As Capital One’s Tom Poole, Prove’s Rodger Desai, and Citadel’s Chris Palumbo tell Karen Webster, the next era of payments will erase the line between identity and transaction. Authentication won’t feel like a step in the process. It will be the process itself, where trust has to be built in, not bolted on.
Transcript
This is PYMNTS ON Air, a PYMNTS podcast, in-depth conversations, expert panels, and exclusive research brought to life by PYMNTS Intelligence. In this episode, Capital One's Tom Poole, Prove's Rod ger Desai, and Citadel's Chris Palumbo sit down with Karen Webster to talk the next era of payments and how it will erase the line between identity and transaction. Authentication won't feel like a step in the process. It will be the process itself where trust has to be built in, not bolted on.
Karen WebsterFor years, the goal in payments has been to make the experience invisible. Tap or click and then done. But as real-time payments in embedded finance turn every interaction into a transaction, we've learned something. Invisible payments become less so without identity solutions that build trust. So today we're asking how do we move from bolted-on identity, the codes, the passwords, the text messages that make identity a source of friction, to built-in identity that's seamless, secure, and scalable. To have this conversation with me today is Tom Poole, Senior Vice President Digital Payments at Capital One, Rodger Desai, the CEO and founder of Prove, and Chris Palumbo, the Chief Risk Officer at Citadel Credit Union. I don't usually start with a softball question, but I'm going to kind of start with a softball question because in order to think about what we need to be thinking about that's different, I think we need to start with really getting a very good understanding of what's broken about what we're doing today. We all complain about identity and authentication, but I'm curious to get your perspective as those who are in the business trying to both balance fraud and friction-free experiences for your customers. What's fundamentally broken about what we're doing today? What's the weak link? And Tom, I'm going to start with you.
Tom PooleSure. It's a great, I don't know if it's a softball question, Karen. It's a pretty wide open question, right? There's a lot of things that that aren't aren't quite right. But I look, when I look at it, I think it's can consumers do what they want to do when they want to do it? And I think if you look at the low end of the transaction spectrum and what consumers want to do, I think we've got that pretty well handled. Fraud isn't a significant concern. The transactions are frequent, they tend to be lower, dollar volumes, um, bank services fully consider that. I think it's when you start getting to the high end of transactions in terms of this of the size, uh, the different circumstances where the consumers want to do it, where they're not necessarily uh it's not the normal pattern that they follow. I think it's at that end where you start to find that trust breaks down and banks are throwing uh considerable friction in front of consumers. Oftentimes it doesn't make sense, especially if you look at wires. You and I had a conversation once about the number of phone calls you have to place with your bank to conduct a wire transfer at the very extreme end. To me, that's that is the place where you see a lot of weakness and customers not being able to do what they really want to do are encountering endless and frustrating friction.
Karen WebsterSo low end seems to be okay. Higher end, and we'll define what higher end means and the friction that is is is part of that, is is what you think is the is this is the sticky part. Rodger, what about what about you?
Rodger DesaiSo it approved we both have the belief that identity verification and authentication should be kind of fused together. And that's kind of um the inherent problem. When you ask people uh questions about themselves because they can lie, we you know have to balance uh convenience and security. And that's the problem with the internet. You're constantly, you know, kind of trading one thing off the other. And I think if you kind of uh fuse those things together, uh you don't have to make that trade-off. So one of the things Prue's kind of pioneered is you know, how do you uh lean into authentication keys? And if you know who owns and operates those keys, you can make things both convenient and secure.
Karen WebsterThe qu the the knowledge-based questions I find frustrating because I don't always remember the answers. So that's the problem. And um I I'm sure we've all had that experience where it's like, did I really, did I really own that card? I'm not sure if I did. Um, but um, but I I think you know, making it, you know, part of the experience um is is important. I think your point is is bringing both both together is is really relevant. What about for you, Chris?
Chris PalumboFrom my perspective, um, one-time passwords still work for many of our members. It's a bit of a messy process, but the big thing to consider is that trust really starts to erode after there's a single compromise incident when they're using one of these passwords. Um, and as we've talked about in the past, uh there's a lot of steps in the process to get and use a one-time password. Um, you know, email OTPs regularly get lost in junk email boxes. Um and it's also a challenging process if a consumer is using their phone when trying to make a login attempt while also trying to get this password. Um, but generally in the grand scheme of things, um, you know, in my opinion, just a small price to pay for you know peace of mind and security.
