Welcome to Tuesday Talks, a live discussion series where we shed light and bring truth to emerging topics in the communications industry. I'm Rebekah Johnson, Founder and CEO of Numeracle and I’ll be co-hosting this session with John Bruner, President and CEO of Aegis Mobile, welcome John.
Thank you, Rebekah, it’s great to be here.
For those who follow Numeracle, you may have seen that we did a press release recently with regards to a partnership that we’re working on. I think it's a good time to introduce everybody to who Aegis Mobile is, why we have partnered, and how this solves problems in the industry. I’m going to tee up Aegis Mobile and give some marketing jargon behind it, but we’re going to let John really dive into it, that's kind of an overview.
Aegis hunts, captures, and retains live and static open-source information to deliver business analytics for brand protection, partner risk assessment, market intelligence, and operational insights and efficiencies. Aegis delivers its multi-level investigative solutions to its clients through proprietary software tools that integrate data and transform it into actionable information with intuitive interfaces and dashboards that prioritize information and alerts to support decision-making.
John, there’s one thing that I've learned very quickly, I think the first time that we talked, which is that you have a lot of passion. You're not there just signing contracts and moving the product. There’s a lot of passion behind what you do in the role that you serve that comes from having a background that's in this area. I really want to hear a little bit more about yourself, Aegis’ core competencies, and your history around supporting the carriers in this space of risk management.
Thank you very much, it’s a pleasure to be here today.
Quickly on me: I spent the first twenty years of my career in the mortgage industry, actually, working with the mortgage giant, Fannie Mae, in all kinds of roles but predominantly in data strategy and IT strategy for the company and the industry. Later moving into the defense industry, providing software and intelligence solutions in that industry. Then about 9 years ago, Aegis Mobile was acquired by a private company and the board asked me to come in and run this company and transform it into a data company.
So Aegis Mobile has a long history going back to 2007, providing compliance services to carriers in the U.S., Canada, and Australia. Specifically starting in the premium SMS space to both vet third-party partners that we're going to be selling content to, onboarding their programs, and testing them for compliance prior to launch, secret shopping in the market to intercept the live experience, the advertising promotions, anything around it to ensure it was compliant. Then later developing intense data analytics on carrier transactions as well as complaint data and revenue data to gain insights into their business.
We expanded from that area into other areas. We realized we had this expertise in capturing data from live markets into competitive intelligence for many of the carriers as well. We're actually helping them win in the market from a market penetration perspective. But predominantly what I want to talk about today is our compliance side of the house, which happens to include Know Your Customer as one part of the total solution.
It’s quite funny, but being in this industry we totally cross paths years ago. It was years ago that I know that we crossed paths and probably worked on the same projects together. When I had a short little stint in the CTIA, it was in the SMS shortcode representing the company that I worked for. I was bringing on large brands to leverage shortcode messaging for prescription reminders or airline notifications with regards to gate changes or ticket changes, and we absolutely leveraged shortcode messaging in a time where it was first starting to be adopted. We had to figure out TPA and the FCC’s rules around that, but going through the shortcode provisioning was my first introduction to this concept of vetting for the use of a particular channel.
That’s something you clearly have a lot of experience in that space, because you stepped up and said, “Hey, we can come in and help with that vetting and verification.” Because as you know, each carrier has their own needs, and rightly so, they should have a say in the types of communications that are traversing their network. So that was my first introduction to it.
During those SMS days, we had a lot of lessons learned, so it's interesting because the way we found each other was down over in the voice guide. So can you talk a little bit about how you've gone from a real mature space with regards to the shortcode provisioning and the vetting, to being pulled over into the voice side of it all? Where do you see those correlations? Why does this make sense?
