Imagine you’re in a radar room. Hundreds of screens are lighting up. Every blip is a potential threat; every alert demands attention. Your team is doing their best, but they’re overwhelmed. Even if they could watch every screen, they still couldn’t connect the dots between them.
Jeff Scott, Q2’s managing director of Fraud Intelligence, shared that analogy during Q2’s Future of Fraud Intelligence session at CONNECT 26. It captures what fighting fraud looks like at many financial institutions right now: strong tools that don’t talk to each other and analysts drowning in alerts before a single transaction has been blocked.
The problem is structural. Fraud doesn’t operate in isolated moments anymore. A bad actor might trigger an alert in one part of your platform, exploit a weakness somewhere else in your ecosystem, and then cause damage in a third location. If your detection tools, your response workflows, and your case management systems aren’t connected, your response will always arrive late and incomplete.
“The winning model moves from strong point solutions to a connected fraud intelligence platform.” – Jeff Scott
Scott and H.D. Jacobs, a Q2 senior sales specialist, outlined how Q2 is building that platform, via a framework organized around four interconnected functions: Detect, Intercept, Resolve, and Learn.
Detect is the radar layer where behavioral intelligence, identity signals, channel context, and partner data are all being ingested and watched simultaneously.
Intercept is the action layer, where real-time risk scores translate into action: block, hold, or restrict before a transaction completes.
Resolve is where cases get investigated and closed: the workflow that handles what slipped through, from triage to dispute management.
Underneath all three sits Learn: a continuous feedback loop where every signal detected, every interception made, and every case resolved feeds back into the models, making them sharper over time.
This isn’t just a conceptual framework. Q2 has a portfolio of products that map directly to each layer.
User Activity Monitoring and the revamped Sentinel and Patrol tools anchor Detect.
The Intercept layer includes the recently launched Restricted Entitlements Mode, as well as Centrix Positive Pay, Centrix ACH Processing. It also has a new capability called Delegated Interdiction on Generated Transactions, which allows partner models or Q2 ones, such as Sentinel and User Activity Monitoring, to make decisions on transactions at the point of authorization: allow, block, step up, or place on hold.
Centrix Dispute Management, currently being rebuilt as an AI-native platform, anchors Resolve.
The partner ecosystem extends each layer’s reach. Through Q2’s Innovation Studio, integrations with companies like Plaid, BioCatch, entersekt, and Threatmark bring in signal types that no single platform could generate all on its own. The platform doesn’t just connect Q2’s own tools; it connects the entire ecosystem around them.
Individually, Scott noted, these products all matter. “But together in one platform,” he said, “they’re really powerful.”
Account takeover is the threat Q2 customers raise most consistently, and the one that best exposes the weakness of disconnected tools.
Account takeover fraud attempts often run on real, legitimate credentials and operate entirely inside a valid session, with the fraudster behaving, at least for a while, exactly like the account’s real owner.
“By the time a customer or member actually realizes what’s happening, we’re already at the point of transaction,” Jacobs said. “Money’s already moved.”
These attacks unfold in a variety of ways, including: credential stuffing; phishing texts and emails; fraudsters impersonating customer service representatives to extract one-time passcodes; and search engine manipulation that redirects account holders to fake bank websites designed to harvest login information.
Here’s how Q2 deals with this threat:
User Activity Monitoring uses 30 behavioral detectors across every session, looking for sequences that flag suspicion: excessive navigation, password updates, unusual money movement patterns, mule account activity, and more. When the model flags a session, it surfaces everything in a consolidated view inside the new Fraud Intelligence app within Q2 Console, giving fraud teams the full picture in one place rather than bouncing between systems.
Then Restricted Entitlements Mode gives institutions a great deal more flexibility in how they respond to suspicious behavior, beyond just choosing between shutting off an account holder’s access or allowing them to just keep operating normally, Restricted Entitlements Mode enables institutions to restrict what a suspected fraudster can do inside the platform—such as view-only access, reduced transaction limits, and disabled money movement. It’s configurable based on their risk tolerance and the account holder’s risk profile.
