You thought 2022 was bad? Try 2023. The fintech lender’s leader sounded a downbeat warning to other fintech lenders as rising interest rates squeeze the market.
Upstart reported earnings on Tuesday that missed the mark Wall Street analysts had set.
Upstart is warning that the worst may still be on the way, even as rising interest rates and falling loan volumes have already caused the once high-flying fintech lender’s stock to sink nearly 90% this year and prompted a round of layoffs last week.
The company reported earnings on Tuesday that missed the mark Wall Street analysts had set. Its share price fell more than 20% in after-market trading, recovering only slightly Wednesday. CEO Dave Girouard cautioned analysts that there may be more pain to come.
“We’ve chosen to take a conservative position with respect to the direction of the economy in the coming quarters,” Girouard said on the company’s earnings call. “In other words, we assume the worst is in front of us. We’ll be pleasantly surprised if this turns out not to be the case.”
The San Mateo company reported a 31% annual decrease in revenue for the third quarter and a net loss of $56.2 million, compared to a roughly $29 million profit in the third quarter of 2021.
The company is projecting further drag on its revenue. It expects between $125 million and $145 million in fourth quarter revenue, which at the low end would mark a 58% decrease from the final three months of 2021.
Upstart says it is not a bank, but rather a technology provider for lending that uses artificial intelligence to write productive loans to borrowers overlooked by traditional creditors. It makes most of its money by charging fees for matching financial institutions with borrowers.
Higher interest rates and economic uncertainty have wreaked havoc on that business, often referred to as marketplace lending. Upstart is approving 40% fewer applicants compared to a year ago and at rates 800 basis points higher, according to Girouard.
“Many of our lending partners have reduced their originations, raised their rates, or both,” Girouard said. “This is generally out of an abundance of caution with respect to the economy and despite the fact that their Upstart-powered loan portfolios have met or exceeded expectations since the program began in 2018.”
Consumers are also in growing trouble. CFO Sanjay Datta said on the call that defaults are rising, personal savings rates are declining, and credit card debt is at record levels.
Upstart last quarter warned that the funding for its loans was under pressure as investors shifted away from backing riskier types of consumer debt. It said it would hold more loans on its balance sheet as it sought stable funding.
The company reported holding about $700 million in loans, notes, and residuals at the end of the third quarter, compared to $140 million at the same point last year.
Company officials reiterated to analysts that Upstart does not plan to become a chartered bank, a move that has allowed competitors SoFi and LendingClub to take in deposits and use the low-cost funding source to write loans directly.
“We believe fundamentally in a marketplace structure in the sense that a lot of lenders making independent decisions over the long haul is going to get to the right answer,” Girouard said.
That model did in fact allow Upstart to scale up quickly during the low-interest rate environment of 2021. The company originated nearly $12 billion in loans and its share price soared from $20 at its December 2020 IPO to $400 in October 2021. But analysts expected rising interest rates would challenge Upstart along with a list of other fintechs that thrived one year ago, and that is clearly playing out.
Last week, Upstart laid off 140 hourly employees, blaming “the challenging economy and reduction in the volume of loans on our platform.” Girouard said Tuesday that the company is reducing its marketing spending and limiting new hires.
While saying he was unhappy with the overall results, Girouard said the company added 17 lending partners to its platform last quarter, matching the total for all of 2021. The company has about $830 million in cash on its balance sheet and is reducing advertising costs and slowing hiring in response to the worsening conditions.
Girouard cast the reduction in loan volume as “a feature of our platform, not a bug,” as he said Upstart’s modeling is adjusting to the current conditions.
“Our results in Q3 were certainly not what we wanted them to be,” Girouard said. “But I also believe they reflect the Upstart team making the right decisions in a very challenging economic environment for the long-term success of the company.”
Wall Street does not appear to be buying that view just yet. Upstart’s shares were trading down about 15% midday Wednesday. Wedbush lowered its target price for Upstart’s share from $15 to $10 and noted in a report following earnings that the company, founded in 2012, has never been recession-tested.
“We fear that weakening delinquency and loss trends combined with macro- and geopolitical risks is leading to waning appetite from Upstart’s credit buyers and the securitization market,” wrote analysts David Chiaverini and Brian Violino. “The biggest risk to Upstart, in our view, is its reliance on third-party funding, and this risk tends to become exacerbated during recessions.
