The Saturday Fraud Strategist

Real-Time Fraud Prevention: Zero to Hero w/ Matt Vega

72 min

This episode is a bit of a full-circle moment.

Years ago, Matt Vega interviewed me on one of my first podcast appearances. And now, somehow, here we are, roles reversed, with Matt joining me for the first full interview episode of The Saturday Fraud Strategist.

Honestly, not a bad way to start.

In this episode, Matt and I talk about what it actually takes to build real-time fraud prevention from zero. Not the polished vendor version. The real version. The one with hiring decisions, messy processes, fragile fraud prevention tech stacks, disconnected vendors, and systems that look impressive right up until they break.

Not a good look.

While real-time fraud detection sounds like a technology problem, the conversation goes deeper. We talk about people, process, product, real-time fraud monitoring, tactical friction, fraud prevention guardrails, AI readiness, and why teams need to move upstream before the money is gone.

Because once the payment moves, especially in real-time transaction monitoring or real-time payment environments, you are not preventing fraud anymore. You are documenting the damage.

What you’ll hear in this episode:

  • A breakdown of Matt Vega’s people, process, and product framework for real-time fraud prevention
  • A practical discussion of how to build a fraud prevention strategy from zero
  • Insight into hiring for curiosity, trust, flexibility, and actual problem-solving ability
  • A conversation about reactive vs proactive fraud prevention in real-time payment environments
  • A focused look at upstream fraud detection, tactical friction, and why friction done right can increase trust
  • Practical considerations for building a fraud prevention tech stack where vendors, signals, and workflows actually communicate
  • A discussion of AI fraud prevention, machine learning fraud detection, and agentic AI in fraud prevention

Listeners can expect a conversation that moves from theory to operating reality, and from operating reality to practical decisions fraud teams can actually use.

Who should listen:

  • Fraud leaders and fraud professionals
  • Risk, compliance, and cybersecurity teams
  • Fintech, banking, and payments teams
  • Product leaders building real-time payment experiences
  • Fraud operations teams moving from manual review to automation
  • Founders, operators, and executives building fraud prevention programs from scratch

  • Anyone evaluating fraud detection rules, behavioral biometrics, device intelligence, KYC fraud prevention, account takeover prevention, or the best fraud prevention tools for their stack

The discussion is designed for professionals who are committed not only to detecting fraud, but to building systems that can scale without becoming fragile.

Episode notes:

This interview with Matt Vega gets into what real-time fraud prevention actually requires when payments move fast, fraud teams are under pressure, and the old “wait for the escalation” model is already too late.

We talk about why upstream fraud detection matters, how real-time fraud monitoring and real-time transaction monitoring change the fraud investigation process, and why tactical friction can build trust when it’s done right.

Matt also gets into the uncomfortable stuff: reactive vs proactive fraud prevention, hiring for curiosity instead of résumé theater, and why a fraud prevention rules engine can still beat a shiny machine learning fraud detection setup when the basics are broken.

Honestly, not everything needs to be AI. Strange, I know.

We also touch on AI fraud prevention, agentic AI in fraud prevention, fraud prevention guardrails, fraud risk management, payment risk management, and how signals like behavioral biometrics, device intelligence, KYC fraud prevention, and account takeover prevention fit into a practical fraud prevention strategy.

Key takeaway:

The short version? The best fraud prevention tools do not matter much if your fraud prevention vendor strategy creates a stack that cannot communicate. Real-time fraud prevention is about building systems that act before the loss, support the people making the decisions, and scale without collapsing under their own complexity.

Am I being too optimistic? Probably. But that’s the conversation.