Aegis actually did the vetting of companies to wish to lease shortcodes for premium SMS for CPIA back in the day. We also did even deeper vets for Verizon and for Sprint back in that 2009-2010 through 2014 timeframe. Back then, we developed deep relational analytics background checks with very sophisticated data structures that allowed us to not only vet the company that was looking to gain access to a shortcode but for key employees, related companies, and key employees of related companies. The reason that that was very important back then was for the ability to prevent players that were trying to commit fraud against consumers from being discovered, removed from a network, and then coming back as a new entity a week later. It was so easy to stand up a new company, so those deep relational analytics had to prevent people from coming back as new entities.
It was a very helpful start in terms of developing the sophisticated data structures to create this holistic vetting platform. More recently with the launch of 10-DLC in the U.S. market and RCS going globally, there’s a need for higher-volume lower-cost verification processes. We developed this automated vetting platform where we take a standard business record, validate it’s an accurate record, and then process it through as a background check in all of about ten seconds and pass back the risk score all via an API.
We launched in the 10-DLC space in the United States, we were working with CCMI to do RCS in the United States, and I saw Rebekah speaking in a conference where she was talking about SHAKEN/STIR and Verified Callers. I was looking at these diagrams being put up and thought it was 10-DLC, it was the same model of a verified sender, this is a verified caller. I had to get a hold of Rebekah and see how we get into this industry.
We have a mutual friend, I think you reached out to our mutual friend and then he reached out to me, and we connected. I think right off the bat when we first talked there so many lightbulbs that were going off because a lot of the work that you do, Numeracle is doing it manually. I was just blown away from the presentation, you can literally do all these steps very fast and we’re sitting here doing man-hours, essentially. That's the huge value add, it’s your ability to do that in bulk review as opposed to one at a time.
We got to talk to some of your agents and they were feeling some of our pain points. It was nice, from our side, for our agents to be talking with your agents, because it feels like there was somebody else who understands this world of vetting. Except, that’s what you do all day, so why not partner with the organization that wakes up every single day thinking about how we make this better for our customers. I'm a huge believer in partnering with other industry experts, so it totally made sense here.
I want to go back to something that you just said. You used that word: risk. For the users of the service that need the vetting, I'm going to refer to them, at least on the voice side, as service providers. Service providers are required now to know who their customer is. There is a risk associated with doing business with a certain entity.
Can you talk a little bit more about what the risk means and how a service provider should bring that into their business decision-making in whether or not to onboard? Essentially, whether or not to deliver communications on behalf of this client?
Risk is a very interesting conversation because it means something different to everyone, not necessarily as a definition of what risk, but what is risky to you as a business. An example is, we’ve got a lot of work in the insurance industry and in the finance industry doing background checks. One instance was doing background checks on bail bond companies. Took the entire State of California, risk scored for all the bail bond companies in California, and we found most of them to be highly risky. So we met with the chairman of the board of this big insurance conglomerate and presented our summary findings and asked why they were making these companies so risky from a risk score perspective. And they said the CEO was in and out of jail three times and there were four knowns gangs in the area. Being a member of a gang is how they get business as a bail bond company.
So we need to find risk it has to be configurable. For example, RCS, rich content for messaging, the brand is involved and the brand logo is involved. So copyright infringements and trademark infringements become very important from a risk perspective when you’re looking at a company. But in messaging there is no brand logo involved but there is consumer fraud or any kind of TCPA violation like continuous calling when they’ve asked you to stop. Being able to configure what the risk of events is that you as a brand want to avoid, in terms of the companies you are going to do business with, has to be a configurable thing based on different industries. That's how we approach it. We come up with standard configuration so we can gauge our customers to then customize exactly how they define risk their company and then we have a consistent process for applying it for every company we look at.
One of the things that I learned that I didn't even know what a concept that I should have considered because this is what you do every day and you're evaluating entities for multiple service advisers and clients, you've discovered from your vantage point that there are some known bad actors, an identified company that you don't want to work with. It could take a lot of research for a service provider to discover that, but in your system, it’s a quick hit against the data to know you have already done this research on this particular entity.
As you mentioned, they keep popping up trying to set up new businesses, but, based on the way that you’re able to search it, you know right away that’s on the list of those to definitely do business with. Do I have that right, is that correct?
