So Let's Talk About Fraud

Hello, and welcome to The Purposeful Banker, the leading commercial banking podcast brought to you by Q2, where we discuss the big topics on the minds of today's best bankers. I'm Dallas Wells. Welcome to the show. 

Today I'm joined by Lou Senko, Q2's senior vice president and chief availability officer. Lou's team is responsible for the availability, performance, and quality of the solutions we deliver, as well as the security and compliance of the environments that those are delivered from. Which basically means that Lou is in charge of all things surrounding the hosting of your digital branch. Uptime, performance, security, and compliance. 

That about cover it, Lou? 

Yeah. That's right, Dallas. Thanks for the intro. It's really one throat to choke. But I have some great partners, with both Beth-Anne and Blair and Hima, around our new CISO, our new chief risk officer, and our new chief development officer. We all have the same stake in delivering quality services. 

The reason we wanted to have Lou is, as you hear from his title and from his background, security and fraud. Any time we walk into a room with a customer, a banker, or a credit union exec and say, "All right, what do y'all want to talk about today?" Inevitably, one of the top probably two things on that list is fraud and security. It's top of mind for everybody. Lou and his team and are in the trenches, helping fight the good fight there. 

A few of the credentials up front, before we jump in, just so you know who you're listening to here. Lou's background, he's been a part of high-growth global companies. He's done 30 mergers. He's moved more than 14 times for his career. He's been recognized as CIO of the Year in 2019, again in 2022 by a couple different industry organizations. 

Lou, your teams were at the forefront of delivering those Q2 critical services to 37 million and growing end users, moving $3.5 trillion of money every year, with some really high expectations. You've seen a lot and done a lot. As I have said a couple times as I do intros, always makes you feel the gray hair a little bit. But anyway, Lou, welcome to the show and look forward to the conversation. 

Yeah. Thank you very much, Dallas. To be clear, it's wonderful teams that actually do all this great work for us. I get the privilege of sitting on podcasts like this, talking with folks like yourself about all the great accomplishments they've done.

Yeah, all right. Let's jump into it. As you just said there, Lou has lots of conversations. Both with Q2 customers, and because Q2 has this award-winning security environment, Lou gets the chance to talk to lots of folks within the digital banking industry and beyond about a lot of the stuff that we're doing here. 

But recently, you were on the stage at our customer conference, CONNECT 24, talking about fraud. Typically, when you're having these conversations, you're talking about security. Those two words, they seem synonymous to lots of folks. But why the slight shift? Maybe if you could break down, what's the difference between security and fraud, and where's the overlap there? 

Yeah, yeah. Great question, great question. As you've said, we've been on stage for the last couple of years talking about security because that was forefront in our customers' minds, as cyber, and moving to the cloud, and different workloads. And just being comfortable that we're ahead of those emerging threats, and thinking about how we can spend for 1,400 customers and bring next-level solutions to this. I think the customers, their IT shops and their security shops, their risk and compliance groups, got very comfortable with Q2 as a partner. We try to be very transparent in how we do things. We're not perfect, but we spend a lot of time and energy on this stuff, and being very transparent in how we do this. 

Well, now the topic has shifted to fraud because fraud is on the rise. Fourteen percent growth year-over-year, $10 billion in fraud losses last year. Some of the specific things, like account takeover, up 380% year-over-year. These are really prevalent issues that the customers are dealing with. It's a different part of the customer, that it's not the typical security, IT, risk and compliance shops. It's a group inside the business dealing with fraud, and answering the calls, and working with the end users, and covering the losses, and trying to understand. To make them feel secure with the business relationship, but trying to also then deal with what the real problem is and stopping it. 

As we continue to try to be our customers' best partner, that digital branch is an honor to host, but there's a lot of responsibility that comes with that. The customers are asking us to lean in more now on the fraud side of the business. Even though most of that fraud is happening outside of Q2, so it's happening with compromise of credentials, or an email, or a device, or something. But the money move is in Q2. We've got joint stake here. They've asked us to lean in. 

When you think about the cyberfraud fusion, the way we think about fraud is that something happens, and it gets in, and it goes and moves money. When you think about security as far as a breach would go, something happens, they get in, there's a trail of breadcrumbs, and then they go do a crime. It's not just about catching that crime and killing that crime, but following the breadcrumbs back up, and trying to follow this kill chain thinking about, "Well, how far up could I have stopped this? What else can I do differently?" 

