Discover more from Fintech Business Weekly
Stripe, Celtic Bank Power "No KYC" Stablecoin Visa Card
Latest Example of Difficulty of Compliance in Banking-as-a-Service Models
Hey all, Jason here.
I’m back home in the Netherlands (for now, anyway). I had a thoroughly enjoyable week in Norway, both in Oslo and touring the fjords.
While software engineering no doubt is difficult, the engineering feats of Norwegian roadbuilders, including a corkscrew-like road inside a mountain, are truly modern marvels. If you have the chance to visit, I can highly recommend doing so!
Existing subscriber? Please consider supporting this newsletter by upgrading to a paid subscription. New here? Subscribe to get Fintech Business Weekly each Sunday:
Laso Leverages Stripe and Celtic Bank To Offer Crypto Users A “No KYC” Visa Card
Since the launch of bitcoin more than a decade ago, crypto platforms and services have matured substantially.
But for crypto maximalists, a major challenge remains: actually spending any of the crypto funds they hold on real-world goods and services.
Interacting with the traditional financial system (“TradFi”) typically means complying with the regulations that govern those institutions, including BSA/AML and KYC requirements.
Privacy-focused crypto firms have pushed — in some cases, broken — the boundaries of what is permissible.
The latest example: Laso, which leverages Celtic Bank via Stripe Issuing, promises users a “no-KYC VISA card.”
The service, which appears to have launched late last year, is pretty bare bones.
Users can open what Laso describes as a prepaid debit card by connecting their Metamask wallet, a popular crypto service, and transferring USDC, USDT, or DAI stablecoins — without providing any identifying information or address.
While the primary offering is a virtual card, the company promises physical cards to users who achieve “over $10,000 in lifetime deposits,” with those depositing more able to request “completely personalized” cards. Laso shared potential card designs with users via its Telegram channel:
There are no terms of service, no cardholder agreement, and no disclosures whatsoever during the signup process or afterwards.
Laso converts the stablecoins to fiat US dollars and immediately issues a virtual card for the amount, less a 6.8% fee to cover Ethereum “gas costs” of converting to dollars and a margin for Laso itself.
On the back end, it seems that users are sending their stablecoins to Laso’s wallet, which Laso then converts into fiat USD and transfers to Stripe Issuing/Celtic Bank via traditional ACH rails.
The latency between converting stablecoins to dollars and those funds clearing at Celtic seems to have been a significant pain point, with the Laso team requesting via its Telegram channel for users not to make “large purchases” due to a potential shortfall in its account funding the issued cards on at least two occasions:
Resorting to asking users to limit their spending could indicate that Laso isn’t a direct customer of Stripe, but rather is leveraging another Stripe customer to issue cards. If Laso were directly integrated to Stripe, it would be able to programmatically handle spend controls via API.
It’s a bit unclear without knowing the exact flow of funds, but Laso’s structure may run afoul of state and FinCEN money transmission laws and regulations. Laso is not registered with FinCEN as a money services business, nor does it indicate that it holds any state-level money transmission licenses.
Laso specifies a $1,000 daily spending limit, which it describes as a limitation “set by FinCEN.” This seems to be intended to avoid meeting the definition of a money services business.
But the carveout for prepaid cards that hold less than $1,000 has limitations, including that it does not permit funds to be transmitted internationally. There don’t appear to be any controls enforcing geographic restrictions on who can open a Laso account or where they can spend, and, according to conversations in the company’s Telegram channel, a “considerable portion” of its user base is in the European Union.
Even at a $1,000 per day limit, users can move significant funds through the platform. And as Laso doesn’t collect any kind of personal identifier, there isn’t any mechanism to prevent users from quickly spinning up numerous Metamask wallets and using them to create corresponding Laso accounts — easily circumventing the $1,000 daily limit.
The exact account structure and applicability of FDIC insurance isn’t clear from the user-facing experience; Laso does not make any claims about the insured status of the funds it holds in US dollars.
To spend the funds held at Laso, the company instructs users to enter Laso’s name and address, rather than their own, when making a purchase. The address Laso uses, 340 South Lemon, is associated with nearly 4,000 companies and more than 2,000 individuals:
While the site describes Laso as a reloadable prepaid debit card, the virtual cards it issues are actually commercial purchasing credit cards. Issuing cards for consumer use on a commercial BIN is a material violation of Visa rules.