Ten-dollar account bonuses? Sending money to friends? A high-yield savings account? We’ve seen all of these promises before.
Musk has been saying for a while that he wants to turn Twitter into a super app, a do-it-all service that encompasses communication, news, shopping, and payments.
Owen Thomas is a senior editor at Protocol overseeing venture capital and financial technology coverage. He was previously business editor at the San Francisco Chronicle and before that editor-in-chief at ReadWrite, a technology news site. You’re probably going to remind him that he was managing editor at Valleywag, Gawker Media’s Silicon Valley gossip rag. He lives in San Francisco with his husband and Ramona the Love Terrier, whom you should follow on Instagram.
A lesser man would look at the battered fintech landscape and say, “Party over, oops, out of time.” But not Elon Musk! Musk is going to party like it’s 1999, with his new toy called Twitter.
At the start of 1999, Musk was emailing me about his plans to remake banking with a startup called X.com — plans that accelerated when he merged it with another startup that eventually became PayPal. On Wednesday, he talked up strikingly similar ploys in a Twitter Spaces chat.
Musk had been saying for a while that he wanted to turn Twitter into a super app, a do-it-all service called X that encompassed communication, news, shopping, and payments. These apps have been successful in China — think WeChat — but not so much elsewhere, though that hasn’t stopped American tech companies from trying.
There’s a bigger problem, though: Musk’s wannabe super app faces a ton of competitors that didn’t exist two decades ago. One of the chief ones is run by someone close to him.
The biggest challenge Musk’s super app may face is Musk. He has a famously short attention span and he’s already careened from one idea to another in his mission to reinvent Twitter. As PayPal learned, getting people to trust you with their money requires painstaking attention to detail, from the design of a checkout button to fraud-catching algorithms. Musk hasn’t been in that business for decades. There’s a lot he missed the first time, and a lot he has to learn. And there is little sign that he has the patience required.
Owen Thomas is a senior editor at Protocol overseeing venture capital and financial technology coverage. He was previously business editor at the San Francisco Chronicle and before that editor-in-chief at ReadWrite, a technology news site. You’re probably going to remind him that he was managing editor at Valleywag, Gawker Media’s Silicon Valley gossip rag. He lives in San Francisco with his husband and Ramona the Love Terrier, whom you should follow on Instagram.
COVID didn’t really bring new secular technology trends. Instead, the pandemic sped up the progress of changes that were already starting to be made. Businesses reimagined their digital processes. Cloud adoption increased. And security concerns became a higher priority. Each of these changes brings new risks, but the right processes and technology offer businesses significant positive benefits.
It’s easy to get caught up in new technologies and their possibilities. But the core of this shift comes down to the basics of good enterprise security and governance. Businesses need to make sure the right people get the right access to the right technology. On the flip side, they must also make sure that only the right people are accessing the technology at any time.
In the past, security was typically the responsibility of the IT department. But as businesses now understand that threat mitigation and legal complications pose serious risks, security discussions have risen to the C-suite and board of directors level. Organizations realize that the same forces that solve risk and compliance challenges can also improve workforce productivity and reduce complexity.
Identity’s increasingly critical role
Employees are no longer all in the office. Some work from home full time. Others may work hybrid. Organizations are still experimenting with different models to see what works best for both the business and their employees. The future of work will likely continue to evolve over the next several months and years. However, the challenge is determining how to keep the drastically changing hybrid work environment secure.
Organizations are increasingly turning to identity-first security to secure access to their most critical resources. Gartner’s Identity and Access Management (IAM) Magic Quadrant reports that by 2025 converged IAM platforms will be the preferred adoption method for Access Management, Identity Governance and Administration (IGA) and Privileged Access Management (PAM) in over 70% of new deployments, driven by more comprehensive risk mitigation requirements.
With this approach, the foundational level for security is understanding the identity of all users and each of their devices. Whether it’s an employee, a contractor, an endpoint or a server, every entity within an organization needs to be authenticated into systems and gain authorization to perform actions.
Identity has become even more critical to technology executives as the stakes have grown. It’s easy to think of security as simply protecting the organization. But in reality, improving security through identity-first security processes provides many often unseen benefits. With the right level of security, employees have the access they need across the organization, and teams speed up tool and technology adoption. Identity-based security enables the business to grow and innovate as much as it protects.
