SardineCon SF/2026

Learn More
FRAUDFORWARD
#105

The Hidden Infrastructure Behind Modern Money Movement

70 min
Apple Podcasts
Apple Podcasts
YouTube
YouTube
Spotify
Spotify

What’s up fraud fighters, and welcome back to Fraud Forward:

Y’all, this episode is one of those conversations where I found myself taking notes while we were recording. Matt Janiga from Modern Treasury joined me to talk about hidden fraud infrastructure.

We talk all the time about faster payments, one API, better vendor tooling, AI agents, global money movement, and payment modernization. But underneath all of that is a much more complicated reality. There are payment rails, reversibility rules, KYC requirements, digital fingerprints, transaction monitoring decisions, consortium data, fraud operations workflows, and infrastructure choices that determine what fraud teams can actually see and stop.

And here is the thing: fraud does not live in silos, and neither does the infrastructure that moves money.

Matt has worked across regulation, fintech infrastructure, compliance, payments, and risk, with experience touching Dodd-Frank, Square, Stripe, Lithic, and now Modern Treasury. So this conversation gives us a really practical look at how the industry moved from the pre-vendor world, where teams were basically building fraud and compliance tools from scratch, into a world where specialized partners, orchestration layers, and agentic AI are changing what fraud teams can do.

For my credit union and community bank folks especially, this matters because you do not have to build everything alone anymore. A rising tide lifts all boats, and the more we understand the hidden fraud infrastructure behind modern payments, the better we can ask questions, pressure test controls, and protect the people we serve.

What you’ll hear in this episode:

  • How Dodd-Frank and post-crisis regulation helped shape the fintech ecosystem we know today
  • Why banks stepping away from certain customer needs opened the door for fintech growth
  • What the pre-vendor world looked like for fraud and compliance teams building tools from scratch
  • Why fraud vendor infrastructure, orchestration layers, and fraud consortium data changed the way teams manage risk
  • What fraud teams miss when they hear “one API” and assume payment infrastructure is simple
  • How payment rail reversibility, ACH fraud, Reg E fraud, and tokenized credentials create hidden operational risk
  • Why global USD accounts and global money movement require strong digital fingerprinting and risk-based controls
  • How agentic AI fraud tools may reshape investigations, fraud operations, and human review over the next five years
  • Why the “front door” is one of the most important places to invest when building a fraud program

You should listen to this episode if you:

  • Work in fraud operations, payments, fintech, banking, risk, or compliance
  • Want to better understand the hidden fraud infrastructure behind modern payments infrastructure
  • Are evaluating fraud tooling, fraud vendor infrastructure, or payment orchestration partners
  • Need a clearer view of payment rail reversibility, ACH reversibility, Reg E fraud, or global money movement risk
  • Are thinking about agentic AI fraud, AI fraud agents, digital fingerprinting, and where humans should remain in the loop

Episode notes:

Hidden fraud infrastructure is what makes modern payments work

Modern payments can look simple from the outside. A customer clicks a button. Money moves. A ledger updates. A company launches a financial product faster than it ever could have 15 years ago.

But underneath that experience is a whole lot of hidden fraud infrastructure.

In this episode, Matt Janiga walks us through what sits beneath modern payments infrastructure: money center banks, fintech banks, payment rails, reconciliation workflows, ledgers, orchestration layers, timing rules, and risk decisions. For fraud fighters, that matters because one clean customer action may involve multiple systems and partners behind the scenes.

Fraud does not just attack what we can see. Criminals look for the gaps between systems.

Teams need to understand the payment infrastructure underneath the transaction. One API may simplify the product build, but it does not remove the complexity of moving money safely. If we do not understand the infrastructure, we are going to miss where risk is actually entering the system.

Why the pre-vendor world changed fraud operations

I loved this part of the conversation because Matt described the pre-vendor world in a way that a lot of longtime fraud fighters will recognize.

Before modern fraud vendor infrastructure, teams were often building their own fraud and compliance tools from scratch. That meant internal engineering queues, clunky systems, on-prem servers, siloed data, manual workflows, and constant updates every time fraud patterns changed.

That sounds exhausting because it was.

Now, fraud teams can use specialized partners for KYC infrastructure, digital fingerprinting, fraud consortium data, case management, payment orchestration, transaction monitoring, and agentic AI support. That does not mean fraud gets easy. Let me just assure you, it does not. But it does mean smaller teams can start from a much stronger foundation than they could when every company had to build its own tooling alone.

How payment rail reversibility changes the risk model

Reversibility is one of those operational details that can make or break a fraud program.

Fraud teams cannot treat every payment rail like it works the same way. Card disputes, ACH reversibility, Reg E fraud, tokenized account numbers, virtual cards, and bank-to-bank returns all come with different rules. And those rules matter because criminals learn how to use them.

If someone committing fraud understands payment rail reversibility better than the company using that rail, the company is already behind.

Matt explains that ACH does not have the same adjudication model that card networks have. If the receiving institution says a payment needs to be reversed, the originating side may have limited options inside the rail itself. That creates risk for teams that are new to payments or that assume reversibility always works like card disputes.

For my banking folks, this is where the Reg E conversation gets real. Reversibility matters for consumer protection, but if the process does not also account for repeat abuse, disputed intent, tokenized credentials, and rail-specific rules, we create gaps criminals can exploit.

Why digital fingerprinting belongs at the front door

Matt makes a really important point near the end of the conversation: if he were building a fraud program today, he would invest first in the front door.

I 100% agree with that.

The front door is where the customer first enters the product. It is where the company sets expectations, collects information, presents terms, captures consent, and starts building the risk picture. From a fraud prevention standpoint, it is also one of the best places to collect the digital fingerprint that helps teams understand who is entering the system.

That does not mean creating friction just to create friction. It means designing onboarding carefully enough to collect the right signals without making the product painful.

Digital fingerprinting, KYC infrastructure, CIP compliance, device data, account data, behavioral signals, and transaction monitoring all help fraud teams build a stronger view before the transaction happens. And I want every fraud fighter listening to take this back to your team: if you wait until the transaction to think about fraud, you are already late. The front door matters.

Global money movement requires nuance, not broad-brush risk thinking

This episode also gets into global USD accounts and the misconception that international automatically means too risky.

Now, here is the thing. Some markets and use cases are higher risk. We are not pretending otherwise. But that does not mean every global money movement product should be treated the same way.

The work is in understanding the nuance.

Who is the customer? What is the use case? Which country is involved? Which rail is being used? What does the transaction behavior look like? What sanctions expectations apply? What KYC controls are in place? What fraud patterns are we monitoring for?

That is where fraud and compliance infrastructure have to work together. Strong global money movement requires CIP compliance, customer due diligence, enhanced due diligence where appropriate, sanctions controls, digital fingerprinting, transaction monitoring, and thresholds that let the company scale without pretending every customer or market carries the same risk.

The best programs do not ignore risk. They understand it well enough to manage it.

Agentic AI can help fraud teams scale, but humans still matter

Matt talks about agentic AI as one of the biggest capabilities fraud teams will need to evaluate over the next five years. And y’all, I think that is right.

Fraud teams are dealing with more volume, more payment rails, more markets, more complexity, and more sophisticated attacks. AI fraud agents can help with repeatable tasks, queue work, investigations, pattern detection, and surfacing issues human investigators might miss.

But this episode is also clear that AI agents do not fully replace people.

Fraud teams still need judgment. They need escalation. They need quality assurance. They need testing and sampling. They need people who can look for emerging patterns before the system fully understands what it is seeing.

AI can help clear the queue. But humans still need to understand the risk.

Key takeaways:

  • One API payments can hide major payment infrastructure complexity behind a simple customer experience
  • Fraud teams need visibility into payment rails, orchestration layers, reversibility rules, timing rules, and partner dependencies
  • The pre-vendor world forced teams to build fraud and compliance tools manually, which made scaling and adapting much harder
  • Modern fraud vendor infrastructure gives smaller teams access to stronger tooling, fraud consortium data, digital fingerprinting, and orchestration
  • Payment rail reversibility works differently across ACH, cards, virtual cards, tokenized credentials, and bank-to-bank returns
  • ACH fraud and Reg E fraud require different operational thinking than traditional card disputes
  • Digital fingerprinting should start at the front door, where teams can collect signals before fraud reaches the transaction stage
  • Global money movement needs risk-based controls, not blanket assumptions about international activity
  • Agentic AI can support investigations, queue work, and pattern detection, but human in the loop fraud controls still matter for judgment and escalation
  • Fraud teams do not need to become infrastructure engineers, but they do need enough understanding to ask better questions and find hidden risk earlier

Final takeaway:

If I had to boil this episode down, it is this: the future of fraud prevention will depend on how well teams understand the infrastructure underneath the transaction.

Not just the alert.
Not just the customer.
Not just the payment.
The infrastructure.

Because hidden fraud infrastructure is where a lot of the real risk lives. It lives in the rail rules, the reversibility model, the onboarding flow, the digital fingerprint, the vendor stack, the data silos, the global money movement design, and the human decisions around how much automation is safe.

