller of the Currency disallowed Silvergate from selling SEN. I find this allegation very plausible, if not specifically evidenced. Silvergate was operating a trillion dollar laundering machine which had drawn immediate demands for corrective action for an extended period, had not taken aggressive corrective action, and then had proximately caused enormous consumer harm in a way which was maximally embarrassing to many policy actors. When the bank’s Chief Risk Officer predicted incoming lumps, these were the sort of lumps she was predicting.

Carter further alleges, and I think this is substantially original reporting (and good on him for it), that the FDIC and other banking regulators gave verbal guidance that banks should get crypto deposits below 15% to be “safe and sound.” If a banking regulator invokes those words, they are not making a suggestion. Carter complains that there is no statutory authority to pick this arbitrary number, that this threshold makes banking crypto functionally impossible, and that it is specifically chosen to kill targeted banks.

Some regulators are disclosure regulators. The SEC comes to mind. Some regulators are prudential regulators. The ordinary operation of prudential regulators is to take broad statutory direction and transform it, sometimes via the rulemaking process and sometimes via more informal guidance (and, even the FDIC will tell you, “moral suasion”). This process yields both concrete asks and fuzzier spectral ranges subject to ongoing negotiation between regulators and the regulated.

Does the FDIC have statutory authority to pick magic numbers? Yes, in the political system of the United States, it does, and it can cite that authority to you at length. The FAA has statutory authority to pick magic numbers for bolt torque. The FDA has statutory authority to pick magic numbers for permissible flow rates for ketchup.

Are regulators overreaching here? Not obviously so! Look at the above description of Operation Choke Point and their theory of regulatory authority there. It requires magical thinking to connect banking a payday lender, reputational risk, a run on your bank, and endangering the deposit insurance fund. It very much does not require magical thinking to think that crypto deposits are flighty, correlated, and could cause a run! We were experiencing actual crypto-induced runs! 

A reasonable argument can be made that the problem with regulators was not abuse of discretion. It was needing to pay for past regulatory mistakes and/or missed opportunities with overcorrection following substantial consumer harm. Examiners (stunningly) missed that Silvergate’s new business model, which they had IPOed on the strength of, had materially changed from its days as a sleepy two-branch real estate bank! That reasonable argument has been alluded to… by the Federal Reserve! See Findings, pg 2.

Does the 15% threshold make it generally impossible to bank crypto? Empirically not; other bank’s crypto practices are well beneath that threshold, which likely informed how it was chosen. Metropolitan, for example, had about 25% at the peak and then drew down to 6%. It fairly persuasively told stakeholders that it had done a good job of risk management. And, not incidentally, Metropolitan is still with us. And so regulators could very reasonably say: “OK! 6% is all-else-equal green, 14% is yellow, we don’t want you spiking to 25% anymore, 96% is deep #%*(#(ing don’t even think about it red.”

And you could make this same observation about many banks with a crypto practice. Coinbase doesn’t keep customers' money in a mattress. Their main bank’s crypto exposure is… <Jamie Dimon grabs the keyboard>FORTRESS BALANCE SHEET</Dimon not actually grabbing the keyboard>.

Carter further alleges or insinuates (it’s a bit unclear at times which he is going for) that Senator Warren and/or regulators colluded with short sellers to intentionally kill Silvergate, via sparking a liquidity crisis.

He specifically cites this letter by Warren et al, which includes the sentence “Should it need extra liquidity, your bank has access to taxpayer dollars through the Federal Reserve Bank of San Francisco and the Federal Home Loan Bank of San Francisco.”

Carter argues that sentence was intentionally inserted to put pressure on FHLBSF to demand repayment of advances. That would force Silvergate to find liquidity at a time where that would be incredibly difficult. Silvergate, subsequent to that letter, did repay those advances, and said in a securities filing that this required them to accelerate securities sales, leading to rumors in the industry that this forced their hand on deciding to close. FHLBSF has squarely denied pressuring them to accelerate repayment.

Short sellers made a killing on Silvergate, certainly. I absolutely believe that short sellers communicated with Senator Warren and regulators and additionally would credit that they did this strategically to bring pressure to bear against the bank. Evidence in favor: they say they did and bragged about it, while nailing Silvergate's hide to the wall.

But the reason short sellers made billions shorting Silvergate is primarily because they were right and early about Silvergate.

Marc Cohodes (a noted short who was deeply short Silvergate) and Ram Ahluwalia (a crypto investor with a very good understanding of bank regulation) had a debate about Silvergate prior to its collapse. I will not recount it for you on a line-by-line basis, but on listening to it at release, I felt “Cohodes is winning this by a mile, despite Ahluwalia being better calibrated on whether banking a single money launderer would indict a compliance program in the eyes of a regulator.” (I was at the time effectively constrained from trading in bank stocks, but I took professionally significant action after listening to that podcast.)

I think one could make some criticisms of Cohodes, or of short sellers generally, but “They were fundamentally more wrong than right about the short thesis, and needed government intervention to make it pay out” requires ignoring mountains of evidence. You are invited to look back, with full oracular hindsight, on what Cohodes said in that presentation.

A heuristic I have long used, as a once-upon-a-time debater: if one side is impressively detail oriented, and randomly selected details are trivially sustained, and the other side doesn’t allege details but pounds the table a lot, bet on the first team.

Or, if you want, you can bet on their former executives. Their former CTO (after being Chief Operations Officer), who is also the CEO’s son, has a Twitter account. You can find his side of the story on it. For a bank executive he is remarkably cavalier with characterizing the contents of communications from his regulators.

For example, he writes “The Sunday after Thanksgiving in 2022, regulators went after 5 banks simultaneously[.] Up to that point the regulators were not objecting, Silvergate brought them along, and suddenly everything changed[.]” 

In fact, in April 2022, Silvergate had received a Matters Requiring Immediate Attention (MRIA) from the Federal Reserve specifically concerning the adequacy of its BSA/AML monitoring program. They received a similar MRIA in November, but by that time, they were cooked. See SEC complaint, para 80, substantially confirming representations made in a deposition by “Former Employee 5” (a Compliance official) in this lawsuit, which explicitly allege MRIAs. A MRIA, as distinct from a Matters Requiring Attention (MRA; a formalized supervisory directive which they expect you to pay substantial attention to in the ordinary course of business), is a drop-everything-and-fix-immediately command.

The Federal Reserve has required language (pg 3) for when it communicates MRIAs. The Federal Reserve supervises many banks, at all levels of scale and sophistication. This includes small town community banks where board members are typically local real estate developers. To ensure that low-sophistication bank executives or board members do not miss the fact that an MRIA is both an order and a shot across the bows and should be understood as such, that language is: “The board of directors (or executive-level committee of the board) is required to immediately…” (bolded in original)

The SEC has since charged Silvergate executives with misrepresenting the truth to investors about the depth of their liquidity problems in the immediate wake of the FTX collapse.

Suppose one believes, arguendo, the protestations of Silvergate management that it had seen the implosion of their largest customer, and a ~70% outflow of deposits, and was still ready to keep chugging along.

In that world, is the regulator saying (approximately) “We support banking legal industries, given an adequate controls environment. However, you must get your crypto deposit concentration to below 15%?” compatible with the continued existence of Silvergate specifically, after early November 2022?

I agree here with Carter and crypto advocates: no meaningful concentration limit on crypto is compatible with the continued existence of Silvergate after early November 2022. Even a 50% concentration limit is impossible; 15% is worse.

Simple math: for each dollar of deposits that you don’t bleed off, and you really can’t bleed off many post-run, you need to find someone willing to deposit about $5. Even if your sales pitch made angels weep to hear it, that is an impossibly tall order. Silvergate had no path to swiftly raising many billions of dollars of deposits from non-crypto depositors.

Silvergate had attracted its existing deposits via what would most charitably be described as intense attention to the needs of the crypto industry. It had no advantage over any bank in the U.S. vis banking any other individual or industry, and it had many disadvantages. It was under a PR cloud, because facts about its behavior over the last few years were being reported. It was obviously wobbling as an enterprise.

Most deposits are attracted by offering routine bank services (the sort that Silvergate had no edge on providing to non-crypto clients). This is referred to in industry as the “deposit franchise.” Banks have an immediate option to raise deposits in a hurry, forgoing years of sponsoring Little League teams, showing up for the annual town festival, and asking about your holiday plans over a coffee. You can skip the sweat-and-smiles business and proceed directly to paying through the nose, by attracting the custom of sophisticated financial professionals who place money at the banks bidding highest for it in the country. This is called deposit brokering.

At any price Silvergate was capable of paying for deposits, there was a regional bank that would have matched or exceeded it, because (unlike Silvergate) many regional banks have a material first-party loan book (and ongoing origination apparatus) which they reasonably believed would continue to exist, and deposits are a funding source for that loan book (and apparatus).

A deposit broker would reasonably model that hypothetical replacement bank as being a higher priority for receiving extraordinary backstopping if that ended up being necessary. This would play into their credit analysis of that replacement bank if the deposit broker was trying to place, for example, a $200 million certificate of deposit, almost all of which is uninsured (subject to bank credit risk) absent extraordinary government backstop.

Crypto advocates are notably incurious about non-crypto banking and don’t seem to understand why non-crypto regional banks were being heavily shorted in late 2022 and early 2023. I believe that, for many crypto advocates, including some who are well-educated financial services professionals, including some whose portfolio include many financial services companies, this is not very cynically ignoring background unfavorable to their narrative. Rather, it is because they genuinely do not understand what a sudden hike in interest rates would do to the balance sheet of a bank, in the same way that many software engineers do not understand what a sudden interest rate hike will do to the value of their equity. I would credit the possibility that some crypto advocates do understand how bank balance sheets are affected by interest rates, and are choosing to not contradict their standard bearers in public.

I am unconvinced that the concentration limit was the but-for cause of Silvergate’s demise, though I could be persuaded to that view.

My default view is that if every government employee had been furloughed on Thanksgiving Silvergate would likely still have closed. Its regulators had utterly lost confidence in it, true, but its customers had also lost confidence in it, in no small part because a) they knew they had wired money to Silvergate and b) they knew they now didn’t have their money (because SBF et al had misappropriated it). That’s a bad set of facts for a long, happy banking relationship.

I also think, and won’t ask advocates to acknowledge this, that a post-investigation Silvergate which managed to exist would be unable to offer the product that people were really buying. It was the Schelling point for everybody in crypto. That is why SEN worked. In no conceivable universe does Silvergate keep Binance as a client after it gets put under the microscope. A crypto Schelling point which Binance can’t touch is not a crypto Schelling point. Absent that Schelling point, if Silvergate was simply a bank that would let you park a $3 million seed round and cut paychecks while you worked on your solidity… that Silvergate is not a business. And it’s a bad time to not be a business while you’re sitting on a portfolio of MBS in late 2022 and early 2023.

But suppose arguendo that the government intentionally precipitated conditions incompatible with Silvergate continuing to remain in business and also that this was the but-for cause of Silvergate’s demise.

Is that a norms violation? Do we allow the government to close banks?

If you’ve worked in the financial industry in any capacity, you went to mandatory Compliance training. Attendance is taken and you likely had a refresher annually. And there were smirks, and jokes. And your trainer said, very seriously, “Pay attention. This is important. If we eff this up, they can do anything to us, most likely large fines but up to and including closing this firm. You, personally, could go to jail.”

Most people in finance heed this lesson. Every year, some don’t, and they learn why this training is mandatory.

Should we allow government to close banks? Yes.

Reasonable people can disagree as to the thresholds that extraordinary remedy should require and the procedural form it should take.

If we were still on debate team, you might ask me for a concession “Government needs to specifically admit that Silvergate was intentionally closed” and I’d counter “Sure, will trade you: opposition needs to concede that Silvergate was actively aware including at the executive level that Alameda and North Dimension were intentionally receiving incoming FTX customer funds flows.” About fifteen minutes later, I think neither side is thrilled, both sides learned something they find edifying, and there probably exists mutual agreement that either Silvergate had to go. or in the alternative Absent extraordinary government support, Silvergate was doomed after the FTX fiasco. 

Complaints that Signature Bank did not need to be placed in receivership 

Carter believes Signature was targeted in an analogous fashion. In part this is in reliance on their board member Barney Frank, who maintained (in media interviews contemporaneous with the collapse, and after it) that Signature was solvent and had sufficient liquidity at the end of a week which had seen a bank run.

Perhaps some have forgotten the context of that week. On March 8, Wednesday, Silvergate announced it was closing. On March 10th, Friday, SVB was placed into receivership, after the most explosive bank run in history. On March 10th, still that same Friday, Signature experienced a run of $18.6 billion of deposits in the space of hours.

That context refreshed, let’s review where Signature believed its business was on March 11th and 12th, over that weekend.

Signature experienced difficulties telling a plausible story involving numbers which added up  (pg 35) that weekend. Quoting that postmortem:

Signature needed to provide reliable and realistic data, particularly concerning immediately available liquidity and ongoing deposit withdrawals, to inform the analysis the Regulators and Signature needed to perform to understand the Bank’s liquidity position. Once Signature began providing any data on these key issues, the Regulators found the data was inconsistent and that it continuously changed in material ways. 

Signature execs, et al, were on a series of conference calls with regulators for an entire weekend. They began with regulators taking note of the bank run and candidly announcing the bank was in mortal peril. Signature proceeded, in the regulators’ view, to confabulate about liquidity sources, composition and quality of assets, and current withdrawal requests pending, through either malfeasance or spectacularly poorly timed technical incompetence. Regulators felt that, at this pivotal moment, Signature was dangerously disconnected with reality, like an executive describing the weekend as (this is a quote) “uneventful thus far.”

It is a serious accusation to say Signature was confabulating. Banking regulators are (mostly) serious people.

Quoting the postmortem again:

For example, through Sunday afternoon, Signature represented to the Regulators that nearly $6 billion in liquidity from its commercial real estate portfolio would “Very Likely” be available to the Bank on Monday. The Regulators were aware, however, that it would take weeks for the FRBNY to review and value that portfolio.

Was Signature aware that its commercial real estate portfolio could not possibly be good collateral on Monday? Manifestly so.

A brief explanation for the benefit of readers unfamiliar with commercial real estate (CRE) banking:

Signature’s plan was to pledge portions of its CRE loan portfolio to the Federal Reserve Bank of New York the Monday after the critical weekend. It thought that the Fed would credit them for the value of the portfolio less some haircut. Signature would then immediately wire what the Fed credited them to the customers demanding their deposits. Simple as.

However, CRE loans are not fungible, easy-to-analyze assets like e.g. Treasury bills or even mortgage-backed securities. They’re complex, bespoke legal agreements, in the best of times. 2023 was not the best of times for the New York commercial real estate market, as anyone who reads the newspaper is aware, and so you can’t simply value those loans by copying outstanding balances into Excel then chugging a tiny bit of math. You’ve got to read the darn things, construct a model (which, if you were someone with skin in the game, would asymptotically approach re-underwriting those loans because New York CRE is that bad), come up with your impaired valuation, and then, haircut that.

