Democratization of Anarchy in Payments

Announcer  00:04

Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.

Craig Jeffery  00:18

Welcome to the Treasury Update Podcast. This is Craig Jeffery, your host. Today, I’m joined by Ernesto Rolfson, who’s CEO of Finexio. Ernesto, welcome to the podcast.

Ernesto Rolfson  00:28

Hey, Craig, great to be here. Thanks for having me.

Craig Jeffery  00:32

I’m glad you’re here as well. The title of today’s podcast is democratization of anarchy and payments. That’s a mouthful. And just some background for that the the ongoing attack methods that we see attacks on companies that target information that target payment channels has certainly scaled heavily over time. And this is due in large part due to the effective use of technology by criminals. And this includes the use of technology, including generative AI to help create deep fakes. More effective spoofing and compromising companies has been challenging both AP and Treasury groups mightily over the last four or five years, the criminal playbook is becoming enhanced with this technology. And this has resulted in the democratization of anarchy in the payment world. Ernest, I wanted to ask you, Have you have you? Have you used chat? GPT? For anything so far, you played with some of the AI tools? Sure, yeah.

Ernesto Rolfson  01:33

Well, we’ve been using Chat GPT at the company after using Chat GPT in some pretty fun and effective ways in our personal life. So we’ve been pretty active users and you know, passionate followers of technology. So, you know, we’re leveraging here at the company, Chat GPT, around sprucing up our emails internally, externally. We’re using it to generate content as it relates to educating our partners and customers in the broader marketplace. We’re starting to dabble with Chat GPT around data analysis, we’re using other you know, hardcore commercial tools around AI, you know, around data, but Chat GPT has been introducing some new capabilities there. And we’re using it as well to help us internally summarize our meetings and action items and look for trends, as well as for training.

Craig Jeffery  02:32

You know, as I think about Chat GPT, it’s, it can do a better job than an intern much faster, it’s more accurate. Now, it still has problems, you still have to guide it with experts if you’re trying to put together some research. But it’s pretty fast and pretty impressive. And certainly like you said, the criminals are using it and using it quite effectively. And so maybe we can start start there. How is AI bolstering the criminal playbook and toolkit? I know we mentioned the beginning deep fakes, the world of fraud. You can even create code with these these tools. What what are you seeing there from the criminal playbook?

Ernesto Rolfson  03:11

The thing that wer’e paying attention to were ways that businesses looking to deliver payment could be fooled into sending payment information to the wrong place, which is often around a criminal pretending to be someone they’re not, right? And so that involves using technology to impersonate payees or suppliers in the business payment world and that’s around typically that was around email and making the emails look like it’s coming from someone that it’s not. And being crafty around even the verbiage or the word choice to seem like you are that person. However, now with deep fake technology and AI, we have real concerns around using hyper realistic but entirely fake audio and video content to do much more of the same in an even more convincing way to impersonate suppliers as it relates to people. And that would reduce the bar even further around businesses sending money to the wrong place or agreeing to change let’s say an email address or the really the worst culprit is changing that bank account because they think that they know and trust the person. And this technology is now, and has been in fact for some time, completely democratized and available to anybody.

Craig Jeffery  04:41

You know, you think back on some of the earlier attempts at spoofing it was it was very horrible. It was English as a fifth language and typing with your elbows. And we all laughed, and then it got better, and they got people to do it. And it got better and then the business email compromise improved and improved. But now you’re saying yeah, The audio and the video, you think of a lot of the CEOs are on earnings calls, there’s a lot of their voice out there, which can be spoofed.

Ernesto Rolfson  05:08

That is correct. We have gone on and I don’t know that it’s out living on the web yet, they will be soon.  We’ve gone and created our own deep fakes of some of our executives, to educate our team and show everyone how simple quick and effective it is to create this.  Just as we’re starting to get the education and what’s there and the kind of the stat that I think is important to share around why this really matters, I’m sure we’ll get more into that, is that 53 – this is according to AFP, pretty reputable organization around treasury and payment matters – 53% of companies are validating payments and payments security verbally. And that’s what is really shooken us and having us so concerned around the use of other very prevalent commercially available technologies around identity verification, and process verification to help protect against these new imminent threats and b2b payments.

