Behind the screens: Building security customers appreciate

In this Help Net Security interview, Jess Vachon, CISO at PRA Group, discusses the company’s multi-layered defense against fraud and its commitment to protecting customer trust. Vachon explains how PRA Group balances identity verification with a seamless customer experience.

Vachon also reflects on how AI is changing both the fight against fraud and the way security teams adapt to threats.

Identity verification is a core challenge in debt collection and loan servicing. How do you approach validating identities securely while keeping the process smooth for legitimate customers?

For all customer phone interactions, we verify both the customer’s name and a second piece of personal information before discussing any account information.

For our customer-facing websites, we rely on MFA to prevent fraudulent activity. Requiring multiple independent forms of identity verification to grant access to an account ensures that even if an attacker compromises one factor, such as a stolen password, they cannot gain access to the customer’s account because they lack the other necessary authentication methods.

Many attacks now exploit weak points in identity systems, such as account takeover or synthetic identities. How do you stay ahead of these tactics without adding friction to the customer experience?

While MFA does add some friction to the customer experience, it is a common and required authentication practice across financial institutions. We find MFA has been widely accepted by customers who want to interact digitally with companies that handle sensitive customer information and data. We also utilize security scanning tools at the code level and penetration tests to ensure our login processes remain functional and secure.

Employees are often the first line of defense against fraud. How do you build a culture where staff recognize and report suspicious behavior without fear of blame?

Creating a culture of proactive fraud detection starts with embedding psychological safety into our governance framework. We ensure our staff feel confident that reporting suspicious behavior is not only encouraged but protected. Our multi-layered strategy ensures that employees are empowered to act as security and privacy champions, not scapegoats. That approach includes:

  • Ethical standards: Our Code of Business Conduct and Ethics outlines expectations for integrity and accountability, reinforcing that fraud prevention is a shared responsibility.
  • Training and awareness: We provide ongoing education through Information Security standups and board-level resources that show how leadership helps build a positive security culture.
  • Non-punitive reporting channels: Our incident response protocols and policies, localized as needed to the cultural norms of the countries in which we have business operations, demonstrate that even when human error occurs, the focus is on resolution and learning, not blame. We want staff members to come forward if a mistake is made so we can correct it, protecting the organization, our clients, and our customers.
  • Leadership modeling: Regular communications from senior leaders consistently reinforce that vigilance and transparency are valued over perfection.

As AI plays a bigger role in both fraud prevention and fraud itself, how do you see its impact shaping the future of your strategy?

AI is reshaping the fraud landscape, both as a tool for defense and a vector for new threats. Our strategy reflects this duality, including:

  • Governance-first approach: Our global and localized AI policies emphasize responsible AI adoption, with safeguards around bias, data protection, and human oversight.
  • Risk-based deployment: AI initiatives undergo materiality risk assessments and are reviewed by a formal AI working group to ensure alignment with our ethical and operational standards.
  • Augmentation, not automation: We view AI as a contributor, not a replacement, for human decision-making. This principle is embedded in our governance documents and reinforced through AI security and privacy training programs.
  • Continuous adaptation: Our strategy evolves with the threat landscape. We monitor adversarial machine learning trends and integrate learnings from global regulatory frameworks, such as the EU AI Act.

Our AI strategy is designed to be resilient, transparent, and human-centric, leveraging innovation while safeguarding trust.
