Welcome to Fraudology Podcast where we dive into the science and study of online fraud from the perspective of an e-commerce fraud fighter. I'm Karisse Hendrick. Welcome back to the Fraudology podcast. I am so excited to have Hailey Windham here with me today. It's been a little while since Hailey's been on the podcast. I know we did a joint episode for Fraud Fight Club back in April, but before that I think it was back in 2025. And if you haven't heard Hailey before, she's been on the community banking side and credit union side of fraud prevention for several years and she very recently, as in the end of last year, started a full time position with Sardine. So welcome, Hailey, to the podcast again.
Thank you so much. It's always a pleasure to join you on Fraudology.
Yes, you are. I can't remember the first time you came on the podcast, but was it three years ago at least?
Yeah, I think it was three years. And I was just a little small town credit union girl who was inspired by you to create her own internal podcast. And there's been a lot of changes, but you've, you've stirred up a lot of inspiration and motivation in me, so I'm always eternally grateful.
Oh, well, I just love getting to see your growth. It's been so exciting to me. And you had, you were the host of the Banking on Fraudology podcast and now it's called Fraud Forward. And really the vision for that podcast is similar to Fraudology, but specifically for banks. Let's go ahead and start with what you've been up to. I mean, I kind of gave a little bit of a overview of what you've been up to since you were last on the podcast. But how is it being at Sardine going from the banking side to the vendor side?
Well, it's been a whirlwind, but in the best way possible. Honestly, from the banking practitioner side, I was afraid to come over on this side, you know, afraid of that, thought of, you know, she's a sellout or, you know, she's gone over to the dark side and now we don't want to talk to her. But it hasn't been like that at all. And mainly one of the main reasons why I joined Sardine was because of that I was told, you know, and since then it's been true. But I was told that we don't want you to try to sell anything. We just want you to keep doing what you're doing. We want to help give you, help you at scale, right? Instead of helping one credit union, help multiple. And making sure that we can get the information out. So I'll say, you know, my role is the community lead for banking. And so I have been focused on, you know, building the resources that are actually useful for fraud practitioners and not just vendors. So it's not just a, hey, this is what's going on in the industry. Let me sell you something. It's, hey, this is what's going on in the industry. Here's how you can make it operational, here's some practical takeaways for you. And just leading with knowledge and information first. Versus over, you know, fear tactics, trying to make you think, oh, the next best technology is the answer. So, you know, obviously the podcast got a facelift, so it's now called Fraud Forward, just a rebranding. But I think the message is pretty clear that fraud isn't static. Right. It evolves constantly. And, you know, the goal was simple. Still have those practitioner led conversations that help move the industry forward. So we've had guests from financial institutions, fintechs, law enforcement, even had consumer advocacy organizations. And I think the one thing that I'm really proud of is that we've been able to balance those strategic conversations with operational reality. So, you know, if someone listens to an episode, I want them to walk away with something they can use tomorrow morning at work. I think that that's very important for any conversation I have. At least that's recorded and other people can hear.
Well, and you and I are so aligned in so many of those things as far as, you know, giving back to the industry. I know that you are currently working on promoting a benchmarking survey for credit unions and community banks. You know, right now they're responding to it. You don't have all of the data gathered yet, but you're getting there. And I think, you know, to my knowledge, there's never been anything like that before. Just like there hadn't been anything like my fraudology benchmarking study for merchants back in, I think it was 2023 now. It was very unique because it asked the questions that merchants wanted to know, not that vendors wanted to know about merchants. And I think that's exactly your goal with the banking survey. And I'm really excited for you to get those results and for them to help people move the needle forward within their organization, to share it with their leadership, to say, hey, we're over here, this is where everyone else is, or, hey, we're actually doing really good. You should give me a raise. Using it for practicality, I think is really exciting when that gets to happen 100%.