Yes, customized databases to support ‘Do Not Return’ lists are what we call them. Typically, when we onboard a client they'll have their own ‘Do Not Return’ list. We also have gathered ‘Do Not Return’ lists in different industries on our own. We'll take our clients, and typically they’ll have the business name and our analysts will fill out the related data to that business including key employees and things like that. Then that becomes part of our checking criteria in the automated vet to see if we can match any of that information about that company on a new company coming in. So absolutely, that’s a key part of what we do.
It’s interesting because when we take on new contracts, for example, for the Federal Governments’ Food Stamp Program, they have removed tens of thousands of storefronts that were committing fraud accepting food stamps for tobacco and things like that. What they didn’t realize is they might’ve removed one store, but that store is family owned and they had seven other stores. The other six stores were still committing fraud on the program but because they didn't do the relational analytics from a vetting perspective, they had really only removed one and only cured part of the problem.
What you're hitting on, and I'm a strong believer in this, is that ‘Know Your Customer’ and the vetting part of it. We can implement STIR/SHAKEN, which I know we’ve talked a little bit about, we can implement number authorization, and to me, this is just a channel to deliver data. That’s essentially what these standards are. All the heavy work where we really can stop fraudulent calls from happening is the activity at the very beginning of the service provider implementation to do that validation. I don't think we appreciate that part enough in the industry.
Everyone's so focused on the standards, and they have to because we have this Robocall Mitigation deadline for submitting your plan to implement STIR/SHAKEN. But technology doesn't solve this problem, it just puts an identity on top of whoever is delivering the call. The vetting, the identifying, and really, having your own local policy for what you're going to deem as risk is just another element of why we partnered with you.
We've learned enough from our customers that they have their own definition of risk and that’s one thing that Numeracle is not going to get into. We’re not here to tell you who you should or should not do work with but we should, at least, bring to the forefront some information that allows you to make the right decision. I know that’s kind of the approach you guys are taking too, you’re not saying that we are the tsar that tells you who can do business and who can’t. But somebody has to perform this vetting part and do it with a high level of due diligence from that perspective.
So talk a little bit about that, because I know you have some configurations with regards to how to set their own policy and be responsible.
Absolutely. The reality is, for the nine years I’ve been here at Aegis, the lawyers of our clients have become our best friends because they're the ones that are really engaged in the litigation and in the regulatory matters that come out of this. The reality is that we work with the brands that are taking the risk to prevent them from doing business with the types of companies that they don't want to do business with. We don't define who they should or they shouldn't, we get them to define it for us and then we provide consistent implementation of that through a unique configuration for that specific industry, for that specific business channel, for that specific client.
At the end of the day, we also do it in a fully auditable way so that any kind of dispute that comes up, any kind of litigation or regulatory matter, we've had years of experience producing the actual results of what we found or what we did or how we did it that could be used to protect the brands we work for. But again, it’s really them that have to define what risk they're willing to take on what risk they're not. It's our job to consistently implement that for them.
I know that there are some conversations about having one company vetting entities and I think that's where we go wrong. Really, this concept of vetting is nothing new, the Know Your Customer. It comes from the money-laundering side and we actually do better when we have multiple entry points, let’s say it's the banks and financial institutions, all performing their own verification as opposed to one entity who decides who can and cannot do business. It will fall apart if that’s the approach we take.
Not to mention, John, this is a global issue. It’s a little bit arrogant for the United States to say we’re the decision-makers on anyone and everyone in any country who is allowed to deliver communications. I’ll be at the forefront fighting against that. I think we’ve done the right thing with regards to the TRACED Act, with regards to giving the FCC the authority that they need to regulate the service providers to push down that requirement of knowing who your customers are. One way of doing that is by implementing the standards for the attestation. This all circles back around to attestation.