Episode transcript
Chen Zamir
00:09
All right, what's up, everybody? And welcome to the first full interview episode of The Saturday Fraud Strategist. And I'm super excited to have a very special guest dear to my heart, Chief Fraud Strategist and Chief of Staff to the CEO at Sardine, the man, the legend, Mr. Matt Vega. Matt, it's super great to have you on the show.
Matt Vega
00:36
Always a pleasure, man. Super, super excited to be here. I really appreciate it.
Chen Zamir
00:41
No, that's awesome. And I know, I don't know if you are aware, but this, I am having a bit of a closure moment here, because I think my first ever podcast, if you remember that, my first ever podcast I appeared, you were the host. So here we are probably like six or seven years later, and switched roles.
Matt Vega
00:58
I totally forgot about that. But yeah, that was seven years ago, and I tell you, that was actually a great podcast. We got tons of views. I think we had like 10,000 downloads on that podcast. We pumped on that, to be completely honest.
Chen Zamir
01:12
I don't even remember what we talked about. It was probably machine learning. We probably called it AI.
Matt Vega
01:19
It was. The most funny, like the best clip of my podcast ever was actually a statement that you made, and like everyone was commenting on it. And basically, we were arguing about how companies were using Equifax data to train models. And you came back, and you were like, “Dude, I can just go in the dark web and train a model for you off the Equifax data, because it had all been breached.” And that one crushed. It was so funny. The way that you said it, like the comeback was so good, was so good.
Chen Zamir
01:51
That's great. A comeback. I have no recollection.
Chen Zamir
01:59
Yeah, great having you on the show. For those listeners that don't know who you are, maybe you can tell us a bit about yourself.
Matt Vega
02:07
Sure. Yeah. So I have been in the industry for about 17 years. Started off in e-com, primarily by accident. Got a job as an executive assistant, basically, literally started off by accident. But, you know, literally, it's like one of those things where you take a job, but you don't really know what you're getting into. So I fell into fraud. And then I went into military intelligence doing SIGINT cyber DNI, digital network intelligence. Worked with some three-letter agencies, which was a blast. And then I spent many, many years since then, either usually three primary pillars that I usually get brought in. One, it's a new startup, usually a high-risk startup, and I have to build everything, right? Build the tech stack, the team, the operation, the processes, everything. I have to build it from zero to 10. Two, they've had major fraud losses, and they need me to come in and basically rebuild their system, right? Their tech stack, their people, their operation, because whatever they implemented is just not working. Or the latter, which actually happens more often than not, they took some significant losses, they overcorrected, and now their revenue has taken a significant impact, right? And so my job is to actually come in and unwind everything that they've done. So those are really, I would say, the primary, I would say like, you know, the last 10 to 15 years of my career has been in that area. I've worked with a ton of different companies. I've launched Major League Baseball’s sports and collectibles platform as their head of fraud risk, building out from zero to 10, like we talked about. I got to work with the Fanatics and Topps team, which was awesome. I launched SOR Technologies’ fraud team. Worked with Instacart during the pandemic to do what I was telling you about. They had 1,000% growth, but they had 1,000% fraud during the pandemic. From BlueSnap Payments and working with the FTC, which was an interesting story. 
And then all the way through to Novo Business Banking and building out their entire tech stack and process. And then I was Sardine’s first customer. So that's why I know the Sardine team. When they went to market, I basically worked with Suhas to kind of launch the technology, become a design partner. So a lot of Sardine’s products are kind of near and dear to my heart, because, you know, I was the direct feedback mechanism to improve those products year over year. And so, yeah, that leads me to today.
Chen Zamir
04:21
That is awesome. That is such a journey. I'm sure that you have a lot of very interesting stories to follow. And I think also, Matt, that you're the perfect person to speak to about today's topic, which is real-time fraud prevention. And we titled this topic as like zero to hero. Basically, what do you need to do from, you know, like having nothing in place to, you know, basically crushing it. And, you know, I want to kind of like share how we came about this topic. And I think it was about a month ago or so, where we were both participating in this webinar where we shared our latest report for a minute, and we were kind of like, you know, rushing through the slides and through the talking points, and we had a lot to cover. And I think we really came down to the wire, right? We meant it to be like 45 minutes and 15 minutes of questions. I think we ended up talking about 58 minutes.
Matt Vega
05:30
Yeah.
Chen Zamir
05:31
And covering a lot of different points, like deepfakes and distributed autonomous campaigns and polymorphic attacks and so on. And then in these last two minutes, there was this guy, and I completely don't remember who it was, so if you're listening, I apologize in advance. And they were, you know, coming up with this question. And I think it was something along the lines of, you know, but you keep talking about real-time fraud detection and fraud prevention, but what does that actually mean? I mean, I already got the chargeback, so how can I do something with it in real time? And I remember that the first thing that was going through my mind at that point was like, what are you talking about? I've been doing it for 16 years now. It's always been real time. I'm not the first person to introduce this concept. So like, where is this coming from? And I was almost starting to kind of like give my answer, which was like, what are you talking about? And luckily, luckily, you started. You kind of like cut in and started giving your answer. And I don't remember exactly what it was. I just remember it was like very, very generous. Just after we finished the webinar, and you know, for me, it was already clear that you were gonna be my first guest. And I said, this is what we need to do, like the zero to hero. How do you go about real-time fraud prevention? And you're the perfect show.
Matt Vega
06:56
Yeah. Appreciate it. This will be fun.
Chen Zamir
06:58
Absolutely. So maybe to kick things off, let me ask you this, like, you know, when you're thinking about your mental model, and you know, you did it a couple of times, right? You were starting from nothing in a new place. How do you go about it?
Matt Vega
07:13
Yeah, so I've had many, many, many lessons learned over the years. And let me say that in order to get to where I am today, I had to fail many times, right? And as fraud fighters and leaders in the industry, you really, like to be a leader, it just means you failed a lot of times, honestly, right? And I have yet to meet anyone that builds a high-performance team without having tons of lessons learned and tons of failures to get to that point. And so luckily, you know, the key is, did you learn from it? And are you able to prevent those landmines from being stepped on again in the future, right? And so that's something that you acquire over the course of a long career. So I would say the first piece, you know, from a mental model standpoint, is I have seen the highest-performing teams that I have come across, and I'm talking best in the industry, best in class, it comes down to simplicity, as crazy as that sounds. So a lot of leaders really lean into, it's almost like because fraud is so complex, and because the attack vectors are so complex these days, they lean into this highly sophisticated tech stack and highly sophisticated operation, just like tons of process and tons of nuance and tons of deep dive. And I have found that to fail almost every time. Eventually, those will start, like they just unweave, right? And things get missed, and that process is extremely hard to follow, right? And there's just so much nuance. And so really, what it comes down to is like old-school business techniques, like the three P’s, right? People, process, product. And focusing on those three pillars is critical to building your foundation, right? And if you have those simple fundamentals, right, you can't build a house on sand, right? So if you have really shaky ground, right, and you have all these weird processes, you have a bunch of bureaucracy, you have a bunch of approvals, right, it's just going to fail. 
I guarantee you, as you start scaling, you're going to have problems every single time. Like, you know, in the military we say, keep it simple, stupid, right? And you really have to do that. And at the end of the day, the more core foundation that you can build around the simplicity and, call it elegance, of your process and product, the more likely you're going to be to succeed. Because as you go throughout your process of building and scaling, you're going to have to add in new technologies. There are going to be those arguments where you're going to have to change the user journey, and you're going to have to put in step-ups and all these things. And if you already have a really complex process underneath that, you're just adding more complexity and more layers on top, and you're going to fail. But if you have a really simple, elegant process, product team underneath that, then every time you add to it, it's really not a big deal because you've built it on a very strong foundation, if that makes sense. So that's kind of like my initial zero-level mental model.
