Product-Led Risk Management
Your product & platform contain the strongest signals to manage fraud & credit risk.
Let’s call this “Product-Led Risk Management” - we can’t let “product-led growth” have all the fun.
This term represents my belief & experience that every piece of info your business needs to manage fraud & credit risk can be captured directly from your platform, products, & customers. Every tool you need to mitigate risk can be built within your product.
It’s quite a lofty thought considering all of the external data we’re used to taking comfort in.
I’m not saying external data sources don’t have a time & place - I just think they should be viewed as icing on the risk management cake: your product’s insights.
Why consider this?
I’ve seen businesses that lean into this type of risk strategy drive a number of key metrics, including higher conversion rates, improved pricing & margins, & gains to customer LTV & CAC.
I will describe how utilizing this strategy influences each.
Historical Risk Strategies
Before diving into “product-led risk management”, it’s important to understand the state of current risk strategy and its inputs that got us to how we manage risk now.
To do so, let’s take a look some facts about what these strategies were designed to protect: financial products (and the parties involved).
Historical financial products have involved some aspects of the following characteristics:
Human Relationships
Clear geographical boundaries
Tangible assets
Time (applicant history, product duration, time to complete & close the deal)
Communication (think document exchange, emails, phone calls)
These inputs bred a type of risk management that’s built around their known existence. A few basic examples that come to mind:
Covenants - Legal agreements that protect the lender or capital provider. Generally includes adherence to extensive risk & financial metrics, exchange of collateral, and more.
Financials Analysis - This assumes both reliability of the documentation and time to sufficiently analyze
Character of the applicant - Deeply understanding the applicant & what the product will be used for.
External scoring systems - These systems rely on the entity applying having an established track record & aggregating behavior into a score
Why shift towards product-led risk management?
There is a time & a place for deploying the historical strategies listed above. They will almost always hold value for some businesses at certain stages.
However, for technology businesses who are finding product market fit & beginning to scale quickly, these strategies need to adapt in order to facilitate growth.
To win & grow in today’s world, financial products must:
Be delivered fast
Via a great experience
With competitive terms
In addition to this criteria, customer characteristics have shifted drastically:
Geographic lines are blurred
Many companies have no or few tangible assets
Many applicants have no history to reference (think inception companies, international entities (persons & businesses)
All of these factors lead to an application process that must be:
Friction-less
Instantaneous decisioning
Without painful documentation uploads or additional requests
Little to no communication
Flexible
Customer profiles & characteristics will be increasingly different, even amongst a very narrowly defined audience
Product terms that fit the customer’s unique needs (optionality)
Queue the Need for Product-Led Risk Management
All of the historical methods used to manage risk pose a number of problems to the needs of customers & growth today:
Collecting information takes time - delaying the application
Collecting external data points is expensive - increasing price or cutting into margins
Historical methods are not flexible - credit worthy customers may be excluded from your product based on archaic assumptions
Historical methods are losing effectiveness at surfacing real risk
Key business metrics are swayed by the impact of risk management strategy. I’ve listed a few below along with some basic ways each can be affected by risk strategy:
Increase customer conversion rates due to frictionless applications & instant decisioning (ie less requests, documentation, & touchpoints)
Improve pricing & margins (traditional risk management can be very expensive)
Increase lifetime value of the customer (less likely to close an account due to false distress or risk signals, less churn due to painful processes )
Improvement to CAC via organic acquisition gains (higher customer satisfaction due to less service disruptions or friction from archaic risk management processes)
Reduction in partner risk - many risk models are built around external parties (which can have their own issues, assumptions, and risks)
So, what exactly is product-led risk management & how can it be applied?
Credit & fraud risk can be managed exclusively from the data your company collects on its platform and products.
This hypothesis has three key components:
All fraud & credit risk follow general patterns
All fraud & credit risk follow patterns that are specific & unique to your platform and customer base
Your platform inherently holds key advantages & insights that cannot be produced or found elsewhere:
Intimate insights of your product’s use and user behaviors
Unique ways tools can be built & leveraged on your platform
Weaknesses and gaps unique to your platform
How to begin leveraging product-led risk management
Invest in your data & data infrastructure. Find a way to capture and cache insights from across the platform from an early age. Early on, capturing data is the key - structuring, optimizing, & analyzing come next.
Invest in someone that knows fraud or credit risk patterns & can identify them. It is difficult to use this risk strategy without a person or team that understands the patterns & schemes
Have a deep understanding of what healthy customer behavior looks like. If you have none of the above, you can analyze trends from your good customers. Any material deviation from these trends should be a signal you can leverage.
Invest in loss to deeply understand it. When you’re starting out, or even at a larger scale - some loss is welcomed. Break down exactly how it happened (timeline, customer characteristics, product flow) & glean insights that can be baked into the product.
Understand your weaknesses. Every platform has a weakness - an area that hasn’t been developed yet, a process that’s inefficient, a team that’s understaffed or junior. Identify those areas - and you’ve identified where you’re likely to be exploited.
Reverse engineer Risk - How would you act if you were a financially distressed customer using your financial product? How would you approach your product if you were a fraudster with malicious intent?
Identify proxies - Gray areas are a fact of life in risk management. Sometimes, it’s really hard to tell what is fraud or financial distress vs what’s just strange behavior. Find these examples and create stories about them.
Find your advantage - You offer a product or service. What is it? How can you extrapolate its specific use case to understand various behaviors and profiles of users? What exactly do you do better than everyone else? Leverage it.
Real World Applications
Product-led risk is not pie-in-the-sky theory. I’ve seen it & used it myself - and have a few simple examples to highlight.
While working in payroll, we used a number of product insights as our key risk signals.
Some primary product insights relied on:
Payroll schedule - we knew exactly when businesses would run payroll. Deviations were strong signals of risk.
Employee wages - salary & hourly details were available. These were trackable throughout an employee’s journey to other companies over time. A sudden jump in wage or payment frequency is an interesting data point.
Payroll type: Salaried vs contractor vs owners draw - each has different tax implications, different predictability profiles - & therefore, different likelihoods of exploitation
Payroll speed: Payroll was ran through the ACH, which takes time. We offered faster speeds as a product - & distressed companies/ fraudsters knew the fastest speeds were best.
While working in Enterprise Spend Management - we used the following.
Every spend instrument (think bill payments, purchase orders, reimbursements) had a Request and an Approval
Velocity of completion of this loop was a sign (fraudsters did this fastest)
Identity of both parties (sometimes - it was the same person that requested & approved. That’s abnormal)
Spend Policy
Each customer (business) had a company spend policy that dictated how each piece of spend was managed
Spend that fell outside of the policy was flagged
Receipts, invoices, and purchase orders
Most customers required documentation for large transactions
Why would a $150k vendor payment have no documentation?
Sometimes - we would catch that a receipt was totally bogus
Natural growth of the customer post onboarding
When a new customer joined, there was always an implementation ramp up time
Deprecating the old spend management software is a massive undertaking for customers - it takes time & a growth in comfort level to fully transition to the new solution
Generally, massive movements of money were not expected within the first 3 months of onboarding - but fraudsters are not patient
FullStory is a software that records a specific user interaction on the platform. When our risk models flagged strange behavior, we could watch the recording. It is shocking how much different fraud or distress looks in comparison to normal platform interaction. Some companies have created algorithms specifically on flagging user behavior (think mouse clicks, typing style, etc)
While these are all very simple depictions of leveraging the product for risk management, when done correctly - this sort of analysis & understanding across your platform can be a completely comprehensive risk management strategy .
Thanks a ton for reading - I’d love to know your thoughts!
