A confluence of factors has given rise to the growing frequency and sophistication of fraud: a swiftly evolving real-time payments landscape, the emergence of artificial intelligence and machine learning, gaps in digital security, the exploitation of human vulnerabilities, and the unprecedented acceleration of complex, professionalized global fraud. This is creating an urgency for financial institutions and organizations to develop new systems to detect and prevent increasingly sophisticated fraud schemes. Financial institutions are prioritizing fraud orchestration, or the centralization of processes and integration of data from various sources to create a unified defense to fight digital fraud.
LEADERS is a flagship channel that spotlights C-level executives and top experts as they discuss transformative topics for an audience of key decision-makers. We deliver thought leadership on the most pressing issues driving banking and financial services. The LEADERS series is made possible by the support from top industry collaborators including Q2.
Transcription:
Transcripts are generated using a combination of speech recognition software and human transcribers, and may contain errors. Please check the corresponding audio for the authoritative record.
Holly Sraeel (00:21):
Hi, I am Holly Sraeel, Senior Vice President of American Banker Live Media. Today for our Leaders panel discussion, I'm going to be talking with Valley National Bank's Richard Vitale, JP Morgan's Sridhar Kotamraju, and Q2's Jeff Scott about the professionalization of modern fraud and the factors that are contributing to it. Welcome, gentlemen. I'd like to toss out a few fraud data points for our audience before we get going. The world of fraud is complex, increasing in frequency and sophistication, and it's now being powered by technology like AI. Fraud threats and related losses remain persistent and are growing in areas like check, credit card, ACH, deepfakes and synthetic identity fraud, as well as account takeover and authorized push payment scams and business email compromise schemes. Nearly 60% of US businesses reported higher fraud losses in 2025 compared to previous years. Global companies lost an average of 9.8% of equivalent revenue to fraud, a 46% increase from the previous year. 72% of businesses expect AI-generated fraud to be a top challenge. On the consumer front, identity theft and stolen credit card data remained the top concerns for consumers, 68% and 61% respectively. Over a third of consumers were targeted by attempted financial fraud between January 2024 and January 2025. Among those targeted, nearly 40% suffered a monetary loss. Setting the stage, let's talk about the rise of the professionalized fraud. How has fraud evolved from opportunistic crime to a professionalized organized industry? Rich, let's start with you.
Richard Vitale (02:09):
Sure. Thanks Holly. The advances in technology over the past more than 10 years have laid a foundation for fraud to move from something that used to be more often than not, maybe committed by someone who was familiar or someone took a check out of your checkbook while they were visiting your house, and now we've evolved to the point and so quickly that there are entire frauds evolved to corporate style. It's fraud as a service now with the level of computing technology, the capabilities that AI have brought the internet and specifically the dark web. I'm not going to step too much on your space, Jeff, I promise, but I think all of those elements have created the perfect storm that now allow fraudsters to collaborate and maneuver around the controls that we attempt to put in place. They're lighter, they can pivot faster, and currently I think we're in a mode where we're all playing catch up.
Jeff Scott (03:18):
Yeah, maybe Rich to build off of that, if you think about the last couple of decades that the financial service industry has been fighting new forms of fraud, we all enjoyed the opportunity to wait for batch transactions to be reviewed, so there was a queue at the end of the day for ACH. There's a wire room that's reviewing transactions. Now with sort of what you talked about on that timeline of you think about magstripe going to chip, you think about the adoption of digital banking. We could throw in COVID to help the ramp of digital banking. At the same time you have new payment factors, so P2P, A2A, you've got RTP and those have really been sort of coming online over the last seven to eight years and they're literally real time in nature versus what we were able to stop and take a look at a batch at the end of the day.
(04:16):
At the same time, AI is on the scene in a much more prevalent fashion, and so to your point about it being an organized attack, fraudsters don't have to worry about data privacy. They don't have to worry about things that financial institutions have to live by from a regulatory perspective and just from legacy tech perspective that fraudsters have visibility into. So they don't care about jurisdiction lines, they don't have the same tech implications that we do and they can use these modern tools in a way that we were all sort of playing catch up. To your point,
Holly Sraeel (04:57):
Sridhar, could you weigh in?
Sridhar Kotamraju (04:58):
Just want to add to a couple of points to what Rich and Jeff said, two or three key aspects that I can think of. One is when we say professionalization of fraud, there are multiple threat factors that we can see. There's collusion that we can see that's happening. There's first party fraud vectors that we can see it's happening and these things happen generally where parties are acting together and these are definitely increasing. There's also other element related to synthetic ID getting involved and that percolates into new account frauds, for example. These things are not happening in silos. There is definitely a way where it is being fully very well orchestrated in my opinion. There are multiple threat factors like this, but these are some examples you can see.
