What I Learned at Peach Pay 2025
Notes from the Southeast's premier payments innovation conference. Crypto, deepfakes, FedNOW, quantum computing, and the age-skills gap were just some of the topics discussed. Enjoy my notes!
Disclaimer: I am an employee of Global Payments. The posts (or views) on this site are my own and do not reflect the positions, strategies or opinions of Global Payments Inc.
On Thursday, I attended the Atlanta Federal Reserve’s Peach Pay Conference. It was an intimate forum for learning about and sharing insights on the future of payments. We discussed a range of topics from Stablecoins to AI Fraud to Quantum Computing. This post summarizes the key takeaways for the payments and fintech industry and provides additional reading for you to go even deeper.
Jump to A Topic
Addressing Vendor Risks
“It’s a matter of time until it happens again.”
When faced with the Buy-Buy-Partner decision, most banks and fintechs tend to choose partners. However, this can lead to over-reliance on a vendor for core services — something the CrowdStrike outage highlighted last year. This problem is unlikely to go away in the coming years, so it’s important that businesses take steps to address it.
To resolve these risks, leaders can look to diversify and reduce reliance on a single vendor (ex: deploy a multi-cloud strategy). They may also bring solutions in-house (either by building or buying) to reduce or eliminate the third-party risks. As businesses scale and modernize, it’s important to regularly examine third party risks and externalities by running failure and disaster recovery tests.
Good starting places to draw additional inspiration are the logistics of nearshoring and building antifragile supply chains.
Future-Proofing the Workforce
“We’ve got a tenure problem. 30-40% of the Federal Reserve’s workforce is at or near retirement.”
The Fed has a deep well of knowledge and expertise — something you should want in a critical public institution. However, their workforce is aging creating a block of key person risk, which is why it’s important to focus on knowledge transfer. The challenge lies in training the next generation before those skills and insights are lost.
The Fed is addressing the challenge in a number of ways, including combining traditional apprenticeships with the SECI Framework:
Socialize: Hire younger talent and pair them with a tenured employee.
Externalize: Have the younger employee shadow a tenured employee on a project or initiative.
Combine: Younger employee creates a deliverable with help from the tenured employee (e.g. blog post, working paper, panel discussion).
Internalize: Younger employee retains the knowledge through the act of making the new deliverable.
Fed’s AI Adoption Playbook
It’s no wild west, but we’re running controlled AI experiments and sandboxes across robotics, decisioning, and content generation, with plans to scale to higher-order problems.
The Fed is taking a snowball approach to artificial intelligence (“AI”) in adoption — testing across smaller problems first to ensure security and scalability. They’re doing more than generative AI (“GenAI”), and leaning into the advanced machine learning (“ML”) side of AI. ML is great for the more repetitive tasks faced by the Fed: payments clearing and settlement, cash and liquidity management, etc.
The snowball approach is a great way to introduce technology within an organization. The Fed builds the internal experience with the new tools before risking issues with a mass deployment. It also gives time to vet whether the new tools are even worth it to introduce and scale.
For a more practical approach to successful technology introduction, there’s a five step framework from this 1988 paper:
coordinating training with corporate strategy,
implementing continuous learning and employee involvement strategies as a response to change,
encouraging imaginative manufacturer-vendor cooperation,
improving the cost-effectiveness of training,
and linking retraining and continuous learning practices
Pulling Ahead in the Fraud Arms Race
Many fraud solutions are too focused on the past.
George Clemenceau, PM of France during WWI, quipped, “generals always prepare to fight the last war.” The same can be said of most fraud tools and policies. In the Fraud Arms Race, the industry is often in a reactionary posture — going to great lengths to neutralize the most recent fraud innovation. This is great for addressing scams based on structural gaps (i.e., counterfeit cards) but struggles to address new account takeover and card-not-present (CNP) fraud.
Taking a proactive approach to fraud involves thinking like a fraudster. This is most often done through “red teams” whose job is to spot vulnerabilities in a system.
For more on red teams, there’s the UK Government’s 2010 guide and the very thorough Wikipedia page for the topic.
