As digital payments make up a growing share of money movement, payments fraud is becoming more frequent and complex, requiring a broader range of ever-more-powerful security tools. SardineAI seeks to meet that need with an AI-powered fraud prevention and compliance platform that uses device intelligence, behavior-based analytics, and machine learning to protect financial services, fintech, and e-commerce businesses.
In this episode of Talking Banking Matters, SardineAI cofounder and CEO Soups Ranjan speaks with McKinsey partner and payments industry expert Roshan Varadarajan about Ranjan’s experience leading financial crime prevention at Revolut and Coinbase before starting Sardine; the future of payment fraud prevention, given the emergence of agentic commerce; and the growth of the payments security industry. The following edited transcript shares highlights from their conversation. For more discussion of the banking issues that matter, follow Talking Banking Matters on your preferred podcast platform.
Roshan Varadarajan, McKinsey: Soups, take us through the journey of Sardine. What does the company do, and what was the genesis of it?
Soups Ranjan, SardineAI: We are a behavior-based and AI-based fraud and compliance provider. We work with financial institutions, including fintechs, payment processors, banks, and online marketplaces. And we also work with high-risk industries like crypto exchanges, gift card exchanges, ticketing, et cetera. Before I started Sardine, I was head of financial crime risk for Revolut and headed up their crypto product. And before that, I led data science and risk for Coinbase. I have been involved with cybersecurity and fraud risk pretty much my entire career, and I’m a machine-learning engineer by training, so I always wanted to start a company around financial-crime prevention.
Two fintech trends led to the idea for Sardine. One was the rise of neobanks all around the world, and another was the increase in numbers of crypto exchanges. In the face of this at both Revolut and Coinbase, we realized we had to quickly become expert in fraud prevention as well as compliance, and that means understanding KYC [know-your-customer] regulations and standards in various geographies, as well as AML [anti-money laundering]. How do you do that in all these geographies you’re trying to serve? The idea of Sardine was to become that expert and be a provider of KYC-AML expertise to these neobanks and crypto exchanges, among others, so that they could focus on building their products and scaling their companies.
Roshan Varadarajan: How have you had to evolve since then? Has adding new customer segments changed the nature and flavor of the product?
Soups Ranjan: What we said when we started was, “If we can solve for fraud in the high-risk industries like crypto, then we can solve for it elsewhere.” Or, in other words, if you grow up in a tough neighborhood, then you learn a trick or two. When you create a great experience for customers by making money movement or client onboarding easier with digital technology, you attract the worst of the worst when it comes to scammers and fraudsters. So we thought, “Let’s first solve for fraud in these high-risk industries and later move into solving it for other industries.”
What we’re seeing now is that the same fraud and scam patterns that we were seeing in crypto ten years ago have now become commonplace in banks. So for us, we never had to change the product to serve those other industries. It was essentially the same product and platform, just with an expanded go-to-market.
Roshan Varadarajan: How have you differentiated your product from other fraud platforms or solutions in the market?
Soups Ranjan: First, we are very much a real-time fraud and compliance engine. Second, we do both fraud and AML together in one solution. And third, we are very much a behavior-based fraud and transaction-monitoring engine. Because we are real-time, we can sit in line in the transaction flow, and we can interdict and stop fraudulent transactions before they happen. That truly differentiates us, because the legacy fraud players that we compete with have not had to build anything real-time, given that in the US, bank transfer methods like ACH or wire transfers have a window of at least several hours during which fraud or other problems can be detected. But with real-time payments like RTP or FedNow, you have to stop the fraud in real time, within just a few hundreds of milliseconds. And that’s where we come in.
Also, fraudsters move and adapt quickly. Legacy players that don’t run in the cloud often have to make on-premises changes to adapt to a new typology of fraud. At Sardine, when there’s a new fraud attack, an anomaly alert fires, and you can write a new rule based on that anomaly, using AI. You can just talk to our AI and specify what the rule is that you want to create, in natural language, and it’ll create the rule for you. It’ll also back test the rule over the last several months of data and tell you how much impact it would have. And then you deploy the rule in production. All of this you can do very quickly, within a minute.
Roshan Varadarajan: You do both fraud and anti-money-laundering monitoring together, as a platform. What is the benefit of offering these tools that way?
