In Conversation With: Paddy Lawton, Founder and CEO of FACT360

Oct 17, 2023

With large, multinational companies now operating across multiple applications, channels, systems and countries, the opportunity for security breaches and risks has become more central in the minds of the managing teams. Recognising this, Paddy Lawton created FACT360, and in September 2022, received investment from a Henley Business Angels member, contributing to their funding round of £500k. We spoke with Paddy Lawton, CEO and Founder of FACT360, after the investment to find out more about the company, their progress since Henley Business Angels’ investment and the company’s plans for the future.

What is FACT360?

FACT360 is a tool that allows us to predict people’s behaviour and stop fraud, HR misuse, compliance and risk problems, and insider threats. Essentially, our tool can analyse communications to see if people’s behaviour is changing from the norm, which could mean that their accounts – email, Slack etc. – have been compromised, and they don’t know that yet. These are called anomalies, and our tool looks for anomalies in communication.

An example of its use would be big law firms using it for investigations. There’s been an ‘event’; something has happened, or something has been stolen/broken, and our tool would be used to investigate this. We were involved in a really big financial fraud case, and our tool took on about 2 million emails to look at people involved in communication. We spotted the ‘bad guy’ because he was behaving out of character, and then all the other people he was interacting with; it’s like a Red Amber Green warning system for behavioural change.

How did FACT360 come to be?

I previously had a company called Spend360, which was used to analyse invoices from large companies. We had clients such as Nike, BEA, HSBC, and RBS. Take Nike, for example; we would get 10 million invoices from them each year, so every quarter, we’d receive 2.25 million invoices from them to process and analyse where they were spending money. It allowed them to become aware of what they were spending money on, such as the $7 million they were spending annually on Dunkin Donuts. What we also noticed, however, was that there were a lot of weird entries that didn’t look right. Big companies like Nike will know what the large spending is on, for example, millions with Microsoft and IBM, but there were lots of $50k invoices with lots of different security companies that looked anomalous. We were only there to analyse spend, so whilst we told them our findings, that was all we were able to do.

We sold that company in 2017, and I wanted to focus on the potential fraud elements that were difficult to investigate. We started by looking at using communications data with Goldsmiths University because they had been doing some research, and I coincidentally met them. They were using theory from Bletchley Park back before we cracked the Enigma Code. In 1940/41, there was a gentleman called Dr Gordon Welchman, who could work out, just based on what Morse code traffic there was between certain people, whether or not there was going to be an attack on mainland Britain. We thought that was interesting and wondered if it was applicable. The maths is still all confidential under the Official Secrets Act, but we thought of applying the principle to communications data over time, making it similar to a page rank for people in correlation with time. We would identify that you are doing something, but compare it to your normal behaviour using historical data, and be able to either retrospectively tell who the ‘bad guy’ is and who they are working with or, in a monitoring session, identify themes.

In terms of that communication data, are you reading content, or is it just interactions?

That is a good point to raise – we do both.

Emails are the majority of what we do, but it can be any communication, so voice, messaging etc., and there are 2 sides to the coin. The first side is what we call Prestige. Prestige is a proxy firm for impact, so good or bad, you have who you communicate with, and how you communicate has an impact on the organisation we’re looking at. That all completely adheres to the European privacy laws such as GDPR because we don’t look at what they’re saying; it’s who they’re talking to; when they’re talking to them; who those people are talking to; the company they keep – you create this huge network, which is brilliant. That’s the first element of our offering.

The second is when a company is launching an investigation. Whether something abnormal has happened, there’s been a complaint, someone’s whistleblown, or there has been a theft, whatever instigates the investigation, as soon as it begins, the legal framework starts to fall away. Similarly, with an insider threat, the GDPR framework isn’t applicable because it becomes a legal case, and the company has the right to look at your data. Most companies include in their employment contracts that they have the right to look at your company email, however, most companies don’t act on that outside of a formal investigation. 

To answer your question, yes, the first side of the coin is GDPR-compliant and can run across any data without looking at the content, but when it becomes an investigation, we have a language engine which uses some very cool machine learning to support the investigation. The concept of the language engine is from the 70s that we’ve taken on at a pace over the last 50 years. What it allows us to do is to classify interactions in a similar way to the BBC website – in the sense that if you went to the BBC website and you want to look at the Liverpool match results, it falls under ‘Football’, which falls under ‘Sports’, which falls under ‘UK Sports’, which falls under ‘UK News’ and so on. When we classify data through this tool, it pulls interactions into categories in a similar way without it having to explicitly say it. For example, our tool would know an individual was talking about ‘Liverpool’ in relation to football, rather than just the city, without them having to explicitly say it. 