Craig Jeffery  06:09

Do you remember if they, if they identify the different methods, whether it’s verbally or otherwise? I assume that’s all under the category of an out of band validation? Like if you get an email on it, there’s, they’re using a different channel like voice in that case?

Ernesto Rolfson  06:24

Well, that’s just, yeah, no, you’re you’re right on the out of band.  What you’re talking about is a high level of sophistication, Craig.  Not surprising, given your knowledge and experience.  Most of the businesses in the country still, those middle market type clients, certainly down to SMB, where we don’t play, but we have familiarity, right, is what’s driving the 40% plus of paper checks that remain. And the 11 trillion or so of spend that that represents is with businesses that are not using any sophisticated processes at all around managing bank account information and payment information, and are certainly not using software applications like Finexio, or any of the ecosystem partners Finexio’s integrated in, that would meaning using software tools, whereby they would even realize, wait a minute, I’m getting a phone call, this doesn’t sound right to me, I’m gonna go and look at why isn’t this through a process.  Their process today is all phone and some scribbles on, you know, post it note that they have and hope it all works out. So we’re partly educating around that. But even the you know, using a vendor tool around a bank account validator may not be at its really having a multi factor, multi form approach for combating and thinking through the if then then this type scenario, just because the pace of the technology and the attack vectors is is accelerating at such a rapid pace. And this is only over the last, you know, year or so that this has really gone nuts. And we haven’t seen any problems within our customer base yet. However, the phishing and the spoofing and the attempts are, we’re only seeing and hearing and then the data sources we read that it’s only increasing, and we just know it’s just a matter of time, which is why we’re leading, a leading voice around being ahead of this.

Craig Jeffery  08:29

That’s a that’s a good point. It’s it’s supremely easy because it’s available. I mean, that’s why we talk about it as democratization now it’s, it’s available to anyone.  The criminals don’t have to be hyper sophisticated in terms of resources, just using those tools.

Ernesto Rolfson  08:45

It’s basically free. And can you do a few clicks? And do you have a microphone?  That’s the barrier. Now the cost of generating information has gone to zero with this wave of AI. And, you know, all those 1000s of monkeys at the typewriter creating Shakespeare, they’ve now, right, they’ve now bottled that.  It’s instantly available. And you’ve just got to be aware of it, which is why sophisticated enterprise software solutions around payments are the way that most businesses will migrate to. And ones like you know, our company at Finexio that are, you know, aggressively pursuing the state of the art in this area is is, you know, I think what’s going to bring the most solution to bear the fastest for the most companies.

Craig Jeffery  09:33

Well, I want to I want to ask you about the layers of security and why that’s why that’s so important or expand on that discussion. But but using that term layers, but I was thinking when you talked about the video and you using some of your executives, I’ve wasted a little bit of time watching shorts from time to time, right?  They make them addictive and you’re watching, and there was this one that was I don’t know, maybe a month or so ago, it seemed like the telling very bad, like dad jokes, it was, you know.

Ernesto Rolfson  10:02

Oh, I love a good, I love a good dad joke.

Craig Jeffery  10:05

US presidents, you know, Biden, Trump and Obama, you know, they’re telling all these jokes. It’s them. It’s all spoofed and AI driven. Yeah. But they’re telling it, it’s in their voice. The timing’s there.

Ernesto Rolfson  10:20

You can’t even tell, you can’t even tell.

Craig Jeffery  10:22

Yeah, except they never crack up. But you know, that have to crack up at some of the bad jokes. But there’s certainly a lot of a video footage of presidents, you know, even others, you know, you’re on earnings call report, or you’re on Squawk Box or whatever, there’s, there’s your voice. And there’s video in different places where that can be captured. So whether it’s just voice spoofing or video, there’s plenty of opportunities to compromise systems.