Karen WebsterTom, I I want to turn the conversation back to you and and something that you guys have deployed, which is um your air key solution, which actually turns the payment card into a bit of a hardware authenticator. Why did you decide to build identity into a card rather than the phone or an app? I mean, isn't the card kind of a bolted-on identity solution?
Tom PooleSo we, you know, we the environment we were staring at, uh, you know, leading up to the invention of AirKey, which is now seven or eight years running for us, um, was an environment where we saw you know, we essentially commandeered a number of channels if you really step back from what email OTP and SMS OTP are. We commandeered these channels first from the email providers, then from the mobile network operators to deliver messages at a broad scale to customers, something that could essentially reach everybody. Everybody has an email account, everybody has SMS. But over time, we kept seeing these were susceptible to attack. So I think we were really asking, hey, what else could we do that would reach as many customers as possible, something everybody would have? And the answers were sort of thin at the time. Um, and so that's we asked ourselves, well, why not the card? Now keep in mind, air key is the card, but it's the card talking to the phone. So there's a there's a duality to that where both things have to be present, and it's in that intersection that uh Karen has her card. We know that's Karen's phone. The intersection of those two things became to our eyes almost impossible to beat at scale, certainly, arguably very difficult to even even beat from a fraud perspective at an individual level, simply because those two things, getting the same, you know, the same products for the same customer in the same location to make that connection is exceptionally difficult, right? You're you're essentially having to hijack the phone, but then get the corresponding card for that customer. Very difficult to do uh without a very determined effort, again, not scalable. So to us, that made a ton of sense. Now, you ask, why not, why not lean more on the phone? Look, I think as time goes on, it seems to me more and more value and access to value is stored through our through our phone device. And so we we anticipate that that will become a greater and greater source of attacks over time, is number one. And then number two, the phone isn't a native bank. Bank bank doesn't have any connection to your phone other than our apps and our websites. And so we don't know when when things start out in a relationship, we don't know whose phone it is. When you upgrade or change your phone, we don't know whose phone that is, if that's really you or if that's Rodger masquerading as you attempting to convince us that you've upgraded your phone. So there was this, there's also a piece of well, the phone is great. We very much wanted to establish trust that that device was yours. And that's essentially what Eric does is it is allows us to say, hey, those two things, same place at this moment. And that trust can carry forward without a lot of additional taps. Once you know that, you can preserve that trust and keep it going and keep friction out of the process for a pretty long time in a way that wasn't possible if you were just, you know, having to triangulate. Is that really Karen's phone?
Karen WebsterRodger, kicking it to you, you and I have chatted about this and you've described this new identity world as key based, past keys, sim keys, device keys. How does air key fit into your definition of this broader orchestration model using different technology to verify and authenticate identity?
Rodger DesaiThat's a great question. I think uh for sure, um, one of the tenets we believe, especially as we get into you know, um more and more of a digitized economy and get into agenda commerce and all sorts of crypto coins, um, keys are gonna be essential to sign transactions. Uh where air key is special, um like the problem with keys is that as Tom said, um there's life cycle events where keys uh change hands. Like you know, getting that new phone, as Tom mentioned, is a pretty risky event because you just don't know if it's you know Karen or her new phone or me pretending to be Karen. Uh until uh Elon puts uh chips in our heads with Neuralink, you're always gonna have this issue of key management and knowing uh you know, uh ultimately you just want to make sure there is a key bound to identity that you can cryptographically authenticate. The problem is uh again, keys change as you change phone numbers, get new phones, get a second phone. Um the other issue is um um uh consumers have uh preferences. I my mother probably will never use a pass key. She's always gonna rely on the simplest form, like a voice OTP, which is probably the least secure of all the things. Um but I would definitely use more modern things. Um and my son, who's 16, for sure, will use more modern things. So Air Key fits a special place in those moments of transition. Uh-huh. You know, how do you like ultimately I think the goal is you want to keep the consumer out of the security business. And I think that's the fundamental flaw that the fact that we involve consumers in securing themselves is the problem. What AirKey allows you to do is during those high-risk events, you know, you can tap and all of a sudden you're recognized. You know, uh, it's you on your new phone. You know, I I won't mention the name of the brokerage I use, but even this morning I was trying to do something and uh I had to go to a the semantic app that comes as companion to type in the number. And I forgot that I had upgraded my phone so that it wasn't working. And now I have to call their call center to reassociate that semantic app that generates that number to my new phone. That's you know, that's certainly not a great experience for me and uh opex that they shouldn't be spending. Um so I think Eric is it'll be consumer choice. I for sure would make a part of how I authenticate. And then it's definitely great for those times of transition because I don't really want to be bothered calling a call center.
