PayPal’s history of fighting fraud

PayPal revolutionized anti-fraud measures. Now, new technologies are taking inspiration from the payment giant

In PayPal’s earliest days, fraud threatened to topple the peer-to-peer payment giant. Credit card chargebacks were soaring, criminals were using the company to launder money, and phishing attacks led to outright account theft. By the early 2000s, the fraud rate had soared above 120 basis points—costing the company millions and threatening to break already brittle relationships with credit card associations. In fact, according to The PayPal Wars, the company was once incurring $2,300 in fraud losses every hour.

“Had PayPal not found a way to get fraud under control, it would have destroyed the company,” Eric Jackson, the company’s former marketing director, wrote in his book The PayPal Wars. “Unchecked fraud would have put all of our legitimate customers and the very existence of our payments network at risk.”

In an environment where consumers had come to rely on their credit cards to protect them against fraud with no questions asked, they expected the same of this new payment system provided by PayPal.

PayPal’s situation—then as now—illustrates the unique challenges fintech companies face in balancing ease-of-use with stiff security and compliance requirements. Today, however, PayPal’s innovative approaches to combating fraud have become as core to its business as the transfer of money in the first place.

To fight fraud, the company’s now-famous CTO, Max Levchin, and engineer David Gausebeck, worked to develop a mechanism that would complicate account creation for fraud rings without discouraging potential customers or reducing conversions. What they came up with was an early version of CAPTCHA technology, now used practically everywhere, to block spammers from creating fake accounts.

Levchin also built an algorithm called Igor (fondly nicknamed after a Russian fraudster who had taunted them in earlier days—and the type of actor the program was designed to help catch) to help identify abnormal patterns in one of the first major commercial applications of big data.

Between the CAPTCHA solution and Igor, PayPal’s innovative solutions turned out to make a huge impact. Within a few months, PayPal’s fraud rates had dropped dramatically, taking the company from major loss to being one of the safest companies around. Maybe more importantly for the long run, the shift helped PayPal win favor among consumers, businesses, and governments. Today, 170 million people use PayPal, and the company’s fraud rate is only 0.32 percent of revenue, nearly 75 percent better than the 1.32 percent average among merchants, according to LexisNexis’s 2015 study “True Cost of Fraud.” The company didn’t stop there, though: It now also employs thousands of agents to manually sift through data and help refine models.

These approaches—leveraging data and technology to stamp out risks—have become the company’s signature. Last year, PayPal processed $235 billion in payments from four billion transactions. It spends some $300 million annually on anti-fraud measures.

“We are subject to the same regulatory regime as banks in money laundering,” PayPal’s senior director of global risk sciences Hui Wang told [WSJ Risk & Compliance Journal in June 2015]( WSJ Risk & Compliance Journal in June 2015), referring to Know Your Customer rules.

As such, PayPal has continued to refine the machine-learning techniques that help the company better understand its customers; these techniques help surface potentially fraudulent transactions, such as an unusually large purchase or a sudden burst of activity.

“It is true that the way we know a customer is not the traditional way of meeting a customer and getting the customer to provide in the branch some physical evidence of identity,” Wang continued. “We think, though, that the amount of data we collect on the customer–some of it provided by the customer and verifiable, some of it data we use for purposes including fraud management–taken together provide us with good view of the customer identity.”

And when PayPal uncovers a pattern, it sometimes becomes a rule that can be applied to combat other instances of fraud that fits the same profile.

“We view financial risk as very technology-driven,” Chief Risk Officer Tomer Barel told the WSJ. “What we find is that our ecosystem requires a very high level of investment in customizing solutions, because the threat is very significant and the economic structure in the payment space is such that the cost of mistakes is high.”

Indeed, the cost of mistakes is nothing to sneeze at: In January, PayPal agreed to pay around $3.2 million to settle a class-action suit from users who were locked out of their accounts between 2006 and 2015. PayPal pins the frequency of such cases at less than 2 percent of accounts, and its risk team says it’s getting better at identifying risks and reducing false positives all the time.

But this underscores the challenge of marrying two of the biggest challenges facing players in the payments space: reducing friction for users and keeping them happy while meeting compliance requirements. Fraud is a universal problem in financial services, but PayPal was perhaps the first to demonstrate that a business whose core competency is technology is especially suited to addressing these problems—providing a compelling case study for others can do the same.