The rule requires a short- and long-form disclosures and clarifies how and when the protections afforded by Reg E, including fraud liability limitations and dispute resolution, apply to prepaid cards.
Laso doesn’t provide any kind of disclosure, and it isn’t clear how or if the company complies with applicable Reg E protections.
Issuing its cards as commercial payment cards in Laso’s own name enables the company to earn substantially more interchange income than if they were issuing true prepaid consumer debit cards.
The commercial purchasing cards Laso is using Stripe to issue are intended for mid-size to large enterprises for the purpose of enabling corporate purchases without purchase orders/invoices — not for consumer/household use:
No KYC, No Problem?
In addition to lacking any kind of cardholder agreement, terms of service, or disclosures, the legal and compliance problems here will be obvious to anyone familiar with BSA, PATRIOT Act, OFAC, and related anti-money-laundering and KYC requirements.
The PATRIOT Act requires financial institutions to collect name, address, date of birth, and government identifier, which must be an SSN if a user holds one, as part of their account opening process.
While institutions aren’t required to verify each piece of information, they must formulate policies and procedures such that they are able to form a “reasonable belief” in the identity of their customers.
In addition to the PATRIOT Act requirements, there are additional rules and regulations around ensuring compliance with sanctions, accounting/transaction monitoring, SAR filing, and so on.
Laso’s site states that “anyone with an Ethereum wallet” is eligible for a Laso card, though a footer on its website further clarifies that:
Laso Card is available in most countries, but is not available in the Balkans, Belarus, Iraq, Lebanon, Liberia, Libya, North Korea, North and South Africa, Somalia, Syria, Ukraine/Russia, Venezuela, Yemen, and Zimbabwe. We are always working to bring our service to all our users.
Laso seems to be attempting to circumvent BSA/AML, KYC, and PATRIOT Act requirements by describing its service as a prepaid card.
While it is true that non-reloadable cards, like Visa-branded gift cards, do not require cardholder information, they are, by definition, not reloadable, have caps on the amount they can hold, and do not permit cash/ATM access.
For reloadable cards, like what Laso purports to be offering, Visa’s own documentation makes clear that accountholder data must be collected before allowing an initial load of more than $1,000, reloading, or cash access:
Laso Demonstrates Gaps In Stripe, Celtic Due Diligence & Third-Party Risk Management
But it would be impossible for Laso to get this product to market without the capabilities provided by Stripe and Celtic Bank.
Stripe’s own documentation makes clear that KYC/KYB, transaction monitoring, AML, and sanctions screening are compliance requirements that prospective customers must comply with if applicable:
Yet Laso clearly is not in compliance with these basic requirements.
While Stripe handles onboarding and due diligence for customers using its Stripe Issuing product, ultimately, responsibility for ensuring compliance and liability for violations lie with the underlying bank partners — in this case, Celtic.
Recent regulatory actions against Blue Ridge and Cross River (also a Stripe Issuing partner) and updated third-party risk management guidance make clear bank regulators are paying closer attention to risks in banking-as-a-service models — including the kind of serious BSA/AML and KYC gaps demonstrated by Laso.
While the most likely outcome for Laso is that it gets shutdown, the headaches it is likely to cause may reverberate far beyond Stripe and Celtic Bank.
Even if these control failures don’t lead to a formal regulatory action, there is likely to be heightened scrutiny, whether from regulators or internally, of new programs and a thorough review of existing clients — including large programs like Shopify and Ramp, both of which issue cards through Stripe and Celtic.
That such an obviously non-compliant service is live in production — with over 1,000 cards issued and nearly $1 million in funds processed — suggests serious due diligence and third-party risk management failures at Stripe and Celtic Bank.
A representative for Laso Finance did not provide an official comment by the time of publication.
A representative for Stripe could neither confirm nor deny if Laso is a Stripe user.
A representative for Celtic Bank said, “The activities described on the Laso Finance website are not authorized by Celtic Bank.”
Representatives for Visa did not respond to requests for comment.
Thanks to Matthew Goldman for flagging this product to my attention — if you don’t already subscribe to his excellent CardsFTW newsletter, I highly recommend you do!
Looking to learn more about BaaS? Get Fintech Business Weekly’s 2023 Banking-as-a-Service Market Analysis now.