So for fraud fighters, the challenge is not just to react faster. It is to understand the systems deeply enough to know where fraud can move next.

Stay vigilant, stay informed, and keep moving fraud forward.

Connect With Matt Janiga on LinkedIn: https://www.linkedin.com/in/mwjaniga/

Episode transcript
Hailey Windham
Hailey Windham
00:02
What is up, fraud fighters? Welcome back to Fraud Forward, where banking comes together to challenge assumptions, pressure test controls, and move fraud forward. That was such a good one. I, that's for the books. Okay, so for years, fraud teams operated in a world where there was still time to react. We, we kind of like that. You know, payments took days, reviews happened manually. And if you needed fraud controls, compliance tooling, or transaction monitoring, there was a good chance you were building it yourself. Today, though, money moves instantly. APIs connect everything, and companies can launch financial products in days, you know, rather than months. But with faster payments comes faster fraud, new compliance challenges, and a growing need for infrastructure that can scale alongside risk. Today's guest has had a front-row seat to that evolution. Matt Janiga from Modern Treasury has worked across some of the most influential companies in financial services and fintech, including roles touching the Dodd-Frank, Square, Stripe, and Lithic. And today he's helping build the next generation of money movement infrastructure at Modern Treasury. So in this episode, we're talking about what fraud teams don't see inside modern payments, the hidden complexity behind one API, and how the industry evolved from building everything in-house to leveraging specialized partners. So Matt, welcome to the show.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
01:31
Thank you for having me. I'm thrilled to be here. We're very happy Sardine customers, been a big fan of the company for a long time and, and excited to chat about all our topics today.
Hailey Windham
Hailey Windham
01:40
Me too. I will tell you, this was one that I, I didn't know you guys ahead of time. And then they were like, Hailey, I think you're probably going to want to talk to Matt. And of course, from that first conversation, I was like, you're exactly right. So I'm so excited to have you on. And you know, you, you've had a really unique career path that just spans regulation, compliance, and fintech infrastructure. So I want to start by, by looking backward before we look ahead. So you worked on Dodd-Frank early in your career. Looking back, what assumptions from that era no longer hold true today?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
02:20
Yeah, you know, I, I think that's a really good call-out. There's, there's two high-level things that I tell listeners to focus on or think about here. One, and this will sound crazy, but I realize now I'm getting old. So I can think of a pre-digital world, right? Corded phones and you know, even the, the tiny flip cell phones and things like that, right? And fax machines. Yes, yes, absolutely. And, and you had to think twice before texting because it took you longer.
Hailey Windham
Hailey Windham
02:40
Those are the best. You could hang up really quickly.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
02:49
Right, to type all those things out on that nine or ten-digit keypad.
Hailey Windham
Hailey Windham
02:50
And it costs you per text.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
02:49
Cost you per text. That's right. No, there was a lot there going on. You know, when you think back to it, that's the land that Dodd-Frank was created in. And, you know, the, the we talk a lot about the gerontocracy today, you know, in, in older legislators, et cetera, just as old back then. So you had people in their 70s, right, drafting, writing, voting on, approving legislation, thinking about technology like the fax machine and thinking about flip-style cell phones, corded landlines, and human-staffed call centers, right, that were probably onshore and things like that. Stuff that, you know, listeners may be listening to this today and saying, what are you talking about? That sounds like a different language. And it really was a different world. And the laws were kind of rooted around that. So one thing is, you know, I call out that people did not contemplate the technology we'd have today when they're writing Dodd-Frank. And there's a good and a bad to this. One, legislators took this very high-level approach to all the statutes and punted a lot to the regulators, which is why you're able to see now the CFTC go out and engage in things like events, prediction markets and contracts and futures hedging and things like that, which, by the way, just happens to look like sports betting, right? Or enables a similar product experience. Right. And they're able to do that because of the high-level rules of the road that were set by Congress. And Congress didn't give a lot of guardrails around that, right? So some regulators are able to take advantage of this and be technology forward. At the same point in time, as we've seen, right, as I think people would have complaints probably about Gary Gensler and some of the Biden administrators, because of the lack of those, like, anchor points for new technology, regulators have also been able to close doors or keep certain doors closed over time. So one interesting thing, right, is that technology wasn't contemplated well. I think we are due for refresh. We are seeing some of that now, right? Clarity Act, so many other great payments and fintech-related legislation that's sitting somewhere on Capitol Hill may or may not pass, right? The other thing that I'd call out is the regulatory posture temperature. So regulators have been very permissive leading up to Dodd-Frank. That created the great financial crisis. A lot of issues with that. A lot of people lost their homes, a lot of people lost jobs. I know I was one of them, right? I constantly talked about outrunning the layoff ferry was everywhere I went, the business wasn't stable and I had to either hop or, you know, try and find that next thing that was a little bit more stable kind of out there. And, you know, things now are certainly a lot better, right, than they were back then. But regulators were firefighting. And so that was the first thing that happened. And then after firefighting, they kind of went into punitive punishment mode. They were looking to make a point about things or pick fights with people or do enforcement. I think we've had a regulatory window shift since Dodd-Frank. And so, you know, today, you know, regulators will still do policymaking via enforcement, right? Sometimes they will shoot first and ask questions later. Happens at both the federal and the state level. It doesn't matter which political party's in charge or who is driving it, right? Somebody, somebody's going to be out to make a point somewhere. But the interesting thing is if you take a look, by and large, regulators, and I think this includes both the state and the federal level, are looking to be more collaborative. They're asking today, what can be, and how do we help safely enable it and bring, you know, the future to these new segments and areas, particularly financial services, versus asking what do we pick fights with. And the reason I want to hit on this for our listeners is because this will not always be the case. So, I like to talk about these types of things like a regulatory pendulum, and take advantage, enjoy this current framework and environment. It'll probably last the next few years. That would be my guess, or if my board were asking me these questions, right? This is what I would be telling them. But be prepared and think about what happens when that pendulum won't swing back exactly where it used to be. It'll probably swing in a new third direction, right? And be prepared for that change or that shift and what that may do for your business and certain business opportunities that you have. So I think those are probably the two biggest things to call out. One is the widely different technology set, because the laws were written for fax machines and corded landlines and all sorts of things that just don't exist today or aren't used, right? And the other thing is that regulatory pendulum shift because when Dodd-Frank went online, regulators had those powers. They used them differently than they're using them today. And in a few years, they're going to use them differently again. So key things for, for listeners out there to think about.
Hailey Windham
Hailey Windham
07:04
I truly love that perspective that, like, in the beginning, maybe they did underestimate just how quickly payments would evolve, but now they're saying, hey, we get it. We did kind of, you know, underestimate that, but we're asking now for, you know, give the insights. Where do you think it's going? And so that they can then prepare us for going forward. I think that's truly honestly the way that we should be operating anyways. But like you said, we're just going to enjoy it just for this short amount of time and then we're going to have our, our new guardrails. I do, I am curious though, do you think that, like, the Dodd-Frank indirectly helped create the fintech ecosystem that we know today?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
07:48
Yes, absolutely. And I think there's two main drivers of it. So one is the Durbin Amendment, which I know listeners have probably thought about and have heard about ad nauseam, right? So won't spend too much time on this here. But basically the idea of let's cap interchange at the largest banks then allowed smaller banks via partnerships to use fintechs as a marketing layer and, and the whole VC-fueled business of the business doesn't need to be profitable, right? You can think about marketing spend equaling your net retained revenue, right? And if you're spending a dollar and earning a long-term dollar, that's a good trade, right? So you had these businesses that could come in and think about building customer bases in a different way than the traditional industry. And I think that's why you saw the explosion in market share. And you see these large companies today in Cash App from Block and SoFi and Chime. And recognize some of those have become traditional banks, like Block owns an ILC. SoFi has a full bank charter. Chime has talked about exploring a charter in this current environment. You know, and that's not to touch on Venmo, Dave, MoneyLion, right? All these other properties that are out there, even the SMB ones like Novo, Mercury, you know, Brex, Brex owned by Capital One, you know, that are, that are there and, and allowed market share to kind of leave the banking system. And, and part of that really was related to, again, not just Durbin, but also banks, banks being, I'll, I'll say, pardon my language, a little pissy about Durbin. Like, I remember being inside of banking land, working for banks, being outside counsel to banks, and the bankers just being really angry about it. And the business response was, you know, we're going to shut down our rewards programs for checking accounts and debit cards. And I think, you know, the, the talking point was we can't afford them anymore. I don't actually believe that because you look at the revenue lines for these largest banks, they could afford it. They just wanted to keep their margins in a certain profile where everyone was lifting the ladder at the same time, so they did. Right. And they underestimated the Chimes and Cash Apps of the world, but no longer, right? Those, those properties, Cash App, SoFi, Venmo, et cetera, probably over 100 million American adult consumers now using those programs because of the rewards and the other benefits and technology that they offer. And it's something where the banks purposefully pulling out of that market to try and, quote, teach a lesson to regulators, right? We're going to punish consumers, so hopefully they punish you at the voting box. That, that