So this is actually the project that I'm most excited about. And one of the things that whenever, you know, Sardine asked Hailey, what's one thing you want to do? And I was like, I really want a benchmarking report. And so this is another promise they've kept to me. And so again, we launched this. It's the industry's first practitioner built fraud benchmarking survey. And specifically for community banks and credit unions, we're focusing on 10 billion and under. The goal is to finally answer questions like how many alerts should an investigator handle, you know, efficiently? What does normal staffing look like? How much are institutions actually losing to scams? And you know, early data from the benchmarking, it's confirming what we've already known and felt that they're being asked to do more with less. I will say though, I have to give a shout out to my credit unions right now because 80% of my respondents have been credit unions. So I need my community banks to step it up. But again, you know, fraud teams, I don't think that they've lacked benchmarks necessarily. There are some that are available that are industry, but it's from my experience they were really vendor led versus practitioner led. So it was, hey, here's our, here's our current benchmarking on fraud. And it's like, okay, who'd you poll for this? Like, I follow you guys and you didn't poll me for this information, so where did it come from? You know, that was just one of the things that always bugged me. And then I'll never forget reading one of the industry benchmarks that said, okay, ACH fraud, here's how much they lost. And I was like, is there not a breakdown of, you know, EFT, you know, transferred external transfers that we sent out or member to member internal transfers? Like there's not a breakdown of what is actually happening, like online versus origination with ACH. We just categorized it into one that's not helpful. So I wanted to make sure that I brought some of those, you know, again, just practice practitioner insights into this benchmark so that we could actually take it back and again, use that information tomorrow to help our programs. And so far, the responses, again, I'd love to have a few more before we close it out officially, but I'm really excited to see the insights we have so far and really look forward to posting that, that full benchmark report that'll come out soon.
I remember years ago when I was working for a nonprofit organization, a trade association for e-commerce merchants and fraud. One of my friends that was working at Twitter at the time said, Karisse, your job is to help me do my job better. And that has stuck with me. And even though I don't work for that nonprofit or that, you know, trade association anymore, that's still how I think through things, right? With MFA, coming up with the podcast with those type of things. And I think that's the lens that you look through too, is how can I help my people do their job better.
I love that you mentioned that, that it also leads me to the other two things that I built since starting at Sardine. You know, one thing that I think now that I'm really diving into content is that some people like to, you know, receive it a different way. You know, either through video, podcast, or audio. Or maybe it's reading things or just quick little sound bites. So I've kind of embraced all of it, trying to see, you know, what, what's best received, but also just trying to give back to the industry in the way that they want to receive it. So I also have a newsletter out now. It's called the Monday Fraud Fix. So again, this just kind of helps practitioners start their week informed. So I cover, you know, regulatory updates, industry trends, of course, podcast highlights, and any actionable insights that I find. Again, I just wanted something that was short enough to read with a cup of coffee, but substantive enough to matter. And then on Fridays, I now have five minutes of Fraud, which is just a short form content series. I try to keep it under five minutes, but you guys know me, I talk a lot. So sometimes 5 minutes and 50 seconds, sometimes. I got a message from my boss the other day and he said, he circled it, it said five minutes of fraud, but it was 10min and 51 seconds. And I was like, look, I got on a rant, okay? I couldn't help it. But you know, during that five minutes or less, wink, wink, can't hint, you know, I'll try to break down a, you know, major fraud trend. Again, just a regulatory update or a scam I'm seeing, you know, the fraud world moves quickly and not everyone has time for that hour long podcast. So why not give, just it something in short form? You know, fraud fighters are busy. Sometimes you only have five minutes. Again, I try to, I try to meet that goal of five minutes, but sometimes I just get too excited. But I, I want those short minutes to count for those, so again, just those other two things that, that I felt were ways to give back. And Sardine has fully embraced that and it's given me the platform to do it.
I love that. Yeah, I, I know that people like short form, but I just can't do short form. I have to do long form conversations. So I'm like, that's what you get. But, you know, the transcripts are actually about to all be released online for Fraudology, as well as synopsises of every single episode. I think we're at. I think this one is 407. I actually like completely blazed past the 400 mark and didn't even take time to celebrate it. I didn't notice till it was like 403 and I was like, whoops. Oh, I didn't realize I was close to that.
