The best fintechs turn risk into leverage



  • Every fintech is in the risk business. Every startup is in the growth business. So fintech startups must walk the razor’s edge of growing fast while managing risk.
  • Most fintechs eventually get “good enough” at risk by capping its downside, but this ultimately caps their upside also. For example, the controls that filter out fraudulent users or minimize credit risk also create unnecessary friction for good users that limits their monetization.
  • Select fintechs develop a “dynamic risk posture,” approaching risk not as something simply to be minimized, but as core IP baked deeply into their product or business model.
  • This posture allows them to achieve greater and healthier growth with less risk than competitors serving the same users. This in turn allows them to grow faster without simply taking on more risk, a significant edge in today’s competitive fintech markets.

Every fintech is in the risk business, whether they want to be or not. That’s because fintech unit economics have a unique factor: downside risk.

The typical SaaS startup focuses on retention and fights churn to retain the net dollar value of a given cohort. Their absolute downside is zero, i.e., everyone in a cohort stops paying. A fintech’s absolute downside is not zero, but negative. They must contend not only with CAC, churn, etc, but also with the fraud and/or credit risk of each cohort. A bad user in fintech can go beyond zero and actually cost money.

Fintechs live or die on their ability to manage fraud and credit risk. Most companies eventually get “good enough” at it or simply die by mismanaging it. “Good enough” means they treat it as an unavoidable cost of doing business and a drag on their margins, internal resources, and user experience.

However, the best fintechs don’t just manage risk, but convert it into core IP and leverage in the business. This means they can achieve superior economics with the same set of users relative to their competitors. There are various ways of doing this, by focusing on upside maximization or downside minimization, focusing on speed or accuracy, etc. We’ll get into all this below.

There’s a massive difference between good and great at risk. And being great does *not* mean simply taking more risk. It’s easy to loosen underwriting and risk controls to accelerate top line growth for a few months. But those weak cohorts will eventually come back with a vengeance.

Before we get to how companies exploit risk, let’s talk about the typical evolution companies go through in dealing with risk.

A toy model for risk

A fintech acquires a cohort of users for its product, whether that’s processing payments or applying for loans or trading crypto. Some are good users who will use the product, stick around, and be profitable. Others are bad users who will cost the company money, because they either engage in fraud or lose money in some other way (e.g., defaulting on a loan).

However, the cohort is a black box at first. The fintech doesn’t know which users are good and which are bad. The challenge is to simultaneously activate and maximize engagement of the good users, while identifying and limiting the downside of the bad actors as quickly as possible.

Each cohort has an expected value, which is the sum of the revenue generated by good users and the (negative) losses created by the bad users. The dotted bars below are the potential upside and downside of a given cohort, while the green and red bars are the actual revenue and losses of that cohort. This results in the net value of the cohort.

The challenge is that anything done to maximize the green bar (actual upside) will likely also increase the red bar (actual downside), and vice versa. Compounding this, companies need to do this sorting as quickly as possible, without creating too many false positives or false negatives.

For example, a payment processor that sets very fast payout schedules for all merchants, even new ones, will attract users on that selling point. This will increase engagement amongst good users, who can get setup and get their funds faster. But this will also make it easier for bad actors to commit fraud. If you set too slow of a payout schedule for new users, it will help catch fraud. But it will also add friction for legitimate users that may turn them to competitors.

It’s an incredibly hard problem to solve. The attack vectors in fraud risk are constantly evolving, along with many factors, like the role of macroeconomics in credit risk. Even mature companies struggle to get and stay “good enough” at this, but they must continually maintain their risk muscle to survive and grow.

Three different ways to manage risk

The toy model above leaves out a key step: the company’s “risk posture”, or its sophistication, attitudes, strategy, tools, and tactics for managing risk.

Think of a risk posture as the sum of a company’s ability to:

  • Sort good and bad users into their respective buckets as quickly as possible
  • Maximize the upside of good users and minimize the downside of bad users
  • Keep the upside maximization from impeding the downside minimization, and vice versa

A company’s risk posture will determine the actual upside and downside of a given cohort, which in turn will determine its unit economics. And unit economics are a company’s destiny.