That's the way security thinks, and security has a lot of hygiene, and a lot of things like compliance, and regulations, and certifications that they do to be really good at their craft. Well, we can bring all that same thinking to fraud now. There's a technology play there, there's a hygiene and process play, there's a people and skills play. Bringing the security and fraud together in that cyberfraud fusion is the next hill to climb here, as we tackle fraud. 

I know as you were describing that, it made me think of the evolution of the industry. Once upon a time, the security was a little easier to wrap your mind around. It was literally the vault door for a long time. Then once we did start building some systems, they were all on-prem, and you could build this strong perimeter. There weren't a lot of pipes going in and out. You could contain that pretty well. But as we've moved toward this much more open finance approach, that's an inevitability. That's not a trend that any financial institution out there can fight against, nor do their customers want them to. But as we've had to open that perimeter to offer so many valuable services, it's made this much harder. That's interesting that now your team goes from defending the wall, now operating on both sides. 

Right.

Because the fraud's happening all over the place. 

When you think about infrastructure, it used to be physical things, and now it's really software. That's really blended into the application and it's all just software. You think about protecting the money, it used to be from a breach into the infrastructure. I won't say we have that covered, but we've done a lot of work there. 

Yeah. 

Now the easiest path is misuse of the application. Stealing someone's login and password is much easier than trying to get through the 25 layers of defense we have around an infrastructure attack. 

Yeah. One of the elements we've talked about on this podcast a couple times is even though the fraud has gotten much more sophisticated, there's much more of a technological bent to it, it's still a human element. The weak point is still the human beings using that. As you talk about that, stealing somebody's username and password, that's rarely, or at least not as often, a hacker in a hoodie cracking somebody's password. It's usually some form of social engineering, or somebody's got a password taped to a keyboard, or those very simple things that then allow them to bypass all the millions of dollars’ worth of things that y'all put in place. 

Right. 

Yeah. Let's talk a little bit about, you mentioned there's some of the trend in fraud losses. What are some of the biggest culprits there? Especially when we look at the commercial angle of it, where do we see the big exposures for financial institutions? 

Yeah. The two big ones, and there's probably six that ... If I think about all the categories, there's probably six categories. The two big ones are account takeover, meaning someone is impersonating that person with a login and password, and how they get by their multifactor, and all that stuff. The other one is account opening. Opening accounts, it's deemed now that 25% of those are for fraudulent purposes. We got really good during COVID, when all the branches were moving all the services to online, opening accounts now is the thing. 

But then you have your typical check fraud, and your credit card fraud is an evergreen standing too, that happens. Then dealing with instant payments, and that's not so much commercial, that's more the retail side of the thing. 

Yeah.

But instant payments have become a real challenge because, again, me paying my neighbor's kid 10 bucks for mowing the lawn, that's a very difficult transaction to understand. Is this normal? There's no payment history. We don't really know the end point. It becomes much more of a very difficult needle in a stack of needles to understand if that one's legitimate or not. The fraud, normally that's small dollars. 

On the commercial side, it's really about people getting in, and then moving big chunks of money in ways that are trying to defeat what abnormal looks like. 

You touched on it a little bit there, the instant payments, all the P2P services that are out there. What we end up with is this daisy chain of payment processors and providers, and different rails. The risks that financial institutions got, frankly, pretty good at managing was things like wires. Once a wire is gone, the pattern was it's gone and then it scatters really quickly. This ecosystem that we have now is scattered by nature. Once that money does leave, it's really hard to track. 

That's the interesting balance that I think financial institutions have to face is that ability to quickly get that money out with as little friction as possible. That's the point. 

Right.

That's the products that people are asking for. But then, those are the most susceptible to fraud and the hardest to track down. It's not just that there's instances of fraud, but that the loss rates on that fraud are really high because it's hard to ever recoup it. 

With those challenges, what do banks and credit unions do about this? As you're talking to customers, "Look, fraud's up. Feel like we got to offer these things. We feel like we're fighting an uphill battle." What are some of the tangible things that we try to put in place? 

Well, again, great question. Almost 50% of financial institutions are implementing some sort of new technology to go fight fraud. If you're like me, you're waking up every morning, there's five new emails from companies you've never heard of with what sounds like pretty interesting solutions to new fraud angles, new fraud services.

Yeah. 

The challenge is to sort through all that, and figure out which ones are keepers, which ones actually really have some muster here, which ones are different. The stats show about two-thirds of the financial institutions that have $5 billion or more under assets are implementing technologies that use things like machine learning and AI.