Compliance and security tools need to improve
In the past, compliance-focused industries like identity and access governance had to make some tough tradeoffs. They were tasked with keeping the business secure and compliant with regulations. But that often meant making it tough for employees to get their jobs done. At the same time, this approach often added more work and a greater burden on IT professionals trying to keep systems up and running.
Legacy compliance and security tools were often the problem. They lacked the ability to easily integrate with modern applications and were challenging to implement. Not to mention, the technology was miserable for users, which made it hard to get buy-in for broad adoption.
But now, cloud technologies have democratized access and adoption. With governance and privileged access solutions, more users within an organization can compliantly engage with applications either as an end user or as an authorizer. When all employees have access to data, applications and infrastructure to do their job in an efficient manner, the entire business grows and moves forward.
How the world should work
Modern solutions must work with today’s speed of innovation and adoption. Otherwise, the business wastes time and loses momentum. Organizations need tools to be up and running within days, not weeks or months. Employees expect the tools to be easy to use, and the IT team needs the technology to be easy to maintain. When the technology delivers a seamless and frictionless experience, productivity and agility increases. Most importantly, the benefits happen without sacrificing security.
As the first independent born-in-the-cloud identity provider, Okta applied its modern approach to identity and access management to IGA with Okta Identity Governance, which is now generally available. Okta Identity Governance, which is part of Okta’s broader workforce identity vision, unifies IAM and IGA to improve enterprises’ security posture. Additionally, the Okta technology mitigates modern security risks, improves IT efficiency and meets today’s productivity and compliance challenges.
Technology needs to meet employees and the IT team where they are. Deeply integrated into Okta’s existing IAM solutions, Okta Identity Governance provides an unparalleled comprehensive view of every user’s access patterns. With enriched user context, reviewers can simplify the access certification process while making informed decisions that ensure only the right people have access to resources. At the same time, employees can access easy-to-use self-service access request capabilities. Because the technology is tightly integrated with collaboration tools built on a converged IAM and governance solution, organizations can automate access provisioning of both the enterprise’s applications and cloud resources.
Moving forward with identity-first security
Security tools should accelerate technology adoption. But often, the tools actually disrupt and slow down forward movement. With Okta tools, organizations have the compliance and security protection to grow while still protecting themselves from risk.
Businesses are more secure and protected with technology that gets the right users the right level of access for the right amount of time. When a business embraces technology it is more secure and productive but using a cloud-based platform takes it to a new level — the IT teams are more efficient while reducing significant complexity. And instead of focusing on security and access, the organization can focus on what it does best: serving customers and growing the business through innovative solutions.
Sam Bankman-Fried was angling to be a major player in Washington. Now his firm and his reputation are in tatters, and even crypto’s D.C. allies are asking questions.
Sam Bankman-Fried, CEO of FTX, has played a prominent role representing crypto in Washington. The collapse of his empire will undoubtedly hurt the industry, experts say.
Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at [email protected] or via Google Voice at (925) 307-9342.
Election Day featured an unexpected loser: crypto.
Voters were trooping to the polls Tuesday as news broke that Binance was offering to buy FTX. The rescue deal — nonbinding, and itself shaky — came in the wake of a growing scandal over FTX’s opaque finances and a market sell-off sparked by growing uncertainty across the industry.
Kristin Smith, executive director of the influential crypto lobby group Blockchain Association, said she “forgot it was Election Day.” The rapid-fire tweets revealing the deal were “absolutely mind-blowing,” she said.
“I don’t think I’ve ever experienced anything like this,” said Smith. “This was the most remarkable day I’ve had in my career working in crypto.”
For the crypto lobby, the Binance-FTX deal — and its apparent collapse Wednesday — reignited fears about the industry, likely setting back recent efforts to change regulators’ and policymakers’ perception of the young, fast-growing market.
“This is a step backwards in terms of the advocacy in Washington,” Smith said.
Gabriella Kusz, CEO of the Global Digital Asset & Cryptocurrency Association, agreed: What happened with Binance and FTX “will most definitely impact the ability of FTX and the organizations they support to work in good faith with legislators and regulators,” she told Protocol.
“D.C. is not a very forgiving town and people tend to have long memories,” she added. “Integrity is very hard to build and very easy to lose.”
Crypto has been building up its presence in Washington over the past year, as the industry faced heightened regulatory scrutiny and challenges.