Never too late to celebrate what you've done, Karisse. Truly.
Yeah, I suppose I'm not good at celebrating myself. I'm very. I love celebrating other people and their success, but that's just not my. It's not something I think about. But so tell me, what you know, because you are so dialed in to community banks and credit unions. What are some of the things that they're worried about? What are they, what are they working on? What are they worried about? Is it external fraud threats? Is it internal, you know, fraud operations? Is it justifying their job to senior leadership? Like, what are their concerns right now?
So I'll tell you, the concerns kind of stayed the same from whenever I was a practitioner. I know that I focused heavily on how in the world do I even get them to understand that fraud is important? But because fraud and scams are just at an all time high, the scams and social engineering aspect is like the number one issue for fraud people right now. And it's because executives are finally paying attention. You know, the industry has gotten better at detecting stolen credentials and account takeover. But scams are different because the customer is often, you know, authorizing that transaction themselves. So, you know, fraud teams are asking how, how do we detect scams? How do we educate customers and who ultimately bears the loss? Because there's the struggle of, and I faced this whenever I was the practitioner, it's, you know, here I have this, this member that came in. They received a call from someone impersonating our organization and eventually had them log on with these codes or said, hey, what's this code that we're about to send to you? We just want to authenticate to you. But in reality, that was part of the MFA. It was part of them trying to make sure, hey, here's the code was a one time password we've sent out. And then the fraudsters use that information from that phone call and now they've, you know, accessed the account. But that person was tricked or social engineered because they were impersonating the financial institution from the mirrored phone number. So it looks like it was a legitimate one, but that person gave access by giving over the code. So who bears that loss and how do we justify those answers? And then how do we make sure that we are consistently applying it across the board? Because that's where we really mess up in regards to Reg E. If you don't apply it consistently, that's where you have trouble. And so trying to make sure that happy medium or trying to understand how we interpret the regulation is really a big issue. And which again just early insights from that benchmarking survey did find that scams were overwhelmingly identified as a top threat for community banks and credit unions. The other thing that I think is top of mind is the AI opportunity and risk. Community bankers are excited about the potential of AI, but they're also pretty cautious. You know, they're asking how do we deploy AI responsibly, what governance is needed and how do we explain AI decisions to regulators making sure that they are, you know, fully intertwined with whoever their vendor is or their solution provider. And again, most institutions, they don't want AI replacing the humans, but they do want AI augmenting investigators. So, you know, how can we use it to help us to, you know, a lot of times we are fraud fighters of one. I need help. So let me, let me automate a few things. And I think that the overall theme that we always see of course is the doing more with less. You know, because teams are dealing with the growing fraud losses, the faster payments, staffing shortages, budget constraints. Many fraud teams are at or beyond capacity while expectations continue to rise. So fraud isn't growing linear anymore, it's growing exponentially while our resources aren't.
Yeah, I think that's something that no matter what side of fraud you're on, whether it's merchant side, banking side, smaller bank, bigger bank, all those things, I think those are challenges that we all face, right, that fraud is growing exponentially and at scale and we don't have new resources, we still have duct tape and bailing wire. We still have to figure it out. No, those are really good insights and things that I think other types of fraud fighters can really relate to. Sometimes we get distracted by the shiny things but at the end of the day, the things that really are creating systemic pain points are, you know, the same old, same old things that we just don't fix or haven't found a way yet.
Very true. I also think that at least from the community banker, credit union side, one thing that I just, I don't know how we get beyond it other than we've got to start pushing back on these core providers, but we are stuck in these legacy cores that won't really integrate well with other solutions that we need and we feel like we can't leave them. Right. We've, we've been with these cores 20, 30 years and it's like, man, it's so scary getting out of that comfort zone. But we have to, in order to, to stay afloat and to stay in front of this fraud problem, we've got to try to be in that proactive, you know, innovative side of the, of the world and where we could be versus being stuck. So that's just another call out that I feel I would be remiss if I didn't mention that the legacy core issue is on the infrastructure. I mean, we've got to get that part figured out so that we can have layered controls and bring in more solutions that can help us augment some of these things.