The proof is in the pudding here, in that those folks that used AI, only 28% of them saw a significant increase in fraud or fraud losses. Compared to ones who didn't, 38% of those saw it. There's a marked difference in what those solutions were able to do for folks that successfully implemented them. 

When you think about Q2's approach of how we can help our financial institutions find the right solution for them, the right third-party vendors to partner with and solve these problems, make some bets but be flexible in that they can take advantage and stay agile. If the market changes, new threats come on board, they can adopt that, and drop the old ones, and change. We want to really empower choice. When you think about Q2's position here, with 1,400 customers, we have a $200 million credit union, and we have a $200 billion commercial bank. 

Yeah. 

For us to create a solution that would be the right solution for all those different use cases is impossible. Rather than force one solution trying to cover all these different surfaces, what we wanted to do is really provide a place where they can use the power of our platform, but leverage this huge ecosystem of fraud tech. 

Yeah. 

That ecosystem, every day is just growing bigger and wider, and new things come in. I'm sure, in six months, it'll look very different. 

The way we're trying to do that is really bring them into this marketplace concept that we've been very successful at bringing different solutions available to our financial institutions. Yet, fill in with fraud tech, different ones to solve different problems. Solve the check problem, solve the account opening problem. Solve the account takeover problem. There's different philosophies and different technologies that are used in different vendors. What we want is our customers to get comfortable with the vendor of their choice and the solutions that make sense to them, the way this technology works. Once they find that one, again, like the typical marketplace experience, it's an app store. You click on bit, boom, and wait. It comes pre-integrated and pre-wired into the Q2 platform. 

That then reduces this friction around, "OK, now I bought this solution. Either it has to operate separately from Q2 and the rest of it, and I have to find ways to get the information in, make decisions, and somehow, real-time interaction with the transaction in flight. Or I could leverage the power of this platform where things are already pre-integrated, pre-wired, and pre-go.” The way we're thinking about this then, is basically offer all the Q2 products creating signals around the user, around the transaction, around the endpoint, around the things that they're doing on the platform, behaviors, traits that they have—those signals are going into an orchestration hub. Then we're going to open up that hub to allow third parties, those solutions, to plug into that same hub.

Basically, this hub then is the one place where your employees, the financial institution employees go to set up the decisions. "Hey, signals, this risk rating is letting me know about. This risk rating is low enough, let it go through. This risk rating is dangerous enough, I want you to block it." As all the different third parties come up with their own different ways of coming up with the risk statement, that goes into the hub. Then the hub, you have one place where you can create the decisions, one place where you can work the cases. Out of that comes, then, this ability to say, "OK, I've got the signals from the various pieces. I've made a decision." I'm then either going to block it, allow it, or cause in interdiction. That interdiction can be things like have them MFA again, have a dual multifactor authentication. I can do a bunch of different things, just to go from this warning to this block. 

Take the best of the solutions that meet your needs today. If in six months, there's new ones, you can plug them in, you can dump other ones. It doesn't change where you're working. You work in the hub. The last thing we want to do is have people have to log into 20 different solutions, try to orchestrate commonality between them. The complexity becomes its own security problem. This way, it all comes to one spot, you work in one spot, and you can plug-and-play with the third party settings you want. 

Yeah. 

A big, long answer to what was a simple question. 

There's a couple threads I'd love to pull on there. First of all, that concept of a platform approach, and opening that up to the broader ecosystem. As you've said, we've seen great success across the rest of the platform with that concept. We're doing the same thing on go-forward strategy around data, too. 

Right. 

It's got to be accessible. It's got to be in a place where you can extend it to the rest of your business and make use of it. 

For fraud in particular, that surface area has gotten so broad that a lot of financial institutions were finding themselves, "I've got 25 different point solutions. This one for this kind of check fraud, and this one for dispute tracking. This one for, now, Zelle fraud." There's got to be some place for us to consolidate that. 

One interesting thing that's come up as a part of headlines, though, this mess with Synapse and Evolve. That's just one of the latest ones. There's these sorts of things all the time, of a data breach, so maybe playing a little bit loose from some of the fintechs. That they're sort of in the banking ecosystem, and sort of under the regulatory scrutiny, but not exactly the same as the banks and credit unions are. That's a tricky thing for especially a smaller institution with some limited resources to try to navigate. 

I know both of us have some of these conversations with our customers. Where they're like, "Look, how do I know who to trust and who not to?" Can you talk about that a little bit? Of what's the right way to approach, "Yeah, we need that sophistication, we need that breadth of tools. How do we not get scared of the weak link in the chain there?" 

