PayPal is famous for being one of the few dotcom successes that survived the 1999 bubble. It is also famous for the ‘Paypal Mafia’ — the founding group of individuals who left PayPal in the wake of their 2002 eBay acquisition and then spread out to start multiple successful companies in Silicon Valley over the subsequent decade.
A huge part of the PayPal mythos is the story of their battle against fraud. An entire chapter in Jimmy Soni’s book, The Founders, documents the creation of the IGOR transaction monitoring system — as well as the various user interface innovations that the PayPal engineering team came up with over the course of 2000 and 2001. These included new mechanisms that we take for granted today — like the CAPTCHA, and the idea of making two random deposits to confirm bank account access.
An underappreciated element of the PayPal story was the effect that fraud had on the payments industry. At the time, PayPal was the scale leader in the nascent internet payments space. After the X.com-Confinity merger, it was the company with the largest number of transactions, which therefore meant it was the largest target for fraud, and had the largest amounts of fraudulent transactions — transactions that could be studied by PayPal's engineers.
In a 2004 interview at Stanford, Max Levchin and Peter Thiel had the following take on their battle against fraud:
Levchin: What happened in 2000 is we realised that a very major part of our burn was due to fraud. We started the company being extremely naive about fraud specifically, which in a way made us resilient to all the problems. Somebody told us, "You're going to be drowned in charge-backs. You're going to die under all this massive pressure of all these people who are going to be out there just to take your money." Peter and I were going, "What's a charge-back? We never heard of this. Okay, well, we don't have to worry about stuff we don't know." So we just went right along. And six months into it, we still had no charge-backs. So we figured that people are actually fundamentally good. "It's all right. No one is going to charge money back." Of course, the typical credit card adage is that the first charge-backs usually shows up six and a half months into it, I guess with the credit card statement length and the regulations the credit card industry imposes on consumers.
Anyway, we were bleeding something like 12 million (dollars) a month in fraud in June 2000. That's in addition to things like referral bonuses and running the company and… (Thiel interjects: “we had to pay for some salaries, too.”) Yeah, salaries, too. So the burn rate was phenomenal and largely due to fraud. At that time, it basically became clear that we either figure out how to beat the fraudsters or the fraudsters will take us under. And the company more or less refocused itself as a research entity towards figuring out innovative technological ways of destroying fraud on the Internet. And that alone could be the subject of an entire class or a series of classes so I will completely skip over all the cool technology we developed. Some of you might have seen stuff in the news, words like EOR or ELIA, all these tools that we've built. They're as cool as they sound.
I could never tell you about them because they're very secret and they're still in use. But maybe if you want to hang out afterwards, I can tell you a little bit. But they're really cool and we did really figure out how to kill fraud. The highest rate of fraud that we've ever seen as a percentage of the total volume was well above 1%. And I don't know exactly which figure I'm allowed to spill because I think, at one point, we were so high, Visa actually had the right to shut us down from processing credit card payments. At a certain point, once fraud gets —
Thiel interjects: The presumption was that there was so much fraud that we were just ripping people off.
Levchin continues: And we brought it down by the end of 2001 to about 55 basis points which is 0.55%. For comparison, the average losses online at the time were averaging about 1%. Mid-2001, we were at about 0.49. At the end of 2001, we were about 0.37, which was at the time, better and even now, better than anyone else in the industry had ever seen.
Today, the fraud rate at PayPal runs at about 0.27, the last I checked, which as you can see is still decreasing. The work to do that was really fundamental, critical and very, very technological difficult, which leads up to the following summary or the way that I see PayPal.
PayPal is actually a, more or less, commodity business (emphasis added). It sounds very cool and innovative e-mailing money around and moving money in the Internet, but it's really not very difficult. The credit card interface has existed for 20 years. The AFT system existed since the '70s which is the way you move money into bank accounts. It's really not that tough. All we really do is to put a very pretty Web front on it and let people use their email address instead of their account number.
That's really all the risk to the PayPal on the surface. The submerged part of PayPal is this massive and very, very numerically-driven risk management system which allows us to instantaneously tell when you're moving money to someone else, with a very high degree of certainty whether the money you're moving is yours or you got it illegally and we might be on the hook later on to help the authorities investigate or retrieve the money, et cetera, et cetera (emphasis added).
So the underlying business model of PayPal is actually that of a security company, a risk management company, that provides an extremely important yet commodity business on top. And the toll-bridge model which PayPal turned to in August 2000, namely every time someone sends you a little bit of money, we just take a slight bit off the top is really not very novel either. It's how Western Union works. It's how a lot of other transactional processors work all over the world. But this ability to make the costs very, very low because we can almost always certainly tell that the losses are going to be — that we are always going to underwrite the losses. We can always tell if the funds are going to be stolen, stop them, investigate them, on occasion — put the guilty party in front of the law enforcement officers — is very valuable. And that's why we are able to go public at a very healthy valuation. We launched or we priced (our shares) at $13, we closed at $20 and six months later, we sold the company at $1.5 billion to eBay. Since then, the market half of eBay combined with PayPal has grown and do you know what exactly it is today?
Thiel: We were worth $47-48 a share from the $13 IPO price. One other anecdote I would tell before opening it to questions and answers is, basically, one way to describe fraud is that we have a perverse symbiotic relationship with these Russian mobsters who were the primary culprits (emphasis added). Basically, we were in a race to develop new anti-fraud techniques and they were in a race to develop new ways to steal money. The by-product of it was all our competitors got wiped out because as the Russian mobsters got better and better, they got better and better at destroying all of our competitors. And so by the fall of 2000, we started charging people, we found that the price was completely inelastic (emphasis added). As we increased prices, none of our customers could leave. People have said that “we refuse to pay” and they left. And sure enough, there is no other place they could get paid online and so they came back. And so basically, the financial model part of the business is a lot of tricky dials but fundamentally, it turned out that we can raise and raise the price without customer-attrition, which is why the technology plays really have a lot of value and there was incredible pricing and elasticity.
Compare this case with a previous case you've read. What is similar? What is different?
Does this remind you of a similar case? If so, what is different there?
If you have any thoughts, feel free to comment in the member's forum.