Signature Bank had a crypto sideline but its beating heart was the New York CRE market. This is a bank that breathed New York real estate. It beggars belief that they thought that portfolio would be Very Likely to be good collateral in merely wall-clock hours of work.

You know what this reminds me of? This reminds me of one Sam Bankman-Fried who, on finding himself in what he believed to be a survivable liquidity crisis, began wildly writing indicative numbers down on napkins and/or Google Sheets. SBF still doesn’t understand why nobody believed him. Just look at the napkins!

We are not required to believe your napkins, Signature, if they contain obvious untruths, or if the napkins evolve wildly in inconsistent ways over the course of a single meeting.

The most critical question for Signature’s liquidity position was “How much money will customers wire out on Monday?” This is straightforward banking, which regulators pressed them to do all weekend: a) sum up how much money customers have asked for on Monday, in the hundreds of current pending wire requests b) project a worst case scenario for how that number will evolve, as more customers put in wire requests, before Monday morning.

Here is the time series (taken from above report, pg 40) of those two questions being asked repeatedly in a 48 hour window. Observe how often, a few hours after Signature has made a (new, even-more-worst-than-previous) worst case scenario, the known wire requests have already exceeded that worst case scenario. 

Signature then communicated a new worst case scenario, which felicitously was only as far away from known wire requests as their previous worst case scenario had been, almost as if they were learning nothing from repeatedly being wrong.

This played out multiple times.

Signature believes it understood where it was that weekend. The above picture is almost proof positive that it did not. They also understood their experience of the weekend to be signaling how the worst was over. 

Quoting postmortem again (pg 6):

Over the weekend, Signature’s estimates of pending deposit withdrawals increased, going from $2 billion on Saturday evening to $4 billion Sunday morning, and then to $7.4 billion to $7.9 billion by Sunday evening. These numbers represented known deposit withdrawals. Despite the run on Friday, March 10 and the negative news over the weekend, Signature insisted that additional withdrawals would be minimal on Monday. The Regulators assessed this projection as unrealistic and that the Bank needed to be prepared to handle another significant deposit run. (emphasis added)

Signature believes it could have white knuckled through the hurricane and emerged victorious on Monday. Then it had projections by which it would suddenly, indeed miraculously, have sufficient liquidity on Tuesday, Wednesday, Thursday, and Friday. And then the hard work would start. It would bank the heck out of its remaining customers, start finding buyers for its valuable assets over the ensuing months, and somehow pull this off. Because it was solvent!

Signature had critical liquidity issues, no real path to solving them, and lost the confidence of its regulators, during a bank run which was worsening by the hour. That is a recipe for receivership. No conspiracy is necessary to explain what happened.

The rest of the postmortem is worth reading, too, and deeply wonky in the way that excites banking nerds. Where else can you read a scintillating discussion on what capital call loans are acceptable collateral at the Fed emergency window?

Crypto likes novel crypto-using banking products

In 2022, the FDIC sent out a wave of letters to banks. Prying these letters from the FDIC has been a bit of a project, requiring Coinbase and other interested parties to do quite a bit of arm wrestling. The letters which have been released, grudgingly, are heavily redacted.

A brief commentary on transparency: democratic governance simultaneously requires substantial transparency and also requires the government to be able to have private conversations.

Curtains of secrecy are frequently invoked cynically to cover abuses. For example, you could say “That protest is a foreign influence operation! I cannot disclose my basis for thinking that, for reasons of national security! You should therefore act as my proxy to suppress this protest!” (Uh, spoiler alert, we will return to this later.)

In the culture that is banking supervision, however, privilege will frequently be asserted fairly maximally on routine supervisory communications with banks. This is because they are institutionally wary of causing risk to banks by signaling to the market or depositors that those banks have lost the confidence of regulators. Banking regulators are terrified of “self-fulfilling prophecies.”

You need to be able to have candid conversations with regulated entities for the same reason coworkers need to be able to have candid conversations with each other. Privacy enhances candor, even when those conversations implicate third parties, even when third parties would really love to be a fly on the wall.

And so I think there is a legitimate balancing act to be done here. But I’m sympathetic to crypto advocates who say (paraphrase) “This is backroom maneuvering to do something we don’t like. You won’t even admit the thing you are doing! And, confound you, after you are dragged kicking and screaming to admitting the thing, you’ll probably claim it is good! Like they did after Operation Choke Point!”

Conversely, when the government is capable of publishing extensively researched position papers and extensively footnoted indictments, that should give you more confidence that it is less likely to be engaged in lawless, arbitrary behavior. Not limitless confidence, certainly, but it is evidence in a direction.

Carter surmises that the expurgated supervisory letters are regarding NYDIG’s proposed product which would allow banks and credit unions to offer customers direct Bitcoin exposure. You can analogize this to the feature in Cash App which allows you to buy Bitcoin, without being able to transfer it, except it would happen in your banking app.

I think Carter is very likely (90%+) correct with respect to identifying the subject of these letters. Much of the pack is dated shortly before the FDIC did, indeed, publish public guidance about banks directly offering crypto products. NYDIG was the firm with the most progress against the opportunity (source: general industry knowledge) that otherwise fits with what we can read of the letters.

So: is this a stunning inversion of our democratic norms? No. Banking regulators get to weigh in on proposed banking products. That is the absolute core of the job. That will extremely routinely result in saying something which rounds, like many of the letters do, to “We are going to have a considered think about this and get back to you, but in the meanwhile, please don’t roll this out widely.” (The think was had; the results were published. Many crypto advocates do not like those results, and are asserting procedural irregularities because of that.)

Does this meaningfully prohibit the crypto industry from offering retail users financial services? No. You can buy Bitcoin exposure in Cash App, Venmo, Robinhood, Coinbase, Fidelity, Interactive Brokers, any brokerage account capable of trading U.S. ETFs, and many more places besides. Crypto advocates cheerfully blast out press releases about how many ways are coming online every week to buy their tokens from them at very reasonable prices prior to lunar travel.

Is there a facially plausible reason for attempting to institute a consistent policy among regulated banks, in a way there was not for Operation Choke Point? Again, a core concern for the FDIC is that unsophisticated customers don’t assume that their risk assets get FDIC insurance. Customers naturally assume their bank app gives them FDIC protected things. For those bank apps which include non-FDIC insured products, like insurance offerings or e.g. affiliated brokerage accounts, the disclosures are bespoke and extensive.

Some crypto advocates would prefer to have screen real estate in community banking apps. I bet FanDuel would, too. But them being disappointed is not the claimed threat to democracy.

Some politicians exercised extraprocedural influence

Some readers might remember Libra, Facebook’s attempt at creating a (substantially) worldwide economic network with a token which was variously described as a USD stablecoin or perhaps some sort of currency basket. Libra was a consortium project, with Facebook as the de facto anchor and a number of industry partners. (Stripe, my former employer, was a consortium member at one time. I reiterate the above disclaimer that they do not necessarily endorse things I say in my personal spaces.) 

Libra did not live to see the light of day. Some time later the project was abandoned by Facebook and the technology was sold. It sold to Silvergate, back when Silvergate felt like despite the stupendous growth in the core business, sure, it had managerial attention to devote to M&A, what else would bank management possibly find to fill its time?

David Marcus, who led Libra, recently wrote that Libra was killed by extraprocedural influence aimed at consortium members. He specifically identified Secretary of the Treasury Janet Yallen as directing the Chair of the Federal Reserve Jay Powell to kill the project. He then alleges that, quote:

Shortly thereafter, the Fed organized calls with all the participating banks, and the Fed’s general counsel read a prepared statement to each of them, saying: “We can’t stop you from moving forward and launching, but we are not comfortable with you doing so.” And just like that, it was over.

I have never worked at a bank and so never been a fly on the wall with a conversation with the Fed’s general counsel. I can, however, read. I have read many letters in my life written by serious people in positions of authority. And I once happened to read one which threatened the recipients in a clumsy, unambiguous way.

That letter was sent to all members of the Libra consortium. The letter is mostly about Facebook, rather than Libra. A representative sample:

Facebook is currently struggling to tackle massive issues, such as privacy violations, disinformation, election interference, discrimination, and fraud, and it has not demonstrated an ability to bring those failures under control. You should be concerned that any weaknesses in Facebook’s risk management systems will become weaknesses in your systems that you may not be able to effectively mitigate.

This was written after the Cambridge Analytica affair, when the security state and New York media mutually convinced each other that it is possible to steal a U.S. presidential national election with a copy of the social graph and an advertising budget of approximately $180,000. They seemed quite sure Russia had already shipped a working proof of concept. Of course, after 2020, we know that only enemies of democracy make specious and unevidenced accusations of fraud in U.S. elections. The rules change so quickly in Washington, it sometimes confounds my poor techie mind.

But this letter was written in 2019 and democracy still hung in the balance like an embattled chad (apologies to younger readers: your central association with that word is not the central association of older millennials). And so the authors of that letter, Senators Schatz and Brown (who sits on the Financial Services Committee), observed that the recipients had an excellent business and it would be a shame if something happened to it. And something would certainly happen to it if they went forward with Libra.

I realize this sounds like paranoiac ramblings. Here’s the exact money quote:

If you take this on, you can expect a high level of scrutiny from regulators not only on Libra-related payment activities, but on all payment activities.

It would be grossly improper for me to use non-public information about what a particular payments company understood that to mean. But, in my capacity as your friendly neighborhood financial infrastructure commentator, I predict that a typical financial industry CEO, threatened in that fashion by two senators, would be appropriately alarmed.

Threatening the core business over Libra hits partners with reverse operating leverage, a concept which more people in startups and finance should be aware of. One reason for the Innovator’s Dilemma isn’t within the four corners of the innovation itself, and it isn’t simply that the incumbent firm has gotten fat and happy, and wants to enjoy its margins rather than cannibalize them. It is that the innovation may require taking a risk that, if it blows up, blows up not just the (tiny, at the margins) innovation but the (gigantic) existing business which incubated it.

Google invented transformers, and they are more interesting than anything Google has done since Search, but you use ChatGPT and Claude because no Google exec was willing to blow up Search or AdWords over the geeks’ shiny new toy. It was the largest missed opportunity in the history of capitalism and they did it entirely to themselves, in (relatively tiny) part out of fear of what Washington would say. In the worst scenario of the government relations team, I doubt they conjured up “Oh two U.S. senators will explicitly threaten us with being dismantled brick by brick before this even gets to alpha.”

It is sometimes said that the dictionary definition of chutzpah is murdering your parents and then begging clemency from the judge because you are an orphan. A close runner up: when you threaten consortium members to peel them from the consortium then cite the consortium’s declining membership as a reason to threaten the consortium.

Quoting a Hill staffer, who believes that (in hopefully fair paraphrase) Facebook was simply wildly underprepared for political reality and that there was nothing improper done:

[Libra’s extremely cold reception] could be because it was tied to Facebook or could be the consortium bleeding members (each leave prompted a NYT/WSJ story which every Member of Congress read).

So yeah, that’s what the naked exercise of power looks like. And yeah, it happened. I have no strong view on whether the Fed calls also happened but, uh, that claim sort of rhymes with the letter, doesn’t it.

I will say one positive thing about the Senators writing the letter: they were sufficiently proud of their work that they posted a contemporaneous press release with the full text. Transparency is not dispositive proof of virtue. The extraprocedural threat is right there in the text. But a democracy should naturally prefer transparency, and for political decisions to be made by elected officials, over secret decisions by people who will, even in the event of extraordinary malfeasance, still have a job, a pension, and power after the inquiry.

Andreessen also claimed (to Rogan) that Senator Warren created the Consumer Financial Protection Bureau and that its purview is doing, quote, “Whatever [she] wants.” 

… Yeah, that’s pretty much my read, too.

I agree with some of their substantive positions and disagree with others, but it seems like a cadre of young, ambitious acolytes who understand their founder’s vision and are eager to implement it. I’ve been orbiting Silicon Valley for a long time and know the type of organization. I didn’t realize official Washington also had them. I am insufficiently politically aware to name another agency in Washington which demonstrates such a pronounced founder effect.

The CFPB’s interaction with debanking, however? De minimis. 

The CFPB wrote a position paper against it. I expect people sympathetic to the CFPB to use that position paper as political/PR armor against their opponents, who are banging the drum about the broader debanking issue.

That position paper and $5 will buy you a cup of coffee at Starbucks, because the debanking bits are buried under issues the CFPB actually cares about, like taking a stick to Big Tech companies. Have you ever wondered about the consumer harm caused by… Apple Pay? Then you’ll be happy to know that they’re on the case.

It has been alleged that there were top-level decisions to debank individuals on the basis of their political views. There is overwhelming evidence that this happened systemically at the formal direction of national political authorities… in Canada.

Briefly, 2020 and 2021 saw substantial disruptive political protests. One of them, chiefly targeted at pandemic lockdowns, was conducted by truckers in Canada. It was unusually effective, in part because the so-called Freedom Convoy physically blocked roads in Ottowa, the capital, and at at least one border crossing to the U.S.

Blocking roads is a protesting tactic frequently employed by a variety of (mostly left-wing) activists. It is extremely annoying, arguably ineffective, and sometimes results in punishment. Punishment in a democracy customarily follows the ordinary operation of the judicial process. In the classical case, there is a formal particularized accusation, a trial, and a conviction, and only then, punishment.

Blocking roads sometimes suffers no real sanctions, because annoying and ineffective left-wing protesters still have expressive rights. Sometimes, prosecutors exercise their discretion to favor those rights over the freedom of movement and economic activity implicitly granted to other members of society.

So that was two scenarios for how things normally play out: punishment under the law, or, no punishment. Not this time, though.

Prime Minister Trudeau reacted to this protest as if it were a prompt national emergency and/or state-sponsored terrorism (a claim which was contemporaneously made about it, out of the side of officials’ mouths). He invoked the Emergencies Act, which would have the effect of awarding temporary, extraordinary executive power. The government then directed the immediate freezing of the financial accounts of anyone connected to the protests, at banks and non-bank financial platforms which Canada believed had been used to fund the protest. There were also some ancillary actions, like directing the truckers’ insurance companies to suspend their driving insurance.

Officials in Canada claimed that they were selectively targeting the ring leaders or organizers of the protest narrowly, and were not attempting to consequence people for protected political speech. These claims were lies.

The orders were, in fact, not narrowly drafted.

The assistant deputy finance minister admitted to an inquiry that the government had contemporaneous knowledge that it named accountholders who were not present at the protests, and ignored this to prioritize speed of implementation. She further said, and this is a quote, “The intent was not to get at the families”, and when a democratic government starts a sentence that way something deeply #*&$#ed up has happened. Canada believes more than 200 accounts were frozen, and that is an interesting selectivity for “ringleaders” or “organizers” of a protest. (By my count, Canada itself has only a few hundred ringleaders.)

This is almost certainly an undercount, and if one does not understand the mechanism, one is not competent to work in or regulate the financial industry.