Yeah, e-commerce companies don't necessarily have legacy cores in the same way that banking does, but they do have legacy systems that just aren't detecting the fraud of today as much as they used to. They're not able to see behavior biometrics and device intelligence and the signals that they need to be able to identify things like card testing and enumeration or account takeovers, you know, more sophisticated account takeovers and things like that. So that we can relate to you as well for sure. So one of the things that came out actually as recently as yesterday from when we were recording, but last week from when people are going to listen, is that it was pretty big. I mean, I remember seeing multiple posts about it just, you know, being like, oh my gosh, I can't believe this happened. That FinCEN came out, you know, so that's in the US came out with updated guidance that seems to have kind of reinvigorated and excited people in banking fraud. Can you explain what the updated guidance was and kind of what, why it's such a big deal?
Absolutely. I actually just did a quick little blurb about it in my newsletter and I titled it a little louder for the people in the back. You know, so it happened on June 12, which was my mom's birthday, by the way, Benson dropped. I figured that was important for everyone to know because my mom thinks it's important, but so on June 12, Benson dropped a new fact sheet clarifying how 314(b) actually works. And I mean, I'm here to say I want more fraud fighters to know that this exists, if they don't already, and that they can and should use it. So it wasn't just like a minor tweak. It expands on and replaces the 2020 guidance and directly addresses three things that practitioners have been asking about for years, which are whether real time information sharing is permissible, under what circumstances fraud related information can be shared and how to actually use it. So, you know, I've sat in enough rooms and I've heard enough calls to know that 314(b) information sharing is wildly underutilized. And it's not because people don't care, but because there's been a real confusion about what's actually permissible. There's always just been this fear of being burned by the regulators for sharing information when maybe it wasn't the right circumstance. And I mean, Vincent hurt us, right? So they finally provided that clarity that we've been asking for. And so it's section 314(b) of the USA Patriot Act. It lets financial institutions share information with each other under a liability safe harbor to identify and report potential money laundering and terrorist activity. And now it includes fraud. So the updated fact sheet is something the industry has needed truly for a long time. Practitioners have been asking for that clearer language, clearer permission, and clearer protection. And so what we got clarified are four different things that I want to highlight. And one is that fraud is explicitly now in the scope. So information sharing can cover activity tied to specified unlawful activities, which includes fraud against individuals, organizations or governments, and computer fraud. So you don't need a confirmed money laundering case to share. You just need a reasonable basis to believe that activity may involve money laundering or terrorist activity, which is huge for us. Right? Because again, we've had those scenarios where it's like, man, I just want to call my next door neighbor bank and say, hey, this is what's going on. I know they're 314(b) compliant, but my compliance officer is telling me, hey, they don't share that unless it is for sure following money laundering or has this or that, you know, qualifications. The other thing that this new guidance addresses is now we don't need certainty to, to participate. So this is one that I think that the institutions definitely have to internalize so you don't have to have it all figured out before you pick up the phone. Reasonable suspicion is enough. Sharing early, even on incomplete information is the point. Right. Because how else are we going to get in front of it? The third thing is that real time information sharing is permissible. So this is not just written, not just formal verbal. We can use video surveillance footage, IP addresses, you know, attempted transaction. These are things that are happening in real time that we can utilize in our information sharing to determine, hey, this is kind of suspicion enough, reasonable suspicion enough. All of it is fair game under the safe harbor as long as you've registered and are using the information appropriately. And then the fourth thing is that non bank entities can form associations too, which is huge. Right? Compliance service providers and industry groups can now organize 314(b) associations, meaning that financial institutions don't have to go at it alone. I think that the point of this all is that, you know, fraud doesn't stop at one institution. It moves across your network. Your neighboring credit union, the community bank across the street, any merchant name insert here, you know, they share tactics, they test and they pivot and it's time that we do the same. So the 314(b) now gives us a legal framework to collaborate in real time. And the updated guidance, at least for me, it, it removes the excuses.
