It's an arms race with fraudsters that eventually sucks in legitimate businesses.
3 weeks ago, I woke up to a pissed off customer telling me her payments were broken. My startup uses Stripe Connect to accept payments on behalf of our clients, and when I looked into it, I found that Stripe had decided to deactivate her account. Reason listed: 'Other'.
Great.
I contact Stripe via chat, and I learn nothing. Frontline support says "we'll look into it." Days go by, still nothing. Meanwhile, this customer is losing a massive amount of business and suffering.
After a few days, my team and I go at them from as many angles as possible. We're on the phone, we're on Twitter, we're reaching out to connections who work there / used to work there, and of course, we reach out to patio11. All of these support channels give us nothing except "we've got a team looking into it". But Stripe's frontline seems to be prohibited from offering any other info, I assume for liability reasons. "We wouldn't want to accidentally tell you the reason this happened, and have it be a bad one."
We ask:
1. Why was this account flagged? "I don't have that information"
2. What can we do to get this fixed? "I don't have access to that information"
3. Who does? "I don't have access to that information"
4. What can you do about this? "I've escalated your case. It's being reviewed."
I should mention at this point that I've been running this business since 2016, my customers have been more or less the same since then, and I've had (back when it was apparently possible) several phone conversations with Stripe staff about my business model. They know exactly who our customers are and what services we offer, and have approved it as such.
After a week of templated email responses and endless anxiety, we finally got an email from Stripe letting us know that they had reviewed the account and reactivated it. We never got a reason for why any of this had happened, despite asking for one multiple times. Oh well, still good news right? Except nope, this was only the beginning.
This morning I woke up to an email that about 35% of my client accounts had been deactivated and were "Under review", the kicker here being that one of those accounts is the same one they already reviewed last week! This is either the work of incompetent staff or (more likely) a bad algorithm. No reasonable human could make this mistake after last week's drama.
So currently, my product doesn't work for 35% of my customers. Cue torrent of pissed off customer emails.
And the best part is, this time I have an email from Stripe: Apparently these accounts are being flagged, despite the notes on our file, and despite the review completed literally last week, as not in compliance with Stripe's ToS. They suggest that if I believe this was done in error, I should reach out to customer support. Oh, you mean the same customer support that can't give me literally any information at all other than "We have a team looking into it"? The same customer support that won't give me any estimates as to how long it's going to take to put this fire out? The same customer support that literally looked into this a week ago and found no issues!?
I feel like I'm going crazy over here. These accounts have hundreds of thousands of dollars in them being held hostage by an utterly incompetent team / algorithm that seems to lack any and all empathy for the havoc they wreak on businesses when they pull the rug out from under them with no warning, nor for the impact they have on customers when they all of a sudden lose all ability to make money. And all that for an account that has been using Stripe for nearly 7 years without issue!
This goes so far beyond "customer support declining at scale." If lack of customer support means that critical integrations start to fail, that's not a customer support failure, that's a fundamental business failure.
As much as I hate government intervention in business, it really seems like there needs to be a way to force companies to actually be direct, accessible, and reactive in cases like this. I went through something similar with Venmo randomly locking my account after I received a large-ish payment, and not getting any real action or sense of urgency on their side.
Even if it is government under the hood you have to know what you're accused of. Not American so I doubt the US political system is interested in hearing from me, but I agree that's the only way of solving the deeper AML problems.
But in all seriousness, being a YCombinator startup is now a big red flag outside of the VC-funded bubble. My current employer, and the previous one, have a strict no-YC policy for SaaS due to numerous issues with previous YC companies. And these are both tech-friendly/tech-adjacent companies.
It's even worse at stodgier companies; an executive sees "Stripe froze my payments" and that's what they remember when a Stripe salesman tries to pitch them on using Stripe for their online store. Stripe is quickly becoming Google, in the bad way: it's a name people are learning to avoid, and if that hits critical mass they're dead.
I still love them. That issue aside they allow me to have a personal and business account in multiple currencies, and don't screw me on the exchange rates.
As executives and purchasing managers get more tech-aware I think we're going to see an increase in due diligence into who is running companies, who their investors are, what other companies they've invested in, etc. Brands like YC will end up getting punished (and all their portfolio companies, by extension) for the bad actors.
What law do you think forbids this? In my experience running global payments through multiple rails, on an OFAC/risk ping you typically get a request for enhanced due diligence, which normally looks to the payee like “send me a picture of your driver's license”.
The most common result is that O Bin Laden (matching the OFAC list) is actually Oscar bin Laden; with further info you disambiguate the payee from the OFAC listed entity and are allowed to transact.
I have never encountered a reg that says you are obliged to ghost your customer.
This is exactly why the whole process is suspect. The government farms out the policing of certain financial crimes onto the financial institutions as a prerequisite for operating the business. If the government came along and froze your bank account you’d have a right to ask why and a right to get some answers. But instead the government pawns the responsibility off onto businesses and then prohibits those businesses from telling you why.
And so the BSA and Patriot Act effectively allow the government to take your property and take away your right to confront the government about why they took your property. And it’s all on merely a vague suspicion of misconduct. No proof whatsoever.