did not work. And instead, right, competition was allowed to flourish in this space. And so Durbin was really, I think, really interesting. Also interesting a little bit about debit routing. Now, at the end of the day, right, Visa still maintains the lion's share. I think it's 70% of debit card volume runs over Visa or runs on Visa rails. But if you look at it, it did give merchants a choice. And merchants who want to do low-cost routing, the largest of them, you know, Walmart, Amazon, et cetera, have those opportunities. And it's been interesting as you saw, you know, those types of product sets pop up. They're not as prevalent anymore, they're harder to find, but they do exist and they're out there. I think the other interesting thing, which is a driver that people forget about or don't think about with, in addition to Durbin, is the capital rules and the tightening of the regulatory perimeter, right? This goes back to firefighting and then this, like, enforcement and punishment that the regulators kind of extracted, which I don't think was wrong. So I'm not saying that the regulators did anything too heavy-handed. Some of their approaches I might disagree with, but I think the overall direction was right. You know, it caused large traditional banks that might have served certain lower-income consumers or might have served SMBs to look at it and say, I don't want to spend that money anymore, or I don't want to spend that effort. I'm going to redirect to higher-margin things, or I'm going to sell this segment of my business off. And the interesting thing, when that happened, when that ladder got pulled up, right, you had the smartphone come along. You had people looking at that and saying, well, let's push this to cloud, let's push this to mobile, and let's bring some of these services down that you would typically see, or let's modernize some of these services in a way where through new technology we can drive the types of margins that banks are missing and we can partner with banks to drive it. And of course, the big ones I'm talking about here are PayPal, which existed pre-crash, but then I think got bigger, and now sadly is going through some restructuring, but still, still really great product set. There's great people at PayPal. And then obviously Stripe and Square. Right. Two large behemoths. You could put Adyen in this boat as well, but obviously they were more European focused around this time period. Emerging, growing, serving those underserved markets because banks pushed it out, right? Either due to capital profiles or having to heal their balance sheet, they sold off their payments businesses. You know, it's crazy to think about Vantiv or Fifth Third had a version of Stripe or Adyen, right? It was Vantiv and they sold it off, right? And now they're rebuilding it with Newline. So things are kind of cyclical in banking, right? You see people jettison certain business lines or grow value in them, jettison them, sell them off, and then regrow them again, right? Which I think is what we're seeing in some things. And then you do see some folks like, like JPMorgan Chase with Paymentech. Fantastic people over there, really fantastic platform, able to kind of hold their own on capabilities and technology versus the Stripes and Adyens of the world, and obviously has JPMorgan's distribution footprint. But by and large, the other banks got out of it. And that's what led to this rise of fintech. Or if you look around today and say, where all these companies come from? You know, it's from banks deciding we actively don't want to be in this business and somebody launching the right product at the right time to take advantage of their product market fit because the needs didn't go away, right? They just got pushed out of the banking system. So, and then interesting, obviously, of course, that a lot of those companies, Adyen has a bank charter, Stripe has applied for multiple bank charters under its various subsidiary structure as well. We've already touched on Block and their ILC, right? A lot of those companies are coming back in or dipping toes under the banking tent or back into the traditional banking financial system. And I think we'll see that trend continue over the next few years in this current regulatory.
Hailey Windham
Hailey Windham
13:39
I'm obviously a student, right? I, I'm literally sitting here taking notes and that, that's why we bring these conversations to, to Fraud Forward. I love that you, you know, ended that with the needs didn't go away, right? The banks tried to, to push it off or to say, hey, this isn't really something that they're going to want. It's just like the people who didn't believe in, you know, the laptop. Well, now, now we all have one. So it unfortunately, right, for, for the banking world, they just, they missed that boat. But I, I love how you framed it. I absolutely agree that the, the rise of the fintech really did happen because they, they didn't want to. Even now, you know, I look at, you know, my 14-year-old who, she has no want to walk into a brick-and-mortar building and, and, you know, open up an account. But, and I, I'm, I mean, I'm, I kind of hate to admit this out loud, but I also did not want to be inconvenienced with having to walk into the brick-and-mortar bank to open up her account. And so it was much easier for me to use this other fintech provider that literally, I, she's just a piece of my account now. And she got a card with her name on it. And now I can transfer money when she needs it. And I also don't have to worry about her needing cash when she goes to her, you know, local sports game or whatever. She now has money that she can take with her. That's not something that, I mean, that my bank is currently equipped to do unless I walk in and, and do it. So I completely agree and, and love that perspective of, you know, the need was still there. They just, you know, now we've, now we've got fintech companies, which I'm really grateful for. You know, the, the whole innovative concept, I think that unfortunately in some financial institutions, I won't say all, but in some, there is that older mentality of, you know, a lot of CEOs are just waiting on retirement. So they're, they're not going to do anything crazy or innovative. But when we do get that, you know, 30-year-old, 40-year-old CEO, that's where we will start to see some change, at least I think.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
15:40
Absolutely. You know, and, and, and not to paint everyone with, with, with, with an age brush, because obviously I worked at Capital One and, you know, would still hear the stories about what Rich, the CEO, is doing there. And I think even though Rich is one of those older CEOs, just very much has his finger on the pulse of technology, drives his team to do the same. And so, you know, you've got these folks. Jamie Dimon and JPMorgan Chase obviously doing very well. And Fifth Third, right, talking about younger CEOs. When did they start getting into these things like Newline or some of these other new businesses and regrowing the things they had sold off or modernizing the bank? It was when they brought in Tim, right? And Tim started to be able to drive strategy and decision making at the bank. And so, you know, I think you're right. And there, there is an interesting thing, just to springboard off of this, in banking, where I think you do have an older set of CEOs that are looking and saying, I don't have the budget and I don't have the, you know, venture-backed burn money to make money, profile luxury that tech-enabled companies do, or did especially during ZIRP, right? And I need to wait until the cost of creating and ingesting technology comes down so I can compete with them. Now, it's, it's kind of like asking somebody if they're rich and they always point upwards, right, at somebody else who has more money than they do. So the banks will do this as well, right? They make plenty of money at the big technology budgets below and say, but I don't have the budget of JPMorgan Chase. And everybody points upward at them. And Chase probably points at, you know, Google or Meta or others when they talk about those things as well. But today, with the rise of agentic coding, right? And pick your tool, right? You can use Cursor, you know, you can use Devin, you know, Claude, Codex, right? Anything like that, you know, those costs are really coming down. So it will be interesting, and it may take the younger CEO shift, folks who really understand this or are touching this deeply, to come and change that mindset within banking. But the funny thing is that day is here. So it'd be interesting to see how quickly the bank CEOs recognize it or if it does, to your point, take some of that age turnover to kind of drive some of that. But we are, we are way off topic. What, what else should we be chatting about in the world of fraud and payments?
Hailey Windham
Hailey Windham
17:44
I know, I know. I, I tend to go down the, the, the rabbit hole. So I will, I'll shift us to our next segment, which is, you know, the, the pre-vendor world. So you said something during our, our prep call that, that really stuck with me and it's you described the early days of fintech as the, the pre-vendor world and even joked that, you know, teams were basically banging sticks together. I think many fraud fighters would love to hear what that actually looked like. So, you know, what did fraud and compliance infrastructure look like before companies like, you know, shout-out Sardine existed?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
18:14
Yeah, yeah, yeah. No, I, that's a great question, right? And I've seen this both from the bank side and I've seen this from the, you know, kind of the, the early fintech side, you know, at, at Square and at Stripe. So from, from the bank side, we had teams of people in cubicles, right, with some version of landline phones and they had some version of a PC computer, usually a laptop, and they were accessing some type of, it was more likely than not cloud-based, right, and some database type of system. But you had people, you had people doing that, and it, it literally was like banging sticks together. The laptops were slow, the systems were clunky, you did not have a unified view, especially inside of these larger banks, but so many of them have been cobbled together by M&A. And what that meant under the hood was they had different cores, sometimes different providers. You would have a TSYS core, Fiserv core, Jack Henry core, all living within the same large bank, and you may have anywhere from, you know, four to eighteen different instances of that core. You have multiple BINs you need to look across, et cetera. And it wasn't as easy as it is today to develop this bird's-eye view. You know, things like Sardine, you know, other, other glue kind of gap-filling things like Retool, right? Or data lakes were not really a thing, right? You didn't have Snowflake. You couldn't go to Databricks. So if you were trying to knit all those individual data silos together, you had to have these very IT-intensive programs and projects and develop custom software. Sometimes you'd hire in contracting teams, could you just build it and then you'd have some folks maintain it. Other times you'd try and buy something, but there wasn't necessarily a, a magic bullet, right, that you could fire if you were doing some of these things. And shout-out, right, to the folks, because there were a lot of efforts to modernize or transform where you could get those types of bird's-eye view before this tooling existed. There were a lot of people that did Herculean work. I think the other thing is on-prem. And I'm going to jump now both from the banking side and the fintech side. Everything was on-prem. You had server blades maintained by IT staff that were on site somewhere or may have been in an off-site data center, right? If you weren't running your own data center, but you had to maintain your own hardware and you had to power it with your own firmware and