Most fintechs start with a “static risk posture”. They have basic, hardcoded rules that treat all users the same. Whether deliberate or not, this is a one-size-fits-all approach tries to split the difference between maximizing good usage and minimizing bad.

Because early stage startups are, well, early stage and thus small, they’re unlikely to have the scale that exposes them to significant losses in the early days. This can create a false sense of security. These companies think their basic rules are actually stopping losses, when in fact there are few losses to stop yet. They don’t know what they don’t know about their risk, and so aren’t aware of the trade offs they’re making and the exposure they have.

A simple way of thinking about risk posture is as a risk-return graph. The many decisions a company makes about risk – the type of customers they acquire, onboarding they require, limits and incentives they provide, etc – all boil down to some trade off between estimated risk and expected reward.

A company with a static risk posture is somewhere in the shaded box below. They don’t know exactly where because they don’t have the sophistication to diagnose their actual exposure. However, their actual risk/return posture is a fixed point, because their rules are static. And they’re likely taking more risk than they’re getting in return, but aren’t seeing the negative consequences of that yet because of their scale.

An example of such a posture is a platform that allows its merchants to accept payments, and puts all new merchants on a default 2-day payout schedule, or a lending platform that starts all users with the same low and arbitrary limits.

Some companies never make it past the static posture. That can be what ultimately kills them. The losses dragging on their unit economics may make it difficult to justify further investment, or it may simply bankrupt them.

However, if a company finds product-market fit despite its static risk posture, it will develop “flexible risk posture”. This means it not only understands its risk exposure, but can proactively manage that exposure along a rough risk-return curve. Often this means implementing basic tooling to make different risk decisions at different times for different users. An example of this is if the same payment platform above offered different payout schedules based on a user’s approximate risk profile upfront as well as its ongoing behavior.

Most Series B+ fintechs end up in a flexible posture. They have sufficient visibility into and control over their risk and know the rough upside and downside of each cohort. This still requires constant monitoring and investment, but it’s unlikely to blow up the business. They’ve capped the downside, but they’ve likely also capped the upside.

A select group of fintechs achieve “dynamic risk posture”. This is not something they stumble into or crudely iterate their way to. It’s often the result of deliberate, foundational decisions about the business model, product, and/or growth channels. Often these decisions can seem counterintuitive if viewed on a standalone basis.

This means they can have something closer to a one-unique-size-for-every-user approach to risk, rather than a one-size-fits-all or one-size-fits-most approach. This means they can do some combination of the following:

  • Determine who is a good user and who is a bad user more accurately and/or faster than their competitors
  • Determine this without hindering the upside of the good users or allowing the bad users to generate too much downside
  • Adjust their risk posture as the market and their individual business evolve

A dynamic risk posture is powerful because it allows a company to generate better unit economics from a given cohort of users than a competitor with a simpler risk posture would. For example, say Companies A and B both monetize small business payments. Company A has a dynamic risk posture while Company B has a flexible posture. The same new user may be worth $100 to Company B but $150 to Company A, since it can activate good customers faster and minimize losses from bad ones. This means that Company A can pay the same CAC as Company B to acquire that customer and generate more revenue, OR it can outspend Company B on CAC without damaging its relative unit economics.

It’s important to note that the optimal amount of fraud (or losses) is greater than zero. The goal of a dynamic or even flexible structure is not to get losses to zero or even to blindly minimize the absolute amount of losses. Instead, the goal is to have a better ratio of upside to downside, and grow upside while keeping the downside in a comfortable enough ratio (relative to competition, customer experience, expectations of partners like bank sponsors, capital providers, regulators, etc).

Building a dynamic risk posture

Companies with flexible risk postures are all generally alike, while companies with dynamic risk postures are dynamic in their own ways.

Most fintechs can attain a flexible posture. It simply requires hiring the people who have done it before, investing in tooling and best practices upfront, and continuing to invest as the company’s risk profile evolves.

However, a company cannot simply decide it wants a dynamic risk posture. This requires thinking about risk as a key part of the business model and/or product early on. It requires making tradeoffs that may seem non-obvious or sub-optimal at first, but that develop into an edge over time.