Ernesto Rolfson  10:50

Yeah, well, they tell me, it’s, they haven’t been able to get one of me because my voice is just so high and nasally that the AI hasn’t yet figured that out. But, uh, gotten back to the, to the topic, I mean, one thing you can do to avoid a whole lot of this nonsense, is leverage payment methods that are extremely secure. And there’s just a lack of education broadly in the market on what that is. And so it’s really about what methods you’re using, and how you’re using them and why and where even an education level is there amongst your CFO, leadership team, and your bank. But the payment method that we view here is most secure. plus plus is a virtual card. And with virtual cards, right, you’ve got limits on the dollars of spend, that you don’t have with ACH and check, you’ve got randomly generated numbers that can’t be reused. You’ve got no exposure to banking and routing information. And so you’re getting with this payment product and number of these, going back to your question on layers, right? You’re right, it’s many different layers.  Starting with the controls is like, let’s talk about controls that are inherent within a product, before you start going downstream to where humans are involved. Because humans, as we know, are the weakest link in the chain.  We can be fooled, we’re not robots.  We can be fooled, we can be tricked, we can wake up from a bad night’s sleep, and we’re not paying as close attention that day. So it’s like, you know, things where check, you know, or more old school and paper and have inherent risk to some fraud, you can scratch out the numbers, you can white out the name, there’s a lot of crazy things you can do with check fraud, and I’m, you know, maybe another podcast, we can go deep into what all those things are. But with ACH, you make one small change to the account number or you know, something very minor, it could be very quick, you call up somebody, pretend with the voice, what have you, and you could be out a million dollars almost instantly. And the criminals are going and changing that bank account that same day or next day. And, you know, good luck. So that’s where and we can talk more about based on what you want to get into other things you can do in layer, but our view at Finexio, it really has to start with, are you using secure payment methods? And are you promoting those payment methods and really educating even the suppliers and the team in the accounts payable and finance department on why this is secure? Because payments aren’t free. And that, very cheap. You know, look, ACH is, some banks give them away for free.  ACH costs 10 cents, there’s no protection, it’s very cheap for a reason. Virtual card is free to the sender, but the receiver of it is going to have to pay some several 100 basis points. But that’s because the card networks are covering the fees and security there with their version of insurance with the banks are paying into, and you’ve got all these control features that they continue to invest in around the protection. So it’s really that that trade off of what is really free versus not and what is the cost of the overall system. And that that’s really what you have to think about there. Something like I don’t know, 63% of companies last year experienced some type of check fraud, but the ACH fraud in terms of dollars dwarfed the check. So it’s just you know, there’s no you’re not really safe anywhere. But certain electronic methods lend themselves to being more risky, which then require additional layers of checking.

Craig Jeffery  14:59

If you remember are some quotes you may have seen them obviously, I don’t think either of us were alive when he was there. But the bank robber Willie Sutton was asked, Why do you rob banks? And he said, Well, that’s where the money is, right? There’s less, less opportunity on the check front. It’s easy, it’s easiest to do checks. But there’s less money there. So people have moved heavily on to the ACH side, and wires. And, you know, any channel can be compromised to some extent, but like you’re saying there’s, there’s different levels of security, different levels of cost, different levels of efficiency. And those have to be factored in, you know, as you think about the attack methods that criminals are using, as well as the channels that they’re exploiting, what else would you say about how this matters to corporates, AP professional, a treasury professional or treasurer? Is it think first about how criminals attack, and then the security payment channels, take them in together, you know, as different layers? How would you advise people to approach that?