you had to run your own kind of networking and other things. And you go buy this right from Cisco or Oracle or some of these other folks and you'd put these pieces together and get this going. But on-prem was a big thing. And I remember one of the big shifts for me going from Square to Stripe, I think it took me about three months to fully realize because I eventually, I asked people, like, so where are the server blades? And I, while I'm walking around in Stripe. And they're like, no, no, we're entirely in the cloud. And it was such a new and novel concept at the time that I think my, my, blame my brain was literally blown. And I had a freak-out for about, like, five minutes of how am I going to explain this to the regulators? Because I got brought in to help deal with money transmission stuff, right? And so you have to talk to the regulators and explain to them your stack and they're used to seeing on-prem. And the first question is going to be, well, how, how did you get comfortable with this? Like, how do you know it's safe? Right. And now it's silly because you look and everybody's in the cloud, right? The US government is in the cloud, right? So it's interesting to see that kind of shift. Down to the individual tooling, right? If you think about what did that look like, everything was built from scratch. So today, anyone building has this luxury, right? They can contact a company like Sardine and they get this amazing battle-tested tooling that's already been developed for, you know, hundreds, if not thousands, of features and use cases. And the bugs have been worked out of it. And it's cloud-based. So you can do multiplayer, you can have multiple people in there at a time, right, influencing things and driving things forward. And you have sandbox, and you have production, and everything works beautifully. What it used to be was you would kind of do this iteration model. So for those of listeners out there that work in product land, right, and you're used to shipping, what's your beta, what's your alpha, what's your MVP, right? Now what's your V1? What's your V2? What's your ship train cadence? You were having to do that with your compliance and fraud tooling. And, you know, compliance is relatively easy. It's kind of like baking a cake, in my mind, at least setting up the framework and what the, the things need to be. Although, God, I never want, I never want to have to be at a company that's investing resources to build our own compliance tooling again, because it's just silly. You should just go get that from a vendor. But you know, you, you, you think about what do you have to collect for KYC? If you're doing a consumer use case, you know the basic elements. You can set up your tooling and go and you can kind of run it. And then you can find the edge cases and develop some tooling, you know, for your internal teams to work with manual case intervention or to re-KYC things or other things like that. But if you think about fraud, fraud is ever evolving. And so it's something where you would build your system and the team would develop, you know, or, or figure out these new patterns. And if you didn't have the right tools to address the patterns, you'd have to grab engineering resources, bring them on, bring them into the fold and ask, hey, how quickly can you get something shipped here? Right. Well, how quickly can we push something to update or fix this gap or address the system, et cetera? And then the other thing when you're thinking about these types of businesses, right, you have these microservices that generally would live within the stack somewhere. And something else happening may impact and cause the microservice to break. So your microservice might be completely fine, but if something else was happening upstream or somewhere else in your technology stack in your product set, you know, you'd have to figure out, is it this team or that team? And you have to have them all talk to each other. Now, what's fantastic about these cloud-based vendors, right, and why we like using Sardine is you have already seen and thought of literally every use case we could possibly think of. So it's really about, hey, how do we turn that tool on, right? I think the other thing is the data set is so much richer. Like, yes, you can go direct to some of these data providers like LexisNexis, right? And there's a lot of great KYC companies out there that can help provide data sets like Trulioo, right? And data sets are great, but one of the things you didn't have back in this older world that I grew up in was the consortium data. Banks had it. Banks had consortium data for themselves and Early Warning. And on a limited basis, they would get selective access to certain fintechs. And, and that access was pendulum swingy. It would come and go. You could have it this cycle, sorry, we're taking your contract away. So you couldn't treat it as the bedrock foundation of your program. And I think one of the amazing things is now, I know I had a team member walk me through something the other day to say, what do you think about this? We're seeing this pop up. What we saw was we were getting fantastic fraud data off of Sardine's consortium. And that's something that in the past, you'd have to start small and build your own internal consortium. And you would never think of, you know, I always had this pipe dream. Hey, we should have a fintech version of EWS. And there's got to be somebody to call PayPal and somebody at Square, but I could never figure it out and move the right needles. And it was never my core project. So it just never got done, right? At least not for me. But now it's amazing where, if you think about it, you don't have to have the size or the scale of a Cash App or a PayPal to get the fraud consortium power because you can, you can use Sardine, right? You can get that from the kind of network-wide effects and recognize there's other vendors out there as well that do that. But we're very happy and I think we're seeing great results with, with what you all provide today.
Hailey Windham
Hailey Windham
25:11
I, I appreciate that perspective. And, you know, I, I love that you've mentioned also that, you know, the wishing that there was an EWS for fintech. And then I know at the same time that from the banking perspective, we wanted that same insight because we, we could share, you know, especially like I, I think specifically about my practitioner days, the X9 files. When those came in, we could look and determine, hey, this was sent back, this was returned for whatever reason, and we would use that in our, you know, whenever checks would come through on the teller line, we could tell the tellers in real time, hey, don't, don't accept this check. And here's why. I, and I loved that. But if we could do that same thing when we're looking at debit card transactions at a merchant that, hey, we've had several vendors that have popped up and said that there's a lot of fraud happening here. You might want to, you know, do a push notification or something to your customers. Like, we would have loved to have that information. But, but we just didn't. And, and I think that you've answered, you know, several of the questions that I had all in your, your answer, which is phenomenal. You know, thinking of bespoke fraud systems that you're creating yourself and also just how long it would take to launch products like that back in those days. So I guess I'll, I'll sum it up with this question, which is, you know, what do fraud teams today take for granted that simply didn't exist 15 years ago?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
26:32
Yeah, I think honestly one of the biggest things is that orchestration layer. You know, one of the things we're seeing on the vendor side now is a lot of the vendors recognize their limits, or they recognize where another vendor partner may have a better superpower. And so we're seeing a lot of marketplaces or we're seeing the ability to plug in orchestration. And so I think that that's something that day-to-day fraud teams, maybe even some fraud managers or more recent fraud executives that didn't live in this old world. Obviously, you know, folks like Soups did, right? We did. Where those folks, I think, take that for granted. And I see it now and I'm amazed, right? Because I've been seeing this now over, gosh, I think about six different fintechs and viewing all the different ways people did it. At one point, one fintech I was at was running everything through Salesforce, right? Because that was just the best bird's-eye orchestration view to do it, which today sounds silly, right? Why would you pay $1,800 for a seat for all your fraud team, right, when you can go get a much better orchestration layer and a vendor that can take you deep on any capability you need in your stack or you need to supplement that you don't have natively, right, using something like a Sardine. And so I think that I would say orchestration and then the ability to pop at these other things by marketplaces. And then I'll take us a step further. I think something that people will take for granted, let's say three years from now, is going to be the ability of wrapping in agents and agent tooling. Right. Like, I see some of the features in my Sardine dashboard when I'm in there. And I know it's early days, right, for all of us on this, but I'm very excited about what you guys have today. It's very helpful for us, but also very excited about where this is going to go in the future, right? In terms of thinking about investigations, aiding and speeding up human investigators, right, or making judgment calls, right? Finding those needles in the haystack and being able to see this overarching view that one human might miss, or a heuristic forest, right, trying to sniff out certain patterns, right, may also miss. And now you've got this other way to go kind of tackle this and dig in on certain things.
Hailey Windham
Hailey Windham
28:32
So true. And we also are very excited about our new agents that are coming out. I, I will say there's one thing that you mentioned that I was looking back through my notes a second ago, but about the, the new fraud person coming in, right? We're not thinking about all the things that could potentially happen because they maybe haven't happened yet to, to our organization. So being able to have a, a vendor or a solution that you can depend on that's like, hey, we've, we've seen it all. I, I like to use the, the Farmers Insurance. We know a thing or two because we've seen a thing or two. I think it's a, you know, great little gimmick, but I feel like it's kind of in that same wheelhouse that when you finally have that partner solution that has seen it and they can prepare you for it, it leaves for great, you know, organizations who maybe haven't even had a fraud department at all and they're trying to establish one now. A lot of times they're pulling up a frontline employee who just happen to be really good at disputes to now head up a fraud program. Well, they don't know every aspect of it. So being able to rely on these vendors just gives us a different leg up than what we would have had several years ago.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
29:37
Absolutely, you know, and one other thing I'll add is that, you know, what, what we're talking about, or certainly I live in non-bank land, right? Payments land, fintech land, these tools are for everybody. So if you are seeing fraud because you're moving high-dollar consumer devices like phones, right, or Birkin bags, right, or something else along those lines, right? If you have a secondhand goods marketplace, just because you're not a fintech by nature, right, or even if you, if you, if you happen to be a bank and you're trying to figure out how do I compete with a company like a Square's, right? The answer now is you can go buy these vendor tools, right? You can bring this technology into your bank and or into your marketplace, right? Or into your other commerce platform, and it'll help give you some of those superpowers, right? Which I think is really, really amazing thing, right, that I think not everyone has fully woken up to, right? That, that, like, anyone can have these superpowers. You just need to go work with these vendors.