Let’s look at two examples of how companies can do this. These are later-stage examples, because the power and efficacy of a dynamic risk posture becomes most obvious at scale. (Although if you’re an early stage company building this posture, or the tools for companies to develop such a posture, I’d love to talk to you!)

Dynamic risk through business model design

Afterpay, the Matrix-backed buy-now-pay-later acquired by Block, is one great example of this. It offers installment payments for low value ecommerce purchases (<$150), primarily via fashion and beauty merchants. By focusing on low value, high frequency purchases, with the first 25% paid upfront, Afterpay could offer a product that was both immediately valuable to its users and had a downside capped at 75% of the already small order value.

Low-value fashion and beauty products are also inefficient to sell on the secondary market—unlike, say, higher priced fashion items (collectible sneakers, designer handbags) or consumer electronics. Users typically could not make a second purchase until the first one was fully or mostly paid back. So Afterpay was an unattractive product for fraudulent usage.

As consumers demonstrated good repayment behavior, Afterpay could gradually increase the limits of individual purchases and their overall balance. Each order had a very short duration (6 weeks), which meant that Afterpay could quickly adjust its underwriting based on overall macro conditions and the behavior of individual consumers.

The power of this tight feedback loop is evident in the graph below of Afterpay’s loss rate over time. The loss rate not only declines as cohorts mature, but recovers quickly from exogenous shocks like COVID, as new underwriting approaches can be applied to new cohorts quickly.


Dynamic risk through distribution

Some innovations in the design or distribution of a product can substantially benefit risk, even if that isn’t its primary intention. One example is the broad category of fintech embedded in software companies (a.k.a., vertical ERPs). This means payments companies like Toast or Square bundling software like scheduling and order management, and then further bundling financial products like lending. SMB lending is typically risky because of the unstable nature of these businesses. However, being a VERP allows these platforms to underwrite using proprietary data as well as use underwriting methods and offer financial products specifically tailored to the customer type they serve.

For example, Toast can evaluate years of a restaurant’s bookings, payments, payroll, etc for underwriting – data that is siloed on its platform and is not easily accessible to traditional lenders. Also, because Toast sits in the restaurant's flow of funds by processing its payments, Toast can de-risk its repayment by taking an incremental cut of every transaction.

This is a clear example of how a company with dynamic risk posture can treat the same customer differently, extracting premium economics at a lower cost and risk. A traditional lender’s primary underwriting may look at generic financial statements, while Toast has a wealth of additional data that enriches the financial statements and is real time. Last, Toast has the benefit of building more accurate underwriting models by focusing on a specific segment, compared to more traditional and horizontal lenders.

Another non-obvious benefit of embedded fintech: by combining high-margin software revenue with financial revenue, such as interchange or lending, these VERPs can accept a slightly higher loss rate because they see that customer as having a higher LTV through the full bundle of software and financial products, compared to a traditional financial institution which is likely evaluating the profitability of a credit product alone.

These are just some examples of dynamic risk postures. There are many more out there. It’s a fun challenge to try to identify which companies are simply good at risk and which have taken it to an entirely different level.


Any company with a financial product is in the business of risk. Startups are in the business of growing fast. So fintech startups must walk the razor’s edge of growing fast while managing risk.

Hemingway wrote that bankruptcy happens “gradually, then suddenly.” The same can be said of the pains and downsides of mismanaging risk. Some fintechs chase growth by taking a deliberately lax approach to risk.  But trading risk for growth is like picking up pennies in front of a steam roller. This generally worked in an era where top-line growth is all that mattered and losses were tolerated as long as growth continued. Today’s tighter capital environment is changing that.

Smart fintechs learn to measure and control their risk. The smartest fintechs find ways to turn that risk into core IP and leverage for the business. They not only cap the downside of losses, but do so without capping the upside potential of good users. They even go further in identifying and engaging those good users to maximize their upside. This leaves them with more options to trade off risk and return, so they can grow faster without taking on more risk. And that’s how great businesses are built.

If you’re building something that helps companies build better risk postures, or are working on a novel risk posture, I’d love to hear from you. mb at

This post was originally published here.