Bunq Puts Investor Spat Behind It, Announces €44.5 Million In Additional Funding
Dutch neobank bunq, which we profiled previously here, announced it has raised an additional €44.5 million in equity funding.
The announcement comes a day after reports that a dispute between bunq and its primary external investor, Pollen Street Capital, spilled into public view.
In the suit, bunq founder, primary shareholder, and CEO Ali Niknam alleges Pollen Street had reneged on an agreement to invest additional capital in the bank.
According to the suit, Pollen Street was reluctant to make additional investments without substantial changes to the company’s growth strategy. Part of the strategy shift Pollen Street sought was the sale of CapitalFlow, an Irish lending company bunq acquired for €141 million as a vehicle to deploy its growing base of customer deposits.
Pollen Street believes the valuation of bunq has declined substantially since its investment of €193 million, which valued the company at €1.6 billion in late 2021 — arguably the frothiest time for fintech.
Ultimately, it seems bunq and Pollen Street were able to come to terms, with the company announcing the additional funding in an inside round that included Pollen Street, Niknam, and bunq CIO Raymond Kasiman.
The additional capital was raised at the same €1.6 billion valuation — though it’s unclear what other terms or structure of the round entailed.
CFPB Highlights Opportunities Of Cashflow-Based Underwriting
In a blog post last week, the CFPB shared analysis highlighting the potential benefits of cashflow-based underwriting to provide a more complete picture of credit risk, particularly for applicants with credit scores below 720.
There are, however, some important caveats with the analysis the Bureau used here: the sample size is small (hundreds of consumers) and the cashflow-data is self-reported. The analysis leverages the CFPB’s Making Ends Meet survey panel linked to its Consumer Credit Panel dataset.
The study uses three proxies for cashflow: high accumulated savings; regular savings with no overdrafts; and paying bills on time.
The Bureau’s analysis suggests that users who self-reported these positive cashflow indicators were less likely to have a serious credit delinquency.
For example, those reporting high accumulated savings were less likely to have serious delinquencies than those who did not have such savings at every credit score band:
The same general pattern holds for the other two cashflow proxies.
This outcome isn’t surprising — after all, if someone has significant savings, or saves regularly and doesn’t overdraft, it intuitively makes sense that they may be less risky than borrowers who don’t exhibit these behaviors.
This analysis, though encouraging, is but a single data point. The post suggests additional potential areas of study:
Whether underwriting models solely based on cashflow data are more predictive than underwriting models solely based on credit reporting data;
Whether underwriting models solely based on cashflow data are more equitable than underwriting models solely based on credit reporting data;
Which cashflow variables and proxies matter more for prediction; and
Which people benefit more from cashflow data;
Whether the combination of credit reporting and cashflow data adds much in either predictiveness or equity over and above either the credit reporting or cashflow data in and of itself.
The CFPB hopes to facilitate the data needed for cashflow-based underwriting by finalizing regulations governing “open banking” in the US, known as 1033, in reference to the section of 2010’s Dodd-Frank reform that requires customer data portability.
Fintech Funding Q2 Insights: FT Partners
For anyone watching fintech VC activity, FT Partner’s Q2 quarterly insights likely won’t be a huge surprise: total fundraising volume for the quarter came in at $10.5 billion — a long way off from the nearly $40 billion in VC activity back in Q2’21.
Fewer, smaller deals are getting done. While there are plenty of notable shifts happening in the VC space (and with their LPs), the one that jumped out was the sharp pullback of once-prolific crossover investors like Tiger Global:
And Tiger wasn’t alone. Softbank, once known for handing out large checks and generous valuations with little due diligence, has slowed its fintech investing to a crawl, doing just three deals in H1’23:
Other Good Reads
VC Performance and LP Returns (Frank Rotman)
What Do We Get With The Federal Reserve’s FedNow Instant Payments? (Ron Shevlin/Forbes)
Should Consumers Trust Generative AI? Wrong Question. (Fintech Takes)
US regulator accuses banks of misreporting deposit data (FT)
About Fintech Business Weekly
Looking to work with me in any of the following areas? Email me.
Fintech advising & consulting
Sponsoring this newsletter
News tip or story suggestion — reach me on Signal at +1-316-512-1571
Early stage startup looking to raise equity or debt capital