Chen Zamir
10:14
Super interesting. And I must say that, you know, I very much relate. And it reminds me that I also always say, it's always about the basics, and you always need to go back to basics. That's the only thing that should be interesting, or the only thing that you need to focus on as a fraud leader. I do wonder if, you know, over the past, let's say decade or so, where we've seen a lot of, let's say, trends, and also a lot of development on the fraud side, I do wonder if this simplicity looks different than how it looked 10 years ago, or is it virtually the same things?
Matt Vega
10:52
No, I think it's different. I think the people are the same. That definitely has not changed, right? And I can kind of give you some examples of those three P’s, right, of how I see it. So on the people side, you want to surround yourself with, you want to focus on two key areas, right? One, you want to get rid of your ego and know that you're not an expert in everything. It just doesn't exist. Anyone that says they're an expert in everything, I start scratching my head, because I guarantee you I could find gaps in their knowledge base, right? So because of that, you want to surround yourself with people that can fill your weaknesses, right? So you may be really strong operationally, but you may not be really strong from a data perspective, or vice versa, right? So as you're building your initial team, you want to surround yourself with people that really supplement your skill set very well, right? Not to mention, you want to find people that you can trust, even at the analyst level, even at the junior level. You want to find people that you can trust, that you can rely on, that are going to make good decisions even when you're not there, right? That's the key. And because if you're one of those leaders that, like, doesn't trust your team or your people, what ends up happening is you end up doing 10x more work, and you just can't scale that, right? And it's like, you know, I've heard people say trust but verify everything, right? And it's like, well, that's great, but like you're leading a team of 50, good luck with that, right? There's just no way to do that, right, as you start scaling and building up bigger teams. So, you know, I can give you an example, like my hiring practice. What I look for is, I look for curiosity above all else. Okay, so at the junior level, especially, right? So I'll give you an example, like I will hire a kid that is asking me a lot of questions and shows curiosity. 
And like, one of the other data points that I use is, like, video gamers tend to be really good. There's like a bunch of little nuances like that. Gamers are really interesting. People that kind of like tend to go to ask why, right? So there’s like two personalities. Some people are told something, and they just do it, right. And then some people kind of want to push back and ask why. I personally, and I'm not saying this is the right way, I actually prefer the people that want to push back, that want to know why, that are actually trying to apply price, because it's never my way or the highway. Because let me tell you, throughout my career, how many times I put in a process where I've told someone to do something, and they found a much more elegant and faster and cleaner way to do it, and they were much more junior to me, right? So get your ego out of the way. Let people find their own path, right? So the key is giving them the North Star of where they need to go, right, but if they want to take a different route than you to get there, as long as they're arriving at the same finish line, it doesn't really matter, right? As long as they're covering the guardrails, right? You can put in guardrails of like, this is the areas they need to cover. This is what they need to investigate, whatever it may be. At the end of the day, how they arrive there, let them use their own strengths to be able to achieve that, right? And I have built, you know, if you lead with that, right, of that trust, and building out that trust with your team, and giving them the right guidance and making sure that they're key, you'll end up having a situation like where I do, where I have analysts that have followed me from five companies, right? So I have team members. There's one in particular that has been with five companies with me, right? So, like, literally she will follow me from company to company. And I've had managers do the same thing. 
And so I think that really building that trust is critical. So that's the people side, right? And you really want to lean into, you know, if you're hiring bodies just because you have a need, be careful on that, especially in today's world. Like, I have found that people still weigh education pretty heavily, and I have not found that to be actually valuable in the fraud space. In fact, like some of the best fraud fighters are probably high school dropouts, in my opinion, right? So like I would hire a very curious, very scrappy 18-year-old kid out of high school more than I would a Harvard graduate in many cases for most of the positions. Not saying that the Harvard graduate is not scrappy and super hungry and all that, so that also exists. But in general, in general, you know, focus on what actually matters for the role. Like, what kind of personality traits are you looking for? Not so much of who's checking the boxes in your interview process, right?
Chen Zamir
15:30
I fully agree with you, and I think that, you know, trust on one hand, also looking at curiosity as a lead indicator when hiring is something that I also used very, or leaned into very heavily during my career, and I completely agree with everything that you said. My observation, though, is that, you know, I'm like thinking about a fraud leader that is now, you know, they are required to start this journey of going into real-time fraud prevention, and supposedly they don't have the experience, they don't have the skills. Otherwise, they wouldn't be listening to us. And I think it is very easy in this situation to fall, quote unquote, into this trap of, okay, I have these like scrappy juniors, but what I really need is someone with experience. And what I see happening very often is that in these situations, you tend to hire someone with 15 or 20 years of experience that sounds on paper like exactly what you need. They end up just, you know, dragging their feet and kind of like costing you a lot of very expensive time. So what do you have to say to this? Like, how can we identify these red flags or these misfits, right? It might be like super great in an established organization that is already running, but they're not necessarily the right fit to start things zero to one.
Matt Vega
16:56
Yeah, so first off, like 100% aligned, and that's why I always say that I started my answer with finding people that fill your weaknesses, not the latter. And I think so definitely 100% aligned. I think the key is don't be too worried about total time in career. So, like, that's a trap. Like someone that has 30 years of experience isn't necessarily better than someone with five years experience. Someone with five years experience, from what I've gone through, I would say also understand the org that they have been brought up in and trained on. So, for example, someone that comes from Chase, they're going to be much more, you know, very process-heavy, very bureaucratic, right? There's going to be a lot of approving authorities. There's going to be a really long tail. It's going to take two years to bring in any technology, right? So that's going to take a different type of skill set, and that skill, by the way, can be insanely valuable in the right org. However, if you're trying to move fast and you're trying to be scrappy and you're trying to spin something up because you're trying to be like a real-time payment rail, right, that's probably not the resume I would go after, right? I would go after someone that knows how to wear multiple hats, that can really step in. And most importantly, you want people that don't stay within their vertical. You want people that, even if their job is just fraud analyst, I want them to also be a data analyst, an operations analyst, a fraud analyst. They might even be customer service at some point, right? So I want someone that has the flexibility to be able to understand the needs of the business exceed the needs of their position, right? And you really have to hire for that. 
I would also say for, like, when you get into the more management level, et cetera, you know, you want to look for people, and I just want to actually have one caveat, that if someone has spent time in banking in their career, that's actually really beneficial, but you don't necessarily want someone that spent their entire career there.
Chen Zamir
19:02
Yeah.
Matt Vega
19:03
