title: APIs of evil: studying fraud as infrastructure
author: Complex Systems with Patrick McKenzie (patio11)
contenttype: podcast
publication: Complex Systems with Patrick McKenzie (patio11)
published: 2026-02-12T08:00:00+00:00
sourceurl: https://pscrb.fm/rss/p/prfx.byspotify.com/e/media.transistor.fm/58566867/e7bdd1b1.mp3
word_count: 9048
Welcome to Complex Systems, where we discuss the technical, organizational, and human factors underpinning why the world works the way it does. Hi, Dio, everybody. My name is Patrick. I'm NC, better known as patio 11 on the internet. And I have a confession. I love fraud, which is obviously prepared bits about money for a while. Nothing I like committing fraud. It's an evil act. But I just think it's so intellectually interesting. Partly for the same sort of like viewing NASCAR crashes, reason that people like truth crime generally. Partly because fraud is, in its own way, a reflection of how real systems operate. I think there was a bond once that all sufficiently evolved organisms have parasites. And this is true, both of organisms in the living sense of the term and also any sufficiently evolved complex system has parasites. And if that complex system continues to exist in the world, it has evolved sufficient defenses against those parasites. Also, fraud itself is infrastructure directly and to the extent that we like studying infrastructure because it teaches lessons about other infrastructure, studying fraudulent infrastructure. You know, the API is the evil as it were. It allows you to cross apply learnings from that to the more important infrastructure that sits in our lives. And so, in that general sense of the mission, I'd like to read an essay that I wrote recently, fraud investigation is believing you're lying eyes, published on February 6, 2026. And I'll flag for those of you who don't know. This is a largely nonpartisan podcast and I largely write nonpartisan professional spaces. But this does come up against a few sociopolitical cleavages in the United States. So, I warn you about that in advance. There was a recent attempt to buy an independent journalist to expose fraud in a Minnesota social program. It was deeply frustrating. The journalist had notably poor epistemic standards, which secondary media has seized upon to dismiss their results. The class-based sniffing almost invariably noted that prestige media had already reported stories, which rhymed life core allegation, while sometimes implying that makes the allegations less likely to be true through logical pathway, which is a bit mysterious to me. The journalism went viral anyway, in part because of sensationalized framing, in part because of signal boosting by an aligned media ecosystem and aligned politicians, and in part because the journalism develops one bit of evidence that has a viscerality that paperwork dives off and lacks. These purported child care operations routinely have no children in them. Fraud has become quite blissized in the United States for the last few years. We had a poorly calibrated federal initiative led by a charismatic tech entrepreneur who believed it would unearth trillions of dollars of fraud that focused substantial efforts on large programs which are comparatively fraud-resistant. Across the aisle, we have reflexive dismissal that fraud happens in social programs, which functions as air cover for scaled criminal operations, which loot many varied social programs, and are sometimes run out of geopolitical adversaries of the US, including by ambiguously retired members of their clandestine services. I have a footnote here, and in the essay there are four links if you want to read about this, that's a frequent problem. That footnote annotating a report of a surprising number of students using AI to get through their one-of-a-course work in a California community college. In a thing you will see frequently in fraud investigations, early detection of anomalies does not necessarily imply successful identification of the underlying fraudulent enterprise. A teacher was scandalized that his third of their students are using AI to write papers. These quote-unquote students are identities puppeted by a criminal organization to siphon federal funding out of community colleges towards accounts controlled by the criminals. I award myself one cookie for correctly predicting this on Twitter when the AI paper came out. Back to the essay. I worked in the financial industry for a few years. We do not have the luxury of pretending that fraud is something invented by our rivals to besmirque our good name. It hits the profit and loss every quarter, and will eat you alive if you're not at least minimally competent in dealing with it. Conversely, it is well understood in the industry that the optimal amount of fraud is not zero. I get some credit for popularizing that phrase. But Dan Davies originally invented his book, Flying About Money. Or a close snow globe phrase at any rate. The financial industry has paid at least tens of billions of dollars in tuition here. Overwhelmingly, one learns about fraud in it through the apprenticeship model, with different firms having different internal levels of understanding on the shape of the elephant. The industrial organization presumes small numbers of people architecting anti-fraud systems, and relatively larger numbers of investigators and analysts operating these systems on a day-to-day basis. There does exist some formal knowledge sharing between firms. If you work in payments, try getting invited to the Chatham House rule sessions held by, oh yeah, I can't say. Despite that social technology being originally developed for the benefit of government and press actors, it's my general impression that US benefits programs don't yet see themselves as sufficiently yoked by adversarial attention to benefit from their own Chatham House series. Perhaps that should change. And so, for the benefit of fraud investigators with badges, press cards, or gopros, some observations from a community of practice with an extensive and mostly non-public body of work. But first, a tiny bit of throat clearing. In which we briefly return to Minnesota. Minnesota has suffered a decade-long campaign of industrial scale fraud against several social programs. This is beyond intellectually serious dispute. The 2019 report from the Office of Legislative Auditor, a non-partisan government body, makes for gripping reading. The scale of fraud documented and separately alleged in it, staggers the imagination. States-owned investigators believed that over the past several years, greater than 50% of all reimbursements to daycare centers were fraudulent. Separate officials took the novel position that they were only required to recognize fraud that had happened after securing a criminal conviction for it. Since they'd only secured a few criminal convictions, there was no way that the fraud was that high. As to