title: Gift cards and the fraud supply chain
author: Complex Systems with Patrick McKenzie (patio11)
contenttype: podcast
publication: Complex Systems with Patrick McKenzie (patio11)
published: 2025-12-26T09:42:07
sourceurl: https://pscrb.fm/rss/p/prfx.byspotify.com/e/media.transistor.fm/f900b660/e8a00478.mp3
word_count: 2900
Welcome to Complex Systems, where we discuss the technical, organizational, and human factors underpinning why the world works the way it does. Hi, Dio, everyone, and Merry Christmas. My name is Patrick McKenzie, better known as patio 11 on the internet. I'm here today in the studio with a topical bits about money you should read, about the gift card accountability sink which we published shortly before Christmas this year. The American Association of Retired People, AARP, an advocacy non-profit for older adults, has paid for ads on podcasts I listen to. The ad made a claim which felt raspberry-worthy in service of an important public service announcement, which they repeat in writing. Asking to be paid by gift card is always a scam. Of course, the dissent gift cards are a payment rail and an enormous business independently of being a payment rail. Hundreds of firms will indeed ask you to pay them on gift cards. They also exist and are marketed explicitly to do the thing that the AARP implicitly asserts no business or government entity will ever do. Provide a method for transacting for people who do not have a banked method of transacting. Here's footnote zero. Indeed, there are entire companies which exist to turn gift cards into an alternate financial services platform, explicitly to give unbanked and underbanked customers a payments rail. Paysafe, for example, is a publicly traded company with thousands of employees. The constellation of regulatory supervision you'd expect, and a subsidiary open box, which is designed to give businesses the ability to embed pay us with a cash voucher in their websites, invoices, and telephone collection workflows. This is exactly the behavior that, quote, never happens in a legitimate business, and quote, except when it does by the tens of billions of dollars. As bits about money has frequently observed, people who write professionally about money, including professional advocates for financial vulnerable populations, often misunderstand alternative financial services, largely because those services are designed to serve a social class that professionals themselves do not belong to, rarely interact with directly, and do not habitually ask how they pay rent, utilities, or phone bills. Back to the main body of the essay. Gift card scams are also enormous. The FBI's Internet Crime Complaints Center received $16.6 billion in reports in 2024 across several payment methods. This is just for those consumers who bothered reporting it. In spite of the extremely real received wisdom that reporting is unlikely to improve one's direct situation. The flavor text of scams vary wildly, but in substance, they'll attempt to convince someone, often someone socially vulnerable, to part with sometimes very large sums of money by buying gift cards and conveying card information, like the card number and pin number, which are both printed on the card, to the scammer. The scammer will then use the fraud supply chain, generally to swap the value on the card to another actor, in return for value unconnected to the card. This can be delivered in many ways. Cash, crypto, products and services in the scamming economy, such as perline credit cards, or even leads lists of vulnerable people to run more scams on, or laundered funds within regulated financial institutions, which obscure the link between the crime and the funds. This is layering in the parlance of anti-money laundering professionals. A huge portion of running a gift card marketplace is tried to prevent yourself from being exploited, or made into an instrumentality and exploiting others. It surprises many people to learn that the United States aggressively defends customers from fraud over some payment methods, via liability transfer to their financial institution, which transfers it to in your mediaries, who largely transfer it to payment accepting businesses. Many people think the US can't manage large, effective, pro-consumer regulatory machines. They're straightforwardly wrong, some of the time. But the AARP, the FBI, and your friendly local payments nerd will all tell you that if you're abused on your debit card, you are quite likely made whole. And if you're abused via purchasing gift cards, it is unlikely any deep pockets will cover for you. The difference in treatment is partly regulatory card routes, partially organized political pressure, and partly a side effect of an accountant ability syncs specific to the industrial organization of gift cards. Most businesses do not run their own gift card programs. There exists an ecosystem of gift card program managers, potentially financial services businesses with a sideline and software. I should probably mention that I previously worked for and am currently an advisor at Stripe, whose self-conception would not be precisely that, but which supports many ways for people to pay money for things and be necessarily endorsed when I say in my personal spaces. Why does the program manager exist? Why not simply have the retailer keep some internal database of who the retailer owes money to, updating this when someone buys or loads a gift card and when they spend their balance out the store? Because this implies many capabilities that retailers do not necessarily have, such as, for example, software development teams. There's also a large regulatory component to running a gift card program, despite gift cards relatively lacks regulatory drag, which will return to in a moment. Card programs are regulated at both the federal and state levels. One frequent requirement in several states is achievement. Essentially all states have a requirement for achievement, many but not all exempt gift cards from it. As previously discussed in bits about money, a major component of the gift card business model is abandonment, which is called breakage industry. Consumer advocates felt that this was unfair to consumers, bordering on fraudulent really. They convinced states to take the money that retailers were keeping for themselves. Many states didn't really take all that much convincing. In theory, and sometimes even in practice, a consumer can convince the state treasurers office of unclamed property. You can see that, an example I linked to at Illinois, that the $24.37 that Target remitted as part of its quarterly achievement payment for an unused gift card 13 years ago was actually theirs. A consumer who succeeds at this, which is neither easy nor particularly inexpensive to do, were received a $24.37 check in the mail. The state keeps the interest income called a fee for service. It also keeps the interest income of the tens of billions of dollars of accumulated unclamed property, which it generally promises to do to fleet a custody awaiting a legitimate claim for as long as the United States shall exist. And so if you are a regional or a national retailer who wants to offer gift cards, you have a choice. You can dedicate a team of internal lawyers and operations specialist to understanding both with the laws of the several states with respect to gift cards, which are a tiny portion of your total operations. Not merely today, but as a result of the next legislative session in Honolulu, because you absolutely must order the software written to calculate the payment to remit accurately several quarters in advance of the legal requirement becoming effective. Or you can make the much more common choice and outsource this to a specialist. I think the acknowledgement of an ad read sounds cooler in Japanese. Konoban-Kumi-Lat Tsugino-Spunson will take your date below Kodishimasu. Cool, right? You might have heard of this podcast that cuts to PEPFAR and USAID were extremely disruptive to health care and some of the world's worst off communities. Private funders ended up picking up part of the slack. How would you decide whether that's the best opportunity for your charitable dollar, particularly if you don't have a team of professionals working for you? Give Well is working for you and everyone else. Give Well is a non-profit. Their team of researchers works in real time to track the impact of foreign aid cuts and they contribute their research to the commons, or free. For example, they've found one of the most effective interventions is paying caregivers in foreign nations directly in cash to take their children for routine childhood vaccinations. This decreases the disease burden on the kids and their families and reduces childhood mortality. Give Well has spent 18 years researching global health and poverty alleviation. This work is funded by donors who think it's useful for directing their charitable giving. Give Well also lets you donate to the causes they think are most effective and will pass 100% of your donation along to their recommended funds. To make a tax deductible donation today, go to givewell.org and pick the podcast and enter Complex Systems at checkout. Make sure they know you heard about Give Well from Complex Systems. Again, that's givewell.org to donate or find out more. I have an engineering degree and code my own websites. It's probably the most irrational choice I make in business. Low leverage, a spiky maintenance burden that always comes with the worst times, and they don't even look good. Don't get advice about design for me. Instead, take it from Framer, a sponsor of today's episode. Framer already built the fastest way to publish beautiful production-ready websites and it's now redefining how we design for the web. With the recent launch of design pages, a free canvas-based design tool, Framer is more than a site builder. It's a true all-in-one design platform. From social assets to campaign visuals, to vectors and icons, all the way to a live site. Framer is where ideas go live, start to finish. Ready to design, iterate and publish all-in-one tool? Start creating for free at framer.com slash design and use code complex systems, all one word, all capital letters. For a free month of framer pro, framer.com slash design, promo code complex systems, rules and restrictions may apply. That specialist, the gift card program manager, will sell you a solution, TM, which integrates across all the surfaces you need. Your point of sale systems, your website, your accounting software, the 1-800 number and website for customers to check balances, ongoing is cheat and calculation or remittance, cash flow management, carefully titrated amounts of attention to other legal obligations like anti-money laundering compliance, etc. Two representative examples, Black Hawk can network and income payments. You've likely never heard of them, even if you have their product on your person right now. Their real customer has the title director of payments at, for example, a Fortune 500 company. And here begins the accountability sink by standard practice and contract. When an unsophisticated customer is abused by being asked to buy a big co-gift card, big co will say, truthfully and unhelpfully, that big code does not issue big co-gift cards. It sells them. It accepts them, but it does not issue them. Your princess is in another castle. Big co may have a very large well-staffed fraud department, but not due to any sort of malfeasance whatsoever, that fraud department may consider big co-gift cards entirely out of their own school. They physically cannot access the database with the cards. Their security teams, sensitive that gif card numbers are dangerous to keep lying around, very likely made it impossible for anyone at big co to reconstruct what happened to a particular gif card between checkout and most