Ernesto Rolfson  16:06

Yeah, well, I think, I think part one is, it really matters a lot, just starting there. I mean, this is based on our knowledge, what we’re seeing what we’re reading, why we’ve invested so much in anti fraud prevention, and identity verification, and bank verification is because it is very real and present danger. And so companies just have to care about this. And in fact, you know, when we talk to our corporate customers, they understand that the fraud is a, just a cost of doing business around running the company, right?  You’re gonna have some fraud, just in accounts payable period. It’s just do they understand how big it could be. And when you’re naturally larger, and you’re dealing in billions of dollars of spend, it’s much more likely that you’re going to have several of those six figure losses and million dollar losses that become a real black eye.  I think, though, that companies largely think that the manual checks and balances, the double verification of let me hop on, it’s usually right, it’s like, okay, we’ll check this, and we’ll have a person or team, we’re gonna have a manual review of all these things.  The thought leadership coming out of Finexio with the democratization of all this anarchy that’s available is that that manual step is no longer possible, that the, hey, okay, you’re gonna get the email in about the change, and I’m going to reconfirm your number. But now, let me hop on the phone with you, and confirm those details with you verbally. And I’m sure you’ve done that with the 100 banks, around your life or even with any company where you may have sensitive information, your health insurance, right, your medical something, we have to get on the phone and confirm some details or a password, you know, the whole your mother’s maiden name or the address you grew up on as a little kid, those kinds of checks with the voice. And that becoming prevalent and instantly available, we’re seeing that no, you now the people process of this is becoming less and less important. And the technology driven, repeatable steps around this is more, if not equally important. And and those categories are around identity verification, using actual documents, and the security features built into the IDs around validating that a person is real and who they say they are leveraging where applicable biometrics, and I think we’ll see that continue to grow as a replacement to dual factor, especially as the AI gets smarter and smarter. You can have AI agents execute commands for you. And you said at the beginning of the podcast, execute code.  We’re almost there. Maybe we’re a few months away from that, right? So leveraging the biometrics look at all that fantastic security work Apple has done around biometrics, both with the face and the fingerprint reading, and that’s why they are now a leader in that area. And then the last is around cross validating, right, it’s confirming that the data provided digitally and validated for accuracy matches the data that’s originally provided, layering in third party services to also correspond to that.  You know, we use something called account verification services, which is brought to us by our partnership with JPMorgan, is another third party bank channel to come in and add that extra layer and you know that they happen to be the largest bank in the United States and the one or two bank in the world. So based on what measure you look at so we think that the scale of that helps, but as with anything, not one thing is going to be a enough and then that’s where you go further downstream pass that around using AI, which JP Morgan does and by extension OS and other third party tools we use around the anomalies in the transactions themselves, right, whether that’s frequency, recency, transaction sizes, unexpected payees, and leveraging various government lists, and do not pay lists at a state level, local level, in addition to the federal list and global lists around, you know, that potential bad actors which are changing on a daily basis.  So, so there’s upstream and downstream things you can do. And our house view here is that it really has to be a mosaic around leveraging these tools in a smart way. And it’s it’s not about, again, if you’re a corporate, you don’t have to be the AI computer science expert. It’s around, Are we working with a partner that is leveraging these things and our benefit? And do we understand the basics of how it works? Or to the extent that you’re a vendor and payment processing company, payment service provider, embedded service company, payments as a service company, like Finexio is, are you, do you have an understanding around this as your culture and in your product strategy and fit that you’ve gone and integrated in embedded in best in class solutions and processes to create a seamless experience for these corporates that want to take advantage? That’s the route that we’ve taken here.

Craig Jeffery  21:30

Yeah, that sounds good. I want to I want to spend a little bit more time on that. But before doing that, I wanted to have people get to know you a little bit more about what you do. So why don’t you just describe what you do at Finexio?

Ernesto Rolfson  21:44

Sure. Finexio is an accounts payable payments as a service company. So we help corporate customers transition to digital forms of payments, and we help them identify, deliver, support, protect, and enroll all of their electronic payments, helping them again, get that transition typically from manual processes with paper checks into a safe and secure and seamless electronic payment environment.

Craig Jeffery  22:15

Great. And in the shownotes, you can see a link to their to their website. And Ernest, what do you what do you do at Finexio?

Ernesto Rolfson  22:25

My card probably says, you know, like, chief bottle washer, you know, floor mopper, but I am, I’m the My day job is the founder and CEO. So my name is on the door, I’m responsible for everything. I am very much focused on working to grow our business, with very large partnership relationships we have with accounts payable and procurement software companies, as well as financial institutions that are looking to deliver best in class embedded payments solution with the things I mentioned in my what does Finexio do comment inside their software package. So they’re looking to basically increase the ROI and investment that their customers are getting out of very complex enterprise software around accounts payable, introducing payments as an extension of that, and ensuring that our company is creating very delightful features and services around the shift and migration to electronic payments, which very much includes enhancements around fraud and safety and security which post pandemic has only accelerated in interest and, and prominence. So something an area I’m passionate about keeping customers and our business safe and secure, but also helping everyone understand how payments can be profitable and efficient and not scary.

