The MoneyPot
Welcome to The Moneypot, the podcast from Money20/20.
Money Changed. Know more!
The MoneyPot
The Future is Here: Exploring Single-Click Authentication with Sunil Madhu
Money20/20 LIVE Series!!
Ever wondered how a tech genius transitions from being an IBM employee to a successful serial entrepreneur? Prepare to be enthralled as we invite Sunil Madhu, the innovative mind behind Instant, into an insightful conversation about his entrepreneurial journey. Sunil doesn't shy away from sharing the highs, the lows, and the valuable lessons learned from his past ventures, and how he has skillfully applied these to his current endeavor. One key takeaway - the importance of HR and managing company culture right from the start to avoid growing pains.
As we peel back the layers on Instant's groundbreaking technology, Sunil reveals how it is revolutionizing identity verification, mitigating fraud loss, and introducing the concept of fraud risk insurance. We dive into the psyche behind password protection, the emergence of one-click authentication, and the hurdles hindering the complete adoption of this technology. Tune in as Sunil predicts a future sans passwords and multiple authentication layers, and shares how businesses are leveraging this technology to reduce cyber liability risk, eliminate friction, leading to customer satisfaction. Don't miss this fascinating exploration into a future where your digital identity becomes as easy as a single click.
Guest: Sunil Madhu, CEO, Instnt
Hosts: Sanjib Kalita, Wizard, Money20/20
Rachel Morrissey, Executive Producer of The MoneyPot, Money20/20
Follow us on LinkedIn
Welcome to the Money Pot. I am Sanjib Khalidah and I'm your host. Today. We are live at Money 2020 here in Las Vegas and very excited to bring you this episode about Instant with Sunil Madhu.
Speaker 2:Thanks for having me, Sunjib.
Speaker 1:Hi, so, sunil, could you just state your name and title?
Speaker 2:Sure, my name is Sunil Madhu. I'm the founder and CEO of Instant Instant's.
Speaker 1:My sixth company. Sixth company. I guess you really have a lot of energy.
Speaker 2:I started young as well, since it doesn't hurt.
Speaker 3:Your sixth company. It sounds like what you really like to do is start companies.
Speaker 2:Yeah, lots of problems I've had to solve and I've gotten on the mind going all the time, so there are so many issues. I've been on this journey and the governance, risk and compliance market for quite some time.
Speaker 1:So how did you decide to get into starting companies?
Speaker 2:Well, my parents didn't raise an entrepreneur, that's for sure. I was basically asked to fit into the cogwheel and find a career for myself. So the first half of my career I did exactly that. I'm a computer science and MIS and I started off my career in IBM, which was my alma mater, and went into security and started with network security and database security and then application security through the 90s and I kind of did a career switch back then in the early 90s where I met the founders of this company that was pivoting called Nitegrity. They were a checkpoint firewall reseller and I joined them just at the pivot and I just was blown away with the whole startup experience and the camaraderie and the culture and I never really felt like I fit inside the enterprises, you know, and I never looked back.
Speaker 2:So I learned a lot under the wings of those founders there. Deepak Dineja, barry Boykhoff and the company went public in 2001 and we brought a standard along with it into the industry called Single Sign On and Identity Federation Sound, called SAML, which is used by about 40% of the global enterprises in order to federate people's employees' identities. Yeah, and that experience over seven years just sort of taught me a lot and got the itch from there on. And it was just a progression, you know, solving for the problem of identifying who we are, which in the early 90s was a huge problem In the enterprise. New employees have to remember 20 or more passwords for all these applications. There was a progression from there to based on who you are controlling and what you can and can't do in the enterprise.
Speaker 2:So I started another startup called Securant, which we exited to Cisco in 2007. And then I decided to step a wee bit out of security in my comfort zone and try to learn something new in a different domain. So I started a startup in marketing which I exited to WPP. And then I came back into security on the back of that company called Upscotch, with this idea of combining social signals to figure out who we are online for identity verification, and that was the foundation for Secure. The name actually comes from social and secure combined and I grew that as its CEO for nearly eight and a half years. I brought to double digit revenue with insight of IPO. And as I was growing Secure, I saw this other problem which required me to kind of change the business model and product. In Secure, we bet which quite honestly the board was not happy in doing in a company on scaling up, so I left the company to start instant in late 2019, early 2020 is when we founded the first version of the product.
Speaker 1:And that's fascinating. So I mean you talked about you know, not necessarily being. You know how you can. One can be a cog in a machine in large company, but instead you've created multiple machines.
