Industry experts estimate synthetic identity fraud costs the financial industry as high as $95 billion a year, and the most damaging attacks pass every verification check without triggering a single alert.

Tedd Huff, CEO of fintech advisory firm Voalyre and founder of Fintech Confidential, brings 25 years of payments and fraud infrastructure experience to a direct conversation with Hal Lonas, Chief Technology Officer of Trulioo, the identity verification platform trusted by Google, JP Morgan Payments, Stripe, Airbnb, and Meta.

Lonas explains why detection rates hide more than they reveal, how fraudsters now add intentional imperfections to AI-generated deepfakes to beat detection systems, and why agentic commerce requires an entirely new verification layer beyond KYC and KYB. The conversation covers Trulioo's Know Your Agent (KYA) framework, the Digital Agent Passport, Google's Agent Payments Protocol (AP2), and the privacy regulation debate most compliance teams have not fully worked through.

Find out more

1️⃣ Ask your identity vendor for their false negative rate, not just their detection rate, and demand specific numbers.

2️⃣ Build continuous monitoring into your post-onboarding workflow so your system is still watching on day 30, 60, and 90.

3️⃣ Audit every automated decision model in your stack and document the logic before your next regulatory exam.

4️⃣ Map your verification flow and tier friction based on real-time risk signals instead of running flat checks on every customer.

5️⃣ Get your compliance and growth teams in the same room with a shared dashboard showing fraud loss rates and abandonment rates side by side.

Guest:

Hal Lonas LinkedIn: https://www.linkedin.com/in/hal-lonas-4555b1

Hal Lonas X: https://x.com/hal_lonas

Company:

Trulioo: https://www.trulioo.com

Fintech Confidential:

Podcast: https://fintechconfidential.com/listen

Notifications: https://fintechconfidential.com/access

LinkedIn: https://www.linkedin.com/company/fintechconfidential

X: https://x.com/FTconfidential

Instagram: https://www.instagram.com/fintechconfidential

Facebook: https://www.facebook.com/fintechconfidential

Supporters:

Under.io streamlines application and underwriting by digitizing PDFs for digital signature: under.io/FTC

Skyflow is a zero trust data privacy vault delivered as an API, covering PCI, CCPA, GDPR, SOC 2, and beyond: skyflowsecure.com

DFNS provides wallets as a service, API first, multi-chain, secured with MPC, used by Stripe, Fidelity, and others: fintechconfidential.com/dfns

Hawk AI offers real-time payment screening, AML monitoring, and dynamic customer risk rating to reduce false positives: gethawk.com

About:

Hal Lonas is the Chief Technology Officer of Trulioo, where he leads technology strategy, product development, and engineering. He co-founded BrightCloud, a cloud-native threat intelligence company, and previously served as CTO at Webroot, Carbonite, and OpenText before joining Trulioo in 2021.

Trulioo is a global identity verification platform operating across 195 countries, covering 14,000+ ID document types, 6,000+ watchlists, and 700 million business entities.

Tedd Huff is CEO of Voalyre and founder of Fintech Confidential. The show is produced by DD3 Media and brings you the people, tech, and companies that change how you pay and get paid.

Chapters:

00:00 Introduction

01:28 Meet Trulioo CTO

02:48 From Space to Security

04:11 Dfns: Wallets as a Service (sponsor)

05:32 Sleeper Accounts Explained

08:33 False Negatives Metric

11:43 Explainable Adaptive ML

13:23 Deepfakes Raise Stakes

15:03 Asymmetric Defense Signals

17:51 Privacy Versus Safety

21:25 Sky Flow: Building Fast and Secure (sponsor)

22:27 Friction Based Risk

24:16 Case Study ConsenSys

26:04 Know Your Agent Future

27:52 Agent Passport Checks

32:43 Open Standards AP2

34:35 Are Defenders Losing

36:05 Leader Advice Wrap

40:37 Final Thoughts and Outro

41:36 Hawk AI - Realtime Fraud Monitoring (sponsor)

42:23 Disclaimer

Disclaimer: The information provided in this episode is for informational purposes only and should not be considered financial, legal, or investment advice.

#syntheticidentityfraud #identityverification #KYC #KYB #agenticcommerce #KnowYourAgent #deepfakedetection #fintechfraud #fraudprevention #AML #trulioo #AP2 #GoogleAP2 #AIfraud #fintechcompliance #fintechconfidential

Picture a fintech, not a big bank.

A lean team, a clean app, customers signing up every day from their phones.

One day, someone applies for an account.

They have a government-issued ID, a clean photo, an address that checks

out, heck, even seven years of credit history with a few late payments,

just enough imperfection to look real.

Every signal you have says this person is who they say they are.

You approve them, but 30 days later, they're gone, and so

is the $40,000 you lent them.

