Transcript
And joining me for today's Executive Exchange is James Simcox, the COO and CPO at Equals Money. James, welcome.
Thank you for having me.
Now, before you and I talk about the importance of security and innovation, would you mind just introducing yourself to our fans here today, a little bit about you and your role and what being a COO and CPO at Equals Money means?
Yeah, sure. So I'm James, and I'm the Chief Operations and Product Officer for Equals Money. Equals Money is a UK and EU-based payments business. We help businesses with payments, cards, both for themselves and for the underlying customers, which gives a really interesting dual role of having to look after our customers, but also protect then their businesses and their brands as well. Ops and product is an interesting combination, but I do everything from building our products for customers the whole way through to customer service.
Well, to kick things off, we're going to talk about this new thing called AI. So there's a lot of pressure for companies to adopt and embrace AI, but there's also a lot of pressure to move fast, and sometimes people can leave security behind. So can you tell us a little bit about maybe how that's shown up in your world and how you guys are thinking about it and addressing it today?
Sure. I think not an hour goes by without someone saying, oh my God, guys, we should use AI for this thing.
Yeah.
And I love my teams using AI. It's fantastic because it really helps us be more efficient. But it's almost like AI tools are designed sometimes to make you want to overshare with them. It's so easy just to click a button and link up your Slack or link up your email. And so as a business, we have to put a big framework around that, making sure that not only are the tools we use approved by the business and we deal with the security elements of are they training on the customer data? What does their privacy policy look like? Everyone goes, oh, AI is a new thing.
Well, actually, we treat it a lot like just buying traditional software when it comes to approvals. But then also building that framework around our staff, understanding what they can and can't do is really important. And we kind of view it that you own security everywhere in the business anyway. AI is just an extension of that, right? But it is very easy, I think, sometimes to overshare with AI.
Oh, for sure. Now, you've mentioned before the necessity of invisible security. So you're delivering that seamless customer experience because as you mentioned in your role, you're working with a customer from end to end. So how do you avoid adding too much friction but also creating just enough so your customers do have that safe environment for them to have a great experience but also know that their information and identity is being protected?
Yeah, I think a lot of businesses like to put the security at the front door, right? For a long time, we've all thought if we protect the entrance to our platform, let's just do like protect the login. That's the important thing because then once the customer is in, we know who they are. We know, though, that that's not how it works. And the bad guys are very good at getting information out of our customers, whether it's just logging in as them or tricking them into doing things they shouldn't do. And so we've tried to take a really balanced approach where we put 2FA up front to keep customers safe, but we have to also account for customers that are vulnerable, so we can't make them use passkeys and we can't make them use newer methods of security. Some customers don't even like email links for passwords, right? That's not how they like to work, so we have to account for those customers. So what we do instead is use a whole bunch of risk factors that we get from Auth0 that we then feed into other systems.
So a customer signs in, great, it's a new device, it's a new location, but they use their usual 2FA method, so it's probably fine, right? And we'll let them in the platform there, but we feed all that information about the device, where it came from, everything else into our risk platforms so that when it comes to them making a payment that's a bit too big or it looks a bit unusual, we're actually taking the information from the very start of their journey, the whole way through to the end, and we go, hang on a second, this looks like either something we found before somewhere else, or it just needs a further investigation, right? And so we've tried to pull as much of that security as we can to the point where the action's actually happening and not at the login, because I think at login you can be very arbitrary and you catch a lot of customers that are actually just your real customers.
Yeah, I may have forgotten my password a time or two being in another country. In the payments world, account takeovers is a major risk, so how are you thinking about it and how are you going from being reactive to proactively thinking about it and building it into your product roadmap?
Yes, for us account takeover is a big problem, right? We see it all the time where people try and get into accounts, because if they can get into a customer's accounts, they don't just walk away with data, they actually walk away with the real money, right? If they can affect a real payment that we push off, that cash is gone. And so for us it's really important to protect customers against that account takeover piece. I think in the past we very much were looking at how do we add as much friction as we can at login journey to make sure that it's the customer, right? So whether it's pushing customers to use, say, passkeys as a thing we try to use for corporate customers, or going, this login's weird, let's have an email that you might interface with.
We do that sometimes, but it's really, really much important for us to just feed all that data and all that reporting into our other systems in the business, whether it's our transaction systems, whether it's our other security reporting systems, to try and spot patterns across customers. Because normally account takeover isn't a single person. It's normally quite orchestrated when you look at how it works. We've seen cases where people build login pages that look exactly like our customers, they're paying for Google ads that look exactly like us, and it flows the whole way through. So it's not just someone calling you up and trying to take your account, it's actually quite well orchestrated. And so it's kind of professionals there, so we have a really professional approach to handling it in the background.
Totally. It's like you're looking at that customer journey, and there's so many different touch points where bad actors can be gathering information to position to do an account takeover, which is really scary, I'd imagine.
It's terrifying. We used to see you call up and say, hey, I'm calling from Equals, give me your password in the olden days. Now it's so much more well orchestrated. And actually AI's not helping us, right? Because with AI agents, you can actually behave like a human in that login journey.
Yes.
