Buy Now, Bleed Later: How $20 Billion in Holiday Debt Just Made You a Fraud Target

While you were financing Christmas, criminals were financing their operations. Inside the BNPL trap where economic desperation meets systematic exploitation, and why embedding debt into your debit card is the fraud industry's dream come true.


GM, Welcome Back to the Dead Drop.

This morning, while you were probably checking your bank balance and wincing at those holiday BNPL payments, Fiserv and Affirm announced a partnership to embed buy now, pay later directly into debit cards at community banks and credit unions nationwide.

They're calling it "meeting evolving consumer expectations around greater flexibility."

I call it what it actually is: the final stage of making financial desperation completely frictionless.

Let me show you what just happened, why it matters, and how the $20.2 billion in BNPL spending over the 2025 holiday season didn't just create a debt crisis. It created a fraud playground where desperate consumers make perfect victims for everyone from pig butchering scammers to the "legitimate" financial institutions bleeding them dry.

The Holiday That Ate Your Future

The numbers from the 2025 holiday season tell a story the financial services industry doesn't want you to understand:

Americans spent $20.2 billion using BNPL from November through December. That's an 11% increase from 2024. Cyber Monday alone generated $1.03 billion in BNPL transactions, an all-time high. Black Friday added another $747.5 million. Half of all holiday shoppers used BNPL this year.

Here's where it gets ugly: 60% of those users admit they financed purchases they couldn't otherwise afford. Not "didn't want to afford," couldn't afford. And 38% report feeling MORE financially stressed than they did in 2024.

BNPL users now carry an average of $1,128 MORE in credit card debt than non-users. Habitual BNPL users, the ones financing both essentials and discretionary purchases, hold average balances of $5,181, roughly 60% higher than people who don't use these services.

Nearly a quarter of BNPL users missed payments in 2025, up from 18% in 2023. Over 25% regret using BNPL after realizing how much they actually owed. And 66% are juggling multiple simultaneous BNPL loans, with 33% borrowing from multiple lenders at once.

This isn't people "managing their spending flexibly." This is people drowning, grabbing at anything that keeps them above water one more month.

And 79.4% of these transactions happen on mobile devices: impulse spending with zero deliberation, stacking invisible debt one tap at a time.

The Zero-Percent Lie

Here's what the marketing doesn't tell you about that "0% interest!" promise plastered across every BNPL checkout screen:

The short-term "Pay in 4" plans are indeed interest-free. But that's the hook, not the reality most users experience.

Klarna's longer-term "Pay Monthly" financing carries interest rates from 6.99% to 35.99% APR. Affirm's extended payment plans go up to 36% APR, higher than most credit cards. When you're financing that $800 purchase over 12 months at 30% APR instead of four interest-free payments, you're paying an extra $140 in interest.

But it gets worse. Miss a payment on even the "interest-free" plans and you get hit with late fees: up to $8 per missed payment for Klarna and Afterpay. Those fees are capped at 25% of your total purchase price, meaning a $400 transaction that you miss payments on could generate $100 in penalties.

Nearly 1 in 5 subprime BNPL users, the financially stressed population most likely to need these services, incur late fees. The Consumer Financial Protection Bureau found that 11% of ALL BNPL users were charged late fees in their analysis.

And here's the kicker: Klarna's "junk fees," what they internally call reminder fees, snooze fees (paying to move a payment date), and administrative fees, grew 42% in 2024. That's nearly double their overall revenue growth rate of 24%. Translation: they're making more money from people who can't pay on time than from people who can.

These penalty fees and interest charges contributed over 13% of the entire BNPL industry's revenue in 2021. You're not the customer. You're the product. And if you're struggling financially, you're the premium product.

Two Frauds, Same Victim

Here's the framework I need you to understand: there are two distinct frauds happening simultaneously to the same population, and they're working in perfect coordination even though they're run by completely different actors.

Fraud One, The System: Financial institutions marketing BNPL as "flexibility" when the data shows it's a debt trap optimized to extract maximum revenue from your financial desperation.

Fiserv's press release this morning said the quiet part out loud: they want to "keep customer spend within their ecosystem." Translation: trap you in a cycle where your primary bank also controls your installment debt, your debit card, and every financial decision you make.

Affirm is creating an FDIC-backed bank subsidiary to "scale" these operations. Klarna just faced a securities lawsuit alleging they understated credit loss reserves and obscured risks to investors; their stock dropped 33% from the IPO price because reality caught up with the marketing.

These companies knew exactly how risky their lending was. They knew 24% of users would miss payments. They knew their "junk fees" revenue was growing twice as fast as legitimate revenue. They knew they were targeting subprime borrowers who couldn't afford alternatives. And they optimized for growth anyway, because desperate people generate the highest profit margins.

Fraud Two, The Criminals: External fraudsters targeting the exact same desperate population the BNPL industry just created and catalogued for them.

When you're underwater on five simultaneous BNPL loans, trying to track payment dates across multiple apps, already carrying $1,128 more in credit card debt than your non-BNPL-using peers, and getting hit with late fees and interest you didn't anticipate, you become vulnerable to:

Imposter scams that exploit financial anxiety. When someone calls claiming your bank account is compromised and needs "immediate verification," you're more likely to panic and comply if you're already stressed about money.