Karen WebsterChris, I want to bring you into the conversation. How does this sound to you? And as a I I know this is not something that you currently support, but but how does this register with you when you think about your members who really just want things to work? They they you know don't want the friction, but you also don't want things that can unduly you know foster a fraudulent experience either.
Chris PalumboRight. Uh you know, Karen, another good question. I you know, I honestly at times I think credit unions are seen as kind of stodgy or outdated or not technologically savvy. And you know, for many that that is in fact the case, but you know, at Citadel and a significant number of other credit unions across the US, we really are operating as uh Tom and Rodger have mentioned, really trying to operate on the forward edge of technology. You know, our members they prefer options, they enjoy the value of in-person or interpersonal relationships, VR branch networks, but simultaneously, they also value leading edge technology solutions that help enable the broader relationship, to enable greater security, um, you know, exactly as Tom and Rodger have described it. Um, and for all of us, you know, whether it be credit union, a community bank, large multinational organization, um, what we're talking about here really is particularly important as we work to attract younger member base who are really technologically savvy, they're looking for, you know, kind of that the new and innovative way to get things done in their financial lives.
Karen WebsterSo is is this is this something that, I mean, there there still is this, I have to produce the card. And I'm not sure when I'm gonna have to go digging around for my card. So I realize that the chances of doing that are probably not every day, maybe not every week, but there is still this idea that I have to have my card handy and I don't always have my wallet with me. Although I always have my phone with me. So, I mean, how do you how do you solve for that consumer experience? I mean, Chris, from the perspective of what you're doing now and how you evaluate new solutions and Rodger and Tom about how you think about deploying this inside, you know, inside the bank and inside other financial institutions.
Chris PalumboI'll just say from my perspective, Karen, I think as I mentioned, it's all around options. You know, there are some members who, you know, or customers have their card, they have their phone, they're um perfectly capable and willing to spend the time, you know, using both to consummate a financial transaction. There are others who would prefer, as you've described, to really only use their phone. And I think, you know, ultimately here as security practitioners, as fraud practitioners within financial services, it's up to us really to be able to create those options for members and customers so they can transact, you know, kind of on their own terms in the way that they really would like to, and they would would prefer to.
Rodger DesaiI'll jump into some from practical what you're mentioning, Karen, is just the practical utility of like, oh, and I have to remember to do this. Um, yeah, first, like the younger you get, you'll see my son and his friends all put their cards on the back of their phone. But like think of this, like think of like I'm gonna have to call this brokerage. Um, imagine while I'm waiting on hold, it said, hey, if you have an air key, just slap that on the phone and you can hang up. Right. Or that you know, you still have a lot of banks that because um of out-of-pattern transactions, you know, buying lunch for you know, a colleague in Tokyo, you never do that. You gotta decline. You know, what if you just tap the air key? Like it's it's you're gonna start realizing it's a tool uh for those high-risk or painful friction points that, you know, again, um, as Chris said, it's an option. Um, but I kind of like that option. I'd rather slap the card on my phone and not wait 20 minutes. So I think you have to look at it like that.
Tom PooleIf you if you really sort of look through those moments that are number one, you have the card handy anyway. So we talked about activation. Clearly, people have their cards out in that moment. They're usually taking the code off the back or doing something that's lower than security.
Karen WebsterThat makes sense.
