Beyond the Binary: A Smarter Response to Account Takeover Risk

By Cheryl Brown

9 Jun, 2026

Fraud teams rarely struggle with the obvious cases. It’s the in-between moments that are hardest: a suspicious login here, a profile change there, a third-party signal that something might be off. The problem is that most account takeover defenses still force a binary choice. Lock the user out or let them through. In this episode, Q2 Product Manager Kristina Wingers joins host Jim Young to talk about why that binary approach no longer fits the reality of modern fraud, what a more proportional response looks like, and how financial institutions can buy themselves time to investigate without shutting down legitimate customers or letting fraud slide.

Related Links

[Blog] Beyond Binary: A Smarter Way to Respond to Account Takeover Risk

[Webpage] Stop Account Takeover Before It Does Damage

[LinkedIn] Kristina Wingers

Transcript

Jim Young

Welcome to The Purposeful Banker, the podcast brought to you by Q2, where we discuss the big topics on the minds of today's best bankers. I'm Jim Young, welcome to the show. 

Here's a scenario every fraud team has faced. Something feels just off about a user, a login from an unfamiliar device, a session that looks weird, maybe a signal from a third party that an account has been compromised. But there's nothing definitive enough to justify locking that user out entirely. At the same time, you just want to cross your fingers and hope that whatever felt off was nothing to worry about. 

So what do you do? Well, unfortunately for most banks and credit unions, the answer is not much. You either let it go or you pull the plug. 

Today we're talking with Kristina Wingers about why that choice isn't good enough anymore and what a better option looks like.

Kristina is a senior product owner at Q2, focused on fraud solutions. She works closely with financial institutions on how they detect, respond to, and contain account takeover risk. She also recently wrote a blog post on this topic called "Beyond Binary: A Smarter Way to Respond to Account Takeover Risk," which is the jumping off point for our conversation. We'll have a link to that blog in our show notes. 

Kristina, welcome to the show.

Kristina Wingers

Thanks for having me.

Jim Young

So Kristina, your blog post is called "Beyond Binary," and I want to start right there. When you say in that post that fraud decisioning is still binary, are you basically referring to what I just mentioned above? And if so, is that... I know I said it, but I want to make sure from you, is that really still true given how much fraud technology has evolved?

Kristina Wingers

Yeah. So when I talk about fraud decisioning being binary, what I really mean is that the response options are still pretty binary, even if detection's evolved a lot. So banks and credit unions have gotten a lot better at identifying suspicious behavior. We have MFA step-up authentication, behavioral analytics, device intelligence, third-party signals, all these different things, and they've all improved a ton, but most of the decisions still happen one event at a time.

So maybe a login looks risky, and the user gets stepped up. They pass MFA and then everyone kind of moves on. But later in that same session, maybe they start changing profile information or adding recipients and trying to move money. Whatever that may be, there's often just not a good way to say the whole situation still feels a little off and that's really the gap.

Institutions often end up evaluating risk action by action and they don't always have a good way to respond to that uncertainty across the broader session or the relationship. And operationally, that response then still just comes down to either let the user continue normally or fully shut them down and there's just not much of a middle ground.

Jim Young

Got you. So it sounds like what you're saying here, basically if they can get past that login and that step-up, they're sort of in, I guess. Even if they're doing stuff at that point that looks suspicious, it's sort of like they've passed through the gates at that point and you're kind of just watching, I guess. Is that too ...

Kristina Wingers

Right. And to be fair, there's additional controls that could happen later, but the bigger issue is that once someone passes a challenge, there's often not a proportional next step if the institution's still uncomfortable. So maybe there's still suspicious behavior happening or there's an external account takeover signal or just the session doesn't feel right based off of what the institution's used to seeing. But unless they're confident enough to completely block the customer, there's often just not something they can do other than continue to monitor and hope nothing bad happens action by action. 

So fraud teams are ... They end up stuck in this gray area where they're thinking, "We don't fully trust it, but we just don't have enough information to justify shutting the whole thing down." And that's becoming more and more common.