Here's the part that should bother you.

That person never existed.

The ID was fabricated.

The photo was generated by an algorithm.

The credit history was stitched together from a bunch of fragments of real data

belonging to real people, people who will never know their information was used.

The whole identity was built in about 20 minutes by a piece of software, and it

passed every single check your system ran.

This is called synthetic identity fraud, and it costs the industry

roughly $95 billion each year.

And the attacks that cause the most damage, they are not

the ones that fail onboarding.

They're the ones that pass it.

So here's the question this episode is going to answer.

How do companies that get identity right actually build it?

And what does that mean for everyone building on top of them?

One of the most consequential decisions inside that white space is identity.

Today, I'm sitting down with the CTO of a platform guarding that

gate for Google, JP Morgan, Stripe, Meta, Airbnb, and many others.

His name is Hal Lonas, and before he was doing any of this, he

had his eyes set to the stars.

This is Leaders 101 by Fintech Confidential

Welcome to Fintech Confidential, bringing you the people, tech, and companies

that change how you pay and get paid.

So today's guest is Hal Lunos, the CTO of Trulioo.

Now that's spelled T-R-U-L-I-O-O.

Yes, that's pronounced Trulioo.

And one of the things that is really interesting about them

is that they operate across over 195 different countries.

They cover more than 14,000 document types.

They check against over 6,000 different watch lists and over

700 million business entities.

And just kind of give you an idea, their, their customers include folks

like Google and JP Morgan, Stripe, Airbnb, Meta, and a whole lot more.

Hal, welcome to the show.

Thanks, Tedd.

It's great to be here.

So before we get into the problem, and we're gonna dive pretty deep into

the problem, you've got a degree from MIT in aeronautics and astronautics.

But you went through that path, and it seems like you might have gotten a little

impatient and was like, "I gotta do something that moves a little bit faster."

Help us understand, um, what fueled that pivot and even more so, what is the, the

one thing that you learned from all of that, that you've brought into fintech?

Yeah.

Thanks for asking, Tedd.

Yeah, I got my degree in aeronautics and astronautics, stuff that flies in space

and in the air, and, uh, and my first job was with Northrop Aircraft, and I realized

pretty quickly that, you know, you could work on something for years, and it

would never see the light of day because of funding changes or other things.

Just it took a long time.

Started a little company with a couple other guys named BrightCloud.

Uh, our ambition was to classify the entire internet, which,

uh, I think we were actually pretty good and successful at.

I got into cybersecurity a few years later a-and then went

on to Webroot and now Trulioo.

And you know, the, the takeaway from all that is that, uh,

reliability is king, really.

Whether you're flying in space or whether you develop fintech software,

it has to work all the time, every time.

You're building a fintech product.

You want to offer digital assets, but wallets, that's the hard part.

Security, compliance, key orchestration, blockchain integration.

That's why fintechs, payment platforms, and custodians choose Defense.

They provide wallets as a service that's API first, multi-chain

by design, and secured with MPC.

No single point of failure.

So you can launch across over 50 blockchains, automate policy

controls, and stay audit-ready without managing private keys.

Stripe's Ridge powers crypto payments through Defense.

MoonPay scales wallets securely with Defense.

Sphere grew without compromising on control or compliance.

Even major FIs like Fidelity, ABN AMRO, as well as custodians like

Azodia and Tungsten trust Defense to power their on-chain infrastructure.

Developer-ready, compliance-approved, production-grade from day one.

If you're building in payments, exchanges, OTC desks, market makers, or DeFi, Defense

Wallets work the way you need them to.

Request your demo at fintechconfidential.com/dfns.

Defense, secure wallets built right.

When you start to look at identity verification, you really get into it

because it's that 1%, uh, or the edge use cases that, that maybe you don't think of

is really where the disasters just really

start to happen.

We just have to close the loop on those as, as quickly as possible,

and we have to engineer things just to work, you know, just as close

to 100% reliability as we can.

The stakes are high because, like you said, the, uh, the losses in

financial crime and fraud these days are, are huge, and so getting

it wrong is very, very expensive.

What gets really interesting is we as, as individuals and consumers

feel that gate come into play, and that's where the fraudsters really start

to have their fun, is trying to figure out how to get past that initial gate.

As I was reading in, in one of the papers that has been written by

Trulioo is how these fraudsters are building these profiles.

They're piecing together pieces from multiple credit reports.

They're, they're taking a Social Security number.

They're, they're doing all these different pieces.

The part that I found really, really interesting is, like, they would go

out and get a low, low dollar credit card and buy stuff and pay it off, and

buy stuff and pay it off for a year.

So, like, they're looking really, really far out.

And so what ends up happening is that the, the financial services company will

look at this and go, "Hey, everything looks fine. Everything looks great."

Heck, they'll even miss a couple payments to make it look really, really good.