Hailey Windham
Hailey Windham
30:30
So true. So I'll, I'll move us over to our, our next segment because you kind of teed it up perfectly. You know, one of the phrases we hear constantly in fintech is one API. It, it sounds simple on the surface, but fraud teams know there is rarely anything simple about moving money. So Modern Treasury is now directly in the flow of funds. What changes when you're actually moving money rather than enabling it?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
30:57
I'm going to have a funny answer here, which is I'm going to say not much. And I can explain that for people who are watching or, or listening to this. So not much because if you look at what the core of our software is, we sit today like a payments enablement and orchestration layer over money center banks, fintech banks, right? Any bank you could possibly think of. You know, we've got dozens of bank connections into every bank that works with other customers, other platforms for payments purposes. And people use our software to track, interact with, engage, and move funds today. But the, the difference is when they do that API call to us, it's poking their bank and telling their bank, right, if it's a JPMorgan or if it's a Coastal, right, or if it's someone else on those lines, it's telling their bank what to do. And the interesting thing, right, if you think about what have we done, and we're moving, you know, we've moved over 400 billion lifetime for customers to that software product. Right. And help them track and ledger it and reconcile it. And we're doing now over a billion dollars a day in money movement just through the software platform. So, you know, it used to be historically we'd done the 400 billion, and some people go, well, is that over our eight years? You know, the answer is, well, yes, it is over our eight years. Recently celebrated our eighth birthday on Modern Treasury. But the answer is we're going to do, you know, likely in the order of, you know, 350 to 370 billion in money movement just this year through the software. So if you think about it, you're getting this battle-tested software. And what we changed was rather than you go out and have to find your own bank, because some of the banks sometimes will say, we like your business, you're too small, or we like your business, you need a regulatory license. We were able to bring our bank partner along. And so if you don't have your own bank, you can start on the PSP. So you get all the same software superpowers, you get all the same battle testing, right? And we're used by several publicly traded companies, including many I'd love to name, but we don't have logo rights. But they close their books, they do SEC reporting off of this, right? And they support millions of customers, millions of small businesses, right, off of this. They are regulated, right? And they use Modern Treasury software to track all that. Customers who come to us can get all that same superpower rolled up in one API, right? So the other thing for us is that we can give you multiple rails. We don't touch cards, but we will do ACH debits and credits, we'll do RTP, we can do FedNow, we can do wire, we've added check capabilities. So there's a lot of things under the hood, and obviously, and stable coins, right? And we're still expanding the platform. And by stable coins, right, we can do on and off ramps. We will introduce you to custody partners, right? We have other products coming soon, which we're very excited about. But I think my marketing team would kill me if I spoiled them and talked about them now. But lots of fun stuff, right? Would love to come back. I think honestly we should send Dan Mottice back, who's our, who's our, our stablecoin guru here at Modern Treasury. But you know, for us, you know, that's the reason why not much has changed because we've already been doing this for customers, including we do some stablecoin orchestration for our software customers today, right? Or we're working with some of those custody providers and other things in a software capacity. They're buying software from us. So it's something where we've seen so much of the industry and we've mined very much just like Sardine has mined all the edge cases in fraud and is always on the cutting edge, you know, and is just as fast, if not faster, developing capabilities against new fraud patterns and rings and things like that. We're doing the same thing for nuts and bolts payments. How does this move here? How do these banks connect? How does this bank connect to this, you know, crypto provider, et cetera? How do these markets connect? And, and that's what folks can get when they come to the PSP.
Hailey Windham
Hailey Windham
34:34
Love that. So again, just talking about that one API, you know, when people hear one API, what complexity are they missing?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
34:44
There, so there's a couple different things. One is there's a lot of complexity to stitch all of these different features together or products, right? Because some of them are products, some of them are just features. We have customers who come to us and say, I'm working with another company in your space, but they're making me add one or two other companies to use their product. And we go, you can just use us for all two or three or four of those functions, right? So you can just come in and just get everything. We, you know, I think people also who haven't worked in this space will underestimate the complexity around sometimes the software isn't good. Or there is in sometimes you do the API call and the thing doesn't happen. Like, that doesn't, again, that doesn't happen with us. You don't move a billion dollars a day through your payment software unless it's good, right? Because people aren't going to keep showing up and moving funds through those rails. I, I think the other thing is sometimes the underlying rail choice isn't there, right? So that's kind of what the one API complexity abstracts away. It allows you to have access to multiple different rails, multiple different timing options, multiple different markets and geos, and multiple partners, right, under the hood. And we are abstracting away that complexity, right? You're not going to need a bank partnership manager or the team to manage that because we've got you covered with that, right? We want customers to do their own fraud screening. We're very happy if they also work with Sardine, but we're going to have a goaltender back there, right, trying to, trying to catch those things and keep, keep the ball out of the net when it comes to fraud and fraudsters. You know, and that, that's what we're building on our platform. So we're going to have that extra layer of protection and bird's-eye view. And I think that those are some of the elements of complexity, right, that people don't think about or take for granted in part because you can go to a provider, turnkey it, hit an API call, and output happens, right?
Hailey Windham
Hailey Windham
36:44
That's when you're like, really? That, that it's as simple as that? So I'd, I'd love to ask just, you know, just to double-click about the, the operational realities that, you know, that fraud teams often don't see that are maybe behind the scenes. And one in particular is maybe even like the reversibility rules that change during fraud operations. So we'd just love your thoughts there.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
37:11
Yeah, and, and you know, it's important too to talk about that each, so each rail has its own rules around how do you adjudicate reversibility, right? Because that's another big thing that, you know, folks who've worked in this space know well. But if you've just worked in one rail type, you know, you might think everything kind of works like Visa, Mastercard. And then because of that, everything has its own rules. Rules end up being able to be gamed. And they can be gamed by fraudsters or they can be optimized, right? I wouldn't call it gaming, but optimized by companies. And so you do see companies under the hood develop these superpowers. I'm thinking actually of Lithic, where we were, you know, card focused. But we had a couple of employees that were very good and their chargeback win rates were above market and above anybody else. You know, if the average chargeback win rate on a card issuer side might be, you know, the average win rate you could get if you, if you outsource this to one of the networks or one of the other providers might be somewhere in the neighborhood of 50 or 60%. These folks were winning 80% of their chargebacks. And it wasn't because they were lying or submitting faulty documentation. They knew all the rules so well that they could optimize for it. And so I think that's one thing to call out. If you are new to payments, you don't have a fraud background, you're going to want to investigate the rail type, the reversibility, and then the rules around reversibility. And the reason I keep hammering this is because then you look at something like ACH and there is no adjudication really in ACH. It's bank wins. So if the bank wants to say, I got a call from Matt as my customer, he's, you know, diamond, platinum, whatever status, Matt doesn't lie to us, and we're just reversing the payment, the bank on the other side that originated that ACH debit has to refund. And then what NACHA says is you settle it out of band with the bank. So if you really wanted to, bank one could sue bank two, but it just doesn't happen, right? Or if it was large enough, I suppose you might see something along those lines. Usually what happens is the third-party sender goes and sues the person they took the debit from and shows up with the authorization. But you can submit documentation until you're blue in the face. My experience with that is that the bank says, we don't care. We're not interested in it. And because there's no central network, NACHA doesn't play that role that Visa or Mastercard would play. There's no third-party arbiter that can take a neutral view and look at just the facts. And so I think again, it goes back to your question around reversibility. What do people need to know? I think one is what are the rules of the road or really rules of the rail. The other thing then, right, is how that ties into it, is depending upon the rules of the rail, now you have to treat those customers more skeptically. And you can really get granular with this, right? You can look at it and say, I am seeing a lot of fraud from these institutions, right? There were certain fintechs that were labeled as kind of fraud, fraud magnets or fraud factories. So you saw some, some counterparties on the other side just say, I will not accept the transaction from this fintech, right? And kind of turn that off. I think those fintechs have largely cleaned up those issues. And it's something that obviously over time you want to do because fraud may be a quick drug in terms of boosting your revenue because you're going to see that transaction volume go through, but it's not sustainable long term. Right, you yourself are going to have to turn these fraudsters or eventually they're going to rip you off and it'll eat into that revenue that you're building. So most fintechs end up cleaning that up. I think the other thing is sometimes some banks are so large and they turn a blind eye to fraud that there will be certain banks that have big fraudster populations. And then there's another complexity to it too, depending upon what, what is the payment device or the payment credential that you're getting. Because not only can the rail be reversible sometimes, but you think about it like a virtual card. Or in open banking, there's this concept called a tokenized account number. Some tokenized account numbers can be canceled by the consumer. Good consumers don't cancel them. They don't realize this can be done, but fraudsters know. And fraudsters cancel them and fraudsters will use it to hammer the counterparty on the other side to get out of the payment. Because they can do it without having to do an unauthorized transaction claim to their bank. They can just kill the token and then the debit never occurs. And then it's the, it's the counterparty on their side left holding the bag. So there's a lot of complexity when it comes to reversibility. And I think too, the other thing around reversibility is people need to think about the durability or how stable is that credential that's being presented. Again, going back to the virtual card, I'm sure most listeners, if they've worked with virtual cards, have used it to get a free trial and then not have to pay afterwards. I know I've done that. Right. And, and I'm sure lots of, lots of listeners have done that as well. And I think that's a fairly innocent practice to do because people set these things up and you're just guarding your bank account from it. And it keeps you from having to go in and officially cancel. Right. But folks who do it not just for the free trial, but to skip out on payment because they're canceling the virtual card before the payment comes due, or they're canceling the tokenized account number before the payment comes due, right? That is fraud and I think that is problematic.