Tom PooleYep. Uh you know, we find for through for network step-ups where you're challenged on a transaction and you're forced to enter a code, we find that's a moment when people have their card. And that works. Um, and by the way, it annoy it avoids sort of nasty declines because so many of those transactions are very high risk. The fact that they're showing up there is an indication. So you get there's also this category called I can do things that I before you would have just said no. Um, whether that's higher Zell transfers or whether it's it's big transactions that you know, you're trying to buy a television at Best Buy and you're challenged on this, you know, Eric allows us to do more for customers and say yes more than we could otherwise. But then you get to this category of things where there's just incredibly high friction. And to your point, that is the standard. If it's if it's choices, great. I agree with Chris. We find there's just some customers who understand it better. And Rodger, my my 85-year-old mother is absolutely in this category. She would, even though it's new technology, she would get tapping a card to a phone in a heartbeat over a host of other alternatives. That would make sense to her. But there is this. Um, you find there are a number of things, whether it's waiting on phones to deal with transactions, whether it's you know, and it steps both inside and outside of banking, whether it's just these high-risk moments you mentioned, Karen, in our in our pre-pre-calls, uh, wire transfers are exceptionally lengthy. Um, we've all seen those cases where banks sometimes ping you two or three times consecutively for SMS text because you're going through steps and the last step doesn't recognize where you were in the process. Um, and so it's really looking for those moments as opposed to trying to just simply offer this as a substitute for something that works pretty well today. And certainly SMS one-time pins tend to work well for a whole host of transactions. They're not super high fidelity, but they're they're generally good enough for a lot of things. And I don't think you'd use ERC in place of that because it's so quick to enter that at the moment, um, so quick to sort of respond to that, that most customers would choose that. But again, there are many cases. And I think when you when you sort of become aware of it, you realize how many times your life is interrupted by onerous processes to do things you you recognize are risky, but just feels like way too much work. Um and I think that's where Earchy is going to thrive.
Karen WebsterSo I want to go back to something Chris said, which is options, right? Optionality. You've all you've all referenced it as it's it's an option. At least for now, it's not the only way to do this, which which suggests that you, you know, everyone has to support multiple ways of authenticating, verifying and authenticating a consumer. Um, first of all, how do you support these different layers and these different experiences, especially from the consumer perspective, who may have obviously different relationships with different financial institutions? And so there's a fragmented experience across the portfolio of card products they're using. But also, is there a tipping point where there is this decision to say, you know what, this is a better experience for both the cardholder, customer, and the financial institution. And so I'm just going to go all in and make this something that I want to be the default. Chris, I'll start with you.
Chris PalumboKaren, as you know, in financial services, um, obviously we've got members and customers who have varying preferences across the entire servicing spectrum. So, you know, I don't think that there's, in my opinion, there's not one size fits all. And I don't think um you can only go all in on any one particular type of either verification or way to service, you know, the consumer. Um, as we've talked about, we need to provide options. Some consumers choose to interact with us in branches, others choose to interact with us in via the call center. Um, we at Citadel have a video chat capability as well, um, you know, online through bots and um and various chat mechanisms. So, you know, each of the channels that we provide in terms of interaction needs to be um, you know, we need to have a specific way to verify that our, you know, the consumer is who and who is in fact that they say they are. Um and as we've talked about, some of those um mechanisms require a little bit more friction, and some of those mechanisms uh allow less friction. But either way, you know, ultimately here the goal here is to make sure that we're protecting our customers, we're protecting our members, and that um not only can they have the most seamless interaction with us as humanly possible, but we're also protecting their financial well-being.
Karen WebsterSo Tom, what are your thoughts? I mean, you obviously um have implemented this, use it, um, but you have to support other methods as well.
Tom PooleYeah, look, I think there's not a fraud professional in our industry or any anywhere adjacent to our industry that wouldn't say you need to have multiple tools available. Um at the end of the day, sometimes customers, as you pointed out, they may not have their card handy. So just relying exclusively on air key would leave our customer unable to ultimately do the very service that Air Key is designed to protect or it's designed to serve. The thing they want to do, the you know, nobody comes to a bank or to any institution for purposes of authentication. That's not what they're paying for. If they're paying for the service that's on the other side of that. So having choices really matters. I think we're also keenly aware, for anybody who's been around this industry a while, how quickly choices can quickly uh can be found to be insecure and need to be abandoned. We've, as you pointed out in the beginning of this call, out-of-wallet questions. We've had to abandon those. Why? Because fraudsters knew the answers to those better than our customers did. Um, and so there's a graveyard of these tools that didn't work. And it's getting faster now because you see tools like uh selfie match being beaten by AI, maybe not at scale yet, but suddenly the technology that I thought might be a real winner in the industry is suddenly showing some cracks and vulnerabilities at the margin. Um, not to say that tool won't be valuable, it probably will, uh, but it shows how quickly that the dynamism of the opponent we're working against as a collective industry, how quickly that opponent can quick, you know, can find solutions to overcome whatever barriers we put up. And so you've got to have multiple tools to respond to those moments.
Karen WebsterRodger, your thoughts.