But then 30 days after they've, they've gotten the product or service, it's…

They're, they're nowhere to be found.

It doesn't exist.

I'm sitting here thinking as a fintech founder or as a financial institution,

I'm like, "Yeah, but my system should catch these things." And, and one of

the interesting numbers that I've, I've found and seen is that 96% of, of the

folks that h- have this problem think that they've got it under control.

But what- is

actually happening in the background for them.

So I think of these companies that we do business with as having two parts.

One is the, the compliance and the fraud prevention people, and the other

one is the, the business people and the product management arm, and they say,

"Hey, I wanna onboard more customers."

And the, and the compliance and the fraud people are saying, "Wait a

minute, are they good customers?" And then sometimes, to your point, the,

the user, the new user, gets let in the door, they get through the gate,

and then they start a sleeper account.

Mm. And everybody takes their eye off the ball, and they

say, "Well, that must be okay.

It, it made it, you know, 10, 20, 30 days." But then, then

the real mayhem starts, right?

And then the money starts flowing out the door, and it's too late.

So, uh, it's just an interesting, uh, kind of yin and yang, you know,

balancing act between these two forces.

Many have tried to figure out how to catch it ahead of time.

Uh, but I think one of the biggest concepts that we'll be talking

about today is detection rates.

Like, everybody likes to talk about how many things that they've

detected, but it's really not a really good way to measure the defense.

The real honest measure of this w- is something that, that I,

I think you and I talked about, was, like, the feedback loop.

Yeah.

How fast can you get that feedback?

Walk me through why the standard metric Doesn't work and why every

vendor likes to lead with it, and then why the compliance teams are

reporting on it even if it is the

wrong number

to be reporting on.

It's this number, it looks really good.

They give examples of, "Here's the bad guys I caught," the synthetic

identities or the bad actors.

And so they show these examples of, "Here's all the bad stuff we caught."

But to your point, the, the false negatives, otherwise, you know, the,

the, uh, the bad actors who get through, those are the false negatives, right?

Nobody wants to talk about that- … because that's where the $95

billion in financial loss comes from.

And so really we should be talking about minimizing those, the f- the

false, you know, negatives, getting through those, that, that pass we gave

people should be what we minimize.

And, and the, the quicker we close the feedback loop on that number, so the

quicker that the financial institution recognizes, admits, and, you know, in

nirvana, would get back to the vendor or their own team and say, "I missed one,"

or, "I missed 10," or, "I missed 20," then the process can start to make that better.

If they don't admit it, if they don't own up to it, if they keep looking at sort of

the, the happy path of how many bad actors we caught, uh, what is the detection rate,

then, then we don't learn from it, right?

We don't get that feedback loop going.

As I talk to clients at Voalyre, like wh- we look at this,

and the question we like to ask is, like, how fast did you respond to it?

Like, i- there are a lot of things that can come in.

You can get… Heck, there was one that we were talking to that

had 20,000 alerts, and they were so proud of their 20,000 alerts.

But when we really dug into it, it was really three or four things that were

causing those alerts, and if we were able to more quickly adjust for those, the

20,000 alerts would've been 200 alerts.

Yeah.

The feedback loop is everything, right, and the response time.

And, you know, going back to one of my favorite subjects, space,

you think about examples- … like, uh, you know, Apollo 13, where

failure was not an option, right?

And, and, uh, you know, they had a huge problem on that mission,

but the speed with which they reacted to it and caught it- Mm-hmm

and, and fixed it s- saved those astronauts' lives, right?

So, um, you know, it's, it's the speed you respond, and s- so true

in financial in, in fintech as well.

So not just letting the problem go on and on, not, not admitting

you have a problem- Mm-hmm … but turning around and fixing it.

And it works across multiple dimensions where that can be

fixed, but y- y- you gotta respond.

You gotta know you had a problem and, and get back and fix it pretty quickly.

You have to structurally have a, have systems and processes

and procedures in place to be able to support that feedback loop.

Heck, even now you look at it, and, like, there's- There's a lot of

softwares that will auto learn based upon decisions that you've made.

Is it, you know, why did you do it?

And this is a conversation we've been having with some BSA officers as well is,

"Hey, now we gotta make it explainable." So when the OCC or the FDIC or, or other

regulatory bodies come in, the state bodies come in, they're wanting to know,

"Well, how did you make the decision?

What did you do to make the decision?" So the idea of being

a black box just really doesn't

work anymore.

That doesn't fly anymore, right.

One of the things we do at Trulioo is, you know, we have this very rapid feedback

loop with machine learning and, uh, what we call adaptive machine learning.

So we think about how to apply the feedback loop to our machine

learning models that they get trained and retrained very often.

But, you know, I think one question to ask your, your people, your vendors,

your, your technology specialists is how often do they update their models?

