Koho Financial Inc. processed more than $1-million in allegedly fraudulent transactions after users exploited a glitch in the Power Corp.-backed mobile banking startup, according to sources familiar with the situation and internal company documentation.
The transactions took place between July, 2019, and early March, 2020. In all, there were more than 1,000 transactions totalling $1.049-million that the company labelled as “fraudulent,” the document shows.
Sources told The Globe and Mail that the transactions were enabled by a technical glitch during the transfer of money between accounts that deposited the value into the accounts of both the sender and the receiver. The Globe is not identifying the sources because they were not authorized to discuss the situation publicly.
In a statement, Koho acknowledged that its system had been exploited, saying this was the result of a cyberattack discovered on March 5 and that no customer funds or data were affected.
“The issue was fixed within hours of its discovery, and external auditors were brought in to validate our findings. They found that no customer funds or data were impacted,” the company said in response to written questions from The Globe. “Koho processes billions of dollars a year and is committed to maintaining the highest security standards to keep our customers safe against new threats.”
There are no allegations of wrongdoing on the part of anyone at Koho.
Koho lets clients use a proprietary app and prepaid Visa credit cards as a kind of hybrid bank account, with built-in budget tracking and cash-back perks. Its revenue comes largely from interchange fees that credit card companies earn from retailers and premium accounts. The company says it has more than 175,000 Canadian users.
According to the documentation and sources, more than 30 Koho users exploited the glitch, which could be triggered when the sender cancelled and the receiver accepted within milliseconds of each other.
Some of the users appeared to perform the transaction many times – sometimes on a daily basis – and sometimes claimed thousands of dollars a day, according to the document.
The company declined to describe the nature of the transactions, but said on March 5, “We were improving our internal financial controls and discovered a failure to reconcile on operational capital.”
Koho said the transactions only affected its own operational capital and not user funds, for which “we did already have procedures and redundancies in place.”
Koho added that such a system, with multiple safeguards, has since been added to protect its corporate funds. The company said it immediately notified its board and investors upon learning of the alleged cyberattack on March 5.
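The glitch described above, in which a cancel and an accept arriving within milliseconds of each other credited both parties, is a race on the state of a pending transfer. The following is an added example, not Koho's code: the `Ledger` class, its method names and the hold-then-settle model are assumptions made for illustration. It shows a settlement step in which the state check and the credit are one atomic operation, plus the reconciliation invariant that would flag a double credit.

```python
import threading

class Ledger:
    """Constructed toy ledger: funds sit in a hold while a transfer is PENDING."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.transfers = {}  # id -> dict(src, dst, amount, state)
        self._lock = threading.Lock()

    def create(self, src, dst, amount):
        with self._lock:
            if amount <= 0 or self.balances[src] < amount:
                raise ValueError("invalid amount or insufficient funds")
            self.balances[src] -= amount  # debit the sender into the hold
            tid = len(self.transfers) + 1
            self.transfers[tid] = dict(src=src, dst=dst, amount=amount, state="PENDING")
            return tid

    def _settle(self, tid, new_state, payee):
        # Check and credit share one critical section: only one of accept/cancel wins.
        with self._lock:
            t = self.transfers[tid]
            if t["state"] != "PENDING":
                return False  # the other side already won; pay nothing
            t["state"] = new_state
            self.balances[t[payee]] += t["amount"]
            return True
    def accept(self, tid):  # receiver takes the money
        return self._settle(tid, "ACCEPTED", "dst")
    def cancel(self, tid):  # sender gets the hold back
        return self._settle(tid, "CANCELLED", "src")

    def total(self):
        # Reconciliation invariant: balances plus held funds must stay constant.
        with self._lock:
            held = sum(t["amount"] for t in self.transfers.values() if t["state"] == "PENDING")
            return sum(self.balances.values()) + held

def race(ledger, tid):
    """Release accept and cancel together; return how many of them paid out."""
    results, gate = [], threading.Barrier(2)
    def run(op):
        gate.wait()
        results.append(op(tid))
    threads = [threading.Thread(target=run, args=(op,)) for op in (ledger.accept, ledger.cancel)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return sum(results)
```

If the state check and the credit were separate steps, both calls could observe `PENDING` before either wrote the new state, and `total()` would rise by the transfer amount.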
In response to The Globe’s questions, Koho also sent a 2019 research paper from the Federal Reserve Bank of Kansas City that found that the total rate of payment card fraud in the United States varied from about 0.08 per cent in 2012 to about 0.12 per cent in 2016. Koho said that its fraud rate was “a fraction” of such industry averages.
The allegedly fraudulent transactions took place at a moment in which fintech companies seek a greater role in everyday banking and well-known investors buy up stakes in the sector.
Koho, based in Toronto, has raised about $60-million in venture financing, much of it from Portag3 Ventures, a division of Power’s alternative-investing arm Sagard Holdings ULC, as well as National Bank of Canada and U.S. venture firm Drive Capital.
Portag3 was the lead investor in both Koho’s $8-million early-stage Series A financing round in 2017 and its $42-million Series B growth-financing round in 2019. The firm declined to comment.
Koho’s board of directors includes chief executive officer Daniel Eberhard; executive chair Adam Felesky, who is also Portag3’s CEO; Power senior vice-president and Portag3 executive chair Paul Desmarais III; Michael Katchen, the CEO of Canadian fintech Wealthsimple Inc.; and Drive Capital partner Chris Olsen.
Koho has 107 employees, according to LinkedIn. Many of them learned of the allegedly fraudulent transactions at an emergency meeting last spring, the sources said.
Because it’s not a federally regulated bank, Koho has partnered with Peoples Trust Co., which is federally regulated, to hold clients' money. Peoples Trust did not respond to multiple requests for comment Sunday and Monday.