A Frank look at a fake user base
When due diligence fails the data quality test
In 2021, when fintech consumer apps were all the rage, JPMorgan Chase (JPMC) paid $175 million for Frank, a platform that helped college students more easily secure financial aid. At the time of acquisition, Frank claimed to have 4.265 million users, but when the bank asked for verification, Frank's young founder and CEO got creative. JPMC alleges that Frank’s senior executives built a list of fake users with the help of a data science professor and a separate data set of 4.5 million student email addresses purchased from a data vendor. In reality, Frank only had 300,000 users at the time, according to a JPMC lawsuit filed against Frank.
The other shoe dropped when JPMC sent marketing emails to some of Frank's customers after the acquisition. The messages couldn't be delivered to about 75 percent of the 400,000 email addresses, an unusually high email bounce rate. Only 1 percent of the promotional emails that reached valid addresses were opened, JPMC said. While the email open rate varies by industry, a good rule of thumb is that it should be at least somewhere in the 20 percent neighborhood.
The lawsuit naturally sparked lots of conversation and reflection, with some questioning the thoroughness of JPMC’s due diligence process. Others have wondered whether JPMC’s due diligence team had any experience with college financial aid themselves and if such first-hand experience could have helped raise red flags. But first-hand experience isn't a requirement for a good due diligence process, and even the best vetting may be challenged by someone who is very intentionally cooking the books to juice a sale.
While due diligence varies from acquirer to acquirer, there is a general approach and process that is followed by internal and external teams working on vetting a potential acquisition.
While we personally don't have specific insight into how JPMC conducted its due diligence, we have run our fair share of these types of projects and can perhaps shed some light on how the company ended up in court.
Two tracks
When Sparrow performs due diligence, we separate the process into two streams — business and technical — which can be run independently of one another. We tackle these separately because they may require different types of resources to perform well.
Track No. 1: Business due diligence focuses on answering the central question — does this business make sense? The team will investigate whether the company being acquired is operationally sound or will run into challenges meeting its revenue goals. Will it plateau? How will its costs to acquire new customers change over time?
Track No. 2: Technical due diligence comes into play if the company has technical or software assets. The due diligence team will examine the processes being used to build the software and whether the company adheres to common best practices in software development. The team will also consider if the company uses any unusual tools or patented technology. Extending someone's patent could be costly over the long term compared to IP created internally, which may have more value. What is the structure of their technical-facing teams, and are they using any languages or approaches that would complicate the hiring of key resources?
Who’s who on the diligence team
When conducting the business due diligence stream, it's critical that the team includes someone with industry expertise that is ideally as close as possible to the industry of the company being acquired. On the technology side, it's important for the due diligence team to understand companies of a similar size and stage, even if across different industries, since there will be many commonalities.
A good team will identify the questions the vetting is meant to answer, design tests and probing hypotheses they’ll conduct, perform key interviews along with independent analysis, and finally recommend whether or not, and under which circumstances, to proceed. This is often referred to as the "go/no-go decision," although it's not necessarily binary, since moving forward may proceed under specific conditions. For example, a company may decide that it will invest in another company, but only if its sales team grows 3x in size to hit revenue goals for 2024, requiring a path to that level of scaling post-acquisition.
Getting to know you
Long before the formal due diligence process begins, multiple conversations have likely already occurred between companies and potential acquirers at various stages of the corp dev lifecycle. Acquirers would start to internally form theories on whether such an acquisition would make sense and prepare some type of investment brief that would help to make the internal argument for a deal and include a potential valuation, budget, and strategic imperative. For public companies, the potential acquirer would also forecast how an acquisition would impact shareholder value and other financial projections.
This getting-to-know-you process varies from company to company and acquiring team to acquiring team, and everybody has their own set of preferences and how they operate. But further down the path there would come a point when formal due diligence would begin, usually when the acquirer has expressed intent to buy and perhaps a formal letter of intent (LOI) to proceed is in place.
A quick process
Once the due diligence process begins, it may only last anywhere from a few days to a couple of weeks; if it's a competitive process with multiple companies interested in buying, usually the timeline for due diligence is compressed with clear milestones for recommendations and decisions.
There is usually a secure data room, where the company being acquired would submit various business-related documents such as employment and client contracts and profit-and-loss statements.
The due diligence team will also typically conduct multiple sessions with the senior executive team of the company being acquired. Clients could also be interviewed under the strictest of confidentiality (should the deal fall apart).