Mm. Because to your point, that can be very hard and, um, you know, maintaining

explainability and an audit trail and how you trained your models, uh, but

also being able to update them very quickly because y- you know, you can

have the best models in the world, but if you don't adapt to today's attack

and get that redeployed pretty quickly, y- you're just, you know, open for

further attacks until you get that done.

So you really need the feedback loop and then the, like you said, the remediation

steps have to be in place and not, uh, by committee, not six months from now.

That has to, has to happen quickly.

They were using AI to create videos, and the one that

always comes to mind, everybody, everybody looks at is the Will Smith

one where he's eating spaghetti.

And then just a few weeks ago, they released one using Deep Seed

where, where it- It looked real.

Like, it looked super real.

They showed a movie clip that wasn't even a movie clip.

So it's, it's gotten really, really good.

And so the fraudsters are up, as, as we look at it, right?

So if you think you can see it, and a lot of times you can still, but the,

the way that we're identifying that it's not real is exactly the way that the

fraudsters are going back and saying, "Okay, well, I need to tweak it."

Like, if, if you really think about it, like, early on, the

skin was just too perfect.

The lighting was just too wonderful.

Like- Yeah … I know we spent a lot of time putting the lighting

in here to try and make it look as good as we could, but the software

would just, just make it happen.

Then we look at the other route where they said, "Okay, well, if it's too perfect,

they're gonna see, and they're gonna realize, and they're gonna go, 'Ah.'"

So they started adding all the imperfections in, right?

Mm-hmm.

Mm-hmm.

So I, I think when you look at it that way, there's, there's a

lot of things that go in that.

I want to understand from you, like, all these detection models, all these

different pieces, especially with the technology getting better, right?

How do you win at a race that your competitors are using the same technology

as you're using to try and stop them?

Yeah.

It, it's tough.

It's really tough, and you bring up some really good examples.

And, you know, I think, uh, you know, we kind of describe this i-

internally as, uh, it's a bit of asymmetric warfare here, right?

So it's not fair.

The old, you know, the old school was, you know, you kind of had a level playing

field, and, uh, you know, the, the bad guys had the same tools as the good

guys back when they were, uh, cutting up, uh, government-issued documents

and pasting new pictures on them.

You know, now it's all computer-generated.

The computer can learn very, very quickly, uh, and, and take advantage

of, of, uh, weaknesses in the systems.

And the systems are set up to let, uh, you know- real people in, and so they've

exploited the things we're looking for to learn how to defeat the systems.

So, so y- you know, you have to deploy those models faster.

You have to look at lots of variables.

Uh, you know, we look at hundreds of signals coming in all the time.

We look at, uh, the, you know, behavioral aspects of what the person's doing.

We look at how long it's taking them to do it.

We look at injection attacks on the signal to try to stop it.

You know, we, we, we even look at, uh, device information about the

device they're sending it from.

We say, "Have we ever seen this device before? That's weird. You know, how

could Tedd and Hal have the same device, you know, and be logging

in separately to different banks?" So we can make all those behind the

scenes connections, but it, it's very sophisticated and very difficult.

We have to look at what the, you know, these nuances that

the bad guys didn't think of.

Um, because to your point, human beings are on the verge of not being able to

detect it now, and in the future, just flat out will not be able to detect it.

So the human, you know, we call them analysts, that look at the data that we

see come in, and they try to identify these, these synthetic identities and,

and fraudulent attacks and the fake, you know, uh, stuff that comes in.

Th- they're getting to the point where they can't see it.

But it turns out that the computer can actually still

pick out, uh, these, these fakes through … Sometimes they're too good.

Sometimes they miss something.

Sometimes it's something as simple as, you know, the background of a driver's

license isn't what it's supposed to be for the, the state of Nevada.

You know, it's- Mm-hmm … it, it, it just, uh, there's nuances there

that you have to just pick up on.

Yeah.

And

I was, I was looking at, uh, an article the other day

where they were, they, they put four different documents on the screen.

They're, they're paper checks.

And they're like, "Can you pick the fake one?" And you're looking at it, and you're

looking at it, and you're looking at it, and they all look real until you look

really, really, really close and you see that the line for the dollar amount, the

dollar symbol is not a full dollar symbol.

It's got, like, uh, breaks in it- Mm-hmm … and all the diff- like- Mm-hmm … just

very minor … One of the things that you also mention in there is, like,

being able to identify the, the device.

Yes, for most of us, we realize that privacy is limited is really

making the consumers less safe.

Help, help me make that case because that, that sounds

counterintuitive.

It, it's interesting.

There's a trade-off there for sure.

So one of the things we hear about in the news all the time is, uh,

you know, some company has lost a bunch of personal information-

Mm … about, about you and me.

Um, and then we get free credit reports for a while, right?

