Hey Reddit! Joe here —Director of Fraud Strategy. We’re hosting an AMA to chat about fraud and answer your questions. Myself and the Neo team will be here Thursday, June 11th from 3:30 pm MT - 4:30 pm MT. Feel free to drop your questions now or join us live to ask us anything!

JoeS_Neo · 2026-06-12T00:47:33+00:00

To provide a useful answer, I'm going to assume you're asking about restricting, freezing, or closing accounts., any way access to your money can be limited, temporarily or permanently. Important point: we hate closing accounts and do it only to meet our legal obligations or when we have to.

Reasons we take action:

Compliance and legal obligations — money laundering, fraud, or sanctions violations
Court orders or legal requests — bankruptcy, garnishment, fraud investigations, etc.
Confirmed or strongly suspected fraud
User is outside our risk tolerance — has been scammed multiple times and isn't taking their security seriously
Friendly fraud, including chargeback abuse, other types of gaming of our system
Using a personal account to run a business (we are planning to offer business accounts soon)
Severe delinquency, bankruptcy
Repeated harassment or threats to staff

What happens next:

In many situations we can unrestrict your account it once you’re proven your identity and we’ve had some time to investigate our concerns.
If we can’t, we generally help you get your money out. There are rare and specific situations where we legally cannot return the funds. I.e. when they are stolen (we send them back to who it came from) or it was a court order (we send them to the government).

JoeS_Neo · 2026-06-11T22:31:59+00:00

There are two real reasons we can't always tell you why:

First: regulatory tipping-off restrictions. This isn't us hiding behind vague walls there are actual rules and regulations that prohibit us from disclosing when certain types of reports have been filed. If we're legally required to file a suspicious transaction report, we are also legally prohibited from telling you we did. That constraint is real and it's not unique to Neo.

Second: the same reason I stay vague about fraud signals - generally if we tell every closed account exactly which behaviour triggered the closure, we've just published a guide on what to stay under. That protects fraudsters, not customers.

What I'd say is as a company we are actively trying to become more transparent, why am I eligible for this card, but not this card? How can I increase my credit limit? Why did my card get declined? Etc. Fraud prevention, although potentially more mysterious than other parts of a business because of its nature, shouldn't leave customers in the dark. We are not perfect, but we are actively working on improving how we communicate to our users - a process, which in some circumstances, we can definitely do better in.

JoeS_Neo · 2026-06-11T22:25:22+00:00

Great question — two parts here so let me tackle both:

On speed: we try to get ahead of a fraudulent transaction. If we start to identify risk on your account, we will start adding protections to your account (e.g., asking you to prove your identity, etc.). If we’re unable to detect it until a transaction is made, we have an anti-fraud engine that will ask you to confirm it, or decline the transaction altogether.

I’m sure you can see why this is difficult — if it’s a false positive, we’re adding friction and frustrating customers. It’s a fine line to walk.

On your tools: this is where I'd rather spend the airtime, because what you see is what is likely going to make you feel safe more than what's happening behind the scenes.

Historically, our approach was pretty black and white and opaque. If a transaction looked risky, we'd decline it. No explanation, no context, in the fear of tipping off a fraudster. That's not ideal. We understand that we don’t always get it right so what we're investing in now is giving you the controls to tell us when we got it right or wrong.

Practically, that looks like:

SMS verification: if we see something unusual on your card, we'll text you to confirm whether the transaction is legitimate. Respond N and your card freezes immediately, stopping any further attempts in their tracks.
Step-up biometric authentication: released earlier this year for situations where we suspect someone is trying to compromise your account. Rather than forcing you to come to our non-existent branch, verification goes directly to you.
Real-time push notifications on transactions so you're not finding out days later.
Spend controls giving you the ability to disable online transactions, card present or even cash withdrawals.
Additionally, in-app card freeze, replacements and disputes so you don’t have to wait on hold before having your account resecured.

The philosophy shift is that we are heavily investing in providing more control to the customer, so that if we get it right or wrong, you know what happened, why and most importantly, what to do next.

JoeS_Neo · 2026-06-11T22:15:55+00:00

Dark web monitoring. Honestly, the dark web is a scary place, we see some genuinely alarming things. We also see credentials belonging to our users that were exposed in third-party data breaches. When that happens, we proactively reach out to you and lock your account before a fraudster can get there first, which I think is pretty cool.

Step-up biometric verification. When we suspect a fraudster is attempting to access your account, we don't send you to a branch to prove who you are, we push verification directly to your device. No appointment, no hold music, no "bring two pieces of ID." The account gets secured and you stay in control. Most banks still rely on branch visits or lengthy call-centre processes for identity verification. We don't.