Jim Young

You basically started to go into my next question, which is this isn't really a new problem, but why does it feel like it's more pressing now? I mean, it's not ideal, but if it's been around, what's making it maybe a bigger problem now?

Kristina Wingers

Fraudsters just operate differently now. So a lot of them are more patient. They're more deliberate than they used to be. They're not always logging in and immediately trying to drain an account anymore. Sometimes they sit for a while, they'll change settings, they'll test behavior, they'll wait until something feels safe before they try to take an action. And at the same time, legitimate customer behavior is also just getting a lot harder to model.

So people use multiple devices now. They travel. Using VPN is really common. Remote work changed location patterns completely. So commercial users might have teams logging in from different places, and behavior that used to look obviously suspicious is now sometimes completely normal. And then if you layer that on top of the fact that money moves faster, and as we know, once funds leave the institution, there's such little time to recover them.

So fraud teams are feeling pressure to act quickly, but they're also dealing with more ambiguity than ever before. And I think that creates a really big operational dilemma where they may have enough concern to feel uncomfortable, but not enough certainty to actually justify fully locking out a legitimate customer, especially on the commercial side where friction can have a pretty big impact.

Jim Young

So you have a much more difficult decision to make and much less time to make it basically.

Kristina Wingers

Yeah.

Jim Young

All right, great. Well, all right. Before we depress everybody too much, you talk about in that post about a third option here besides just block or allow. So tell me about what that third option looks like. Because to be honest, when you first described it to me, I wasn't really totally sure how this could work in practice.

Kristina Wingers

Yeah. The idea is basically instead of making an all or nothing decision, you let the customer continue to access digital banking and you just temporarily control what they can do. So maybe they can still log in and view balances, but they can't change their profile information or update their secure access code targets. Maybe wires or instant payments are temporarily disabled and other transactions have reduced limits.

Really what you're doing is reducing exposure and then buying the fraud team some time. And at Q2, we call this Restricted Entitlements Mode. And I think the important thing is that it acknowledges something that a lot of fraud teams already know, which is that risk isn't always black and white. Sometimes you're operating in uncertainty, and institutions really need a proportional way to respond to that.

Jim Young

OK. I'm trying to think of the analogy here a little bit. So maybe it's not right to call an account holder a lobster being boiled, but I'm sort of wondering, when you're doing this and you're putting them in a restricted state, do the users know that? I mean, do they have a sense of like, "Hey, I'm in some sort of a probation type or purgatory," or is that the right word to use?

Kristina Wingers

Yeah. Today it's pretty lightweight from the customer perspective. So in most cases, the user just kind of notices that certain capabilities aren't available right now. It's not a big dramatic flashing experience saying, "Fraud's happening. You're restricted," but over time I think that experience could evolve.

So maybe at some point users could authenticate their way back to higher access levels if they knew or if they had more of those flashing signs, or potentially commercial administrators could approve certain actions and maybe there's a lot more transparency into why restrictions exist right now. But right now the bigger focus is more on giving institutions a way to reduce risk without immediately creating a huge high-friction customer event.

Jim Young

Got it. OK. Yeah, that makes sense. And I guess it’s fair to say too that you wouldn't necessarily ... Tell me if I'm jumping to a conclusion here, is there a benefit too to maybe not tipping off the fraudster necessarily that you're investigating them?

Kristina Wingers

Yeah, I've heard it both ways. Sometimes you may not want the fraudster to know, hey, we've noticed that you're doing these certain behaviors in this certain way, so that we continue to let them think that they're getting through when they're really not.

Jim Young 

OK. All right. I've got it conceptually, at least I think I've got it conceptually, but so let's maybe get into some more of the specifics. What are some of those sort of signals or situations that would lead a bank or a credit union to put someone into a restricted state rather than the typical all or nothing response?

Kristina Wingers

Yeah. A lot of value comes from situations that are suspicious but not definitive. So an example could be an external signal like a Plaid account takeover alert saying that an account could have been linked somewhere that the customer didn't actually authorize. Another example is just unusual session behavior. So think multiple active sessions and possible travel scenarios or excessive navigation patterns, things like that.