Right. So, like, there's actually really a lot of value in people that have both sides of the fence, and the reason for it is they understand what does an effective process look like, right? Because there's no way that Chase is moving $100 trillion and all these crazy things without a pretty effective process, right? So I'm just using that as an example. But, you know, at the same time, leaning into kind of the more startup vibe of how they scale, right? And understanding, you know, really, and the questions that you ask them, by the way, I think, like when we're talking about the red flags, is make sure you dive into the how when they describe something. So if they say, you know, I'll give you an example. I was doing an interview not that long ago, and the person was like, “Yeah, I saved the company $65 million over the course of a year by reducing fraud losses,” et cetera, you know, the kind of the standard. And I was like, “Okay, now, how did you do that?” Right? And you just keep asking, “How did you do that? How did you do that?” Right? And make them go deeper and deeper and deeper. And I very quickly came to the realization that they didn't do that, like their team did that, right? And they actually really were not in the weeds and actually understand what needed to get done to achieve that. And that's okay. But like, when people are taking credit for other work, that happens a lot, right? Like, “I am responsible for saving $100 million.” And it's like, is that true, or was that like a data scientist that spun up a really sick model, right? And like you were just sitting back and maybe adjusting some thresholds, right? And that's like a little bit different, right? That's a different mentality. And that's actually a trick I stole from Elon Musk, actually. So that's one of his interview tricks. He doesn't really care as much, at least what he claims, he doesn't care much about some of the stuff that we talked about and where you came from, et cetera. 
He wants to know, like, if you achieve a certain benchmark, he dives really in depth into how you actually solved it. And you can figure out really quickly, and it works. I've been using it for years now. You can figure out really quickly if they actually were the ones that drove those pillars, right, and really actually understand the problem and solution, right? And then the other thing is, like, give me a complex fraud case or an interesting fraud attack and walk me through the full lifecycle, right? So you had a major attack. And if someone says, like, “We haven't really had any attacks because our system has been so good,” that's obviously a major red flag.
Chen Zamir
21:36
Yeah.
Matt Vega
21:37
So, yeah, that's like an immediate no-go. But you want them to walk you through, like, what is the actual process of how did you respond? How did you identify it, right? How did you mitigate it? How did you detect where it was coming from? What was the source, right? And really leaning into that, you can get some amazing insights into the person and how they actually, like their mental model of how they think through things. And that's where curiosity will really stand out in questions.
Chen Zamir
21:53
Love it. I'm gonna report you to Elon, of course, but awesome. So you were just mentioning process, how to speak to candidates about processes, and how to kind of like think about your team and the makeup of your team in terms of, you know, do they know how to run and build and maintain the right processes? So what is the right process?
Matt Vega
22:21
Yeah, so there is no right process. That's the answer, right? There is no, like, this process is the industry standard, right? And so I'll give you a perfect example. So I've been to companies where they put a lot of weight and value on a verified customer. Okay? So, for example, the process is completely different if it's a verified, let's just say IDV, doc verified customer versus a net new customer. Okay, and those are the kinds of things that are immediate red flags to me, because let me tell you that the majority of fraud comes from verified customers or verified accounts, right? So it's, you know, a huge percentage of fraud out there now, especially nowadays. So like, it doesn't really add any value that they're verified, to be honest. And like the age of the account, we need to get rid of that. Like the entire industry should just remove that. “Oh, there’s a net-new account is not necessarily higher risk than an account that's been under property for a year,” right? But they equally will commit fraud, right? So you need to focus on their data points. But anyways, when you're trying to build out a process, the key is you want to focus on efficiency and simplicity, right? So now lack of process is just as big of a major problem in an org when you scale, okay? So there is this mentality, and I think a lot of people will disagree with me on this, actually, and I think that's totally great. I love having people disagree with me, is I think that, especially in the startup vibe, startup world, their argument that you shouldn't put in process at all because it can stifle innovation, and you want to kind of give everyone the freedom to wear multiple hats and just figure things out and dive in and figure things out. And I think that's okay. I think you can actually do both, because my opinion and what I have seen over the years is that you, like, process, sometimes you have to slow down just a little bit to speed up. 
And what will happen is you will start having multiple team members kind of cross lanes and be duplicating work because of that lack of process, right? So sometimes the goal is to just get them a rail, right? Like give them their pathway with the North Stars, right? So, like, here are the North Star benchmarks that we're trying to achieve, right? Like, if you're doing an investigation, what should be the outcome of that investigation, right? It should be, do we want to accept the customer on our platform? Do we want to reject a payment? Whatever it may be, whatever the type of investigation is, right? And so I think, like at a startup level, you can still give them some freedom to kind of move within that guardrail, as long as they're achieving the same result. Now, the other thing that you want to do is you want to set like kind of benchmarks to peers. So, for example, what you don't want is someone that's so curious where they're spending an hour looking at one account, and I've had that happen tons of times throughout my career, right, where they just like deep dive in. Fraud fighters are infamous for this, right? We go down these rabbit holes, and the next thing you know, you find some North Korean-backed hacker that's moving $5 on your platform. And it's like, dude, it doesn't add value. It doesn't matter, right? So I think that sometimes you need to set, put in those guardrails to make sure that they're not going down those deep rabbit holes. And I think the other thing is, give, allocate a percentage of time so that they actually can do that. So I have found that the best way, because almost every team is reactive. Almost everyone in the industry is reactive. Like, anyone that says they're proactive, you really got to question it, because you have to be proactive, by the way, in today's, which we'll talk about, especially in your technology. But most operational teams are reactive, right? They're waiting for the indicators. 
They're waiting for the dispute to come in. They're waiting for the customer escalation to come in. And then they initiate their investigations. So allocating a percentage of your team's time, like let's just say at the analyst level, let's just say I want 15% of your time on a daily basis to just investigate, just go down a rabbit hole and have fun, right? I want you to just find something interesting. And it may just be a trend that you see, and maybe it's not even a fraud trend, but like those lessons learned. So like I stepped into an org, I can't call out the org, but I stepped into a company as an advisor, and I spent like five hours with the leadership team, and they couldn't really tell me what's going on. And we went around and around and around, and then I ended up basically pulling one of the junior, someone with six months of experience, off to the side. And I was like, what do you see? And we solved it in like 10 minutes, right? And so sometimes your team and your boots on the ground, your junior people, will likely see things much faster than the head of frauds or the fraud managers, et cetera. And so making sure you're giving them a little bit of flexibility and freedom to stretch their investigative legs is really key. So I don't think there's, you know, to bring it full circle, I don't think there's a process that is like, here's the industry benchmark. You have to build it based on efficiency. You do not want to over-engineer it. Do not over-engineer. Like, full stop. You over-engineer it, it's going to fail, and it will not scale 100% of the time. If you keep it simple, have checks and balances. Make sure there's guardrails in your process. Make sure there's benchmarks to prevent spending hours on something versus spending five minutes on something, right? So you kind of base them based on the average of their peers, right? And also competition is very good in teams, right? Like competition, humans are very good. 
Even the ones that say they don't like to compete, it drives performance. So, you know, making games of it is really interesting, right? Like, I built, for example, what we call it, like State of the Union, where it's just like a dashboard, and it says like, you know, total investigations for the day, or whatever it may be, and total time spent on X, Y, and Z. And they end up trying to compete with their peers, and it just drives more performance. And there's no negative outside, like if someone doesn't show up on the board, it's not like they're doing bad, right? But it's just like that subconscious, like, oh, I really want to perform well today, right? I want to be in my home, my name on the board, right? And so those are the kind of things that I think add the most value.
Chen Zamir
28:44