Soups Ranjan: What banks are increasingly realizing is that they’ve had a lot of vendor sprawl. They’ve got a point solution for doing fraud at onboarding, another for doing fraud at log-in for account takeovers, another for just payment fraud, and then a full system for AML. And then the cybersecurity team has its own system for detecting denial-of-service attacks. And none of these systems talks to each other, so fraudsters live in the gaps between these point solutions. As payments become more complex, so does fraud, and the harder it is for such point solutions to detect it.
Roshan Varadarajan: Can you give us an example of this in action?
Soups Ranjan: Say a fraudster quickly clones a bank’s website using AI tools and sends phishing links to point the bank’s customers to this cloned site. A victim tries to log into their account using the link, which gives the attacker their username, password, and even the 2FA [two-factor authentication] token. And then the attacker replays those credentials on the real website and takes control of the victim’s account. Then they can create a new virtual card, attach it to an ApplePay or GooglePay account, and go on a spending spree.
The cloning of the bank’s website is handled by one cybersecurity team, and account takeover is handled by another. When the fraudster logs in using the stolen credentials, the point solution security system sees a normal customer log-in. The fraudulent transactions using the virtual card are covered by yet another security team. These teams are using separate solutions appropriate to their area of fraud, but none of these teams or solutions is talking to another, so it’s possible for the bank to fail to understand how this type of fraud happens. And that is where Sardine comes in, because we take a platform-based approach and can combine all of that together.
Roshan Varadarajan: You have built a product that is a consortium of pooled, anonymized data that customers can tap into to identify fraudulent activities as they occur and prevent them from spreading across the global financial system. Is that consortium model where the industry is going? Is data an advantage here?
Soups Ranjan: The answer to that is nuanced. We quickly built one of the largest consortiums, which has about three billion devices worldwide that we have profiled and have an idea about whether these are bad devices or good. And we have 350 million–plus consumers and entities and several million businesses that we have profiled as well. But what I often find is that a bad actor can create new identities faster than you can actually put them in a consortium. So regardless of the size of a consortium, what matters is whether you actually do zero-day detection, which refers to entirely new devices that no consortium has information about yet.
To do zero-day detection, you need to know things like how, for example, a phone is being used to log in or make a transaction. Does it look like someone is typing on the phone keyboard, but the phone is actually face down or not moving or the battery is always at 100 percent? Maybe the phone is in a fixed orientation in a data center and isn’t being operated by a human at all. Or on a web browser, if there’s no mouse movement, now you know that’s an AI browser and not a human operating an actual computer. So the consortium is only one tool; you need the capabilities to detect these other signs of scam fraud, too.
The 2025 McKinsey Global Payments Report: Competing systems, contested outcomes
Roshan Varadarajan: How do you think about the verticals you operate in beyond financial services?
Soups Ranjan: What I like to say is that wherever there’s money movement, there’s fraud, scams, and financial-crime risk. And for any vertical you can think of, there’s a customer in that vertical in Sardine’s portfolio. For example, if you’re making a rent payment, are you sure your payment instrument is secure enough or that the place where you send your rent money is the right place? So we have rental companies as a segment. Same for insurance companies: Is the payout being made going to the right beneficiary? Did the right beneficiary get fraudulently swapped out? We also serve online ticketing, online marketplaces, payment services companies, point-of-sale devices, online card acceptance companies, and traditional e-commerce retailers as well.
Roshan Varadarajan: What are the unique challenges you see in commerce-driven use cases? How do you think about decision-making across the value chain to help strike the sensitive balance between reducing false declines and identifying fraudulent transactions? Which side of the transaction do you integrate with?
Soups Ranjan: We have customers in all parts of the value chain. Merchants want to know if a card being used is stolen, so we do fraud prevention and detection for them. As e-commerce shifts to instant delivery of goods, merchants need to do fraud detection at the pre-authorization stage of a payment. Until quite recently, merchants had a couple of days before they actually shipped the goods being ordered, so they could do fraud detection post-authorization. This is where our ability to do real-time detection is critical.
We also help issuing processors as well as traditional card issuers. There’s a lot of what I call vertical SaaS card issuers, who are offering cobranded cards and similar products, and they’re coming to us because they need to stop card fraud in real time. There are also merchant acquiring banks as well and payment terminals too. We have found that when payment terminal companies are selling their devices to physical merchants, they need to detect fraud on the merchant side, too. Perhaps it’s a general goods shop, but they’re only running a few transactions a day, and the payment terminal company is looking to avoid complicity in money laundering. We help with that, too.