Rodger DesaiYeah, I think uh Chris and Tom said it well. Um maybe uh something to add is um you know tools are there to adapt to the things our you know the customers are trying to do. I just see more and more complex, out-of-pattern transactions you know, over time. And that's why you have to have more advanced tools, especially as we get into agenda commerce. You know, I see that um every year we have a lot of interns. They're all you know using AI platforms more than Google to search for things. Increasingly they're asking for things like you know, the cheapest flight to Tampa, things, things like that. Uh if you imagine how authentication can get done in an environment where you're telling an agent to go do something for you that may happen, you know, may happen a minute later, may happen a month later, may never happen if you're trying to hit a certain price point. You know, the tools have to kind of adapt to uh the experiences the consumers are trying to do. And ideally with the most security and the least friction. Um so I think Eric and these newer authenticators are a fantastic way to kind of you know to address those new experiences that people are gonna expect from their financial institutions.
Karen WebsterWe we talked in the beginning about um invisible payments invisible invisibility, identity being invisible, at least in terms of authentication. Do you think the consumers need to feel something or see something to feel that they're transacting? And maybe this is more at the higher end, the more risky transactions, to feel that this is in fact something that someone on the other end is paying attention to to actually feel comfortable making that transaction.
Chris PalumboFrom my perspective, Karen, I think that the answer to that honestly depends on the demographic group you're speaking to. You know, I would say that um, you know, folks who might be a little older expect to see things happen that they, you know, that would increase the confidence that what they're about to undertake financially is in fact being you know watched and guarded by their financial institutions. And I think uh folks on the younger side of the generational gap here um would expect that they would see minimal uh types of barriers or friction in the transaction. Now, the interesting thing about that, in my opinion, as you highlighted earlier, is that um my hypothesis on why that's the case is because uh folks have been around the block quite some time, have themselves experienced some type of financial fraud or financial um challenges. Uh, and folks on the younger side haven't seen them yet, and they don't really know how challenging and painful those experiences can be when they do experience them. Um, and I think that over time, as they you know become more worldly in their financial transactions and start to experience some of this nefarious type of activity that goes on, they too will also come to not only um respect, but also look for um, you know, kind of seeing those physical cues of the confidence being there, that the financial institution is in fact, you know, kind of watchful around what's going on as they conduct their financial lives.
Karen WebsterDoesn't it depend on what transaction they're doing? I mean, when you're when you're looking at a transaction that you might put on your credit card, you know, buying a new television or something that's several thousand dollars, you have confidence that if something does go wrong, the issuer is there to protect the consumer. I think when you're moving money out of your bank account, I mean, you, Tom, you mentioned, you know, making a Zell payment, you know, that is money coming out of your bank account. And so depending upon the amount of money, um, I think that's where it gets to be do I need to see something or feel that there's some point of authentication to make sure that it is in fact a legitimate transaction. I mean, I think the bank obviously wants that, wants that as well. Tom, Tom, what are your thoughts?
Tom PooleThere's always a debate with any sort of generational shift that we observe, whether or not it's permanent or or whether it's it's it's just a function of, hey, the age group doesn't have the same exposure risks or profile yet, but they will have that profile. Um, and I think, yeah, my hunch is this one feels very similar. Uh, this one definitely feels like a as soon as you have something to lose, as soon as you amass enough assets, right? You're gonna care deeply about security. And it's inevitable in the climate we live in with more and more transactions being digital. And Rodger's earlier point of hey, the problem with digital is nobody knows if you're a dog, right? I think that's a from a very meeker presentation at one point. Um, and so when you intersect those two things, everybody's going to come to that moment and they're going to be really invested in figuring out, you know, and figuring out who has the best security or um what are the security steps I can layer on to my account uh to make it more secure. And they're going to also have some expectations, especially if they've been defrauded, they're going to become particularly sensitive to whatever type of transaction they're defrauded on. Asking why isn't there stronger security here? I could have, I could beat this if you've ever had one of those moments where you look at what was what you were challenged on and question how secure that really is. Um so uh inevitable, again, in the climb we live in, everybody will encounter that. And I think you're gonna see um, you know, this this isn't a lasting phase that people will expect new and smarter security. Maybe the standards will go up overall from from what we hold or what our our parents before us held um in terms of expectations, but ultimately consumers think banks banks are there to protect them. Um and uh gets more and more difficult, and and banks have to insert some security to be able to deliver on that promise.
Karen WebsterRodger, you you've said that trust is as much about the user experience as it is about the technology that delivers that trusted commerce experience. How does that argue for making identity too invisible? Does it need to be more visible in order to gain and keep the trust of the consumer?