Yeah. I mean, interesting that you say that there's no right process, because, you know, I have these five rules, and they go with me whatever company I’m at, and they crush fraud, right? So.
Matt Vega
28:54
Yeah, exactly, exactly. It's only five rules.
Chen Zamir
29:00
Yeah. I want to pull on two threads because there's a lot to unpack in what you said. And I want you to kind of like maybe expand more on how it translates, like in teams that deal with real-time fraud prevention, because you said two things. You said one that, you know, let me start over. What is it that you said?
Matt Vega
29:43
Are you talking about when I was talking about, you're talking about the initial part when I was saying, shoot, did you miss something?
Chen Zamir
29:53
It was definitely the proactive and reactive. There was one more thing. I think I know it was more general. I wrote, there is no right process. Focus on simplicity and efficiency. Let's take that. Okay, so I 100% agree with everything that you said. There are two threads that I want to kind of like pull on, and maybe to be more specific, when it comes to how this might look like when it comes to teams that manage fraud in real time. And one, you talked about the fact that the process needs to be simple. And two, you also mentioned that, and by the way, I totally agree with that, that your process needs, at least to start with, needs to be much more reactive in how you model your operations than proactive. Because proactive is, if you're a world-class team and super mature, maybe you can start thinking about it, so it's a long-term goal.
Matt Vega
31:10
Yeah.
Chen Zamir
31:13
Yeah. But I would guess that, you know, some of our listeners that are thinking about real-time fraud prevention, they would say, okay, but if I'm doing that in real time, but at the same time, I'm reactive, so how does that come together?
Matt Vega
31:32
Yeah. So basically, I think the best way to think of this is in the difference between traditional, call it like payment rails, right, where there's more reaction time, is at the time of payment, for example, or at the time of escalation, or at the time of customer, you know, whatever it may be, right? At the time of escalation, regardless of where that sits, you have a window of opportunity to take action, right? So that's kind of the traditional path. Now in real-time payments, right, just like, you know, money is moving near instantly, right? And so the time of payment is now too late, right? The time of escalation is now too late. It's very similar to wire transfers. Once the money has been executed out, right, you're done. There's no clawback process. It doesn't matter if your fraud team is able to investigate it at that point, right? So you have to kind of treat every payment as like a wire transfer, or the best way to describe it is like someone is about to hand cash to someone else, and when they do that, they cannot get it back, right? So if you're handing cash off, should you focus your efforts the second that they're handing the cash to someone else, or should you focus your efforts on the drive to reach that person, right? And so you have to change your mental model to move upstream. So the key is a perfect example. Let's just say that you have a customer that, you know, let's just say they transact an average of $900 a month. Let's just say this person's from Ohio, right? And pretty similar spend patterns, pretty similar behaviors. And then you randomly see a new device logged in, getting authenticated, let's just say went through a step-up process, so it was added as a trusted device. And then it adds a new payee, and then it attempts to move $10,000, right? Let's just use that as an example, right? But if you're looking at it at the time of moving $10,000, you're too late, right? 
So that money movement time, that's your final last gut check that you have to be able to take action. So what you kind of have done is you can decide, for example, wait a minute, new device logging in, followed by a new payee, like that is enough of a red flag right there to start putting in significant friction. Okay? And what we have found, which is really interesting, is that it used to be, especially back when you and I started, it used to be like friction was so much the enemy that companies were willing to take significant losses to not touch friction. And what we have seen time and time again, and I've done studies on this, even at Novo, where we actually did a study on this, and what we have found is actually friction can increase spend and usability on your product. So I'll give you an example. We tested like, okay, how many times can we actually do a step-up, for example, a customer on a debit card before they just get so frustrated? And so what we found is, if we step someone up two times a month, we saw an 11% increase in card spend. And we were like, how is this humanly possible? Like we're stopping more money, right? We're stopping the transactions, adding friction, but they're spending more, right? And what it came down to when we did customer interviews on this is that they felt like they had more trust in the product, right?
Chen Zamir
35:02
So friction done right increases trust. Friction badly reduces trust.
Matt Vega
35:12
100%. And I think that's where, you know, that's why I always lean into, I call it tactical friction, right? Where if you can apply friction at a point where it's reasonable, right, then it is not a bad thing. It'll likely be a good thing. You'll actually build trust with that customer. I'll give you an example. If a new device logs into my account, adds a payee, and is attempting to move money, like you better believe I want my bank to add friction. I want my bank to challenge me. I want my bank, if I'm moving $25,000, I want my bank to verify that I want to authorize this, right? If they don't, it's not a user experience plan at that point. It's just like unnecessary risk. And let me tell you, everyone's like, oh, well, like friction causes churn of customers. Let me tell you, nothing causes churn more than your account getting taken over or losing money on the platform, right? So you actually look at it. And by the way, most of the time when I hear people talk about churn, it's usually like a growth team, where it's like someone outside of fraud that's applying pressure, saying like, no user experience, right? Or it's going to impact user experience, et cetera. But they haven't come to that conclusion because of actually testing. They have come to that conclusion because that's just been the industry standard for a long time. But if you actually stress test those arguments and actually put in some process, so like, for example, you could say like, hey, let's add 5% of our traffic to a new friction process, right, and see what happens, right? And again, if you're doing it tactically and you're applying friction at the right time and when it actually matters to where you want it to be, to where your customer says, okay, I get why my bank or my fintech, or whatever it may be, like I get why Instacart or whoever it is, right, is asking me to verify this, right? 
If it's like I'm buying a $5 item and they're blocking me, and I'm having to go through this process and I'm standing in line at 7-Eleven, that's a different conversation. That's like frustration, right? Now, like I'm spending $1,000 at Target, for example, and I normally only spend $100, it makes sense that they would say, hey, just want to make sure you're good with this, right? I'm not going to be like, oh, I'm going to spend a month changing my platform and going to a different bank, though, because like, God forbid, they asked me if I want to verify. It's just not true, right? It does not happen in real life. And so I would say, as a fraud fighter, challenge that status quo, especially with product people and growth people, and force them to realize that, like, okay, let's prove that your theory is right. And let's actually do like an A/B test. Let's do like a champion challenger, right? Let's allocate a percentage of our traffic to a process that I want, like let's just say friction steps or step-ups throughout the process for certain high-risk data points. And then we'll allocate the rest of the traffic to something else, like let's just say the current process. And about nine times out of 10, you're going to find that you're actually going to probably have less churn and make this. Because, again, like almost guaranteed churn when you have, especially on cards, if you have more than two fraud events on a card, like two fraud events, is like the kiss of death. Now, it could be over a period of time and you're okay. But if you have like two fraud events within, let's just say six months, you got a serious problem on your hands. That's like a high risk of churn at that point.
Chen Zamir
38:18
Absolutely. So let me see if I kind of like got your thoughts here, because I think that proactive versus reactive, especially in real time, is where a lot of teams fail, at least fail to grasp what it really means. And I think that, you know, your example of friction as kind of like an extension of how much trust we put in you, the customer, but also how much trust the customer is putting into you as my provider. And I think what you describe is two things. On one hand, you want to be proactive in the sense you want, because you are operating in real time, because if you have loss leakage, you don't have a lot to do with or to do about it. You need to go upstream. And this is the way to be proactive, meaning you need to kind of like start thinking about building multiple lines of defenses before the monetization or the accident happens. But on the flip side, the learning, you mentioned that through kind of like the A/B test, the learning is done reactively, because you need to kind of like watch the population, whether this is like the fraudsters or how normal legitimate users behave when you introduce friction, and based on these learnings, you know how to tweak the system. Did I get it right?
