FRAUDFORWARD

KYC Isn’t Broken — We Just Keep Asking It to Do the Wrong Job

47 min

Know your customer (KYC) was never designed to be fraud control, yet fraud programs across the industry treat it like one. In this episode of Fraud Forward, host Hailey Windham sits down with Steve Lenderman, Head of Fraud Prevention at iSolve, for a necessary conversation about what KYC actually does, what it can't do, and why that distinction matters more than ever.

Steve and Hailey challenge the assumption that passing KYC means an identity is safe to trust. They explore why every fraud eventually passes KYC, how synthetic identities exploit static verification, and what AI has revealed about the limitations of one-time checks. From the gap between identity existence and identity ownership to the behavioral signals that matter after onboarding, this episode reframes KYC as a starting point, not a solution.

The highlights:

  1. Why every fraud eventually passes KYC
  2. The gap between identity existence and identity ownership
  3. Behavioral signals that matter after onboarding
  4. Why AI didn't break KYC; it just exposed what was already broken

Guest lineup:

  1. Steve Lenderman: Head of Fraud Prevention at iSolve
  2. Hailey Windham: Host of Fraud Forward and Community Banking Lead at Sardine

Episode transcript

Hailey Windham
00:01
What's up fraud fighters and welcome back to Fraud Forward. Today's episode is going to challenge a belief that sits quietly at the center of a lot of fraud programs and doesn't get questioned nearly enough. KYC. Because somewhere along the way we started treating KYC like a fraud control. And it's not. That doesn't mean KYC is useless. Doesn't mean we should abandon it. And it definitely doesn't mean compliance teams got it wrong. But it does mean we've been asking KYC to do a job it was never designed to do. Passing KYC tells us an identity exists. It does not tell us the person using it owns it. And it definitely doesn't tell us how that identity will be used over time. That distinction matters, especially in a world of synthetic identities, AI enabled fraud, and slow burn abuse that doesn't show up on day one. If you've ever felt like KYC was being blamed for things it was never meant to catch, this episode is for you. And I want to pause here for a second because this is a conversation and a duo I've been waiting to share with you. Today's guest is someone who tells it like it is. No hedging, no buzzwords, no vendor safe framing, just real talk grounded in experience. Steve Lenderman is the head of fraud prevention at iSolve and he's one of those voices you need to know because he offers a perspective you can trust and one you should respect. Steve recently put it perfectly in a conversation with me. He said, there's a reason for KYC. We can't abandon it. It's not a fraud control. It's an entry level risk environment.
Steve Lenderman
01:02
Thank you.
Hailey Windham
01:28
That statement alone reframes the entire conversation. So today we're going to talk about what KYC was built to do, where it gets misused, why AI and synthetic identity are exposing the cracks, and what fraud teams should actually be focused on after onboarding. This is not a burn it down episode, although we might want it to be, but what it is is a reset. So Steve, welcome to Fraud Forward, and I am so glad that you're finally here.
Steve Lenderman
01:48
Thank you.
Steve Lenderman
01:56
I've been looking forward to this one for a while now. I appreciate the introduction. I think you're right. If you know who I am, it is pretty much straight out of the mouth. Sometimes good, sometimes bad, but you get what you get. I hope that's refreshing for people, because all too often I think people are guarded sometimes. We need to understand to fight this battle of fraud we just need to be honest with each other. And sometimes that's the hardest part. Let's get into it and have some fun.
Hailey Windham
02:27
I love it. So before we do get into the weeds, I'd love to just first ask how you ended up thinking this way about KYC.
Steve Lenderman
02:36
It probably began maybe about eight to 10 years ago. Started building out fraud shops in the fintech space and some smaller organizations and getting this notion from leadership and product teams that we have a robust KYC program, which does our fraud for us. And I was like, maybe it's not a fraud tool. Maybe it's a box checking exercise to be brutally honest. KYC, along with some of the AML stuff. And so this is the belief that a lot of organizations started thinking that KYC was their first line of defense. And I just think that's philosophically wrong. People were relying on that. And I started looking at this scenario and it finally got to the point with a leader of mine. And I just said, you do realize that every fraud that takes place passes KYC. So therefore it is not a fraud control. It is actually a terrible concept to use as a fraud control because of that simple concept. Everything that we have fraud on eventually at some point has to pass KYC or you're not doing KYC at all, which is another problem that you might have. But that's where we got to this philosophical concept. It's KYC and that's all it is. It's not a fraud control for sure.