Hmm, that's great. Is it real? Is it collaboration through like picking up the phone and calling another financial institution? Or, and, or is it collaboration through technology like you know, sharing negative lists, things like that, like on a bigger scale?
Yep. So before it was definitely through the technology we could do that. We could, I remember working through different case management solutions where we could go into the 314(b) section and if we had a joint customer or member that maybe was also a member at a neighboring fi, if they participated through this one case management system, we could communicate through there and that, that case management could let us know, hey, there's a potential that you guys have the same person committing fraud against you. And we would be notified of whenever if say bank A closed an investigation and they closed it for fraud, that's whenever all the other banks, Bank B and C would then get a notification, hey, you've got someone that matches this, that they just had a case that was closed for fraud. Do you want to initiate an information sharing request? But now it says that we can share in real time, meaning we don't necessarily have to wait. We could, we could definitely call and we could say, hey, and one thing that I think about this is like the check 21 systems that we use or the. I can't remember exactly, but whenever we're onboarding and we're trying to look to see, hey, does this person have, you know, financial institutions or whatever? And we can see that one was closed. We don't know the reason they were closed, but we could call. So I'm thinking of all these elder people now who've had their accounts closed because they were participating in investment scams. And the FI did all they could, but now the only option was to close them out. Well, then they go to the next bank. Now the next bank can say, hey, this is a great customer. What happened? Why'd they close? And now it's, you know, we can get that information in real time to know, hey, there was a potential scam and. Or a scam going on, potential fraud. We don't need to, you know, be careful going forward.
Is that an acceptable reason for closing an account? So if bank A tells bank B, hey, we just closed this account for John Smith due to fraud, and bank B says, oh, John Smith opened an account last week. Now we want to close the account because bank A told us that his account there was fraud. Are you. Does this guidance give you the ability to cancel if you were bank B to cancel John Smith's account? Or is it more, hey, you have to flag it and then really, you know, scrutinize the behavior and see what it's doing and then close for your own reasons?
Yeah, so those are different things. So the 314(b) is only giving us the ability to share information where we couldn't before.
The guide. And so that comes on your own. So the financial institutions or a bank is different from a credit union. The bank can close an account for any reason that they want. It's at their discretion. But the credit unions, they operate in a different capacity. Every member is a member of that cooperative. So they can't necessarily close the account, but they can limit convenient services. So convenient services could be debit card transactions, wires, ach, credits and debits. You know, anything that is not necessarily cash in and cash out could be considered a convenient service that the credit union could use. And again, that information sharing is just to let another FI know, hey, we had fraud here. So it just is a way for us to be on high alert for potential suspicious activity.
Yeah, because I can see if you used that to close an account based on another financial institution's account or, you know, or what their experience, that that could cause blowback, you know, in the form of lawsuits or in the form of other things where, you know, every financial institution and e-commerce merchant for that matter, have their own criteria of what constitutes fraud. So if you're taking their word for it and you're now shutting down the business, you know, or their access to their accounts because somebody else said that they were done wrong, that would pose more problems than, hey, huge heads up. I think we have this account or this cardholder too. Here's the information I've pulled, but then also here's the information I've pulled and here's what you can maybe not act on, but ingest and then flag. So, you know, hey, if we start to see suspicious activity on this account, that's there's just one more piece of data saying, well, Bank ABC already closed them down for fraud and hopefully you can mitigate your losses.
Yep. It's just another piece of data that can help us act in real time to again, just be more proactive and preventative versus reactive and you know, trying to recoup money or mitigate losses that way.
Interesting. So how do you think this is going to change things? I mean, how do you think this is going to impact the industry?
Again? I think that the updated guidance just removes the excuses we had before. So basically it was internally we had fraud fighters who wanted to share the information with other fraud fighters in the industry by, you know, either reaching out or by saying, hey, this is fraud. And now I see that there is other money going to another financial institution like we need to let them know. But in the past it was, hey, this isn't necessarily money laundering, so we can't share this information. It had to meet those criteria. Now we've got it where fraud is a part of that criteria. And again that just reasonable suspicion is now enough, so we can now share that information, whether it's early or even incomplete, as long as we have reasonable suspicion that it is fraud.