Q2’s integration with Plaid and its vast network illustrates another dimension to account takeover protection, one that extends to accounts held at other institutions outside the Q2 digital banking platform.
"Plaid can tie that user across all of those different surface areas,” explained Aly Yarris, network partnership leader at Plaid. “So if we get a signal that there's account takeover in one of those held-away accounts, we can actually pipe that back to Q2 and back to you as a financial institution so that you can take action on that user's behalf."
That action—rotating passwords, adding friction, or applying entitlement restrictions, for example—is taken before that fraud ever reaches your platform. The threat is identified upstream, and the defenses are in place before the attack arrives.
Recently, a bank suffered a fraud event in which fraudster created fake sub-users and then used them to send $3.3 million in fraudulent ACH batches. The bank spotted some of the batches, but $2.33 million was still lost. They gave their logs to Q2, to retroactively analyze as part of the testing of User Activity Monitoring. The model flagged both fraudulent sub-user creation events, the root cause of the entire fraud, at 100% probability, in sub-seconds. Had User Activity Monitoring been in place at the time and integrated with Restricted Entitlements Mode, those users would have been restricted before they ever created a transaction. No approvals needed. No funds on hold. No losses to recover.
AI has become such a ubiquitous part of fraud conversations that it’s lost some of its meaning. Q2’s focus is on the outcomes AI is already generating within its current solutions and on the areas where AI will make an impact in the coming months.
AI’s primary advantage is parallelism: It can watch every alert, every account, all at once, and surface the signal that actually matters to a human analyst. Also, AI agents can handle case intake, preliminary investigation, and routing.
“Agents are tireless,” Scott said. “They can do all that operational work that we can’t continue to throw bodies at.”
User Activity Monitoring’s model is trained on 18 months of confirmed account takeover and business email compromise fraud cases and can flag a suspicious session within sub-seconds. The AI-powered Payee Match capability within Centrix Positive Pay dramatically reduces false positives on check fraud detection. The Agentic Investigator, currently on the roadmap, will take fraud cases to the five-yard line autonomously, before handing off to a human analyst for the final call.
“AI is not the platform. The platform is the platform. You need connected signals, embedded workflows, continuous learning. AI’s going to make it sharper, but without that foundation, AI is just a feature.”
The platform advantage compounds over time. Every attack, every signal detected, every response, and every resolution makes the system smarter. Institutions that operate a connected intelligence platform don’t just defend better; they build a capability that grows stronger with every attack it faces, while fraud teams shift from chasing individual alerts to running something closer to a real intelligence operation.
Fraud defense and a great customer experience aren’t competing priorities; they’re fundamentally connected ones. A better risk score doesn’t just mean blocking more fraud. It means letting legitimate account holders do more, with less friction.
The fraud roadmap was one of several sessions at Connect 26 where we shared our thinking on the threats facing financial institutions and what we’re doing about them. Here’s a quick look at what else was covered.
We explored how financial institutions can help their account holders outsmart the growing wave of AI-driven scams, including deepfakes and voice cloning, by pairing real-time detection with controls that prompt account holders to pause and verify before sending money. We also went deeper on account takeover protection in a dedicated breakout session, showing how User Activity Monitoring, Restricted Entitlements Mode, and our broader partner ecosystem work in concert to disrupt account takeover across the full fraud life cycle.
On the ACH side, we showed how Centrix PIQS can automate risk reviews and help institutions confidently meet rising NACHA expectations, with a customer story connecting regulatory pressure to real-world outcomes. We also shared how we’re using technology, and Monit CheckSync in particular, to improve business client adoption of Positive Pay. And we took a closer look at how we’re evolving Centrix Dispute Management to resolve claims faster and turn a traditionally frustrating process into one that builds trust with account holders.