Hailey Windham
04:13
Love that and appreciate that. It is one of those things that they're like, if we can stop them from getting in the door. True. If you could stop them from getting in the door, but KYC is not that answer and not the way that we use it. I think that it's important to start by grounding this conversation. A lot of the confusion around KYC comes from what we expect it to do versus what it was actually built for. So you've established that KYC is not a fraud control because every fraud eventually passed KYC. But I'd love to just start at the beginning. What problem was KYC originally designed to solve?
Steve Lenderman
04:55
It's know your customer. We set that stage for anybody who may not know it. And then the second version is KYB, know your business, the commercial side, very similar concepts. But KYC was designed in theory in response to the terror financing after September 11th attacks. It was designed to have banks and organizations understand who their customer was. Collecting essentially a name, date of birth, government identifiers. And that essentially was the concept that now we actually know who our customer is because before you could open an account anywhere, any place, any time, Big Bird, Mickey Mouse names, it didn't matter. And now there's a standard regulation that says you have to know your customer. Again, as you mentioned earlier, it doesn't mean the customer that you're provided is actually, first of all, real, as in synthetic. Second, is the person who's submitting it actually the person submitting it? And that causes a fundamental problem for us where we're using it as that fraud control, when the reality is, it is still important to do that. I don't want to feel like we're saying you shouldn't do it, it's not important. I look at KYC, it gives me the leverage as a fraud fighter to collect the data that I need to actually do a fraud review. Without KYC, we don't collect those identifiers, name, date of birth, socials, which we all use to begin our investigations. To begin our review or due diligence. So it is important to have that KYC requirement to capture that data. But you have to go beyond just saying, that's a name. Okay, that's a date of birth. That's a real social. That's all we're doing with it in the KYC perspective. It needs to go beyond that to truly look deeper into the data itself, not just relying on the data at face value.
Hailey Windham
06:57
I think that's such an important point. Whenever we're thinking, and I kind of framed a question like this that I feel like you've answered all my questions for this segment already, but explaining the purpose of KYC to stakeholders who assume verified equals safe. And that's exactly what you're talking about is that we can say this is a real social.
Hailey Windham
07:22
It does belong to this person, but is this person the one that's actually conducting the transaction or participating? Is this the actual person that's standing in front of me? We mentioned that on the first podcast with Karen and when we talk about fraud predictions, but I could walk in with an ID that says Karen Boyer and have her address and my picture on it. The staff's going to think, this is Karen Boyer. But I'm not. But it was verified. But that's not the safe thing to do. So it's looking at it's truly knowing your customer. We can say this is your first attempt or whatever. And we're trying to verify that this person is who they say they are. But you're right. It goes beyond that. How else can we identify? And I guess the question is, why is it so risky for fraud teams to rely too heavily on KYC outcomes versus the holistic understanding of what's going on?
Steve Lenderman
08:24
If you're running a fraud shop and you are relying on KYC as your first line of defense in theory, then that's inherently a foundational problem. Again, it should be used as a method to gather the data to do the fraud review. You've heard of these expressions, KYC Lite sometimes, where organizations will do, I would say the regulatory minimum to pass KYC. Other organizations will do a much heavier KYC, which probably dabbles more into actual fraud controls, fraud prevention. And then what we're starting to see a little bit more now is perpetual KYC, which is essentially enhanced due diligence where you're doing these checks all the time. All too often teams make another foundational mistake where assuming that KYC is a fraud tool. And then second, it's the set it and forget it concept, where we ran KYC when he onboarded two years ago and we don't do anything after that until something happens. And then we have a problem and we become reactionary again. A lot of times if you look at the KYC foundation and use it with a little more diligence, you can continually look and monitor your customer or your business and start to look for risk patterns that might happen. And so you become predictive versus reactive. So those things help you from that angle. Fraud shops just need to understand to take the KYC portion of it, ingest it into some of your tools. And that's why I love, not a shameless plug here, but there are several product platforms out there that do this, where the KYC is embedded in some of the fraud stuff and the fraud tools are embedded in some of the KYC. If they're segmented, in my opinion, that's a problem because you're not going to catch anything on either side of the house. So it's just important that we make sure we look at KYC with a fraud lens and not just a box checking exercise. And unfortunately, we all know product teams and marketing teams want to just say, we did our due diligence. We did a KYC. They passed. Okay. 