So what you offer, and that's why Numeracle reached out to you, is because we’re a little bit closer to the STIR/SHAKEN solution side of it all. I know you've been on the SMS side, and now we’re bringing you over to the voice side. It's just such a really good fit to be able to wrap up the work that you're doing and tie that down to why I as a service provider, made the decision to label this call with A-Level Attestation. It means more than having a contract, which some service providers are going to just say they have a contract and a credit card swiped and that’ll be good enough for them. Fine, I think some people are going to be able to get away with that in the beginning. But as the enforcement side starts to get busy and identifying companies and service providers who aren't implementing and vetting, that’s when we're going to see a shift.
And that’s what I told you, that business is going to boom for you. It should boom come towards the end of this year into next year because there's going to be an expectation of what that is and I think it'll get defined as we go and we have enforcement. I think everyone will become very crystal clear on what the expectation is for how they should set their local policy. Since this concept of Know Your Customer and vetting, as you mentioned, is in the SMS space and also in the voice.
I don't see, and I'd like to hear your thoughts on it, I don't see one side of the table from the voice side saying they’re going to define what vetting is, and then it ends up conflicting with the texting side. There has to be some sort of umbrella over it. I don't know if you're already seeing how the two different sides of the carrier side have different expectations? I just don’t know how we want to reconcile that industry. Are there any insights you have from that perspective?
So far we've been pretty lucky to get the carriers on the messaging side and 10-DLC that are participating to agree on a specific configuration of risk, what kinds of risk, what kinds of regulatory matters, what kinds of international sanctions, what kinds of legal matters… are relevant to cause reductions to a company’s score. It’s been interesting what we've actually gotten there, and there are thousands of things that we’re looking at, so to get them there was a big success, quite honestly, for the same place.
Because we’re so new in the voice zone, of course, this is the first time Aegis has been in voice, we've been around for almost 13 years working directly with carriers, this is actually the first time we’ve been on the voice side. Usually, we’re on the value-added services side like location services, identity platforms, IoT platforms, and messaging, but what we’re seeing with our current implementations for voice is most are trying to adopt the same thing that we put in place from a risk perspective for messaging so far as of now.
I think RCS will be a little bit different than voice because they're going to want to look harder at logo validation and ownership of that logo. I think as the voice side for STIR/SHAKEN starts going down that path to actually present a logo, they'll probably want to adopt that as well, that extra checking in the background to make sure there's no trademark or patent violations or anything like that that would indicate a possibility of using somebody else's logo that you're not authorized to use.
Absolutely, and that’s a good point that you brought up. I hope nobody from the Federal Government is listening to the podcast and getting ideas, but I think you bring up a really good point, that could be a new realm that we enter into with companies who potentially could go after and sue service providers who allowed someone to initiate communications with their logos. I think that’s a huge risk. Now, we don’t know what that world looks like and I’m not a lawyer, I don’t know what rights a company would have but maybe they do come under the trademark violations where you put their logo and there's no record of them ever allowing you to do that.
Where this maybe could be used fraudulently is maybe with the warranty calls that are sent out, maybe they want to use Ford or Nissan or something like that, and make people think since they received a logo on a call, therefore they can trust it. I have a lot of concerns and reservations over a quick launch of rich call data. I think we have to get some of these protective measures in place even on just allowing entities to deliver calls. But when you start putting in the logos maybe call reasons, we’ve released an opportunity to erode all trust in the voice channel. I think it's everyone's responsibility to implement proper due diligence because we all want to leverage this communication channel, whether it's voice, text, or whatever other channels to deliver information. No pressure, John, but it's really on you.
We’ll be ready, Rebekah, we’ll work together on that. You know what we’re doing for rich content messaging, we’re developing that for rich content messaging and it’ll be reusable by rich content calling.
Perfect. So at this time let's turn it over to your audience to ask some questions. Do we have any questions you'd like to pose?
Yes, we do. So let's start here with: How do voice service providers deal with the subjectivity around vetting? Is it as black and white as ‘good actor’ versus ‘bad actor’ in telecom?