Hailey Windham
Hailey Windham
41:54
One hundred percent. I, I wish that we could get some updated Reg E. I, I did a, I, you know, reversibility is great, but also, you know, I, I did a presentation a couple of years ago and I was like, with Reg E, are we protecting consumers or enabling the fraudsters? I, I don't know here.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
42:16
No, that you, no, it's, it's absolutely true. And unfortunately I think that is something where if you're going to mandate reversibility, you probably need to set up some kind of adjudication process. So that way you can catch fraudsters or some type of, you know, you can think of maybe a federally mandated fraud database or something like that. I know people get, people get skittish about that, especially because then you start to involve privacy advocates who say, well, we shouldn't be doing this. And there, there can be false positives, but I mean, we've worked in this space. I know listeners have worked in this space. Fraudsters have some of the biggest moxie, right, you'll ever see. I remember being at places where we would get regulatory complaints because we had money transmission licenses, and we go look into it, and lo and behold, it was a fraudster. The fraudster who'd ripped us off, and we had all the facts to prove it, but we just, you know, didn't have anybody to that cared to listen, went to the regulator to try and get us into trouble. And we go back to the regulator and be like, this is a fraudster, here's the five reasons why, here's all the data that proves it. And they'd be like, works for us, we're going to consider this closed, right? So it, you know, it is one of those funny things where fraudsters have absolutely gamed the system and we probably do need a refresh on some of those things. And I, I don't, unfortunately I don't think we'll get them with Clarity or some of these other areas, but maybe that's something as Congress starts to get a little bit younger, a little more tech forward, they can think about those things.
Hailey Windham
Hailey Windham
43:33
Fingers crossed.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
43:34
Yeah.
Hailey Windham
Hailey Windham
43:36
I'm going to pause here for just one second to ask, do you have a hard stop at three?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
43:40
I can keep going.
Hailey Windham
Hailey Windham
43:41
Okay. I, I won't, I'll try not to go over too long. I just wanted to make sure that we were able to cover both. Okay, great. Thank you so much.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
43:44
No, it's okay. Yeah, I was late, so I'm happy, happy to keep going. Yeah.
Hailey Windham
Hailey Windham
43:50
Okay, so one of the, the phrases we, we hear constantly in fintech, or actually I already did that one. Hold on, sorry. Let me start back over. So I, I appreciate all of that, the insights there truly, but I also want to make sure that we really highlight something that it's pretty cool that was recently announced. So Modern Treasury recently announced global USD accounts spanning dozens of countries. That's an incredible opportunity. But from fraud and compliance perspective, it, it's also incredibly complex. Would love for you to, to speak on that for a second.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
44:28
Yeah, you know, it's, we owe it to really great partners and the partners come, you know, on our KYC and fraud side, so folks like Sardine, you know, we're, we're really grateful for the capabilities that you have all been able to help us with and, and deliver. The other thing is it goes to our great banking partners. And I will not name them just because we have not cleared this with their, with their marketing teams, but if folks want to find me online, happy to say who they are or other things. It's the usual suspects of folks. But we do have some really thoughtful banking partners that are willing to look at us and say, hey, what's possible here? And then the question is, okay, we've decided what's possible. How do we make it safe? And we're able to come to them and say, here's what we think makes this safe and why we think this is reasonable. And they evaluate it on the merits. Right. Without any bias or preconceived notions, et cetera. And they obviously have their own frameworks, their own guardrails, their own walls of the house, right, that we need to operate within. But I think it's, it's given us a lot of interesting capabilities to go launch these products. And for folks who are wondering how, how would you do this at home, right? The simple answer is you should, or the starting point is you should get a Delaware corporation. Don't ever start any of these companies at home because that'll make you a sole prop. That's a legal joke, by the way. But the, you know, once you have that aside, right, you can tackle these things by thinking about what is legally required, what's my foundational footprint? And when you look at it, you know, there ends, you come back to something that centers around CIP, which is the basis of KYC. So CIP is customer identification program for listeners who aren't into the legal jargon or don't have to be. God bless you if you don't have to be. I've been trying to get out of it for 20 years, but here I am. And, you know, CIP is a part of your KYC foundation. Because knowing your customer is more than just grabbing the customer identification information out. It's also understanding what the customer does, right? So then you'll have customer due diligence around it. You may have enhanced due diligence, which is especially when you're talking about all these countries and bringing all these people in, right, you're going to be looking at other different signals. Now one of the things that I also like to wrap into this, and it's not part of the CIP rules, but can help inform KYC, is digital fingerprint, right? Which is something that obviously partners like Sardine are really able to help us with. And this is where the consortium data is also very valuable. Digital fingerprint in my mind can be broken down a couple different ways. Yeah, I tend to think of it as hard elements and soft elements. And the hard elements are important because you want to take a hard action against a customer, like freeze their funds. You want to file a SAR. If you want to, you know, turn off an account and kick them off your platform and blacklist them, you don't want to do that against a soft element. You want to do that against a hard element. The hard elements in my mind are things like an SSN, not necessarily a digital fingerprint, but something that is, you should be unique. Now can be purchased. I've been part of several data breaches myself because I used to work for the government. Thanks, OPM. But you know, they're, they're out there. But when you combine my SSN with my cell phone number, and okay, you can SIM swap me, right? But now you start to get into my device ID. Right, people who have seen me before, and I'm sure Sardine has me in the consortium somewhere because I bet I've interacted with, with other services. You know, you'll start to form this picture of Matt that gets harder to change. Or now you're going to layer in my ACH number or a PAN, right? A card number. And so now you have enough elements that are starting to build up where fraudster may be able to get one, but not all five of them. Right. And you can layer in some other things around, for example, what type of device do I typically use? I typically bias towards one device set, right? I'm not going to give it away. I don't want fraudsters to completely eat my lunch here. But if you're seeing me and I pop up on the other device type, it's probably not me, right? 99.9% odds that's not me. And you know, those are the types of things in the digital fingerprint that you can look at. Now those, those factors around device, IP, et cetera, can be soft factors. Because if I'm home or I'm out, I'm on the Starbucks Wi-Fi, right, I'm going to get an IP address that could be used by somebody else. My IP is likely rotated home, so my wife and I are probably sharing them. We both work from home. And, you know, my kids now are on the, are on their iPad, right? Or other things like that. So you could be seeing some of that. So, you know, you need to kind of break those things down. But as you think about the digital fingerprint, that also helps you layer in some levels of safety, including some bare-bones blocking and tackling. So some, some, some, some free advice for folks, right, is there's an expectation that you will block IP addresses from fully sanctioned countries. You should never have anyone natively accessing from North Korea, Cuba, et cetera. There will be lots of companies that aren't aware of that or forget about that. So that's why I want to call that out. But those are the, you know, some of the things you can look at and why getting that digital fingerprint can be really important, right? So work with a post hoc or another type of vendor like that to help grab that out. Make sure you're surfacing the proper privacy policies on your website or app, right, or binding customers to it if you're bringing them into an official front door or funnel. But those are things that can help. And then as you're thinking about it, right, you can start with CIP, what's legally required. You can think about how do you contain risk. You can feed in digital fingerprint. And then also, too, some of your controls can be on the back end around transaction monitoring. Some of them can be threshold-based, right? I think those of us that have worked in this space know there's a lot of tourists. There's a lot of looky-loos that come in and try a product once or twice. One of my, one of my funny favorite examples of this is every time we'd launch something new at Lithic, the Stripe issuing team would spin up a bunch of accounts from their Gmail address. And I used to work at Stripe with the Stripe issuing team. So I knew who they all were and we'd all chuckle about it. Like, it's really nice that 40 people from Stripe signed up for Lithic's product today. Hopefully we'll get some real customers too, right? And you'd see them come in and run a few dollars through. But, and I should imagine most fintechs who have competitors, right, would see that, see that dynamic as well. But the, you know, those folks aren't going to be long term, so you don't need to strangle them and process. They're not a risk for you. They're looky-loos. They're going to come in, try a product once, you know, end up effectively churning, right, or going dormant. So I think it's, folks wonder what does it take to run these accounts or to open up to this many markets. I think it's really great partners, right? Both on your reg tech, compliance tech, fraud tech side, but also from the institutional side. So making sure you're working with someone who understands what's possible and is up for exploring what's reasonable. And then taking a reasonable package around the controls necessary to enable these types of products and services.