But let's just put this nicely. There are a lot of bad people out there who are going to pass KYC who have bad intentions to commit fraud or other things. So we just need to be very careful how much trust we put in KYC.
Hailey Windham
10:57
We can definitely all appreciate that perspective. And you said something that really sticks with me and it's one that we grounded this whole episode on. And it's that passing KYC doesn't mean the person using the identity owns it. So we're talking about identity to ownership and why risk starts after KYC. If KYC is just the entry point, then the real work clearly has to happen after onboarding. So we know what KYC confirms is the identity of the person that information all matches. And then we're talking about ownership, ownership of who actually does that belong to, which is why I love the decentralized idea of identity and where you truly could own it, which Becky Reed and I talked about in one of my first ever episodes on banking on fraudology. But that's another conversation for another day. But for the purpose of this conversation, why is the gap between identity existence and identity ownership where so much fraud lives today?
Steve Lenderman
12:04
The reality is, again, most of regulations, including KYC, are outdated. It's the concept that we have identifiers, again, name, date of birth, social, things of that nature, are, let's be honest, static. They shouldn't change, and they've become our identity. But the reality is, in today's environment, your identity is not those identifiers. Your identity is other things like these magic things we call phones, but they're not phones. They're basically computers. But your digital footprint essentially now is your identity to most organizations. The way we behave, behavioral, is also becoming part of our identity. There are things that we do uniquely as individuals that identify us. We all have certain patterns that we do things. It's how you log in in the morning. It's your steps of things. It's how you work on or manage this device or your laptops. Those are now what identity is. And that is a huge shift from a date of birth, a social. Because those things can all be stolen and used. Again, every identity theft is going to pass KYC because the identity information is all the same. It's the other identifiers that are different that we're not checking. And then we mentioned earlier, like synthetics, that's a whole other crazy topic we can jump into a little later. But again, I've created three synthetic identities I manage and they all pass KYC because I created the data. I created it and I pushed it into the systems and the systems now believe it's real. And now you're running my synthetic through a KYC and it's gonna validate even though it doesn't exist. There's nothing there, it's a digital ghost. So it's this reliance on data that I think has shifted and how we have to look at that data as an identity now versus some of the static pieces that we always looked at in the past. Huge shift, we have to get there. And I think a lot of orgs are trying to make that transition there. 
But unfortunately, there are a lot of tier twos and tier threes, whether they're banking and insurance, telcos, or even government. State and local governments are so far behind with this stuff. And it just opens the doors, like you said, for all the bad guys to do things. The company is doing well with fraud prevention or just unfortunately redirecting the fraud to lower hanging fruit. It's just much easier to go somewhere else. We'll do it there.
Hailey Windham
14:37
I truly love the idea or the response of KYC can only tell us who could be behind the account, which is that static data you talked about. And then what tells us who actually is behind the account is that behavior. And it's funny, I love real world examples, so I'll give you this one. But it's like whenever I'm driving my kids to school or something and a text message comes in and I get my 14 year old to text for me. She texts with her little abbreviations and she doesn't spell words all the way out. Like if you get a text message from me and it's the letters OK and it's not OKAY, I didn't text that, she did. So that's like a behavior thing that obviously, we're not talking about text messaging, but it's just a behavior form of being able to tell who's actually behind the text message. So if you get any abbreviations, guys, just know it's not me, it's somebody else.
Steve Lenderman
15:19
Yeah.
Hailey Windham
15:33
I don't know if they've taken over my phone or if it's my 14 year old, but one or the other. So I love that idea. And the same thing with understanding the behavior of if they use an iPhone or an Android or if they normally log in between the hours of seven and nine PM and now they're logging in at two and three AM, like that's a different behavior. And those are things that we can use and signals that we can try to understand in regards to behavior. So I do want to ask, what are the most important behavioral or contextual signals fraud teams should be watching after onboarding?