Interesting. And then as far as, you know, you had mentioned the organizations, you know, trade associations, outside organizations can, can now have these consortiums of sort. Do you think that we'll start seeing some of those pop up as well?
I think so. I think that we, we definitely already have, have some, you know, one in particular that I can think of off the top of my head obviously being Sonar and Sardine. A piece of Sardine is Sonar where there is that consortium data where we can share. So they are 314(b) compliant. I know that there are others that exist. But as you know, when we look externally, if we need to be able to share. And we're looking for a vendor that we can again, either receive more data from other FIs that say, hey, yeah, this is following patterns of fraud. We've got to have those vendors that have, that are 314(b) compliant. So I, I'm, I'm interested to see if there are more that pop up, but I do know that already exist.
Okay, I see. I was thinking more, I guess of like trade associations or things like that where they might have an email list or might have, you know, something like where you could upload a Google spreadsheet of your top 20 biggest offenders or, or having roundtable calls where, you know, hey, has anybody dealt with Bob Smith at 1:23 Main, you know, Charleston, South Carolina? Oh yeah, me too. You know, that type of thing. I guess that's what I was picturing.
But it's good that, you know, vendors like Sardine are 314(b) compliant so that they can just do it for you so the banks don't have to worry about integrating with each other one by one by one. Because that would be, it would take forever and it just wouldn't be sustainable. It wouldn't be scalable.
Yeah, so I pulled up that, that piece of it. So it does state who is eligible to participate in this information sharing and associations consisting of the financial institutions listed above. So. Yeah, you're exactly right. So if we think, you know, ACFE, we think the ACFCs, the IECECI, which I know the IFCI already does information sharing for the 314(a), which is with law enforcement. So being able to expand that with the 314(b) is really cool. As well as any of the other associations, maybe even the Knoble. That's one that would be really cool to start seeing some information sharing coming from. So. Absolutely. I think it opens it up.
That's exciting. And I get why everyone was freaking out about it yesterday.
Yeah. Because it's, it was like finally.
Yeah, yeah. It kind of came out of the blue and you know, it's six years later and a lot has happened in the world of fraud in the last six years and, and you know, there's just so much going on that it's important that the government catch up.
You know, I think that you just made another valid point. I think that, you know, there are some nonprofits that we are familiar with as well that I hope that they become more involved in these association type things so that they could share that information too. I think that'd be one of those things that would just be phenomenal. The one in particular I'm thinking about, of course, is Operation Shamrock, where they are constantly receiving information on accounts, you know, that are, have either, you know, facilitated the money movement or participated in it in some way. And it'd be great to get some information coming back from organizations like that. So I think that's great. You know, if we could get them involved in some of these associations to then share, that'd be really cool.
Yeah, that's a good idea. I hadn't actually thought of that, but yeah, it'd be great to get them involved because, you know, they're seeing it on the ground from the victim before it's hit law enforcement or bank, you know, their bank or anything else like that.
Yeah, I just think about, like the way that they are already communicating and like some of these crypto platforms that are already communicating with law enforcement to say, hey, here's, here's a wallet that was used. Can we get an investigator on it? Imagine being able to do that as well. For the financial institutions with the information sharing. It's a phenomenal approach.
Yeah, no, that's. That would be great.
