So, welcome back everybody to the Saturday Fraud Strategist Podcast. And with me today is Holly Sandberg. Holly is someone I got to know a couple of months ago, and we even had a chance to meet in person in London at the MRC. That was, I think, around April. And Holly, correct me if I'm wrong, you've got like around two decades of experience in trust and safety, as well as payment fraud, mainly on the merchant side, but not only. So I'm super excited to have you on the show. We'll get to the topic in a minute, but maybe before that, for those of the listeners who don't know who you are, maybe you can tell us a bit about yourself.
Sure thing. It's good to be here with you. I think you've just solved a mystery for me actually, which is why I often say I stopped counting at 15, because, oof, to hear it characterized as two decades, you just made me feel old right there.
Yes, I just dated you, I'm sorry.
That's okay. It's okay. I'm embracing it. It's just easier for me to say fifteen plus ish. But yes, entirely on the merchant side. Primarily I've worked in risk, fraud, trust and safety in two-sided marketplaces, also quite a bit in event ticketing previously, so around concerts, live music, sports. Working with professional sports teams, college athletics programs, all of which get hit with some pretty interesting types of fraud, particularly the two-sided marketplace experience. A lot of insight into the way that fraud is evolving. And, like you said, it's been a lot of years, and I fell into it sideways, as most people do, and got the bug, the thrill of the hunt, or whatever you want to call it, and have really loved doing it ever since.
That's awesome. And what are you up to these days?
So I most recently was in a two-sided marketplace, as I mentioned, and doing some consulting work right now, back in event ticketing, before I have a reveal coming up pretty soon about what my next role is going to be.
Sounds both exciting and mysterious. Awesome, Holly. I can't wait to dive into our topic today. But actually, just before that, I've got to tell you about the night I just had. Basically, about a year ago I started running. And, like my stupid self, I injured myself, and I didn't take care of it, and I ignored it, and I let it simmer. Until a few weeks ago, I had enough, and I went to a physical therapist who diagnosed whatever thing in my tendon, my Achilles tendon, in my right leg. And I started going to this physical therapist for these weekly checkups. And I was there yesterday. And just before I left, he asked me, are you putting any cream on it? And I'm like, I don't know what you're talking about. We never talked about the cream. So he gave me a prescription for a cream. I got it, came home, took a shower, and just before settling down, I applied this cream to my leg. And after about like 15 minutes, 20 minutes, I started feeling this tingling sensation. And I kind of said, okay, I didn't expect that, but all right. Gave it two hours, at around 11 p.m. I went to bed. And next thing I know, I wake up at 3 a.m. and my leg is on fire. It's on fire. And I probably put too much of it. And, as I'm trying to wake myself up and figure out what to do, I'm kind of asking Claude what's going on, and basically understood that I need to go and take a shower. And then I understood that I probably put too much on, and I just needed to wash it off.
So here I am at 3 a.m. and I'm taking a shower, and obviously I get back to bed, and I cannot fall asleep. And I think I only fell asleep at around 5 a.m. And the entire point of this story is to basically say, good news, my leg is currently okay, and I didn't have to amputate it or anything. But not all of my faculties are with me today. That's basically the bad news. The good news, though, is that the topic that I wanted us to discuss today is actually a topic that, I don't know about you, it gets me going. I get more than excited, get emotional about it. And that is, in general, vendor selection, or fraud vendor selection, and all the happiness and joy that it brings all the involved parties. So, Holly, somewhere between 15 and 20 years of experience, I'm sure, on the merchant side, you've seen a lot of these processes yourself. So let me start by asking, is there a right fraud vendor? When we're thinking about how to pick the right fraud vendor, is there such a thing?
No. And for podcast purposes, you probably want a lot more words than just no. But rule number one that I think is most important to recognize, and I have to say, I'm as fascinated as your telling that story. My mind was going in a very different direction. I thought you were gonna say you used this stuff and had an epiphany and said, where's this stuff been all my life? I feel like I have a brand new leg. Didn't think it was gonna go to my leg's on fire and maybe imperiled, but I'm glad that you still have it, and that you're doing okay.
Okay. Almost every kind of story about something I think going sideways like that, could for you and I, people who've been around for a long time, somehow, I'm sure we could six degrees of separation our way back to it relating to a vendor story. And there's this huge influx of marketing. Like our industry, so to speak, like risk and fraud and chargebacks particularly, where there's a lot of this happening right now, has been pegged.
By folks looking for exits, and as being an underserved industry. And what's super interesting to me is, with an underserved industry, this might be where I sound like a cranky old lady who's about to say get off my lawn, is that sometimes there's a lot more that goes into assessing vendors because there's this huge influx. There's an influx of venture capital, there's an influx of new players, there's an influx of marketing promises.
That you, me, especially being on the merchant side, and others on the merchant side, have to really consider and really do their due diligence as to what is marketing fluff and what is substance. And that gets that much harder when, you know, when I first started doing this, there were a handful of, I think, what we needed was solution partners and solution providers, and there were very few. Now it's a very different story. There are many. And it makes that much more important to do your due diligence. And part of the due diligence, I think, going back to your original point, needs to be, what do I need? What are the challenges specific to my business? If you speak to someone and you get a referral from someone in a very different line of business, what worked for them and what they said, this is exactly what I needed, might not work for you. So knowing what questions you need to ask, and that has to start at home, so to speak, with really understanding your challenges, your business, your data, your resources in terms of engineering, and I could go on and on. So that's the longer answer to the short two-letter with a period, no. There is no such thing as a perfect vendor.