Speaker 2:Yeah, I try not to create machines.
Speaker 1:I've had to create more, better culture than that, yeah, so actually that is my a little bit of my question like how, now that you're on the sixth company, like how you know you obviously learned. Like how, what do you do better now than you did in the first one?
Speaker 2:No, it's an interesting thing I tell people in life we learn from failure and mistakes and Startups. We learn from success. Mm-hmm because with every new startup, those new ways of failing. Yeah it's a failure is normal. Yeah but you take the things that succeeded in the previous companies. You end up using that speed up things in the next one. Yeah you know it kind of works.
Speaker 2:Yeah so that's, that's really the main goal, and to instill Kind of a culture of people that aren't afraid of change, aren't afraid of Failing, as I said, and can iterate very quickly. Those are some of the things that I really focus on and the companies I built and so that's really cool.
Speaker 3:Um, what was something that you did in as a success in in like so cure that you've brought into instant?
Speaker 2:I hired. My first hiring instant was my head of HR, my chief of staff, kimberly Nash, and she's amazing. She'd. You know I wouldn't have been able to come this far without her help, especially because of the pandemic now. Normally in most startups we don't really go about hiring HR till like a couple of years in, when your teams like approaching 50 people and stuff and and I think that a lot of founders end up making a mistake there, because culture is a hard thing to manage and Having a stakeholder working alongside due to care of that is paramount. So in this, you know and secure, I didn't do that and I ended up having problems with insubordination for my co-founder and you know All sorts of growing pains.
Speaker 2:You know, startups have, and, and it was just tired, tiresome. So when I started this company, one of the first hires I did was for HR. The pandemic happened and we had to go remote the you know, without Kim's help keeping everybody together. It's a full-time job.
Speaker 1:Yeah.
Speaker 2:Yeah, so yeah, that's. That's a good example.
Speaker 1:I would say. And another, you know, big issue with building companies is trying, you know, finding product market fit. So with instant, like sort of how did you think about that product market fit?
Speaker 2:I Usually don't like wandering around the desert for product market fit. Yeah, I'm a market research guy so, like I really Believe, thought, before you write a line of code for a tech company, yeah, go understand the market you're operating in, who's in it, what's the gap if you build it, will they pay, etc. You know, look, do all of that. Research might take a year. You know to do prototype stuff. You know, do all of that before you commit to Building the product. And I think if you don't do that, you end up doing that, wandering the desert trying to figure out how to fit the thing, whereas you got, if you had input from the customers are going to pay for it from the outset. When you go and sell it it'll fit, you know.
Speaker 3:I love that, and so One of the things that that's interesting is you're like you'd already kind of knew the problem right from your work at secure. You'd already kind of had it. And the fact that you have kind of been a serial entrepreneur means you sort of Start a company and then you see another problem, and then you start another company is see another problem.
Speaker 2:Well, it's the side effect. Yeah, it's exactly right. I mean, I tell people it's the effect of being in the industry for so long, you know, and I'm geek as well, which I'm proud of. So I look at how to use technology, solve problems for people and, operating in this government's risk compliance industry, working with identity as much as I have, I've been able to plot the future. In a way, the best way to make the future happen is to invent it.
Speaker 3:Yeah, that's so. That's quite. That's the aphorism, right? You're like if you want it to be a certain way, make it that way.
Speaker 1:So when, when you built in, still in the process, like where do you see the market going and how does instant fit in there?
Speaker 2:So instance are entirely different kind of business model or I've been told that by every venture capitalist Street to me which is unique is a good thing. So if you look around the floor here in this conference every year, one of the main themes you'll see is around fraud prevention and identity verification and KYC. It's, it's crucial to all financial institutions, right, it's the foundation of it, and Each year you'll see more and more tools, vendors and one thing I learned selling so cure, which I look at as a very good screwdriver to solve the problem of fraud and identity verification that's sold into most people's toolboxes Is the is the fact that no matter how good the tools are, the toolbox overall isn't that good. The false positive rates of all of these tools add up. So no matter how good the tools the toolbox tend to be, every customer is left holding the fraud loss liability on their own balance sheet. For some of the larger banks that have to comply with Basel 3 requirements to keep capital reserves and treasury against their risk exposure, this could be billions of dollars of working capital that's tied up in treasury.
Speaker 2:So I had this brain fart to essentially arbitrage the market, and so what instant is is essentially fraud loss protection insurance.