Holly Sraeel (05:49):
The thing that I noticed in covering this business and this issue of fraud for the past 20 years in recent times, let's talk about fraud as a service economy. It's immense. The problems, Jeff hit it,
Jeff Scott (06:05):
It's a hundred billion dollars market cap, right? These are real businesses. They recruit highly paid specialized folks. They have teams of teams across the globe. This isn't Neo in The Matrix with a hoodie trying to scam you out of money anymore. These are people that go to work in office buildings and the data is for sale on the dark web, and to Sridhar's point, it's information that we can about Jeff, information about roar that then somebody is purchasing and putting together as a synthetic ID. Whenever there's a data breach, they'll sit on that information for a couple of years until they have the complete package. They buy and sell that on the dark web. There's marketplaces for all of these things, and so it's big business and you can make a lot of money doing it.
Holly Sraeel (06:58):
Rich.
Richard Vitale (06:59):
Yeah, these are not amateurs. These people know accounting, banking, finance. They understand computers and cyber and to Jeff's point, they're not restricted by regulations. So they can take these elements and there is no one thing. You can go on the dark web and you can choose your shopping swim lane. Do I want a synthetic ID? Do I want check? Do I want credit card information? Do I want wire account takeover capabilities? And you can shop the aisle of your choice and purchase whatever you want. And I think we've seen recently too, the price just continues to come down. You can buy batches and batches of different pieces of data, whether they be identities, check data, credit card information. You can buy this in batch. It absolutely is fraud as a service. And there are different vendors out there. Jeff tracks them constantly. Sridhar sees this continuously too. You can decide or you can become loyal to a brand. I think they can have brand loyalty to fraud.
Sridhar Kotamraju (08:10):
If I can add a point there. There's also, I would agree it's being operated. We have seen fraud rings operate about a decade ago, so it's nothing new. What we can see also is the vectors related to fraud rings getting using SEO optimizations and that leads to phishing attacks. That leads to sites where fraudsters sell malware as a service where you can configure the malware so that it actually activates to a specific site and it doesn't need to activate at all, at all URLs or all sites. So you can technically sell those things and we know that these things do exist in the dark web, so it's pretty sophisticated, very well organized, and banks have to play catch up.
Holly Sraeel (08:55):
The irony of all of this to me from where I sit is the impact of AI and automation on both sides for the fraudsters and for financial institutions, and technology companies are working in concert with FIs to combat it. So let's talk about how revolutionary that has been for those committing the crime and how banks are responding.
Sridhar Kotamraju (09:20):
Sure. I can go first. I would say a couple of things, right? So the adoption of AI, well, it is still in the early stages in my opinion, but there's a lot of use cases that can be taken advantage. For example, you can have an MCP server and you can also have an agent AI framework. The way I look at it is optimization of workflows is one area for frauds, which, Rich, is more I think in your area that can deal with. The other one is the ability to focus more at the channel level using agents, using AI. Wherein today in traditional systems, we see that it is more of a rules driven ecosystem from a risk model scoring and fraud detection and so on and so forth. And it takes time for data events to be consumed and then processed. Whereas I think if they flip the switch towards the AI, you can configure the agents in such a way that actually they actually can sniff the channel sitting in the channel, look at the events, and then can take action. Of course, it has to be policy driven. So those are some examples that I can think of.
Jeff Scott (10:29):
Yeah, I think for me, the way that fraudsters have used AI is to create context aware attacks. And so I think so much about fighting fraud now and three years from now and five years from now will be about context, it will be about behavioral signals, it will be about the ingestion of those signals and fraudsters use that to their advantage. So they're consuming signals, they're consuming behavioral pieces of information. So example, I left a conference a couple of weeks ago and I got a LinkedIn message from somebody that said, Hey, Jeff missed you at the show and we didn't get to talk about that white paper. I've attached it here. And it was definitely a spoofing attempt with that link. And so they knew I was at the show
Holly Sraeel (11:19):
And
Jeff Scott (11:20):
They found me on LinkedIn and it was a very context aware attack. So then you sort of imagine where this all could be going. I think we heard what Sam Altman said from OpenAI a couple of weeks ago about just the potential coming onslaught of AI generated fraud attempts with deep fakes voice recognition. It's like I tell my parents, stop saying your name on your voicemail because all those calls that you're getting, they want you to pick up and say, hi, this is Jeff, so that they have the sound of your voice so that they can use that to sound like you, and there's all sorts of attacks and scams that they can perpetrate with that. So for me, what AI has done for the fraud as a service business is created a ton of context,
Richard Vitale (12:07):
No doubt about it. It's that acceleration, right? I've even witnessed the acceleration six months ago, I think I participated in the conference where there was a question about AI, and my answer was AI from my lens, the operational lens of a functional fraud team every single day running the conveyor belt of a financial institution's fraud investigations, AI, I was always hearing about what AI was going to do and what AI one day will do, not what can AI do or what has it done. And in six months that has evolved just so far, right? I've had to warn family members about everybody gets the fraud calls and the scam calls, and so many people treat it as sport, especially some of our older relatives, and to tell them they've moved that down, they can now conduct a voice, an authentic voice fake off of three seconds of your voice. They first went to 30 and now you can't say your name. If you say hello and your name, they've got enough of a voice print. That's a phenomenal move forward and we're hemmed in. We just can't, what Sridhar was talking about. We can't pivot fast enough. We can't adjust the models, we can't make the changes. The AI is going to help us there. Right now the fraudsters have us. They can move at light speed, we can't. But I believe as the AI gets faster and better, it's going to get faster and better, faster and better, and we eventually will catch up and turn the table.