The session format may include the executive team presenting in sharing mode, or it could be more of an open discussion, but the due diligence team will use these opportunities to work through a very targeted list of questions and scenarios.
Spotting red flags
Right. That’s all nice in theory, so what went wrong here? From what's been reported, it seems as if JPMC asked the right questions before Frank produced its bogus results. And in this day and age, it's unfortunately not a given that you can verify whether or not someone is, in fact, submitting real information. But there are some ways to get a better sense of accuracy. Here are two things we would have specifically probed (at the risk of appearing wise after the battle, as all generals do):
Since Frank is a consumer-facing business, it presumably would have some type of customer service (CS) function. In software companies that serve consumers directly, a CS team in charge of maintaining the platform would likely have a super user login or other tool to view user accounts in the same way that users would see them. A due diligence team could use the login to spot-check a random sample of accounts from the user database to look for geographic location abnormalities, such as all users registering on similar dates being in the same small set of zip codes. They could also assess the accounts for any user activity to see when users last logged in or performed other actions on the app. This spot-check isn't foolproof, since some of those samples could have included real accounts, which would have made it more difficult to detect nefarious intent.
If the company experienced rapid user growth as Frank claimed, the due diligence team could also study its user analytics to look for abnormal patterns. For example, if an unusually high number of new users signed up on a single day, the team would look for any milestone campaigns or financial aid deadlines that would have driven such a drastic increase.
Paving the way for better due diligence
It's possible that the due diligence team did surface some of these issues and ran out of time to further vet them. JPMC may have looked at the company, acquisition price, and potential and balanced that view with the need to perform additional due diligence. If JPMC had no reason to suspect fraudulent intent, maybe it made a judgment call to move forward knowing that if something went wrong, it could recoup any losses after the fact, which is what's happening now.
Some observers have focused on the deal's price tag, but we don't think the size is particularly concerning considering how much it would cost a company like JPMC to invest in building comparable functionality itself, prove that it's attractive enough to gain some initial customers, and take it through the go-to-market lifecycle in any kind of timely manner. It's not always cheap and easy to develop tools like this in house.
We are a little confused about how the Frank executives didn't seem to think that this alleged scheme would come to light. If true, doctoring your numbers to appear attractive to a potential acquirer is an extremely ill-advised short-term tactic, to say the least. It's just not even worth it to try, especially considering that Frank seemed to have some genuine potential upside. Instead of falsely claiming 4 million users, it could have created a bona-fide plan to get to that 4 million if it was smart about who it targeted, where it got its leads, and how it would take its plan to market post-acquisition. This kind of strategy and 300,000 users would have resulted in a lower valuation, but Frank could have also become a larger legitimate business.
We expect that vetting the quality of consumer accounts and marketing lists that companies claim as unique assets will become the norm for due diligence teams. Ultimately, cases like Frank may serve to make everyone’s due diligence processes better.
One question
How would you approach vetting whether a large number or user accounts are real or fake?
Dig deeper
JP Morgan Says Startup Founder Used Millions Of Fake Customers To Dupe It Into An Acquisition
How Charlie Javice Got JPMorgan to Pay $175 Million for … What Exactly?
Thanks for reading,
Ana, Maja, and the Sparrow team
Enjoyed this piece? Share it, like it, and send us comments (you can reply to this email).
Who we are: Sparrow Advisers
We’re a results oriented management consultancy bringing deep operational expertise to solve strategic and tactical objectives of companies in and around the ad tech and mar tech space.
Our unique perspective rooted deeply in AdTech, MarTech, SaaS, media, entertainment, commerce, software, technology, and services allows us to accelerate your business from strategy to day-to-day execution.
Founded in 2015 by Ana and Maja Milicevic, principals & industry veterans who combined their product, strategy, sales, marketing, and company scaling chops and built the type of consultancy they wish existed when they were in operational roles at industry-leading adtech, martech, and software companies. Now a global team, Sparrow Advisers help solve the most pressing commercial challenges and connect all the necessary dots across people, process, and technology to simplify paths to revenue from strategic vision down to execution. We believe that expertise with fast-changing, emerging technologies at the crossroads of media, technology, creativity, innovation, and commerce are a differentiator and that every company should have access to wise Sherpas who’ve solved complex cross-sectional problems before. Contact us here.