Oops... we did it again! This or something similar could probably be the title of a fictitious meeting at Forbes magazine about another spectacular case of fraud by its supposed superstars in the ranking of the best company founders and companies.
The latest case is that of the start-up Frank. It is probably one of the craziest FinTech fraud cases since FTX. Financial technology startup Frank was launched in 2016 as a financial platform that helps college students manage their financial aid and student debt.
Frank founder Charlie Javice had the lofty goal of developing the startup into an "Amazon for higher education." A proud member of Forbes' "Top 30 Under 30" list, Javice once said that her biggest challenge at Frank was scale. How true this was – and in the end, it was the starting point for the scam!
High criminal energy
This element can be found in almost all major fraud cases. In the case of Frank, founder Javice first asked one of Frank's top engineers, Patrick Vovor, to create the fake customer list. When he refused, she turned to a professor of data science (Amit J. K.) to generate synthetic data. According to U.S. law enforcement and U.S. Securities and Exchange Commission (SEC) investigations, his job was to generate millions of fake customer records to make it appear that the Frank financial aid platform had more than four million active users. The synthetically generated data had to appear credible and be "plausibly statistically distributed" to withstand due diligence.
Using the data of some people who were already using Frank, he created four million fake customer accounts, for which Javice paid him 18,000 dollars. In reality, the company "only" had around 300,000 customers. According to the indictment, Javice later tried to delete the communication with Amit J. K., which the investigators interpreted as an attempt at a cover-up.
On paper, it all looked like the next big thing, and banking giant JP Morgan became aware of the company and eventually acquired it for 175 million US dollars. In the end, it was 175 million US dollars for a giant Potemkin village!
Commissioner coincidence & amateurish due diligence
JP Morgan did not notice the irregularities as part of a careful due diligence process or through systematic warning signs, but rather by chance. An employee noticed that one list contained exactly 1,048,576 lines - the maximum allowed by Microsoft Excel. It was at this point that the company's ears pricked up.
The case shows that JPMorgan's due diligence apparently did not drill deep enough to independently verify the user numbers:
- There was no systematic verification of email addresses or user interaction.
- The audit relied on the data provided instead of actively drawing its own conclusions from user behavior, login data or database access.
- Data analytics methods, such as Benford's Law tests, cluster analyses, time series and activity analyses or cross-validation with external data sources, were not carried out sufficiently or at all.
Only after the takeover was completed did JPMorgan attempt to exploit Frank's user potential with the help of cross-marketing offers. The bank sent emails to the more than four million registered users that Frank was supposed to have according to the data provided. A large proportion of the emails could not be delivered - the addresses simply did not exist. This was the first concrete indication of possible data manipulation. JPMorgan then launched an internal investigation, which revealed that many of the user data records were synthetic or fictitious. JP Morgan Chase shut down the website and immediately sued the 30-year-old founder of Frank.
Conviction on several charges
JP Morgan paid Javice around 21 million US dollars for her shares in Frank and promised an additional bonus of 20 million US dollars (although this was never paid out). She was also appointed managing director of JP Morgan with an annual salary of 300,000 US dollars.
There were already inconsistencies here: even before the falsified user data was discovered, Javice was dismissed in November 2022 for misusing company credit cards for personal expenses and for other violations of internal bank regulations.
A few days ago, Javice and co-defendant Olivier Amar, who was Frank's Chief Growth Officer, were convicted on all four counts: Securities Fraud, Wire Fraud, Bank Fraud and Conspiracy. Both now face up to 30 years in prison.
The curse of the Forbes list
Charlie Javice was quickly elevated to star status. She now joins the unflattering ranks of spectacularly failed individuals and companies from the Forbes rankings, including:
- Elizabeth Holmes, founder of the laboratory company Theranos. In November 2022, she was sentenced to over 11 years in prison for investment fraud.
- Sam Bankman-Fried, founder and former CEO of FTX, a now insolvent cryptocurrency exchange. In November 2023, he was sentenced to 25 years in prison for fraud and money laundering.
- Silicon Valley Bank, which went bankrupt in March 2023 due to numerous fundamental failures in risk management.
Fig. 01 Curse of the Forbes list
Reverse engineering the lie: data analysis against data manipulation
The authenticity of large data sets can be verified quite easily using data analysis methods. Startups whose valuation is heavily based on user numbers are particularly susceptible to manipulation by synthetically generated data sets. Such data is generated algorithmically, often with the help of random distributions, name lists or fixed structural patterns. It appears plausible at first glance, but often differs from real user data in its statistical structure and inherent inconsistencies.
- Univariate and multivariate distribution analysis: Real user data often exhibits non-normal, heterogeneous distributions (e.g. power-law for login frequencies, bimodal age distributions). Synthetic data, on the other hand, is often overly smooth or evenly distributed.
- Benford's Law test: Benford's Law describes the expected frequency of initial digits in naturally occurring numerical series (e.g. telephone numbers, user IDs, sales). Deviations indicate manual manipulation or machine generation.
- Analysis of duplicates and patterns: Synthetic data often exhibits regular repetitions or deterministic patterns (e.g. name-birthdate combinations, domains in email addresses).
- Cluster analysis and dimension reduction: t-SNE, PCA or k-means can be used to visualize homogeneity or artificially generated clusters that are atypical for real user data.
- Time series and activity analysis: Realistic user interactions are asynchronous and non-linear. Synthetically generated activity data, on the other hand, is often distributed symmetrically or statistically evenly over time.
- Cross-validation with external data sources: Random verification of email addresses, domains, location data or mobile phone numbers against publicly available databases can provide evidence of synthetic generation.
In a thorough due diligence of Frank, the following findings could have provided indications of forgery:
- Unusually evenly distributed email domains (for example, many randomly generated addresses with educational domains)
- Artificially homogeneous age range among users
- Missing correlations between variables (e.g. university vs. zip code)
- Missing activity data compared to the claimed user base
- Consistency of date fields (e.g. registration and last login on exactly the same day)
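An added example, not part of the original article: a minimal Python audit that turns several of the indicators listed above (even email domains, narrow age range, registration equal to last login, repeated name and birthdate pairs) plus the Excel row limit mentioned earlier into automated checks. The field names, thresholds and both sample lists are constructed assumptions.

```python
import math
from collections import Counter
from datetime import date
from statistics import pstdev

EXCEL_MAX_ROWS = 1_048_576  # worksheet row limit cited in the article

def evenness(values):
    """Shannon entropy of the value counts, scaled to 0..1 (1.0 = perfectly even)."""
    counts = Counter(values)
    if len(counts) < 2:
        return 0.0
    n = sum(counts.values())
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(len(counts))

def audit(rows, file_row_count=None):
    """Return the set of red flags raised by a non-empty list of user records."""
    if not rows:
        raise ValueError("no records to audit")
    n = len(rows)
    domains = [r["email"].rsplit("@", 1)[-1].lower() for r in rows]
    same_day = sum(r["registered"] == r["last_login"] for r in rows)
    pairs = Counter((r["name"].lower(), r["born"]) for r in rows)
    repeats = sum(c - 1 for c in pairs.values())
    checks = {  # thresholds are illustrative assumptions, tune per data set
        "row_count_equals_excel_limit": file_row_count == EXCEL_MAX_ROWS,
        "email_domains_too_even": evenness(domains) > 0.98,
        "age_range_too_narrow": pstdev([r["born"].year for r in rows]) < 1.0,
        "no_activity_after_signup": same_day / n > 0.5,
        "repeated_name_birthdate": repeats / n > 0.05,
    }
    return {name for name, hit in checks.items() if hit}

EDU = ["alpha.example.edu", "beta.example.edu", "gamma.example.edu", "delta.example.edu"]
SYNTHETIC = [  # constructed sample: evenly cycled domains, one birth year, no activity
    {"name": f"User {i % 20}", "email": f"u{i}@{EDU[i % 4]}", "born": date(2001, 1 + i % 3, 1),
     "registered": date(2021, 6, 1), "last_login": date(2021, 6, 1)}
    for i in range(200)]
ORGANIC = [  # constructed sample: one dominant mail provider, spread of ages, later logins
    {"name": f"Person {i}", "email": f"p{i}@{'mail.example.com' if i % 10 < 7 else EDU[i % 3]}",
     "born": date(1990 + i % 14, 1 + i % 12, 1 + i % 28),
     "registered": date(2020, 1 + i % 12, 1), "last_login": date(2021, 1 + (i * 5) % 12, 1 + i % 28)}
    for i in range(200)]

if __name__ == "__main__":
    print(sorted(audit(SYNTHETIC, file_row_count=EXCEL_MAX_ROWS)))
    print(sorted(audit(ORGANIC)))
```

A raised flag is a reason to sample and contact real users, not proof of fabrication on its own.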
Key takeaways for risk management
The fraud case surrounding the startup Frank and its takeover by JPMorgan Chase provides important lessons for effective risk management - especially in the area of startup investments and data-driven business models.
- Transparency: Transparency is an important success factor, especially when it comes to success stories that have shot into orbit particularly quickly. Non-transparent decisions and small decision-making circles are often particularly susceptible to cronyism and fraudulent activities without effective controls.
- Due diligence: A company takeover for USD 175 million and yet rather neglectful due diligence processes? What sounds crazy was apparently common practice at JP Morgan. Javice already claimed that the takeover documents contained no information on the company's user base and that JP Morgan had not carried out a really thorough review. A data validation carried out for the bank by an external provider was allegedly very superficial; the costs alone - allegedly only 1,695 US dollars - would prove this. Sound due diligence is particularly important for young, technology-driven start-ups, where business models are heavily dependent on user data, scalability and growth potential. Key figures such as "active users" or "engagement rates" are easy to manipulate if they are not actively verified. A random check of user contacts would have ensured transparency. A technically supported data analysis of usage data would have revealed anomalies. Historical communication histories would have shown that a lot of user data was generated synthetically.
Particularly embarrassing for JP Morgan may be the fact that Leslie Wims Morris, who led the acquisition, sent a message to her team highlighting passages from CEO Jamie Dimon's annual letter and noting that sometimes no analysis was needed. In court, her lawyers portrayed this as a joke, but it does not reflect well on JP Morgan's internal processes.
- Governance structures: The internal control system (ICS) of Frank (and also JP Morgan) had failed mercilessly and had not been developed in step with the (supposed) growth of the company. It is likely to be the subject of further investigations as to why the top engineer Patrick Vovor, to whom Javice had first turned for help with the data manipulation, did not report it or to what extent he was perhaps even kept quiet. All factors of weak internal governance!
What is also very surprising is that, based on the available evidence, the due diligence process as an essential part of the governance structure of Wall Street giant JP Morgan was at best neglectful, if not amateurish.
If it is true that less than USD 2,000 was spent on data validation, this is a serious shortcoming in a company takeover worth USD 175 million.
- Greed eats brains: another classic of the biggest scams! The reputation that surrounded Charlie Javice and her star company should not be underestimated. Rather, they probably saw the most colorful potential for success and completely ignored the risks - if there is no solid risk management, risk blindness dominates!
Javice was prepared to go to great lengths and make ethically questionable decisions in order to impress investors and make her success story appear even bigger.
- Early detection instead of damage limitation: The fraud was only uncovered after the takeover was completed. Greater attention to realistic testing (e.g. contacting users) could have prevented the damage at an early stage.
- Data does not equal truth: A large amount of data does not automatically mean valid substance. User numbers, engagement rates and customer data should be verified technically and statistically - for example through random samples, data analyses and plausibility checks. Risk management must be based on objective, comprehensible criteria (factfulness) - even in the face of resistance. A solid verification of the data would probably have saved JP Morgan well over USD 150 million in damages and a lot of reputational damage!
Authors:
Dr. Christian Glaser holds a doctorate in risk management and is the managing director of a well-known financial services provider. He is also a lecturer at several universities and the author of several specialist books and numerous specialist publications in the fields of financial services, corporate governance and management, controlling and risk management.
Frank Romeike is the founder and managing partner of RiskNET GmbH - The Risk Management Network. He was Chief Risk Officer (CRO) at IBM and has published several standard works on risk management and stochastics. This year will see the publication of the book “Data analytics in risk management” (Springer Verlag 2025), which he wrote together with Gabriele Wieczorek. He has also accepted teaching assignments at several universities.