Holly Sraeel (13:49):
It's a perfect lead into my next question. What are the biggest misconceptions about modern fraud within traditional banking leadership teams? I know you guys have good answers for this,
Sridhar Kotamraju (14:02):
You want to take that?
Richard Vitale (14:03):
You want to take?
Sridhar Kotamraju (14:08):
What I could think of is one or two key elements that I've seen. The first one is in terms of where do we want to focus more? Is that the aspect of preventative controls more when we scale an application launch or extend a product or a service, or do we want to accept, do we want to strike the balance between go to market and then risk accept certain challenges in the upfront while we figure out a way to handle the detection process? In my view, I think the two key aspects is one, when we make these decisions at the product level or the detection level, it's going to take enormously long time to respond to a threat once it emerges. And banks have generally been more focused on detection, and I think eventually this will lead into a resolution spike, which will be unsustainable. So I think one recommendation or something that I would focus on is more to look into the upfront enablement or upfront onboarding processes and get that intel or telemetry data and then focus less on resolution. Because if the more we focus on preventative and detection, the less we need to focus on the resolution. That's what I would recommend. That's the key decision point in my opinion.
Jeff Scott (15:32):
I'll take a little different spin on the question. I had an opportunity to sit with the board and an executive team at one of our customers talking about what they were up against and fraud. And I think one of the misconceptions that folks have right now is that it doesn't have to just be doom and gloom. It doesn't have to just be the answer is to shut everything off. I know we were joking earlier about we could just stop transactions and that would sort of solve the problem. And we were joking with this financial institution where we were trying to sort of talk to them about additional tools that they could bring to bear for their customers to help with fraud mitigation. And their fraud numbers were high. And over the course of a couple months, they came down and we're like, wow, how'd you do that? And they're like, well, we just shut everything off. It was like the conversation was around friction. It was how do we introduce the right speed bumps? And what we said was, what if we could flip that conversation and what if we could have such sophisticated signals and such good risk scoring that we could allow you to do more things for your customers versus
Holly Sraeel (16:41):
Shutting off?
Jeff Scott (16:41):
Correct. And so we sort of see fraud into the future. We've got to fix what we're up against right now, and there's this confluence of things that have happened. We've got to fight fire with fire. I think we're catching up to the fraudsters, but then it can be a growth lever. And so how do you have a modern fraud stack that gives you the dynamic tools that allows you to say, this is a good customer. We want them to be able to do all the things that we want them to do in the digital experience and more.
Holly Sraeel (17:09):
And it'll be increasingly important as customers that are younger or complete digital natives and demand that
Jeff Scott (17:16):
Correct. You can't have, I mean, it's the old adage. You don't want to catch a good customer in a bad fraud trap, but the Gen Z generation is used to, they're growing up with digital native tools. Some of them are going to grow up with AI native and they're going to expect that there's modern sophisticated fraud mitigation tools available versus every time I log in, I just get stepped up to the OTP code.
Richard Vitale (17:42):
And that's the challenge that for us daily operationally, we feel like we're continuously tuning the radio. You have to remember fraud teams. We can never win an Oscar for a leading actor. The only thing we can ever aspire to be is win best supporting role. Much like the joke or the comment that I had actually made about, I was once asked, Hey Rich, how do we just stop all fraud? Can you do it? Oh yeah, I can do it. How do you do that? No transactions, no debits, no credits. There will be no fraud. And I said it to be preposterous, right? Because we must have speed to market. We are running a business. The business must always be the leading actor. We can only serve in a supporting role and where we're tuning those dials, we're waiting for the confluence of the three areas that the three of us represent to figure out how to capture that modern customer.
(18:40):
Certainly the younger customer will not tolerate high friction fraud controls, but we can't lose our shirt while trying to run the business either and trying to find that balance. And I think that the computing power in the AI will eventually become the thing that will turn the corner for us. But in the meantime, there is this daily ebb and flow or this seesaw of it feels like dial it up, dial it down, dial it up. Well, now friction feels too much. Our customers just dial it down. Fraud losses go up. And so what is it that you hear from the tone above? I think a whole lot of that, and it is completely and totally understandable, and I think for so many in the fraud space, we have to remind ourselves. Sometimes I have to tell my team, Hey, hey, remember we're only seeing the 2% of the bad people in the world. 98% of our customers and Sridhar's customers and the banks you interact with, everybody's fine. Nobody's ripping each other off. There's no fraud occurring. When you live in this space of negativity, you occasionally have to, I'll call it rebalance or recenter to remember what it is that you're trying to fight for and what is it that you're fighting against.