Well, that's exciting that they're moving forward. I know that there's been some forward movement from the Department of Justice on, you know, trying to prosecute some of these cases. I know that Google just filed lawsuits against, I believe it was Chinese nationals that owned a phishing platform called Outsider that was responsible for. Let me look at my notes because it was a crazy number, but it was responsible for the theft of over 3.87 million credit cards. And it was like over $1.9 billion in losses. And it was this one channel on Telegram that provides all the phishing resources you need. Right. Like to create a fake website or if you need hundreds of phone lines or, you know, whatever you need, they can provide it. And while law enforcement isn't going after them, Google is. So, you know, that's a start too. But you know, I was, as I was saying the Department of Justice has been cracking down more on fraud situations and these large scale operations. And I think the combination of that along with FinCEN saying, okay, fraud's bad enough. Now where we need to clarify this 314(b) and say you guys are good to communicate these things. And in Europe they have GDPR and one of their exceptions is for fraud as well. You know, hey, you need to keep things, you know, very private. But if it, when it comes to fraud, you, you can pursue that. So, you know, you can share Information as well is really what, you know, they say gdpr, you can, you can also cancel accounts due to GDPR due to fraud under GDPR as well. So it's, it's nice to see some of these governments catching up. I mean, I think that there's a long way that we can go, but it's nice to see, you know, them catching up and maybe listening to the industry too, who's just been saying the same thing over and over again.
Absolutely. I would like to give a bit of clarification on the onboarding piece that I was mentioning earlier. Yeah, I feel like I maybe missed a piece of like the conditional aspect of that. So I'll give kind of a scenario for it. If you think about like a community bank is onboarding a new business customer and they notice, you know, know, multiple identities that are tied to maybe the same device, suspicious IP addresses, connections to the known mule activity, and that the fraud indicators are kind of suggesting that it's maybe synthetic identity or account abuse. The bank could potentially contact another FI under 314(b) and ask, you know, we are evaluating whether to establish an account relationship with XYZ llc. Have you observed activity involving this entity that may relate to fraud, money laundering or other specified unlawful activity? And the, the reason why is to, it's especially relevant because the 314(b) explicitly allows sharing information to determine whether to establish or maintain an account or engage in a transaction. You know, FinCEN has long recognized this use case and the 2026 guidance further clarifies that suspected fraud falls under this scope. But again, there are the four conditions. One is that both institutions must be registered for 314(b). So you simply, you can't just simply call any bank, right? You need to verify that they're registered participants. There also has to be that reasonable basis for suspicion. So this is not intended for like routine due diligence or tell me if this customer is good. There should be fraud, AML or illicit activity indicators.
Fenceland does not require that certainty, but it does require the reasonable basis. The third thing is that the information must be used only for permissible purposes. So, such as identifying illicit activity, whether to establish or maintain an account, and then the supporting of AML compliance. And then the fourth thing was you still cannot disclose sars or reveal that a SAR was filed. So you can't say, you know, we filed a SAR on this customer. But what you can say is we've observed activity consistent with mule behavior and suspicious transfers. So again, I think that I suspect that we'll See more formalized 314(b) on boarding request emerge especially for those suspected synthetic identities, business account fraud mule activities, high risk fintech relationships and any kind of like first party fraud rings. I think historically, right, many FIs were hesitant to make these calls because they viewed 314(b) as strictly AML terrorist financing. But the new June guidance explicitly clarifies that fraud may encourage more proactive collaboration. So I just wanted to make sure that I called that out because I felt like maybe I was a little too broad in that earlier example.
Yeah, no, it's interesting. It kind of makes my brain go two different directions. So one of them is, you know, we have something similar in the credit card processing world on the acquirer side, which is called the match list. And whenever a new, but this is more. I mean you had said that it's not to replace, you know, it's not to be in your SOPs, right. It's not supposed to be every single time. But in this case whenever some, an organization or an entity applies for credit card processing, the credit card processors have to go out to the match list and see or it's also called TM math list. I think that you know, to see if they've been shut down for fraud before, you know, they've had their account, their merchant account closed for suspicious reasons or confirmed reasons. The other thing that made me think of was just how, how it will really be helpful to a lot of companies to be able to, you know, validate themselves. Right. Like hey, we're seeing this suspicious behavior. Is it really as suspicious as we think? What does the other bank see from the other perspective getting all of that information? But one of the other things I see is do you think this is going to require more manpower on the financial institution side or can it be done with aging? You know, I mean as far as the manual piece of calling up another bank or sending them an information request or whatever it is. Or are you, are we just talking about using vendors that are 314(b) compliant that would say hey, go to your vendor in these cases, I guess just what's the workload on that like? Or do you know?