And so what used to be really obvious, because it's a bot, and they're just attacking the thing, and you go, well, you're a bot, come on, go away. Now it actually can look like a real human login journey, because agents behave like humans. And it's kind of, well, it's really helpful if you and I want to do an agentic payment, great. It's not really that helpful when we're trying to stop people from doing bad things.
Right.
No, I think, I mean, again, with security and innovation, it's like we're embracing AI agents, but with that comes a certain risk and vulnerability that impacts businesses as infrastructure, but also how just you're thinking of that customer journey. It's actually, I'm curious, in the payment space, like many other industries, we're seeing this huge transformation with agentic AI. So customers can start delegating their tasks to their own personal AI payment system. So is this something you're seeing already? And what do you think the industry can do to start preparing for these shifts as we're embracing more agentic AI?
So we're definitely seeing the shift. I mean, even just this week, the first agentic AI payment happened in a conference in the UAE somewhere, MasterCard. I don't know if it was the first, but anyway. But we're definitely seeing that shift happening. And we know that our customers are going to start using agents a lot more. One of the challenges we have, I think, in that space, though, certainly in the payments industry, is there's a whole bunch of standards that everyone's creating right now, right? There's X402, there's agentic commerce protocol, there's others out there. And until we standardize on one of those things, it's going to be very hard for us to build our products to make it work for the customers the right way, right? There's also this whole DIY builder and agent type product out there, right? Anyone can go online these days and search, oh, agent builder, and do a thing. And what we'll start seeing is people trying to do things that seem innocuous to them, like, oh, let's build an agent that will help me make a holiday and then pay for it, right? Great. But that then starts meaning they might hand over all their login data to this random third-party agent, which they have no idea about what it is, what the security is like behind it.
And so I expect we're going to see a lot of kind of more sophisticated account takeover approaches from those kinds of agents where people just hand their information across. It's like the old days of screen scraping before open banking came around. People used to just literally hand their bank details over to a service to go and scrape their account information, which is terrifying because someone's logging in as you. And what happens if that person logs in as you then makes a payment you didn't approve, you didn't ask for, or you wanted to pay a maximum of $1,000 for your holiday and they spent $10. Like, how does that work? How is it regulated? Right. And there is just no regulation on that currently. And some countries have laws that will compensate consumers for things like that, but we haven't got the framework or the rules or an agreed standard or anything yet for that space. So I think we as an industry really need to get there quickly because otherwise we're going to just make it easy. Customers looking for an easy answer will just take the easiest route, which definitely isn't the most secure route for them.
Right. And I think people are embracing AI and they're excited. So they're, to your point, building agents or logging in and testing out new technologies. But with that comes kind of this inherent risk of, is it secure? Does the agent know when the job is done? Is it secure? And that's kind of this open-ended question that people might be walking into without knowing the answer.
Absolutely. And I also think, like, think about the amount of due diligence we do as a company on, like, AI product we bring into the business. The average person at home doesn't do that. How many times have you read the privacy policy or the terms and conditions?
Obviously, every single time. Every time. Every time. Of course. I check that box with full consent.
We don't read them. Right.
And so you could easily be handing over all your information to a completely scammed product, which is only there to collect your data to go and do things. Right. But because we think, oh, AI is great. It's going to really help me out. Actually, I think we'll have got a much lower barrier for what they're going to give across. You wouldn't just email your bank password to someone, but you'll happily give an AI agent your bank password potentially. And that is a concerning place for us to be.
Huge risk. Totally. Now, it's interesting. We've talked about kind of the customer journey and how you're thinking of it for your customers. But what about your employees at Equals Money? Are you finding that there's the same kind of rigor applied to your AI policies there? I know we talk with customers and there's concerns around, like, shadow AI or shadow IT. I think early on there was a lack of guidance or compliance for some companies around how to embrace AI. So going all the way back to us talking about that customer journey, how are you thinking of your employees? How are you enabling and empowering them to use AI to streamline their day to day?
Yeah. So it's really important for us that we can let our staff integrate the tools they need to their products. It's very easy just to click on those AI things and integrate it across. But if you're an admin on our CRM, let's say, you might have access to everything. And when you're really struggling to get that AI tool to work, you might say, screw it. Have all the permissions I have. Use my admin account. See what happens. And that can be the right thing to do in the dev environment. But it's definitely not the right thing to do in the production environment. So I can't have the staff just looking across every single platform to see if every single tool has the right identity or the right access it needs for the role it has.
That's why I bought Okta's Identity Security Posture Management tool to help us secure those non-human identities in the platform. And that's how Okta helps us secure AI. We have a monitoring layer across every single thing we're doing all the time, which tracks if I give access to something, then we know straight away. And we can check, is that the right tool? Is it not the right tool? Right access? And we can intervene at the point it happens and not just some annual IT audit a year later. And we go, oh, turns out, had admin access for an entire year. Who knows what happened? Well, it's too late now. So, you know.
Yeah. It's powerful. You want your employees to be able to move quickly and securely so they can innovate and focus on that customer journey while still getting their work done.
Exactly. It's really important for our staff to move really, really fast, help our customers, but do it in a really secure way. And that's how Okta helps us out.
I love to hear that. James, thank you so much for joining us today. It was really helpful hearing your thoughts on security and innovation. And we hope you'll join us again soon.
Thank you for having me.
Thank you. Thank you.