Holly Sraeel (19:57):
Okay, so now this is going to be a tricky question. You only get one answer. On a scale of one to 10, 10 being the best, top 50 banks are banks keeping pace with the sophistication of adversaries, top 50 banks, scale one to 10, 10 being the best.
Sridhar Kotamraju (20:18):
I'm going to go. I would say four. I was going to say five. I was going to say three or four.
Holly Sraeel (20:24):
Okay. Now let's talk about the rest of the banking universe. What score would you give them? Everybody below the top 50?
Sridhar Kotamraju (20:32):
Oh, rest of the, I would say three. I'd stay with five. Okay.
Richard Vitale (20:37):
Well that's an interesting perspective we're going to talk about that would guess slower. I would think it would go down to
Jeff Scott (20:42):
Two or three. So from our perspective, so we have 1300 customers that represent a huge swath of the financial institutions in the United States. What we see, and Sridhar and I were talking about this, what we see is that via a shared intelligence layer across those financial institutions, the fact that in some of those tech stacks for those financial institutions, they're not as siloed as some others because it's a smaller financial institution or it's a mid-size financial institution and they've got less source systems, they actually have an advantage.
Holly Sraeel (21:21):
It's a good point. Yeah, that's a good
Jeff Scott (21:23):
Point. We can get their data into a shared intelligence layer that they can build models and tools on top of, and then we can share that data across and get metadata. So if there's a mule ring in North Carolina and we know this account is attached to a mule ring, we can surface that at a bank in Texas. And so we think that it's an even playing field from that regard. Now, I think the question becomes how much can you invest in AI? How much can you invest in the tools? But we believe that the investment that you need to make in that infrastructure has to be right sized for ROI, right? The amount of fraud that you're seeing can't get to a place where the cost of a transaction to fight fraud is so high that nobody can stomach it. So a JP Morgan is going to balance that.
(22:17):
A Valley National is going to be able to balance that. And we think that AI and that tech infrastructure is a great equalizer, and that's always sort of been Q2's belief and why the company was founded was to create equity across financial institutions by allowing them to compete digitally. That was the founder's vision when he came up with this in the late nineties and early two thousands. And he was right about that. And so we think that a fraud intelligence platform that can be shared across those 1300 financial institutions gives a mid-size financial institution just an amazing opportunity. But I mean we're also working with some of the largest financial institutions in the country as well. Sort of the same. We sort of see the same problem when we show up at the front door. They're like, we have all these source systems, we have data trapped in all of these places. Jeff is in all of these source systems. We need to get that identity into one spot so that we can consume signals about is this really Jeff navigating in the digital session and can we get that signal to our interdiction layers? And so we see that it can be sort of equitable across that.
Holly Sraeel (23:21):
And Rich, I was surprised. Rich was surprised.
Richard Vitale (23:24):
Yeah, but I think what you're saying is that so while the top 50 have the capital to invest, they're smaller size while they're limited in the capital, their smaller size is giving them an agility, an ability to pivot. And this game is all about speed right now. And so the agility is more of an advantage than the gold bars that Sridhar and I are sitting on to invest, right? So
Holly Sraeel (23:51):
I see a headline tomorrow, small banks crushing it in Fraud matters up against the big guys. I five, I still said five. Okay. Alright, so let's move on. How can banks better leverage behavioral analytics and network intelligence to detect emerging fraud patterns? This is key.
Sridhar Kotamraju (24:09):
Absolutely. So I can go. So if you look at the fraud patterns, it's oftentimes there are disparate events that we see across multiple channels, right? Let's start with perimeter controls. You have the perimeter controls and there's a bunch of tools out there which is more cyber related as the user comes into the channel and starts to log in and then perform some activity. Those events are handled separately and evaluated separately by the fraud systems. So I would say convergence of these two layers, whether it is identity related, transaction related, login related, even traffic related, like a bot activity. If you're able to tie those events in a time series and then look at in the context that Jeff was mentioning, I think there's a lot of value right there and there's a lot of opportunity that FIs can take advantage of in this particular area because today a lot of such domains are being handled independently and there's a great opportunity to combine the data in my opinion and take advantage of,
Jeff Scott (25:13):
Yeah, I sort of think about it, identity is who, the transaction is what, and the thing that we've all been trying to get to and we've been missing is the behavioral, which is how am I navigating through this session? Is this really me holding my phone in my dominant hand, walking at a gait that's normal for Jeff inside this digital session? And can we know that in 27 seconds because that's all the time you have before a bad actor can log into the system and do something we don't want them to do, change PI, generate a transaction. And so am I using my mouse in a natural way? Am I on screens inside the digital channel in a temporal nature that's normal for me? Or does this clearly speak to account takeover because somebody's clunky and going in a weird way that they normally wouldn't do because they don't know the system.