Companies spend most of their time chasing fraud rather than proactively learning client behaviors to prevent fraud.
David Excell, CEO of FeatureSpace, has spent the last 17 years fighting fraud. Excell believes that understanding how a “real” client behaves is the best long-term solution to identifying fraud. Building behavior profiles into the payment process has proven successful — reducing fraud by 39% at Metro Bank.
AI models have a key advantage over static rules-based approaches: evolving with the customer profile. According to Excell, it only took three days in March 2020 for their models to fully adapt to the lockdown spending behaviors. Given the sharp increase in online, card-not-present transactions, this was especially important. As digital payments increase for cards and pay-by-bank, fraud solutions will need to become increasingly proactive and dynamic.
For more on FeatureSpace, check out Excell’s retrospective on the first 16 years or the recent Visa acquisition news.
Most fraud is still reliant on social engineering and tricking people. Deepfakes alone don’t cause more fraud, but it does increase the probability of success.
Deepfakes are audio and/or video which allow one person to appear to be someone else. Deepfakes used to require hundreds of hours of video and audio to create a persona, but AI tools can do it with just a single photo and a short audio clip. If you’ve seen how good Snapchat filters, thispersondoesnotexist.com, or the recent Studio Ghibli filters are, you can understand why fraud teams are worried.
AI-generated deepfakes are making traditional photo, video, and voice authentication obsolete. The industry spent the last two decades moving away from passphrases and physical tokens. It was believed live video and audio were suitable protections. AI has blown a hole in that belief. Now, risk management teams are fighting back with anti-deepfake AI, behavioral biometrics, and traditional verification methods.
However, AI deepfakes aren’t just a threat to account takeover. These tools are good enough to trick people into falling for social engineering scams. These scams prey on human psychology (“need to be a hero” or “intense urgency”) and weak governance. An example from last year saw a finance employee sending $25 million to fraudsters who had deepfaked the CFO. This is a big, flashy example, but it’s almost a guarantee that it’s happening at smaller scales throughout organizations.
Education is key — Verify, Verify, Verify. Talk to your friends and co-workers, talk to your relatives, and always be suspicious of people asking you for money — especially if it’s urgent yet vague and relies on sending gift cards. For more reading, here’s a guide to avoiding gift card scams from the FTC.
Instant Payments Challenges & Opportunities
The real value [for RTP and FedNow] comes at the level the network effects begin.
Instant payments (RTP, FedNow) in the U.S. are close to reaching critical mass in terms of receiving accounts. Cheryl Venable, Atlanta Fed COO, stressed her view that small banks should have a plan for instant payments. Otherwise, these banks risk being left behind.
The challenge is getting more send-enabled accounts on the networks. This is where financial service providers can step in to provide ready-made, “turnkey” solutions to connect to RTP and FedNow. There are more systemic challenges such as fraud management in push-only systems and expanding the viable use cases for RTP. Until these fraud and broad acceptance (nevermind float and rewards) problems are solved, it’s unlikely that we’ll see broad acceptance.
I’ve written before on the “hammer in search of a nail” problem facing RTP. For more on request for payment, here’s a good technical write-up on TCH’s solution.
Shifting Global Payments with Cryptocurrency
Traditional finance is based on the account while cryptocurrency is based on the wallet.
The account-based model of finance and payments relies on third-parties to tell you what your balance is and transfer the funds on your behalf. The wallet-based model places control of funds and information in your hands. There’s an argument to be made here that Open Banking is a sort of middle ground. In this space, the FI is merely a custodian and overseer while the customer maintains control over their financial data.
Cross-chain payments are a good testing ground for cross-border transactions.
The buzz around stablecoins revolves around cheaper, faster cross-border payments. Cross-border is notoriously complex and difficult to solve — it’s one of the oldest problems in banking. This is because you need to get the funds to the other party and then convert it to a usable form of currency. In crypto, the first is handled through the crypto ecosystem while the latter is handled through on- and off-ramps with traditional financial institutions.
The real innovation in moving funds within the crypto ecosystem has been “cross-chain” transactions. These transactions allow value in one network (e.g. USDC, a USD stablecoin) to be transferred to another network (e.g. ERUC, a EUR stablecoin). It’s a similar process for getting funds in and out of the network.