It's interesting, because just before we went live, we were talking about how you brought up how trust and safety is a term that can mean completely different things for different people. And then I said that, yeah, the same thing can be said about fraud as a term. And what you just said reminded me of that in the sense that sometimes when we get these referrals, we get it from people who really mean well. And maybe both of us think that we're in the same line of business, or that we have the same problem, or that we're looking for the same type of solution, because we're looking for a trust and safety vendor or for a fraud solution. But actually we mean two very completely different things.
Definitely. And that goes back to, where do you need protection? Where are you? What are your pain points? Where are you protected right now? Are you protected at all? That's a big one. I was, in preparing for having this conversation with you, thinking through some things that, as you have a lot more experience, I think some things just get sort of built into the fiber of the way that you think. And the danger is, you might not even think, if you were talking to someone very new who came to you and said, I really could use the advice of someone experienced in this,
You might just have those things so built into your thought processes that you wouldn't even think to call them out to someone who was a beginner. So understanding where you need to be protected, where you are protected now. One thing that, and you and I definitely use the word rant, and a couple of words probably similar to rant, in talking about having this conversation, is the promises that you see from vendors are often, when they've come in where there was no one else previously, which is fine. I think you really need to understand that as the merchant. When someone says, we reduced fraud by 97%, I would bet you good money that in most cases this is a newer company that either had maybe some in-house processes or some manual processes, and probably didn't have, even if it was a solution provider that they weren't crazy about that they knew they needed to move on from,
It's probably still doing something. So going from something to nothing, and I say this frequently with fraud, if reducing fraud when it's, my gosh, stop the bleeding, is kind of easy. Easy's the wrong word for it, the best one I've got right now. So getting from that "it's on fire" to "it's below one percent" is easier, I would say, than getting it down ten basis points once you've already got something in place. So understanding that sort of what is your landscape, current day, of where you are and are not protected in terms of touch points throughout the user journey, anything from account creation.
No, that's such a good call out. Okay, but let me ask you this. I mean, today's market is pretty much commoditized. If I'm buying for a device fingerprinting solution, there are of course a lot of vendors and they are doing pretty much the same thing. If I'm looking for an IDV, or a doc verification solution, there are a lot of solutions offering the same thing. If I'm looking for a fraud platform, then there are plenty of fraud platforms out there that offer rule engine and machine learning models and so on. So supposedly, if all of that is kind of the same, more or less, if we kind of clean out all of the marketing fluff that you mentioned, supposedly, what's the harm? What can go wrong? How? Why does it matter so much, picking the right vendor?
It matters, well, it matters in terms of what you want to accomplish broadly. In general, if it is that big reduction that I talked about, because maybe you've got some real problems, and obviously that's gonna be focus number one. Even if you don't, I would say if you're in that more optimization sort of mode that I just spoke about, where you've got things relatively under control, but you know you can get better performance, better service, better relationship management, better a deeper integration from the technical side. So I think it matters both in terms of the specifics of the product that you're using, but also uptime and reliability and pricing. I've seen certainly people make decisions where they've really, really wanted something and said, I would love to have this, but I don't have the budget. It's a really expensive vendor that I can't work with. So there are always trade-offs. And I think for anyone to assume that there aren't, they may be going down a little bit of a dangerous road. And it's okay to say maybe if two things are very similar, there are lots of businesses who win. What I would question about that is, are they similar at a 30,000 foot view? When you really get down into a granular, into the weeds view, are they still similar? That's where a lot of the work needs to be done, I think, to understand what you're getting yourself into. But if you made a decision and say went with one where you thought it's gonna perform well enough and it's a lot more affordable, certainly lots of businesses have made that call, or a lot of fraud leaders will tell you they had that call made for them, even if it's maybe not the call that they wanted to make. So that speaks to the why it's important and the what can go wrong. You could have fantastic tech and a terrible customer relationship management team. You can have someone who doesn't answer your calls if
You can have someone who says, yep, we're down and we can't tell you exactly why or how quickly we'll be back up. So these are just a couple of the things that come to mind for me immediately, that either I've experienced or in mentoring folks or talking to other folks in the merchant community, you certainly hear horror stories. The things that go wrong will always travel further than the things that go fantastically well. So anybody who's been around has probably heard some of those stories about being throttled by their fraud vendor. That was one that kind of blew my mind, where I won't name names, but it was, you know, you've got too much fraud for us to fight your fraud. That's a very specific example of something that still I can't say without my head exploding. That is the need to really get into the weeds in terms of speaking to other customers of a particular vendor that you're going to work with, and also really making sure that you go through that contract line by line.
By word, by word. And you understand, hopefully nothing ever goes wrong, but you're prepared if something does, and you need to be.
Well, without naming any names, I'm guessing, you've done, you went through several leadership roles on the merchant side. And I would assume that it did occur that when you stepped into one of these roles, you probably inherited a system that was poorly designed, and maybe to a large extent because of a suboptimal, let's call it like that, vendor selection. And I'm wondering, just without kind of analyzing what led to that decision by your predecessors, I wonder what were the implications? Basically, what would that mean for you as a fraud leader, that you need to work with a vendor with a tool that is not fit for purpose? What's the worst that can happen?