put a number on it, repeatedly, they declined. The investigators alleged repeatedly visiting daycare centers which did not factually have children physically present at the facility, despite reimbursement paperwork identifying specific children being present at that specific time. The investigators demonstrated these lies on timestamp video, and perhaps in another life would have been YouTube stars. Our social class is intensely versed straight forwardly recounting these facts, partly due to political valence, and partly due to this particular fraud being dominantly conducted within a community which codes as disadvantaged in the US socio-political context. Fraudsters are liars, and will cheerfully mouth any words they believe will absolve them of their crimes. If an accusation of racism gets one of free past to steal hundreds of millions of dollars, they will speciesly sue you electing racial discrimination. That empirically worked in Minnesota. The OLA takes explicit notice of this multiple times. A coordinator for the fraud operation is on the record to local media explaining the strategic logic of accusations of racism, and a judge was even moved to make an extraordinary statement, to clarify that the bad faith lawsuit alleging racism did not achieve success through the formal judicial process, but rather through the voluntary compliance of government actors shamed by its allegations. As a side note, one has to be able to hold two thoughts simultaneously about fraudulent operations. They can be quite sophisticated, with respect to exploiting socio-political cleafages in their targets, while also being comically inept at faking evidence elsewhere, such as having a single person write dozens of adjacent rows on a sign in sheet. This routinely surprises observers, and it should not surprise them. The financial industry also has the division of labor in it. The person are architecting the fraud department's standard processes is well-paid, well-educated, and routinely brings cross-disciplinary expertise to bear. A fraud analyst one, on the other hand, bears a lot of similarity to a call center employee, in terms of compensation, education, and permitted amounts of agency. In the immediate wake of the Independent Journalist Report, the great and the good rallied around the organizations he accused. Of course, it was natural that journalists wouldn't get immediate access to children if they asked. Of course, there is a certain amount of informality in the sector. Of course, as the New York Times very carefully words met recently, Minnesota officials said in early January that the state conducted compliance checks at nine child care centers after Mr. Shirley posted his video, and found them, quote, operating as expected, and quote, although it had, quote, ongoing investigations, and quote, at four of them. One of the centers, which Mr. Shirley singled out because it misspelled the word learning on its sign, has since voluntarily closed. An inattentive reader might conclude from this paragraph that the Times disputes Shirley's reporting. To the extent that bits about money has an editorial line on that controversy, it is this. If you fish an upon to known to have 50% blue fish, and pull out nine fish, you will appear to be a savant-like catcher of blue fish, and people claiming it is unlikely you have identified blue fish will swiftly be made to look like fools. But the interesting bit of the observation is, almost entirely, the base rate of the pond. And I think journalism and civil society could do some genuine soul searching on how we knew, knew, the state of that pond, but didn't consider it particularly important or newsworthy until someone started fishing on camera. But this is not a publication about particular puns. It is a publication about getting better at fishing. Common signals, methods, and epithenominant of fraud. Fraudsters are playing an iterated game. The best nonfiction work on fraud is Dan Gavey's line for money. In it, you'll find replete examples of something well-known to fraud investigators. The dominant next adventure for a former fraudster is, opening up a new fraud. And therefore, if you want to identify a ridiculously high hit rate of frauds and round N plus 1 of a game, so easy, it's practically cheating way to do so, is to look at what known fraudsters from Mount N are doing today. There's a genuine difference in the culture and epistemology of the financial industry versus the government of the United States here. In the financial industry, we keep blacklists, and getting a second chance after obvious misbehavior is intentionally non-trivial. This runs against deeply felt values of civil servants. An actuation is not a conviction, an absent clear authority to impose consequences in a new program, an actor convicted at enormous social cost. It emerges to a new program officer as Tape LaRassa, equal and moral worth to any randomly chosen citizen. I will not argue that MasterCard, which maintains the match blacklist, has better moral intuitions than the founding fathers. I would, however, happily suggest the government not assume that the Constitution contains emanating penumbres, obligating it to be repeatedly taken advantage of by the same people in the same fashion. We are not forbidden object permits. Minnesota raided the Sunshine Child Care Center in 2022 on suspicion of overbilling. No charges were brought, and when investigators imply it was less than exoneration and more an interdepartmental flumble. That operation was owned by one Fusia Hassan, a separate child care center owned by Fusia Hassan was featured on YouTube recently. This follows on $1.5 million of funds received through feeding our future, a scaled fraud operation, which is generated over 70 indictments, five criminal convictions, and 50 guilty pleas. What a set of coincidences. Perhaps Hassan has, as she has alleged in a lawsuit, been a frequent target of racially motivated government investigations into a successful serial entrepreneur in the child care field. The fraud supply chain is detectable. Much of the intellectual effort in policy circles around fraud is aimed at retail level fraud by individual beneficiaries. Most fraud, like most scale property crime, is actually the result of a business process. This is an elementary fact of capitalism. It is deeply disconcerting to find every benefit program independently discovers it, a decade too late to do anything about it. Most bread is not baked by amateurs and their kitchens. It comes from a bakery, which exists to bake bread, and hires specialists in baking bread, and then supports them with capital intensive built infrastructure. Fraud develops the supply chain. Some elements in the supply chain are dual use. The bad guys use Excel for the same reason that every business uses Excel. Some elements in the supply chain, though, are specialized infrastructure, with no or diminimous legitimate purpose. Those elements can be profiled. I worked at Stripe for several years and currently an advisor there. Stripe does not endorse what I write in my personal spaces. In its own spaces, Stripe has discussed being able to follow fraudulent operations since efficient detail to determine when the operators went to lunch. Fraud shares specialists quite frequently. They use the same incorporation agents, the same mail services, the same CPAs, the same lawyers, et cetera, et cetera. You can make the same observation about many communities of practice. It is a non-coincidence that many tech startups are at 548 Market Street in San Francisco. 