But the nuance here is that those signals in and of themselves don't necessarily mean fraud. So two sessions could really just be two spouses that have shared their credentials. Or excessive navigation, right? That could be somebody who logs in once a month and just forgot where things are and are just trying to get something done quickly.

That's why this restricted state really matters. The institution doesn't have to be completely certain before taking action because they can reduce their exposure while they figure out what's actually happening behind the scenes. And honestly, one of the most interesting use cases is new customers because with new customers, the institution doesn't know enough to confidently model the behavior. They don't even have a baseline yet.

Jim Young

OK. Yeah. I know I said the phrase probationary, and I guess that's kind of a little bit of that, right? Is before we're going to let you do any and everything here, we need to make sure you're legit basically.

Kristina Wingers

Yep, exactly.

Jim Young

OK. Let's talk a little bit about the operational side of this. For a bank or a credit union that wants to set up this Restricted Entitlements Mode type thing, is this a set it and forget it? Is someone making a manual call on this sort of thing when they see this suspicious behavior?

Kristina Wingers

I usually explain Restricted Entitlements Mode as a containment layer and not a decisioning layer. It basically is the mechanism that applies restrictions, but the separate question is who decides when somebody should actually enter that state? And that can come from a variety of different places like you mentioned. It can be AI decision engines, user activity monitoring, third-party platforms like Alloy or even manual fraud operation teams.

So Restricted Entitlements Mode could absolutely be applied manually today. A fraud analyst could go in, place somebody in a restricted state while they have time and create that time to investigate, but the real value comes when it's connected to a broader fraud ecosystem where those decisions can happen automatically and proportionally based on risk. So think Restricted Entitlements Mode is more of a holding room. The decision engine determines who goes there and which room they go in and how restrictive that experience should be altogether.

Jim Young

OK, gotcha. Different grades on that sort of thing based on the risk, different levels of restriction based on the level of risk basically. OK, got it. I know for me when I started looking at the blog post, I immediately came at it from the customer experience angle on this sort of thing of like you don't want to annoy a customer by locking them out of their account when they actually haven't done anything wrong if it's, again, like you and your spouse are both trying to access your account and then you get locked out. But you actually suggested that in a lot of ways this is more of a back-office story. Can you explain what you mean by that?

Kristina Wingers

Yeah. I do think it's just as much an operational story as it is a customer experience story. So when an institution fully locks somebody out, it creates this ripple effect. You've got escalations, angry customers, support calls, manual reviews, and now the fraud team's trying to investigate fraud while also managing customer disruption at the same time. And a proportional response gives the team breathing room so that they can contain that risk without immediately creating this massive operational event around a customer.

And could teams overuse this initially? Maybe. Probably. But anytime you introduce a middle state, there's a temptation to leave people there too long while investigations pile up, but operationally, that allows teams to adapt pretty quickly. They do adapt pretty quickly because queues force discipline, and then over time they'll learn which signals justify restrictions, which ones require stronger action, and which ones probably just aren't meaningful enough to act on at all.

Jim Young

I assume they're spending more time investigating in this system and less time responding to angry account holders who have been unnecessarily locked out in the old style system basically.

Kristina Wingers

Absolutely. And that's the goal.

Jim Young

All right. Well, it's really interesting stuff, Kristina. Thank you so much for coming on The Purposeful Banker and sharing this with us.

Kristina Wingers

Yeah, absolutely. Thanks again for having me.

Jim Young

And just a reminder that the post that's sort of the basis, the foundation of this conversation that we just had with Kristina is called "Beyond Binary: A Smarter Way to Respond to Account Takeover Risk." It's on q2.com/blog. Again, we'll have a link to it in the show notes. You can also by going to our account takeover product page there, you find a link to the Restricted Entitlements Mode product page as well that kind of goes through, describes, you can sort of see some of the things that Kristina was explaining in our conversation on that page as well. 

That will do it for this episode of The Purposeful Banker. You can subscribe to the show wherever you listen to podcasts, including YouTube, Apple, and Spotify, and you can see our archive of podcasts at hub.q2.com/podcasts with an S. Until next time, this is Jim Young and you've been listening to The Purposeful Banker.