Trevor Lain spent nearly 25 years as a lawyer counseling banks through financial crises, regulatory change, consent orders, and examiner scrutiny. What he kept seeing troubled him: banks were being held accountable for risks happening far outside their walls: on the customers’ end, on remote devices, in businesses that didn't fully understand the rules that applied to them.
So he started building a solution. LexAlign delivers automated compliance and fraud risk assessments directly to bank customers, and gives community financial institutions the data and documentation they need to demonstrate oversight at scale.
In this installment of The Transformers, Trevor explains how fraud has become a huge global industry, what the 2026 Nacha Rule changes actually require of community FIs, and what they can do right now to protect themselves and their customers.
I spent close to 25 years counseling banks, particularly during times of regulatory change or crisis, when they were dealing with examiners, consent orders, court appearances. What I began to see, especially during the mortgage crisis, was how exposed banks are to operations they no longer control.
A lot of basic banking functions like loan originations, servicing, and now payments, have migrated out to third parties and customers. But when the regulators show up, those operations are still the bank's responsibility.
The problem I kept running into was that it's just not possible to visit every customer site as often as you need to in order to manage and demonstrate compliance. And a lot of these smaller organizations don't have access to expertise they need to manage the risk of their operations. They don't even know what they don't know. They can't produce the audit reports, action plans, or checklists that demonstrate compliance. And yet the bank is held to account. So I realized we needed to solve a two-sided problem: get expertise out to the customers in a way that's accessible and actionable, and bring data and scoring back to the banks so they can manage risk at scale.
Fraudsters have figured out that they don't need to attack the bank anymore. The bank has thick walls, physically and figuratively. Who doesn't have those protections is the bank customer: the treasury customer, the business originating ACH entries or wires, the check depositors who do not fully appreciate the risk and rules framework they operate in.
So fraudsters focus on the customer. They either burrow into their systems and do an account takeover, pushing deposits out to an account they control, or they use social engineering: business email compromise, double spoofing, payment impersonation. They get the customer to unwittingly originate a transfer. And then there's check fraud, which is surging.
What's made it dramatically worse is that fraud has become industrialized. We're talking about large, organized operations, sometimes using what amounts to slave labor, running sophisticated fraud campaigns. And over 80% of them are now using AI. It's an arms race, and the financial system cannot win it without recruiting and empowering customers to help prevent fraud where it actually hits the system.
About 22% of financial institutions reported losing over $5 million in the past 12 months due to fraud. Community banks are fighting a two-front war: check fraud losses are rising sharply, and we're also seeing increases in account takeovers, identity theft, and business email compromise on the commercial side. On the consumer side, romance scams have become very prominent and are particularly difficult to solve for, because it's genuinely hard to convince someone they're being scammed.
The encouraging finding is that 68% of institutions have increased fraud prevention spending and are seeing positive impacts, not just on fraud losses, but on the customer relationship itself. Higher loyalty, higher retention, more deposits, more sales. There is a real ROI to fraud prevention.
What works is going beyond education to empowerment. Sending a long email or linking to a web page doesn’t work anymore; people don't read it. What we find resonates is taking customers through a process that sensitizes them to the risks and motivates them to take action. Then if you give them a tool to act on it, they respond really well. And a bank or credit union that positions itself as caring about that earns a lot of goodwill.
We start with a self-assessment, following what the Federal Trade Commission identifies as the fundamental steps for risk management. We take bank customers through what we call a diagnostic interview, a structured process modeled more like a doctor's visit. We ask customers questions they already know the answers to: what are you doing, how are you doing it, where are you doing it? The system uses those answers to determine which rules and risks apply to them, and then assesses whether they're meeting regulatory expectations.
Upon finishing their self-assessment, customers immediately see a dashboard with an audit report and a gap analysis showing where they're meeting expectations and where they aren't, and they get an action plan in plain language telling them exactly what to do to get compliant. The business customers also receive a policy and procedures document they can use to train staff.
On the bank side, the financial institution gets a dashboard with scoring and data across their entire customer base. They can filter by risk factor: for example, “Show me all the customers who aren't encrypting their Wi-Fi,” or “Show me all customers that have problems with their check scanners.” That scoring and data enable the FI to take targeted and low cost but meaningful proaction. That's the kind of risk-based management regulators expect but that's impossible without this data set.
No single solution checks all the boxes here, and you need a toolkit approach. The March deadline got a lot of attention for what the Originating Depository Financial Institutions (ODFI) must do around transaction monitoring, but the rule actually starts with the customer. Each non-consumer originator and third-party sender must implement risk-based processes and procedures to detect and prevent unauthorized entries. The word "authorized" appears three times in that one sentence. That's intentional.
The key thing many community bankers may not fully appreciate is that the ODFI is explicitly responsible for its customers' compliance. Article Two says the ODFI is responsible for the compliance of all entries, even those originated by its customers. Nacha has even stated in presentations that the ODFI is responsible for "everything," in all caps.
The good news is this doesn't have to be a heavy lift. Solutions exist that can get you up and running in weeks, with no technical integration required on your side. LexAlign is specifically designed to give banks a way to conduct and document that customer oversight without requiring technical integration or significant staff time. The compliance investment pays off in reduced fraud, stronger customer relationships, and the documentation you need to show examiners you're doing what the rules require. You can reach our team at contact@lexalign.com.
Acceleron is a modern correspondent banking platform that empowers community banks and credit unions to automate international wire transfers, capture non-interest income, and compete more effectively with big banks. With a foreign exchange (FX) marketplace and currency conversion engine, Acceleron’s API-first infrastructure helps institutions turn cross-border payment flows into efficient, revenue-generating opportunities. Serving over 200 financial institutions and facilitating more than $1 billion in international payments annually, our correspondent banking services and international payment automation solutions are pre-integrated seamlessly with Fiserv Payments Exchange, Braid, and other leading payments platforms.
Subscribe to our monthly newsletter, "The Exchange," to stay ahead of the curve and get original content and actionable insights you won't find anywhere else!