548 Market Street is not the world's hippest coworking space. It is the address for Earth Class mail in San Francisco. There are many PO box providers in the world. Many geeks with taste reach for UCM. It's about money is legally required to maintain a postal address. And if you were to ever send me a physical letter at it, that would also end up in the hands of an Earth Class mail employee. Elsewhere in the world, there exist PO box providers whose customers statistically include fewer AI labs and more frauds. One imagines the specialist and fraud at the storefront picking up the day's take from 15 separate boxes. Elementary work, graphing supporting infrastructure, even on something as unsfisticated as butcher paper, frequently on revels fraud networks. Data science has any number of more sophisticated approaches. Jetson later Lewis, an academic who now routinely works with government, and has previously been on complex systems, has discussed summer approaches which work based on widely commercially available data sources. There was an emerging defenders advantage here in the age of LLMs, since exploratory work in visualizing and walking network graphs is getting much cheaper. You no longer need to buy, volunteer and engage a corporate deployed engineer to cluster IP addresses. A non-technical fraud investigator could get an LLM to do that, while eating at Chipotle, and the lunch would cost more. This democratization of capabilities is relevant to journalists, formal and otherwise, and also to governments. RFPs and software contracting, once de facto mandated a multi-year lead time to do an automated network analysis, if an analyst thought, perhaps, their program might need one. Now that is an afternoon's work, if we allow ourselves to do it. We should. Investigators should expect to find ethically clustered fraud. As mentioned, there is enormous visceral distaste for the conclusion that a particular fraud ring operates within a particular community. This is quite common. You should expect to find circumstances which rhyme with it when conducting effective fraud investigations. You should not abandon fraud investigation when you chance partners. People assume a level of ethical fraudness here which is not warranted. You would, if doing ethnographic work on perfectly legitimate businesses across many industries, routinely discover ethnic concentration rather than population level representation of where you looked. The patels run the motels. One doesn't need to adopt grand theories about how certain groups are predisposed to becoming pharmacists or startup employees or lying cooks. Simple microeconomic reasoning explains reality easily. Firms hire the people they already know like and trust. This will routinely include friends and family. Who are going to be much more like the founding team than they are like randomly drawn members of the population. This is the default outcome. Fraudsters do have one structural factor here. Everyone wants to trust their co-workers. Fraudsters need to trust their co-workers who will remain loyal, even upon threat of prison time. This necessarily selects for tighter bonds than typical workplace. Made off was a family affair. SPF was sent in on again off again romantic relationship with the chief lieutenant. Neither of these facts is accidental or incidental. That's the other ethical dimension of being other than blind concentration. So-called affinity frauds do not merely recruit fraudsters from affinity groups. They recruit victims from affinity groups. Made off mobilized the social infrastructure of the Jewish community in New York and Palm Beach to find his marks. Community members certainly did not intend their charitable foundations to be looted by a fraudster. It was an emergent consequence of trust networks. This also happens in shows and communities. FTX was, in material part, an affinity fraud against effective altruists, who are not a religion or ethnic group as traditionally construed. And so when the great and the good turn a blind eye towards abuses because the perpetrators share an uncomfortable common factor, they are often simultaneously turning a blind eye towards abuses of a community whose interest they purport to champion. As an aside, this happens in the financial industry as well, and it's something that you catch formal advice on how to talk about. So for example, the government of North Korea engages in routine attempts at looting the financial industry, including banks and most recently cryptocurrency exchanges and other operators in the crypto ecosystem. And so you can say things like, we're being targeted by the North Koreans and Cheongyang. And that's legal because you're referring to a government to not people whose ethnicity happens to be in North Korean. Now, I think you should not say, is we're being targeted by the millions in Glendale, California, even though you might well be being targeted by an organized criminal group whose members are overwhelmingly Armenian, based in Glendale, California. Citibank was actually targeted by this organized criminal group, and I think with very high probability to actually exist in the world. And some Citibank employees said and did some unwise things internally with regards to their countermeasures that being victimized by this group that was routinely having people's identities, possibly with, possibly without, the collusion of the people who had identities were used, open up large lines of credit with Citibank and then upscound with all the money. So Citibank did unwise things and describing this internally. And they did some illegal things, such as, holistically identifying Armenians based on the tendencies that happened sometimes in their last names, and then refusing Armenians credit. That is radioactive illegal in the United States. And so the consumer financial protection bureau finds Citibank 25 million dollars and put it under an antitrust degree. And so you have to be able to hold two thoughts in your head at the same time. On the one hand, like, there really are bad guys in the world. And sometimes there is a way to describe those bad guys, which is true to the facts. And we'll get you in trouble if you use it in so many words. One of the things that CFBB points out in the citation