Or something.

And, and so there's a question on how that information's being used by the bad guys.

Uh, they might try to impersonate us or do an account takeover

based on our information.

They might even use that information to create better synthetic identities,

uh, that might have, uh, be you or me, but with one thing changed.

Um, but y- you know, I would argue that, um, those losses and breaches

are actually, uh, less impactful than having sort of the security companies

and the i- the folks that are trying to prot- protect us from identity

mismanagement and identity theft from actually being able to, to use that

information, to keep the information, cross-check the information, create

consortiums that to protect each other.

It's sorta like the FBI has the, the top 10 most wanted, right?

And then suddenly we go along and say like, "Ah, we're gonna protect, uh, the

identity of these folks by taking down their pictures in the post offices." Now,

that technology isn't being used much anymore, but my point is that, you know,

we used to be pretty open about sharing, uh, sort of the bad actor information

a- and now we've really tightened down.

And I appreciate more than anybody, uh, protecting people's identities and, and,

uh, you know, protecting, um, privacy.

But I do think that we- we're sorta operating with one arm tied behind

our back here sometimes in terms of being able to protect people because

of, uh, privacy and, and because of, uh, concerns about anonymity.

But every time one of these breaches happens, it gives the attackers

so much more raw data to work with.

They can build better identities.

They can really, like you mentioned, make that one little tweak that isn't

discernible by, by some of the systems.

Does… Would, and why would it not, like reduce the data?

If the data's not being collected, the data can't be used.

Like- How does that not help?

Like, if you, if you're not collecting the data or you're

deleting the data, how does that

not help?

I- if, if you don't collect the data, um, you know, then there's,

there's no data to be breached.

If, if you do collect the data, I think it's all about how it's gonna be used

and, and what the, um, you know, kind of, kind of what's the use case for that.

Uh, certainly we need to allow people to, like, log back into their bank.

The bank needs to track certain information about that person.

I think a lot of this comes down to how, you know, and maybe better

controls around how data is managed, how it's used, how it's governed.

And, and maybe also something that would be helpful in the future would be,

uh, some legislation around companies that want to use the information

for the good, for the public good.

And so differentiate between, "Hey, I, I, I want this information because I want

to advertise to people more effectively.

I think there's a market out there," versus, you know, "I, I want to use

this information to protect people and protect financial institutions." So

maybe there could be some kind of a, you know, certification you could get for

somebody like TrulyYou that says, "Hey, I'm trying to do the right thing here.

I want to help people out." But, but yeah, you're, you're, you're right in a way.

Anytime you kind of increase that surface area for the attack, then, uh,

you know, it… you're taking a risk.

Support provided by Skyflow.

What if you could build fast but not break privacy?

What if you could ensure data privacy, governance, and compliance

with just a few API calls?

What if you could worry less about PCI requirements while actually

improving privacy and security?

How much more time would your team have to truly innovate?

How much faster could you build and ship new features?

How much more powerful could your app be?

Skyflow is a zero trust data privacy vault delivered as an API.

Skyflow's radically simple design lets you collect, secure, and

tokenize personal information like card data and payment details.

And with built-in features like encrypted data analysis and sharing,

anonymization, and advanced governance, your days of choosing between data

security and data usability are over.

Whether you're just concerned with PCI compliance or need to go further

to include CCPA, GDPR, SOC 2, and beyond, Skyflow has you covered.

What if you could build fast but not break privacy?

With Skyflow, you can.

Visit skyflowsecure.com today to learn how.

A lot of times it feels like these financial tools that are trying to

assess the risk of the customer, a lot of times, maybe it's just my

perception, go a little bit overboard on the amount of data they wanna collect.

Maybe enough to make the decision today, but to balance

it against future information to figure out their risk profile.

And does it… I- if we were, if we were to cut that way back to the bare

minimum, what's needed to, to prove who you say you are, to prove, you know, the,

the, the minimum requirements, does…

Wouldn't that make it even harder to create synthetic

identities?

Yeah.

It, it certainly would.

And, and you're, you're bringing up a great point, and this

is something we try to do.

Uh, we try to… We… And we look at that from multiple dimensions.

One of them is minimizing friction, right?

So the less I ask somebody when they're kind of onboarding with me or they're

doing a transaction with me, the less creepy it feels, the less time it

takes, the more likely they are to continue with the, with the transaction.

The more I ask them, the more they start to feel like, "Wow, this

feels invasive"- Mm-hmm … and they're more likely to bail out.

So 100% agree.

And, and the other thing that's really interesting that, that we do is we can

very early on in, in the engagement with a person or business say, "This

looks like a low-risk transaction.

We already know this person.

We think this is, like, a probably pretty safe." And we can, uh, use

predictive technology very early on to say, "Let's remove the friction

here." Whereas for somebody else, we might say, the same predictive

technology says, "This looks very risky.