recent use. Your privacy is important to us, they will say, and they are not cynically invoking it in this case. Gif cards are not regulated like other electronic payments instruments. As mentioned above, regulation E is the primary driver for the private enforcement edifice that makes scarily smart professionals and their attached balance sheets, swinging into action on behalf of customers. Reggie has a carve-out for certain prepaid payments. Per most recent guidance, that includes prepaid gif cards, gift certificates, and similar. And so, if you call your bank and say, I was defrauded, someone called me and pretended to be the IRS, and then I read the my debit card number, and now I've lost money. The state machine obligates the financial institution to have the customer service representative click a very prominent button on their interface. This will restore your funds very quickly and have some side effects, which you probably care about much less keenly. One of those is an investigation, which is not really an investigation in the commanding majority of cases. And if you call the program manager and say, I was defrauded, someone called me and pretended to be the IRS, and I read them a gif card number, and now I've lost money. There is no state machine. There is no legal requirement to respond with the liquidity, no statutory imposed deadline, no button for a CS rep to push, and no investigation to launch. You will likely be told by a low paid employee that this is unfortunate, and that you should file a police report. The dominant reason for this is that suggesting a concrete action gets you off the phone faster. The call center aggressively minimizes time to resolution of calls and recidivism, where you call back because your problem is not solved. Finally, the police report will, in most cases, not restore your money. But if it causes you to not call the 1-800 number again, then from the card program manager's perspective, this issue has been closed successfully. Why do we choose this difference in regulation? The people of the United States, through their elected representatives and the civil servants who labor on their behalf, intentionally exempt gif cards from the reggae regime and the interest of facilitating commerce. It is the ordinary and appropriate work of democracy to include input firm citizens and the rulemaking process. The Retail Industry Leaders Association participated, I link to their letter, explaining to FinSEN financial crimes enforcement network that would be quite burdensome for retailers to fall into KYC scope, etc., etc. Many other lobbyists in the industry associations made directionally similar comments. FinSEN, for example, has an explicit carve-out in its regulations, while FinSEN will aggressively police rogue bodegas. It has no interest in you if you sell closed-loop gif cards of less than $2,000 space value. This is explicitly to balance the state's interest in law enforcement against, quote, preserving innovation and the many legitimate uses and societal benefits offered by prepaid access, end quote. FinSEN's rules clarify that higher value activity, such as selling more than $10,000 in gif cards to a single individual in a day, brings sellers back into scope. Given the relatively lax enforcement environment for selling a $500 gif card, you very likely might not build out systems or successfully track customer identities and determine that the same customer has purchased $21,500 gif cards in three transactions. That likely doesn't rate as a hugely important priority in Q3. And so the fraud supply chain comes to learn which firms haven't done that investment and preferentially suggest those gif cards to their laundromers, mules, brick movers, and scam victims. You might have heard of the term money mule before. A third party who, wittingly or unwittingly, is convinced to move money on behalf of a scamming operation. A brick mover is an evocative phrase taken from Chinese where the industrial organization of these money laundering scams has telegram groups and other communities where there's a great essay about it. I link this in the original essay and I'll link it on the show notes. But essentially, there are brokers who interface with scam operators. When the scam operator has live fish on the line, they talk to a broker and say, okay, I think I will have money coming in from a particular customer and the money is coming in shaped like this. It's going to be US dollars and ACH payment. And then the broker will interface with someone on the other end of the transaction for the purpose of moving bricks, which means doing very boring repetitive work. And the person who is moving bricks maintains the network of, in this example, the US bank accounts that can receive an ACH transaction. And then part of the job of the broker is a speech-mediation process so that if the person who is sending the ACH, the scam victim, realizes this, then cancels the ACH for their financial institution cancels the ACH in such a way that the scam operator does not receive the money. The scam operator can distinguish that from the brick mover defrauding the scam operator. This is a high trust environment when you are running international money laundering, returning to the essay. And that's why the AARP tells Phibs about gift cards. We have, with largely positive intentions and for good reasons, expose them to less regulation than most formal payment systems in the United States received. That decision has a cost. Grandma sometimes pays it. And that's it for today. Thanks very much for listening to Bits About Money on Complex Systems. And we will see you again next week on Complex Systems. Thanks for tuning in to this week's episode of Complex Systems. If you have comments, drop me an email or hit me up at patio 11 on Twitter. Ratings and reviews are the lightblood of new podcasts for SEO reasons. And also because they let me know what you like.