for the cent degree and 25 million dollar fine is that investigators had said, well, don't write down what I'm about to tell you about the bad guys, of what we're going to do with them. Now, don't write down the crime I'm asking you to commit is bad. Don't write down the following thing which is socially radioactive and the system that we operate in I think is maybe a little bit less bad. You do have to be able to discuss the bad guys and some commonalities among them. And as mentioned earlier, it's an open secret in the financial industry that people who are ambiguously affiliated with the Russian government. And when I say ambiguously affiliated here, I don't mean like they live in Russia. Maybe they meet the government for drinks sometimes. I mean, no, they previously had badges that the, you know, clandestine services the Russian government and they maintain professional connections with people who can like still have badges to get you into the most secured facilities in that country. And they commit crimes deliberately at the best of the Russian government. And so you really have to be able to talk about, like, Russian state-sponsored activities against financial services organizations to usefully work in defending against, well, Russian state-sponsored activities against financial services organizations. But you have to be careful about how you describe that, right? Because you can't say like, oh, the Russians took another whack at us today. It's not all the Russians clearly and there are many Russians who are wonderful people and are great at, you know, law abiding consumers of financial services. I don't think those are two very difficult ideas to keep in more and set at one time. But people sometimes pretend it's more difficult than it is. I think the acknowledgment of an adread sounds cooler in Japanese. Konoban-kumi-lap-su-gi-no-sponsan-no-take-yo-de-it-bo-ko-dishimasu. Cool, right? Complex systems is presented by Mercury, radically different banking. If you followed my work for a while, you know I sincerely love banking, including the parts of it which suck. I have spent hundreds of hours getting compliance to approve a young denominated wire, fighting a mainframe built in the 1960s to get an account statement and playing phone tag across three continents to check on the status of a payment. I also use Mercury, which has required absolutely none of that nonsense. They are a banking provider which works the way software people expect banks to work. The website and mobile app are joy to use, getting you quickly through your task and then back to growing the business. If you're a founder, save your cycles for building and talking to customers, not for banking operations. Their wire experience specifically is the best available anywhere. Trust the guy with wire transfer compliance influencer written on his business cards. Free for domestic US wires in both directions takes less than a minute to send one and I've never had an issue requiring human intervention after pushing go. Mercury works for you on your first day on your first dollar and will scale to wherever your business takes you. Really, a large portion of startups have invested in and 300,000 businesses of all sizes. Visit mercury.com to learn more and apply online in minutes. Mercury is a fintech company, not an FDIC insured bank. Banking services provided through choice financial group and column NA, members FDIC. Anyhow, back to the essay. High growth rate opportunities attract frauds. As covered extensively in lying for money, the necessary fundamental conceit of a fraud is growth in a business that doesn't happen in the real world. Every lie told incurs the debt to the truth and one day the debt will be paid to quote the excellent drama miniseries Chernobyl. Fraudsters forced all the day of reckoning by telling a bigger lie, increasing the debt, which, mostly as a side effect, alleges that you're growing much faster than most of your legitimate portfolio. Happily, many businesses have figured out how to keep track of fast growing customers. Tracking rocket ships doesn't require rocket science. Sort by growth rate descending on new accounts will turn up a lot of interesting observations about the world. One is that Fortune 500 companies sometimes open new accounts and you probably don't need to open a fraud investigation file in that case. Another is that some people claim to be feeding millions of meals to a community of tens of thousands of people beginning from a standing start and growing local social services at a rate which an Uber Eats City manager would not expect to achieve in the wildest dreams of their Gold to Market Plan. Feeding our future had a compound annual growth rate, Kagger, of 578% sustained for two years. Uber, during their meteoric growth period and core of rideshare services, had an average Kagger of 226%. Their best year was 369%. But if you asked in Minneapolis in 2021, you would quickly find someone who had been in an Uber, but failed to find anyone who had eaten courtesy of feeding our future. So curious, given that they were dropping one of the fastest growing companies in history on growth rate. Investigators in Minnesota were ringing the alarm bells for years about impossibly fast growth in feeding our future's reimbursement requests, including at new facilities. Feeding our future felt it was maxed out on the fraud it could conduct at existing sites and expanded voraciously, including, most prominently, enrolling numerous restaurants as, quote, feeding sites, end quote. Copy paste of the usual playbook and requested reimbursements for implausible volumes at those sites, paying kickbacks to many participants. This required growing as fraud, which you get the general idea. We could have gotten off the bus at many points, and I suppose at some level that is a question of political will. The highest growth rates in the economy generally are in newer fields. You basically can't sustain the alternative. This doesn't imply that those fields are fraudulent, but they will tend to disproportionately attract frauds. The defenders in those fields have not yet paid their tuition to the school of hard knocks, and so attackers will target the weaker systems. The high growth rates of legitimate businesses, function as kind of protective cover for high stated growth rates of illegitimate businesses. A cager of 1,000% looks implausible for a restaurant, but barely meets expectations for an AI software shop. And, now to put to find a point on it, many people are invested, literally and metaphorically, in whatever today's new hypothesis. People who could not secure an allocation in the more legitimate ends of it, will sometimes find themselves adversaries selected by less solubrious actors. This will read to those people as a justly earned success. They might even have their marketing department right up their victimization as an indisputable success. In