It happens a lot. So before I go to what is the worst that can happen, it's important for me, I've been thinking, because we're in conference season, and sometimes I also will get a little bit ranty about conference season, although I see the value in it, and I've gained a lot of insight, a lot of important connections at conferences over the years, but by necessity, they're talking almost about either what is emerging or what is three ticks past emerging. And that used to get on my nerves a bit from a having-inherited-existing-fraud-tools perspective. You're talking about the next big thing, whatever, back in the day it was big data, then it was machine learning, now it's AI. I have to fight the fraud today. But I think I've come to realize that it serves a purpose, that there needs to be something that drives us forward, and having those conversations that get all of that attention and LinkedIn posts and everything that comes with conferences is necessary. Oftentimes in the hallways and the happy hours, I think is where you'll find the, okay, but I have to fight what's happening today, not what's happening a week from now.
So, in terms of having to basically sort of MacGyver your way through what you've got, it's okay, first of all. I used to, and the reason why I started down the conference road, sorry not to go off on a tangent, was when I was brand new to the industry, I would go and see all these people talking about this and assume they all had it, and go home kind of dejected, like, well, I don't have the budget for this, or I couldn't possibly get this on a product roadmap to get this best in class that everyone is talking about. Then I've come to realize that a lot of the people talking about best in class are doing it for that sort of moving us forward as an entire community that fights fraud, rather than that meaning that everyone has the thing that they're talking about. So first and foremost, I think for your listeners who are newer, I have to say
That if you inherited whatever you inherited, if it was some bubble gum and a paper clip and some tinfoil, you've gotta make that work, and that's perfectly okay. I'm gonna pause for one second just to clear my throat.
And I have been in that situation. And you segued me actually nicely into something that I feel like on your last question I forgot to say, which is, black box. I think a whole episode just on the words proprietary and black box, which was my first experience really with comprehensive fraud tooling, which I inherited. And that was before, one thing that I love actually about the sort of AI world that we're in now, is we're talking so much more about explainability, and explainability has always been something that's been important to me, because going back to your what's the worst that can happen, what can go wrong, I have had black box fraud tooling go rogue. And without getting too specific, this was many years ago. You can track back to where I worked at the time, and it was in live events. It was during a major sale event, and it started canceling, I think it got up at its worst to approaching 90% of all orders. And everything here, I think, is this sort of web of associations that ties back not just to the tech and to the capabilities of the tool, but also to the relationship management, because I needed to get a hold of someone immediately who said, how do we turn this off? We'll deal with, if we have to do post order manual review, whatever the case may be, this is what the fire drill really looks like. And when you're dealing with something black box, and there is no explainability factor, and I have to go to my leadership, or I have to go to a partner in this endeavor where things went the wrong way, it's not an acceptable answer for me to say, well, our fraud partner says that's proprietary. I'm gonna get my head absolutely chewed off in that scenario, and someone's gonna tell me to get immediately out of the room and come back with a much better answer than, they say they can't tell us why they rolled over and died when we needed them most.
Absolutely. I'm so with you on that. I must say I really like the fact that you mentioned MacGyver, because I think honestly, I think that is the right word that I was missing all of these years to think about how fraud and risk leaders in general should perceive their role. Because I think I'm totally with you on that. I think that, by definition, you will never have an ideal state. I don't know any fraud leader that would say, yeah, my team is perfect and my stack is perfect and we're on top of things, and there are never fires, and my life is just sweet. Things are always broken and things always need to be patched up. And you never have, I haven't seen it, at least. You never have the privilege to wait for someone to just kind of tie it up in a bow and present a perfectly working, smooth system. You always need to use gum and a paper clip, as you put it. And I think this is so important. And I'm not sure that all the fraud leaders that I've met throughout my career accept that, that this is actually their job. This is not a bad thing. This doesn't reflect bad on you or your organization or your team. That is the job.
It is absolutely the job. And I was thinking, maybe I'll be a smidgen more optimistic than you and say, maybe you achieve perfect, but you achieve perfect for a day, and then the fraudsters figure out what perfect is, and then tomorrow you're right back in it. So you find out very quickly, I think, in this industry, whether you truly love that, and you're along for the ride and up for the ambiguity, and up for the cat and mouse game, whatever you wanna call it. And I think the very best fraud fighters do
That, where people need to learn, and this also ties back to vendor selection, is how good a partner is your vendor in going on that journey with you, and talking about, here's what we have to stop today, but here's what's coming. There are a lot of questions, and I'm sure we'll get to that, in terms of how you ask them, what they're doing to sort of future proof against what's coming next while protecting you for today. But it is okay wherever you're at. It's shocking to me. Maybe not shocking is the wrong word, but I know some very large companies who still have some processes that people would be surprised. I think the me who was at my first MRC with my notebook thinking I was gonna get all the answers would go, this like Fortune 50 definitely isn't still doing things with spreadsheets. They might be. There's a pretty good chance that there's some process somewhere actually where they actually are doing that. So that is, I think, what makes the job lovable for those of us who love it and want to stay in it. It's where people fall out very quickly. And I used to, once upon a time, manage accounting teams, even though I am not an accountant in any way. No one would want to make me one. But it was interesting, and the way that I would phrase it was, when you're in that line of work and you have that mindset, two plus two is always four. In fraud, two plus two might be four today. It might be 17 tomorrow, and you're either gonna love that, or you're gonna hate it. And if you love it, you're going to say, well, I'm backed up against a wall and I've got a paper clip and some chewing gum, and I've got to make it work. Then maybe you should always have one eye on, what would this be like if I actually, or maybe to move away from the MacGyver reference, I would, if I was driving a Toyota Corolla, and you have to think to yourself, well, I have to get somewhere in this Toyota Corolla, some percentage of your mind should be thinking about what it would be like to get there in a Ferrari. But you've got to balance that. What am I working towards versus what am I working with right now?