Craig Jeffery  23:58

Yeah. So So getting back to the discussion you talked about the people component can be perhaps the greatest weakness in leveraging technology like ID verification, cross validation. What other are there other items that we should be thinking about here? I think you described them as a mosaic, like a bunch of different, I don’t want to call it validation services, whether it’s a mosaic or layers, any other layers and other pieces that fit into the mosaic that we need to think about. And I want to come back to the reason for the corporate treasurer and AP professional.

Ernesto Rolfson  24:35

This is kind of upstream from Finexio, but having a really good formal vendor onboarding, sort of KYC type process, we don’t even see that existing most of the time with a lot of businesses as well.  As we go and work with many more, this is over the last few years, we’ve done enterprise customers and work with some of these very large, as I mentioned, enterprise software companies, they’re providing those services or doing that. But that’s a component for sure. You’ve got identity verification, you’ve got bank account validation and verification. Typically, there’s a variety of tools that you need to use for that, because there’s different types of businesses or entities and accounts that need to be verified, whether that’s a consumer, let’s say that it may, right it’s a it’s a small “B” business, because, say you’re a university trying to pay a vendor, but that vendor is a visiting professor who’s just a guy with an LLC and he needs to be paid $5,000 For that one day lecture he gave the university he’s gonna have a different different profile as well as sophistication, then, right, paying, gonna use them as an example Apple Corporation that you’ve bought all your computers from for the university, right? So it’s a different level there. That’s a component to, again, using third party databases and datasets, we actually I referenced account verification services, we’re actually using a number of third party tools and services around identifying and validating what a business is.  Another large, well known company I might reference would be like a LexisNexis as well.  We’re leveraging and appending data from another major player is Zoom Info to help correspond and match. So it’s, it’s a number of steps that you have to do across the whole board up front.  What information do I have? Is it clean? Is it good? Do I know what it is? Is it stored someplace safely and securely? Is it encrypted, and the relevant information around PII or account info, is that encrypted someplace? Can anybody access it? Can Gene in the accounts payable department just stumble upon it? Or if Gene decides he’s going to be a bad actor, can you go in and just make the change and and there’s no audit trail? So that’s another component.  Is it in a system where you can track who changed what, when, and how, and then applying all these tools, and having software and technology to match that against what was previously entered, again, with the audit trail and letting every no everyone know what happened, and that they’re good to go. That is a kind of a bit of more of a process overview as well as some of the steps of where the technology would interact. And, you know, absent using technology, that’s where you have a person, that you just have to trust that they’re doing some of that, and are completely perfect 100% of the time. And I think the unfair reality is around the treasury department, and within accounts payable is very few organizations that I’ve seen in my 15 plus year, you know, b2b payments, accounts payable career, which I didn’t mention earlier, but I’ve been in this space for most of my career, back office stuff can be fun and sexy, if you make it, is that these folks have pretty demanding, complex jobs with a lot of moving pieces where the payment delivery or bank account piece where the fraud vector is happening, right, it’s around that change. That’s just one small component of the right, they’ve got to get vendors in the system, they’ve got to get invoices in, they got to approve those invoices, they’ve got to validate the all that, they’ve got to manage it all for routing.  Maybe they’ve got some complex coding and accounting they need to do.  There’s this three way match process. So it’s just the overwhelming scale of growth in an expanding business environment with a very tight with very tight over the last few years until today, labor market conditions were CFOs, finance folks, treasures are being asked to do more with less. While the risk is increasing, the technology is expanding. And if you’re still doing this manually, you’re just asking for a very bad day, right? A very bad weekend that’s going to be coming up at some undisclosed date in the future, when you realize you have a problem. Or you discover that problem that has been occurring for months, right under your nosd. But because everything was on scraps of paper and an Excel spreadsheet on someone’s hard drive, you just couldn’t identify. And this isn’t even assuming there’s a bad actor in your shop, which is what’s really scary.