Well, I can just say from my personal experience, I think the workload probably going to be about the same for most fraud fighters because we were, we like to skirt the line because we felt like we needed to be proactive in that and Right. Would just face the repercussions from our compliance team. So I'll say that. But I do think, you know, you mentioned agents. I don't think that agents will be the ones responding or requesting the information, but I do think that they will be escalating those for review for the investigators to look at. Like, hey, this one, like, maybe we do onboarding and, you know, we're trying to do the due diligence. And then something just seems odd. It's flagged as, you know, potential synthetic identity, or, hey, this business was just opened and just established. Like, but we do see that there are other financial institutions attached. Something seems kind of odd here. Why are they opening up another account at another FI? You may want to reach out. And so just with all the indicators, again, utilizing behavioral biometrics, too, to say, hey, this device just kind of is doing some funky things. Maybe we just need to reach out and ask the other FI. Hey, we think that something's kind of suspicious going on. Can you confirm? Are we going crazy, or do you see the same thing? And so then it just becomes that collaborative effort that fraud needs anyways in order for us to be effective.
That's great. Well, thank you for coming on and explaining that in more detail. I think it will be interesting to people in the financial institutions in case they didn't see the update guidance or maybe they didn't fully understand the fine print. But I also think it's interesting for, you know, online merchants or, you know, other sectors of fraud prevention because we're able to say, hey, you gave banks permission to do this, so, you know, I would like to also have permission to do this. Or, you know, how can we do this in a different way? Now, there are some fraud tools that have consortiums within them. They only will apply to the other merchants that use that same fraud technology. So there's not, you know, but usually merchants, while they're not regulated and they don't have FinCEN over them, their privacy officers or their legal team will say, no, no, no, don't be sharing any of that information, you know, on a phone call or in an email or anything like that. So similar issues on both sides as far as, you know, sharing information. And it's always very frustrating that fraudsters have no hoops they have to go through. They don't have any of these guidelines or, you know, laws or rules or privacy officers or anything else. But it's what we have to do to play by the rules and, you know, that we're given and. And do the best we can.
I agree completely. I'm so excited, though. I think that we're finally. The industry's finally moving in the right direction. Right. We're finally there where everybody is, starting to pay attention now to fraud, which is why I think, you know, I'll call it back out of the benchmarking, I think is just so important. But also just the way that you show up in your organization. I think culture's everything. Making sure that you show up consistently. I'm the fraud person. We've gotta, you know, have this, you know, the way that we conduct business. We wanna be consistent and we wanna make sure that when people reach out, they're gonna get the same Hailey that they get all the time. Otherwise, it's hard to build relationships that way. So I think in fraud, it's super important because you have one time to be too passionate and then you lose the buy-in from executives. So just making sure that you are consistent in your approach to how you have those conversations internally.
That's a great note to end on. Well, Hailey, thank you again for joining me on the OG Fraudology podcast.
Always. My favorite podcast.
Oh, I always enjoy our conversations whether they're on air or off air. But I will, I think everyone knows how to find you. You're most active on LinkedIn, but I will try to remember because I haven't been good about this the last few guests, but I will try to remember to put a link to your LinkedIn in the show notes. But people can find you just looking up Hailey Windham. I think you're the only one that's in fraud, so you're easy to find.
Okay, good. Yeah. Thank you again so much for having me on and for letting me talk through this. It was a topic that I was already really excited and geeking out about. So when you reached out, I was like, for sure, we can talk about it. So. Always happy to have a conversation.
I'm glad I wasn't assigning you a research project like I accidentally did to Frank.
Oh, no. Well, I'm sure he dove into it anyways.
He did. Head first, but I felt bad. I thought he already knew about it. So I was like, hey, can we talk about it this? And he was like, sure. And then he tells me I did a whole, I researched it all weekend. And I'm like, oh, no, I thought you knew. Oops. All right, well, I will talk to you again soon. And to everyone else, I will talk to you again next week.