the essay, I went to right up their victimization to Sequoia's profile on Sam Bingham-Freed, this brilliant young entrepreneur who plays League of Legends and his committee meetings with him. And the indisputable success is a direct quote by the Small Business Administration with respect to some of its pandemic era paycheck protection program and other loan guarantee programs. That success, not entirely indisputable. And so, if you're a defender who has many different lines of business and also has limited resources or political will, where should you deploy those resources? Should you place your bets on, for example, Social Security, a multi-trillion dollar program whose primary source of growth is fun to conjure, but then requires 70 years of seasoning? Or should you place them on the paycheck protection program or pandemic era on employment insurance, or genetic testing, or non-emergency medical transport? Despite those being smaller line items, they probably had more juice worth squeezing and the fraud is more easily detectable. Just look. You can read the essay for the links but all four of those are notoriously fraud-prote, federal programs. There are links in the financial system. It's about money has extensively covered anti-money laundering and no-your-customer regulations, and I won't rehash those regimes today. A bit of tacit knowledge in the financial industry. Some actors in the set broadly considered trustworthy, are more worthy of trust than others. And some are less. We are generally discreet about writing this down in as many words, but as an analogy, cross-national regulatory bodies require to maintain a list of high-risk jurisdictions to do business in. You are generally required to do enhanced due diligence on customers, activities, and similar, touching on the high-risk list. If you are particularly competent and there are pluses and minuses to being competent in detecting fraud, you might have the analogous list of U.S. financial institutions, which are not entirely from sport bad guys. You might wonder why it is not invariably a professional credit to be good in detecting fraud. Well, you will not be the most popular person in the firm at the bonus time. That generally goes to the firms who, the folks who sold the high-growth counts. Again, high-growth counts look like success until you presented unambiguous evidence that you were in fact being defrauded the whole time. And the people who owe their professional reputations and promotions and bonuses to the fact of having been recently defrauded will often deny to like the last extremity and quite a bit beyond that that no, no, no, this was absolutely legitimate. Have you met Sam Bankman free? He's a wonderful guy. Obviously, we weren't defrauded here. A couple weeks later, all right, reality sets in. If one hypothetically has the list of financial firms, that is one more signal you can use in evaluating any particular count and a one-stop shop for developing a list of accounts to look into. It would be uncouth of me to name that has poor controls. But for a general example of the flavor, CMI's scathing commentary on Silvergate's AML and KYC program. Without using any proprietary information, I predict confidently that Silvergate Bank banks many more multi-billion-dollar frauds as a percentage of their customer base than almost any of the US's 4,500 banks. Trivial substantiation here. Divide FTX's bank by the total count to customers. Financial industry is definitely not allowed to proxy for. One of the first things you learn as a data analyst is zip codes are extremely probative and you are absolutely not allowed to use them. The American system remembers the experience of redlining and has forbidden the financial industry from ever doing it again. And the industry mostly respects that. But good news. Institutions with weak controls environments are not, in fact, simply a proxy for who banks disadvantaged people. Some of them are good at their jobs. Some of them less so. And the fraudsters know it. This sometimes happens with the knowing connivance of the financial institution and or their staff. For much more on that, see histories of the saving some own crisis or the line for money chapter on control frauds. But more commonly, it is simply a community of practice developing organic knowledge about who is just very easy to get an account with. Which intends to cycle through accounts and identities in a much higher rate than baseline. You would prefer to do business with a bank that does not detect net malfeasance. And so you will disproportionately end up banked along with money of your buddies at the least attentive place still capable of getting a license. And so an agency trying to find a fraudulent network might want to look at fraud cases by routing number and then start making some judgment calls. One of the reasons the government had deputized the financial industry is that it is good at keeping spreadsheets in order to make sure that the government should have the responsibility to request for them. Perhaps the government should call up a few of their deputies and say, so not alleging anything here. But we think you might have a list carefully maintained by your fraud department for your own purposes. We want to see that list. It would be pro-social if you to give us a copy of it. As an aside, there are many communities of practice in the world. And most of them are not criminals, thankfully. And general go for after a public-private partnership in Japan. And so one thing this private partnership would do was send researchers who are mostly people with PhDs that went to Japanese universities and the overall majority of them were Japanese citizens. They would send them to the United States to do post-ap work or similar at American universities or industrial organizations. So, like everybody else who intends to exist in the United States of America, really, really helpful for Dr. Taro if he had a bank account as soon as he landed in the city. But Dr. Taro has usually never existed in the United States before. How do we handle this? Well, we had one person who was very comfortable with reading reports about the United States of America and getting on the phone with people who worked in American financial institutions and saying the following. Hi, I'm Dr. Taro's secretary. Dr. Taro is getting posted in a account for him. What do I need to give you to make that happen? And the financial institution we had the most success with this was with controlled a bank but was primarily a discount brokerage. And so, in the regulatory environment at the time, discount brokerages had relatively less than terms of KYC rig and roll than banks did. You still had to know who the person controlling a brokerage account was. But it was relatively easy to pass the United States to open a U.S. brokerage account. And so, Dr. Taro would open a U.S. brokerage account. And then, Dr. Taro's