Matt Vega
39:46
You're spot on. Yeah, move upstream. And you're exactly right. That's how I would delineate proactivity versus reactivity, right? I think that proactive is like proactively moving out, right, out from the blast radius, right? Go to the farther rings, right, and start. The best way to think of it is like a castle, right? You're trying to protect the king, and let's just say the king is the real-time payment in this case, right? You want to put multiple walls around, and maybe right outside of that. Now, there should be pathways where the drawbridge drops down, and it's just a straight shot right to the king. That's okay, right? You need to make sure that they are vetted multiple times throughout that process. And that's where tracking that user journey is so critical, right? It's like what is happening in order to get to that payment is way more important than the payment itself nowadays, right? And so I would say, like again, the payment is actually the last point in time that, like, if you're only focusing on the payment, you're really behind the curve right now. Because you have to move upstream into these attack vectors in order to be able to, like, that's like your proactivity right now, is moving upstream and approaching it from a user journey perspective. And I think that, like that, I would agree with you on that delineation between proactivity and reactivity.
Chen Zamir
41:06
Awesome. So should we move on to your last P, the product, or do we have more things that we want to cover? Okay, then product-wise, what does that actually mean?
Matt Vega
41:19
Yeah. So it means a couple things, right? It depends on the company. It depends on the way that you're building your team. But in general, I actually, and I may consider this uniquely, but in general, in fraud in particular, when we talk about the three P’s, I want to talk about the product from a fraud prevention technology stack standpoint, and also the product as like what is the business that you're working for selling, right? So I include both in my product, right? And you have to build your, so it's like, for example, if you're at a fintech that's building some sort of RTP payment rail, right? That RTP payment rail is obviously the product, but so is your tech stack, your mitigation tech stack, your fraud prevention tech stack, right? And so when we talk about building that initial guardrail, there's a couple approaches that I've seen, okay, and some are very effective. Some are not effective. One is like, let's put in five layers. Let's just say, like we're talking about that castle doctrine, right? Let's put in five layers from account creation to identity verification to login protection to whatever it may be, right, as you're going through these layers, right? And some will use one platform that offers those different layers, right? Some will just integrate five vendors to plug in. And I don't necessarily, at this point in my career, think that there is necessarily a right or wrong way on that one. I actually think the key is, are they communicating? So you need to have the, you know, I think what's so critical is making sure that you have one centralized location to be able to understand and synthesize the findings of those layers, right? So you want to be able to see like, okay, wait a minute, this is a high-risk login, okay? And then we see, like, okay, this is an unusual behavioral biometric compared to what we normally see. 
And then you say, okay, this is like a high-risk new payee that we've never seen before, and this person has never interacted with, right? And okay, now there's like, they're trying to initiate a much larger dollar amount than their general spend. But if those are different vendors, right, and those vendors are not communicating effectively, right, in your tech stack, you're going to miss it. It's really, really hard, right? And then you end up having to, and I see this all the time, then you have fraud teams that just focus on each one, right? And then you end up having like five fraud teams, because you've got like an onboarding fraud team, a KYC fraud team, and then you got, right, and that's not really necessary if they're all communicating effectively, right? And so I think especially early days, if you have the capability to do that, and that's where the value of going into one platform approach to where that you can do that is where it's pretty close to guaranteed to communicate, but it's not necessarily required, as long as you're building it effectively, and as long as you can speak with your vendors, for example. Have those conversations of like, I want to make sure that vendor X can communicate with vendor Y, and they'll tell you how to do it. They'll say, like, yeah, well, like our SDK is pretty much data agnostic, so you can just plug it in and feed that as like a custom field for the API, right? And so, like, you know, we do that at Sardine all the time, right? And I know there's tons of vendors that do this where you can say, like, if you have signals that you want to pipe in as a part of your risk stack, just plug it in as a custom field or a user-defined field in the API, and just send us those signals, right? So I think making sure that everything is communicating effectively is critical. 
And then also, I think that, so I guess that's like the lesson learned, is that if you build in a tech stack that's not effectively communicating, you're going to have problems with scaling. You're going to miss things, to fine tune each layer, and it's really hard to do that. It takes a lot of time. And the problem with that is you can get caught in this trap of like, I'm going to build, and here's like, I would say, my next token of wisdom for everyone, is that if you want to build a best-in-class tech stack, right, from the product side, going out and getting the best vendor for each layer will not lead to the best process or product. Okay? So if I were to go out and say, okay, I'm going to get the best vendor on the market for IDV, then I get the best vendor on the market for account security, then I'm going to get the best vendor on the market for KYC, then I'm going to get, right, you just keep going down that process. Nine out of 10 times, that's not going to lead into a best-in-class tech stack. And so sometimes you want to sacrifice, right? You have to have some sacrifice in your tech stack if it means that you're going to gain some sort of value for the greater good, right? So like, let's just say that maybe the best-in-class vendors, because they're so competitive, maybe they don't play nice together, and maybe the communication lanes are really challenging. You're going to have to build a pretty sophisticated internal dashboard or model to be able to synthesize all these signals, right? You may be better off maybe going to like one tier down, right, and focusing on someone that actually is more data agnostic, right, or that has more flexibility to kind of work with other technologies. 
And so I would say, like, I've seen that many times again where fraud fighters, like, “Yeah, I'm going to build the best-in-class tech stack, and I'm doing that by just getting the best-in-class vendors of each category.” And like, I've never seen that actually work, as crazy as that sounds, you know.
Chen Zamir
46:55
I don't think it's crazy at all. I think, I mean, I'd say first of all, I think it is such an important point that actually teams that go from manual operations to automated operations can easily miss, because when you only have a fraud ops team and they have their own like four different tools, like an admin and this vendor’s portal and SEON’s portal and whatever, and they just copy paste data fields between them, that’s something that is like very easy to think would work also in real-time fraud detection. And it doesn't. It breaks immediately, obviously. And I also think that, you know, the last point that you made about a best-in-class collection, eclectic collection of vendors, doesn't necessarily mean best-in-class stack, to me actually goes back to what you started with, and that is to keep it simple. And many times by doing exactly what you described, by going to five different vendors that don't talk to one another just because they're the best, actually you're creating a very complex system, and a very complex system is also very fragile.
Matt Vega
48:21
100%. And let me tell you, I want to double tap on what you just said because that's so important. Not only is it fragile and very complex, but actually the vulnerabilities will start expanding substantially. So the exploits that you can actually get in those weeds, right? So like the best-in-class vendor doesn't necessarily protect you best in class, right? Because it's based on how you're actually integrating and using that across your platform, and are they communicating effectively? So the best way to think of it is, if I have five best-in-class vendors, but I'm not linking them together effectively, those chains are weak. And when those chains are weak, those are exploitable chains to fraudsters, right? They're going to penetrate those weaknesses all day long, right? So you want to have really strong bridges between those vendors if you're going to use the multi-vendor approach instead of a platform approach, because otherwise, those vulnerabilities are just going to each.
Chen Zamir
49:22
Absolutely. Yeah, I've seen it with so many clients. It's honestly, it's a bit depressing. Yeah, yeah, yeah. Okay, so we want to keep the tech stack cohesive. We want to have a central hub. What else, like when it comes to real-time fraud prevention, what else would you say is important to think about when you're starting out this journey?
Matt Vega
49:59
Yeah. So one thing that I would say is some of the traditional signals. There's two approaches. So first off, sometimes the most sophisticated attack vectors and the most sophisticated fraud, let's just call them exploits, can be solved with, okay, I have seen time and time again where, because it's a really new like polymorphic agents show up in the market, and some of the banks, like I was just talking to the head of banking at Google, and she was telling me that she has multiple financial institutions that are kind of pulling their hair out as they're starting to see this down with her. And, you know, we were talking about this. At the end of the day, sometimes going back is actually far more effective than spinning up some new AI machine learning model to solve it. Wow, wow, right? And so I think that that's one mentality that you have to always pay attention to, is don't get caught up so much in the hype. And just because something is super complex doesn't mean a simple mitigation step won't be just as effective. So like when you're building your tech stack, I would say like a good rules engine can knock out a huge portion of your fraud, right? And people are always like, oh, we want AI and machine learning, and we want all this stuff. And it's like, that's great, but a rules engine will get you 70 to 80, maybe even 90% there. The machine learning model will squeeze out that last 10%, right? Or the AI, right? Where AI comes in is AI will supercharge your team to be able to focus on higher ROI things. It'll basically compile data more effectively. It'll help you. It's like giving your team a steroid injection to be able to perform better. So that's where we can talk a little bit about the agentic side. But that's just, I think, like the key takeaway here is just because the fraud trends are adapting and becoming faster and becoming more aggressive doesn't mean that simple solutions no longer work.
Chen Zamir
52:00
100%. It's funny because I keep saying exactly what you just said, keep repeating myself, and it feels like it's always very weird. And, you know, especially when I was a CTO of an AI company, it was always very weird to say, look, maybe like a couple of fraud rules in place and that will solve. And it feels like the more experience you have in the industry, the more you understand that also your solutions, by being very simple, that also means that they're, you know, it's easier to monitor them. It's easier to make sure that they are not misbehaving. It's easier to tweak them if they need some tweaking. A very sophisticated machine learning model, that's all great and dandy, but retraining it, or making sure that it is fresh, or that now, perfect also for this new payment method that you have, or this new region where you deploy, that now means to basically retrain the model. And that's a whole lot of work. That's not a half a day of an analyst, right? That's a completely different scale of work. So I am completely with you on this.
Matt Vega
53:23
Yeah. And one other thing that you just said that I didn't think about, but you're spot on, is like with machine learning, it's really challenging, even AI in some cases, but mostly on the machine learning side, both supervised and unsupervised. It's really hard to have like a plug-and-play model, like even at the vendor side, right? I'll give you a perfect example. In issuing, you know, when I was working with Sardine as a design partner on some of the machine learning models, we could not, for example, take, so Brex was a similar company, or Mercury, or some of these others, right, where it's business banking, okay? A machine learning model trained on, let's just say, Mercury’s data or Brex’s data to stop business banking exploits would not work on Novo, which has the same business banking exploits. And the reason for it is your customer risk is different, right? Your user journey, there's just too many known unknowns in that funnel to where it's just not a one-to-one plug-in. And so what ends up happening is, when you get these out-of-the-box models, is that you end up having to set the threshold so high to where like it has to have a 99.9% confidence before I'm actually going to consider it very high risk. And by that point, like, you probably should just build some really cool rules, and that would have probably done the trick far more effectively.
Chen Zamir
54:54
Absolutely. I think this traces back exactly to the point that you started with, where product is first and foremost the product company, right? Because that basically dictates what are the threat vectors, what are the use cases, how they manifest, and so on. Completely agree. Just because you mentioned that, and, you know, I can't hold myself. It’s such a huge topic, and we can go into a lot of different routes, but zero real-time fraud prevention. I'm starting from zero. Do I need to consider agentic, or is it something for year two?
Matt Vega
55:51
Great question. So the best way I could describe it is as follows. In order to have a very high-performing agentic layer in your tech stack, right, you have to have a really, let's just call it AI-friendly ecosystem. And so what happens is the companies that are building, let's just say they have gone the traditional route first, it's much harder to then pivot to agentic and AI than it is if you build everything from the beginning to actually get to that path, right? So I would say you have to make a decision. Like, are we, even if we don't do it now, in the next three years, for example, are we likely going to pivot? And that's something like, I promise you, your CEO is going to say, yes, you better believe we're going to pivot to AI. I've yet to see a CEO be like, no, I don't want anything to do with it, right? Because they see that, like, okay, wait a minute, if we can squeeze out more performance and reduce headcount, maybe, like these are all kind of things that seem like the no-brainer for an executive. So building up front is going to be really critical, right? And that's also where, again, it falls back to keeping your processes simple and elegant. Because if you have these really complex processes, and you have these multiple teams working on different things, on the agentic side, you're gonna have to build agentic agents like each of these, and that's going to really squeeze the ROI of that agent down substantially, versus having an entire rail to focus on. So at the end of the day, this is what we're seeing in the industry. First off, let's set the benchmark. We are not seeing agentic AI replacing units in fraud prevention. In fraud prevention in particular, I have not seen it once yet. In compliance, I have not seen it once yet. Now, don't get me wrong, there are absolutely leaders out there that have terminated people or laid people off for AI. 
But if I was a betting man, I would bet my entire salary that there was some other reason, and AI was like a good argument to go down that route. I know there's a Fortune 500 company that recently said, like, hey, you know, we were implementing AI and we laid off either 10 or 20% of our workforce because of it. My bullshit indicator went up instantly. And I was like, no, no, this is post-pandemic bad hiring practices, and they're using AI as their cover story, right? So let's just be very clear on that. So now that we have that as like a benchmark, right, I think there's two things. One, to protect yourself in an AI future, you don't have to be a data scientist. You just have to be a world-class user of AI. And I think that like that's where, you know, see how you can improve even your daily life. How do you be more efficient on things, right? Your work, right? Even if you're just self-prompting stuff, those are all really good ways to start learning how to interact and engage. And you'll find there's different tricks and techniques that you can use to squeeze out performance. And, you know, like your prompt instructions, how you actually write those to actually get to where you want, right? And you want to like prompt out, like, you know, sometimes what will happen is you can get down this layer within large language models where, like Frank McKenna and I went down this rabbit hole. It was so funny. So Karisse Hendrick reached out to us, was like, “Hey, have you guys heard of spider web fraud?” And I was like, spider web fraud. Like, I'm thinking maybe some sort of network graph type thing that they're talking about. And so both Frank and I were like, no, we haven't heard of it. And then I went on Google spider web fraud, and the AI response was like, it's this new trend of fraudsters using Halloween spider webs to commit fraud. Then I'm thinking in my head, like, dude, there's no way this is real. And then Frank went online and was like, what is hamburger fraud? 