Yeah, another great question. It is a dichotomy of trying to figure out the right solutions and the innovation that needs to happen at the speed of innovation, yet manage risk. All companies are looking for ways to be more efficient, and that typically means global talent. Or third parties help you do a thing that you used to do, but they can do it better or cheaper. That third party could be in a different country than you are. The data is everywhere. As much as we do our due diligence, as much as we try to understand it, I think everybody ... As you know, there's a new one in the headlines every day. Everybody's susceptible to nation state actors. Everyone's susceptible to a change management issue. We have a lot of process, we have a lot of technology, we have a lot of people, but there's still opportunity for mistakes. 

Then once that data is out, and someone's got an account login and a password, and they get creative with social engineering to get the multifactor codes, and how they do that. Sometimes it's super technical how they steal the token. Sometimes they just talked to a person on the phone and tricked them. 

What we end up doing is just expecting the fact that's out there and that's going to happen. It's no different than the way we treat phishing emails. Our company trains our employees not to click on those emails, and we test them all the time. Random samples, very well-crafted emails. We're so happy when only six people clicked it.

Six exposures, yeah. 

All it took is one.

Yeah.

We've got to expect that whatever we do, it is not going to be perfect, and someone's going to try something. That's where these tools then matter. Our solutions and the signals, the third parties that have some unique ways to define that. Sometimes it's obvious, and sometimes it's behavioral. They're just doing something not quite normal for this user, and that could be a risk signal. 

The way you define your strategy around what are the types of fraud we're seeing, what are the things that we're least protected against, how can we create this ecosystem of partners, build different building blocks to plug the holes and gaps that we have. You can't do everything at once, so you've got to pick the most obvious things first. Put the puzzle together with the different pieces. Try it out. If it doesn't work, you can swap these things in and out. That's the whole beauty of this marketplace sensibility thing. 

Yeah, good point. 

We encourage great hygiene, due diligence, but we know that whatever we do, no one in the chain is perfect. Everyone is going to experience one of these breaches eventually. When that happens, just knowing that all that information's out there to be used against us the next time someone tries to log in, we just have to expect it. That's where these kind of tools will help. 

Yeah. If I can say that back to you, maybe. Across, in our case, tens of millions of users, billions of logins, trillions of dollars of money movement, the math says no matter how good you are, there is exposure there across some part of that ecosystem. I think the right approach is to, one, expect it to happen. Two, we try to limit the severity. Part of the messiness of the particular Evolve data breach wasn't that there was a data breach. It was that they had, in plain text files, all the PII, all together in one spot. 

Right.

Those are the things, that's what the due diligence is for, is make sure that isn't how they're handling some of that information. Those are the things that we try to help with, is some of that diligence around we know the questions to ask and where there might be some red flags. If we come across a partner that is not up to standards, as you said, it gets swapped out for another provider. 

I think that then leads to the other thread I wanted to pull on there, which is given that we know it's going to happen, and even if we try to limit it, what we then look for is changes in that behavior pattern. We look for anomalies. That's something that, it used to, it was a human being looking through transaction reports. Now that's something that is much more automated. That's where the machine learning and AI starts to really make a difference. For all the excitement, and in all honesty maybe parlor tricks that we see around AI these days, this is the real use cases. This is the places where we're actually seeing financial institutions buy real production-ready tools, put them in place, and actually start to see some real savings. 

Can you talk about any, and you don't have to name names, but maybe just conceptually, some of the things that you're seeing there that are in place and working in the real world? 

To your point, the technology's fantastic.

Yeah. 

When you think about, there's 34,000 logins to a Q2 product every minute. To be able to, real time, take that login and then understand that user, what they're doing on the platform is normal or not normal, and then to risk rate it and interdict that transaction in real time, 34,000 logins a second, is pretty cool. There's some really cool technology underneath it that makes that all possible. 

Some of the ways we're seeing third parties help solve this problem is looking at the endpoint and going, "Look, this is normal for this user to behave this way.” If they start acting abnormal, and that's on our platform and off of our platform, if it's not normal, then the risk of that is obviously much higher. Q2 does a bunch of things internally with the user, and the session, and the transaction. We try to determine is this normal behavior for this user? If not, we change the risk rating as well. 

If they do something that is maybe not about a transaction, but it's a high-risk event—for example, changing the target for secure access codes—that's a high risk event. Maybe that's something we should care about. In concert with other changes, maybe that increases the risk of what that user's doing. 