Pop quiz to see you whether you were paying attention in Compliance training: Abel transfers Bob $25, ostensibly for charitable or political purposes. Bob is specifically identified to you by the government as a terrorist later that week, his charitable fundraising apparatus is specifically called out as a concern, and you are directed to move with the utmost urgency to interdict all financial activities of Bob in any form whatsoever. Abel is not mentioned to you by name. And thus the question: this a) should have no impact on your relationship with Abel, b) should have an immediate, profound impact on your relationship with Abel, or c) I don’t know.

The government’s answer whether individuals not named by the government specifically were impacted was (paraphrasing) “I don’t know.” I don’t know whether any donors were impacted. I certainly wouldn’t expect anyone to have understood our intent to be applying the text of the order to the sender of a $25 donation. I don’t know if anyone did.

I don’t know if shooting someone will injure them or not. One might miss. I do know that my estimate of them being severely injured that day moves substantially up relative to similarly situated individuals one did not shoot. That is, presumably, why one chose to shoot them.

The invocation of a national emergency was pretextural. In the parliamentary inquiry, the deputy minister of finance said that the protests were a, this is a quote, “first-tier issue” because they… threatened U.S./Canadian negotiations on subsidies for electric vehicles.

And so when people say that targeted debanking can be used, even in a democracy, for arbitrary and capricious punishment of disfavored individuals on the political speech, laundered through the banking system, with no substantial procedural recourse, I agree with those people that that is a risk.

We just watched it happen.

Some people claim politically-motivated debanking is not merely a risk but is, in fact, the ordinary practice of the United States.

It is not.

Some people claim it is the ordinary practice within the United States to debank political conservatives, to cause them to be unable to purchase food, to interdict their child support payments (as happened in Canada).

This does not happen as a matter of routine in the United States. Some people passionately believe that unarmed black men are routinely murdered by police officers. That is untrue, no matter how passionately it is believed, no matter how central that narrative is to a political project, no matter whether one supports the broader aims of that political project. That is not to say that it has never happened.

Michael Jordan once had a great line, explaining his political neutrality: “Republicans buy sneakers.” Imagine, for just one moment, what it would look like to live in a nation where Republicans actually were at constant and material risk of being debanked for their political views.

Republicans would, notoriously, only buy their sneakers in cash. Fundraising dinners would customarily have large burlap sacks next to the swanky tablecloths. You yourself, because you have at least one conservative friend, would have had an awkward conversation at some point where you suggested splitting a dinner with Venmo or tried to swap investing tips, and then realized this was a faux paus, because as everyone knows, conservatives are routinely denied access to the financial system.

This is not the world you live in. You would only need to trust your own eyes and common sense to comfortably exclude it.

There exist occasional abuses by individuals at private actors which are politically motivated. There exist some private actors who have made policy decisions, sometimes accidentally and sometimes because they have corporate (or influential-subgroup-within-the-corporation) preferences, which structurally disadvantage certain relatively narrow segments of the political spectrum.

In a world where that much more limited claim is happening, one will be able to assemble some data points to tell a story about the much larger claim. It’s important to understand what the actual true story is, because we should want to invest our collective efforts in avoiding abuses, and that requires one to know how they actually happen.

Andreessen said the following to Joe Rogan:

“Here’s a great thing. Under current banking, regardless, regulations, after all the reforms of the last 20 years, there's now a category called a Politically Exposed Person (PEP). And if you were a PEP, you are required by financial regulators to kick them off, to kick them out of your bank. You're not allowed to have…”

Rogan interjected:

“What if you're politically on the left?”

Andreessen answered:

“Well, that's fine. No, because they're not politically exposed.”

I have some challenges in life. One of those is that sometimes I am unable to tell if someone is making a claim about the reality we live in, or if they’re bullshitting with a bro. This has, over the years, caused me much embarrassment. You obviously do not want to intrude on a bullshitting session and say “That isn’t true!”, because truth is not the point of a bullshitting session. And you don’t want to say “And once a monkey flew out of my butt!” if someone is trying to describe reality. They will not laugh, and you will be sad.

So I recuse myself from the above conversation, that I have no usable bead on, and will take this opportunity to lecture the Internet about PEPs.

Politically Exposed Person (PEP) is a term of art in Compliance, arising from Bank Secrecy Act (BSA) reporting requirements. It means a national-level senior official, most typically in U.S. usage, one attached to a foreign government. Quote: “The Agencies do not interpret the term ‘politically exposed persons’ to include U.S. public officials.” (Like many financial regulations, the U.S. has intentionally caused its concern with PEPs to metastasize to aligned countries. In some of those countries, financial institutions are obliged to treat from-their-perspective-domestic senior political officials/etc as PEPs.)

PEP status also attaches to the close family members and close associates of a PEP. Who is a “close associate”? Write down your understanding of that, run it by your regulator, and then comport your affairs consistently with your written understanding. Lots of banking regulation works like this: plodding, iterative development of internal policies, with occasional spot checks on performance under those policies, including as part of scheduled bank examinations.

PEPs are believed to present elevated money laundering risk. Some of them control national resources directly, and others may be at risk of e.g. bribery.

There is not an official regulator-blessed list of which positions are presumptive proof of PEPiness. This is one of those things that banks need to write down in their procedures then run past their regulator, who will either say “Sounds good! Definitely EDD those PEPs!”, or “I dunno. I know it’s a schlep but you’ll want to grep more PEPs.”

A typical list will include e.g. president, head of state, members of the national legislature, cabinet officials, supreme judiciary body judges, head of the central bank, cabinet-equivalent ministers, etc etc.

You can absolutely bank PEPs, just like you can bank high-risk businesses. You need to EDD them. Certain banks, largely ginormous money center banks with global operations, put in the specialized work to do this. This is because (with absolutely no insinuation of impropriety here!) private banking, and their banking activities on behalf of e.g. governments and multinational corporations, benefit from paying attentive service to rich and powerful people so that they talk you up to their rich and powerful friends.

Now, an individual private banker might be tempted to give more than attentive service. Regulators frown on that, hence PEP status and PEP screening tools.

What is a PEP screening tool? I’m glad you asked. Many people will open accounts with you every day. You can, if your policies and regulator allow it, ask all of them “Pardon me sir/madam: are you the president of a foreign nation? Answer quickly because I’ve got about 15 more of these.” But the vast majority of new customers will think you are very stupid.

You can’t not know, though. Very plausibly, you don’t trust a 22 year old drawn at random from your employee base to have comprehensive knowledge of the spouses of the current membership of the Sąd Najwyższy.

Since software is eating the world, you can buy a product from any of a number of firms that will ask software these questions. You run an identity by it, and it says “Elected to the upper house of the Japanese Diet in 2022; likely a PEP” or “Unlikely to be a PEP.”

This will allow you to decrease customer and employee friction in many of your product lines, while having a responsive answer to your bank examiner when they ask about your PEP program. The other parts of your PEP program will be dreadfully boring. You will write a procedure which says that e.g. that if news reporting or facts available the bank cause it to understand an existing customer to be newly a PEP (or uncover previously missed PEPness), this will trigger a review of their account relationship, which you would duly document. Then, you would add them to your EDD process for PEPs.

EDD for PEPs is (bottom line here) going to require someone to write a quarterly memo saying “Uneventful quarter. The $1.2 million incoming wire was sale of private residence. We commissioned an appraisal (attached) and, based on comps, seems reasonable. Account holder’s title to property confirmed via title search (attached); it substantially predates most recent election. No other items of note.” 

And that’s all you need to know about PEPs.

PEPs are extremely uncommon in the world relative to all people/firms. My one professional encounter with the concept when a particular bank claimed a European mayor of a small city was a PEP, on basis of being a politician, and would require EDD to onboard. I protested on behalf of the user. Compliance got annoyed at me for PEPsplaining them.

Earlier we mentioned that the combination of a monoculture plus a plainly stated or implied policy directive can cause ambitious or ingratiating individuals to take action in the absence of any order to do so. This is very much a risk.

And if you care about debanking, you should care about this mechanism a lot more than you care about PEP minutiae.

Permit me a brief detour from banking to the Internet companies that run so much of our modern world.

It is fairly well understood by people that closely follow the tech industry that Trust and Safety teams were for years a locus of micropolitical action, some of it originating with uninvolved users on Twitter, and some of it originating within the house.

Trust and Safety is a platform function which will always be with us, even if the teams involved are rebranded in the future. A platform without it will routinely expose users to child pornography and videos of people being beheaded by terrorists. Some people commit evil and depraved acts and they want the world to know. Internet platforms understand there are legal consequences if they have no Trust and Safety function. Internet platforms are built by people who have strong moral intuitions. Internet platforms are businesses, and they understand that they will not stay in business if they allow their gardens to be choked by weeds.

The prevailing political culture of Trust and Safety teams was, well… look, let me level with you. Get a group of twentysomething San Franciscans with college degrees together. Now, filter out all the ones who can get a high-paying engineering job or would be reasonably fundable. Now, select of the remainder those who would want to stay, for several years, in a position where they are in charge of being a hall monitor on every human utterance which travels over electrons.

I think fairminded individuals of many political persuasions will understand that the population who gets through these filters uses the spelling “freeze peach” instead of “free speech” at a much higher base rate than the American population does.

Individuals in Trust and Safety, and sometimes Trust and Safety as a system, at various times in various places, may have engaged in some shenanigans. That isn’t a load-bearing claim for the below extension of this argument to debanking, but it happens to be true, and I’d be remiss if I didn’t say it.

Senior management at AppAmaGooFaceSoft doesn’t really keep a close eye on low-paid operational employees making decisions unless they cause substantial PR or government relations backlash. Trust and Safety is staffed (mostly) by low-paid operational employees, and frequently most of the operational work is outsourced, because there are some aspects to the job which are soul-crushing. And so Trust and Safety was not exactly under a constant microscope. Senior executives had businesses to run, and were happy that they never saw beheading videos.

Trust and Safety would happily “deplatform” people whose politics they disliked for fairly benign reasons, while zealously defending people whose politics they liked.

This is an iterated game, and people realized you could just ask Trust and Safety to deplatform someone. Product teams built some flows to expedite this. You could “brigade” those automated tools (e.g. act in concert with friends to mass report a social media post), or make a fuss on Twitter (and wait for a company to perceive brand risk), or just ask an individual Trust and Safety person at a party.

And thus, shenanigans.

This was substantially exacerbated once government actors realized they could make Trust and Safety feel really special by having them have monthly meetings with Certifiably Important People. Does senior management not appreciate your important work? A pity. We at the FBI, at the CDC, at the White House certainly do. We want to have an ongoing dialogue about your important work and how it contributes to the national interest.

Eventually, at and around these meetings, those attendees began to ask Trust and Safety “Will no one rid me of this turbulent priest?” And then after having done that for a while, we slouched into a situation where there was an official at the White House who understood his job to be being the Illegal Orders Czar. He badgered Facebook, Twitter, and similar on a post-by-post basis and also zealously advocated at the platform-wide policy level. I’ve never met him but I bet he thinks he is a good person and very good at his job.

We had a number of officials, in various government departments, who believed they could enact policy preferences more effectively by working through catspaws than by the ordinary operation of the government. But it is a singular fact that one of them was in the White House. He once invoked direct personal interest, from POTUS, explicitly, in writing, to jawbone Youtube to up its censorship game. Citation (pg 19).

These communications were frequently in the style of moral suasion. We're all on the same team here, and we just want to make sure we're on the same page. This was very frequently true and not all of those overlaps in preferences would seem shocking to people who passionately believe in the U.S. Constitution.

On those occasions where platform policy didn't appear to be on the same page with the preferences of government actors, the velvet glove came off. Explicit threats were made, in writing. They were made in the context of a larger explicitly communicated campaign to put Big Tech under a microscope and break it up if it got out of line.

Andreessen, who is on the board of Facebook, has discussed the perception and mechanisms of the shenanigan era and then the attempts-at-explicit-compulsion era. I refer interested readers to his words in other places, because I really do want to get back to banking regulation.

I only know what I read in court documents, hear on the grapevine, and very occasionally see with my own two eyes. What I know is sufficient to agree with Justice Alito: “If the lower courts’ assessment of the voluminous record is correct, this is one of the most important free speech cases to reach [the Supreme Court] in years.”

The weaponization of Trust and Safety by the “misinformation” industrial/academic/NGO complex and partners in government is a scandal. Tech was… complicit? I think that is a fair characterization. We were complicit for a few years. We have since found our spine, and expressed some amount of regret for decisions made contemporaneously with the demands.

One notable specific example of this change: Mark Zuckerberg, in a letter to Congress: “I believe that the government pressure was wrong, and I regret we weren’t more outspoken about it. I also think that we made some choices that, with the benefit of hindsight and new information, we wouldn’t make today.”

What do Trust and Safety decisions on e.g. misinformation or hate have to do with debanking? Regrettably, more than one would think.

Compliance is also a monoculture. Good news: Compliance across the banking industry and related companies is substantially more politically diverse than Trust and Safety was in San Francisco. Compliance decisions are also much more commercially meaningful, directly, than Trust and Safety decisions are. Compliance has to sacrifice a paying customer; Trust and Safety just needs to sacrifice advertising inventory. It's hard to recruit customers but ginning up more advertising inventory is fairly straightforward. You can do it simply by making different product decisions about ad load, for example.

Bad news: Compliance is designed to be a monoculture. First among all things, if you work in Compliance, you must be good at being an ingratiating rule-follower. I do not mean the word “ingratiating” as a criticism. I mean it as a description of an affect. You must perform compliance to work in Compliance. If you do not, if you have a rebellious streak, if you throw elbows in meetings with your regulator, you will be replaced by someone who is not incompetent at the job they were hired to do.

Compliance staff, particularly at senior levels (where they are deciding policy instead of merely clicking on alerts), are central members of the American professional-managerial class. And the culture that is the American PMC has some quirks.

The American PMC is periodically seized by… maniac moral fascination. Andreessen has previously called this phenomenon the Current Thing. Scholarly literature has sometimes used the phrase “moral panics”, but those are usually described as sweeping through general society. I prefer Andreessen’s formulation to capture the distinctive way the PMC—his class, my class, and (very probably, since you voluntarily read several thousand words about banking regulation) your class—performs itself.

If one is worried about extraordinary debanking, worry less about formal guidance, and worry more about the Current Thing. Because Compliance doesn’t need to get an email from a regulator or read a position paper to get the Current Thing. The Current Thing was in the New York Times this morning. The Current Thing is all over Twitter. The Current Thing is in the air we breathe. Who could possibly be so oblivious as to not understand the Current Thing? Certainly not a competent professional in a bank or fintech Compliance department.

Our model for conspiracies frequently supposes some central actor. The Current Thing has no central actor. When it is no longer the Current Thing, when sanity reasserts itself, we will look for evidence that it was the CIA or the Russians or the Soros network or the Kochs or misinformation or any of the thousand excuses we have used to protest our innocence. We will break out scanning tunneling microscopes to go over the audit logs.

And we will discover that, at worst, there was a trivial halfhearted attempt to bootstrap coordination, but it cannot possibly explain the firestorm, which kicked off faster and had more lockstep alignment than we could accomplish on our best day with the utmost of our capabilities.