And what was happening is the model was just reinforcing our prompts, right? And it was connecting the bridges between us. So you got to be really careful on how you do it. And so we went down this rabbit hole for like five hours laughing about all these new fraud trends. I think even Frank posted on this. So I remember, you know what I'm kind of talking about. So, you know, I think that you have to be really careful and understand how to effectively prompt. So there's something called prompt instructions in the settings of your large language model. Almost all of them have this, not at the business level, but they definitely on the personal level will have it. Basically, you give instructions in the settings of your account to basically tell the large language model how you want it to interact with you. Okay? And by the way, you can use large language models to help you write that prompt anyways. But what you want is you want something that's going to challenge you. You want the model to challenge you. You want it to say, like, don't reinforce my biases. Like, stop me if I'm going down a rabbit hole that's wrong. If my question is leading to a false answer, challenge it, right? You want it to say, basically, poke holes in my logic, right? And that is a far more effective approach to start using AI. Because, for example, like I'm going into a board meeting, right, and I want to make sure that I am fully prepped on every challenge that I could possibly get on this proposal, right? And these are the things that AI is very good at. It's very good at finding these new arguments and logic, right? But you just got to be careful not to just reinforce yourself and go down this thing of, like, I want this outcome, and so I'm going to prompt it to give me this outcome. And that's what I see the mistake every time is, like, help me, guide me to the outcome that I already want. Like, make it guide you to the outcome you don't want, right? 
So I think that that's a key piece of like, we're talking about becoming a world-class user of AI. Now on the agentic side, so first off, it's not replacing jobs, but what we are seeing is it is supercharging the analyst performance. So every operational fraud analyst is now a data analyst, almost full stop. And so what we're seeing is we're seeing this trend where people that are not data scientists or are not data-forward experts, right, or data-forward analysts, they now have the ability to make data-based decisions versus intuition. And, you know, probably 50% or more of fraud fighting is intuition, right? It's a huge percentage of it. But when you don't have the data to back up your intuition is where you start getting into the traps. And so where agentic agents can be incredibly powerful is they can provide you the reinforcement data to help your intuition kind of guide you to the correct answer and have a much higher confidence and certainty that your answer is correct, versus before you're going off like gut feeling and like whether or not I get goosebumps when I read this account, right? That's not a very effective way to do it. That's kind of the traditional way to do it. So it can be incredibly effective. I think that there's some really interesting stuff happening. So right now, there's like, I would say there's a lot happening on the regulatory side on this as well. But let me tell you that the OCC, FDIC, CFPB, all of these financial agencies, they are all in on AI. They are improving AI use cases right now in financial use at the fintech layer, at the sponsor bank level, and at the regular banks, right, credit unions. So now is like 2026 is probably the best time, especially with some of the natural world changes that are happening that can give you some firepower to push on your org, push on your leaders, to start adopting more agentic framework. 
And then also, I think that there's going to be some interesting things happening on the Reg E side, right, that liability shift side. And then you're also starting to see like, even on the agentic commerce side. I have a difference of opinion on agentic commerce than most, but from utilizing it in your team, like to me, if I was building a new team, if I were to start tomorrow and build a new team, I would 100%, every single time, I would build my team, my process, my product, to be able to be highly effective for the use of agentic agents.
Chen Zamir
64:23
Absolutely. Well, folks, you heard it first here. You want to double down on AI, so make sure you do it tactically. Matt, this has been like, you know, we have a lot to cover here. Or actually, we covered a lot. We have a lot to summarize here. So let me kind of like collect all the takeaways that we covered in the last hour or so. So we talked about fraud prevention in real time, zero to hero, how to get started. And I think the red line throughout this entire conversation was, keep it simple, stupid. That is my takeaway from this conversation. You worked your mental model of people, process, and product. On the people side, we talked about hire people for curiosity, hire people for trust. For the people side, we talked about hiring people for curiosity, we talked about hiring people for trust, and we talked about how we want to prefer flexibility over experience. We talked about processes and the fact that there is actually no right process in the industry, even though a lot of teams think that there is and they expect that there is the right process. Actually, there is no such thing. Again, we talked about focusing on simplicity and efficiency, not to over-engineer, at least not at first. We talked about the balance that you need to strike between being proactive and being reactive, and we talked about that in real-time fraud detection, real-time fraud being proactive means that you want to layer your defenses and make sure that when it comes to the monetization, to the loss event where you can experience leakage, you want to make sure that by then, the user underwent some risk checks where you already have a clue. But on the other hand, also that in the end, learning, relearning, whether this is about new fraud attacks or whether this is about how legitimate users behave, almost sorry, not almost always, happens retroactively. And you gave a very good example about friction. We talked about friction and the fact that friction done right can increase trust. 
And lastly, we talked about product. Two things. A, you need to consider the product of the company and what kind of surface of attack it creates, what kind of fraud threats it brings to the fore, and of course, also to consider your tech stack, your fraud prevention tech stack. We talked about the fact that it's okay to have different vendors, as long as you have one central hub where you can have all the data and all the reporting and all the monitoring, and that these vendors can communicate between one another, whether this is through vendor partnerships or a certain platform, or whether these are pipelines that you built yourself. We talked about that having the best vendor doesn't necessarily mean that you would have the best fraud prevention stack, because you can create a lot of complexity. And here again, we return to the theme of keeping things simple. We talked about not getting too much caught up in the hype, because sometimes, or actually very often, our experience as fraud fighters is that sometimes you can prevent, or not prevent, let's say mitigate, very sophisticated fraud attacks with one simple rule instead of trying out to spin up a complete machine learning model from scratch. And lastly, we touched some bonus material when we talked about agentic AI, and you said that while AI is not a must right now in terms of combining it within your fraud stack, you put a lot of emphasis on the fact that this is the time right now to become a world-class user, to become literate, to upskill not only yourself, but also your team in the usage of AI. And lastly, you also mentioned the fact that already today, agentic AI can be very helpful in taking folks who are maybe domain experts, or at least, I would say, fraud specialists that don't necessarily have the data background, and give them the tools, the capabilities to back their intuition, back their experience, their gut feelings, with data through the use of agentic AI. 
Hopefully, I got everything and I didn't leave anything out.
Matt Vega
70:00
No, you nailed it. I think at the end of the day, keep it simple, stupid. Focus on the three P’s, right? And really, don't over-engineer things. Make sure things are communicating effectively. And that's off to a really good start, right? That'll help you achieve what you want to achieve. It'll allow you to scale. Don't over-engineer, right? And absolutely, if you're not using AI today, you really need to, because the technology is going to improve, right? So even if you're a non-believer right now, I assure you, the technology is doubling, right? So by the time you get to the point where you become a believer, it's already too late. So you need to start building the framework and the fundamentals to make sure that you're going to be ready when you are ready.
Chen Zamir
70:45
Matt, it's been awesome. Thank you very much for sharing your experience with us. For you folks, sorry, let's do it again. I want to give you actually. Matt, thank you very much for sharing your experience with us. It's been a blast.
Matt Vega
71:05
I really appreciate you. Yeah, this has been a lot of fun, and it's always fun jamming with you, because I know you and I come from similar backgrounds and different similar mentalities of the way that we approach things, so it's fun to bounce ideas off you.
Chen Zamir
71:19
Wow. 100%. Folks, hopefully you enjoyed our first full interview episode. There's a lot of things cooking and more to come. In the meantime, you know the drill. Smash the like button, comment, subscribe, save, download, send it to your mother, send it to your grandmother. Leave a review and see you next Saturday.
Host
Chen Zamir
Head of Fraud Strategy

Guests

Matt Vega
Chief of Staff