Hailey Windham
Hailey Windham
50:46
What would you say are the biggest misconceptions people have about global money movement?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
50:52
I think I see a lot of people, particularly in the compliance space, and I suspect this is in the fraud space as well, and then in banking, right? So you kind of have this triangle that overlaps or these Venn diagrams where people, there's a bunch of people that sit in the middle. Around international is risky. And yes, by default, especially looking at some of the AML principles, et cetera, or the country ratings and things like that, you'll want to put certain things at higher risk, and that could be driven either by money laundering or by fraud. Right. They're both, they're both dual drivers there of that. But if you look at a lot of these consumer use cases, and if you zoom out, like, wait a minute, you know, companies like Western Union are multinational, if not as global as you can get, and they move money, right? You know, there are banks that are in multiple geos and footprints. Or you look at somebody like a Nubank, right, coming up through LatAm, people would consider LatAm high risk, fraudy, money laundering, but here's Nubank doing very well, doing it safely, right, and entering the US market as well. So, you know, I think there's, there's some interesting misconceptions or there's a broad brush people paint with. And, you know, what I would say is if you're building in this space, you want to be able to help the folks who have a broad brush put it down and understand the nuance in this. There are high-risk markets, right? I'm not blind to that. There are high-risk use cases. And there are things where you're going to want enhanced due diligence, right? Extra information about folks. Ideally, you can get some of that up front, you can make it thresholds-based, or you could do it on an RFI basis, right? But it's understanding the nuance there and the complexity that I think can help drive some of these things forward as you're building in these spaces.
Hailey Windham
Hailey Windham
52:40
So true. I, I can remember in my early practitioner days when I was sitting at the ACH desk manually reviewing the IAT report, like any international transactions that were ACH, I had to review, make sure they were usually like two or three dollars. They were small, one to two transactions per day. And so I, I remember thinking, like, why am I doing this? This is so, first of all, manual. But second of all, like, what's the big deal? And just remembering that that was just part of the process and now knowing. And even now in my, you know, day to day, you know, with podcast and editing and things like that, I needed to send payment. And in order to send payment, which was, you know, overseas, I had, it took, you know, a week for my wire to get there. That was crazy to me that I, that I had to wait that long. So the fact that that, you know, this is now an opportunity where this is instant that can happen and it's being done safely, I, I think it's a service that honestly, is, is been well overdue.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
53:43
Absolutely. You know, and there is some, some folks will call it regulatory arbitrage, but I think, especially when it comes to IATs, they call it regulatory cruft, where OFAC realized, hey, we have this, especially after the 2001 attacks. OFAC said, my God, we can have people in foreign countries landing payments and we don't have great visibility, we don't have a great way to block it, we're not sure how banks are tracking this, et cetera. And they went to NACHA and said, fix it. And there was this consultative process kind of back and forth. And so they stood up the IAT framework. And then everybody said, okay, we're done. And so the IAT framework hasn't really been touched. It's been expanded to capture more permutations. But the actual nuts and bolts of it haven't been touched in almost 20 years, I feel like. Because I think it was like the late 2000s when the IAT stuff really got baked, maybe around 2011, but the core of it really got baked, I think, in that, in that, like, early 2000s. And there's been an expansion of what is an IAT. And it's fascinating because if you look at it, right, card networks don't have these same limitations. Private networks, right, like cross-border networks, don't have these same limitations. At the end of the day, they will comply with the travel rule, which is helpful. But you're adding this complexity in where you, since you touched on IATs, right, where the, if you think about it, the sender is going to be running its own screening. And then the bank is going to be running its own screening. And because of the way fuzzy matching can work, you can have something hit on the front end but not hit on the back end, or vice versa. And now you're introducing another layer where if there's another bank involved in the clearing of it or pushing it out, they're also obligated to run their own screening. And then the funny thing is the Fed runs screening, but they don't block anything. So you have this extra layer of screening that's just screening for screening's sake. And it's something where back in the day, I think it makes a ton of sense of why, like, the Fed doesn't block, why you have all these different parties doing things. Because it was so manual, right? Your point around looking at the IAT transactions coming through. But the, you know, the silly thing is now you think about the advancements in technology, or you think about how this doesn't apply to a cross-border transaction that's funded with push to card, right? Or funded by a credit card. They don't have the IAT rules around it, but you can still move money overseas. Or stablecoins. There's no NACHA-like body. I guess, I guess OFAC could go to the issuers the way they went to NACHA. But there isn't really a NACHA-type network adjudicating body. It's just the blockchain, right, to go to, to say, do IATs now. So it's kind of interesting where these, these, these say it's kind of set and forget, and the forget is regrettable in this case, right? Because then it's, it's kind of choking ACH from being an interesting factor. And I think it'll be interesting to see, you know, what happens with stablecoins, because it may, it, it probably won't be IAT-related, cross-border, et cetera. But there will be things as regulators are setting the rules in Genius Act that are set and forget and that don't age well. And, you know, it's interesting because the card networks have by and large been able to navigate that or keep that from happening. They have fantastic people on the regulatory side of the card networks and really good lobbyists, not to imply anything unseemly about it, but they do a good job educating regulators and keeping a clear path for the ecosystem. It's not just for the networks themselves, but it's for merchants and consumers, right? Which is really important. And banks as issuers, because they're obviously part of that equation. But it's something where the rest of the industry hasn't organized or developed that muscle yet. And, you know, sorry, IATs is one of my favorite topics to, like, hate on. Because I think again, no, the, the rules are crusty and silly and they, I think, are impacting interesting products and lower-cost services that could be developed. And unfortunately, we're likely to see similar things happen with stablecoins, right, with other payment rails, these faster payment rails, et cetera, as they come up.
Hailey Windham
Hailey Windham
57:04
I'm glad. I'm glad. I, I, I appreciate that and I think it's a great lead-in again to, to the next segment that I have for us, which is and our final one, but the future of fraud infrastructure. So when we look ahead, you know, fraud teams aren't just adapting to new payment rails, they're adapting to entirely new infrastructure models. So what capabilities will every fraud team need over the next five years, do you think?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
57:50
Yeah, I think I would say agentic capabilities are going to be really key. And that's going to evolve rapidly. I think every six months for the next three years, people probably need to pick their head up and think, have we sized this right? Do we have the right platform, et cetera? Like one of the things, for example, we did at Lithic, and we're happy to use the agentic capabilities that come embedded with our partners and service providers. You know, obviously Sardine's one. I'll give Notion another shout-out. They have some really great agent capabilities in there. We have also built kind of a what I'll call an AI spinal column. So we've taken, you know, software tooling and created, like, a central connective tissue, and we can plug data sets in, company data sets in over here. And we can plug agentic tooling or agentic, you know, AI workflows in over here. And if we find that, you know, hey, you know, because I think people were on Codex and then they were like, I like Claude better. So if you've got to do that, that, that rip and switch kind of piece, it's easier for us now because of that kind of AI spinal column that we've set up. And now you can tell I'm not very technical, so I'm probably calling it all the wrong things. But the way the, when the team explained it to, like, it's like an AI spinal column. You're plugging in different nerve centers and it controls different parts of the company or allows you to enable certain functions. And obviously you can create controls around that. You know, so I think today, like we don't have, you know, our Claude agents touching our Sardine layer, you know, but something in the future we're going to evaluate. Right. Or we're going to look at some of those things and think about what our back office looks like, how do we contain it, make it safe? You know, it's not on-prem anymore, but it might be in our cloud bucket on a model that we roll or that we contain and doesn't feed back to a mainland model system, right, or something else like that. So I think AI agents are probably one of the biggest things. And the reason I bring it up is because, you know, fraud will always be there. It'll always be finding the cracks and seams in your products. It'll always be finding the cracks and seams in your processes. Fraud is going to get better with deepfakes and things like that. We're B2B distributed at Lithic. So we don't have to think too much about deepfakes, et cetera, but our customers do. And because fraud is ever evolving, and especially too, I think for the US market, you'll see fraud overseas, which means it'll happen when you're sleeping. Or if it's really smart, it'll walk in through the front door during daylight hours, but it'll happen overseas in other markets, you know, as you're trying to track traffic or, or pound out fraud rings and things like that. Where the, the agentic capabilities and being able to identify weak points in your defenses and plug them with agents that don't sleep, right? That don't, don't require overhead and benefits and office space. Maybe you, maybe you roll your own and get a Mac Mini, but a Mac Mini is a lot cheaper either than offshore or full-time FTE. It's going to give superpowers to the teams that stay on top of this. And also too, I think having a vendor that can support with, facilitate, and work with those agents is also pretty key. You know, and, and we, that's one of the superpowers we appreciate about Sardine.
Hailey Windham
Hailey Windham
60:50