Pig butchering schemes. The promise of investment returns that could cover your debt becomes more appealing when you're legitimately desperate for income.

Fake debt consolidation services. Scammers specifically targeting people drowning in BNPL payments with offers to "combine everything into one low payment."

Romance scams. Bad actors have learned to identify and target financially stressed users on social media, offering emotional support that evolves into financial exploitation.

Work-from-home MLM schemes. When you need an extra $500 to cover this month's installments plus the late fees you just got hit with, that "be your own boss" pitch starts looking reasonable.

And here's the criminal innovation nobody's talking about: fraudsters are also exploiting BNPL's infrastructure itself. Synthetic identity fraud in BNPL increased 60% in 2024. Account takeover attacks rose 13%. The "Klarna glitch" became a viral TikTok trend teaching teenagers to commit fraud using stolen identities.

First-party fraud, where users intentionally rack up BNPL debt with no intention of repayment, increased at 62% of merchants in the past year. That's not criminals. That's desperate people who've been pushed into unethical behavior by a system designed to extract everything they have.

The Fraudfather Bottom Line

The $20.2 billion in holiday BNPL spending isn't evidence of consumer preference for "flexible payments." It's evidence of economic desperation being packaged, marketed, and sold as convenience while hiding predatory fee structures behind "0% interest!" headlines.

Desperate people make perfect victims, not just for external fraudsters running pig butchering schemes, but for the "legitimate" financial system that designed penalty fees to grow twice as fast as legitimate revenue.

When someone is juggling five BNPL loans, carrying $5,181 in credit card debt, getting hit with late fees they didn't see coming, watching interest rates jump to 36% on longer-term purchases, and trying to track payment dates on a phone while financially stressed and cognitively overloaded, they become vulnerable to every fraud vector simultaneously.

The two frauds aren't separate. They're symbiotic. The financial system creates the conditions: economic stress, hidden fees, shadow debt, cognitive overload. Criminals exploit those exact conditions. And this morning's Fiserv/Affirm announcement shows the system has no intention of stopping.

They're scaling up. Embedding deeper. Making it impossible to escape the cycle they're creating while calling it "flexibility" and "meeting expectations."

Here's what they won't tell you: every new BNPL integration, every "convenient" debit card partnership, every expansion of "0% interest!" payment options creates more fraud victims. Some will be victimized by external scammers. Some will be victimized by 36% APR and late fees buried in the fine print. Many will be victimized by both simultaneously.

And the industry will keep calling it progress.

Monitor your BNPL usage like you monitor fraud attempts, because the line between the two is thinner than the marketing materials suggest.

6,000+ fraud investigators, executives, investors, and skeptics read this newsletter because they refuse to be victims. While most people argue about headlines, we track the institutional fraud that creates rationalization frameworks for crime at every level. The Dead Drop connects monetary policy to your portfolio, political theater to who pays the bill, and systemic theft to why everyone's becoming a scammer. We don't just cover symptoms. We expose the fraud infrastructure that makes honest people feel like suckers. Know an investigator, executive, or operator who needs this intelligence? Forward this.


One Login to Lose Them All: How Universal Identity Protocols Built a Fraud Superhighway

An IAL2 digital credential from ID.me or Login.gov is a digital skeleton key: one login unlocking federal taxes, unemployment benefits, Social Security, VA services, SNAP. Lose control of it, and criminals can access everything simultaneously.

That's not a bug. That's interoperability working exactly as designed.

And this week, the payment industry announced they're scaling a similar architecture across global commerce. Google launched protocols for autonomous AI agents to shop on your behalf. Visa is exposing "network-level intelligence" through standardized interfaces. The global financial system is migrating to ISO 20022, embedding rich data directly into payment messages.

They're calling it the future of frictionless commerce. Here's what they actually built: systematic fraud infrastructure where one exploit works everywhere at once.

The Integration Debt They're Not Mentioning

For two decades, technology progress meant platforms building proprietary stacks and walled gardens. Identity lived in one place, data in another, money somewhere else entirely. Moving value across these domains required translation layers, reconciliation teams, and compliance workarounds that slowed innovation while inflating costs.

The industry calls this "integration debt." Custom APIs, bilateral agreements, and middleware designed to connect systems that were never meant to talk to each other.

That friction was expensive. But it was also the only thing preventing systematic fraud at scale.

Every bespoke integration meant criminals had to learn each system individually, exploit each platform separately, and couldn't systematize their operations across ecosystems. The fragmentation that cost billions in efficiency also cost criminals billions in scaling their operations.

Now the industry is eliminating that friction. For everyone.

What They're Actually Building

Google's Unified Commerce Protocol and Agent Payments Protocol aren't just about enabling AI assistants to shop on behalf of users. They're about standardizing how autonomous agents discover products, authenticate users, negotiate terms, and complete transactions across platforms.

The protocols only work if identity, product data, and payment rails adhere to shared standards. That's the goal: make identity verifiable, data portable, and money programmable across ecosystems rather than within them.