Steve Lenderman
16:09
It goes back to this perpetual KYC, monitoring the identity for changes. And in order to identify the behavior of the true individual, you have to look at it from start to current time. And so you have to understand what does Hailey's, what is Hailey's morning routine with her laptop or her phone? What is Steve's routine? Like I said, we all have creatures of habit. And it's hard to break those habits and the bad guys can mimic a lot of things but mimicking our habits is just not the same thing. And so there's things from a behavioral perspective like how I open my login pages, how much time I spend on login pages, am I using a password manager? Am I using two screens, one screen? Am I using a laptop? These are things that are there that show that it could be me, is Steve. Or if I'm on my phone in the morning, like, let's be honest, we all wake up, the first thing you do is look at your phone, that's what happens. So I'm holding my phone a certain way every morning at a particular time because that's when the alarm goes off and that's what I do. Or in the evening. So it's looking at that view of the customer. There's a fine line of some privacy issues people talk about here and there. Keeping in mind, like, we're not able to see what's on the phone. It's just how the phone behaves essentially or how you behave on that phone are important indicators that I think fraud shops have to start to look at. We're getting away from that and getting away from the rules, these type stuff, the static rules around static identifiers. With, it wouldn't be a podcast or presentation without the words AI and Karen Boyer, shout out there as well. But now with the ability to ingest large amounts of data at scale and with ease, we now can look at behavioral data over the course of time, which we just couldn't do in the past. We can now look at logs. Now we're ingesting Cloudflare logs. We're ingesting time on pages from a marketing app. 
All the stuff we couldn't ingest before because we didn't have the energy or the bandwidth now can come in. And now we know what this identity looks like, how they behave across the entire ecosystem and get, I call it the 360 view of the customer. In a fraud space, we only get the risk view of the customer, but there's so much more to the customer journey than just what they might do bad. There's so much more that we don't incorporate and we can do that now. Again, building the identity of the customer that makes much more sense. And not just fraud prevention. It can be used for scam prevention as well. In a scammer, I'm being scammed, everything about my identifiers is me, but my behavior changes because I'm being stressed in a different way. So it's not just fraud, it can be used for scams as well.
Hailey Windham
19:09
I love that and I love that it's like trying to truly understand holistically who this person is that's conducting the transaction, looking outside of your four walls.
Hailey Windham
19:22
Okay, so this is where things really start to break down, especially with synthetic identity fraud, where everything looks legitimate on the surface. And while AI gets blamed for breaking KYC, I'm not convinced that's what actually happened. And Steve, you've talked about synthetic identities. I love following what you're doing in that space. But I wanna ask, in your opinion, why are synthetic identities so effective at passing traditional KYC in the first place?
Steve Lenderman
19:50
That extra data, that's all they are. In the past, again, dating myself and looking at green screens and looking at names and addresses and phone numbers and socials, those are just pieces of data that again became our identity. So once we take a physical identity and make it into a data identity, which is what happens at almost every organization, especially the financial sector, with big tier one banks or credit cards, for example, you never meet your customer, it's just somebody on a screen. And so that concept opened our doors to synthetics because I can create an individual or even a business and, synthetic identity or synthetic entity, easily with the data sources and because KYC is just checking a data source against data, against a data source, I can manipulate that data relatively easy. Most of our KYC tools that are out there are pulling data from different aggregators. And they're getting things together and they're looking at that data and trying to build those relationships and say, hey, this is Steve or Hailey because we've seen this email address, we've seen this phone, we've seen this address, we've seen this date of birth. But I can mix and match that data as well. I can create Frankenstein synthetics using bits and pieces of real information, creating completely new synthetics, relatively easy to do now because it takes some work to do that. My first two synthetics took me several months if not years to create and build into where they are now. I have a third synthetic which is a child who's now almost 17. That'll be fun. They'll mature into the financial sector from that perspective. We'll of course go to the best virtual college possible. But I was playing around using some of the LLM tools that are available. Not the good ones, the bad ones. And building an identity now that is relatively functional is six minutes or less. And I'm an old dude. I'm not that creative as you can tell. Like it was hard for me to even think of like a synthetic name. 