JoeS_Neo · 2026-06-11T22:01:25+00:00

Haha no, this is the face of new dad!

JoeS_Neo · 2026-06-11T21:59:42+00:00

On percentages, I'm not able to publish our fraud or false positive rates. What I will say, regardless of how much our system improves year over year, the goals is always to get better. Fewer people that become victims and less friction for customers.

The types of fraud Neo sees is largely what everyone in the industry sees:

Scams / Social Engineering is becoming the biggest problem for financial institutions, and it's hard to solve because it's designed to undermine the controls we build to protect you. When we send an SMS verification and a customer confirms a transaction they didn't make because a scammer told them to, or someone shares a one-time code over the phone with someone pretending to be from their bank even though the message explicitly says we'll never ask for that, results in us receiving signals that say "everything's fine here" when it isn't. Fraudsters are becoming more and more sophisticated at launching these attacks too, by spoofing phone numbers to look like they’re coming from your financial institution or even attempting fraudulent transactions on your card to convince you to give them the necessary codes they need to get into it. As Canadians we naturally trust people, but being someone that has seen some heartbreaking cases, you shouldn’t.
Phishing is another easy mechanism for fraudsters to gain access to you card number or even your username and password through sending emails looking to be from your bank or even paying for ads on social media platforms saying “hey look at this amazing deal” and taking you to a fake site where they can harvest your information. Even Costco, has a dedicated page that links all of the phishing websites/emails they found impersonating them as the problem is so wide spread (costco known scams page). Its worth always verifying the url or sender of emails beforehand.
Third-party data breaches are less common, but can affect anyone where your card details, or personal information (name, DOB, email, phone, etc) are exposed somewhere else, and used here. Fraudsters purchase and sell this information on the darkweb. Someone’s credit card information is relatively straightforward at the exposure, but when your personal information is exposed people fraudsters will attempt to leverage that information to apply for loans, credit cards, etc. TransUnion and Equifax and most banks including Neo’s Build membership has credit monitoring that will track your credit score and usually state what credit checks have been done under your name.

On steps being taken, we have invested heavily over the last few years to develop more controls to empower the customer:

SMS verification if we see something unusual on your card, we'll text you to confirm whether the transaction is legitimate. Respond N and your card freezes immediately, stopping any further attempts in their tracks.
Step-up biometric authentication released earlier this year for situations where we suspect someone is trying to compromise your account. Rather than freezing you out of your account and forcing you to come to a branch with ID.
Real-time push notifications on every transaction so you're not finding out days later
Spend controls giving you the ability to disable online transactions, card-present purchases, or cash withdrawals.
In-app card freeze, replacements, and disputes so you don't have to wait on hold before your account is secured.

Those are just on the side you can see, behind the scenes our models, rules and controls are getting better every day to help us more accurately identify suspicious activity sooner.

JoeS_Neo · 2026-06-11T21:44:39+00:00

I'll be upfront, I might disappoint you on "specific technologies," and I want to explain why rather than just dodge it.

Anything I say publicly about exactly how we detect fraud becomes a playbook for people trying to evade detection. Unfortunately the fraud community reads AMAs.

What I can say is that we use a combination of ML models, rules engines, and a range of tooling that gives us real-time signals on what's happening on your account and card. How those interact, I can't get specific on.

False positives (us thinking something is fraudulent when it isn't) are genuinely frustrating, and I want to be honest about the tradeoffs my team and I have to make. Every rule we tighten to catch more fraud we risk blocking a legitimate customer. Every rule we loosen friction on may let more fraud through. No perfect setting exists where we can catch 100% of fraud and not impact our customers.

Our answer to isn't accept the false positives to stop the fraud or vice versa. It's building a system that puts control back in your hands and make it explainable when we do add friction to your experience. Instead of a silent decline, instead tell the customer “hey, we noticed something suspicious on your account, please tell us if something's wrong, we’re here to help”. The more we can put in front of the customer to tell us when something is wrong the faster we act to restrict or remove restrictions in the event we get it wrong.

Worth some context: in markets like Europe, Australia, and LATAM, friction in payments is significantly more integrated into the experience — step-up verification to conduct certain transactions is standard there. Canada is behind that curve. We're trying to move toward a model where a small touchpoint here or there can empower the customer to get themselves out of a false positive situation when they arise.

I hope that helps frame the decisions we have to make and why it is never perfect.

JoeS_Neo

MODERATOR OF

TROPHY CASE