ISO 20022 is being described as a technical upgrade for cross-border payments. It's better understood as the semantic standardization of money. Payment messages no longer just move funds; they carry purpose, reference data, and compliance context in machine-readable format. A transaction includes why it happened, who authorized it, and what regulatory frameworks apply.

Visa's Commerce Enablement Data Platform exposes network-level intelligence: risk signals, transaction context, merchant attributes. They're making the surveillance infrastructure that took decades to build available through documented APIs that anyone can integrate.

The pitch is compelling: eliminate the translation layers, reduce reconciliation overhead, enable real-time compliance. Stop treating data as an afterthought. Make systems that can actually talk to each other instead of requiring human middleware to bridge the gaps.

Here's what they're not saying: you just created a universal attack surface where exploits are portable, synthetic identities work everywhere simultaneously, and criminal reconnaissance became systematized.

When Standards Become Criminal Infrastructure

Let me show you exactly what happens when payment protocols standardize fraud opportunities:

Portable synthetic identities. Creating fake identities used to require customizing them for each platform's quirks. Name formatting here, address validation there, SSN verification somewhere else. Now? Build one synthetic identity that complies with the protocol standard, and it works across every integrated platform. The fragmentation that made synthetic identity fraud expensive to scale just disappeared.

Cross-platform exploitation. Discover a vulnerability in how one institution implements ISO 20022 messaging? That vulnerability likely exists across hundreds of financial institutions using the same standard. The exploit that took months to develop and test against one target now works everywhere simultaneously. Criminal R&D costs just dropped to near zero while the addressable market expanded exponentially.

Autonomous agent manipulation. Google's agentic commerce protocols enable AI to negotiate and complete transactions without human confirmation. That's not a feature with a vulnerability. That's a vulnerability marketed as a feature. Criminals can create agents that impersonate legitimate users, exploit machine-to-machine trust protocols, and complete fraudulent transactions faster than human victims can detect them. Social engineering at machine speed, scaled across platforms.

Semantic intelligence harvesting. ISO 20022's "rich, structured data" embedded in payment messages means criminals can now extract compliance context, reference information, and transaction purpose directly from payment streams. What used to require infiltrating multiple systems and piecing together fragments is now standardized, documented, and flowing in real-time through every transaction.

The Accountability Gap Nobody's Discussing

The source material I'm analyzing says "composition may scale better than control" when describing protocol adoption. Here's what that means in fraud terms: nobody owns security.

When protocols are "neutral," when no single actor controls the standard, every participant assumes someone else is handling authentication, fraud prevention, compliance monitoring. The distributed architecture is also distributed accountability.

That's not a technical limitation. It's a design choice. And criminals understand the implications better than the architects.

Google pushing protocols for agentic commerce isn't about interoperability. It's about defining how value creation, data access, and monetization work downstream. Visa exposing network intelligence isn't about enabling innovation. It's about concentrating surveillance infrastructure while distributing the liability for its misuse.

The article frames protocols as "neutral plumbing." But protocols are instruments of power. Whoever defines the standard sets the constraints for everyone building on top of it, including constraints on security, verification, and fraud prevention.

The Two Frauds

Fraud One, The System: Payment giants selling "interoperability" while building concentration points that systematize vulnerability. When identity verification becomes portable, nobody verifies it properly because everyone assumes someone else already did. When compliance data flows through standardized messages, institutions stop checking it because the protocol theoretically guarantees accuracy. When autonomous agents transact on behalf of users, humans stop monitoring because machines supposedly handle authentication.

The efficiency gains are real. So are the systematic security failures baked into the architecture.

Fraud Two, Criminal Systematization: External fraudsters exploiting the exact portability being marketed as progress. Every protocol integration creates an attack vector. Every standardized interface enables reconnaissance. Every autonomous capability becomes an impersonation opportunity.

And here's the critical insight: criminals adapt faster than standards bodies. By the time institutions finish implementing these protocols and compliance teams understand the new attack surface, fraudsters have already systematized the exploits and moved to the next vulnerability.

The Fraudfather Bottom Line

The payment industry just built highways for identity, data, and money to flow freely across platforms. They marketed it as solving integration debt. They sold it as enabling innovation and reducing friction.

What they actually built was systematic fraud infrastructure at scale.

When identity becomes portable, synthetic identities become portable. When data flows freely through standardized protocols, criminal intelligence harvesting becomes systematized. When autonomous agents can transact without human confirmation, fraud operates at machine speed across platforms simultaneously.

The fragmentation that cost the industry billions in efficiency also cost criminals billions in scaling their operations. That friction is gone. For everyone.

And the protocol evangelists celebrating "interoperability" are ignoring one fundamental reality: composition doesn't just scale better than control for legitimate commerce. It scales better for systematic fraud.

They built the highways. They forgot the checkpoints. And criminals are already driving.


The Fraudfather combines a unique blend of experiences as a former Senior Special Agent, Supervisory Intelligence Operations Officer, and now a recovering Digital Identity & Cybersecurity Executive. He has dedicated his professional career to understanding and countering financial and digital threats.

 This newsletter is for informational purposes only and promotes ethical and legal practices.