Rodger DesaiUm I just haven't seen it. I think you know, there's an old um adage that if uh most Americans will give you their full social for free shipping.
Karen WebsterAnd I've never done that, Rodger.
Rodger DesaiAnd I I um I just don't see that happening. I think Amazon is teaching us what you know behaviors. Um between all the companies, their amazing experience, Amazon, Apple, they teach us uh what to expect. Um you know, yesterday I was in the airport and it was an Amazon store, which I I didn't, you know. So I just got a few things and there was nothing. I was like, where do I check out? They just just walk out. I'm like, okay. And then you know a few seconds later I got a text with a charge. That was pretty convenient. And you know, I yeah, I think Chris is right. I think like as you get burned by things, you definitely, you know, suddenly realize how um what the world is really like. But I think you know, most most there's obviously lots of fraud, uh, but banks do a great job of mitigating it. And I think most people just want to get on with their lives and expect really simple experiences. Um I just see that more and more. So I just haven't seen that the need for, you know, sometimes the the perfect balance is a great experience and a little bit of security theater, but making me uh, you know, there's still pretty you know, tech technically advanced companies that make you figure out where all the bicycles are. Like that's kind of insane. That's neither secure or comforting.
Karen WebsterOr now now it's putting the uh putting the puzzle pieces together. That's it, that's the latest one.
Rodger DesaiYeah, we're flipping around. Like I'm not like flipping an open around doesn't make me feel like this is more secure.
Karen WebsterNo, it uh doesn't. That's that's one of my favorite things. I I always try to make it less than three seconds to put the puzzle pieces together, see if I can beat my own record. Um, let's um let's talk about air key for for another few minutes. Um so I think you you alluded to the fact that you know it's it's great, it works inside of your environment at Capital One. But if you think about the potential, it has to scale outside of that into ecosystems where it can be more of a cohesive experience as of a fragmented one for consumers. And those relying parties. How do you get to that point? What's needed for that interoperability across issuers and wallets and merchants and other relying parties? Does everyone need air keys? And how realistic is that to expect?
Tom PooleYou know, it's funny. I think banks for years in the US have looked at what could be done in the space of identity. I think it's been said many times banks have the gold standard of identity. And I used to question that statement, but the more I look at it, the more I think it's true. Banks are already, before we talk about any of this, are significantly invested in understanding who their customers are, who has access to bank accounts, who has access to credit lines, because they stand to lose a lot of money, obviously, right? So they care deeply. And they're monetary at 24-7, looking for any signs that something has changed in the in the makeup of that person. So banks have this information. The funny part is, and this gets to the your question you're asking, Karen, the funny part is banks don't have a consistent front end to this. Like a lot of banks have sophisticated models or they have they they layer together six or seven tools. The problem is if you try to sort of string together a consistent experience in the banking industry, you couldn't do it. Everybody would have different levels. And by the way, no bank would trust any other bank because the consistency would vary dramatically by bank. And even further, banks would, fraud departments would say this is my secret sauce. I can't share the cutoffs I have for when I deploy this technique versus this one. What choice I offer it to whom and why? I'm not sharing that with my peer, they're not sharing with me. So to us, air key represents an opportunity to be that consistent experience. And it does matter that it's the same thing. So we see a world that as banks choose to engage, that there is an opportunity for this to be the front end, and it's got to be coupled with some other things, but to be the consistent user experience that lets you register an account on eBay that other eBay buyers can trust, that lets you open an account with Airbnb that people can rent safely to because they know it's a bank verified identity, or rent from because they know it's a bank verified identity. Have a big money movement out of e-trade because you can trust that that's been verified by the bank as one of the levers you employ. So there'd be value in that if you could again have that consistency of experience so consumers knew what to expect. And every bank could have that as a sort of a point of interface to say, okay, if that mark is accepted here, if that works, then heck, we can absolutely, you know, I can use my card, whatever bank has issued it. Um and so again, to me, that's the the the struggle banks have as they try to figure out what do we do with this sort of knowledge that fragmented as we are, we have this great asset, but we just have no way to deploy it.
Karen WebsterSo so Chris, for a credit union like Citadel, um knowing that it's layers, knowing that it's differ different consumers with different optionality, when you think about deploying something that is new like this, is it that is the tipping point for you a critical mass of other financial institutions adopting this? Is it is it deploying the resources and the funding to actually develop and support? Is it consumers wanting something different? What are what are the decision levers that you use to contemplate something new that that might include something like this?
