Frank founder allegedly defrauded JPMorgan out of $175M hit with federal charges (businessinsider.com)
How did a financial audit not uncover the dramatic mismatch in actual vs. purported activity? How does a transaction value of $41 per user (x 4.25M users) not translate to an auditable revenue stream?
This doesn't look good on either party.
Not necessarily true. Depending on the type of audit, part of the audit is to cherry pick (or randomly pick) recorded accounts and confirm whether they are backed up by various documents. For example - anyone can put in a receipt for a plane ticket and then have that plane ticket hit the P&L as a journal entry. But an auditor may look at the plane ticket receipt and check for the date, name of person on it, what date they were flying, what was their origin and destination, etc. etc.
Source - currently under audit, and auditors are asking for confirmed records that support what is in an accounting system.
Typically, it's just compliance.
Diligence usually means talking to top customers, but deals get rushed, access is a negotiation point, and liars are hard to detect.
DD guy here. This is the most plausible explanation.
When you're under LOI there is a lot of back and forth, which ultimately guide how the purchase agreement gets formulated. So if this was the case, then they would have made the trade off of "ok she's not letting us see the list, but we'll make sure the SPA is ironclad about this". Ultimately deals then get some money locked into escrow or RWI to soften the blow of the cost implication.
At the end of the day, let's say you're JPMC and the company that you acquired did exactly what Javice did. You have an SPA that binds you legally (meaning, if they're caught lying post close, they'll get sued), how on earth would you think someone was dumb enough to try to get through diligence, then operate the company post close, and NOT expect to be found committing fraud?
That’s pretty much what Theranos did. The due diligence people walked away and threw a few hundred million more at Theranos. That compares to the due diligence we went through when I worked at a small startup years ago. It was only for a few million but they made us go through hell with all their information requests.
Seems if you want to commit fraud it’s best to go really big. The bigger you are the less scrutiny and less consequences.
And it's not like that money is completely gone. JPM will sue and probably recover a very large chunk of it. Say that of the $175 million, they get back $150M, so they are out $25M. It's just not that much money to them. Sure, someone didn't do their job and will probably get fired over this, but Jamie Dimon and the executive suite don't really think about $25M losses.
It's far less about the percentage of JPMC's market cap, and more about the fact that a competent due diligence effort would cost less than $250k, which is insignificant against the cost of the acquisition.
Who are they going to sue? Javice's stake in the company was only worth $21M.
If the rest is held by shareholders who weren't involved in the running of the company, good luck getting it back from them.
Bottom line it's human to trust. It will always be very hard to uncover deceit when it's part of your business to make sure it continues and work hard to cover it up. Looks to me like the auditors never had a chance.
I'm surprised that the founder didn't just grab the money and move to a country where there's no extradition. Last I read she was still claiming that the business was 100% legitimate.
Anyway, wasn't there some business behind the supposed 4M users? You can fabricate 4M users in a csv file and insert them into your production DB, but shouldn't there be some revenue associated with those users, and couldn't the acquirers have looked to see if that revenue existed?
I have no problem with charges being filed, but seriously... it's not like the buyer was some kind of low-budget mom and pop shop or community bank. I'm just not very sympathetic to JPMorgan for being scammed in a situation where being wary should be standard.
A just question. How much due diligence was done on SBF / FTX by The New York Times and by the VCs who poured hundreds of millions into a pure fraud?
NYT isn't an investor, so that's a total non sequitur.
VCs on the other hand...VCs don't do much diligence. And who really cares really? They lost their money, not yours.
My immediate reaction to when JPM found out they'd been duped after running an 'email campaign' was, hmmm, maybe well deserved, should have done your homework!
I want to put the blame solely on the executives, lawyers and team that drove the acquisition forward.
Obviously we can open the floodgates of conspiracy theories. Maybe, some from JPM team may have been on this...
“An internal investigation revealed that Javice and Frank chief growth officer Olivier Amar — referred to as "CC-1" in the federal charges — paid a New York data science professor $18,000 to create nearly 4 million fake accounts in order to juice Frank's user numbers, JPMorgan alleged in its lawsuit. Amar later bought a list of student email addresses from a marketing firm for $105,000 in order to make those accounts seem more credible, JPMorgan alleged”.
I guess it’ll be prison?
2. It's perfectly reasonable to ask someone to create a 'test' dataset for you. Just don't tell them that you're going full fraud with it.
3. People working for software firms get paid to create test datasets all the time. 18k for an outside one-time consultancy is not an insane number.
Software People: Ha they paid 18k for fake emails!
Business People: .. (nothing, they think nothing of spending 18k to push through a 175MM deal.)
The Frank founder went to work for them after this closed. It doesn't look like she thought she did anything wrong here otherwise you'd think she'd get as far away from the mark as possible.
When fake it until you make it and hustle culture goes horribly wrong.
She probably thought they would just be subsumed into a massive corporation, that JPM had shitty metrics and monitoring on their marketing campaign, and nobody would notice most of their emails were going nowhere.
A key piece of evidence is around whether Frank had 4.25 million users or 300k. Javice (Frank's CEO) alleges JPMorgan Chase (JPMC) is misrepresenting what she provided, saying she merely anonymized the data by making it "synthetic" to a third party for verification to avoid sending PII to JPMC before the deal closed.
Here's the problem though: it (allegedly) wasn't anonymized data - it was fake data, and later when JPMC asked for the real data after the company was bought, Javice bought data for ~4 million students from a third party vendor for ~$100k, combined the data to build the "final database," and JPMC very quickly realized that most of the data was no good.
And it is a wild story! It's probably going to get the miniseries treatment. The Uber/Theranos/WeWork shows were pretty popular, after all, so I'd bet that a second batch is coming with FTX, Frank, and that Korean guy who went on the lam in Montenegro. Hah.
"Frankly fraudulent"
"When Frank tanked"
"Frank robs the Bank"
This seems entirely inevitable since the emails were largely not actual customers…
Very strange.
Maybe a fancier scam would be parsing for links and randomly fetching them with headless chrome. But I doubt that’d be required.
You don't think it would be at all suspicious that most of the emails in the customer list are using weird custom domains rather than the popular ones like gmail.com or outlook.com?
I made 10K fake users for testing the app I'm developing now. I used thispersondoesnotexist.com, and about a half hour's worth of PHP programming, to make an open-ended user generator.
I only need 10K users, and it takes about an hour or so to generate them, but I'm sure that this type of thing could be easily scaled.
"Hey, ChatGPT, can you give me the SQL for five million users, with the schema published here?"
You describe an idea and get very realistic users that you can chat with. Hooking that up to an email account could have been very convincing...
Typing in Frank's elevator pitch:
"Frank is a financial platform that helps college students manage their financial aid and student debt. Frank offers a free solution that allows you to streamline your FAFSA application, educates you about what FAFSA does and what parts of the application are important, and helps you potentially get additional money."
Gives some cool results
100% Fake business, fake customers. $175M valuation. What I don't get is why JPM didn't realize that this company had no revenue, unless they completely cooked the books.
It's unfair and awkward but ventures which heavily push the mission like this one should be pushed harder on their fundamentals by the investor / startup community.
One of the issues was that "she could not share her customer list due to privacy concerns". So maybe JPM could have pushed back against that more?
"""Javice also cited privacy concerns in sharing Frank’s customer data directly with JPMC. After numerous internal conversations, and in order to allay Javice’s concerns, JPMC agreed to use a third-party data management vendor, Acxiom, to validate Frank’s customer information rather than providing the personal identifying information directly to JPMC."""
The gap here was _huge_. If I was the JPM diligence team, I might have asked them for read-only access to their product analytics. They claimed something like 10K FAFSA applications/day. This should show up nicely in their analytics tools. Yes, they could fake these visits--but it would be much harder to fake that you're getting 10K visits from appropriate regions, at appropriate times of day, with appropriate dwell times, with appropriate distribution of completion rates.
Credit card processor revenue reports over prior months may have shown startlingly small revenue. Match that with bank statements.
The real due diligence is their networks and reputations. If the people in charge say yes, then the paperwork will support whatever they said already.
This is a poster-child example for confirmation bias. You don't hear about all the DD that doesn't result in a fraudulent company being purchased.
I went through this as an exec at a startup for a deal in the "few 10's of millions" range and the level of effort for the due diligence process was astounding. I'm pretty sure that by the end of the process, the acquiring company knew more about us than we did ourselves.
But what we are uncovering is that DD is not the boss or the final decision maker.
People in power can arbitrarily choose to ignore DD.
That’s what we are seeing.
Actually opening the emails without triggering Google is a bit more difficult, but I imagine a good residential proxy service (either legitimate or botnet) and a bit of scripting can solve that for another couple thousand USD.
Of course doing all of this makes you look more criminal and JPM look less dumb, so I'm not sure if this is actually a good idea even if you start off with the idea of defrauding the buyer.
DD = due diligence
LOI = letter of intent
SPA = stock purchase agreement
RWI = reps & warranties insurance
That was in answer to someone earlier asking about those acronyms, but in a rude way that got their comment flagged to death, which also hides replies. I tried vouching for it to revive it so people could see the reply that explained the acronyms, but it did not help.
