Carolyne Moran is VP, Product Management and UX at OneSpan, a digital identity and anti-fraud solutions company. She began her career in logistics and product management at Airborne Entertainment, where she managed direct-to-consumer mobile promotions. Carolyne then transitioned to managing mobile apps and UX at Yellow Pages/Pages Jaunes – Canada, a digital media and marketing company. She later joined eSignLive by VASCO, which was acquired by OneSpan in 2015.
In our conversation, Carolyne talks about how her team needs to incorporate accessibility, regulations, compliance, and self-serve capabilities into a complex security product, all while maintaining a great user experience. She also discusses the importance of building security products in a way that supports a range of users, as well as the role of educating clients on product decisions.
OneSpan is a digital agreement security company. We’re a global company available across every region — LATAM, APAC, EMEA, and North America. We have different selling models depending on the region you’re in. We also do security and e-signatures, both separately and together.
I’m responsible for what we call the digital agreements business unit, which encompasses e-signatures, identity verification and security, validation during onboarding processes, etc. My team also manages virtual rooms where people collaborate on digital contracts.
We also own a new component in the industry: remote online notarization. During the pandemic, people couldn’t meet face-to-face with notaries. This was a huge issue for our clients. It’s a very regulated industry and each state had to change its notary policies during COVID.
We are a B2B2C company, but the B2C component is key as we work with some of the largest BFSI (banking, financial services, and insurance) companies in the world. They have workflows in place that then go to the end user to sign. Our product’s core is around being security- and compliance-ready. We’re SOC 2 compliant, and the E-Sign Act put huge restrictions and regulations in place for us. At the end of the day, security is the most important thing for us and our clients. When we build our products, that’s taken into consideration from day one.
I’m not one to say that you need strict and rigid processes in place, but we have a very tight product lifecycle management (PLM) process. With that, our team has deployed what we call a stakeholder go/no-go. This is when you have to sell the product within five slides and with three things in mind: desirability, feasibility, and profitability. This takes into account how we can deliver a product with security needs and UX in mind.
The other really important aspect is the regulations behind the UX we’re designing. Especially when it comes to e-signature and contracts, users might be signing documents worth millions of dollars. They’re legally binding themselves to an agreement. We use the term “customer primacy” to describe our approach. We’re constantly testing with our customers and iterating our products. We make sure we run tests with people who have never used e-signature products before. It comes down to supporting that security side while also bringing a great user experience.
Yes, and I don’t think it only applies to the world that I work in. We’ve developed a lot of self-serve features and functionalities. You can go in, choose your workflow management, and choose how you want certain things to come in. Some features unfortunately can’t be self-serve due to regulation and compliance issues, but we try to make it possible as much as we can. In general, it’s more user-centric to offer a self-serve model where the user can choose their own configurations versus having to call support to make modifications.
We have customer client councils as well as extended, behind-the-scenes user testing programs. The first phase of our process is always framing. We look at the market and user insights, and as a SaaS company, we also get a lot of requests from clients. We have an ideas portal where clients can submit ideas, and we look at them weekly and create high-level design concepts from them.
I like to say that UX is subjective — you might like pink and I might like green. Everyone has an idea, but our team knows that user feedback is the most important thing. What do users think and what are our competitors doing? What are companies operating in an adjacent space doing? We get this feedback, take the research we conduct, and redesign. This goes back to our mantra of test, iterate, and continuously go. This process allows our UX team the freedom to have connections with our clients as well.
When we were developing our remote online notarization tool, we knew we needed to enable a two-way video camera. Notaries were a new world for us, and we weren’t sure which controls would be important. We joined a board of notaries and had them create accounts, walk through our design process, and give us insight. We got a fantastic view into their world and what they do. Their jobs are very regulated. They have specific steps to follow. When does the journal come in? When do notes come in? What is the order?
From a video perspective, this product had to be extremely secure. With a two-way video call, I can’t just let you have screen access — I need to hand off access. There’s a very specific order that has to be followed. From a UX perspective, these notaries helped us design where certain mouse clicks should be and where specific popups should come up to alert people about passing control over. These are all things we would have never thought about.
It depends on who your audience is. Our team is composed of business-driven product managers, and a few are also very technical. We speak with our clients often, and if I’m sitting in front of the security group at a bank, it will be different than when I’m sitting in front of the business group, but we have to adapt as the product team has to meet all client needs. They will ask questions about the product and why certain things happen at certain times.