(26:04):
And so you've got to have that behavioral context and in order to get that, you have to have a sophisticated set of signals. So we were talking before about network security perimeter, cybersecurity tools have become so sophisticated and there's really rich information in those headers. So can we consume that data into a modern orchestration layer within seconds such that then that orchestration layer can produce the risk score and say this is a good guy or a bad guy and then interdict inside the workflows. But without behavioral, you really only have the login model, which is this a geolocation that we recognize and is this IP address good, which is all great, but doesn't help with account takeover. And then from there, all we would have is at the time of transaction to say, does this endpoint look normal for this business to be sending this ACH transaction? And it's just way too late. And
Richard Vitale (26:58):
I'm a fan of the behavioral components. That's a target rich environment for data points to capture. And they're virtually, they're business friendly, they're frictionless, the customer just behaves the way the customer behaves. Our younger generation that wants to do everything on a phone and wants to have everything done in three seconds, well, in those three seconds, there are so many data points that we can capture there that can tip that scale to the, is this good and there's nothing to be concerned about here or is that bad? And it's occurring at literally light speed and with no perceived friction. I think one of the challenges
Jeff Scott (27:40):
We were discussing and we've been discussing with some of our customers over the last six months as the fraud tech ecosystem sort of has matured over the last 18 months. We sort of see what we're dealing with with AI fraudsters is all of those components that are required signals orchestration layer, the interdiction layer. How do we make that affordable for each of the transactions and not overpay for the signal because you could have a hundred percent coverage on really amazing signals, but it would be more than the cost of the transaction or half the cost of the transaction. And so the key I think over the next 18 months is going to be what is the right amount of signal and how do we make that affordable? Just think about all the API calls that could happen in milliseconds for every single login. You just can't sustain that. And so while we've got great signal, we have to choose the right signal, the right ROI for each financial institution based on the threat vectors that they're up against.
Holly Sraeel (28:41):
Okay, let's move along. We got a lot of stuff to plow through. What's the best way to integrate first party data, device data and external threat intelligence into a unified view? We start with you, Rich.
Richard Vitale (28:54):
I was going to kick that one to Jeff, his wheel, but how am I going to do that? I'm going to call Jeff. We get back to the office and say, Hey Jeff, how are we going to work this out? Give me the seamless piece for it. Okay.
Jeff Scott (29:07):
Yeah, I mean I think it really takes a modern tech stack that is a shared intelligence layer that would be able to consume those pieces and be able to be orchestrated, which sounds hard. And I think 18 months ago it was really hard and that's where we needed all of these pieces and parts in order to pull that off. I really believe that with agentic AI, modern MCP servers with an agentic ecosystem, instead of us saying, look, we've got to have all this data in one spot, like the old data lake problem that we all have where it's all siloed, now we'll be able to say, okay, for the investigation that your team wants to do, what are the key data elements we need to know about who this is? So the identity, what they're doing, the transaction and how they move through the system, the behavioral, and can that agent go find those pieces of information along that shared intelligence layer such that they can surface them and allow you to do something with it in an organized way? So I think you've got to have sort of all those pieces like your application sitting on top, a modern orchestration infrastructure and then that shared data layer, how you'll be able to build agents that can go help you across all those applications and move investigations along faster without you having to go research them, et cetera.
Sridhar Kotamraju (30:29):
I'd like to add a point or two please. What I also noticed is it'll be great if we can connect the dots right from the point of onboarding a user, look at their attributes, and then oftentimes I see that when we onboard a user to the applications that data system and system resides elsewhere, and then when they come back have their digital footprint established for the first time that data rec resides elsewhere. If we can tie those, then we have a reasonable degree to identify who the actual user is, make sure we have the right verification processes and apply the right level of authentication. Of course, all these would require a great deal of orchestration, Jeff, that you alluded to, but I think those are valuable inputs to understand the telemetry that is associated with a given user, in my opinion.
Holly Sraeel (31:17):
Okay, so this is a crucial point. I want to talk about the role that shared intelligence consortium data cross bank collaboration will play in fighting organized fraud going forward. I would imagine it's going to be greater.
Jeff Scott (31:31):
Yeah, I can take that one. So I think what we're talking about is signals, right? We're talking about if there's a mule ring in a part of the country, we need to know about it in another part of the country. The only way you're going to get there is through data collaboration and sharing. I think we have a regulatory hurdle there with just how the privacy of consumer data is constructed and Gramm-Leach-Bliley and all the sort of regulatory frameworks that exist, and we're going to have to advance those in order to be able to take advantage of some of these AI tools. So I think there is some regulatory hurdles we'll have to overcome, but we believe that you can share metadata across in such a way that that would be a publishable signal. So Valley National could sit on top of a shared intelligence platform such as Q2 and have a base of their fraud data that you could build models on top of, or just think about applications that help you fight fraud. So maybe it's a transaction monitoring application, it's a dispute management application. Today, the data for each of those applications and each of those point solutions lives within itself. And so in the future we can say, alright, a transaction that was disputed here should now be a signal into Valley National's shared intelligence layer that can be consumed again by the transaction monitoring. Then you take that and you multiply it across 1300 financial institutions, you should be able to say, Jeff is part of a mule ring. We can surface that in another part.