Chris PalumboKaren, a couple of thoughts from my perspective on this topic. So, first off, if you look back in financial services historically, um, the really the linchpin that drove um significant innovation and change um were two things. Number one, the idea, okay, and you know, Rodger and Tom have talked a little bit about Air Key, and it's it's a fantastic idea. But secondly, and in my opinion, more importantly, are the standards, right? If you look back historically, you know, the standards that are set in the industry is really what drives adoption by the financial services institutions, because there is a way for all institutions to be operating on the same playing field. And then it's up to the institutions to differentiate their products within that set of standards to appeal to consumers. Okay. And, you know, so again, look back historically, you could see where that the, you know, having a set of standards has catapulted new ideas forward. And if you look today, um, you can also see where there are stumbling blocks where there has been new innovation and have not been standards, and it's caused some, you know, some hiccups. And you know, two notable, in my opinion, are real-time payments and cryptocurrency. Right. There are no, up until recently, there aren't been really any industry standards which have driven consistency across the industry, which actually makes it hard for Capital One and Citadel Credit Union and Bank of America and other institutions to really go full bore with some of these ideas. Um, so that's one uh point of view I have on this. The second thing is I actually think it takes all three in order to really um move, you know, move the needle in terms of some of these ideas. First off, the standards, which I just talked about, which really uh you know ensures interoperability across institutions. I can take my account from one to the other, and I have you know confidence to know that it can be handled by another institution, as well as it increases consumer confidence around security. The second thing is that institutions need to be willing to make that financial investment to develop reliable and functional measures. And then lastly, consumers really need to see it as having utility, improving their financial lives, and really keeping them safe.
Karen WebsterAnd they need to understand how to use it.
Chris PalumboAbsolutely, which is a big topic, you know, which is a topic we really haven't talked too much about, which is just consumer education. You know, again, in my opinion, I think it is incumbent upon financial institutions to be educating consumers, to educating members, customers around how products and services work. Because if we do a good job of that, I think that a lot of the friction that we introduce could be eliminated because consumers would be more educated on how to engage in certain transactions and they themselves can take measures to prevent being taken advantage of from uh from some of the criminals out there.
Karen WebsterYeah. And they understand how things work, so they trust it more. I think that's a that's a really good point. Um, wrapping up, I I want to just touch on a couple of a couple of quick things. Um, Rodger, you referenced this earlier in the conversation, and that is as a genetic commerce chat becomes a front door for transacting. How does that change the the equation for fraud and identity in your view? And what's necessary to protect consumers and relying parties in those in those situations?
Rodger DesaiIt's a great, great question. I um I've worked on uh a lot of the wallets that the US has tried to uh put in the market, whether they're bank-led, network-led, telecom-led, merchant-led, and none of them have worked. Apple Pay, you know, Cash App, you could argue are the only ones that kind of succeeded. Um and that's mainly because the consumer never showed up. Uh you can't you can't pay consumers enough to change their behavior. And so you we all knew why wallets were important in an age where things are commoditized, everyone wants to be a consumer's digital sherpa. Uh, but now the consumers are showing up, they are showing up in in AI, you know, and putting purchase intent. Which to us means that the entire tech stack has to be rewired to that purchase intent, which fundamentally you have to go back to first principles for fraud, risk, uh, authentication. It's the same, you know, North Star, like the least amount of friction with the most amount of security, um, you know, with the least amount of you know uh education you have to do with the consumer. So those the North Star doesn't change, but I think you're back to first principles on how you architect these things. There's a lot of things we design, like you can't imagine if you said buy those tail still tickets, but only they hit this price point at three in the morning, if that price point is hey, do you have to respond to an OTP? That that wouldn't make any sense to have the human in in that sense. So I think it's gonna be uh a reimagining of uh the back of the purchase intent uh working backward.
Karen WebsterTom, question for you. What replaces SMS first? Don't say air key, and then what what replaces that? Well, you know, it's yeah.
Tom PooleSo I would say to this to SMS, right? SMS has been declared dead many times in the past 10 years, and long live SMS is still here, right? Because it's just incredibly low friction. Think about how optimized when you get that code, how it just plugs into your keyboard where you just press tap a single click and you've got this code and this fulfillment and a reasonable verification device is yours uh for whoever's doing that that taking that action. So I I tend to find many tools don't fully retire. Um it's almost like commerce where there's still you know, the earliest days of commerce were around barter, and that's still going on to some extent. And so it, you know, in all things money, it's it's very rare that something actually sees a physical end of well. We can debate pennies late, Rodger. I don't know what's happening with pennies. I thought they were gonna be around. We will all certainly have our personal.