Craig Jeffery  29:13

Someone gains control of credentials, you know, Ernest, when you were you mentioned a few things like some organizations spending more time on the vendor setup and onboarding process. You know, we’ve seen that that level of care go way up, particularly with banks, and then insurance companies, and a few other types of industries. But that level of effort is not something that most firms can do the overheads just too, too much. And so I wanted to just hear just your comment briefly on how does the wide range of companies achieve those benefits?  And this is not a an opportunity for a sales pitch, of course, but the democratization of anarchy and payments is an issue that matters to corporates like accounts payables professionals, treasures. What’s the big risk if they don’t do it? Or what are the risks if they don’t do it? I know there’s losses. How would you position that as a as a reasoned warning considering the ongoing increased threat?

Ernesto Rolfson  30:13

Yeah. Risk number one is significant financial loss.  You’ve got serious reputational risk and harm to the extent that critical supply chain vendors and suppliers, and I’ll take a step back.  You know, there’s an 80/20 rule in accounts payable where 80% of your spend is going to go to 20% of your suppliers. The bad guys know this and are targeting the highest volume type ones as well and are typically monitoring folks and looking for an entry point around the email. So they’re usually waiting and watching.  You’re missing now, you gotta you got a problem, you’ve got a fraud, you got a breach, you’ve got an issue. Now you’re at a million dollars, you got to scramble to figure out what’s going on. Meanwhile, payments that aren’t being rendered for services being delivered. Now you’re having stoppage of service. Right now you’re having electricity shut off. Now you’re having phone shut off. Now you’re having your trucks shut down, critical vendors not being paid. Now your customers hate you. Now you’ve got a bigger explaining to do as well. So it gets into the reputational component, but it’s a critical business function shut down around these areas combined with again, not stopping people from getting into your systems. They could shut down the whole finance department, hold your accounts hostage, needing you to have to open a Bitcoin wallet someplace to send these guys money to unlock your stuff, right, we’ve seen that happen a number of times go into cold storage to try to unlock access to your accounts. And we’ve seen one, I won’t mention any names, but we’ve seen one major accounts payable software company. And I think twice in the last 18 months get hit with data breaches around this. So back to your point on, you know, I rob banks, because that’s where the money is. These folks are not dumb. They’re smarter than us. And we’re just trying to here bang the drum and say, Look, this technology is, is going nuts right now it’s available to anybody there. It’s smarter than, again, that back office worker that they’re just not trained and ready for this yet. And not dumb. They’re not smart. They’re not bad people highly motivated, but they don’t have the tools to combat it this thing.

Craig Jeffery  32:31

Excellent point. Well, Ernest, as we as we wrap up, I wanted to give you a chance for any final thoughts. It could be a re-emphasis of a point, or it could be something new, what would you want to leave the audience with?

Ernesto Rolfson  32:45

The key point here is that this technology around artificial intelligence, generative AI, deep fakes, video generation technology is here, it’s real, it’s only going to accelerate, as is electronic payments. That’s very real. That’s only increasing in interest and attention and is in fact, in high demand by suppliers and payees, and businesses and CFOs are looking to take advantage of this. But how can you deliver all this safely, securely and very profitably?  Our view is that leveraging the safest and most secure digital payment methods like card, virtual card is powerful and compelling and should be leveraged with organizations like Finexio that can help guide the way there. But that’s not a panacea, because that payment method won’t work for everybody. And even though new payment methods are coming out, you still got to support all the old ones. And the old ones have fraud, the old ones have problems, and the criminals know that and they will attack the weakest link. Because that’s where if you want to get through the fence, you would go and attack. So you’ve got you’ve got to have a comprehensive strategy around this. And I think partners, technology and thought leadership to help you think through how to do that in a safe, secure and easy way while servicing the needs of customers and vendors, right, that are also pulling it pulling out these businesses saying hey, we want to get paid faster, we want to get paid cheaper, the checks are costing us time and money too.  I’ve got George over here is manually going to the bank every week to go deposit these checks. We don’t want to be doing that.  We want to be paid electronically, right? When improve our cash flow.

Craig Jeffery  34:30

I like it.  Attacking the weakest link or every link that’s weak, where there can be a fruitful theft. Yeah, it’s a big issue. Thank you so much, Ernest for for your time today on the Treasury Update Podcast.

Ernesto Rolfson  34:44

Thanks for having me. Really fun conversation.

Announcer  34:50

You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice>  For more information, visit and bookmark StrategicTreasurer.com.