Now I just literally go into these LLMs and I can just say, create me a synthetic identity with this type of name, demographic, this age group, this geographic area, this profession. And it creates almost all of it for me instantly. And then I can use it where I want to. And so it's almost too easy now to do it and once I have that identity, then I can use again tools to disseminate that information into the aggregators. So it's creating the Google accounts, it's creating Amazon accounts, it's creating LinkedIn profiles, all these things that we as humans do to build our identity. It's getting more complicated around this, again, not very technical savvy, but I can now, I have now used the LLMs to create bots that just allow me to have my synthetics essentially post on LinkedIn, post on Facebook, like things. They do things like we do as humans. That's the behavioral concept there. And so it's been interesting to see how you can take this data of synthetics, create these things, get them out into the wild and then let them mature from that perspective. A lot of synthetics now are not going after the big tier one banks. There's a lot of other areas to get into. A lot of FinTechs are a plethora of playground for synthetics. Your world, the credit unions, like brutally honest, have no idea what they're doing, like zero. And it scares me when they wanna get into new markets. Credit unions were based around a business or an organization or something, and now we see them moving into new markets. And I'm like, you should not go to Southern California. You are a Credit Union in South Carolina, stay there. Because you have no idea what you're doing and you're going to rely on KYC to vet your customers in an area that you have no idea what's going on and you are going to lose your assets. So put it nicely. Again, relying on KYC, we can tie it all back to that concept. They think it's a fraud control and it's not. So that will pass all day, every day.
Hailey Windham
24:01
Yeah.
Hailey Windham
24:09
Which is the reason for fraud forward. We're gonna bring this conversation to light and hopefully the credit unions, regional banks will understand that this is a problem that needs to be addressed now and not one that you can keep passing off. So I do think that we can get there to the point where we know what we're doing, but I do think that there is a knowledge gap right now. It's not with every credit union, it's not with every regional bank, but it is definitely there and it is something that I'm hoping that conversations like these will help to again push that conversation forward. So I appreciate you calling that out. But it also brings up another point that I wanted to ask and it is, did AI create a new problem here or did it simply accelerate weaknesses that already existed?
Steve Lenderman
24:54
I'm going to give a pretty simple answer. It simply lowered the barrier of entry and made it easier. The frauds that we're seeing are nothing new. It's the same frauds for the last millennium, to put it nicely. It's just now that it's been turbocharged by technology. And that technology is AI. Five years ago, or 10 years ago, the technology changed. You're making checks with better laser printers. So just technology always moves in. And AI is gonna be the next technology that moves things dramatically to the right. The speed is insane. Like I said, I'm using AI to build bots to manage my synthetics. I can't do that. I am not that smart. Like not even close to do that. And that's what scares me. Again, it took me a while to build synthetics and I only built them for research purposes, because that's the space that I worked in. I'm like, if I'm gonna fight synthetics, I gotta understand how they work. I don't have to understand how they work now. I just go create one in six minutes on one of the bad LLMs and then I can go use it. It's almost like unfair. Like at least you have to work a little bit to commit fraud. Now you don't have to work much at all because it makes it so easy to do. AI is definitely not creating new ones. It's just accelerating and making the barrier of entry much lower to do.
Hailey Windham
26:19
True, very true. So I have a two part question, because I think when I asked the one, it's a sub question. My question is, why does one time verification struggle in an AI enabled fraud environment? But then the second part of that is, what does AI reveal about the limitations of static controls?
