Staying one step ahead of the financial fraudsters

From deepfakes to cloud-banking vulnerabilities, financial fraud is evolving faster than traditional defences can respond, amplifying the scale and sophistication of attacks. Banks and fintechs now need smarter, adaptive, AI driven systems that can anticipate and stop threats in real time, moving from reactive detection to predictive prevention.

In today’s digital banking era, financial institutions are facing a fundamentally different threat landscape, driven by AI, automation, and the blurring of digital channels, says Muireann O’Keeffe, director at PwC Ireland.

“With the increase of fintechs in Ireland, regulators are now also highlighting AI-enabled deepfakes, and rising fraud in e-money and remittances,” she says. “Threats have evolved to social-engineering scams where customers are manipulated into authorising payments. Some of the biggest concerns are authorised push payments (APP) fraud, instant-payment fraud, and synthetic identity fraud.” 

The legal framework is playing catch-up with the speed of AI-driven fraud, says Patrick Brandt, partner, financial regulation advisory, A&L Goodbody. 

“Current regulatory rules were designed for traditional fraud and therefore are not always fit for countering AI-generated deception. The rise of deepfake scams illustrates how convincingly identity can be manipulated.” 

Brandt says the Central Bank of Ireland’s 2026 Regulatory & Supervisory Outlook has indicated that AI tools and digitalisation assist criminal conduct.

The regulatory environment is adapting, however. “Laws such as the EU’s Digital Operational Resilience Act (DORA) impose strict requirements around ICT risk management, incident reporting and cyber resilience, which help firms detect and respond to fraud,” says Brandt.

Irish banks and fintechs are strengthening their defences, he continues. “Irish and EU banks are using AI and machine learning to mitigate fraud risk. More recently, they are implementing verification of payee measures, which is a significant payment fraud mitigation measure. Ireland also has a number of industry-wide initiatives on fraud prevention, including, for example, the BPFI’s Anti-Fraud Forum and ScamChecker.ie to check hyperlinks.” 

Financial institutions are deploying sophisticated risk-detection models which assess risk at the point of payment, informed by individual customer behaviour, says O’Keeffe. “There is an increase in data-driven ‘perpetual Know Your Customer’ models to provide a single customer view across the financial institution.

“Voice analytics and virtual service agents are being used to intervene in real time or escalate higher-risk transactions to specialist teams. AI-enabled root cause analysis is being used to drive fraud control improvements in financial institutions.” 

The biggest vulnerability to fraud is human behaviour, says Brandt. “Impersonation scams, where fraudsters pose as a trusted institution and create a sense of urgency to induce a customer to transfer funds, are examples of human behaviour being exploited. However, technology infrastructure is a close second.

“Increased reliance on outsourcing, cloud services, and a small number of technology providers creates concentration risk, especially if those systems and platforms are compromised.” 

Intelligence sharing with law enforcement and cross-border co-operation are essential, says O’Keeffe.

“Importantly, the new EU Anti-Money Laundering (AML) Regulation, which comes into force in July 2027, explicitly permits and encourages information-sharing between financial institutions, within GDPR safeguards.” There is a clear shift from reactive liability to proactive prevention, says Brandt. “DORA requires financial entities to anticipate, prevent, and recover from operational disruptions, with resilience testing and monitoring requirements.

“The proposed PSD3 [Third Payment Services Directive] reforms introduce refund obligations for certain fraud victims, incentivising payment services providers to prevent fraud. Liability for fraud will become a major industry topic as the industry will point towards customer hazard principles, while regulators will focus on industry obligations to take steps to prevent fraud.” 

Ireland has implemented part of its National Payments Strategy through a cross sector Anti Fraud Forum involving industry and regulators. “Regulators will increasingly hold institutions accountable for failing to anticipate and prevent fraud, not just for failing to appropriately react to it,” explains Brandt.

The GDPR gives individuals the right not to be subject to decisions based solely on automated processing that produce significant effects, says O’Keeffe. “Algorithmic bias is also a real risk and has been for some time. There is a risk that AI models can perpetuate discrimination in credit, risk scoring, and account monitoring.

“Therefore, human oversight will be an important step in mitigating some of these risks.”