I can’t help but laugh at the irony— the federal government laundering their otherwise unconstitutional activities through the banks.
I do some payments that are ridiculously suspect but legal.
I have never been completely blackholed and given robot responses, any time a problem comes up.
Stripe is lower margin than other banks/payment providers, so they don't look very hard.
They have a very strong incentive to throw away troublesome customers, which they do.
I don't think it's right to say Stripe's "hands are tied".
They could spend more to identify false positives, but they don't.
If I used Stripe for all of my transactions I would be blocked. I know this because I have 100% confirmed this from an inside source at Stripe and at a country's central bank.
Yet somehow I have and continue to maintain accounts with other banks without breaking the law.
You think AML/KYC laws, as they currently exist, are unconstitutional?
edit:
That's a fine position to have, but it's a fringe one, and I don't think you should be offering it as a reason why Stripe does what it does that's generally accepted by everyone else.
It is like this with virtually any security system. Adding feedback you can use for debugging also makes the system much easier to compromise.
edit: As I re-read the thread I see that I am thinking more of onboarding KYC, as opposed to this case which would be ongoing-activity investigation. So that would explain the difference in expectations here. Still interested in learning more about the regs for ongoing investigations if you have time to share!
See https://www.lawsociety.org.uk/topics/anti-money-laundering/t...
This. This is a common tune to about 100% of "BigSomething killed my business" stories that appear on HN almost weekly. If you go to BigSomething, you get a polished, automated, convenient, cheap service that would not hesitate to kill your account the moment something looks wrong to any of the robots watching it, and the customer support (the non-robotic kind, I don't count "we are working on it" auto-replies) is not part of the package because it doesn't scale. You have to either accept this as the risk for doing business, or not use BigSomething as your primary or critical vendor.
Government has made entry to this space hard which is why there aren't enough competitors, so they're really the source of the problem.
(Obviously it’s quite difficult to know the ratio of cases like these involving government investigations and those involving their own internal risk procedures.)
I assume the government didn't want to put all the work in of making sure the currency they've societally coerced the world to use isn't being used for fraudulent transactions, they'd rather pawn it off onto the banks because it's easier for the government to not do anything about it.
Now the banks have been shooting anything and everything that has even a semblance of fraud with account locks/funds freezing/etc., because if they don't the government will go after them.
How does this system make any sense to anybody? So frustrating. Let me exchange currency with anybody for any reason at any time.
Stripe and other companies are doing their best, but they are in an arms race with more and more elaborate fraudsters. At planet scale.
Others (adult services) are not due to government regulations, they are simply there because banks don't want to deal with chargebacks.
Except the operationalization of those rules is: here are some vague guidelines that you have to follow, and if we don't like you we'll retroactively decide you were committing a crime even if you followed those guidelines to the letter. See HSBC for a case in point.
I would bet that 99.9% of the Stripe (and Paypal) horror stories that get posted almost weekly are _not_ federal money laundering or terrorism financing investigations with legal secrecy provisions imposed on the payment processor.
One of the attacks that fraudsters have developed is to buy businesses to use their accounts for fraud. That going out with a fraudulent bang is better than trying to run a marginal business.
I'm curious as to why you think that? Is this a way way more common thing than I expect? Or is "My startup uses Stripe Connect to accept payments on behalf of our clients" a raging red AML flag I don't recognise (I've never done that, so it could easily be)?
The issue most people in this thread are talking about exists in the almost. If it was always guaranteed, then there would not be so much evidence to the contrary.
If anything, I would bet that regulators would be concerned about the fact that companies such as Stripe have triggered a race to the bottom whereby underwriting has become an after-the-fact exercise that can severely damage and/or kill a high-growth SME. The old way, where you filled out a ton of paperwork, provided every bit of information possible about you and your business, and then went back and forth with a human to get approval, was a much more stable way to do business. But alas, when you've got former bank governors on your payroll and political mega-PAC donors on your cap table, people don't scrutinize very much.
This would be the same as saying: I want zero car accidents on the road, so I'll scale the police headcount linearly with the number of reckless drivers.
The thing with SARs is that they tend to be cascading as OP described. So if I (innocently and totally coincidentally) do a transaction with someone who has been flagged for suspicious activity my account might now be flagged as “higher risk” for suspicious activity and will be monitored more closely.
And, if they decide they’ve found suspicious activity in my account then everyone who does business with me is at risk of having their accounts flagged as “higher risk” for closer monitoring and so on.
And the bank isn’t allowed to tip anyone off because if any of those accounts are actually laundering money they might suddenly withdraw it and then the “lead” from the SAR is moot. It’s actually a crime to notify someone about the suspicious transaction(s). Which is why you get stonewalled.
No, that's wrong. Firstly, as others have pointed out, society long predates any such notions.
Secondly, determining what is illegal activity, and putting a stop to it, is ostensibly the job of law enforcement and the courts, not the bank.
For anyone following along, text at https://www.fincen.gov/resources/statutes-and-regulations/ba... > https://www.govinfo.gov/content/pkg/USCODE-2020-title31/pdf/....
This is for SARs (Suspicious Activity Reports). (At least, that's the one I've encountered before, there may be other forms too).