Roshan Varadarajan: What’s the future of identity and fraud in an agentic-commerce world, where consumers have an agent shopping for them?
Soups Ranjan: We think fraud detection will have to move from the point of checkout to the point of intent, when you actually pass on instructions to an agent. One issue is that all the agentic browsers just look like a bot to Sardine, which means the agent will be blocked from making a purchase. We need, as an industry, to get together and build a concept of a trusted-agent directory, so that if I’ve directed an agentic AI to shop at Target for me, at the point of checkout, fraud detection systems like Sardine can query it and say, “Even though this looks like a bot, it was actually authorized by Soups, and therefore, let it go through.”
Roshan Varadarajan: How do you see competitive dynamics evolving? How do you reconcile the fact that the market for payments security is vast and growing but is still relatively fragmented, with many actors serving many different parts of the value chain?
Soups Ranjan: There’s a couple of trends that are happening faster than we can imagine, which means the overall size of the market we’re playing in is only going to get larger. The first is that scams in general are skyrocketing, which means banks will increasingly need to put more investment into preventing them. Second, the number of false positives that transaction- and sanctions-monitoring systems generate is just mind-boggling.
Banks are increasingly realizing that all this huge operational staff they hired could be much more efficient if they used agentic AI. For example, we have solutions deployed that use agentic AI today and can auto-resolve 55 to 75 percent of sanctions alerts using an AI agent. For onboarding reviews, about 95 percent can be fully automated using agentic AI. Imagine you’re a bank with a huge back office. If there were 100 cases for onboarding reviews, the people in that back office would only have to do five of them. Or if there were 100 sanctions cases, they would only have maybe 25 to do. The rest would auto-resolve in a fully auditable and compliant manner. So the ROI is just massive. In other words, as KYC compliance and identity verification become increasingly automated, the total addressable market is only going to get larger for the AI-native fraud prevention and AML compliance companies.
Roshan Varadarajan: Let’s switch gears a bit and talk about your own journey. You were very central to making early Revolut and Coinbase more secure. What did you bring from those experiences to Sardine?
Soups Ranjan: I learned quite a bit from my days at Revolut and Coinbase, and a lot of Sardine’s culture comes from the journey that I had at those companies. For example, the CEO of Coinbase, Brian Armstrong, has a pithy way of saying essentially, “If you’re stuck, just get going.” So at Sardine, we seek to embody this focus on velocity. We ship [software] weekly, so we don’t have two-week sprints but do one-week sprints instead. We feel that the best way of making progress is to work incrementally week by week, and over time, it adds up. If you have a huge mountain to climb and just look at it and think, “Oh, man, that’s a big mountain,” you might give up before you even start.
Another piece of our culture that has its DNA in my Revolut days is that we focus on building a multiproduct platform that will let us take multiple paths at once and keep growing the platform.
Roshan Varadarajan: How does this culture manifest in your leadership style?
Soups Ranjan: To me, speed or velocity of shipping is very important. Whenever I see that we are slowing down, there is a wake-up call from me.
But I avoid having to do that by making sure I stay up-to-date. For example, even if I’m traveling, there’s a couple of meetings I never miss. One is our Monday stand-up with the sales team just to understand the go-to-market. So I still have my pulse on pretty much all the deals; I keep track of most of them. And then the other meeting I try never to miss is our product demo session, which is every Thursday. Every engineer, whatever they have built, even if it is just a few lines of code—they actually show it to my cofounders and me, and the entire company is invited.
Roshan Varadarajan: Take us forward five years. What’s your aspiration for what Sardine looks like and who it serves?
Soups Ranjan: We certainly want to be known as the platform that banks or any money movement institution uses when it comes to any risk, whether it’s related to fraud, compliance, sanctions, or credit.
Payments are super interesting and exciting, and maybe, a few years from now, we’ll also have a payments-related business that leverages our unique capabilities. What that looks like, I don’t know yet. I’m actively thinking and brainstorming with my team about it. We have this saying that, in order to do payments really well, you have to worry about increasing your acceptance rate, but you have to also worry about all the hard things around fraud and compliance. The payments industry is hard at its edges. The edge cases are what make real-time payments so challenging, and most of those edge cases come from fraud and compliance risks. With the advent of stablecoins, et cetera, we’re thinking about how we could bring our fraud and compliance lens to making payments faster, cheaper, and better for everyone.
Roshan Varadarajan: Soups, thank you very, very much.
Soups Ranjan: Thank you so much for having me, Roshan.