Steve Lenderman
26:41
Okay, very formatted question there. So one time verification again is reliant on the data. And now that I can again create that data and do it now at scale and at speed, the one time isn't enough. We see that it's not. And going back again to this scale and ability, creating synthetics took work and time to do. And now I can not just create one in six minutes. I can create hundreds if not thousands. That's what we're seeing now. We're seeing synthetics en masse that are being created and used in these spaces. And so that one time, okay, you cleared the hurdle. Now we're gonna let this go to what they wanna do. And that's the worst thing for synthetics because once they sit into an organization and they mature, the more they sit in the organization, the more they look real. And so the one time validation is absolutely critical to actually have because once you're in the door, you are now actually part of the problem. You are now authenticating them as legitimate. And I can talk about it from like a payroll space. And that's what we're learning now. If you add a synthetic to a fake business and then you run a payroll, what are most organizations asked for when they ask for loans? Show us a pay stub. Well, here's a legitimate pay stub. It's a legitimate document, but all the data on the document is garbage. And again, so that's the one-time validation. It's a pay stub, yep, checkbox. Doesn't work. You've got to look deeper into that. I think I answered the first part of your question around the one time that it just doesn't work. Can you reprise the second question again for me?
Hailey Windham
28:31
Yeah, of course. No problem. So the question was, what does AI reveal about the limitations of our static controls?
Steve Lenderman
28:40
It basically tells us that it doesn't work. It can't keep up. I think as we all know, as the speed of fraud has moved and the scale of the fraud has moved too, we need to move that needle as well. I think I did another podcast at some point and whether it's quoted or not is funny or not. I think as fraud practitioners, fraud prevention practitioners, I think we are playing checkers and the bad guys are playing chess. Very one move at a time. Maybe if you're good, you can do a double jump. But with chess, it's calculated moves, three or four moves in advance. Very rarely are organizations thinking like that. It's, we have a problem, fire off a control, the control solves the problem. Where the bad guys already said, okay, we know you're gonna put a control in. So we already know where the next step is gonna be, because we've already mapped out your entire process with AI and bots. And so a lot of organizations are always looking at their perimeter defenses, Cloudflare, Shape, whatever you're using to see if your controls are being tested. You're looking at, hey, we did a good job. We blocked all these accounts. Okay. That's great. But there's a reason that they were blocked. And then the bad guys know, you blocked it here. Okay. Let's try here. They constantly change their data and figure out where to get to. So AI is absolutely doing that for sure. And we have to keep up with that. We can't keep playing checkers. We're just not going to win.
Hailey Windham
30:17
So, question, did you ever watch Harry Potter?
Steve Lenderman
30:21
I have not. I feel like I'm the only person in the world who has not watched it. I'm just not into that one. I'm sorry. I watch war documentaries. I'm old, what do you expect?
Hailey Windham
30:27
It's cutting me down.
Hailey Windham
30:32
Okay, so anyways, you won't get this reference, but other people will. And I'm going to New York next week to watch it on Broadway. So that's why it's top of mind. But I was going to say instead of the bad guys playing chess, they're playing wizard chess, which is really violent. Like the knights come to life and they spear the other pawns or whatever. So I'm thinking the fraudsters are actually playing wizard chess. It feels like it's just a violent attack against these organizations because we are taking such a big loss. So, but you don't get the reference, but just know other people will. Okay, so one of the biggest challenges with KYC isn't technical at all. That's what I'm understanding. It's organizational. This isn't about abandoning KYC. We've said that multiple times, but it is about putting it in the right place and making sure everyone in the organization understands what it can and can't do. And I think that goes back to our other point about are these regional smaller organizations ready? Do they understand it? So, my question to you, and a lot of times too, we have fraud fighters that get it, but maybe their executive team doesn't. So, my question is, how should fraud teams reframe KYC internally so it supports fraud prevention without creating that false confidence?
Steve Lenderman
31:51
It's funny you asked that question, because we are going through that exact same scenario here at iSolve. Again, we're a payroll company, human capital management, and we are regulated here and there, but we're not a bank. So in theory, KYC is not technically a requirement, but obviously, every organization out there is doing some version of it because no one wants to say they're not doing anything, because that would be bad. And so for me, it's trying to work with leadership and our marketing team and our sales team and product to make sure we're doing more than KYC Lite, because if we let them in the door again, we open Pandora's box to all kinds of other fun things that are out there. And so how do I frame this to leadership to drive the point that we need to capture certain pieces of information and it's more than just the bare minimum? So the best way that I've always learned this from a prior leader is to make them think it's their idea. And so I spun the KYC or I'm spinning the KYC into, hey, you could use this data that we're collecting for marketing. You can use this to sell them more products. So I'm trying to get them to think of it as more of a revenue generation or an enhancement for customer experience versus what everybody thinks when fraud comes to the table. It's like, oh, it's the no guy. Every time we ask a question, the answer is no. So I wanna make sure we come to the table with yes answers. And it's a little bit of a sleight of hand. But we wanna be at the point where if we collect this information, we are gonna reduce other things with this data. And they tend to have the buy-in from that perspective. Now, we are fighting a little bit of a, it's a classic child versus adult scenario. We do block accounts because they failed KYC, which means they really failed a fraud control. But I don't need to tell our sales teams everything like why it failed. But they're always asking the questions. Well, everything is legitimate. 
I'm like, nah, not really. Just tell them they don't qualify for our business. And it's a hard no. And that's one of the hardest things was communicating that back to the front lines because the sales teams want to sell. That's what they do inherently. And I'm taking money out of their pockets by blocking their accounts. And so it's important to get the KYC in this proper place. Before my arrival, when I say BS, before Steve, we were doing KYC very late in the onboarding process. It was because sales wanted to gather everything. And then very end of the process, like 90% there, we would run KYC and then we would tell the salesperson, sorry. All that work you did and all the time and energy that the organization spent is basically for nothing. So now we've moved KYC to the very beginning. It's at onboarding. It's the very first interaction. We are essentially approving an account for progress to move forward right away. So if it's not good, the salesperson doesn't even see it. We eliminated it from their queue altogether. Now we will apply a risk score. That's, again, around fraud controls and credit controls as well. And as that client moves through the journey and they get closer to money movement, which is for all of us the pain point, we apply more and more friction. And at some point I had to explain to our sales teams, like if we're applying this much friction this late in the game, do we really want this customer? And the answer is typically they say no, unless it's the end of quarter, and maybe it's a yes. And we can do some things there. But that's how we changed it, worked with leadership, made it a positive thing for them. We actually eliminate a lot of what we call no starts because no starts are bad. We are putting work in front of the sales teams that is actually closeable. That they can actually sell. And we're actually seeing sales numbers go up because they're more effective and efficient and actually closing stuff they can work on.
All because we put KYC, versions of KYC, much further left in the process versus at the very end of the process. So moral of the story is that it worked. And now I have the trust of those teams. And when we'd want to do additional things, the trust factor is there because I came with a yes versus a no.
Hailey Windham
36:26
So would you say you have a robust KYC program now?
Steve Lenderman
36:30
I would say we have a robust onboarding process. KYC is part of that process. It is a very small percentage to put it nicely, under 5%. I'm using KYC as leverage to gather the data I need to do actual vetting.
Hailey Windham
36:55
I think that's great. I love whenever we can turn a no man into a yes man and give scenarios where we are, and which is what the fraud fighters are supposed to be anyways. We're supposed to be the partners. We're supposed to be the ones that the other business unit owners can come to us and say, we're seeing a problem. We have a lot of fraud, we've got a lot of this going on that we just don't understand it. Can you help us understand it and help us decipher what needs to change or what parameters or adjustments need to be made so that we can be more successful? But oftentimes it does take that proactive fraud leader that goes, okay, let me try to identify exactly what this problem is in this particular area, then take it back and see what we can do to make it right. And I think truly what you've just shown is exactly how to do that. Take it, understand where the issue is, move a test or a parameter or KYC process to the beginning and then figure out how to get just good things in the queue. And so I think that that just speaks not only to you as a fraud fighter, but you as a leader in an organization for how you can strategically place the fraud controls as a positive. I think that's phenomenal.
Steve Lenderman
38:10
I appreciate it. It's not an easy task, but it is beneficial. It makes a big impact on things. Even in our world, we have new account fraud, essentially, where somebody opens a payroll account and they run payroll, blah, blah. And we end up finding out it's bad. And so the very first question of leadership is, did it pass KYC? And I'm like, now I have them asking, did it pass our fraud controls? Well, the answer is obviously it did at some point because we now have a problem. But most of these that we're seeing now, going back through old defaults, are, I would say, BS again, before Steve and before we changed the process. And now we're much further left than we were before. So, there is a line in the sand. Go to leadership like, hey, this is before, this is going to be after. And so far so good. Got to find something to knock on. But the new controls are working well and sales are up. And it's much more efficient. So, and there's no customer friction. That's the other beauty of it. And we were able to change KYC data collection into pre-filling some pieces of applications that people used to do before. Which as a client, I love that. Wait, all my information is already there. I don't have to enter all this stuff in. No, we already know what it is because you gave us a few pieces of data. We use other tools to pre-fill and the experience is better for the customer.