The industry found itself in a major battle last year when crypto companies and lobby groups including the Blockchain Association tried to block provisions that would have required miners and node operators to report crypto transactions like brokerages.
While the campaign failed, the issue helped galvanize the industry and its allies in Washington. Over the summer, Sens. Cynthia Lummis and Kirsten Gillibrand introduced the Responsible Financial Innovation Act, which seeks to clarify regulations for crypto. The bill largely endorses the industry view that many cryptocurrencies should not be regulated as securities.
Another bill introduced before the Senate Agriculture Committee, the Digital Commodities Consumer Protection Act, would grant the CFTC greater authority in regulating digital assets, effectively minimizing the role of the SEC.
The industry had high hopes for the DCCPA, which had a chance of getting marked up before the end of the year.
But the FTX collapse has probably derailed that, Smith said. “I think Congress is going to want to incorporate anything they learned from this incident into any regulation going forward,” she said. Perianne Boring, founder of the Chamber of Digital Commerce, said she expects policymakers “will want to take a wait-and-see approach to better understand the FTX-Binance deal.”
Cathy Yoon, chief legal officer at MPCH, said she expects the work of lawyers who have been part of the markup and negotiation process for the different crypto legislation will continue. “But I also think there will be more skepticism from Congress whether there will be another rug-pull-type event where some participants lose credibility overnight,” she told Protocol.
Smith cited another key reason why the push for the DCCPA could lose steam in Washington: Sam Bankman-Fried had been “one of the biggest backers of that legislation,” she said.
In fact, Bankman-Fried has played a critical role in the crypto lobby in Washington. Dubbed the “crypto prince,” Bankman-Fried became famous for saying that he planned to spend $1 billion on political campaigns through the 2024 presidential race, though he subsequently called the statement a “dumb quote.”
Bankman-Fried played such a prominent role representing crypto in Washington that the collapse of his empire will undoubtedly hurt the industry, said crypto critic Molly White.
“SBF was just spending a lot of time in D.C. schmoozing with lawmakers,” she told Protocol. “If I were those legislators, I would be questioning a lot of his suggestions after seeing what was happening behind the scenes at FTX.”
But Smith said Bankman-Fried “was not the only voice in Washington working on these issues.”
“He was a very effective advocate and built a lot of relationships, but there are a lot of us that are working to build the next generation of financial services,” she said.
Crypto still has allies in Washington, some of whom expressed support for the industry in the wake of the FTX collapse. Sen. Lummis said what happened provides “the clearest example yet of why we need clear rules of the road for digital asset exchanges in the United States.”
Mark Hays, a senior policy analyst at the Americans for Financial Reform, said the FTX collapse and the uncertainty it triggered “strike a blow for the credibility of the industry, and for calls to advance regulatory legislation quickly in the name of fostering crypto innovation.”
“We should be prioritizing protecting consumers and investors, not creating safe spaces for crypto magnates to play fast and loose with investors’ assets,” he told Protocol.
Smith said the FTX crisis unfolded so suddenly that it left the crypto community “in shock.” Given what has happened, “I don’t think there’s any chance of legislation at all” this year, and the focus will be “on hitting the reset button and starting over.”
Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at [email protected] or via Google Voice at (925) 307-9342.
Open-source software projects hosted on the repository will now be able to receive vulnerability disclosures from researchers through a new private channel.
Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at [email protected].
GitHub wants to avoid surprise disclosures of zero-day vulnerabilities in open-source software projects with the debut of private vulnerability reporting on the platform.
The service, announced on Wednesday, aims to make it more straightforward for a security researcher who finds an open-source vulnerability to report the issue to the project’s maintainers, according to Justin Hutchings, director of product management at GitHub.
And for maintainers of open-source projects hosted on the repository, “we want to really take those barriers down so that those developers aren’t surprised about the security problems on their own project,” Hutchings told Protocol.
“One of the worst things that we hear about from developers is that they’ll find out through Twitter that somebody reported a [vulnerability] on a project of theirs, and they never heard about it,” he said.
“They then have their users coming to them and asking, ‘Do you have a fix for this problem?’ And they say, ‘What problem?'” Hutchings said. “And that is just not a good day for anybody involved in open source.”