Speaker 2:It's a fraud risk insurance. That's the simplest way to put it. So we're the first company in the world that will help businesses take up to a hundred million dollars of loss that they hold in their balance sheets and most businesses do have that, you know, somewhere in that range per line of business. We are the first company that will price that risk and essentially help move that risk off the company's balance sheet. And in doing that we provide smoke alarm, a thin layer of technology that helps prevent a lot of that fraud in the first place. So we don't have to have unnecessary claims. And so the arbitrage is essentially the value of the uninsured balance sheet losses people hold, minus the diminished claims that when we move that risk into the insurance market. So we're not just to be clear, we're not an insurance company, we're an insure tech company. We provide the SAS layer that allows us to move the risk from the organizational silos in the industry, pull that risk and move that into the insurance marketplace.
Speaker 3:Fascinating when we were talking about Instant before, you guys have a product that's basically being used even by, like the State Department and by passport services. It's literally called Passport right.
Speaker 2:So that's a new thing that we're actually launching. We just announced it at the show yesterday, right, and so I want to talk about.
Speaker 3:Passport, because I think that we've all noticed that there's certain parts that are just broken, and I think this is the kind of thing that we're interested in addressing across the marketplace.
Speaker 2:Yeah, it's a largely unsolved problem in that in the course of my journey in the last 20 years, when we created a single sign on for the enterprise, that evolved into open authentication technology for the internet. So today you have the ability to authenticate or identify who you are to an application by virtue of using credentials, and you get those credentials after you sign up and you're accepted by the business, right? Typically it's user IDs and passwords. No matter how hard people have tried to kill passwords, they persisted because they're, frankly, easy and people are lazy and so it's easy for them. But they're not secure, right, and people tend to reuse the same password multiple times across different sites. So if someone compromised the password, all of the sites you have access to where you've established accounts are compromised.
Speaker 2:Then there's the notion of friction, right, as a customer, I want to get to the product or service as easily as possible, but instead I have to deal with all the security and compliance and risk and governance stuff. That's in my way. The business has to put that stuff in place because they have to protect themselves, but that's all layers of friction between me and the product. So we kind of looked at this idea of combining identity with a reusable kind of pass and have trust bindings in them, and by that I mean if I were to present that pass to someone. Just the pass itself and the nature of the pass satisfies the non-repudiation aspect, the security aspect, the way you were previously verified which pieces of information about you were verified.
Speaker 2:What level of risk were those pieces of information validated to? What is the KYC status? When does the KYC expire? All of that information is imbibed into a single pass. So when that pass is presented, when you want to sign up for a new product or you want to authenticate yourself, you just present the pass. You don't need to have passwords, you don't need to have multi-factor authentication and you don't need to keep giving up the same pieces of information about yourselves over and over and over again, like we have to do today. So the technology itself is built and possible because of two standards that have developed over the last decade or so. W3c has ratified both of them. One's called verifiable credentials, and that's the pass format, if you will, and the other is the proof of ownership of that pass, so that when Sanjeeb gives me your pass, I know it's only Sanjeeb's data that's there in that pass and no one else could have faked that pass or stolen your data.
Speaker 2:And so the non-repudiation aspect and the ownership aspect. The ownership aspect is covered through another standard called decentralized ID, which involves the blockchain, and the combination of these two things, because of those two standards maturing and being adopted by W3C, is the thing that makes this universal pass possible now and timely. And, just to be clear, I don't have government customers just yet. At instant, they're even longer of a pain to sell to than financial services. So, and we're a tiny little company, but we'll get there. The point I was making was that the government's implemented the standard themselves. So Department of Homeland Security, for example, is working on verifiable credentials and decentralized ID for passes the government can issue to citizens, like digital passports of future, and the private sector is also starting to adopt the technology, so it's starting to gain legs very quickly.
Speaker 3:Well, it sells a lot of issues, and I think the password thing is interesting, because we hate passwords and yet we won't give them up. So do you have any insight into why that is yeah?
Speaker 2:it's psychology we, as people, we are built to expend the least amount of energy conservation of energy, if you will and so most of the things we like involve lazy behaviors which involve no new learning. Right, that's the way nature's optimized us.
Speaker 3:You're only adapting as much as you need to. Yeah, it's like stereotype everything. Just don't think about it.
Speaker 2:So in order for something to succeed, it has to be that easy. I mean, I can remember a password, everyone can and for the first time there's a technology that does that. It actually is very lazy behavior. It's so lazy, in fact, that it just requires a single click or the scan of a QR code to obtain the pass and to provide a proof. Request to hand the pass over.