The way that we set it up is we actually provide all the different types of outcomes that we can find when doing a background check on a company. So all of the legal types of actions, all of the regulatory types of actions, all the sanctions, and watch lists, and terrorist lists, and things like that. We work with our customers to assign weights to each of those. We also work to assign adjusters based on years in business and company size. So for example, if I put AT&T into our system they're going to come back with thousands of legal matters. If I only take one point off for each one it's a problem because they're going to get a zero from the score perspective.
So we have all kinds of adjusters that based on if you’re a Fortune 500, or Russell 3000, how many years have you been in business, how many employees you have, what your annual revenue is, how many countries you operate in… These are different things to take into account for how to risk score a company appropriately based on the types of risk you're afraid of, such as spam calling.
If these legal matters have nothing to do with consumer harm and they're all about a personal injury on college campuses and you're running a college through this vetting system, those actions may come back. But by working with your customers you weigh those as zero because they're not relevant to the risk you're trying to prevent.
It's a very configurable process. It may sound like the setup is very hard but it's not. We have templates and forms to do that, but that's the approach.
I’m going to add to that because of all that work that John mentioned, and I know he rattled it off in a few short seconds, it's actually a lot of work to do that. You have to have an understanding, like you mentioned with the Fortune 100s, there's a lot of data points that you have to take in that are not necessarily available. You can’t just do Google searches for that information, you have to have an understanding of the industry that you're evaluating. You have to have an understanding of the structure.
There’s a lot of data that comes back when you do all of this vetting research and that’s what Aegis has been able to put together. It’s taking the manual thought process that you would have to do on every single individual vetting and put it into an algorithm. And that's powerful, I cannot stress that enough because that's what we did at Numeracle, was doing all that work. So that's an extension that we're looking forward to offering to our customers to be able to leverage. As you said, it's not complicated but it allows for the service provider, or whoever needs services for vetting, to be able to tailor it to your local policy.
Chances are you’re probably going to change it, that’s what you do with policies. You evaluate it once a year, and one thing I know about Aegis Mobile is if there is something new that should be considered, they’re going to be the ones focusing on that and updating their system. You don't necessarily have to stay in the know. It’s a whole career set that people don’t realize, this is our entire career. You can get certifications, which our internal have gotten those certifications. It’s a lot of work and a lot of investment. For service providers who are originating calls, that’s not their job. Why would you spend so much money on hiring all of these resources when you can just partner with someone who already offers those kinds of services? I’m just a big believer in that aspect.
I think we have one more question and it's probably all we have time for.
What is your number one piece of advice for carriers out there who want to keep pace with the new requirements for KYC and customer vetting and don't know where to start?
My number one advice, at least from the carrier’s perspective for KYC starts with where you’re not going to find it. You’re not going to find KYC inside the STIR/SHAKEN standards, and that’s not the place for it, it’s just not. Where you will find it, number one, go look at what the FTC is doing from the enforcement side. Look at these beautiful public reports where they talk about what their final decisions were with regards to Globax, which is one that we all know about, they actually detail it. You can literally take that out for your policy and have that as a starting point. So I think that's a great place to look at, is the enforcement side.
KYC, as far as the requirements side of it, I just mentioned, is a well-established industry. I'm going to say don't look to voice different providers to tell you what KYC should be. This has been around for a very long time. Maybe something that we can do in a blog somewhere is I'll put a list of all the different areas of standards around I the Know Your Customer framework that are very useful and helpful in understanding how you set up your own process. And again, if you want to get into the space of monitoring and tracking fraudulent activity and companies, you can start a career down that path. I know you said one piece of advice, but that was two: where not to look and where to look.
All right well that takes us to the end. We would like to thank all of you for joining us for another episode of Tuesday Talks. We hope to see you all again on Tuesday, June 15th where will be joined by special guest, Kevin Rupy, to discuss everybody's favorite topic: The Robocall Mitigation Database. With that upcoming deadline on June 30th, you don't want to miss this episode. Thank you everyone, and have a great day.