secretary, of course, really, would call the 1-800 number attached to the brokerage and say, I see that your firm also offers checking accounts. Dr. Taro is a customer and good standing of your firm. Can Dr. Taro please get any checking accounts as well? What information do you need to make that happen? Well, the accounts in the United States and America, before they had ever officially set foot in the United States and America. Some years later, the brokerage slash bank that I was doing that for was hit by ex-sitions from a regulator that had enabled a large amount of fraud in a relatively similar pathway. And when I read that report, I thought, well, you know that kind of tracks frauds openly subordinate identities. There's a thriving market to be used in fraud. This is because bad actors prefer not putting their own names on paper trails certain to become evidence because they frequently burn themselves early in their careers and because institutions have gotten done to the wisdom of collecting lists of ultimate beneficiaries. Sometimes this is a social process conducted at, for example, the dinner table. Sometimes the market is explicitly a market. Jetson recounted that, they're arriving potential patients, first with donuts, and then with cash. This is extremely common. In Minnesota, parents were recruited to child care providers with the promise of cash kickbacks or, in a detail, we'll return to in a moment, fictitious paperwork to no showjabs, sometimes at substantially fictitious companies. Fraudsters sometimes exercise some level of operational discipline in their communications. The bad guys have also seen the wire. A population of people willing to be named in a federal indictment over $200, necessarily selects preferentially for individuals who are not experts at operational security. They will sometimes organize recruitment very openly, using the same channels you use for recruiting at any other time. Open Facebook groups, reddit threads, and similar. They will film TikTok videos, flashing their ill-gotten gains, and explaining steps in order for how you, too, can get paid. Now, knowing that there exists the frequent epithenomenon where fraudsters recruit strawmen to use their identities to qualify for payments. Suppose that you have entirely new enterprise whose first customers are individuals A, B, C, and D. You know from past records that A, B, C, and D have all been customers of an organization which you know, positively, was a fraudulent actor. You might infer from this that A, B, C, and D might have sold their identities once, but you probably don't have sufficient information to convict them of that in a court of law. It is, of course, possible that they are simply unsophisticated or that bad actor to obtain their information without their knowledge. For example, by misappropriating a client list from a previous corporate entity they happen to own, work for, etc. Do you have enough information to take a more detailed than usual look at this totally new enterprise? I think you do. As an aside, the financial industry is extremely aware of this fact pattern even though not everybody within the financial industry is aware of it. So a number of years ago my wife worked for a bank. We're a bank like financial institution and went to the same compliance trainings that everyone went to. Then she married me. I ran a small business for a while. That business closed and I went to work in a company. And when I was closing down the business, Rudiko said to me, hey wait, before you close down that business like that still has a big count open, that still has corporate paperwork. Why don't you just sell it to somebody? I said, oh honey, the people who want to buy a business is closing down. To get access to a bank account or a corporate paperwork, they are not good people. Just like no, someone will buy that for like $2,000. They saw a flyer about it once. Like honey. That flyer was published by a very not good people. We definitely, definitely do not want to meet them. Take their money, get embroiled in their schemes, etc. Because when the scheme inevitably comes to light, it will be my name on the paperwork and not in Japan, the people who are doing that are mostly ukusa. A symmetry and attacker and defender are burdens of proof. We have choices as the defender and what levels of evidence we require to enter the circle of trust. And what our epistemological standards are and how much evidence we require to forcibly exit someone from the circle of trust. A detail from the Minnesota cases is that these burdens are asymmetric in a way which just advantages the defender. All of us. That decision is a choice and we should make better choices. For example, the primary evidence of a child attending a date cure was a handwritten signing sheet of minimum probative value. Prosecutors referred to them as almost comical and useless. They were routinely fraudulently filled out by a 17-year-old signing for dozens of parents sequentially in the same handwriting, except in cases where they were simply empty. To refute this evidence, the state forced itself to do weeks of takeouts, producing hundreds of hours of video recording, after which it laboriously reconstructed exact counts of children entering an exiting of facility. Compare that with the billing records, and then invoice the centers only for proven over billing. I'm general industry knowledge. If you are selected for examination of, for example, your credit card processing count, and your submission of evidence is, oh yeah, those transactions are ones we customarily paperwork with a 17-year-old committing obvious fraud. Your account will be swiftly closed. The financial institution doesn't even have to reach a conclusion about every dollar which severed flow through your account. What actual purpose would there be in shutting the barn door after the horse is left? The only interesting question is, what you'll be doing tomorrow, and clearly what you intend to do tomorrow is fraud. We can architect the asymmetry in the other fashion. Legislative businesses will customarily, as a fact of their operations, put enormous effort into creating visible effects in the world, which are tributes to check. In technology circles, this is sometimes called a proof-of-work function. Once upon a time, a team of fraud analysts asked how they could possibly determine frauds from nonprofits, without having extensive industry knowledge about every possible commercializable human activity. I suggested that a good first pass was, just as corresponded for a quick video, shot on their cell phone, of their workplace. That is minimally invasive for a business owner. Generates a huge amount of signal, including a signal that can be correlated across the counts, and can be easily adjudicated by non-specialists in a minute. No multi-months take out if their storefront is required. Of course, you can convincingly