My goodness, can you imagine what our companies would achieve, can you imagine how effective at its aims the government would be, can you imagine how much money would be made, if we could simply declare a Current Thing at will.

There exist past Current Things.

The United States had a rough few years with destructive political protests at which people sometimes died. And the Current Thing demanded you make very fine distinctions indeed between destructive political protests at which people sometimes died.

For example: sometimes exuberant political speech on issues of obvious national import devolves into destructive political protests at which people sometimes died. Can you fund protesters’ legal expenses, or advocate for them? What if you are, say, a national-level U.S. politician? What is the exact decisioning flowchart here?

Now some people might think: “Would Compliance debank you over that? Of course not. That is mainstream political speech; we don’t debank people for mainstream political speech. And of a national-level U.S. politician no less?! Goodness, can you imagine the headline risk? Can you imagine the government relations risk!?”

And other people might think: “A U.S. politician is carrying water for political violence!? That is a shocking violation of norms, and must be opposed by all right-thinking people! Granted, we will certainly eat headline risk for this, because we are in a deeply divided nation, but we should swiftly withdraw all financial services! And technical services and social media services and if they get their underwear laundered by a service turn that one off too!”

These two models have very different ex ante prediction of the behavior of corporations.

Which produces the right output? Neither. It turns out that behavior is very context-dependent.

Sometimes you’re uncontroversially allowed to fundraise for people who got arrested at a riot. Sometimes, while it might make people uncomfortable, you will be allowed back into polite society if you staff or fund the storming of a Capitol building. Sometimes, after destructive political protests at which people (including cops) died, tech companies donate money to the organizers, because the political project seems to be of ongoing importance, and clearly nobody intends for there to be deaths at a political protest.

But sometimes, after destructive political protests at which people died, the Current Thing breaks the other way. Sometimes, this causes the great and the good, and also Compliance officers, to immediately throw all levers in their power.

The Current Thing requires no top-down direction. The White House doesn’t need to call. A senator’s letter will arrive days too late to matter.

Some people passionately believe the Current Thing from four years ago. But it seems like the consensus on it, and it was an automatic consensus in many places professionally relevant, is shifting under our feet.

What is the consensus in Washington right now? I’m pretty good at reading tea leaves in Japanese but have limited ability to decode Washingtonese. My present model for the new consensus: “It’s a shame when people die, of course, and political protests should probably not be destructive, of course, but the political leadership of the U.S. is acceptable in polite society, of course, and it would be irresponsible to support a coup, of course, because all Presidents of the U.S. have been legitimately elected, of course, and because there has never been an attempted coup in the United States, of course, and if anyone ever said anything different well sometimes political speech gets feisty, of course.”

The Current Thing does not always favor the political left. “Russian sympathizers have taken over the highest levels of the U.S. government! We need to...!” seems to have sharply different political valence depending on exactly what tone of voice you say it in.

The Current Thing is not always even conveniently describable by the left/right axis, though sometimes it gets drafted. At no point prior to it becoming a Current Thing did anyone anywhere on the U.S. political spectrum care about drinking straws. I think ostentatiously using a plastic drinking straw might be a right-aligned signifer now in some circles. Ponder that statement. Ostentatiously. Using. A. Plastic. Drinking. Straw.

Sometimes, the alignment of the parties pivots on a dime while a new Current Thing is developing. Understanding that that happens is one of the most important contributions the Current Thing concept offers.

One of the few blessings of middle age is that one has lived through many Current Things. If one is reflective about it, even if one has fairly strong and fairly stable convictions, even if one remembers on occasion enthusiastically supporting the position that happens to be the one that is one’s party’s line on an individual Current Thing, one has distinct, vivid memories. One remembers what everyone around you once believed about a thing, and they believed it with passionate intensity, and now they believe literally the opposite thing, with equally passionate intensity. And they seem to not remember and they don’t seem to be insane. You can easily have a conversation about any work-relevant issue which isn’t the Current Thing. Your counterparties demonstrate object permanence in those other conversations.

I will leave debating individual examples to people who write about politics for a living or follow it for the vicarious thrill some people get from team sports.

I don’t know what to do with the Current Thing observation, generally. I just want to get back to writing about wire transfer compliance. But if the next Current Thing happens to arrive, and it is… squirrels, then there exists the risk that Compliance will develop an intense interest in squirrels. And fifteen years from that day, Compliance will still take the time, once a year or so, to review the necessity of updates to the squirrel interdiction policy.

Some people reading this are very, sincerely concerned with debanking.

Permit me to give you tactical advice to advance your values: put as many calories as possible into designing countermeasures to the Current Thing causing swift, arbitrary action against (primarily) existing accounts by Compliance. You probably won’t abolish Compliance departments as an institution. You probably won’t convince banks to bear the stupendous losses they’d get if they had to open accounts for substantially all comers. Bury Compliance in paperwork and delays for closing an account. You can tell your friends (or enemies) “Well, it’s as serious as evicting someone, so it should be as rigorously documented as evicting someone is in a reasonable city. Like, say, Chicago or New York.”

If you do this, there will be tradeoffs. You will see them most directly in unwillingness to bank marginal prospects for accounts, and indirectly in measurements of unbanked/underbanked in populations you care about. But this will, very effectively, cut down specifically on disruption caused to people and companies by the offboarding letter.

Now plausibly you might say there is a free lunch: just be morally righteous and have a backbone. And I agree, in a limited sense. Some virtues are free lunches. We want more of them.

But those virtues are empirically insufficient to guarantee behavior. Tomorrow’s Current Thing is very, very powerful, and it might even be aligned with your inclinations. And look back at history: the voluminous history of humanity, the recent history of one’s nation or industry, or even one’s personal Twitter archives. Look how many times righteous people with substantial backbone heard about the Current Thing and said “... Nah, not the hill I want to die on.”

Sometimes rich, powerful people just tweet things. (I can relate; I just tweet things all the time.)

But sometimes there is an agenda. “You’ve got an agenda!” is sometimes used as a cynical attack in politics. Democratic governance necessarily requires at least some people to have agendas.

Agendas are frequently published, much more frequently than they are secretly swapped in back rooms. Telling people what you want is a necessary step in getting what you want. Talking about the agenda is really useful for coordinating support for the agenda.

Crypto, like any industry, has people with a diversity of views in it. But one can’t losslessly describe the world without being the world, and some lossy models are still useful. 

I have taken the liberty of writing a compressed version of what crypto wants, for the benefit of readers who might not geek out on this stuff. If you’d prefer hearing it from them directly, out of concern I’m being unfair, see this thread. Alternatively, you can read the writings of the advocates already namechecked, or spend a few days digesting the policy papers of their lobbyists.

Crypto wants all banks to be directed to bank “all legal businesses”, by which they mean crypto companies and crypto founders. They will want an end to banks having discretion in onboarding clients to “vanilla” deposit products, first. They will claim they want this pretty much across the board; their exception will be e.g. Hamas. You get a corporate checking account, you get a corporate checking account, everybody gets a corporate checking account.

Having achieved this for low-risk vanilla products, they will want sharply less resistance for e.g. high velocity facilitation of funds flows by financial services firms, as long as those financial services firms say the usual things about playing ball, even if those financial services firms are crypto native. Their most immediate concern is exchanges, but they also want less resistance to novel products and use cases.

Crypto wants their bank back. They don’t care what the name on the door is, but they want a bank which can do instantaneous book transfers and will accept basically all comers. Not Hamas, no, but if you would not onboard an entity controlled by CZ, Justin Sun, or someone understood to be Tether’s new best friend, you do not understand the assignment.

They want it to ask the minimum number of questions required to continue servicing high volumes compliantly in the United States, primarily. Their secondary priority will be serving as wide a footprint as can be reached without endangering the business within the United States. The U.S. is where the money is and they know this.

Crypto, nominally, would be happy with changes to U.S. financial plumbing that allowed you to stitch a SEN-equivalent product out of other banks. But they think they’ll probably need a bank, and they think that bank will probably not be their bank if they are just a quickly growing startup business within a ginormous bank. No, they want a bank with 100%-or-as-close-as-makes-no-difference crypto deposit concentration, which will cater assiduously to their needs, and which will fight the good fight if they ever need it to.

Crypto will compromise on (read: sacrifice the chance of directly doing business with firms or individuals from) Russia, without notable complaint. When the conversation turns to China… well, you know, a lot of financial innovation was forced to flee to… many countries in East Asia, including some of our truest friends, under the previous regime. It would be a shame if you sacrificed American competitiveness and national security by not inviting those dollars back to where we can see them.

Crypto will be very in favor of U.S. national interests vis China, and some crypto investors have any number of proposals on how NatSecTech will help close the technical capabilities gap on e.g. manufacturing drone components. They have a number of portfolio companies to introduce you to, Washington, and plan to have more shortly.

If you are a regulator and don’t want crypto to have a bank, they want you to be promoted to private citizen as early as possible. And they want to make it very, very, very clear to junior staff that the same awaits them if they get out of line.

If you engage crypto in Washington and present as clueful, perhaps by saying “Aren't most of the fruits of the innovation you just described as having departed the U.S. due to the previous administration actually custodied in New York right now? At Cantor Fitzgerald, right?”, crypto will say “Yes, I am glad you brought that up. Stablecoins are one of the world’s largest users of U.S. Treasuries. We have a position paper about this. It is critically important to maintain the U.S.’s lead in stablecoins. You should prefer them be custodied within the United States. We think we have workable solutions for doing them within the regulated perimeter.”

And what about the elephant in the room? "Is that a Republican joke?!"

Crypto wants full unreserved repudiation of all guidance that suggests cryptocurrencies are high-risk. Pause letters, position papers, informal guidance, supervisory questions, they want it all swept clean with a broom. They don’t care all that much about what banking regulators do after that, but if you want a suggestion, it should be asking banks about their crypto strategy, listening attentively, then exercising moral suasion if they don’t have one. If banks identify barriers to adoption of blockchain technology, advocates want regulators to react to that like the emergency it is.

Crypto wants banks to be able to custody cryptoassets. There is a highly technical accounting standard that you probably don’t care about, which governs how much capital a bank needs to back assets it custodies. A bank needs $1 in equity capital to custody $1 in digital assets. This makes running a crypto custody business within the banking perimeter a non-starter.

Crypto already has crypto custody products available, but they are at places like e.g. Coinbase and not e.g. State Street. Crypto wants a custody business within the banking perimeter, because they perceive this as necessary to ease institutional adoption. They want parity with traditional risk assets (like equities), minimally. If they get that they’ll pivot to asking for a thumb on the scale. Crypto is not wrong that capital requirements place a thumb on the scale for some politically preferred assets (e.g. MBS).

Crypto wants to rewrite the formal history of the 2023 banking crisis. There are several supervisory reports which lay out a narrative, some linked above. You will replace and repudiate those reports. The new ones will claim that the failure of the banks was proximately caused by explicitly directed political action by the prior administration. You will aver that this and similar supervisory actions are against the policy of the United States. You will look the camera in the eye and, very sternly, say that banks acting contrary to this instruction will feel the full weight of the federal government arrayed against them.

Crypto doesn’t really care about what you say about SVB or First Republic.

Crypto wants Fed master accounts for state-chartered crypto-native financial services companies. Simple enough. They want them with the automaticity that a community bank gets them. We show our charter and ask; you issue.

Crypto wants the SEC to provide a repeatable, predictable path for selling tokens to ordinary Americans as early in the issuer’s lifecycle as reasonably feasible. The existing registration and exemption regime that non-crypto startups are under is, pointedly, one cross crypto/tech investors are extremely familiar with. They do not want parity with that regime.

They want to be able to sell tokens to retail, because retail is where the money is.

They are actually pretty sincere that as long as you give them carte blanche to sell to retail, they will follow the procedures you outline to unlock that. $1 million in compliance cost for an unrestricted offering is fine, and will cut down on headline risk by chasing away some of the 2017-era-ICO nonsense. Venture firms will be happy to underwrite the ante.

After you give them this, crypto will industrialize and blitzscale efforts to market crypto investment opportunities as investment opportunities to all Americans who currently invest in any capacity whatsoever and many who do not. They know (to a mortal certainty) they can sell tens of billions of dollars of these products if allowed to. That would be a failure, because crypto has required so much infra investment to get to the present day. Crypto's ambitions are much higher. They do not think trillions of dollars are out of reach. Trillions would be a success.

Crypto is starting to get just smidge impatient about when they get their trillions. Some crypto investors are on a shot clock, because they have made promises to capital partners. For many of them, Bitcoin at $100,000 is amazingly good news but not by itself a victory condition. They need that path to a trillion dollars of token sales.

Crypto wants permissive guidance about novel crypto-adjacent banking products. Banks should be able to issue crypto-backed loans at parity to public equity-backed loans, for minimally the majors (BTC/ETH). Stablecoins should get treatment similar to a CD- or moneymarket-backed loan. (These are all very niche products, yes, but what is finance if not people who are very creative at imagining circumstances where you'd want very niche products.)

Everything else banks offer? We want it, too, on equal footing.

Crypto wants some institutional examples made. They want at least one regulator canceled-without-replacement and they want the world to understand that crypto did it. They don’t expect it to be the Fed (not realistic) or the FDIC (indispensable infrastructure; keeps retail happy). The CFPB though? They’d take the CFPB.

And now you know why we’re having a sudden conversation about debanking.

Programming note: Bits about Money has been a bit irregular recently.

I’ve recently booted up the Complex Systems podcast. It is now up to more than a dozen episodes, including interviewing my dad on real estate development (which is something of a BAM deep (curb) cut). The podcast features Bryne Hobart and other guests you’d probably enjoy on a weekly basis. Since I am more of a writer and very plausibly you are more of a reader, being here and all, note that I include fully edited transcripts (with inline commentary) on all episodes.

I also took my hand at bespoke engineering work wildly outside my expertise with a complex capital stack, and the managerial attention required has been significant. Or: we bought a house and it needs work.

I hope to get on a more appropriate cadence soon, and beg your forbearance (and also understanding that when Factorio: Space Age drops I am unlikely to get much writing accomplished for a week or two). 

Fiction is underrated as a means for concretely impacting the real world and learning about it.

The Social Network is substantially made up, more a source for vibes rather than a source for facts. Even the vibes fail to cohere with reality. And yet it convinced many proto-founders to put in YC applications. This matches the previous experience of Michael Lewis (who purports that Liar’s Poker was basically factual, but meant as a cautionary tale), who launched many careers in finance.

And sometimes fiction doesn’t just give you vibes; it gives you models. The Phoenix Project is actually assigned at some infrastructure companies, because the narrative makes the pedagogy about project management go down more easily. (Often compared with The Goal, which does similar for manufacturing.)

In that spirit, I have a few highly opinionated choices for works of financial fiction that more people should read.

I’ve avoided listing some very worthy books which mention finance. The Iron Bank is balderdash with a nonsensical business model (if you’re bad at credit analysis and rely on winning wars to make up for it, you are not a bank, you are a private military contractor), and while Thorin’s Company does temporarily collapse over a contractual dispute caused by insufficiently clear demarcation of rights between share classes, that is a tiny detail.

