Financial Fraud in Brazil — Issue #19
How the growth of Brazil's fintech sector led to a surge in financial fraud
Hello dear reader,
Today we’ll cover talk about Brazil digital finance sector. The good and the bad.
If you like this newsletter, please share it with a friend. It will only take 10 seconds. Making this one took 14 hours.
The Background
Brazil has fully embraced digital finance.
The total value of digital payments has nearly doubled from 2017 to 2023, soaring from $59 billion to $145 billion.
47% of the population utilizes a digital finance product on a monthly basis, as per Datareportal. This is in stark contrast to 37% in the US or 27% globally.
Brazil is home to Latin America’s largest digital bank, Nubank, alongside other unicorns in the finance sector such as C6, Creditas, Neon, and others.
Digital wallets have witnessed remarkable success, with the most popular one, PicPay, boasting 62 million users. Additionally, PayPal, Mercado Pago, PagiBank, and others each have tens of millions of users.
In under two year after the start of the pandemic Brazil’s financial system added 16 million people. Now, over 85% of Brazilians have access to financial services, up from 57% in 2009. The vast majority of that growth was enabled by digital finance.
We can point to three major enablers of this industry.
Enabler #1 — Pix
One of Brazil’s notable achievements was the introduction of Pix, an electronic payment system enabling instant transfers between demand, savings, and prepaid payment accounts. One of the primary objectives of this new system was to decrease reliance on cash payments.
Launched in 2020, within just three years, Pix surpassed cash, credit, and debit cards to become the most popular payment method. This success was facilitated by several factors:
Speed: Each transaction averages a mere 3 seconds.
Transaction costs: With only 0.33% per transaction, it significantly undercuts the 1-2.5% charged for debit and credit cards.
Involvement of major banks: Participation by major banks is mandatory.
Government oversight: Brazil’s Central Bank oversees Pix, thus curbing fees and ensuring fair competition.
Network security: Various mechanisms are in place to minimize fraud and maintain compliance.
Standardization: Both user interface and API adhere to standardized formats, enhancing usability and interoperability.
Arguably the most striking stat about Pix is the following:
71.5 million individuals (as of December 2022) who had not made any electronic credit transfers over a one-year period prior to the launch of Pix and are Pix users now.
Meaning that half of Brazil’s adult population were not actively engaged in any electronic payment systems before Pix, and within just two years, they adopted one.
Speed and interoperability serve as Pix’s primary selling points. These factors incentivized banks and other financial institutions to join the system, resulting in 799 participants by mid-2023. On the consumer side, Pix has already reached 80% of the adult population and 13 million businesses. Businesses even provide discounts to Pix users, as they no longer have to endure lengthy check-clearing times or pay credit card fees.
Enabler #2 — Open Finance
Banco Central do Brasil and the National Monetary Council define Open Finance as:
…the sharing of data, products and services between regulated entities — financial institutions, payment institutions and other entities licensed by BCB — at the customers' discretion, as far as their own data is concerned (individuals or legal entities).
While Pix caters directly to consumers, Open Finance is an infrastructure play.
The concept behind Open Finance is straightforward. Brazil's financial landscape is largely dominated by major banks. For instance, the top five banks hold an 80% share of the loan market. By granting access to data, Open Finance aims to cultivate a more competitive environment, empowering consumers—not just incumbents—to control their data.
Presently, most Open Finance solutions target the B2B segment. Examples include Belvo, offering a comprehensive fintech solution, and Datanomik, which aids businesses in managing their finances across multiple accounts.
Although Open Finance is still in its nascent stages, with certain infrastructure components yet to be fully implemented, it already boasts over 42 million consents, with 28 million of these being unique.
Enabler #3 — Regulatory Changes
Since the early 2010s, Brazil has been modernizing its regulatory environment in the finance sector.
It all began in 2010 when the duopoly in the payment processing space was dissolved. Specifically, a payment processor named Cielo held an exclusive agreement with Visa, while Rede had a similar arrangement with Mastercard. This forced each merchant to purchase or rent a POS terminal for each processor. In 2017, the BCB (Brazilian Central Bank) abolished these exclusive agreements between payment processors and credit card networks, paving the way for companies like SumUp Brasil, Stone, and other emerging payment providers.
In 2013, the government introduced narrower banking licenses. Previously, every new financial institution had to meet all the requirements imposed on a bank, a process that took years and required significant capital. Narrower licenses streamlined the licensing process, making it easier and faster. These new regulations played a crucial role in enabling companies like Neon to launch.
Another significant change occurred in 2018 with the introduction of two new licenses in the credit market: the Direct Credit Institution (SCD) and the Peer-to-Peer Institution (SEP). These licenses empowered startups to operate directly in the credit space without having to partner with a major financial institution.
The Problem
Innovation not only fosters promising products and solutions but also creates ample opportunities for fraudulent activities. We see this today with AI, we’ve seen before with digital advertising.
Nowhere is this more pronounced than in the realm of finance. Despite the remarkable innovations in the fintech space, Brazil has been grappling with fraud significantly.
Banking trojans have emerged as the primary tool for fraudulent attacks. Brazil leads globally with 1.8 million attempted infections from June 2022 to July 2023, with 8 out of the 13 most popular trojans globally originating in the country. The country witnesses approximately 2,800 fraud attempts per minute.
Estimates indicate that the Brazilian banking system suffered losses of $500 million in 2022 due to fraud, with around 70% of it linked to Pix. Moreover, not all fraud cases are reported to banks, suggesting that the actual figures could be higher.