fake a video of working in, say, a machine shop. But fraudsters maintaining spreadsheet row 87 about the machine shop, will find that difficult to juggle with all the other required lies in their backlog. Actual machine shops, meanwhile, include people, which means they include functional cell phone cameras at no additional cost to anyone. You can also get some signal from who can trivially produce a video and who needs a week of advanced notice to find a cell phone to record those machines milling aluminum last week. Fundamentally, we have a choice about where we put our investments in defaying fraud. We should stop choosing to lose. So called pay-and-chase, where we put the burden on the government to disallow payments for violations retrospectively, has been enormously expensive and ineffective. Civil liability bounces off exists only to defraud LLC. Criminal prosecutions, among the most expensive kind of intervention the government is capable of, short of doing kinetic war, only about a 20% reduction in fraudulent behavior. Rearchitecting the process to require prior authorization resulted in an immediate and permanent 68% reduction. I commend to you this research on Medicare fraud regarding dialysis transport, you can see the link in the show notes. And yes, the team did some interesting work to distinguish fraudulent from legitimate usage of the program. Not an emergency transport for dialysis specifically had exploded in reimbursements, see figure one in the paper. They got worse, but because fraudsters adversarily targeted and identified weakness in Medicare. Attackers carefully respond to signals that they think are being sent from defenders. Lawyer for some of the Minnesota defendants, Ryan Pacquiao, was quoted by the New York Times saying that his clients understood Minnesota to tacitly allow their actions. No one was doing anything about the red flags. It was like someone was stealing money from the cookie jar, and they kept refilling it. They kept refilling it from defenders that sent sent message. It will not work out well for you or your program. Fraudsters under paperwork through epiphenomena. Most frauds have rich external lives with a soaring narrative of how deserving people are getting valuable services and or getting rich for being right and early regarding, for example, a crypto asset cross-margining. They tend to be distinctly under paperwork to internally, partly because of synonym for paperwork to be communicated when you get down to it. There is a true number, lie about it, done. Like many time-crest entrepreneurs, busy talking and potential customers, fraudsters put the minimum amount of time necessary into bookkeeping, and even less than that into paperwork in epiphenomena, they're frauds. One example of an epiphenomena is sometimes that beneficiaries need their own paperwork. A legitimate mortgage company employs sales reps in a back office paperwork together to sell a mortgage. Fraudsters mostly don't do that. As an aside, for connoisseurs of the big sort and the financial crisis back in 2008, one I think almost quote from the movie is that during a financial bubble, the detected rate of fraud in the published sector of the economy tends to explode, and that fraud gets increasingly bracing. This is something that, indeed, we saw in the run-up 2008. Why do you all the work of getting through pages of documents together for a new mortgage? When you could simply get someone a no-income, no-job, no-assets, ninja, where I think non-specialists misunderstand what an engine alone is, it doesn't mean the person has no income. It means they have no income that they are able to substantiate in paperwork or that they have not done the work to substantiate in paperwork the income that is claimed on the mortgage application. One of the compensating controls that we enacted after 2008 is no, really, these requirements that you thoroughly paperwork mortgages prior to getting a federal guarantee for them are actually requirements, and we no longer turn the blind eye to staggering amounts fraud in that program. And so, if you have, for example, a statutory requirement that a beneficiary be employed to access services a fraudster might say, don't worry about it. It's just a cert that you are an employee at a cleaning company. It's overwhelming you as an employee of a cleaning company. Skills two birds with one stone. Paying you your kickback while also generating the pay stub that they need you to have to qualify for the government reimbursement. This happened for the OLA's reports, summarizing the results of many investigations in Minnesota. But fraudsters don't actually operate cleaning companies, even in most cases, where they do operate daycares. Cleaning companies are a legitimate business in the main, and working for one is an honest occupation. So if a fraud investigator should feel no sugar in, at calling a cleaning company in the phone book and asking for a quote. A cleaning company, which expresses complete the fuddlement that someone could ask for a quote is providing evidence in a direction. I have to note, as someone who pays to send children to private school, that there is repeat evidence that their school is accepting new children, knocking on the door and asking will quickly result in being given a brochure in the collection. I grew to a dysleamist-managed educational establishment, which does none of these things. And I can imagine an educational establishment, which makes a lot of money. But I have trouble holding both thoughts in my head at the same time. The core frauds are sometimes hearted to an attenuated degree. The peripheral frauds collapse, under even a glance. Architect processes to require more signals regarding the periphery exposing the exact signal that you're using, causing utility of it in the future. You can use this as a parallel construction mansion. Develop leads for investigation using the non-public signal about the periphery. Pull the core records as a matter of routine. Find the discrepancies that all frauds leave in their core records, and then put those in the indictment. Ask your friendly neighborhood lawyer if that passes mustard or if you need to add a sentence rhyming with, the department. Machine learning can adaptively identify fraud. We have discussed some heuristics for identifying fraud. The financial industry still makes material use of heuristics, but heuristic is compression of the real world. It will sometimes lose fidelity to the world. It will frequently, by design, be legible to the adversary. The defender has won advantage the attacker cannot ever replicate data at scale. It knows what legitimate use looks like because it is all the messy, contradictory, varying quality, typos in all data, which legitimate businesses in the real world constantly throw off. You cannot duplicate all the shadows of the wall of Kaleidos Cave without first duplicating the entire