The Big Short (book and film) — Written before Michael Lewis started his career in financial-inspired fiction, the Big Short is a dramatization of a gang of outsiders (and insiders who are presented as outsiders for narrative convenience, a theme Lewis will return to frequently, not always with self-awareness) who correctly predict the mechanism and course of the global financial crisis. The work is basically accurate (though it could stand to talk a lot more about repo funding, which is the bit about the crisis that non-specialists are most likely to miss). Congressional testimony, industry analysts, and dinner conversations with people who were in the room all mostly align with it.

For people who have limited facility with mortgage finance, the Jenga scene in the movie is a much better primary on collateralized debt obligations than most formal primers on them. And it matches the actual pitch deck Deutsche Bank used for the proposed trade, which is one of the best tours de force of financial writing ever seen, made even better by the reader’s knowledge that the authors of it end up being absolutely right. (Much of the best writing in the world sits eternally below the waterline; the only reason you perceive this tip of the iceberg is because it was evidence in the Congressional investigation.)

Both book and film also spend time on a crucial insight: it is not enough to merely be right and contrarian, not if you want to make money. You also need an instrument to encode your bet, a source of capital, and substantial operational chops. This includes counterparty risk management, which is particularly important when you’re predicting the end of the world as we know it.

Margin Call (film) — Margin Call is a fictionalized extrapolation of what it was like to be on the inside of could-have-been-anyone, absolutely-not-Goldman-Sachs investment bank during the later stages of the financial crisis. Although it covers much of the same procedural ground as the Big Short, it is not a particularly good way to learn about the mechanisms.

What it is stellar at—almost unmatched in fiction—is depicting archetypes that are both dramatically compelling and reasonably true to those working at various levels in the industry.

The two most important scenes in the film are both meetings, and the film respects its audience a lot more than Big Short does; at no point does anyone need to get into a bubble bath to hold your attention. Those scenes have an entire subgenre on YouTube of commentators explaining the subtext, about which characters are (with a very-well-calibrated spectrum of convincingness) disclaiming knowledge about things they actually certainly knew, about the power dynamics between executives near the heights of capitalism, and similar.

If you take one thing away from Margin Call, take the character of Carmelo. He has one line in the movie, delivered after the CEO requests a particular task after a well-compensated executive has reported it impossible: “It is done.” Some commentators believe the point is that Carmelo is a ruthless, willing-to-use-violence henchman waiting in the wings of an investment bank. These commentators do not understand the point of Carmelo being in this meeting, and fail to understand why Carmelo achieves success in the film. He is a dramatic convenience embodying agency and willingness to work outside the normal process in abnormal times. Carmelo is not any particular person, but many organizations have Carmelos, and probably more should.

The Dragon’s Banker (book) —  sometimes, a title has you at hello, and then goes on to underpredict the actual work. That’s the Dragon’s Banker in a nutshell. How could one possibly spoil this? It has dragons. They need banking. Their banker banks the heck out of them. It turns out that banking dragons is difficult due to their diverse needs and demanding expectations of their bankers. Nothing in the book would surprise a private banker.

But most of us aren’t private bank bankers, and the book is one step ahead of even a very genre-savvy reader. I caught myself saying “Hah, brilliant idea, but of course the dragon is going to fail KYC and AML screening” about a page before the banker unspools his plan for defeating (somewhat anachronistically advanced levels of) KYC and AML screening.

It’s not a bad plan, given the setting. Also, somewhat self-indulgently, no character in fiction has ever more caused me to feel more represented than the banker did around the “I love my job.” line. (Though, if I were actually in the text, I would certainly not take his approach with respect to pricing services. If you’re not comfortable charging market rates for financial services to rich clients, private banking is a bad field to be in. No client incapable of burning you to cinders is worth talking to!)

The Dagger and the Coin (book series) — let the name of capitalism never be besmirched with allegations that it has only a single dragon/banking crossover. This is a worthy entry in the genre. It suffers a bit from extensive plot not about banking and characters who barely speak to dragons. But all of that irrelevant fluff makes it one of the most underrated fantasy series I’ve ever read. (It has the best twist in fantasy, which almost recharacterizes the work as understated cosmic horror.)

More relevantly, we get a fairly extensive look at a not-quite-Medici-but-it-rhymes merchant bank. Unlike the Iron Bank, this one has a plausible business model and clientele, focused primarily on distributing risk among merchants for sea voyages and on capital development for land-based productive enterprises. Merchant banking is heavily under-understood by people interested in finance, but is critical to the history of it (and still practiced, in derivative forms, in the present day).  

Bonus entry: Shylock’s Children (Japanese film) — The subtitled version exists and is licensable—I watched it in in-flight entertainment once—but it was a relatively minor release in Japan and may not be conveniently findable on streaming services. This is a pity, and if you can find it, it is very worth your time.

The plot centers on fraudulent shenanigans at a Tokyo bank branch. One imagines the pitch meeting: “Another police procedural, maybe?” “Overdone, but perhaps the world really needs some salaryman-on-salaryman hardcore banking action. I want gritty realism like a crisp fold on the inkantourokushoumeisho (document attesting to the registration of a personal or corporate seal with the responsible local government agency) to compare the specimen with the presented version of a company’s stamp to verify authenticity.”

“Not too much realism, though, for it to work there will need to be a nation’s worth of fraud happening at this one branch. But we’ll populate it with characters so true-to-life that salarymen will think we had a spy camera in their offices, set design that will give them flashbacks, and a really moving meditation on moral culpability and the difficulty of choosing righteousness after being tempted into compromising one’s principles. It will complement texts on the fraud snowball, like Lying for Money, very well. And of course we’ll use Shakespeare as framing device for this narrative, because these characters would of course attend a Shakespeare production in Tokyo, which our audience doesn’t have to be told is a very normal thing to have happen.”

If you have the opportunity, it’s sublime.

See you next time, and do check out Complex Systems if you haven't already. It is in your podcast-delivery-vehicle of choice or at the website.

Programming note: I recently launched a weekly podcast, Complex Systems with Patrick McKenzie. About 50% of the conversations cover Bits about Money's beat. The remainder will be on other interesting intersections of technology, incentives, culture, and organizational design. The first three episodes covered teaching trading, Byrne Hobart on the epistemology of financial firms, and the tech industry vs. tech reporting divide. Subscribe to it anywhere you listen to podcasts. If you enjoy it, writing a review (in your podcast app or to me via email) helps quite a bit.

On July 19th, a firm most people have sensibly never heard of knocked out a large portion of the routine operations at many institutions worldwide. This hit the banking sector particularly hard. It has been publicly reported that several of the largest U.S. banks were affected by the outage. I understand one of them to have idled tellers and bankers nationwide for the duration. (You’ll forgive me for not naming them, as it would cost me some points.) The issue affected institutions across the size spectrum, including large regionals and community banks.

You might sensibly ask why that happened and, for that matter, how it was possible it would happen.

You might be curious about how to quickly reconstitute the financial system from less legible sources of credit when it is down. (Which: probably less important as a takeaway, but it is quite colorful.)

Something like 20% of the readership of this column has an engineering degree. To you folks, I apologize in advance for the following handwaviness. (You may be better served by the Preliminary Post Incident Review.)

Many operating systems have a distinction between the “kernel” supplied by the operating system manufacturer and all other software running on the computer system. For historical reasons, that area where almost everything executes is called “userspace.”

In modern software design, programs running in userspace (i.e. almost all programs) are relatively limited in what they can do. Programs running in kernelspace, on the other hand, get direct access to the hardware under the operating system. Certain bugs in kernel programming are very, very bad news for everything running on the computer.

CrowdStrike Falcon is endpoint monitoring software. In brief, “endpoint monitoring” is a service sold to enterprises which have tens or hundreds of thousands of devices (“endpoints”). Those devices are illegible to the organization that owns them due to sheer scale; no single person nor group of people understand what is happening on them. This means there are highly variable levels of how-totally-effed those devices might be at exactly this moment in time. The pitch for endpoint monitoring is that it gives your teams the ability to make those systems legible again while also benefitting from economies of scale, with you getting a continuously updated feed of threats to scan for from your provider.

One way an endpoint might be effed is if it was physically stolen from your working-from-home employee earlier this week. Another way is if it has recently joined a botnet orchestrated from a geopolitical adversary of the United States after one of your junior programmers decided to install warez because the six figure annual salary was too little to fund their video game habit. (No, I am not reading your incident reports, I clarify for every security team in the industry.)

In theory, you perform ongoing monitoring of all of your computers. Then, your crack security team responds to alerts generated by your endpoint monitoring solution. This will sometimes merit further investigation and sometimes call for immediate remedial work. The conversations range from “Did you really just install cracked Starcraft 2 on your work PC? … Please don’t do that.” to “The novel virus reported this morning compromised 32 computers in the wealth management office. Containment was achieved by 2:05 PM ET, by which point we had null routed every packet coming out of that subnet then physically disconnected power to the router just to be sure. We have engaged incident response to see what if any data was exfiltrated in the 47 minutes between detection and null routing. At this point we have no indications of compromise outside that subnet but we cannot rule out a threat actor using the virus as a beachhead or advanced persistent threats being deployed.”

(Yes, that does sound like a Tom Clancy novel. No, that is not a parody.)

Falcon shipped a configuration bug. In brief, this means that rather than writing new software (which, in modern development practice, hopefully goes through fairly extensive testing and release procedures), CrowdStrike sent a bit of data to systems with Falcon installed. That data was intended to simply update the set of conditions that Falcon scanned for. However, due to an error at CrowdStrike, it actually caused existing already-reviewed Falcon software to fail catastrophically.

Since that failure happened in kernelspace at a particularly vulnerable time, this resulted in Windows systems experiencing total failure beginning at boot. The user-visible symptom is sometimes called the Blue Screen of Death.

Configuration bugs are a disturbingly large portion of engineering decisions which cause outages. (Citation: let’s go with “general knowledge as an informed industry observer.” As always, while I’ve previously worked at Stripe, neither Stripe nor its security team necessarily endorses things I say in my personal spaces.)

However, because this configuration bug hit very widely distributed software running in kernelspace almost universally across machines used by the workforce of lynchpin institutions throughout society (most relevantly to this column, banks, but also airlines, etc etc), it had a blast radius much, much larger than typical configuration bugs.

Have I mentioned that IT security really likes military metaphors? “Blast radius” means “given a fault or failure in system X, how far afield from X will we see negative user impact.” I struggle to recall a bug with a broader direct blast radius than the Falcon misconfiguration.

Once the misconfiguration was rolled out, fixing it was complicated by the tiny issue that a lot of the people needed to fix it couldn’t access their work systems because their machine Blue Screen of Death’ed.

Why? Well, we put the vulnerable software on essentially all machines in a particular institution. You want to protect all the devices. That is the point of endpoint monitoring. It is literally someone’s job to figure out where the devices that aren’t endpoint monitored exist and then to bring them into compliance.

Why do we care about optimizing for endpoint monitoring coverage? Partly it is for genuinely good security reasons. But a major part of it is that small-c compliance is necessary for large-C Compliance. Your regulator will effectively demand that you do it.

Falcon runs in kernelspace versus userspace in part because the most straightforward way to poke its nose in other programs’ business is to simply ignore the security guarantees that operating systems give to programs running in userspace. Poking your nose in another program’s memory is generally considered somewhere between rude and forbidden-by-very-substantial-engineering-work. However, endpoint monitoring software considers that other software running on the device may be there at the direction of the adversary. It therefore considers that software’s comfort level with its intrusion to be a distant secondary consideration.

Another reason Falcon ran in kernelspace was, as Microsoft told the WSJ, Microsoft was forbidden by an understanding with the European Commission from firmly demoting other security software developers down to userspace. This was because Microsoft both a) wrote security software and b) necessarily always had the option of writing it in kernelspace, because Microsoft controls Windows. The European Commission has pushed back against this characterization and pointed out that This Sentence Uses Cookies To Enable Essential Essay Functionality.

It would be an overstatement to say that the United States federal government commanded U.S. financial institutions to install CrowdStrike Falcon and thereby embed a landmine into the kernels of all their employees’ computers. Anyone saying that has no idea how banking regulation works.

Life is much more subtle than that.

The United States has many, many different banking regulators. Those regulators have some desires for their banks which rhyme heavily, and so they have banded into a club to share resources. This lets them spend their limited brainsweat budgets on things banking regulators have more individualized opinions on than simple, common banking regulatory infrastructure.

One such club is the Federal Financial Institutions Examination Council. They wrote the greatest crossover event of all time if your interests are a) mandatory supervisory evaluations of financial institutions and b) IT risk management: the FFIEC Information Technology Examination Handbook's Information Security Booklet.

The modal consumer of this document is probably not a Linux kernel programmer with a highly developed mental model of kernelspace versus userspace. That would be an unreasonable expectation for a banking supervisor. They work for a banking regulator, not a software company, doing important supervisory work, not merely implementation. Later this week they might be working on capital adequacy ratios, but for right now, they’re asking your IT team about endpoint monitoring.

The FFEITC ITEH ISB (the acronym just rolls off the tongue) is not super prescriptive about exactly what controls you, a financial institution, have to have. This is common in many regulatory environments. HIPAA, to use a contrasting example, is unusual in that it describes a control environment that you can reduce to a checklist with Required or Optional next to each of them. (HIPAA spells that second category “Addressable”, for reasons outside the scope of this essay, but which I’ll mention because I don’t want to offend other former HIPAA Compliance Officers.)

To facilitate your institution’s conversation with the examiner who drew the short straw, you will conduct a risk analysis. Well, more likely, you’ll pay a consulting firm to conduct a risk analysis. In the production function that is scaled consultancies, this means that a junior employee will open U.S. Financial Institution IT Security Risk Analysis v3-edited-final-final.docx and add important client-specific context like a) their name and b) their logo.

That document will heavily reference the ITEH, because it exists to quickly shut down the line of questioning from the examiner. If you desire a career in this field, you will phrase that as “guiding the conversation towards areas of maximum mutual interest in the cause of 'advanc[ing] the nation’s monetary, financial, and payment systems to build a stronger economy for all Americans.'” (The internal quotation is lifted from a job description at the Federal Reserve.)

Your consultants are going to, when they conduct the mandatory risk analysis, give you a shopping list. Endpoint monitoring is one item on that shopping list. Why? Ask your consultant and they’ll bill you for the answer, but you can get my opinion for free and it is worth twice what you paid for it: II.C.12 Malware Mitigation.

Does the FFEITC have a hugely prescriptive view of what you should be doing for malware monitoring? Well, no:

Management should implement defense-in-depth to protect, detect, and respond to malware. The institution can use many tools to block malware before it enters the environment and to detect it and respond if it is not blocked. Methods or systems that management should consider include the following: [12 bullet points which vary in specificity from whitelisting allowed programs to port monitoring to user education].

But your consultants will tell you that you want a very responsive answer to II.C.12 in this report and that, since you probably do not have Google’s ability to fill floors of people doing industry-leading security research, you should just buy something which says Yeah We Do That.

CrowdStrike’s sales reps will happily tell you Yeah We Do That. This web page exists as a result of a deterministic process co-owned by the Marketing and Sales departments at a B2B software company to create industry-specific “sales enablement” collateral. As a matter of fact, if you want to give CrowdStrike your email address and job title, they will even send you a document which is not titled Exact Wording To Put In Your Risk Assessment Including Which Five Objectives And Seventeen Controls Purchasing This Product Will Solve For.

CrowdStrike is not, strictly speaking, the only vendor that you could have installed on every computer you owned to make your regulators happy with you. But, due to vagaries of how enterprise software sales teams work, they sewed up an awful lot of government-adjacent industries. This was in part because they aggressively pursued writing the sort of documents you need if the people who read your project plans have national security briefs.

I’m not mocking the Federal Financial Institutions Examining Council for cosplaying as having a national security brief. (Goodness knows that that happens a lot in cybersecurity... and government generally. New York City likes to pretend it has an intelligence service, which is absolutely not a patronage program designed to have taxpayers fund indefinite foreign vacations with minimal actual job duties.)

But money is core societal infrastructure, like the power grid and transportation systems are. It would be really bad if hackers working for a foreign government could just turn off money. That would be more damaging than a conventional missile being fired at random into New York City, and we might be more constrained in responding.

And so, we ended up in a situation where we invited an advanced persistent threat into kernelspace.

It is perhaps important to point out that security professionals understand security tools to themselves introduce security vulnerabilities. Partly, the worry is that a monoculture could have a particular weakness that could be exploited in a particular way. Partly, it is that security tools (and security personnel!) frequently have more privileges than is typical, and therefore they can be directly compromised by the adversary. This observation is fractal in systems engineering: at every level of abstraction, if your control plane gets compromised, you lose. (Control plane has a specific meaning in networking but for this purpose just round it to “operating system (metaphorical) that controls your operating systems (literal).”)

CrowdStrike maintains that they do not understand it to be the case that a bad actor intentionally tried to bring down global financial infrastructure and airlines by using them as a weapon. No, CrowdStrike did that themselves, on accident, of their own volition. But this demonstrates the problem pretty clearly: if a junior employee tripping over a power cord at your company brings down computers worldwide, the bad guys have a variety of options for achieving directionally similar aims by attacking directionally similar power cords.

I found out about the CrowdStrike vulnerability in the usual fashion: Twitter. But then my friendly local bank branch cited it (as quote the Microsoft systems issue endquote) when I was attempting to withdraw cash from the teller window.

My family purchased a duplex recently and is doing renovation prior to moving in. For complex social reasons, a thorough recitation of which would make me persona non grata across the political spectrum, engaging a sufficient number of contractors in Chicago will result in one being asked to make frequent, sizable payments in cash.

This created a minor emergency for me, because it was an other-than-minor emergency for some contractors I was working with.

Many contractors are small businesses. Many small businesses are very thinly capitalized. Many employees of small businesses are extremely dependent on receiving compensation exactly on payday and not after it. And so, while many people in Chicago were basically unaffected on that Friday because their money kept working (on mobile apps, via Venmo/Cash App, via credit cards, etc), cash-dependent people got an enormous wrench thrown into their plans.

I personally tried withdrawing cash at three financial institutions in different weight classes, as was told it was absolutely impossible (in size) at all of them, owing to the Falcon issue.

At one, I was told that I couldn’t use the tellers but could use the ATM. Unfortunately, like many customers, I was attempting to take out more cash from the ATM than I ever had before. Fortunately, their system that flags potentially fraudulent behavior will let a customer unflag themselves by responding to an instant communication from the bank. Unfortunately, the subdomain that communication directs them to runs on a server apparently protected by CrowdStrike Falcon.

It was not impossible at all financial institutions. I am aware of a few around Chicago which ran out of physical cash on hand at some branches, because all demand for cash on a Friday was serviced by them versus by “all of the financial institutions.” (As always happens during widespread disturbances in infrastructure, there quickly arises a shadow economy of information trading which redirects relatively sophisticated people to the places that are capable of servicing them. This happens through offline social networks since time immemorial and online social networks since we invented those. The first is probably more impactful but the second is more legible, so banking regulators pretend this class of issues sprang fully formed from the tech industry just in time to bring down banks last year.)

I have some knowledge of the history of comprehensive failures of financial infrastructure, and so I considered doing the traditional thing when convertibility of deposits is suspended by industry-wide issues: head to the bar.

A hopefully unnecessary disclaimer: the following is historical fact despite rhyming with stereotype.

Back in 1970, there was a widespread and sustained (six months!) strike in the Irish banking sector. Workers were unable to cash paychecks because tellers refused to work. So, as an accommodation for customers, operators of pubs would cash the checks from the till, trusting that eventually checks drawn on the accounts of local employers would be good funds again. 

Some publicans even cashed personal checks, backed by the swift and terrible justice of the credit reporting bureau We Control Whether You Can Ever Enjoy A Pint With Your Friends Again. This kept physical notes circulating in the economy.

As I told my contractors, to their confusion, I was unable to simply go down to the local bar to get them cash with the banks down. I don’t have sufficient credit with the operator of the local bar, as I don’t drink.

I told them, to their even greater confusion, that I had considered going down to the parish and buying all their cash on hand with a personal check. Churches, much like bars, have much of their weekly income come through electronic payments but still do a substantial amount of cash management through the workweek heading into the weekend. I’m much more a known quantity at church than I am at the friendly neighborhood watering hole. (Also, when attempting to workaround financial infrastructure bugs to get workers their wages, consider relying on counterparties with common knowledge of James 5:4.)

I eventually resolved the issue in a more boring fashion: I texted someone I reasonably assumed to have cash and asked them to bring it over.

Financial infrastructure normally functions to abstract away personal ties and replace favor-swapping with legibly-priced broadly-offered services.

Thankfully, while this outage was surprisingly deep and broad, banks were mostly back to normal on the following Monday.

My family recently bought a duplex in Chicago, after years of living in Japan. This exposed me to Relatable Banking Influencer Content. One facet of it is the largest bill you’ll ever get from the insurance industry for the most inscrutable reason, which I thought would be interesting to cover.

Every time you transact in property, you will notice a variety of ticky-tack transactional frictions added to a (hopefully) itemized list. The largest, by a substantial margin, are agent commissions, which have come under substantial scrutiny for their set-by-a-disciplined-cartel character.

Next up on the list is a bundle of services around “title.”

The rest is a mix of government fee passthroughs and Obvious Nonsense, such as a $125 “water processing fee,” $55 for a wire transfer where that number is just made up, etc. But if I were to go through each of the 16 line items summing up to $1,400, we’d be here all day.

So, let’s talk about the title industry.

Ownership is a bundle of property rights, which exclude others from using a thing, and which are hopefully (for the owner) enforceable by the legal system in the case where the larger societal system fails to agree on reality. That is the very orthodox, first-year law school answer, at any rate.

Title in real property is the aggregate of rights, commitments, and contracts which make up an ownership claim. And here it gets into gloriously wonky real estate operational trivia about the difference between an easement versus an encroachment, the justiciability of restrictive covenants written by societies far less enlightened than the present, and similar. But in common usage, you can round title to “who owns this address and how do we know?”

You might reasonably think that you know about title because you can look it up in a database, probably maintained by the government. Here you run into a fascinating historical detail.

Most people assume ownership is recorded in some sort of government database, in the same sense that your bank balance is recorded in some sort of bank database. If you assume this, you’re right… for many places in the world.

For example, if you wonder who owns a particular tiny sliver of Tokyo, you can hire a judicial scrivener to go ask the government, and in a fairly deterministic fashion they will bring you a piece of paper saying that the Legal Affairs Bureau’s records show one Patrick McKenzie as very definitely owning it. That piece of paper suffices as proof of title for almost all purposes in Japan. Courts, lenders, and the ward office will all treat it as one step below holy writ.

The United States, perhaps surprisingly, is not operationally capable of producing that piece of paper. There is no government body in the United States which will confidently say that, as of this instant, Patrick owns this property to the exclusion of all others. Serious professionals who work in or adjacent to the real estate industry understand this incapacity of the United States and organize their lives around it.

As a broad sketch of varied practice over the 50 states, the relevant government body (here, the Cook County Recorder of Deeds) does not record ownership but rather records certain private transactions. Current ownership is not an independent fact; current ownership is the sum of all compounding transactions since time not-quite-immemorial. (Cryptocurrency enthusiasts might see a parallel: blockchains typically don’t record balances. Software operating on top of the blockchain probabilistically estimates balances by being aware of all transactions that happened since genesis.)

At some point in the very near future, it will be a matter of the public record that I bought a property from a particular seller, and that a bank filed a lien against that property due to me taking out a mortgage.

Users of the database will infer that, since the last few entries in the database were that seller buying the property from someone else, recording a mortgage, and extinguishing that same mortgage on full payment, and there are no other recent entries, that I very probably own the property.

There is an important difference between “very probably owns” and “certainly owns.”

I lied. I don’t actually own any property in Chicago. My wife and I are beneficiaries of a land trust. The land trust actually owns the property. It is contractually obligated to allow us to live there, receive all rents and other benefits which derive from ownership, and pay us when the trust decides to sell the property, which it will eventually do. The trustee cannot independently decide to sell the property; it must, under law and contract, faithfully execute our directives.

“That sure sounds like ownership, Patrick.” Oh yeah, it’s designed to be equivalent to ownership in every way except basically one.

While there are other reasons to use them, the dominant use case for land trusts is mild privacy preservation. Because maintaining records regarding real estate implicates the public trust, in much of the United States, those records are public records. When this required actually schlepping down to the county clerk’s office to review yellowing papers or microfiche, the fact of the records being public was an interesting bit of operational minutiae for practitioners but had very little impact on owners.

But we have computer systems these days maintaining the records, and also vast secondary ecosystems of data brokers who ingest public records at scale and collate them with other information about people, searchable by other identifiers. As a consequence of this, in Chicago (and many other American cities), if you know a homeowner’s name (or address, or phone number, or…) you can have the full text of their mortgage, address, purchase price, monthly payment, etc etc, with 30 seconds of effort. No login or reason is required.

Many people react quite negatively when they learn this. If you are currently reacting negatively, I express no judgment.

This strikes me as similar to many questions about privacy rights. The range of human preferences is wider than anticipated. Framing influences perception quite a bit (“Anyone on Twitter can figure out your children’s exact walk to school” sounds different than “Your property tax payment is a public record” despite being the same physical database entry). Our laws have (as a descriptive not normative statement) not been updated in the wake of technological progress.

And so, I pay a very boring company $300 a year for a two-page contract that makes them our trustee. They have that contract in a filing cabinet. It is (assuming competent execution, always a risky assumption in the real estate industry) not cross-referenced in any databases. You can get them to show it to you, but you’ll need a court order, and fighting that court order is basically their reason for existing.

Many people, when they learn about land trusts, immediately assume that something extremely hinky is going on. Not so much; this is an extremely common way for savvy people to own property. It is in no way a loophole. The same polity which told its elected representatives that it wants property records to be public also told its elected representatives that it wants to exempt the rich, powerful, and savvy from that requirement. (That is a commentary on the American political system, certainly.)

Anyhow, should you want to avail yourself of this the next time you buy property, just tell your real estate attorney “What’s the privacy option in this state? Land trust or something?” They do this all the time. Or you can choose to have your full-text mortgage publicly available and automatically imported into hundreds of data sets. Whichever you prefer.

(As long as I’m adding I-grew-up-discussing-real-estate-quirks-at-the-dinner-table-sorry-not-sorry notes, another use case for land trusts is that judgments against individuals are more difficult to enforce against property held by a trust. LLCs are also commonly spun up to act as legal firewalls for that reason. Ask your friendly neighborhood real estate lawyer; this is common knowledge in that community of practice. Like most complex systems underlying how the world works, it is very understandable by mortal minds, and people who tell you otherwise are lying to you.)

Perhaps the digression about land trusts has helped convince you that, if someone tells you they own a property and want to sell it to you, that claim might be more difficult to verify than you’d naively expect. It is also a claim that can sometimes be falsified well after a transaction.

Suppose a person lives in a community property state. One day, in the throes of passion, they swear their undying love and devotion in front of a justice of the peace, perhaps in a commercial establishment in a jurisdiction well-known in popular fiction for facilitating other-than-considered vows of this nature. That passion wanes along with the alcohol, and everyone involved just tries to forget this incident. A year later, they purchase a property, using their own money and a mortgage. And then, in the future, they sell their property, without asking for permission from their spouse, because socially speaking they are not married.

Does the new buyer actually own the property? No, they do not, because that property has been fraudulently transferred to them, against the interests of the spouse with a 50% claim to it by law. Does a person purchasing it from them actually own the property? Again, no, they do not.

You might sensibly object that no database reasonably available to these innocent buyers recorded the fact of the out-of-state marriage. The law does not care, and remediation at this point will be extensive and expensive.

(If it sounds implausible that marriages are not trivially searchable: the marriage is equally legally valid if conducted overseas. For example, when an American marries a Japanese person in Japan, the right U.S. government agency to register that fact with is no one at all. My wife and I joke about our unlicensed marriage, but it is absolutely valid in the U.S., and rights under it are enforceable by U.S. courts, because of the principle of comity. Comity doesn’t care that your SQL query returned zero records.)

“Undiscovered marriage torpedoes a real estate deal after-the-fact” sounds far-fetched, I know, I know. Every real estate lawyer has variants of this story in particular and another few dozen with similar effect. Partially they’re deployed tactically to drum up additional work for real estate lawyers. And partly they’re only slightly fictionalized versions of real cases where the full details are recorded for posterity by court reporters. (In the category of particularly historically well-attested-to title disputes, a particular family lost their home three times due to title defects. The family was forced to migrate as a result of these disasters. The young son, perhaps scarred by them, later went on to practice law here in Illinois. He is better known for other work.)

So we have a system for remediating title defects.

Our first procedural countermeasure is that one hires a professional to diligently conduct “title searches.” And, indeed, someone is certainly going to bill you for doing this work, and for a non-obvious risk transfer incident to doing that work.

But simply querying the database harder will not, and cannot, shake out all title problems. (Back in the days of yellowing paper and microfiche, knowing how hard your title searcher searched was actually consequential. Now that a twelve-year-old can do a physically equivalent search, the competence distribution is… slightly narrower than it used to be.)

For all those edge cases that no amount of searching can derisk, there exists title insurance. It is a specialized insurance policy which says that, if there is an undiscovered defect in title, the insurance company will pay for the expensive and painful remediation, up to (and inclusive of) simply refunding the entire purchase price of the property to the insured buyer/lender. It is critical to understand that title insurance is effectively mandatory since almost all purchases are financed. Lenders will require a policy be purchased, and they are themselves similarly obligated to require this, due to the supply chain for mortgage financing.

Title insurance has been called an expensive racket. A wag might say that this is grossly unfair. To rackets.

Why? Well, it comes down to how title insurance is priced, sold, and purchased.