A common issue is that security researchers do attempt to contact open-source maintainers to disclose vulnerabilities, but often the reports end up going to individuals that weren’t prepared to receive the reports and hadn’t developed a process to respond to them, Hutchings said.
As a result, “oftentimes they get ignored,” he said. “It’s not malice. It’s just the process isn’t built for success.”
The problem is particularly acute outside of the most high-profile open-source projects, Hutchings noted.
In response, GitHub’s new private channel will allow open-source maintainers and researchers to privately discuss vulnerabilities within the bounds of the platform. The Microsoft-owned code repository reports having more than 90 million users.
Private vulnerability reporting will be free on GitHub, Hutchings said, and it’s now available as a public beta with plans to make it generally available in early 2023.
The goal is to “really make a difference in reducing how many times we have zero-days where the entire open-source community ended up surprised, and has to scramble to create patches,” he said.
The service was announced Wednesday in connection with the GitHub Universe 2022 conference, and comes amid growing concerns in enterprise and government about the security risks posed by open-source software components. GitHub has been tackling the issue in a variety of ways, from making it easier for developers to use its database of known vulnerabilities to announcing a forthcoming two-factor authentication requirement.
On Wednesday, GitHub also disclosed other security-related updates including general availability for support of the Ruby programming language.
Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at [email protected].
A new capability for Okta passwordless authentication seeks to ensure that even if login data related to fingerprints or facial scans is intercepted by a malicious actor, “it’s no use to them,” according to CEO Todd McKinnon.
Todd McKinnon, chief executive officer of Okta, spoke exclusively with Protocol about its next moves.
Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at [email protected].
Okta has developed a new capability for its passwordless authentication system aimed at countering the illegitimate use of biometric login data, a move meant to head off a potential route for malicious actors who are becoming increasingly sneaky in their phishing attempts.
“Threat actors are getting better and more sophisticated, and this is kind of a quest to make sure we stay one step ahead of them,” Okta co-founder and CEO Todd McKinnon said in an exclusive interview with Protocol.
The new capability for Okta’s passwordless authentication product, FastPass, is now in an early access preview, and is expected to be generally available in early 2023.
Biometric data is considered an inherently more secure method of authentication given the unique nature of each person’s fingerprint or facial scan. But a series of high-profile cases of thwarted multifactor authentication, including the interception of one-time passcodes, shows that login data tied to biometrics could very well become a bigger target for phishing going forward too, according to Okta.
The company’s answer to the looming threat, McKinnon said, is “to make even the biometric authenticators more anti-phishing” by default.
The method that Okta is implementing involves binding biometric login information to a user’s device so that only that device can use that information for authentication.
“What that means is if someone puts up a fake phishing site and tricks you into pushing your fingerprint into the fake page, it’s no use to them,” McKinnon said. “They can’t use that to then log in as you.”
Specifically, the new capability prevents the reuse of the login keys that are generated in response to a user’s biometric data rather than protecting the biometric data itself, according to Okta. The actual biometrics are already protected since they do not leave the user’s device as part of the FastPass system, the company said.
The new capability, Advanced Phishing Resistance for FastPass, comes amid research showing that identity-based attacks are now the largest source of breaches by far. The capability was announced among several Okta product updates Wednesday in connection with the company’s Oktane conference.
Another update that is “coming soon” to FastPass, Okta said, will make the service available to an organization’s external partners in addition to its direct employees.
Other product updates announced by Okta include another forthcoming anti-phishing service, focused on the use of WebAuthn authenticators such as biometrics or hardware security keys. The new feature will provide organizations with better controls over WebAuthn enrollment in order to prevent phishing attempts, Okta said. It’s planned for early access release in the first quarter of 2023.
Meanwhile, Okta also announced several new features meant to enable automated responses to security issues as part of its no-code Okta Workflows product.
The new features include a set of pre-built security templates meant to demonstrate how workflows can be used, which security teams can then tweak to their specific needs. Okta also announced a tool that enables the no-code creation of connectors to additional data feeds in Workflows, such as threat intelligence feeds.
Ultimately, for all organizations, “you want to be able to have a simple way to automatically respond to attacks,” McKinnon said. “Having an automated workflow to respond to what’s going on — that’s what your security operations center really wants.”
Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at [email protected].
To give you the best possible experience, this site uses cookies. If you continue browsing. you accept our use of cookies. You can review our privacy policy to find out more about the cookies we use.