Richard Vitale (33:07):
So to Sridhar's point, only if we capture the correct points at onboarding and our KYC is correct, but the consortium data, I think that that's the brass ring. That's where we need to get, but we have multiple obstacles to getting there and if we don't solve for that, we're not going to win or we're going to greatly delay the time to run.
Holly Sraeel (33:35):
What are the obstacles?
Richard Vitale (33:36):
Well, the regulatory obstacles are there for sure that how we, we've got to come up with either a way to get the regulations augmented so that they allow us to work together for the purposes of good or we need to come up with a way to make the information or the signal become so generic that it's not, there can be a way to take those different data points, maybe make them generic enough that Sridhar and I can both see 'em at an operational level and no regulation has been violated. We're going to need cooperation though from others. We need cooperation from telecom cooperation, from law enforcement, buy-ins, from other parties and entities in the marketplace. We're going to have to agree to shift somehow to shift from our America as a privacy. We take a lot of pride and joy in privacy in America. And the question is going to be how do we right size that without sliding down some slippery slope? How do we get it just right? But to bring all of those elements together, that's where the win is. The question is how do we do it? And the sequencing, we were talking about it before we sat down, knowing what element, what Lego block gets put down first, which one has to be third if we can get the sequencing right, because we also have to keep the cost down.
Jeff Scott (35:03):
Yeah, we've been talking to a lot of the consortiums around the country about how we collaborate on those things. I'm optimistic about how we can do so, but that'll be key and I think we're closer than ever to be able to leverage those signals.
Holly Sraeel (35:16):
Do you agree, Sridhar?
Sridhar Kotamraju (35:18):
Yeah. Actually this is one area where I would strongly increase. I think there's much more needed to be done where there should be a framework where identified fraud information can be shared securely and in the digital age. I'd like to carefully use the word anonymous, but there's no such concept. And then I think if we can figure out a framework where we actually look at the signals and not about where the signals originate or to whom the signals are associated with and share that information, that's one way. And then there's also this concept around scams that we keep seeing on the rise on the net. If a scam is identified at one particular place, there should be a much easier way for that particular threat vector to be disseminated to the entire ecosystem so that they can put up effective controls. I think these are some examples where we can do a better job as an industry to come together and share signals.
Jeff Scott (36:19):
And we do it in other industries when it's for the sake of security, right? It's like you do it with TSA, like everyone expects information to be shared to find bad actors, and so we should be able to do it, do it here.
Holly Sraeel (36:32):
Okay, so moving along, staying in this theme, can you guys share what you think a multi-layered fraud defense looks like in 2026 and beyond across identity, transactions and behavior?
Sridhar Kotamraju (36:47):
Yeah, I can take that. So I think it starts with identity in my opinion. If there's various concepts, of course there are pretty good standards out there in terms of the level of identity, the level of authentication assurances out there. NIST is pretty standard publications around that. And then if we get to the identity triad where we know who the individual is, who the entity is, and then we have a good way of continuous verification that we enable, that's the first layer of control I would think of. The second is related to the login and then the right level of authentication that we apply. There's also pretty good technologies out there, which is there's three levels of authentication that can be deployed. For most part, the banks have been, or a lot of FIs or a lot of institutions have been relying on OTPs, and we all know that they're on the deprecated track, but we still rely on OTPs and it's a monumental task in some places to move to a level two or level three authentication.
(37:49):
So that's the second layer of defense. The third is behavior, which we just talked about. I think it's super important. We all trying to understand the behavior aspect of it, which is if we understand our client's customer's behavior well then it's probably relatively easy to understand the anomaly in terms of a fraudster in the session and that associated activity. So a layered structure like this, in my opinion would be pretty valuable. But again, all these would take a very, very good orchestration layer that can tie these disparate signals or events and then make what I'd like to call is interdiction that. Jeff, you mentioned possible, right?
Jeff Scott (38:30):
Yeah. I think the way I'm starting to look at it is you've got to, to Sridhar's point, you got to have signals. So the who and the how and the what, and then you have to have the ability to interdict real time. So those signals need to be ingested into something that then can interdict real time. And so the question is can you get those signals into an interdiction layer inside the workflows in a fast enough fashion to be able to pull the trigger or put the gate up? And so the question is if you're thinking about it from a tech stack standpoint, is what signals do you need to ingest? And then what is your ability to interdict using those signals and how sophisticated of orchestration layer do you need or not? And so some of the things that we've been talking about with customers and partners is the market will sort of prove that out over the next couple of years. Do you need that orchestration piece to be super robust or can you consume 80% of the signal you need directly into your workflows such that you can put the gate up and how do you simplify it?
Holly Sraeel (39:38):
Okay, next question. Moving along on the risk orchestration platform theme, how can risk orchestration platforms help unify, excuse me, fraud, compliance and trust decisions in a bank enterprise?