To understand that, three magic insurance words you should know: frequency, severity, loss ratio. Frequency is the rate of occurrence of claims. Severity is the cost of claims contingent on claims happening. Loss ratio is the total amount of paid-out claims divided by collected premiums.

Title insurance has extraordinarily low frequency for insurance products. However, when it does pay, the severity can be very high. Title insurance defenders will tell you that the reason title insurance is expensive is because the insurance company is promising to literally buy you a house in event of a problem.

Title insurance defenders are dissimulating, though, because the actual loss ratio on title insurance policies is laughably low. This number is exhaustively tracked by insurance regulators, and floats around the 5% region. And so, of the $4,000 or so that I paid in title insurance, the underwriter expects to pay out $200 in losses.

A high loss ratio means an insurance policy is inexpensive relative to the actual risks it insures; a low loss ratio means the opposite. Title policies are among the most expensive insurance policies issued for any risk whatsoever.

Now you might ask “What is a typical insurance loss ratio?” These are not unknowable numbers; they’re some of the most accurate figures captured by capitalism, with a combination of financial institutions and government regulators obsessed over quarter-to-quarter variations in them. Let me quote a couple of representative examples: fire, 65%. Workers’ comp, 48%. Medical profession liability, 56%. Auto liability, 76%. Homeowner, 82%. Even travel insurance, which is legendarily a poor option for customers (for reasons), pays substantially more out in claims than title insurance does.

So why does this policy cost 10-20X as much as other comparable insurance risks?

We mentioned that title insurance is bound fairly tightly with conducting a title search. In theory, one needs to chain that title search backwards for a few hundred years, at which point there will be an entry that sounds something like “ceded by the king of Spain to the United States” or “acquired by right of conquest.” (These are absolutely real facts that appear in title records. If you want to pay six figures, you can get a degree in philosophizing that all property is based on a theft, late-stage capitalism, etc etc. Few people who work in title insurance have that sort of degree.)

In practice, most title searches are strictly limited. My transaction obligated the searcher to do backbreaking labor and laboriously read twenty four months of transactions (i.e., two transactions) which would take a non-specialist thirty seconds to find using an online publicly available portal. They were not required to read several dozen transactions going back to the digitization of records (which gets you to almost when I was born) or to try to reconstruct what happened to Chicago title records in 1871.

For diligently reading two search results, the searcher was paid $260. ... Or were they?

Yes, according to an invoice. Not really, according to the title industry. But yes again, in reality.

The reason that the title industry says the $260 is not actually earned solely for reading two records is that there is a complex contractual risk transfer happening incident to the search and determining insurability of the title. They, acting as the agent of the insurance underwriter (this would be called a “carrier” in most insurance industries but in title “underwriter” is used to mean “the insurance company” and not “a specific professional at the insurance company”), represent and warranty that they’re making commercially reasonable efforts to avoid “on-record” title flaws (i.e., failing to read those search results accurately).

The title insurance industry expects there to be three main categories of claims.

One, vanishingly unlikely (as a percent of claims) but extremely evocative, is a “historical defect,” where the king of Spain (or, in Illinois, far more likely an Indian tribe or the federal government) has a justiciable concern about the original transfer of land to private ownership.

The far more likely type of claim is “off-record” flaws, where someone has ownership but that isn’t reflected in the searched records. The above ownership-by-undiscovered-marriage scenarios are examples of off-record claims. There is an infinite universe of fact patterns that can result in them, though; this is substantially why title insurance exists.

Then there are “on-record” flaws, where… somebody goofed, and nobody caught it before the transaction closed. There is a clear indication in the search results that the seller lacks legal right to sell the property. Maybe the mortgage isn’t paid and arrangements haven’t been made. Maybe they haven’t gotten a lien released. Maybe they are in the midst of an unresolved divorce. Maybe there is a charming historical anomaly on the deed. (Some anomalies are of a variety that are presumptively void in present-day America.)

In the case of an on-record flaw, where the searcher (who is also usually the agent of the title insurance company) “dun goofed,” in theory the title insurance company can put the claim back on their agent. In theory, that would result in “the system” paying a claim without that claim showing up in the loss ratio. In theory, this means that title insurance isn’t as expensive as it looks.

In practice, this basically never happens. But it’s a nice theory on why title agents deserve to get paid 80-85% of the insurance premium. (These are the standard numbers in Illinois. In some states, it goes as high as 95%. This is, I rush to add, done in the clear light of day. It is definitely not a kickback. A kickback requires someone involved to feel shame.)

Since “basically never happens” is a claim about reality that can be measured with numbers, I’ll observe that title insurance agents themselves carry insurance policies. One important genre is errors and omissions insurance, which can cover them if e.g. they goof and actually have to reimburse a purchaser/lender without the title insurance company covering it. Those policies themselves have a price, and that price encodes the information “we’re talking basis points on basis points of risk here.”

So why do title insurance agents actually get paid so richly, directly driving up the cost of title insurance?

In theory, there is a vibrant, functioning market in title insurance, with thousands of agents ultimately backed by dozens of carriers in Illinois. Price should float down to the minimum amount of loss ratio plus administrative costs plus profit required to sustain a vibrant insurance industry.

In practice, nobody shops for title insurance. I write articles like this as my actual literal job and I didn’t shop for title insurance. I used the insurance company nominated by the seller’s lawyer.

Unsurprisingly, the seller’s lawyer nominated the insurance company that she is an agent of. This was disclosed, in an entirely aboveboard fashion, on one of dozens of documents of paper sent back and forth during the buying process.

You are welcome to your estimate of whether anyone saw fit to explain that document as anything other than “sign this to continue.”

The seller’s attorney earned $625 for legal services in connection with the transaction. 80% of $4,000 in title insurance is $3,200. I think you can make a reasonable estimate as to how important that attorney understands having a ~100% attach rate of title insurance to real estate closings is.

Like all industries, real estate is a very small world, particularly since it is conducted hyperlocally. I have many, many dinner table discussions from my father (in commercial real estate in Chicago for most of his career) about this. My attorney, who I found independent of any other party to the transaction, had interacted with the seller’s attorney on numerous occasions. They mutually collaborated to take a straightforward transaction to a speedy and efficient close.

You are welcome to your estimate of how many times my attorney called attention to the title insurance fee, that the number was set by an act of the seller’s attorney, or that this fee could be shopped.

A really good mental model to carry around for analyzing the finance industry is one-shot versus iterated games. Real estate attorneys model (residential, owner-occupied) closings as effectively one-shot with respect to the client but iterated with respect to the other attorney. If one were conspiratorially-minded, one could say unkind words like "conflict of interest" at this point, but this sort of equilibrium doesn't require anyone to act invidiously. The other attorney is a peer running their business in a socially accepted fashion and very likely quite similarly to how you run your own business. You will see them again both professionally and socially. Why make trouble over nothing.

One reason I personally, despite being fairly financially sophisticated, did not shop the quote was that I was unsure the juice would be worth the squeeze. It’s pretty clearly possible to insure this transaction for 1/10th the price; that pricing prevails in other U.S. markets. It was not obvious to me it would actually be offered by anyone serving Chicago. (You can read a lot on this topic in the book The American Title Insurance Industry: How a Cartel Fleeces the American Consumer. I’ll give you one guess as to the thesis of the work.)

You, dear reader, are highly likely to transact property many times over the course of your life. There is a specific line item on your disclosure that almost all participants will skip over. You might make the decision to shop around on that item, and in doing so potentially save a few thousand dollars for an hour of work. (Bits about Money is supported by members, some of whom just got excellent ROI.)

On a societal level… title insurance adds up, fairly quickly. The typical American purchaser will reside in a house for 7 years, and get repeatedly cheesed in this fashion.

We could simply decide, as a policy priority, to not structure the industry this way. However, this is a classic political economy problem, with diffuse costs and concentrated benefit. The real estate industry is extremely politically powerful. It is nationally distributed, extremely well-resourced, and staffed by vocal pillars of the community. Those advocates are everywhere and talk to likely voters because it is their job to do so and are extremely well-liked. The same lawyer who quietly cheeses buyers on title insurance will, in about half of their client interactions, write a client a very obvious, very salient, very memorable check for multiple years of the client’s salary.

The title insurance industry extracts a relatively small rake, hidden in the minutiae of a complex transaction that most legislators and regulators don’t truly understand. There is a strong, organized constituency in favor of that rake existing. That constituency is not shadowy forces in smoky backrooms. They are pillars of your community. They are your friends and neighbors.

And they, independently and through their lobby, know how to present this business to the American polity. The industry provides a valuable service, and charges money for it, unabashedly. The price is set by a vibrant, competitive marketplace. Historical infelicities like kickbacks have mostly been replaced by market mechanisms, like controlled business arrangements, which are fully disclosed to the consumer. Of course consumers read and understand disclosures. The state even released model disclosure language which the industry adopted almost universally.

Do I think this equilibrium is likely to change? I would not bet on it over short timeframes. But, if anyone out ever wants to take a serious run at disrupting this industry, I’ll happily write you a check.

Many beginnings imply a contemporaneous ending. This is often bittersweet. Some personal news implies a tearful goodbye to soon-to-be-former coworkers. A new adventure of scholasticism and self-discovery means saying goodbye to your high-school friends. And a new brokerage account often implies leaving a years- (or decades-!) long relationship with a firm that stuck with you, feels a bit like a jilted lover, and by the way happens to constructively control most of your net worth.

This particular beginning and ending is mediated by a complex techno-legal system called ACATS: the Automated Customer Assets Transfer System. ACATS is quite impressive, underpins a very important part of the financial system, and some of the quirks of how it operates will probably surprise you.

The title of this issue is a play on an AI-generated song. Infohazard warning about which I am being absolutely serious: you probably have the experience of a song being an “earworm” that you cannot get out of your head. This song is not simply an earworm. It is auditory superstimulus, like the Dorito, carefully designed to taste like nothing in nature. Unlike the Dorito, which someone is guilty of, this song either has no author or has all the authors. I think if you say the words “my cat” to me when I am on my deathbed I will immediately hum three notes. With that very important caveat out of the way, if you want to be mimetically infected as the price of getting this reference, take a listen at Sono here.

Brokerages are regulated by FINRA. FINRA stands for many things, though these days FINRA might deny that it is an acronym. In previous years, though, it was definitely the Financial Industry Regulatory Authority. One reason FINRA is not an acronym, to the extent it is not an acronym, is that an unsophisticated investor might hear that and assume “Ah yes, FINRA is clearly part of the government” and FINRA will immediately swear up, down, and sideways they are not. They are just a financial regulator overseeing trillions of dollars.

Self-regulatory organizations (SROs) are industry associations. There are many industry associations in the world.

Some pool money to pay for a-rising-tide-lifts-all-bovines advertising. Some exist to get peers together for merriment, diversion, and some conspiracy against the public. (This is a joking reference to a famous passage from Adam Smith. On a completely unrelated note, please feel free to introduce yourself if you see me at a software conference. I’ll be doing a talk about raising prices.)

SROs are the type of industry associations that partially exist as a blocking play. If we don’t get our house in order, Dangerous Professionals from the government are going to barge into our house to order it for us. That will be disruptive to providing valuable services to customers at a price they are willing to pay.

Discount brokerages are large, trustworthy, competent institutions. But there are some brokerages which are not. There are wirehouses attached to large investment banks like e.g. JP Morgan (large, trustworthy, and competent, but not a discount brokerage), there is Robinhood (a large discount brokerage), but by far the most numerous are small boutiques which keep on keeping on.

Some of those boutiques have been known to be a bit grasping when assets under management attempt to walk out the door. They would refuse to let their customer leave. When told this was extremely improper, they whined and said it was really difficult to facilitate their customer leaving, and wouldn’t the customer prefer staying, and Cindy who can actually take care of this will be back in the office the first Tuesday after the waxing moon.

And so FINRA listened to its members (brokerages), customers, advocates, and counterparts in government, and passed a rule. Cindy can go on vacation any time she wants, but it is the brokerage and not Cindy who is responsible for outcomes, and only one outcome is acceptable: if a customer wants to move their assets out, you must let them.

The full rule is necessarily more complicated than that gloss of the intent of the rule. It’s not unknowable inside baseball; see FINRA Rule 11870. It is somewhat somnambulance inducing:

When a customer whose securities account is carried by a member (the "carrying member") wishes to transfer securities account assets, in whole or in specifically designated part, to another member (the "receiving member") and gives authorized instructions to the receiving member, both members must expedite and coordinate activities with respect to the transfer..

But, by the standards of many regulations, it is short and actionable.

Rule 11870 doesn’t itself establish a technical artifact but exists in tandem with one: ACATS.

What is a share of stock, really? An abstracted right to ownership of a corporation? A legal contract promising the same? Some complex sociopolitical edifice where judges who are not yet born will of course automatically award surplus returns of an enterprise to an equity holder even when told not to by a nuclear-armed government? A share is all of these things.

But also, in a really important way, a share is an entry in a spreadsheet.

Whose spreadsheet? Everyones’ spreadsheets. Stock that you own, and you really do own it, exists as the superposition of several spreadsheets. Your spreadsheets, for example. Those matter. Spreadsheets (or databases, or blockchains, or… actually no probably not blockchains even cryptoenthusiast technologists don’t believe that will happen anymore) at your brokerage. And then, in a fascinating wrinkle that Matt Levine has covered many times, a spreadsheet at the Depository Trust Company, which keeps almost all the stocks and simultaneously has very probably never heard of you.

So when you move stock between brokerages, nobody needs to print out a stock certificate and courier it across Chicago, New York, or the Pacific Ocean anymore. Thank goodness. (I have no stories, but I have friends who have stories, and the Die Hard steal-the-bearer-bonds plot didn’t come from nowhere.) You just have to coordinate updating the spreadsheets. How hard could that possibly be.

ACATS is a system with technical and legal elements to it. It greatly decreases the number of moving parts required to coordinate updating spreadsheets. The pre-ACATS era meant needing to interface directly with the thousands of other brokerages in the United States. You had to care deeply about the operational differences at their firms. Sometimes your Ops and their Ops didn’t use the same version of Excel. It was anarchy. ACATS puts very diverse firms between a relatively consistent experience, while simultaneously codifying operations and reducing various forms of risk to the process. This is a very common way to create value in financial technology.

A customer selects a new brokerage and tells that brokerage they intend to move in assets. That brokerage, which very much wants to get those assets onto their own books (and spreadsheets, etc etc, as a necessary consequence), will assist them in operating ACATS on their behalf. The customer will very likely never care about nor understand a complex operational symphony happening in the background.

The brokerage will likely kick off a few processes which don’t necessarily happen in Internet time and aren’t strictly coupled but might feel like they are to the customer. They will ask the customer to create a new account, which (extremely relevantly) will require the brokerage running their KYC process on the customer. They will very likely ask the customer for their last brokerage statement. And they will ask the customer to authorize them moving over the previous assets.

That authorization is customarily on a very templated rather short contract / form, and the template is almost inevitably going to rhyme heavily with the template in FINRA Rule 11870. But, in one of those fascinating rabbit holes about how the world actually works, authorization does not mean performing a particular ritual on a particular written instrument. Authorization means permitting something. You can permit something with words, most typically, or even a gesture.