Like, this is something that does not look right."

So in that case, I might apply a little more friction.

I might gather a little more information.

But certainly it's not a one-size-fits-all.

To your point, it could be, could be a little more nuanced than that.

The idea there was a technology company that could reduce the friction.

Walk me through, like, what their verification process looked like

pre-TrulyYou and then what it

looks and feels like today.

ConsenSys was onboarding businesses, doing business, you know, with others,

uh, after a, a pretty laborious, uh, set of manual confirmation and manual work.

So they had this, this whole workflow.

You know, it would take, you know, it could take hours or even

days to onboard a business with a, with a lot of manual steps.

And so, you know, we stepped in and said, "Look, we can automate a lot of

that, and in fact, we can, you know, not only gather information, help you

make decisions. We can put together a workflow and put this in place that, that

really streamlines a lot of this work," basically taking that down to minutes.

So we're talking, like, hundredfold improvement in speed And all

the while improving security.

So this was like a win-win across both speed and security for ConsenSys that

streamlined their process and is able to do business now much, much faster

in this aspect of what they're doing.

So it's, it's been just great.

So is it fair to say that the trade-off between security and speed is

really a, a falsity when you choose to

use the right technologies?

So true, and, and also the other kind of trade-off we mentioned earlier,

which is between the sort of the, the, the compliance, uh, y- you know,

regulatory anti-fraud people, a- and on the other side of that coin, the

business people who wanna very quickly onboard and, and get, get down to doing

business, uh, with a new customer.

Like, that doesn't have to be, like, a battle.

That can be, like, a both sides win sort of thing by putting the right

technology in place and, and sort of, sort of following best practices.

So yeah.

A lot of these systems, a lot of these tools, a lot of these

policies, a lot of these procedures are really focused on finding human actors

that are perpetrating the fraud, that are using the synthetic identities.

That's… We, we think, maybe it's just me, but, like, I, I think, you know,

a, a room full of people that are, that are just keying away and, like,

applying, applying, applying, applying.

That isn't really the case anymore.

Let me just kind of, like, transport us all a little bit forward, right?

So it's, it's… We're ha- we're at the end of 2027.

I have my own AI assistant that, that, that has been built into a banking app,

and I, I, I built this really cool tech.

Uh, not only that, but then I'm, I'm able to, to book travel.

Um, I'm able to pay my bills.

Uh, I'm, I'm, heck, I'm able to send Hal some money, thanking him for

coming by and, and chatting with me.

But if my AI agent tries to move $500 at two o'clock in the morning-

Who's verifying this AI?

We're seeing, we're seeing sort of this advent of agentic

commerce that you're touching on.

So we've moved from KYC, you know, to KYB, and, and now we throw around

this terminology KYA, know your agent.

The move towards agentic is gonna be very interesting and, and, uh, you know, you

know, we're seeing the rise of it now.

And, and, you know, the funny s- thing about this is that agentic commerce

agents just come in and they say, "Oh, I'm just a very sophisticated bot," right?

And so- But

I'm, but I want the agent to come by, just not the bad bot.

Yes.

Yes, of course.

I want the good bot, not the bad bot.

Yes, of course.

How are, how, how should they be looking at good versus bad

bot, I guess, in this case?

Yeah.

We, uh, actually wrote a white paper last year, and, uh, went

out there with some ideas around this and said, "Hey, you know, there, there

are some elements around agents that you could know." And we, we proposed

this idea of an agentic passport.

And so the, the passport would contain certain elements like who was

the, actually the developer behind the agent, where did it come from?

What's its, what's its origin?

Uh, what's the code behind the agent?

What does the code do?

And has the code been altered since its origins?

And then who's using the agent?

Who's the agent operating on behalf of?

It might be buying concert tickets for you, it might be doing, you

know, shopping for me, um, but, but it's operating on someone's behalf.

So some, some people are behind the agent, the developer, the, the

person it's operating on behalf of.

Why couldn't you use the traditional KYC, KYB frameworks but

just pivot it to the AI agent then?

They're, they're not deep enough.

They're not real time enough.

So, you know, that p- a, a person comes to the, a, a website to do a, you know,

some commerce in sort of human speed.

Agents are coming at computer speed.

Well, and I think really what you're, you're talking about

is that the framework for trust that we have, especially around finances,

really assumes, and currently really assumes that there's a person or a

legal entity on the other end of it.

They aren't really, today, for the most part, aren't really looking

at the actual software- Yeah

that is using it.

Yeah.

Um, it's not really intended for that.

You, one of the things I, I'm gonna pull out of the little nugget you said

is that going in to see or figuring out has that code been tampered with?

Is it, is it the code that was there when the originating actor,

being the consumer, said, "Yes, go do this," or has it been altered?