Yeah. Hey, dreams are always great to have. A man can dream. So tell me, I mean, I'm completely with you. You mentioned the fact that the tech can be very shiny. But one thing that you want to look at is, of course, the kind of service wrapper. The black boxiness, the SLAs, the support, and so on. I also wonder what's your view on the layer that underlines technology, which is data. Because one of the things, for example, that I see is, sometimes organizations would take up a vendor that just doesn't have enough experience in their industry, and is used to manage completely different fraud typologies, or completely different payment methods, or completely different use cases. Maybe fraud is not their main use case. And usually, I don't know why, but they are surprised to see suboptimal results. Let's call it like that. So what's your experience with how to look at the data layer and the experience that the vendor actually has in your industry?
Yeah, and I guess for starting out answering this one, I will say something that's not entirely beating up on the entire vendor community, which is there is a mutual responsibility in the success of these partnerships. And that sometimes gets lost on merchants. If you are putting in a vendor, and I'll get to your sort of the experience of a vendor in a particular vertical in a second, but also, it's not just about, there's a lot of kind of catchy phrases that we talk about. We talk about build versus buy, we talk about build and buy, we talk about layering different solution providers. All of that is really dependent on how well you build it. And a lot of vendors, I think, maybe sometimes shoot themselves in the foot by saying, like, we're a light integration, we're easy, we can be up and running fast. Those are all not to say that those aren't important things and that should be part of your evaluation process. But if given a choice between two more weeks, or a couple more sprints during an integration, and what actually gets built, are we rolling out a minimum viable product for fraud, is always something that gives me some pause. And vendors, I think, sometimes need to push back a little bit more on merchants specifically, and say, we've got the deal signed now. And then say in comes the team that's doing the integration and saying, well, we want to stand it up as quickly as possible. We don't need to send this piece of data. We don't need to send that. We don't need to send something at this particular inflection point in the funnel. Every single one of those things is like, you're starting out with this bright, shiny vision of how great it's going to be, and you're like death by a thousand paper cuts, undermining exactly what that vision is that you've built for yourself along the way. So the data is exceptionally important. What are you sending? When are you sending it? Is it pre-auth, post-auth, is it real time? And a lot of those considerations, the work starts, to me in my mind, when you kick off an implementation, not, okay, we've selected a vendor, and we're gonna wait till we flip the switch and turn that vendor live and everything's gonna be great.
It very seldom, I don't know anyone that it's ever worked out for in that way. So the underlying questions about, how do you understand my business, my vertical, nuances specific to the type of fraud that we get. If you were to take a luxury goods vendor right now versus a subscription streaming service, who's running recurring charges for 15 bucks a month, those things look, that's a material difference in how you fight that fraud, even though all fraud is fraud, and it needs to be a consideration. Not meaning that if you're that luxury goods merchant, you don't talk to that fifteen dollar streaming service. I think you do, but you do it with some caveats and understanding what the business differences are.
Yeah, absolutely. I love it. I mean, I don't love it, I hate it. All of that really reminds me of the times that I was a vendor, and I saw firsthand exactly that dynamic that you just described. And it was always so frustrating. And by the way, I always beat myself up because I was the enabler of this behavior. I always say, no problem, no problem, no worries, just do the most basic integration and we'll take care of the rest. And you find out, like six months down the line, that you're missing some labels, or the labels are not coming in time, and it screws up the entire model training process. And now go explain that to the client. So yeah, I know that I'm gonna have some nightmares tonight. So yeah, definitely with you on that. So okay. So you definitely want to pick the right fraud vendor. I hope no one is surprised by this conclusion at the halftime of this conversation. But why do you think, what are the most common reasons that you've encountered for teams or fraud leaders to pick a suboptimal vendor? And you mentioned pricing, and yeah, pricing is always a good excuse. But what else, what are other pitfalls, or what other considerations would you highlight for our audience to be more aware of when they're going through these processes?
Pricing is definitely a factor, and one that you probably, if you got a lot of fraud folks in the room, they'd have a lot of opinions about. In terms of other areas to think about, I think oftentimes vendors come to fraud leaders, maybe, they're not, the fraud leader is not the initiator of the conversation with a particular vendor. Maybe that particular vendor has very aggressive salespeople who will reach out directly to your C-suite, and that filters its way down to you, and you find yourself as the fraud person having a conversation about something you're pretty sure right off the bat that you don't want. And I have to tell a story here that I think hopefully will do someone some good. A CEO of one of the companies that I've worked for, who is a super smart, fantastic leader, one of the best folks that I've ever worked with, passed along to me, And this was when I was relatively more senior, and I think I fielded it in a very different way than I would have once upon a time. Sent me an email and said, hey Holly, met with X, they're interested in talking to us about their fraud solutions. Do with this what you will. The fifteen-years-ago me would have freaked out and said, my gosh, the CEO definitely wants us to work with this person. This is probably their, I don't know, their best friend from college, their startup, or whatever the case may be. They definitely want it, I'm feeling this pressure. Now I want to have a good relationship with my leadership. I want to do what they want me to do. And I probably would have leaned more into working with that vendor, and in this instance, it was someone I don't have a particularly great opinion of. And come to find out afterwards, and, to his credit, he just said, I'm just passing this along, have the, you know, it's your decision to make, have the conversation, and I understand. I will never ever take that for granted, because I know a lot of leaders who've not been in that position, where they've just had their fate dictated to them, and then they had to make it work, going back to what we talked about before. What I found out later, which still cracks me up to this day, is this referral came because our CEO had stayed at an Airbnb that was owned by the cousin of someone who works at this vendor. He did not care at all. He literally, he meant it truly when he said, Holly, I don't care what you do with this, it's your decision. I'm just forwarding the email. But
Had I not said, I have some reservations about them, and really took him at face value in saying, like, I am not pressuring you in any way, and imagined pressure where there was none, I would never have thought, I could never have predicted that the way that referral came to be was because he happened to be standing outside near a koi pond on a Tuesday and struck up a conversation with someone and said, yeah, I can make an introduction. That's one thing I think also to think about, is how these conversations happen. Did you go out for a formal RFP? Did you go out for a more structured process to evaluate vendors? Are you kicking tires? Are you visiting booths at a conference? How did the conversation come to be, is also a part of how these things sometimes tend to happen, and can also go wrong. Pricing, I think, and the biggest one, going back to other sort of bullet points on an answer to your question, I would say the other big one besides cost, probably, is integration speed. And when you get other teams involved, those would be the big two that I hear the most stories from other merchants About. It's in terms of, they're not just pitching to you as the fraud leader when they come in and talk to you about their solutions. They're also talking to your engineering team, who have different priorities. They're talking to your product team, who have different priorities. Maybe they're talking to your finance team, who's thinking mostly about cost. Your engineering team is thinking mostly about how much work do we have to delay to do the work, or how do we slot this into a roadmap, so to speak. So it gets pretty nuanced pretty quickly, as far as the reasons why those decisions are made. And I think your job, if for those who are listening who are leaders in fraud, is to stick to your guns to some extent, really, and going back to the two-way street also, when you're in those, let's say you've made a vendor selection, you're now in integration, you've got the project management team from whichever vendor you've selected on a call with your technical team, as you're working through the integration, what data we're gonna send, how are we going to set this up. Oftentimes you're in the door already, right? You've closed the deal. The fraud team is rooting for you as the vendor to say, don't do that, that's dumb. Maybe not that way. You really don't want to make that trade-off. And I think sometimes not all solution providers will do that. They just go into
You know, yes man mode, and just say, okay, if that's the way that you want to integrate it, we'll work with that, we'll work with that. And between the fraud leadership and the people who work for the company who know fraud best, and the solution provider who's been selected who knows their product best, I think there's a real responsibility to speak up and say, you could do that, but I have to really strongly advise you against it, because it's gonna undercut the performance of the partnership.
Yeah. It's interesting, because my experience is that in a lot of organizations, the real buyer, meaning the function that in the end would approve the budget, is many times not the fraud team or the fraud leader themselves. And while the vendor believes the fraud team is the buyer, they are actually the champion. They are the, you definitely want to convince them so they would recommend you. But they are actually usually more a champion in the organization. Once they chose you, they really want you to succeed. And I think a lot of vendors don't understand that, and continue to try to prove their worth to the wrong party.
Agree. And that champion really, really wants an ally, which is, I think, at that point in the process, what you need to be if you're on the solution provider side. Understanding that there will still always be trade-offs, but to not just go, uh-huh, okay, okay, okay, and not push back on anything. Sometimes I think the very best working partnerships that I've had with vendors have been when there's some serious pushback, as there should be. I'm at the table because I understand the business that I work for, and the nuances, and what we need, and how our sales process, our checkout process works, how all of those different things. You, as the vendor, I think, are on the other side of the table because I can come to you and hopefully accurately depict to you what I need, and what I have available to give to you in terms of resources, to get the best use out of your product. You're at the table because you know the best way to use your product to get to the destination that I'm telling you that I need to get to. And I want you to tell me if I'm about to turn off on some dirt road full of potholes that's gonna leave me stranded.
That is so true. It is so true. I agree. And if there are any vendors listening, I don't know how much vendors realize that doing exactly what you just described, how much trust it instills into the buyer. And whenever, instead of trying to satisfy and please, you actually provide guidance, and you provide, let's say, not red flags but warning signs, this is something that would position you exactly as you kind of said, this would position you as an ally rather than, you know, a salesperson or kind of a sales function. Yeah, definitely. One hundred percent agree. Okay. So any more pitfalls, common pitfalls that we should know about?
I think, I'm still amazed at how many stories get back to me of folks not doing their due diligence, putting aside everything you and I just talked about, is the fraud leader truly the decision maker? Are they a decision influencer rather than a decision maker, which there's a big distinction between the two. There are still a lot of people who, there are vendors that I see who spend, and this is changing quite a bit with AI, but who spent a lot of money on SEO. And you're a newer leader who's just been sort of put in charge of the risk function, say at a company that you work for, and you've got a chargeback problem, for instance. And so the very first thing you do, you're sitting there alone in a room with no one else to talk to, you're gonna do some searching on the internet. You're gonna come across maybe a vendor who's put a lot of money into the impression that you have of them in that moment. And that's fine. Nobody ever started out on a journey towards vendor selection and didn't do some Googling. I'm not saying I'm against that. What I would say, where I've seen it go wrong, is where it stops there.
And understanding, and I sometimes feel like I come across a bit too harshly to folks on the solution provider side, and I don't mean to. There are some I have a tremendous amount of respect for, and I think really know their stuff and really do their jobs exceptionally well. But these are people who are in sales positions, whose job is to tell you that they're gonna solve your problems, and it's on you to do more than go beyond glossy marketing. Or go beyond hearing things anecdotally from people. I would say it's important to talk to other merchants, but also to maybe ask some questions of the impressions that they're giving you. If they say, X is terrible, don't work with them, well why? Do you have direct experience with them? Did you hear about it third hand from someone's dog groomer's mailman's cousin who said they're terrible? So there's a weighting of the information that you get, and there's a journey, I think, that you need to go on and trying to get that information, both the specs and the technical information about what a potential partner can and cannot do, but also how they manage their relationships, how are they transparent?
At 11 o'clock Friday night. So I've definitely seen both the good and the bad of that. So leaning too much into, or not doing more digging, I would say, against those marketing claims, however you come across them, whether it's by word of mouth, whether it's by Google search, whether it's by someone schmoozing you at a conference and taking you out for a nice dinner or inviting you to a party. I still see a lot of people who say, I made the decision because I really liked that guy. And at the end of the day, if it goes badly, that's not an acceptable answer. And I think you should have some understanding of your responsibility as a leader, that you championed a particular selection. You own that if it goes really well, you also own it if it doesn't.
That is so true. Yeah, I think distinguishing between what is marketing fluff, as you put it earlier, and what claims can be backed up by real experience, real results, that is definitely an important part. So I was just about to say an important part of the process. So okay, there are all of these pitfalls. We heard all of these horror stories. By the way, I must say, I've seen, in my career, as a buyer, as a seller, and as a consultant, I've seen a lot of vendor procurement processes. And honestly, when I was thinking about it, before recording this episode, I honestly think that most of them went bad. Like I would say at least 50%, the buyer wasn't happy. And maybe it took two months, and maybe it took two years, but I think most deals, in my experience, don't, and they don't hold for many times. I see very little cases where teams are happy with their vendors three, four, five years in a row. So, as Claude says, the pain is real. So what is the right way to do that, and how can we mitigate the risk that we will choose the wrong vendor? What's your playbook? What's the process that you run when you go into such a process? And obviously, I know it's a difficult question, procuring a new IDV provider versus a new fraud platform, It's completely different processes. And there are a lot of different, whether these are the specific questions or the dimensions that you look at, but still, high level, how should we go about it?
It's a lot more challenging than it used to be, first of all. And this is, we've now arrived at the portion of the conversation where we're required to say AI every 15th word. And it was difficult before that. It's so much more difficult now, I think, with the speed with which things are going. So I use the term future-proofing quite a bit, and I think the best way to go about it, probably, is to pull your stakeholders together internally to have those conversations in advance. Prepare them for the moment where you're gonna arrive at an intersection where there's a trade-off, it'll take an extra sprint if we send the data at this point. And if we send these additional pieces of data, or if we choose one model over the next, if you're dealing with a vendor who's actually got kind of multiple options for what would be best for you, and you're considering both the quality of that solution, probably you're considering cost, you're considering a lot of things. Everyone is invested, maybe they have different priorities and different reasons entirely, sort of in-house on the merchant side. Have those conversations before you're in integration. Even before you've selected a vendor, if you've got really good partners within the business, if you don't, go out and make it happen that you get really good partners within the business, so that everyone sort of understands, we want to set this up for success as much as possible. Have as many of those conversations before something goes wrong. I used to have a team, and this is with a vendor that we had particularly really good experience with in a very strong partnership. One of the rarities that's different from what you're talking about, and we would get on recurring calls with them every once in a while. And sometimes there was nothing to talk about. And we just get on and say, hey, how was your kids' softball game, or how was your trip to Aruba? Or this is the concert that I went to last weekend, or, you know, I'm a football fanatic, so inevitably I feel like I end up talking
About football with anyone who was willing to talk football with me. So there'd be some talk about the horrible performance of the offensive line in last weekend's game, whatever the case may be. But there's nothing of substance, so to speak, to talk about on that call. And I had a member of my team ask, why don't we just cancel those? Rather than what we would often do is get on them and say, okay, say it's a 30 minute call, and we'd go, okay, we're giving you back 15 minutes. But I would always say, no, we don't cancel those, because it's important to have the relationship, so that when something goes wrong, I am not a net new entity to the person that I'm dealing with when I need to handle the challenge of what is suboptimal that I need to fix. And the same thing for them, going back towards me. We have an existing relationship. We're not strangers to each other.
Yeah. And something will go wrong, right? It's just a matter of time.
Yes. It will. And learn to feel comfortable saying that. I think that's another thing that I've learned over time, is so many people are just afraid that it reflects on them if they talk about that reality in the moment, and what you and I are saying is what the reality is. I think you position yourself better as a leader, both to your team, to your leadership within your company, in your vendor partnerships, just sort of holistically all around, if you're having pragmatic conversations about the reality, and not fantasy conversations about ideal things that are just never going to be the reality.
Absolutely. Okay, so first step in the process is, get your in-house stakeholders ready, aligned, prepared for this. Okay, so I've done that. What's next?
I think aligned and prepared then leads into really good, robust documentation, which can sound like not the sexiest, most exciting thing, but that is maybe a part of the first step that you were talking about, or the logical next step, is you need to have a structured process around this entirely. If you feel as if you're a passenger on a bus, so to speak, and you're not driving.
Yeah, I fully agree, and it's interesting because I think the details, almost, I think the details matter ten percent when you compare it to just having that structured process that lets you first of all own the decision, of course, and B, also make sure that the decision that you make is clean and isn't easily influenced by the cousin of the Airbnb owner where your CEO stayed. This is exactly the way, this is exactly not the way to solve, but at least to mitigate the risk of external influence. One hundred percent. So I got my ducks in a row, I got some sort of an RFI, RFP process that I'm ready to go about. And what's then? Do I just call the first five vendors that I find on Google? Or what else do I wanna make sure that I'm ticking before I make a decision?
There are considerations, and they're not considerations that everyone can make. Do you have the wherewithal, the ability to do a head-to-head POC? Not every merchant can. That's the reality of it. But I think that's the best possible scenario, if you've got the resources, both in terms of engineering resources, technical resources, and the time. You might have the resources in one respect, but you don't have the luxury of time to be able to do a POC. Sometimes that's also the reality of it, is there's an ideal way to do something, and then there's the moment where the ideal way to do it clashes with the reality of what the need is today. And you've got to make, if those trade-offs were easy, everybody in the world would be doing this job and wouldn't have as many horror stories to tell about it. Understanding sort of what your capabilities are. If you can do a head-to-head POC, wonderful. Do it if you can. If not, then the due diligence that I've talked about quite a bit throughout this conversation becomes that much more important, because you're rolling the dice to some extent, and you need to make that as much of an informed bet as you possibly can before you make that selection. And then I think the next step that follows, obviously, is your
Gonna, you're gonna go into contract negotiations. And if you've ever needed to be a stickler for details in your life, that is the moment when you need to find your inner extremely type A vibe and apply it with all your might to that contract process, because the devil is really in the details.
Double click on that, because I think this is interesting. I think it also goes to the point that you highlighted back at the beginning of the conversation, where many times we are obsessed with the technology, and this is kind of what we're testing in the POC stage. But what gets neglected many times is kind of the servicing wrapper. And I'm guessing that this is what you refer to when you're talking about contracts.
It is. And oftentimes, and this is I think a relatively new development in the industry, that a lot of vendors have a model where they make particular promises around performance, or around guarantees, around coverage if they get it wrong. The fine print on that, and that also speaks to stories that merchants tell each other at happy hours of conferences, is well, they say that if they approve an order that turns out to be fraud, they'll pay for it. But there's
There's a whenever there's a "but," or a "however," or "in case of," that's where, you know, previously you've leaned into your technical relationships internally, this is where you really need to lean into hopefully your good relationship with legal. And the way that I would look at any of those promises, SLAs, uptime, what are our potential payments if that SLA is not met, or potential redress if that SLA is not met, those are all important things. And the way to approach it, I think, and this is an area actually where our generative AI friends can help us quite a bit, is how would you attack this? How would you, if there was a lot of fraud getting through, let's say you're dealing with a vendor who's making specific promises around a pegged reduction in fraud rate, and that fraud rate is not happening. What is the recourse? And you can run sort of hypothetical scenarios now with a considerable bit of speed. I would not recommend doing this solely with AI. This is an area where AI is a booster and an assist and an amplifier, but not the whole ball game, but can lead to maybe some better informed conversations with legal around, if this went wrong. We always say, hopefully it doesn't, but if it does, and you have to have that "if" conversation, I think that's your job in a nutshell. If you're on the merchant side and you're making a decision like this, how would they come back and say, actually, we don't have to honor that? Or, sure, it says that we'll do this if we don't do that, but it's dependent on you running 3DS on transactions, or it's dependent on you having protection upstream that maybe you don't have. So I think it's
Incumbent on you, when you're in that part of the process, to go looking for the gotchas. And the best way that I found to do that is to kind of attack it almost like an incident planning scenario, so that you're prepared, and you maybe still go down the road, you don't walk away from that partnership with that vendor, but you probably come away with some red lines in that contract. And it will tell you a lot if they push back on them, or if they go, okay, yeah, that makes sense, we'll accept those and we'll incorporate them into the agreement. I would argue that the way a vendor responds to that will tell me a lot about what your future performance and your future relationship with that vendor is going to be like.
That is excellent. I really love it. It's so good. I must say that, for those listeners who don't have experience with these kinds of models, I will just highlight the fact that this can also be huge in terms of financial repercussions. These are not just nice to have. These are really, really good points around contract negotiations. Awesome. Cool. Holly, wow, we covered so much. So let me see if I can kind of summarize the takeaways that I got throughout our conversation. So let's start with, answering the question, is there a right fraud vendor? The answer is no. Enough said. I think also, before we deep dive into the why don't we have a right fraud vendor, and what's the process about finding out and deciding on the one that is right for you, we also talked about the fact that there are two different worlds that you want to consider, and also to consider in which world you are currently living. The world of zero to one, everything is currently burning, and anything, or at least most of what you are going to do, will probably be very, very helpful. Versus kind of business as usual optimization mode, where you're trying to go from the 95th percentile to the 99th percentile. And that is, as you say, much harder, requires much more effort, and also might impact how you think about things and how you think about your vendor decisions. Another point that we covered before we got into vendor selection, is also internal expectation management. And we talked about the MacGyver mode, or as you said, you need to MacGyver it sometimes, and with which I fully agree. And I think that fraud leaders, in my mind, I
For whatever reason, I thought a lot about it in the past few weeks. Fraud leaders are measured by their ability to make decisions without data, without the privilege of having data. We always talk about the fact that we want to make data-driven decisions. And yes, obviously we want to opt for that. And fraud leaders need to be very good at making data-driven decisions, how to get the data and so on. But also, fraud leaders are measured by their ability to make bold decisions when the shit hits the fan. And this MacGyver mode, both being able to decide as well as being able to execute with whatever you have on the table right now, that is so important. And I think this is truly, if there's one thing that I would impart on a fraud leader in terms of what would make you successful, it is that. Fully agree with that. Really like that call out. Vendor selection. So we talked, super high level, about the pitfalls. We talked about the fact that it's very easy to get attracted to shiny technology, but actually we also need to consider the servicing around it. And we just talked about it's both the SLAs, how fast would the vendor react when something goes wrong? How do they react when something goes wrong? Can they explain their decisions on an individual level? In general, the black boxiness of the thing. Tech isn't everything. It's many times what the vendor would put at the front, in their marketing and sales pitches. But it's definitely not everything, at least not in our space. We also talked about the fact that, I liked how you framed that success is a mutual effort. And it is up to the fraud leader and their organization to make sure that this is a success,
Or a successful kind of relationship, as much as it is on the vendor to do so. And I think you kind of really hit the nail on the head when you said the decision is actually the easy part. The hard part is what happens from the moment that you've made a decision, and you basically go into implementation mode. The fact of how you implement the decision is probably going to be as influential, if not more influential, than your vendor decision on your performance at the end.
Yeah, no worries. I continued. It should be completely fine.
Okay. I figured you were, so I was trying to keep my face neutral as if I was still listening to you talking. I was nodding, going mm-hmm.
Yeah, yeah. Good. Sorry about that. Let me see where I start. Integration. Okay. Yeah. You also mentioned the fact that in the end, there's a lot of homework to do, and especially nowadays when the space is very competitive and very crowded, it's
Hard part, I think, yeah, we should try to make the decision.
Sometimes it can take quite a lot of digging to bypass all the marketing and sales materials, claims, and promises that are being thrown around, and to actually get to real established results. That is not easy. And whether these results are relevant to you and to your case. And we also mentioned that one other factor that, of course, is always there when it comes to what sinks ships, what makes organizations pick the wrong fraud vendors, is pricing. Which is, again, as Claude said, an uncomfortable truth, but it is also something that is a bit, I think, hard to manage. And maybe my only tip here would be to fraud leaders, is also to try and see whether you can, especially if you have concerns about the budget of your first pick, also to have a second runner-up that is cheaper, and you don't need to position it like that, definitely not to your leadership, because then it's very clear what they would choose. But at least for you, It's very, very clear what happens if your budget is not approved, what is your fallback plan. And finally, we got to the playbook, how do you actually make sure that, as much as you can, you clean out all of the biases and mitigate all of the pitfalls that we just talked about? So you talked about four stages. The first one, which I love, is actually before you even start. Get your ducks in a row. And this can mean a lot of different things, and really depends contextually about who's the stakeholders that you need with you in order for this effort, for this integration, to succeed. And sometimes it can be that you would need to provide a very convincing business case for finance to approve. Sometimes it would be to talk in advance with engineering or with product,
And making sure that you have an alignment about how many resources you actually get for integration and testing and pre-testing and so on, and when you get these resources. So you can also plan your process, basically, so you don't get into the situation that you described, that sometimes you basically need to choose between how do I spend my engineering resources, do I do a POC or do I actually do the integration. And sometimes that's a very hard decision to make. And obviously, it's very clear what you would choose, and that puts you at risk, not having a POC. Second stage is basically to run through your RFI, RFP process. And I think this is also my experience, more important than which questions you ask and what boxes the vendors need to tick, It's just the fact that you have a solid grasp of what is the process, what are the different stages, and what do you check in each stage. And that helps with the cases of all sorts of vendors coming through the woodwork. And I've seen many cases where you have mutual investors, or the CEO is a friend of a board member, and as you said, it's sometimes very, very hard to avoid a lot of bias here in these processes. So having a structured, documented process is important. Testing, of course, make sure this is so important, that you are able to, let's say, validate some of the claims, some of the promises, through a POC before you commit. I hope that's a very clear point where I don't need to elaborate more than that. And finally, contract, and especially this is less about pricing and more about SLAs, and even more specifically about the SLAs when it comes to services where you get specific guarantees and specific kind of performance goals that are being promised.
And here I think I really loved your advice about, to an extent, war-gaming it, and kind of coming up with worst case scenarios, and trying to understand what those scenarios would mean to your business and how you can protect yourself, and also to raise these as questions to the vendor. And I fully agree. I've never done that, by the way, but I'm sure that this would probably reveal a lot about the experience that these vendors have and how they react to worst case scenarios. Better to find it out before you sign a contract. Awesome, Holly. I think it was a respectable discussion. I don't think it was a very hidden rant. I'm very proud of us too. I think when we had our couple of prep calls, I think I was concerned that it would be more heated than that, but we managed to keep it civil. But more than that, I thank you, because I think there are so many takeaways that our listeners can take with them, and hopefully make better decisions the next time that they would need to choose a new fraud vendor, which is unfortunately probably sooner than they are thinking at the moment. Holly, thank you very much. It was a pleasure having you on the show.
Thank you. It was fun. It wasn't, it was a lot of fun. I'm glad you're doing this.
Awesome. Glad to hear it. Thank you very much, folks, for joining us on this episode, and I will see you next Saturday.