As a very concrete consequence of this, many of those forms will be filled out not by the customer, but by the brokerage employee working on onboarding them. This is not bad and is not fraud. That feels weird to say out loud but it is extremely important: they have authorization. They are doing the thing brokerages do, taking specific authorization for a specific action from a customer and translating it into a complex series of technical and legal processes to cause the physical result in the world that the customer wants to happen.

And so, the form that authorizes an ACATS request might have a signature blank at the bottom. Some of them are signed by the customer, in that the customer had that form physically presented to them and they affixed their signature with a pen. Some are signed by the customer via a solution like Docusign, which might or might not imply that they actually saw an image which physically resembles the form that gets signed.

And some of them are signed on the customer’s behalf. The exact form of that might look like the ASCII characters /s/ John Q. Public. Skeptical? Those are, and these words are carefully chosen to sound very rigorous, “an electronic signature in a format recognized as valid under federal law to conduct interstate commerce.” You probably assumed there would be public key encryption involved in an electronic signature and this is allowed but not required.

All of this is actually normal. 

And, combined with the next bit, it will give many security-minded people an aneurysm.

ACATS is a network of trusted peers who have contractual (and other) relationships with a central organizing entity. One thing peers agree to do is to act upon incoming requests very, very quickly by the standards of financial institutions. One thing they do to accomplish this is very surprising: most ACATS requests will cause the brokerage losing the assets to not verify with their customer that the request is authorized.

“What.”, I hear you ask. No, this is true, and this is designed, and this is normal. It only sounds batshit insane.

Let’s start with the timeline: a brokerage receiving an ACATS request must complete any investigation within three business days. FINRA doesn’t get hyperspecific on any particular thing you must or mustn’t do within those three business days, but that shot clock starts running instantly once your computer gets the message from the other computer.

“Cindy didn’t check her mail because she was on vacation” is not a valid excuse. The brokerage gets only two options: validate (agree to) the request, or take exception to the request. Validation starts a second shot clock to actually complete the spreadsheet updates. It is not quite a no-takesies-backsies decision. True trapdoors are rare in finance. But reversing it is uncommon and unfun for all parties.

You cannot take exception simply because you feel like it. You must communicate one of twelve enumerated reasons. The general flavor of them is “that account has no assets in it”, “that account number doesn’t correspond to an account that exists in this universe”, “the person who you claim has authorized this transfer doesn’t own that account”, etc.

Questions about title, about who really owns the assets in an account, sound really simple to non-specialists who are mostly familiar with individual accounts. John owns the money in John’s accounts, right?

Hah, hah, hah.

The “edge cases” cover trillions of dollars.

John and Mary just divorced and while the account records reflect John as sole owner, the divorce decree says Mary owns half of the account. Your blockchain disagrees with an Article III judge? Then your blockchain is wrong. Fix your blockchain.

These determinations are fact-intensive and, again, are not necessarily obvious to either brokerage or even to the account owner themselves. John very likely thinks he owns his own money and may even think that in a sincere and innocent fashion. The brokerage doesn’t have actual possession of a divorce decree and very likely has no actual knowledge of a contemplated divorce. It doesn’t matter.

Tick tock tick tock. FINRA doesn’t care. The orderly operation of capitalism must go on, private tragedies notwithstanding, and your brokerage must make a determination before three business days are up. Validate or take exception. Those are your only two options.

Now let’s superimpose another difficult reality on this one: brokerages will, in the ordinary course of business, spend long periods of time happily having no real communication with their customers. Oh sure, their customer will receive account statements, and they might even place trades, but the last time a human talked to another human was… early in the 2010s?

Ping, ping, incoming message from ACATS. John purportedly wants to move his assets. The shot clock has begun. You have three business days.

Does the phone number on file from 2004 still work for John? FINRA doesn’t care. Does John still use AOL? FINRA doesn’t care. Can the United States Postal Service successfully put a piece of paper in John’s hand within three business days? FINRA doesn’t care. Will John pick up the phone for an unknown caller attempting to reach him on a matter of urgency? FINRA doesn’t care. Is John in the hospital on his deathbed? FINRA doesn’t care.

Brokerages are broadly competent and they know all of this. They know they cannot, at scale, successfully verify all of the transfers for all of the customers. And so they make a business decision to not contact customers for most transfers by count and reserve extraordinary efforts for contacting only very important customers, who might be most transfers by volume of assets.

The brokerage will absolutely not phrase this as “We don’t verify outgoing transfers.” They will check, and check most diligently, that the account number claimed is the account number, that the name matches the name on file, etc. And their Operations team understands that sometimes names do not match and that is OK, and sometimes it means Nope That’s A Specially Enumerated Exception Right There.

Sometimes they will look at the signature card, because everyone enjoys live action roleplaying occasionally. If John cannot in 2024 reproduce his signature from 2004, I have an epic non-surprise for you: FINRA doesn’t care. But, hey, it is the culture of the United States that financial institutions and expert witnesses in court sometimes do forensic analysis. Do we believe it is possible to compare signatures and gain useful information? Do we believe in the tooth fairy? Yes in some ways and no in others. We take no important decisions premised mostly on belief in the tooth fairy. And, again, “/s/ John Q. Public” is a normal and accepted way to represent John’s consent to move assets.

Small account transfers with paperwork that has no glaring errors will be approved in the ordinary course. Sometimes those transfers will be fraudulent. Brokerages defrauded in this fashion will be annoyed, but not surprised, because they are competent financial institutions. They understand that the optimal amount of fraud is not zero.

So what, ultimately, is a brokerage relying upon when it sends money to /s/ John Q. Public? It is relying on chained trust in a community of practice, and on a web of contracts, and on a business decision, all at once.

And that means that if a bad guy can convince any brokerage in the U.S. that it is John, the bad guy can fairly reliably cause movement of all of John’s financial assets.

You can probably guess the shape of the attack.

Get a copy of John’s ID from, perhaps, a vendor specializing in “fullz” on the Dark Web. Figure out where John keeps his accounts by e.g. just guessing that it might be one of the places where 80% of Americans with assets keep their retirement accounts. Open up an app, tap tap tap, request to move “your” assets to “your” new account. And then lie about being John while telling some truths you know about John.

Now, wait five to seven business days.

Congrats, John’s assets now appear to be in “your” brokerage account. Your brokerage is in the business of giving you access to “your” money swiftly when you want it. Now would be a great time to wire it out, take it out on that debit card connected to the account, place a trade which successfully transfers value to a confederate’s account, etc etc.

Five to seven business days is much more frequent than many Americans, even many wealthy Americans, check their brokerage accounts, and so the money may be spendable before any involved human realizes it has been taken improperly.

This is, obviously, super duper illegal. But in another sense it is just business. For you, as a criminal, this is Tuesday. And for brokerages, well, capitalism hopes they catch most people trying this.

Some brokerages have not successfully caught some people trying this. That is normal and expected. Some brokerages have not successfully caught a rather large number of people trying this.

That was a bit concerning. To FINRA, for example, which has a podcast episode about how it coordinated an industry-wide fact finding process to issue a pair of Reg Notices to let the industry know about this new Wild West of criminality and how to deal with it.

Now, the most sophisticated and competent brokerages already had large security teams working on this problem. But again, some brokerages aren’t nearly as large and well-resourced as a non-specialist might suspect.

Also, how to say this delicately: competence is unevenly distributed in the world. Sometimes this is wonderful; you can pick diamonds in the rough out on the Internet, who have no institutional backing but nonetheless achieve incredible results in deep areas of human endeavor. And sometimes the odd spike is in the other direction: a regulated institution has an important function headed up by a well-credentialed, impeccably pedigreed, speaks-at-conferences, well-liked-by-colleagues-and-friends individual who capitalism should not want in the chair they currently occupy.

A digression: It is considered very impolite in the U.S. professional managerial class to observe that a particular, named professional manager is incompetent at their job. An individual who makes a habit of it will be optimized out of decisionmaking processes featuring PMC members, which is… all decisionmaking processes, effectively. That deviant is ipso facto disruptive to orderly operations and also a bit of a career risk to be in the same room with. And so, even if you know someone to be incompetent, part of being an effective PMC class member in an executive position is to learn the approved euphemisms and rituals.

Anyhow, FINRA issued Reg Notices after a drawn out and somewhat ponderous process, for institutional reasons. They contain some mitigation recommendations that rhyme with “If a customer signs up for an account with you and doesn’t know where their brokerage account currently is, and sequentially asks you to transfer accounts at each of the top 10 brokerages in the U.S., perhaps you might want to look into that.”

When you phrase it like that, it might sound obvious. But for Seeing Like A Bank reasons, the actual screen in front of the actual operations professional who is actually making a the-shot-clock-is-ticking decision on John’s accounts might not display that “John” has recently made four ACATS requests that were each rejected for non-existence. One objective of the Reg Notices is activating a ponderous machine that will eventually get a technologist deep in the bowels in the least sexy part of a brokerage to fix that screen.

This is all normal and working as designed! Capitalism will function on Monday pretty much like it did on Friday! Your assets are safe in an eventually consistent sort of way; your brokerage will eventually come around to agreeing with your view on the matter, regardless of what their first communication says.

If you get mugged in San Francisco, society expresses sympathy, kinda, but you are never going to see your wallet again.

Finance. Does. Not. Work. This. Way.

If your brokerage makes a mistake with your assets, and they have before and will again make many mistakes, then they will make you whole. Financial institutions have capital for a reason. There is a budget for operating losses. There is a budget for fraud losses. The aggregate expenditure of effort by society in solving this problem greatly exceeds the aggregate expenditure of effort by society in solving muggings.

If your balance suddenly goes to zero in a surprising fashion, that will be very stressful for you but they are eventually good for it, with very high probability.

Some people hire a lawyer to resolve this and it’s just about the easiest letter for a lawyer to write: Here’s my best understanding of what my client owns. You think they own nothing. Fix this immediately or tell me in writing why you have decided not to. Lawsuits subsequent to fraudulent transfers and the brokerage deciding that, on reflection, no, they did the right thing are extremely uncommon, both in absolute numbers and as a percentage of all fraudulent transfers. But the nuclear option exists for those very, very, very few customers who need it to compel action.

Should we be satisfied with this? Probably not at the current margin.

Many people who own, and depend upon, assets are not competent enough to project manage the resolution pathway here, and may (largely wrongly) assume that they have been stolen from in a durable fashion. Some might come to this (mistaken) point of view because they talked to a front line customer service representative of the brokerage who, and this is aggravating but it will happen at least once today even in a regulated institution, just makes shit up rather than reading the Emergency Escalations list printed in their cubicle. Some might come to this (mistaken) point of view because their brokerage of choice is other-than-competent at answering utterly routine inquiries and instead they get their information about capitalism from the first person who replies on Reddit, who is not necessarily the custodian of Reddit’s best answer to the question.

Brokerages control many accounts worth $20,000 and some accounts worth millions or much more. Frequently, the formal text of the rules will treat those accounts equivalently. Go read the rule if you have any doubt; there is no This User Is Rich exception anywhere in it. Three business days, FINRA doesn’t care.

One (optional!) control that some institutions use is called a “medallion guarantee”, and it’s a fascinating combination of a physical artifact and a contractual risk transfer.

The receiving institution, who may be ultimately liable (to an action from the transferring institution, to recover the assets they already re-bought for the customer out of their risk budget) for a fraudulent transfer, can optionally require a customer to get a “medallion” issued to move the risk to another institution. Hilariously, that institution can in principle be totally uninvolved.

What is a medallion? A piece of paper that has a number on it and represents a promise. In brief form, that promise is “I, a financial institution who is absolutely good for this guarantee, warrant that I know this to be John. The paper attached to this medallion is authorized by John; he told me so. And if I was wrong, and I am not wrong, I will no-muss no-fuss reimburse you up to $_______.”

So John, when he tells a new company that he would like to move in about $1 million, might get asked to go get a $1 million medallion.

You might think this rhymes with notary services and it rhymes with insurance. All institutions involved will claim it is absolutely not notarization (a state function delegated to private individuals, who are almost universally not good for a million dollars if they screw up) and it is absolutely not insurance (a regulated industry).

Also, medallions are generally free. That surprises people, particularly people who model them as specialized insurance contracts.

The thresholds at which institutions request a medallion vary based on their own policies, but you might reasonably expect $500,000 or $1 million to be important thresholds. If you have an account with a million dollars in it, anywhere, your bank very probably loves you and wants you to be happy. Want a coffee? Stop by any time, they will happily give you a coffee. Charge for the coffee? Laughable. Oh you need an admissible proof of identity for a very wonky financial industry operations issue? Happy to oblige, sir, we are here for any of your diverse financial needs. Can I get you a coffee while you wait.

Yes, the bank is taking risk when issuing a medallion. But it’s a tiny, tiny, tiny risk from their perspective, which insulates the receiving company from a huge risk. The bank has many years of history over which they’ve become thoroughly convinced that John is John. The receiving institution has somebody claiming to be John who spent six minutes filling out an onboarding form in a mobile app. And so the largest firms in capitalism somewhere have a spreadsheet for how much they spent on medallions, much like they can (with difficulty) come up with a pretty exact number for how much they spent on toilet paper.

Toilet paper is substantially more expensive in aggregate even though no individual square of toilet paper has ever caused a $1 million wire.

And, thus, medallions. Most Americans will never see one in their lives. The typical mass affluent user is most likely to see one precisely once, right around retirement age, when e.g. moving their 401k to a new custodian.

But if you’re reading Bits about Money, you are much more likely to get asked for this quaint ritual than the population is at large, and now you know why. And perhaps you won’t be as frustrated as the typical person asked for a medallion, who fumes “Why do I have to walk into a bank just to get them to write ‘Yeah that’s John’ on a piece of paper? Everyone knows I’m John. My drivers license says I’m John. I already gave that to the brokerage. I swear, the entire financial industry is staffed by incompetents.”

Once upon a time there was a financial technologist.

He made it his routine practice to buy just a few shares of every bank he worked with. This was not to make money, it was so that he could write a letter to Investor Relations if there was ever an issue he needed to escalate out of Customer Service purgatory. Investor Relations is highly placed in the org chart of banks and does not relish telling Investors they Relate to that their princess is in another castle.

Some time later, that customer caused another financial institution to ACATS out some assets, including the shares of that bank. Unfortunately, that bank had in the interim had a spot of trouble, and their stock had ended up on a "penny stock" list.

Many large, competent financial institutions have a rule about penny stocks, and it rounds to "absolutely not." And so the financial institution objected to its customer, claiming that it could not process the ACATS request, because it contained a trivial amount of equity in a bank.

In a bit of potent irony, the objecting financial institution owned the bank it objected to holding equity in.

Sometimes, the behavior of a financial institution in the moment looks insane. Often, if you play back history, the insanity is explicable as emerging from individually reasonable actions by several separate parties with only a partial view of the facts.

And, of course, playing history forward, this was trivially resolved. Just another day at the office.