Introduction to the case
The founder and executives of a fintech startup, Frank, were accused of defrauding JPMorgan Chase & Co (JP Morgan) into acquiring their nascent business for US$175 million.
After the deal closed, JP Morgan alleged that Frank’s customer list, which was a key asset for the acquisition, had been falsified. The bank has initiated a civil suit against the former executives, including founder Charlie Javice and Chief Growth Officer Olivier Amar, and a separate criminal investigation is underway. These allegations have yet to be proven in court.
Details of the fraud
Frank was a fast-growing college financial planning platform where students could navigate the world of loans.
The startup served its customers by facilitating the complex application process for financial aid and accessibility to their catalogue of online college courses.
In August 2021, JP Morgan acquired Frank for US$175 million. A motivation for this transaction was the bank’s desire to access Frank’s purported 4 million customer accounts.
It was later alleged that Frank had grossly inflated its number of customers and accounts.
How did the fraudsters commit the crime?
JP Morgan requested details of Frank’s 4.265 million customer accounts as part of its due diligence. It insisted that the inquiry was critical to their due diligence process. Frank’s executives were hesitant to share the data claiming privacy concerns. JP Morgan agreed to use a third-party data management vendor to validate the list of customer accounts rather than receive and examine the original data directly from Frank.
Javice and Amar are alleged to have had a fictitious customer list created containing four million accounts. This list was provided to the third-party acting on JP Morgan’s behalf. The list included fake names, addresses, birthdays, and other personal information. The customer list was never provided directly to JP Morgan. The third-party provided a validation report to both JP Morgan and Frank and then deleted the data at the latter’s request.
At the same time, Frank purchased a list of 4.5 million student names from a marketing company. This list was used and provided to JP Morgan after the acquisition closed. Importantly, this list contained email addresses for only one-half of the individuals itemized therein. Frank then engaged a data technology company to identify potential emails for incomplete individual data, which were then included in the list provided to JP Morgan.
What was the outcome?
In January 2022, JP Morgan sought to conduct a marketing email campaign to test the customer list. It requested the list, which took three weeks to produce. The list provided was primarily a subset of the student list that Frank had purchased from the marketing company.
The marketing campaign revealed irregularities in Frank’s list when JP Morgan emailed 400,000 unique customers. The results included an email delivery rate of 28% compared to JP Morgan’s benchmark of 99% (indicating a high proportion of invalid emails) and an email open rate of 1.1% compared to their benchmark of 30% (indicating a lower-than-expected engagement rate for active customers).
Subsequently:
- JP Morgan initiated a comprehensive investigation into its acquisition of Frank and the merger in June 2022.
- JP Morgan terminated Amar and Javice following an internal investigation in October and November of 2022.
- JP Morgan filed a complaint with SEC and filed a suit in U.S. District Court in December 2022
- JP Morgan shut down Frank’s website in January 2023.
- In April 2023, Javice was arrested and now faces fraud charges from the SEC and Justice Department, including conspiracy to commit bank and wire fraud, wire fraud affecting a financial institution, bank fraud, and securities fraud.
- In July 2023, Amar was also indicted on wire fraud, bank fraud, securities fraud, and conspiracy charges.
How could this have been prevented?
JP Morgan’s reliance on the third-party to validate the customer listing enabled the fraud. Performing adequate due diligence around the customer listing would have been instrumental in preventing it. Frank’s reluctance to provide the actual data set should have been a red flag.
JP Morgan should have ensured additional procedures were taken to mitigate this risk and ensure the existence, validity, accuracy and ownership of the customer list and accounts data.
This would include ensuring that any third-party validating the data set was engaged by JP Morgan and had a mandate that was responsive to its needs. Specifically:
- Sending emails to a sample of the customer list to determine if the emails are accurate and active.
- Testing to ensure that the customers in the listing were actual customers of Frank, set up in Frank’s system, and reviewing audit logs of the activity for those customer accounts.
- Upon consummation of the acquisition, the listing validated by the third-party is provided directly to JP Morgan.
How BDO can help
Our Forensic Disputes and Investigations team is experienced in identifying potential risks and implementing effective measures to mitigate fraud. We offer a range of services, including forensic accounting, investigations, transaction due diligence, and more. Act today to protect your business from fraud by contacting our team for a comprehensive analysis of your company’s risks and potential vulnerabilities.
Contact our team to help you prevent and detect fraud in your organization: