What's up, Fraud Fighters? Welcome back to Fraud Forward. I will first address the elephant in the room. Yes, I am not in my normal podcast studio, am I? No, this week I am in Austin, Texas with Marketing Team with Sardine. So we are just having a great week of strategizing and having great conversations for what's to come. Very exciting time there. But obviously, it's still important to bring you an episode. So I'm very excited to have this conversation alone with myself in a room I'm not familiar with. But glad you guys are here. So thank you so much for showing up. Okay, over the last few months, I've probably said the words agentic payments more than any other topic. You know, talk about them in conferences. I've spoken about them on webinars. I've debated them with some of the smartest people in payments and compliance. And I recently had the opportunity to sit down with Matt Vega during an ACAMS webinar alongside Mary Ann Miller to discuss what agentic commerce means for fraud investigations and SAR reporting. Then I had one of my all-time favorite conversations ever on Fraud Forward with Matt Janiga from Modern Treasury. We started talking about, you know, the payment infrastructure, but somehow ended up talking about where payment or fraud operations are headed over the next decade. And here's what I've realized from that, right? Most conversations about agentic payments, I think, are asking the wrong questions. You know, everyone wants to know, will AI be moving the money? I think the more important question is, how do fraud teams investigate transactions when software starts making decisions? Because that's the world that we're headed towards. And frankly, I don't think we're as far away from that as many people believe. So for decades, we built fraud programs around one very simple assumption that a human initiates the payment. You know, someone logged in, someone clicked submit, someone approved the wire, someone entered the the routing number.
You know, everything from fraud monitoring to dispute investigations to SAR reporting starts from that assumption. Even our investigations reflected, right? We reconstruct what the customer did, what device they used, where they logged in from, whether they authenticated, whether they changed information beforehand. But agentic commerce challenges that entire investigative model. Because now the customer may not be the one clicking anything. Instead, they've authorized software to act on their behalf, which is a completely different world. So one thing that Matt Vega emphasized during our webinar was something, I think, that gets confused all the time. And it's that automation isn't new. So we've had those reoccurring ACH payments. Autopay, schedule of wires, payroll, you know, the standing instructions. Those aren't agentic. Those are automated. The customer made the decision once. The system repeats it. Agentic systems are different. So they're making decisions. They are comparing prices, negotiating purchases, choosing the merchants, determining timing, moving funds based on goals instead of fixed instructions. That's a massive shift. Because now the software isn't just executing instructions. It's exercising judgment. So the investigation changes. And again, this is the part that fascinates me. Today, if I investigate fraud, I'm asking who logged in? Who clicked the button? Was the customer manipulated? Was the device compromised? Tomorrow, though, my investigation looks different. Now I'm asking who authorized the agent? What permissions did it have? What information was available when it made that decision? Did it stay within its authority? Has its behavior changed? Notice anything? Like, did something change, right? I'm no longer just investigating a customer. I'm investigating the customer and the software acting on their behalf. That's a completely different investigative framework. And one concern, though, that I hear constantly is, so who's responsible? Honestly, identity doesn't disappear. The customer still owns the account. The customer still granted authority. But attribution gets much harder. Marry Ann Miller framed this perfectly during our webinar when she said that, you know, the challenge isn't proving who owns the account. It's reconstructing the decision path. That's why auditability becomes incredibly important. Investigators may soon need, you know, agent logs, permission history, decision history, data endpoints, input, excuse me, authority changes. Think about it. You know, today's investigators rely heavily on that transaction history. But tomorrow's investigations may rely just as much on software history. [Ad Break (5:03): Finally, I'm so happy to share with you all that the Saturday Fraud Strategist is now a podcast. What? Yeah. On top of my weekly newsletter, you could now listen to and watch me talk about my, and hopefully your, favorite topic, fraud strategy. And from time to time, I'll be hosting operators and founders to discuss where the industry is headed and what we, fraud fighters, should pay attention to. I must say, I'm super excited. And if I'm being honest, a bit nervous about all of this. I've been debating with myself whether to start a podcast for ages, but kept putting it off. But now, this teaser is out, so I guess there's no turning back. So, if you want to join me for the ride, head over to Sardinia's website and subscribe now. Are you ready? Am I ready? We'll find out next Saturday.]
One of my favorite parts of the ACAM's discussion was talking about SARS. You know, current SAR guidance assumes human actors. So, what happens when software becomes part of the story? I don't necessarily think that we, you know, need brand new SAR forms, but I do think that the narratives will evolve. So, imagine writing a SAR that includes an AI agent initiated payment activity, authority granted, scope of permissions, decision path, human review performed, evidence reviewed, known limitations. There's a much richer story there for law enforcement. And honestly, it becomes, you know, it may become necessary because another question emerges then is, who's the suspect? Who's the customer, the fraudster, the person that's manipulating the customer? Or did the agent simply operate exactly as instructed? Those aren't theoretical questions anymore. They are operational questions. So, I will say, though, that Matt Janiga changed the way I think about this. When he came on to Fraud Forward, we actually weren't planning to spend much time talking about AI. We, you know, we started talking about payment infrastructure, modern treasury, APIs, cloud-native banking. Then he said something that I just truly, I can't stop thinking about.
He reminded me that, you know, Dodd-Frank was written in a world of fax machines, corded telephones and human-staffed call centers. Think about that. You know, our regulatory frameworks, our investigative assumptions, our operational playbooks were built for an entirely different payments ecosystem. Today, money moves instantly. Infrastructure lives in the cloud. Fraud happens in milliseconds. And increasingly, software participates in financial decisions. The infrastructure changed. Now investigations have to also. There's one thing that I appreciated hearing from both Matt Vega and Matt Janiga, the two Matts, and it's that regulators aren't asking, how do we stop innovation? Increasingly, you know, they're asking, how do we enable it safely? Which is encouraging because fraud teams shouldn't wait for that perfect guidance. We already know what good governance looks like. You know, it's documentation, it's explainability, audit trails, authority, management, monitoring. Those principles don't change, right? Only the technology does. So, for those of you that are taking away anything from this or would want to know, like, where to start, I'd begin with three questions. Who authorized the action? What authority was granted? And did the activity remain within those boundaries? Those three questions will matter, whether you're filing a SAR, investigating fraud, answering an examiner, or simply just trying to understand what happened. I honestly think that those three questions become the foundation of fraud investigations over the next decade. So, in closing, right, for this short episode, solo episode, where I just kind of reiterate what I've learned over the last couple of weeks with agentic payments, is that agentic payments aren't replacing, you know, the fraud investigators and how we do things. They're changing what fraud investigators investigate. It's a very important distinction. The customer relationships still exist. Identity still matters. Fraudsters aren't disappearing, but the story behind every transaction is becoming more complex. And institutions that prepare now by, you know, improving documentation, thinking about attribution, and building those stronger audit trails, these are going to be the ones that are in a much better position than the ones waiting for regulators to hand them a playbook of, show me how to do it. And, you know, that's because if there's one thing that we've learned throughout the history of payments, innovation always arrives before the rulebook. Our job isn't to predict every answer. It's to start asking better questions. So, that's it in a nutshell for this week and my thoughts on that. I really just, I felt like it was an important conversation that if I was a newbie fraud person and you started talking to me about agentic payments, I would look at you and say, that's not going to happen anytime soon. But it is. We need to be ready for it and we need to make sure that our institutions are as well. So, that's my food for thought. I am again, sorry for my boring background. Don't worry, we'll get back to our regularly scheduled episodes, right, where I'm in the office. And actually, next week I will be at the ACFE Boston. So, if you're hearing this on Wednesday, come find me and love to have a conversation with you, love to get a picture, love to, you know, just have a nice chit-chat. Excited for that opportunity again for my first ever time at the ACFE Global Conference. I've attended virtually before but never in person. So, this is a real treat for me. Super, super thankful for starting, for setting this up. So, that's it for today. Thanks for joining me for another riveting episode of Fraud Forward. Oh, and please, if you love me, why don't you hit that subscribe button, like the video, do all the things on YouTube that all the podcasters normally say that I'm supposed to say. So, hit that subscribe button because you want to and you want to support me and the show and the efforts. So, anyways, stay vigilant, stay informed, keep moving Fraud Forward. Thanks for listening to Fraud Forward.
Remember, every conversation, every connection and every insight moves our industry one step closer to stronger fraud defenses. If today's episode sparked an idea, share it with your team or tag me on LinkedIn. I love hearing how you're moving Fraud Forward in your own organization. Until next time, stay curious, stay resilient, keep moving Fraud Forward.