DD - disk destructor, double-down (a tire sidewall specification)
SPA - single page application, specific purchase agreement, etc
and the list goes on.
""" After the August 3, 2021 Zoom meeting, the Data Science Professor returned a signed version of Frank’s NDA. The Data Science Professor’s usual hourly rate was $300. Javice unilaterally doubled the Data Science Professor’s rate to $600.
[...]
Specifically, on August 5, 2021 at 11:05 a.m., the Data Science Professor provided Javice an invoice for $13,300, documenting 22.17 hours of work over just three days. The invoice entries show that the bulk of his time was spent on the main task that Javice retained the Data Science Professor to perform – making up customer data. The Data Science Professor’s invoice indicated that he performed “college major generation” and “generation of all features except for the financials” while creating “first names, last names, emails, phone numbers” and “looking into whitepages.”
In response to the initial invoice, Javice demanded that he remove all the details admitting to how they had created fake customers – and added a $4,700 bonus. In an email to the Data Science Professor at 12:39 p.m. on August 5, 2021, Javice wrote: “send the invoice back at $18k and just one line item for data analysis.” In total, Javice paid the Data Science Professor over $800 per hour for his work creating the Fake Customer List, which is 270% of his usual hourly rate.
The Data Science Professor provided Javice the revised invoice via email seven minutes later at 12:46 p.m., commenting “Wow. Thank you. Here is the new invoice.” """
https://assets.bwbx.io/documents/users/iqjWHBFdfxIU/rNlNVTl....
[1]https://www.bloomberg.com/opinion/articles/2023-01-12/jpmorg...
You need to follow at least some threads all the way down to the ground truth.
First, ask for 20 references of successful happy customers, talk to all of them, and do some verification. Then demand to see all the "real" data and select a random sample of 50 emails and track them all down to real people (or not), and ask the people at those endpoints what is going on.
Yes, this would take a week for a handful of interns/junior employees and one senior staffer. But you are about to invest $175 million. It is worth a bit of actual effort, not just a bunch of handwaving over expensed dinners.
This should be a career-ending move for anyone involved at Chase.
( Remember: should =/= is )
Apart from the privacy/compliance/legal reasons that make this very difficult, a very low proportion of 50 real paying corporate customers are likely to respond to an email from a seemingly random source; change that to 50 students and you’d hardly get any.
Not sure how much VCs coinvest in their own funds but I'm willing to bet most of their retirement funds are not in VC investments.
Then take this up with your local government then. There is a quantitative risk versus reward they take, and you should be glad that they take this bet. FYI - their portfolio mix for VC assets is usually like less than 5~10%. If a GP makes one bad bet, they hardly feel this.
> Not sure how much VCs coinvest in their own funds but I'm willing to bet most of their retirement funds are not in VC investments.
(1) most co-invest (2) no one in their right mind would put all of their assets in one VC fund. (3) if you're a partner at a firm like Sequoia, you likely have a family office setup, which would follow a similar model to that of a pension fund.
Since huge frauds propped up by VCs seem to collapse several times a year, it doesn't seem like losing their money is incentive not to invest in frauds. It seems like they've just priced it in.
Granted, this might be yesterday's war, money might be tight in the next few years and that might better align incentives.
No one made you buy crypto on FTX. You have to do your own diligence.
> It seems like they've just priced it in
Ding. Ding.
Even if you don't get responses & interviews, you can also use the profiles to do verification - just find correlated data in the wild showing that these people exist -or don't. Check the physical addresses - is the same family name resident? Check school records, does the student exist? Etc. Etc. Etc. Sure, you'll find a few failures, but when they all turn up bad, you will have saved your team $175 million - worth a week's effort.
> it creates an externality we all have to deal with - we're basically subsidizing their credulousness by getting defrauded.
and I commented on why I thought it was wrong (e.g. "you don't have to deal with these externalities unless YOU choose to"). How is that not a discussion?
> That's not really what I'm here for, so take care.
Yet, you still responded...hence, discussion.
Sheesh, tough crowd.
They were totally complicit allegedly.
JAVICE told Scientist-1 [...] that she had a database of approximately 4 million
people and wanted to create a database of anonymized data that mirrored the
statistical properties of the original database (the “Synthetic Data Set”).
[After JAVICE sends Scientist-1 the data], Scientist-1 understood that the data
available via the Access Link Email -
**a data set of approximately 142,000 people** (emphasis added) -
was a random sample of a larger database which contained data for approximately
4 million people. In fact, that data represented every Frank user who had at
least started a FAFSA.
[1]: https://www.justice.gov/usao-sdny/press-release/file/1577861...