Could you dive into that just a

little bit deeper?

Yeah, because it's almost like the, the analogy of a person going in

and saying like me, me going and saying, "Hey, I'm Tedd." And there'd

be certain checks against that.

And like my face isn't the same, I don't know some of the same information as you.

And so we believe it's a, it's possible to interrogate the code

that's running behind the agent to see if it's actually the same.

We believe all these things are possible to, to show that the code hasn't been

altered and that, uh, the agent is doing what it says it's gonna do, is

operating with consent of the people behind it, and is also operating

within the bounds that people set.

Walk me through

what KYA or Know Your Agent actually is.

And, and explain it from the perspective of I'm a fintech founder that, yeah, I've

thought about agentic commerce and, yeah, I've thought about that, but really it

hasn't been a problem for me, and why the agentic or Agent Passport is structurally

different from just the agent logging

in with like a username and password.

So the passport carries additional information, add- additional

reassurance to the person who's receiving the transaction or about

to allow the transaction that this is all possible and that the, the

agent is who and what it says it is.

So it's actually a deeper and more secure check than, than a username and password,

which, you know, as we said before, could be floating around the dark web somewhere.

So we also believe that there has to be a real-time check.

So when that agent shows up to do this transaction, there's actually… The,

the, like the, um, the e-commerce site could actually kind of, kind of flash

back to the origin and say, "Does this look real to you? And does this make

sense?" And this sort of background check would actually be a consortium

of has this agent been seen before?

Does it sort of have a high reputation, low risk factor?

And is it operating on the internet in a way that I trust?

Can it go fast enough in a transactional piece?

Because we all know that when you're buying something online, three

seconds feels like three days.

How, how do you do those sorts of checks for the agents in a way

where they don't get so frustrated?

'Cause I mean, it's humans building it, so you know they're gonna get frustrated.

That they just, they just- pummel with request after request after

request, trying to get it through and possibly calling, causing

a denial of service attack.

Human beings are not very patient, right?

We need things to happen very quickly, and that's true.

But I think this could, uh, be made to operate at, at like the, you

know, like 100 milliseconds speed.

It, it can't fall down with lack of scale.

It's gotta be very, very scalable.

One of the things I noticed, December of 2025, Google

launched their AP2 protocol.

And, and I'm curious is with an open standard for AI agents,

if they're executing financial transactions, what does it mean to

you, and what is the signal about the direction the market's headed?

Yeah.

So first of all, we're super happy that Google picked this up and published

AP2 as an open standards specification, and that's the kind of justification

you need behind something to get people to look at it and take it seriously.

It also signals that, um, it kinda tells people to be ready for

it, that agents are gonna go way beyond bots and be very successful.

And so it's a, it's one of those sorta tipping point moments I think

we see out there where the, the, the big guys start to get behind it and

say, "This is gonna be an approved standard, and it's gonna be, it's

gonna be okay for everyone to use it."

Doesn't having an open standard like defeat the purpose

of authenticating these agents?

Not,

not really.

So, you know, just in the same way that like fintech, uh, transactions

happen today under f- fairly open standards with, with tokens and

network transactions and usernames and passwords and MFA and, and all the,

the facility we have there now, tho- those also operate under open standards.

And really, you, you actually need open standards, I think,

to, to, um, to get buy-in.

Also, to get the kind of, uh, rigorous examination and testing to make sure

that you didn't miss something or leave, you know, an open backdoor or something

where, uh, something is exploitable.

So, um, you, you kinda need that as well for the, uh, the

community to look at it and say, "Yeah, this really is bulletproof.

This really is, uh, you know, not gonna be open to attack."

One of the questions that I have is, as we start to look at this,

and nobody, by the way, nobody in the industry likes to answer this clearly,

succinctly, or plainly And I, I'm looking for an honest answer, like no caveats.

In the ARMS race right now for fraud, are defenders winning or are they losing?

It's asymmetric warfare.

It's not fair.

I would say the bad guys are always ahead.

They're always gonna be ahead.

A- anybody that claims that they're ahead of the bad guys

is not telling you the truth.

They're not being straight, and I'll be straight with you and

say I, I know that to be a fact.

The question we should ask ourselves goes back to a previous point,

and that is what is the gap?

So is there a wide gap between what the bad guys can do and our defenses,

or is it a narrow gap and we're closing those loopholes and those

problems as fast as we see them?

It goes back to that feedback loop idea.

Mm-hmm.

So if we can, if we can see problems, if we can anticipate problems, if we

can close problems quickly, we, we leave that s- kind of that smaller gap between

what the attackers are doing and what the defenders are able to counter with.

So I think that's the game we're playing.

It's not one of ever s- kinda sitting down, relaxing, putting our pencils

down and saying, "We win." As, as defenders, we're never gonna win,

but we can be close to having a, a, a small a gap as possible with what the,

the attackers are hitting us with.