Functionally, these processes mirror the nostro/vostro (“mine/yours”) account structures used for centuries in cross-border banking. See below:
Ultimately, people will use the payment method that offers the greatest ease and most benefits. The battle for ‘top of wallet’ status has expanded to include P2P apps and crypto, however, these lack commercial use (in the US) and benefits comparable to cards (fraud protections, rewards, etc.).
For more on stablecoins in cross-border, check out this writeup from BVNK. For how traditional finance is getting into the cyrpto space check out the recent Visa/World Network rumors.
Quantum Computing’s Future Security Risks
Asymmetric cryptography [public and private key encryption] is the basis of trust in modern payment systems. Quantum computing puts 2048-bit RSA encryption at risk.
Quantum computing turns discrete, binary computing (0 or 1) into a probabilistic machine (0 or 1 or 0.1 or 0.11…). This characteristic makes them good at handling complex math problems, like finding the factors of a number, but not so great at multiplying — the joke is “2 x 2 = 4 … most of the time.”
The encryption standards used by modern systems, Rivest Shamir Adleman (RSA), are notoriously difficult for traditional computers to crack. They can take billions of years to solve, making them practically unbreakable. This is because traditional computers are really good at multiplying two numbers (3 * 5 = 15) but really inefficient at factoring them (15 → 3 * 5).
Quantum computers can use Shore’s algorithm to find prime factors. This algorithm cuts the time needed to crack RSA encryption from billions of years to hours or even minutes.
Right now, and for the near future, these machines can only be run and implemented at the nation-state level. However, “Y2Q” – the day hackers gain access to functional quantum computers – is expected to arrive in the next 5-7 years. To adequately prepare, Financial institutions need to start phasing out weak encryption protocols now.1
Making things ‘quantum safe’ on legacy systems is like finding and replacing all the nails in a house without knocking it down.
Protecting against quantum encryption breaking requires adding quantum-safe encryption2 (“new nails”) in addition to the existing encryption standards. However, banks first have to find all the encrypted data bases and servers in their systems. In addition, they’ll need to identify everywhere encrypted data is transferred.
In a card transaction transaction this means at least four databases and five transmission lines need to be evaluated. Mapping and upgrading all of these systems is expected to take years for each step. An opportunity exists for “quantum risk assessments” to help banks and merchants map out encrypted endpoints in their payments infrastructure.
Quantum computing is still an emerging technology. It’s not anywhere near public scale at the moment. Looking at the history of the internet, quantum computing today is more akin to DARPANET than dial-up or digital internet. To learn more about quantum-safe cryptography, I’ll point you to IBM.
What Do We Make of This?
The sessions all carried one common theme: addressing tomorrow’s opportunities today. The future is going to present us with new problems to solve and new solutions to build. As we see with stablecoins and deepfake fraud, sometimes the best solutions need to look back and borrow from the past. The future of this industry will belong to those who can balance speed with security and experimentation with execution.
Will quantum computers become ubiquitous and replace existing computers? No. What’s more likely to happen is that they live at the data center level with quantum computing offered as a service. Why?
First, they require immense start-up investments and operating costs – the machines must be kept very, very cold. This makes the tools cost prohibitive to everyone except governments and the largest technology corporations.
Second, these computers don’t have stored memory and are bad at tasks that require discrete outcomes – you wouldn’t want to look away and see the 100 in your spreadsheet change to 104 then down to 98.
Everyone is waiting on NIST to set a standard which will trickle into the US government. Once the US agencies are quantum-safe, then their vendors will need to be as well. This is the process for most standard proliferation in the U.S. However, there is a world where insurance companies tell their corporate policy holders “we won’t insure you unless you’re quantum-safe.”
In either case, the solution is likely to be top-down, not bottom-up.
Quantum computing sounds like another security opportunity. Capital will need to be deployed to develop solutions to defend against Quantum computing attacks. Whether that's just encryption or something else, several billion-dollar firms could emerge here, given the challenge QC could bring from an "attack" perspective.