Hailey Windham
39:44
I think that you are somebody that I have, which I mentioned this in the beginning, it's obviously a voice that you want to listen to and is someone that you respect. I think that your perspective on this particular topic, which I'd love to have you back on any other time to talk about any other fraud topic obviously, but I love the confidence that you give with this topic. I love how you learned both sides of it so that you could have that holistic understanding to what's needed and what needs to change, especially in your organization, but also that you've shared that with others. So my final question for you is, obviously you are one that is confident in this subject. You are very well-spoken and you're somebody that anybody can have a conversation with. But there are those of us in the industry that maybe don't have the confidence to walk into a room full of executives and say, there's a problem and this is how we need to fix it. But if you could give advice or just a thought or something for a fraud leader to take away for them that if a fraud leader is listening, if they could change just one internal mindset about KYC, what should it be and how should they go about the conversation?
Steve Lenderman
41:06
First, thank you for all the compliments. I appreciate it. And obviously mutual respect as well for what you're doing. From my perspective, like it doesn't happen overnight. Listen, I've been doing this quite a while. You can tell probably the color of the hair. 26 years doing this and it does take some time. But the one thing I would always say is learn from other leaders, learn from other mentors. And I think I mentioned earlier, one of the tidbits I learned was, make them think it's their idea. And that usually helps get them there. But how do you get them there with that situation? And it does go back to some data. A lot of senior leaders are driven by data. Don't put a spreadsheet with 10,000 rows in front of them, because the old adage, your picture speaks a thousand words. So come and prepare with one or two slides around the data that visualize what your vision looks like and the data that supports that. I think if you go with that attitude there and some confidence, I think as fraud professionals, we're inherently pessimistic, just the way we are, we're always wired that way. And it's been very difficult for me to turn that switch over into being optimistic, especially around fraud leaders, around senior leaders, because they don't wanna come in and listen to me whine and complain. The answer is okay. I use the analogy STP. How did you solve the problem? Don't bring me the problem and bring me the solution. So those are the, I would think again, come with data in a visual perspective, come in positive and have a solution. I can't say KYC sucks. I mean, it does. What I'm going to say is we're going to enhance KYC because I can't call everybody's baby ugly. You just can't do that. Not too early in the relationship at least. So just to make sure those things are helpful, I think, in understanding that. And then once you have one success, that trust factor extends to builds.
And then I think from there, you're in a position to be successful because there is that relationship, there is that trust, and you can move with that quite rapidly.
Hailey Windham
43:25
100% agree. Steve, I'm so grateful that you came on and had the conversation. This was such an important conversation and honestly one I think a lot of fraud teams have been waiting to hear out loud because the takeaway isn't that KYC failed us, it's that we've been treating it as an entry requirement like a finish line. KYC tells us an identity can get through the door. Fraud happens when we stop paying attention once it does. And in a world where identities can be manufactured, aged, and activated over time, one-time verification will never be enough, no matter how sophisticated it looks. Fraud is behavioral, risk is contextual, and ownership isn't proven at onboarding. If this episode made you rethink how your organization talks about KYC, good! That discomfort usually means you're asking better questions. So Steve, again, thank you for bringing clarity instead of hype, nuance instead of noise, and for reminding us that good fraud programs don't rely on check boxes, they rely on judgment.
Steve Lenderman
44:25
It's been a pleasure as always.
Hailey Windham
44:28
Yep. And so for everyone listening, stay vigilant, stay informed and keep moving fraud forward.
Steve Lenderman
44:35
Thank you.
Host
Hailey Windham
Fraud Forward, Sardine

Guests

Steve Lenderman
Head of Fraud Prevention at iSolve