Karen WebsterBut they're gonna go away. All coins are gonna go away.
Tom PooleSo um, but these things they tend to stick around uh in terms of security tools. Um, and so when you start thinking about, hey, what's what's next to replace it, I think you're looking for something again that has this broad scale ubiquitous reach. It's got to, right? And that's you know, you just can't have tools that only a selective handful of customers can use. You run into significant problems, you're trying to serve as broad and inverse an audience as possible. Uh, they have to be reliable. Um, again, you you know, you we sit, we see we've certainly seen some shift to things that are mobile app based. Uh, we've seen some shifts to things that are sort of the selfie ID. But again, as fast as we create these tools, they have they have problems. And so that doesn't mean they necessarily are dead on arrival. It just means we have to keep layering in defenses, getting more sophisticated about liability checks, things like that as it relates to these technologies. Um, and keep them as you know, as as both Rodger and uh Chris have said, keep them, you know, maximum security, least friction possible. Um, that said, in terms if you ask me what's next after SMS, and you said I couldn't say air key, um, yeah, I you know, I like it's it's not there's a bunch of things in development. A lot of it's backgrounded. So a lot of it is, hey, there's this increasingly this broad web of information available about us uh that is that is accessible to both our banks as well as other institutions that just exist in the ether. And to the generational point, I think the younger generations get this, they they understand it's out there and are comfortable in many ways with that. And I think more and more of that's being used to predict what is likely behavior for us at any given point in time and use that as a backgrounded this is likely Tom. He does he is a free, you know, he's at Lowe's every weekend, Saturday morning. This is his transaction, regardless of the scale. Uh, you know, so again, that that'll cover a great many things. Um, and it's entirely possible, you know. I think banks will get more and more sophisticated in interpreting each transaction in light of your history uh relative to where we've been. So it'll be more subtle backgrounded things, is my sense, less, less directionally confronting consumers.
Karen WebsterYeah, and I I think I think that's right, because I do think that consumers expect that you know what their predictable patterns are and enough about your travel bookings that you are in fact in Tokyo buying someone lunch because your tickets have been purchased, and that is in fact where you where you are. So I do think that that will evolve, and I do think that those those kinds of expectations on the part of the consumer will be will be realized as um as AI becomes more advanced. Chris, I'm gonna I'm gonna end with you. So this this is sort of Rodgers Penny's comment, but I want to apply it to passwords. So 2030 will be here before we know it. We're you know closing in on 2026 in just a few months. Will we still be focused on passwords? Are they still going to be what we use? Hopefully, no. But anyway, or are they the cockroaches of digital security? I mean, will there always be someone who wants to know your password?
Chris PalumboJust just my uh my opinion, Karen, but I think uh password passwords are already dinosaurs and they just don't even realize it yet. And yeah, I think we're we're actually even seeing that when you uh any any of any financial website, um, any um shopping website, any place really you're you're um you know, we're e-commerce, um, organizations are already trying to get consumers to stop using passwords, right? Um for me, you know, I logged into my personal email address this morning, and it defaults now to um not allowing me to use my password, right? That's awesome. So I think I think more and more institutions, organizations are going to be heading in that direction, and they're gonna be looking for alternative methods to validate that I am who I say I am as I am securely interacting with them. Yeah.
Karen WebsterWe can only hope because I can't tell you how many passwords I still navigate with uh with financial institutions who should probably be thinking about other ways to uh to authenticate me when I'm when I'm uh when I'm accessing my accounts. Well, listen, this has been a great conversation, Tom, Rodger, and Chris. I really enjoyed it. I think we all learned a lot and look forward to uh the next steps on the identity continuum, especially as we think about the role of Gen AI and agents in commerce and transacting going forward. It's it's it's already here and it will certainly be part of our future and an important part at that. Thanks again for your time.
Chris PalumboThank you.
NaratorThat's it for this episode of the PYMNTS Podcast: The thinking behind the doing. Conversations with the leaders transforming payments, commerce, and the digital economy. Be sure to follow us on Spotify and Apple Podcasts. You can also catch every episode on pymnts.com/podcasts. Thanks for listening.