Richard Vitale (39:56):
Fraud, compliance and trust? Well, I almost feel like we get a little bit circular, right? Well, if we put those layers in place and then we add in the transactional component and then we have the ability through the consortium data to know both ends, both the debit side and the credit side of that transaction, we can avoid or interdict or stop. I mean, compliance can be thrilled because we're not going to have really very many issues. We're going to identify it before it even occurs and be able to step in and halt the transaction from occurring. And that's going to work for first party fraud. It's going to work for third party fraud, it's going to protect people from scams. It's a beautiful harmonious garden if we can get there.
Jeff Scott (40:50):
In that sense, an orchestration hub is exactly that, right? It's a hub and then you've got spokes. So you've got signals that come in from the digital channel. You might have signals coming in from AML and you might have signals going out to those teams. And so if you've got one spot where you're looking at, okay, how do I want to have a fraud journey orchestrated from ingesting that signal, ingesting the AML signal, ingesting the onboarding signal, and then what am I going to do with it? How's it going to get scored? How's it going to interdict inside the platform that gives you one central place that all these teams can go to and say, okay, now we have an event, we have a fraud investigation and we need one single source of truth. And so that's where I think those orchestration hubs can become really valuable because it's a single pane of glass for the organization. It's not just the technology of being able to ingest signal in a fast fashion. It's how can you have a single pane of glass for each of those organizations because right now it's a clunky handoff.
Richard Vitale (41:52):
And then once we're connected, now we're no longer, Sridhar's team isn't working in a vacuum or a silo, and I'm doing the same work on the other side of town and we're starting from square. We're all able to see that we can build off of each other's work and we suddenly can make an exponential leap forward in the effectiveness of all fraud team.
Holly Sraeel (42:14):
Alright, stay right there. What does a modern fraud operations team look like now? How are the skill sets evolving?
Richard Vitale (42:22):
Oh, the tech tech is up. Absolutely have to understand. And we were having this conversation before, right? All three of us that required level of tech skill keeps climbing and climbing and climbing, but you have to balance it against, you have to have some traditional skills. So just an ability to sniff out a fraud, an understanding of the discipline of conducting an investigation. I think. So every day we come to work, we live in that 2%, that 2% that is the chaos and the tumult of customers being victimized, customers being scammed, the bank being attacked by a first party fraud. And there's all this chaos evolving and you have to be able to look at it and define, make order out of the chaos and develop a standardized process to be able to address it. Otherwise you'll constantly be jumping, it'll be whack-a-mole all day long. You won't get any wins, you won't move the ball forward. And so I think that it's a blend of the tech yet the ability to work in crisis and then collaborate.
Holly Sraeel (43:35):
Yeah. Sridhar, what about you? How do you see it?
Sridhar Kotamraju (43:38):
I would say it really depends in, we have to have a strategy related to where we see spikes in the type of fraud threats and then focus. Of course we all do that, but I think the point I'm trying to get to is all of these strategies based on the threat factors have the effect of either you're preventing something or you couldn't prevent something, and therefore now you have to resolve, which basically reserves into an alert or an outsource volume spike. And it really comes down to how wide you're casting the net and then from in the area and why you're deciding where to cast the net and how much you actually caught the fraud within that. And so the level of automation that a lot of institutions have been trying, there's still significant opportunities in that space when it comes to out sorts and how we apply the dispositions around that.
(44:27):
So that is one area. And then the second thing is I think Rich and I were talking earlier, and Jeff as well, we have to figure out a good operating model in general related to operational resources in terms of responding to the investigations where it says the detection strategies and there's always a delicate balance because there's risk versus where do you want to apply more rigor versus where do you want to not apply a straight posture because it might be deemed as a friction to the clients in their activity. So that's always a challenge. I would say that is one area I consistently see that there's a lot of opportunity and maybe you have a different opinion.
Jeff Scott (45:11):
I mean you guys know best, right? All I was going to say is you can't throw bodies at this. And so you've got,
Holly Sraeel (45:17):
Tell me more.
Jeff Scott (45:19):
At the speed with which where we opened with fraudsters using AI, they've got these modern tools. They don't have bureaucracy, they don't have organizational structures that they have to worry about. They don't have jurisdictions that they have to care about. They're just going to use the best of breed tools, the speed with which that's ramping up. You can't just have more people go investigate and more people available in fraud operations or in investigations to be able to go do those things. So you've got to fight fire with fire, with automated tools, with AI, with this modern stack. I think it also, going back to sort of the orchestration and bringing these different parts of financial institutions organization together to have one sort of common set of KPIs.
Holly Sraeel (46:02):
It's
Jeff Scott (46:03):
Like, what are we trying to do? It's not a zero sum game, unfortunately. There'll be some level of loss. And then how are we handling customer experience? How are we handling the impact? How are we getting the business, what they want? And all those things have to come together with a shared understanding of what policies and friction do we want to add to the front end, and then how are we going to deal with it on the back end so that your CX and your customer experience is what you want it to be, and the experience inside the digital channel is fulfilling the mission that you sort of set out to go fulfill in the first place.
Holly Sraeel (46:40):
Okay. Do you guys think current budget allocations, are they aligned yet with the scale of professionalized fraud threats?