Speaker 1:I'm just curious did you do any like anthropological research of people using your service and sort of like? I'm fascinated to know that.
Speaker 2:Again, product market fit. So we went out to the market and we said would you like to eliminate friction? Truly, what's the least friction? You have One click right and that's click satisfies the governance and compliance needs from KYC. It satisfies the fraud prevention and risk management needs. It satisfies the security needs of identifying who you are with the strong authenticator. So we told them hey, this standard and this technology can allow you to eliminate all of these legacy mishmash of layered technology that's causing friction and drop off. Especially for the newer demographic, that's instant gratification generation right, and their feedback is what we took before we built this and then we started identifying which of those companies wanted to actually pilot this.
Speaker 2:It turns out a lot of credit unions love this solution, primarily because they're nonprofits and they don't have a lot of resources to manage that layer of technology and they want the members to have frictionless experiences, especially as they're sort of rapidly digitizing and they're creating marketplaces of different types of financial products.
Speaker 2:So they just want to bring together from different vendors, right? They don't want the members to have to sign up and sign on 15,000 times, so they are the early adopters in the technology curve. The way we're positioning the solution here in the market is for brands to get value out of the technology across their silos of businesses. So today, when I opened up a checking account, I've got to sign up, and then when I want to get a loan, I've got to sign up again and then I got credit card from the same bank, right? So we're saying, look, you can eliminate that friction, truly, and while you're giving your customer that instant gratification feeling, you've solved another problem for yourself, which is the notion of cyber liability risk caused by data breaches, because you're holding on to everybody's information in a centralized manner today. So if someone breaches that database you lose and your customers lose. So this is for the first time a win-win, because the technology says push the customer's data, after it's been verified, back to the customer.
Speaker 2:And then ask them to present that data to you whenever you need it right.
Speaker 1:It's sort of interesting. I spoke to the CEO of a QSO, a credit union service organization, about like two, three months ago and I asked him so what's your top priority? And he's like front security. And I was like what's your number two priority? He said front security.
Speaker 2:Yeah, I mean in this day and age. It's a tangible thing. Everyone wants to cut costs, reduce OPEX, lower their loss exposure that's instant value delivered to them. But at the same time the CEO and the CFO of mandate is trying to grow the business right. So one sort of stands in the way of the other in a way, because if you open the faucet of customer acceptance you also open the faucet of fraud. So our solution solves for both of these in a very nice manner, because we not only are able to give you the authenticator and reduce friction, but we're backing that with a fraud loss liability protection. So any customer that's accepted with that pass, any business that accepts you with that pass, for example, can rest assured that if any fraud happens say someone stole your password and got it in wherever the business is not going to lose money right.
Speaker 3:I keep thinking about this because I do think that it's always at odds. The nature of what we want as customers, as you said, is anything that is the easiest, the shortest point between A and B right?
Speaker 2:Yeah, we might not think that way, though, because we think from ego. We think much higher of ourselves than we actually are.
Speaker 3:We all know that there's this stress, especially with the introduction of real-time payments and the launching of FedNow in the United States, and we've had this going on and the amount of fraud with, say, bank-to-bank payments that are instant and everything that's going on in that space. We also know that every point of growth there has increased fraud levels and fake accounts and all kinds of craziness.
Speaker 2:Fraud is normal.
Speaker 3:Yeah, that's the other part that I was thinking about this. There's the psychology of we want it to be easy, point A to point B, but then we also forget that fraud is part of the human condition. And so when you're thinking about it that way, how is it that you're thinking about the fraudsters are pretty good. They're getting trickier and trickier, so how do you guys think about outsmarting the fraudsters?
Speaker 2:So this is the conundrum Everyone said if you go about asking people, do you care about fraud? Ego, yes, we care about fraud. Meanwhile, in real world, hey, send me a picture of yourself to see which celebrity you look like and, by the way, give me the last four of your social or I'll give you your rock star name and it's your address with the social security. You know, this is the dichotomy. The other thing is when I say fraud is normal, fraud is a crime. Sure, it has motive, means and opportunity. So the motive is make money.
Speaker 3:The means is use all this instant transfer, money transfer, all the complexity and they do make a lot of money and they're good at that and so if you consider that the making the money, the motivation and the means are kind of standard, now right, you can take them as standard.
