I honestly cannot fault him. While online fraud prevention is a massive industry that touches almost every major website we use, you don't exactly have people giving talks about how serious the problem is or how advanced the detection tooling is because the nature of the industry requires you to keep your methods secret.
Heck, I have a friend who's working on a non-finance web app with <20k MRR, and even at that size he's starting to encounter fraud problems that require tooling to mitigate.
If your app stores any data that may be sellable on the dark web, you are a target.