Using a real-world example from a few years ago, there was a very famous fraud case called Enron – potentially the biggest corporate fraud case – and the data is freely available, so we use it in our demos. There were several different instances of fraud going on in that business, but one of them was uncovered due to a whistleblower saying he had seen Enron officials, Board Members or people who can make decisions on procurement taking meetings with third-party suppliers. They were meeting them at pubs, restaurants, nightclubs, those kinds of environments, and they’re making agreements along the lines of ‘we’ll give you this contract if you take me on holiday’. What our tool is able to do with that data, by using the categorisation language engine, is take a request such as ‘show me all of the communications between an Enron employee and a non-Enron employee that’s taken place in a leisure environment’, and produce all communications that contained words like ‘lunch’ or ‘beer’ or ‘burritos’. By refining the ask of the engine, and this is the actual stat, it goes from 50,000 communications to 12, and one of those was the individual the whistleblower was talking about. The individual was a very senior person at Enron and had nothing to do with the procurement of software, but he met with the Head of Sales for Perfect Commerce – a big e-commerce platform back then – in a restaurant. The email the Enron individual sent said something along the lines of ‘thanks for dinner last night, very yummy, will do as discussed’. It didn’t say, ‘I’ll give you the contract if you give me the money’, but it was a clear anomaly, and 6 weeks after that email, the tender worth £25 million was awarded to Perfect Commerce when a lot of other people had bid for it. Whilst this was a historical case, it was able to demonstrate how our tool could provide ways for an investigator to get through the data of a medium to large company very quickly.

What is the business model, at present, for FACT360?

We are a SaaS business. It’s all subscription-based. 

We don’t do consultancy; we just sell the product. It can be on-premises or not, but with the data being quite sensitive, moving it around can be tricky. Not technically tricky, but practically with legal departments etc., so we pick the path of least resistance and deploy the software from UR to UR or Microsoft to UR Cloud, wherever. 

How did you find out about HBA, and what led to your application? 

We had started raising some finance, as prior to this, we funded it privately using the proceeds from the sale of Spend360. We realised it was a good time to get more people involved, not only for the cash but for the expertise they bring. We didn’t want to ask the VCs as A) we didn’t need that much money and B) because you lost control of things. We started off by getting an introduction to the Cambridge Capital Group, and Struan, the Managing Director, offered to introduce us to Henley Business Angels and some other investors in Manchester. Struan gave us a warm introduction, which was always helpful, and we met with the team on your end at the Investment Readiness Workshop after being invited to interview. 

The Investment Readiness Workshop was very helpful to get us pitch-ready because every network does things differently. HBA made things very easy to understand, especially helping us make our pitch easy to consume quickly by giving us advice on adapting our presentation into a better format.

How did you find the HBA application process? What was your experience like?

It was very easy, which is really good because we weren’t experts; we had never sought out formal funding before, even though we’d sold two businesses prior. The first round with Cambridge Capital Group was quite tough because we had to work out what we should be talking about. That allowed us to be slightly pre-armed when coming to Henley Business Angels, but the process was very painless and easy, and we really enjoyed it.

How many investors did you get from HBA, and to what extent was that?

We had one major investor who invested £50k.

What was the end result of your funding round? What investment did you get overall?

About half a million, just shy of half a million in total. We did four separate groups, which included internal and follow-on from myself and other people.

What is the plan for that investment?

We’ve been spending it since September. We have a product, it’s built, there’s always more to do, but that never stops. The funding is to be used for getting the word out and making a commercial impact. We’ve taken part in a couple of exhibitions in London, primarily fraud exhibitions, and we sponsored a large legal exhibition, so it’s for building our commercial presence.

Do you have any tips for entrepreneurs with regard to pitching to angel investors?

What we learnt – because we all think we know everything – was that the first thing you need to focus on is your proposition has to be attractive. It needs to be a little bit more than in your own imagination. Obviously, you need investment to build this stuff, but make it more than just a concept. Even building the cheapest, smallest proof of concept is very important, and you can do that unless you’re manufacturing something. With software, especially, you can put something together that gives it life. What we learnt, especially, is that even when you have a product, it is about making it understandable to the investment community.

I would also say to just be realistic. Everyone thinks everything is worth 10x more than it actually is, so be prepared. Constructing the concept properly will help you get out of your own head. You may realise the way you’re doing it is wrong, and you need to approach it differently. 

What are the ambitions for the future of FACT360, and what will happen by way of return, do you think?

We’ve got some work to do to get it into the hands of more users; that’s the important bit. As with my previous companies, we’ve always built something that fits. There are a lot of large players in the fraud space, like IBM, so our tool is unique – such as Prestige – and will be, and is, of interest to the bigger software vendors. We’re looking to make sure they know we do our little piece of the puzzle as best as we can, and the idea is just to sell it to a larger vendor. We are a software house, and it will come to a point in the next 18 months to 2 years, maybe a bit longer, depending on market conditions; it will find a home in one of the bigger vendors.

Is that your plan for exit, then? A sale?

Absolutely, we’re never gonna float, especially with all the larger companies that we would fit nicely within.