world. fraudsters, even quite talented ones, can't do that. There are any number of techniques for machine learning and anti-fraud. Emily Sans has previously discussed some on this program. An important subset of the field can adapt in real time or close to it to changes in adversary or legitimate behavior. For example, COVID surprised the fraudsters. At the same time, it surprised every supermarket in the country. But the expost actions of the fraudsters and the supermarkets were very different. Revenue went up for both, but only one group actually runs a supermarket. And so by adjusting and constantly analyzing data from all users, including retrospective annotation of which ones you've identified to be frauds, you get better and earlier signals on which users are likely fraudulent and which aren't likely not. This can inform outright interdiction or the investigate then punish loop that we ordinarily expect from government. It can also inform less consequential easier to reverse interventions. For example, rather than putting all users immediately through the highest possible ceremony process for an application. You can let most users do a lower burning process, saving the higher levels of scrutiny, for those who signal greater likelihood of being fraudulent. Or you can default to approving more applicants and reserve more of your investigatory budget for post-approval review, with this being equivalently costly by using better task-game of those reviews versus random allocation. Pay-and-chase becomes more palatable if it is not pay-and-pay-and-pay-and-pay-and-pay-and-chase. And more pay-and-till we decide to chase, but stop payments in that decision not after the caching. Machine learning isn't simply useful from a perspective of decreasing fraud. The history of regulation of benefits programs is the history of too late, too harsh, over correction to notorious abuses. Much of what advocates find most maddening and Kafka-esque about eligibility criteria and application processes was voted on by a legislature, but bears the signature of a fraudster with an awful business idea. With a good machine learning practice, you can increase data ingested, but decrease the burden some formal application requirements. This is a no small part because those data points are less probative. They are under the direct control of the attacker and they announce that they will be scrutinized. But it bears the dividend. If you better control fraud, and can successfully demonstrate that to the public and legislators, you can decrease the application burden and perhaps even widen eligibility criteria. Those are both in the direct interests of the potential marginal beneficiaries. And as a callback, this is one of the reasons why affinity frauds, which might recruit fraudsters from an affinity group are also victimizing that affinity group. To the extent that one cares for people who need government-sponsored take care in Minnesota, you should care very intensely that fraudsters are stealing half of those dollars and causing the government to interdict the receipt of the other half of the dollars by legitimate take care providers. A political commentator might focus more on the optics here than on the substance, because that is so frequently where the actual point of leverage is in politics. But the substantive reality of fraud losses matters. It is much easier to tell the story of fraud in benefits programs being rare, opposed by all right-thinking people, and swiftly sanctioned when that story is not an obvious lie. Frauds have a life cycle. You can read lying for money or other histories of frauds for more details on the texture, but in the main, a dedicated fraudulent enterprise is created seasoned for a while before crossing the rubicon. It has a period of increasing brazenness, is detected, is closed, and then is resurrected and the fraudster gets the band back together for round n plus one. We can intervene against the life cycle model if we understand it. This begins with not defaulting to the understanding of investigators that frauds are isolated incidents by disparate individual actors. Those have been known to happen. But frauds are, by total damage, dominated by repeatable business models, perpetrated by professional, specialized, bad actors. We should study them like we study other successful entrepreneurs, and then not invest in them. One actionable insight from the life cycle model. Because the fraudster intends to be in business multiple times in their life, we should track the person to business mapping much more closely than we have historically. As lying for money says, if you're an accountant of willing to go to prison, and you did not get rich via fraud, well, you were a very bad at your job. That's on you. When we give you repeated chances to do it, that's on us. One might think that the simplest imaginable reform is passing some sort of beneficial ownership regulation to unrolled complex corporate structures designed to obscure who is actually puppeting totally not a fraudster LLC. But the simplest imaginable reform is probably just actually reading corporate filings that already exist and are public. Again, most fraudsters are not the hypersubsticated more realities of the popular imagination. The Minnesota fraudsters frequently did not even bother with fake leaves. While they did find some nominee directors in some cases, many of the convicted operated their companies in their own names with no complicated structuring at all. Sometimes, multiple times, consecutively, after the previous entities had worn out their welcome with Minnesota. The Fed should not be surprised when bad guys buy a bank, when buying a bank requires an extended permission seeking process and the bad guys' corporate records dutifully recorded by Maryland, entity D20033544 are signed by a notorious bagman. In the Fed's defense, the bagman lied to them about his intentions, which was outside their world model. It pipped New York Times for figuring that out before the Fed did. This is sadly not the way the world usually works in financial journalism. So should we care about fraud investigation anyway? Responsible actors in civil society have a mandate to aggressively detect an interdict fraud. If they do not, they see the field to irresponsible demagogues. They will not be careful in their conclusions. They will not be gentle in their proposals. They will not carefully wait consequences upon the innocent. But they will be telling a truth that the great and the good are not. The public will believe them because the public believes it's lying eyes. And that's all we have for today. Next week on Complex Systems. Thanks for tuning in to this week's episode of Complex Systems. If you have comments, drop me an email or hit me up at patio 11 on Twitter. Ratings and reviews are the lightblood of new podcasts for SEO reasons. And also because they let me know what you like.