We have folks that have done some really cool things around MFA, where, "Hey, even if you get my login and you get my password, and you figured out some way to get the SAC code, so you've answered the three things that should let you get in. If it's not coming from the device that I personally registered, it won't pass.” 

Yeah. 

Those kinds of things, when you think about, hey, that really helps lock down even the ones where ... I hate to say this, but 48% of the fraud is targeted at the 60-plus age group. They account for 72% of the losses.

Oh, wow. 

They have the money and they also are maybe least sophisticated with technology, so this becomes the surface that gets exposed the most. If you can find solutions that allow you to be sloppy and it still doesn't get you what you want, that's really the coupe de gras there. 

This is a topic we've covered here before, too. There becomes a customer experience element to this as well. We're adding some friction, and especially for that particular cohort, they're not maybe all that technically savvy. We have to find the right ways to put that friction in place.

This is one of those things where the financial institutions that we see do this well, in that last mile, you've escalated all the friction up, they're still trying to do the transaction, eventually you might just have to have a human being call that human being. Verbally talk through it, verify, do what you can to then help them complete that if it's really them. Or help stop the fraud, if that's not the case. It's one of those things that there's only so much efficiency we can squeeze out of digital if you want to do it right, and that includes this fraud and security element. I just think that's an interesting twist, as we try to move all things digital. But there still, at the end, comes a point where we may have to have some people intervene here to make this go right. 

Right, right, right. 

Let's get maybe one more question in here. Let's just have you switch sides of the table, and maybe put yourself in a banker or credit union executive's shoes. New job, and now you're in charge of, for a bank or a credit union, these same topics. What's your starting point? What do you do to tackle fraud and security? What's the basic elements that you want to make sure are in place? Maybe what's the pecking order of those few things, of these are the things I know I've got to quickly get my arms around and make sure are in place? 

Yeah. Again, great question. Think about a building a roadmap of what good looks like. We're never there.

Yeah. 

We're always someplace else. Then we build our roadmap to get to where we want to be. It's all about allowing intentional choices. You can't solve it all tomorrow, but you build on, you build on, you build on. It's a capabilities things that you're trying to enable. You empower it with technology, processes, and people, and staff, and roles. This is the way we solve any of these business-type problems. 

In the fraud space, because it's still emerging and there's changes happening all the time, we want to make sure that our choices don't pigeonhole us into commitments that become irrelevant pretty quickly.

Yeah. 

This ability to bag a vendor after six months because it was the right choice at the time. But then, there's a new surface happening and we want to change that out to this new capability.

Yeah. 

That plug-and-play, and in-and-out, and adding new vendors that maybe do one thing really well, but it doesn't do all the other things. When you have to make a choice, you go, "Well, I don't have to make a choice, I can just add them and add that capability. Then a year, if that's no longer a need, I can unplug it.” This building block architecture is really, I think, a key strategy because it doesn't force you into having to make commitments that you wish you could undo as you get more information, or the criteria around making that decision changes over time. 

Yeah. That's interesting, because I think bankers are used to, in most of their business, reacting to cycles. Credit cycles change, interest rate cycles change. You morph accordingly. You try to not pour concrete around one particular strategy, because you may need to very quickly adjust as things change around you. But in terms of fraud and security, that hasn't always been the case.

Right. 

It's like, "This is our vendor and who we've used for the last 20 years, so whatever they have is what we have." I like that idea of maybe approaching in a way where not everything has to be like a heart transplant if you want to swap things around. 

Exactly. 

It's going to be a little more modular, a little more nimble, which is interesting. 

To your point, I think the IT capabilities were like infrastructure, were like the building. You built it once, and then everything ran on it. That's not the way we think about it anymore. We want to think about it more as very solution-focused. If there's a particular solution we need, a problem we have, a solution we need, we enable that. Then the problem changes, goes away, morphs, we can change our solution to it. Again, it's about the power of extending and taking on options. Not waiting on Q2 to think of every option, but Q2 as the ability to empower you for your choice.

Yeah, good stuff. Well, we'll wrap it there, Lou. I appreciate you making the time for this today, and given the relevance of this topic, I doubt it's our last conversation on it. Thanks for joining. 

Awesome. Well, thanks for having me, Dallas. 

All right. That's it for this week's episode of The Purposeful Banker. If you want to catch more episodes, please subscribe to the show wherever you listen to podcasts, including Apple Podcasts, Spotify, Stitcher, and iHeart Radio. Let us know what you think in the comments. You can learn more about the company behind the content by visiting q2.com. Until next time, this is Dallas Wells. You've been listening to The Purposeful Banker.