Furthermore, the fraud rate is on the rise. In 2021, 1 in 5 Brazilians claimed to have been victims of financial crime, which escalated to 3 in 5 a year later. Since the pandemic, scam activity has surged by 165%. Law firm Cardoso & Zaniboni highlighted that the demand for consultations regarding fraud increased by 30% in 2023.
Compounding this issue is the fact that criminals are devising increasingly sophisticated methods to gain access to people’s accounts:
They may send a link through WhatsApp or SMS, enticing users to download an app that impersonates a legitimate authentication app. This type of malware, known as PixPirate, steals banking and credit card information and can bypass two-factor authentication. Fraud occurs when a transaction is initiated, allowing fraudsters to alter the transaction's destination or redirect it to the fraudster’s account.
Manipulating images to deceive facial recognition systems, thereby circumventing biometric recognition systems.
Sending WhatsApp messages to users, enticing them to transfer money through Pix with promises of doubling the amount. This scam continues until the victim realizes that no money is returned.
Traditional phishing scams, where individuals are tricked into transferring money through Pix, remain common.
Local government and banks are actively addressing the issue of fraud.
Pix, along with other security measures, implemented a R$1,000 (~$200) limit on transactions between 8 pm and 6 am. Although these measures were relaxed in 2023, restrictions on the amount and timing of money transfers or withdrawals still exist. Additionally, a database of fake accounts has been established since criminals often utilize a single account to defraud numerous users simultaneously.
Another measure enforced by the Central Bank is the requirement for information sharing. When one bank identifies a fraudulent transaction, it must share information regarding the suspected account, including any evidence gathered.
Private institutions have also taken proactive steps in this regard. For instance, Nubank clients can create a safe zone at home or work, selecting a trusted WiFi network for transactions while limiting transaction values outside of these zones. PagSeguro offers a tool called PagShield that analyzes transactions in real time to detect fraud.
The Reasons
Brazil’s non-cash payments are growing, and the country has a large population many of whom are just beginning to navigate the digital landscape. That’s the combination that fraudsters want to see.
Brazil ranks among the world's least trusting nations, yet there's a notable trust in financial institutions to combat fraud. This trust likely spills over into a general confidence in these institutions.
Moreover, the introduction of digital banking is relatively recent for most Brazilians, and many lack extensive experience navigating the risks inherent in the digital era. There's a prevailing belief that financial institutions prioritize their clients' interests and have implemented thorough measures to safeguard their funds.
If a person in not used to interacting online, they wouldn’t know what links to click. They haven’t even heard the term ‘banking trojan’.
Adding to the complexity, Brazilians are among the most active users of WhatsApp. This large and active user base makes the app an attractive gateway for fraudsters to access users' devices. Despite WhatsApp's efforts to combat such threats, these measures have proven insufficient.
The Solutions
Fraud's prevalence has spurred the emergence of numerous solutions.
One such solution is Combate à Fraude (Caf), which focuses on two key areas:
Identity verification (KYC/KYB): Caf aids businesses in verifying the identities of their customers and business partners through document verification, biometric checks, and liveness detection to ensure authenticity.
Fraud Detection and Prevention: Their platform detects fraudulent activities during the onboarding and authentication processes.
Caf has experienced remarkable growth. Founded in 2019, it has already raised $32 million and operates in at least 50 countries. The company saw a tenfold increase in revenue in 2021 and further growth by 250% in 2022.
Another notable example is Konduto, a fraud-prevention solution primarily tailored for e-commerce stores.
Here's how it works. The company's systems capture over 2,000 variables, including visit origin, price, time spent on the site, number of pages visited, number of products viewed, password changes, and more. When a customer places an order, Konduto receives order details and the customer's information, such as credit card details, and swiftly analyzes the order to approve or block it.
Konduto claims to analyze 244 million orders annually on its website. Assuming this data is for 2023, the company has grown by 39% since 2019, when they analyzed 175 million orders.
Silverguard is an interesting consumer-facing product. Firstly, it provides an app serving as a protective layer in the event of a stolen phone. However, its most compelling feature is a scam-reporting solution named SOS Golpe, built on WhatsApp’s infrastructure.
In the event of fraud, the victim can activate a Silverguard chatbot. This bot asks the user a series of clarifying questions, analyzes the responses on the backend, and generates a report. This report is then forwarded to the bank, requesting the blocking of the disputed amount and the recipient account at the destination bank.
I’ve mentioned that one way criminals obtain access to users’ accounts is through biometric data. Well, Minds Digital provides an alternative to traditional biometric data, which is your face, with a voice authentication technology.
It works for both app and WhatsApp verification. And the way it works simple, yet elegant. Let’s say you want to authenticate a transaction through WhatsApp. Users are prompted to provide basic information and then record an audio message saying a specific phrase, such as an order number. Minds Digital compares this message to a previously recorded audio sample from the user, thereby verifying or preventing the transaction.
To date, the company has successfully authenticated 5 million customers and prevented 12,000 fraud events totaling $6 million.
The takeaway
Financial fraud has existed for a while. The growing number of solutions to prevent fraud begets a growing number of ways to commit it. This race doesn’t seem to be coming to end any time soon.
Looking ahead, the implications of widespread biometric authentication are a bit terrifying. The potential for AI to convincingly mimic a person’s voice or appearance raises a lot of questions about the future of digital security in.