You get to see a lot of things,

everything from Fang, Fortune 500, all the way down to your,

your traditional e-commerce groups.

What is the, the one thing that most fintech leaders get wrong about

identity, the mistake that if corrected, would change their risk profile?

More than anything else that they could do?

I think it's them going with the kind of one size fits all,

or the I have a hammer, everything looks like a nail approach.

The sort of sad truth is that it's a messy world.

Identity's a very messy space.

As standards evolve, we keep hoping we'll get to something in the future

that will be simpler and better, but my guess is that, you know, for the

rest of my lifetime, probably for the rest of your l- lifetime, we're stuck

with a, a very messy environment, and, uh, it's, it's gonna continue to

be messy for the foreseeable future.

So we've, we've got founders, we've got operators, we've

got compliance leads, we've got CTOs that, that listen in and watch the show.

If you were to give them one piece of advice heading into the rest

of 2026 and looking at what is possible for '27, what is the one

thing they should do differently this quarter to prepare for that?

Ask your vendor what they're doing about false negatives, and about

not just their true positive rate, and ask them for the numbers that span

that, um, very specifically, and ask them what they're doing to improve.

If there's one thing you wanna want the audience to understand

about identity, about trust, and what's actually at stake, what is that one thing?

I think it's the trade-off between, um, security, speed,

friction, low friction s- a- and understanding that sometimes those

preconceived notions are false.

Sometimes we look at those things and say, "Ah, I can't do this because it'll

cause too much friction," and… or, or, or I'm giving up security for speed.

And I think if we look at it the right way, there doesn't have

to be the trade-off we think.

It's not a zero-sum game.

What are the things that, that I missed today?

I think technology right now, it, it… I know from my point of view, there's a

lot of, uh- Uh, uncertainty around what's happening with AI, and not just with, um,

identity specifically, but with, like, SaaS and all of software development.

There…

A- and I think people have taken a bit of a pause in a way because they're

almost afraid to make investments in the tech or in further development

because they're thinking, "Uh, maybe AI will do that tomorrow. Maybe AI will do

my job, or maybe AI wi- will for, you know, save me from having to hire five

more engineers or five more analysts."

And I'm a little afraid that this pause we're taking right now while we

sort out AI- Mm-hmm … is opening up yet another window for the bad guys.

They're not taking a break.

They're not wondering if AI's gonna do their job.

They're leveraging it every day.

And so I worry a little bit that we're in this sort of a bit of a holding

pattern right now, uh, across the tech industry, and I'm just afraid that we're,

we're giving the bad guys some space here that- They'll take advantage of.

That

is very interesting because, uh, we, we, we're seeing today lots of,

of people unfortunately, um, being laid off with AI being identified as the piece.

But we also at the same time have the CEO of NVIDIA saying that the cost of

compute has exceeded the cost of the human that was doing it to begin with.

I appreciate you coming in and sharing that insight with us.

Yeah.

Thanks, Tedd.

It's very interesting times, and great to talk to you.

Folks, Hal Lonas, the CTO of Trulioo.

Like, this has been fantastic to have him on.

Again, Hal, thank you so much for being here.

Uh, if, if you've liked what we covered today around architecture, around

synthetic identity, fraud, the AI arms race, uh, everything that goes underneath

of it, especially with the best operators.

You've mentioned how some of these folks are handling these things.

If any of this landed for you, go ahead, head over to YouTube,

Spotify, Apple Podcasts, heck, even head over to Fintech Confidential.

Sign up there to find out what we're digging into, how we're diving into

it, and really understand what's going on in the marketplace today.

And if someone is making decisions around identity and fraud around that,

go ahead and share this with them.

Make sure they understand that there are solutions out there for them.

And as always, keep moving forward.

As we wrap up today's episode, I've got one last thing for you.

If you're in the trenches fighting fraud and financial crime, you

know it's a complex battlefield.

That's where Hawk's AI tools for real-time payment screening, AML,

transaction monitoring, and dynamic customer risk rating come into play.

These aren't just buzzwords.

They're game changers designed to make your compliance more

effective and less of a headache.

Imagine slashing through false positives with precision and giving your

compliance strategy the edge it needs.

Head on over to gethawkai.com to sign up for a demo and discover how

their platform can revolutionize how you fight fraud and financial crime.

This has been a production of DD3 Media with all rights reserved.

This is provided for informational purposes only.

It is not offered or intended to be used as legal, tax, investment,

financial, or other advice.

We strive to provide accurate and up-to-date information, but will

not be responsible for any missing facts or inaccurate information.

You comply and understand that you should use any of this

information at your own risk.

Cryptocurrencies are highly volatile financial assets, so research and

make your own financial decisions.