Speaker 2:Granted, what you're left with is opportunity. So I tell people the nature of fraud is you don't think of yourself as a fraudster. But let's say you're unemployed and you have a family to feed and you're walking down the street and there's a city bank ATM that's malfunctioning and spitting $100 bills into street. How many people who think of themselves as non fraudsters, regular people, will take that money off the street and stick into their pocket and keep walking? Versus going into the bank and saying, hey, you're ATM spitting money into the street. That's the nature of fraud. Fraud is normal. It's not the fraudster versus us. Anyone given the right opportunity and the pressure cooker circumstances will commit fraud.
Speaker 3:So I always think about all the heist movies. There's always all these movies where you kind of celebrate the underdog criminal getting away with just a little bit of cheating against the big guy.
Speaker 2:Yeah, exactly, I mean, these fraudsters are not like Robin Harris.
Speaker 3:No, no, no, no, I know, but I'm just saying we have that mentality that sometimes we sort of celebrate the person who's just kind of able to get away with it.
Speaker 2:But you got to. You know the ingenuity of some people. It just astounds me. So I pretty much sort of treat fraud as it's going to happen. So you know, one of the things we've done different in the instant in dealing with this problem is to not care so much about the fraud itself you have to worry about it but as to care more about the losses. Right, I tell people, if you're selling gold bars and you're selling paper clips, you're going to get fraud affecting both. But what do you care about the gold bar losses or the paper clip losses? So in our unique way of shifting fraud loss risk and ensuring for fraud loss, one of the things we do is reshape the loss curve so we, for example, can ensure against first party fraud.
Speaker 2:There's a few companies coming out with solutions around first party fraud management. They talk the talk but at the end of the day they're still leaving you with the losses. We're the only ones that'll actually take the losses off your books. So first party fraud nature is everyday, ordinary people. Real people submit their real information with the intent of defrauding you, which is a psychological thing. They woke up one morning angry a brand. They wanted to fraud you, right? How do you stop that? So it's not possible to stop it, that's the answer. But you can reshape the losses from it. So if you can predict, for example, what percentage of those people are likely to default on the loan and when the default happens, what's the magnitude of the default, and using that to attenuate the fraud and, some cases, letting the fraud in so that you can accept more customers, these are newer concepts that I think the industry is just sort of learning and we're pioneering.
Speaker 1:So you talked about how the instant solution has, I guess, a smoke alarm you described, and so can you talk a little bit about that as well.
Speaker 2:So we price the risk and we underwrite the losses. That's the simplest part of it. We provide a very thin layer of technology. It works very like Google Analytics the line of code that's added to the UI layer of the application, whether it's a mobile app or a kiosk or online web. The line of code is invisible to the end user, it just sits in the background running analytics. But the purpose of that is to use it to stop different types of fraud before the fraud happens.
Speaker 2:So, for example, the majority of the solutions, the tools that are sold here to stop synthetic and stolen IDs in the market, involve cross referencing your personal information across a bunch of different databases. But I could tell you can stop that fraud by just checking to see if the interaction with your application is with a non-human, because the fraudsters are spraying and preying 10,000 stolen IDs across 100 businesses. They're not sitting in front of your website typing in 5,000. They'd be stopped. So if you look to the nature of the attack and you say, well, I can stop that by just checking if it's non-human, because I know the outcomes are going to be bad, if it's a fraud, stop the bot, stop the fraud. You don't even have to look at the personal information.
Speaker 2:So these are the types of intuitive and non-intuitive things that we've taken into account in building that thin layer of technology so that, in essence, filters out a lot of fraud for us and then provides a whole bunch of signals beyond just personal information.
Speaker 2:For example, if you want to solve for first party fraud losses, you can't be building machine learning models on personal information, because those models are going to become racist. You're going to have zip codes that exclude people. Redlining happens that way. So beware of any first party fraud solution that just says oh, we just need your name and address and shit, you need financial data to model first party loss. So we've done all of these types of innovations aback. We've taken the complexity of all of the technological layers for risk and compliance and security away from the end user. Again, going back to laziness, right, how much more lazy can you get than copying and pasting a line of code? So that's the smoke alarm and that allows us to reduce our exposure and reduce the claims when we end up taking your losses and moving them to the insurance market.
Speaker 1:That's wonderful.
Speaker 3:That's the perfect place for us to wrap it up. Thank you.
Speaker 2:Thank you so much for your time.
Speaker 1:Thank you all for joining me. Thank you to all of our listeners, both here at the show and our podcast audience. If you have any ideas for the show, write us at podcast at money2020.com. If you like the show, leave us a review on iTunes or Spotify. We love our fintech nerds. Thank you for joining us.