Richard Vitale (46:50):
I say no. No. I say no. I think we're unanimous in that.
Sridhar Kotamraju (46:54):
Yeah, I say P
Richard Vitale (46:54):
Morgan,
Sridhar Kotamraju (46:56):
There's always scope to invest more in this particular area, given that we have consistently seen spike in fraud losses across in the industry. We have also seen a spike in threat vectors like fraudsters, like Jeff was mentioning, and Rich, becoming very sophisticated. They're using latest and greatest tools to AI and that they don't have to deal with regulations and so therefore more needs to be invested in this space. Absolutely.
Jeff Scott (47:26):
I was just going to add that I say no, and partly out of empathy, we don't know yet what that right sort of investment needs to be because there's so many tools emerging. There's so many ways we could attack this. And like I said, we can't go over rotate on what we're spending on API calls to get signal for the threat vectors that we're trying to guard against. And so I think the market over the next 18 to 24 months, we'll probably smooth that out and we'll sort of figure out what's the right level of investment to go do so for boards and ELTs and folks making these budget decisions, it's super, super tough right now to solve that. It's
Richard Vitale (48:03):
Going to spike and then it'll come back down. And while we can't just throw bodies at it, we can't just throw tech at it. What everybody's going to wrestle with is where is the balance? There's got to be some human, there has to be a human element involved in it. Some human has to decide what those data points and computers are saying and then what is the next step? I think you're both absolutely right. I think we're going to see that the spending is going to increase, it's going to increase both on both the human side people process technology. It's going to go up, probably go too far on a cost per transaction basis. And then I think the market will level some of that back out and we'll start to get it right.
Holly Sraeel (48:52):
Okay, two more questions. Sridhar, I'm going to hit you first. Looking ahead, what will the next wave of professionalized fraud look like and how should banks prepare?
Sridhar Kotamraju (49:04):
I would definitely think AI will lead a new wave of attacks. I don't think a lot of entities are prepared properly to deal with deep fakes. There's a lot of reliance today on biometrics, and while it is deemed as a strong level of authentication, there are ways to circumvent those. There are clear publications that are out there or guidances in terms of how to increase the level of authentication. So that's one area. And then the second is the social engineering is definitely on an uptake, so we have to look into that aspect as well. Account takeovers as an example. In general, we see a spike happening across the industry. So those are some of the three key areas that I can think of. And the last thing from add, one more thing is digital identity. There's a lot of synthetic ID out there, and if we can authenticate somebody, but we don't know whom we are really authenticating, we need to know whom we are authenticating. In order to do that, you need to first understand who the end user is from an identity perspective. So those are some of the challenges. Yeah,
Jeff Scott (50:13):
I mean for me, I think the thing I'm the most worried about is agentic commerce and what are the tools that we will have to have in place in order to deal with that. I'm also thinking about new payment vectors, whether it's stablecoin or it's open banking, but I tend to think that the way that we're going to probably deal with those threat vectors is what we're talking about here with signal, with orchestration, the 27 seconds that you have in order to deal with a bad actor and sort of identify the risk. But agentic commerce is the place that I think I'm probably the most worried about.
Richard Vitale (50:52):
The speed's going to increase, the value's going to increase, and it's going to make it more difficult for us too. And then as the speed and the value increase and the AI and the agentic and everything else moves up, we're going to see more exploitation of the weakest link, Sridhar, the human in the equation, the social engineering with the goal of account takeover.
Jeff Scott (51:12):
Well, I think with agentic too, this is your sweet spot. It's going to come back to who is this person and is this their agent? And can we fingerprint that agent to know that that agent is allowed to make this transaction on behalf of Sridhar, and it's going to come back to identity.
Holly Sraeel (51:28):
Okay, final question. If you could fix one thing about the current fraud defense ecosystem tomorrow, what would it be?
Sridhar Kotamraju (51:37):
I would say strong authentication and identity.
Holly Sraeel (51:39):
Okay. Jeff?
Sridhar Kotamraju (51:42):
Checks.
Jeff Scott (51:43):
Checks. Okay. Still the single largest threat vector. True.
Holly Sraeel (51:47):
Totally.
Jeff Scott (51:48):
All the, we're talking about here with
Holly Sraeel (51:50):
Digital
Jeff Scott (51:50):
Modern digital tools, it's like we're still dealing with, this is the empathy we have for our customers and for y'all. It's like at the same time, we're dealing with new and emerging threat vectors. You're dealing with the old,
Richard Vitale (52:00):
Okay, Rich check fraud is still king. Absolutely positively, no doubt, but one thing, one silver bullet data sharing consumer YU data gathered and share, because I can hit a bite out of check fraud with that, I can take a bite out of synthetic ID. I can hit every single one of those transaction channels if we're all able to openly communicate rapidly.
Jeff Scott (52:26):
Well said.
Holly Sraeel (52:27):
Well, that's it for today. I'd like to thank Sridhar, Jeff and Rich for joining us. I'm Holly Sraeel, and we'll see you soon on another Leader's Live.