It's the same, truly. It's, it's one of those really cool and for the record, Fraud Forward appreciates you talking in practical, non-technical terms, because I also am not a technical person. So I totally could visualize the, the spinal column and I was like, yeah, that makes total sense. So I appreciate that. And I think you made a very valid point that I want to make sure that we, you know, touch on here is that, you know, where should humans remain in the loop though of all this really cool tech that, that, you know, we're hopefully onboarding and we'll be able to use?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
61:22
Yeah, so you, there's a couple different models that we think about at Modern Treasury, and I think will continue to be deployed. And it'll make sense for folks who've been in this space and have thought about human in the loop. Because one of, one of the things people get excited about AI, but, like, we've had AI, especially in fraud and risk, and compliance, for, like, well over 20 years, right? We've been using heuristics, we've been using machine learning, and that is a form of AI, but it's just not sexy, right? It's not the, it's not the LLMs or agents, right, that people have come to think about. And they do slightly different jobs. So I think you still need both. We've been using human in the loops with these machine learning models for a while. So I think I would, you know, what we're thinking about and what generally would recommend for folks until somebody comes up with a better model is to roll that forward. You keep that human in the loop. Then you can do some after-the-fact, and this is something that'll be familiar for QA teams or audit teams, or really compliance teams or audit teams. You can do the quality assurance or quality control. You can do the testing and sampling and go in and check things. And if you're having an independent assessment done on your AML piece, you might stretch it out over your fraud systems as well, if you're using some of these agents and you want to catch some stuff. Now, what I would recommend if you do that is to have a separate report just on fraud so it doesn't blur into or confuse folks who are looking for just that AML independent assessment, if you share that or when you share that with external audiences. But if you think about it, the teams that are going to run those assessments are looking at workflows that probably will be pretty similar to your fraud workflows. So they're used to testing this type of input, output, result, right? Type of, type of thing and looking for failures in systems and consequences. So that's something I think to call out for folks. The other way that I think about it is I have this really great team of experts that I'm privileged to work with at Modern Treasury, and some of them report directly to me. So I really appreciate all of them. I view it as in, hey, rather than us hire six FTEs underneath them, we can start with agents and see what we can do with the agents. And I am fully aware, I know there's a lot of CEOs who say we're cutting X percent of our people, or, you know, Klarna was like, we're going to get rid of our customer support staff, replace it all with agents. And then they kind of reverse course. So we're aware at Modern Treasury that agents don't fully replace humans. But if you think about augmenting a manager and making it where this manager just makes decisions now, because that's really what management is. You're making decisions that need escalation over certain things. You can have the AI do those rote repeatable tasks that you look and you go, yeah, this is a no-brainer. And we just don't have a good tool to handle it. And unfortunately, we have this output coming out of the system that needs clearing. You can have AI go in and do those things. Things you used to hire maybe an offshore team, a contractor, right? Something else like that, absorb. And I think more and more we'll see AI absorb more of the queue work coming from FTEs. And that will free people up to be managers. Now there is, there we today can benefit from taking high-performing individual contributor key workers or managers out of other companies. In the future, we'll have to balance this. Right. With how do we make sure we're training folks and we're putting them into the right things. Also, how do we make sure if the queue and, and the agents are spotting one thing that they're spotting the emerging thing as well? And part of that is a good, a good vendor structure or a good partner structure. So again, Sardine helps us with that. And we appreciate all of that. Part of that is going to be humans going into that haystack and looking for potential needles before the company gets stung.
Hailey Windham
Hailey Windham
64:43
It's such an interesting perspective. And I love that you mentioned the part about training folks. One of the things that concerns me, you know, in, for my own sake, my own thoughts, is the, I do fear that any new people that we are bringing on, if we're getting rid of the older, senior people who have been a part of banking before it was so technologically advanced, we're missing that industry knowledge and it's, like, going out without first being, you know, told to the next generation. I, I was trained by someone who today, I think if technology fails, right, she's literally going to be able to put us back on, on the map. Get Check 21, she can, you know, do all the, the scans. She, she did the mailing of every check. I mean, it was crazy. But she's the one that gave me that firsthand knowledge that I think that holistic understanding of payments made me the fraud fighter I am today. So I, I do worry though that that industry knowledge is going to leave with that generation and we're not, you know, educating the next, the next generation effectively. So hopefully, hopefully we'll, we'll, we'll cross that bridge the right way.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
65:48
Yeah. I, no, I, I think that's very, I'm, I'm optimistic that we will still have, especially as companies scale, because we're, we're not like, hey, we're never going to hire heads. We have open roles right now at Modern Treasury. We'd love for listeners to come join us if, if they're, if they're interested in that. And we'll continue to hire. We're going to continue to hire in sales, fraud, risk, compliance, engineering, marketing, right? All the functions, finance, across the board. I think, you know, rather than see a 30-person team, we may see a 10-person team, if that makes any sense. And so it, the pressure is on us to, to be a little more selective, but there will still be growth and pathway opportunities. And I expect too, if we reach the same scale that, or when we reach the same scale, right, that an Adyen, a Stripe, or a Square has, you know, then it won't just be a 10-person team, it'd probably be closer to 100 or maybe even a, you know, a thousand or so. So, that I think, I'm optimistic that we still will have those training opportunities. I'm with you though. I hope we don't lose all that great knowledge as folks get ready to enjoy the next phases of their life.
Hailey Windham
Hailey Windham
66:49
Very true, very true. Okay, my final question for you. What infrastructure investment would you make first if you were building a fraud program today?
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
66:58
I think I would invest in my front door. And I really want to call out the front door because I've worked with so many product people now that I have taken for granted, because I've worked with a lot of folks that are very experienced and tenured, and they naturally think about the front door. How do you introduce your product to your customers? And that front door, right, is important and legal because we want to make sure it has the right terms, conditions, privacy policies. Because then everything you do once you're in the house, right, you're down the hallway or you're in the building, is wrapped with legal safety and we've given you the rules of the road, right? So it lines up with UDAP, it lines up with privacy expectations, and then also answers some of the questions later when the business comes to you and says, can we use the data for X? Well, what do we tell the customer at the front door? I'm going to tease the front door not for legal reasons, but for a different reason, which is the front door is the best time to capture information about your customer. And obviously how you do it is a dance, because you need to balance friction versus want. Customers that really want your product will sit through a lot of friction. There are some really fantastic products. One of my favorite ones, if I can name them, is Current. I did the onboarding flow for one of Current's products. It felt like I was just being naturally pulled through the funnel. I couldn't stop myself from entering the information. And they weren't doing anything sneaky or stealing anything from me. It was just such an easy experience that I was done and out the other side. And they had full CIP. I'm sure they had my full digital fingerprint. You know, I'm sure they had other information like my employer, how much money do I make in a year, or whatever, because they asked me some banking-related questions like that that you might see if you're opening a bank account. You know, and, and I didn't mind it, right? And it was a very quick and easy and painless experience. And I'm well banked, so it wasn't that I necessarily needed Current's product or really wanted. And I love, I love it. It's a great product. But something where the experience was joyful, right? And that's something where as, as people are thinking about their front door, the important thing when you're building your infrastructure is to get your front door right. And make sure you have something that can collect that customer's digital fingerprint, right? Have them take their shoes off before they come in and then look at their shoes, see what they've been, right? What are they doing, et cetera. Obviously have a privacy policy when you do that. So you're not creating expectations or exposure, right, for you or for your company. But the, I think front door is really the most important thing and digital fingerprint is the thing that people who haven't worked in this space or haven't had to encounter fraud before, I think forget about. So those are the, the two key magic words I would say folks should invest in as they're thinking about starting infrastructure from scratch.
Hailey Windham
Hailey Windham
69:34
I totally agree. Have no, no other comments. So Matt, I just want to thank you so much for, for coming on the podcast and, and sharing your insights with us. This has truly been such an incredible conversation.
A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
69:48
Hailey, it was so much fun. I hope we get to catch up soon in person and happy to come back anytime.
Hailey Windham
Hailey Windham
69:53
Absolutely. Thank you so much. So I think for our listeners today, you know, one of my big, biggest takeaways is that the evolution of fraud hasn't just been about faster payments or newer technologies. It's been about infrastructure. The systems, vendors, and partnerships that exist today have fundamentally changed how financial institutions build, scale, and secure money movement. You know, for fraud fighters listening, understanding what's happening beneath the surface of modern payments isn't just helpful, it's becoming essential. And you know, to everyone else out there, whether you're building controls, investigating fraud, or designing the next generation of payment experiences, remember that the infrastructure behind the scenes often determines what is possible on the front lines. Stay vigilant, stay informed, and keep moving fraud forward.
View full transcript
Host
Hailey Windham
Hailey Windham
Fraud Forward, Sardine

Guests

A smiling man in a purple shirt holds an arrow-shaped sign that reads "1st DAY at PRIVACY."
Matt Janiga
General Counsel and RIHC at Modern Treasury