For example, when you’re signing something electronically on a mobile device, everything is touch-based. One of our clients asked, “Why do I have to double tap?” We said, “Imagine you’re just scrolling in the document and accidentally click on the signature.” That was a case when we specifically did have to educate them on that decision. It’s important to explain why we do certain things, especially because a lot of this work revolves around sensitive information. That’s part of our business — security is in our DNA and is at the heart of our company.
There are times when, unfortunately, a feature can’t go out the door the way that we want it to. In those situations, we have to explain why these certain functionalities have to happen in a specific way, but it’s pretty rare.
Today, the technical and compliance aspects of things have evolved so much and have gotten a lot easier to work with. Five years ago, for example, we wanted to send something via SMS but were told no. There were concerns that it could get spoofed or someone else could click that link. Five years later, we can do that with no problem. SMS communication is extremely common. We just have to evolve with the market and what regulators say behind the scenes.
We build our product in a way that supports a range of users. We are at WCAG 2.0 AA compliant accessibility across the board. Sometimes, people view accessibility in UX as just aiding people with visual impairments, but it’s more than that. It’s how you use the product all around. Our texts and button sizes are built in a way that’s usable by anybody, regardless of their age or capabilities. You can pinch and zoom in or out, whether it’s on a computer or your phone.
We build it that way from start to finish. That’s actually part of the UX team’s role. Their goal is to make sure that we use all these pieces, such as color contrast tools. It’s about how you, as a user, want to interact with the product.
I was very fortunate to own accessibility in the company a couple of years ago. I learned so much about the importance of making sure that the product suits everyone’s needs. In areas that are more prone to fraud, we add additional checks. Or, if the country we’re working with doesn’t accept SMS validation, we’ll do two-factor authentication instead.
Innovation is not always just what the customer needs. You need to understand what the product is going to look like from a future standpoint. What will your customers need and what’s the innovative technology behind it? Today, even if I don’t have clients asking me about AI, I’m still looking into AI and what it means for our company. Customers may not be talking about blockchain, but we are still bringing in blockchain to make sure that we have a second layer of security.
We foster that growth and also have innovation groups within the organization. I don’t want my team bogged down in issues 24/7. At least once a month, I want them to take the time to sit together and brainstorm. I also try to foster a group of cross-product department collaboration. This means bringing in developers, PMMs, and salespeople. It’s a group effort. I don’t believe that product management owns it alone.
When you look at product-led growth, everything is around CSM, support, sales, and product. It’s an organizational thing. Every person that’s part of that and within the organization can bring great ideas to the table. Product-led growth is something that everyone thinks about, but not everyone implements. It’s important to make sure that everyone’s on the same page from that perspective.
There’s always open communication. We use different channels within Microsoft Teams — whether it’s an innovation channel, an ideas channel, or just a group of people chatting about a new feature. Specifically in the ideas channel, people can submit their ideas as they come up. That fosters openness as a group and I believe that every idea has the potential to be a good one. I want to bring that in, discuss it together, and work as a team. Innovation is constantly pouring in from different people and different angles.
We are already seeing our lives digitized, which means there will be so much more open data about you and your unprotected privacy. We already see stricter regulations coming in but will that be enough as digital identity fraud around the world is continuously expanding?
The future of identity management is evolving. How do we safeguard ourselves, our clients and their users — the “trifecta of protection?” I believe the key factor is going to be continued education and more stringent verification procedures. Fraud is a trillion-dollar market. The more we go digital, the more we have to protect our end users and figure out the right way of doing that. It’s constantly changing and we have to be ready.
LogRocket identifies friction points in the user experience so you can make informed decisions about product and design changes that must happen to hit your goals.
With LogRocket, you can understand the scope of the issues affecting your product and prioritize the changes that need to be made. LogRocket simplifies workflows by allowing Engineering, Product, UX, and Design teams to work from the same data as you, eliminating any confusion about what needs to be done.
Get your teams on the same page — try LogRocket today.
Want to get sent new PM Leadership Spotlights when they come out?
A fractional product manager (FPM) is a part-time, contract-based product manager who works with organizations on a flexible basis.
As a product manager, you express customer needs to your development teams so that you can work together to build the best possible solution.
Karen Letendre talks about how she helps her team advance in their careers via mentorship, upskilling programs, and more.
An IPT isn’t just another team; it’s a strategic approach that breaks down unnecessary communication blockades for open communication.