Financial groups lay out a plan to fight AI identity attacks
Generative AI tools have brought the cost of deepfake production low enough that criminals and state-sponsored actors now use them routinely against financial institutions. A joint paper from the American Bankers Association, the Better Identity Coalition, and the Financial Services Sector Coordinating Council lays out the scale of the problem and calls on federal and state policymakers to act across various areas.

Deepfake incidents in the fintech sector increased 700% in 2023 compared to 2022. Deloitte’s Center for Financial Services projects that AI-enabled fraud losses in the United States could reach $40 billion by 2027, up from $12.3 billion in 2023, a compound annual growth rate of 32%. In 2021, 42% of Suspicious Activity Reports filed under the Bank Secrecy Act were tied to identity or authentication compromise.
Financial institutions currently face ten categories of attack, including deepfakes used against identity verification systems, AI-generated phishing campaigns, synthetic identity creation, real-time deepfake fraud, and the use of AI agents for account takeovers.
Why phishing is scaling so fast
LLMs can automate the entire phishing process. That automation cuts the cost of phishing attacks by more than 95% and produces success rates equal to or greater than manually crafted campaigns. Sixty percent of people have fallen victim to AI-automated phishing, according to research cited in the report.
Legacy authentication vulnerabilities are now compounded by what AI enables. SMS-based one-time passcodes and push-based authenticator apps are phishable. Passwords are phishable. AI tools allow adversaries to exploit those weaknesses at a scale and speed that was previously uneconomical.
What policymakers are being asked to do
The recommendations are organized into four initiatives. The first covers identity proofing and verification. A Treasury Department-led task force would coordinate federal, state, and local agencies on closing the gap between physical credentials and their digital equivalents. Mobile driver’s licenses, which use asymmetric public key cryptography, are identified as one viable path. A deepfake cannot spoof possession of a private cryptographic key, which makes cryptography-based credentials resistant to current AI-generated attacks.
Expanding the Social Security Administration’s Electronic Consent-Based Social Security Number Verification system, known as eCBSV, is also on the list. The system is currently limited to a subset of credit-related financial services. Opening it to account opening, background checks, and other identity validation use cases would give financial institutions and other organizations a way to verify identities against an authoritative government source.
Further actions in this initiative include federal grants to help states modernize identity infrastructure, new attribute validation services at the IRS, State Department, and U.S. Postal Service, a digital passport option for Americans, authority for USPS to offer in-person identity verification services, and updated NIST guidance on biometric algorithms and liveness detection technology.
The second initiative covers authentication. Regulators would be encouraged to push financial institutions toward phishing-resistant authentication, specifically FIDO security keys and passkeys, for both internal systems and customer-facing applications. Policymakers would also be asked to avoid creating restrictions that limit the use of data analytics for risk-based fraud detection.
Jeremy Grant, coordinator of the Better Identity Coalition, told Help Net Security that passkey adoption is stronger than it may appear given how recently the technology arrived at scale. “We didn’t really see passkeys start to emerge at scale in the consumer space until late 2023, and the fact that most consumers now know what they are not even three years later is notable, given how long it takes most new technology to find its way to consumers,” Grant said.
Grant pointed to a persistent misconception that complicates adoption efforts. Some people believe going passwordless makes them less secure, a view shaped by decades of guidance telling people to create strong, unique passwords. “That has not been an effective cybersecurity tool for a long time now, but that doesn’t mean your average consumer understands this,” Grant said. A public awareness campaign around phishing-resistant authentication is one of the report’s final recommendations, in part to address that gap.
The third initiative covers international coordination. NIST, DHS, and Treasury would engage with counterparts in the European Union and other countries on digital wallet interoperability and standards. China and other adversaries are active in international standards bodies that cover digital identity and authentication, and U.S. participation in those bodies is constrained by budget and staffing limitations.
The fourth initiative covers public education, including a campaign for Treasury to run with CISA and financial institutions on deepfake threats, and a separate public awareness effort around passkeys and other phishing-resistant tools.
The regulatory gap
Financial institutions operate under Bank Secrecy Act requirements for customer identity verification and under Federal Financial Institutions Examination Council guidance for authentication. Both are areas where regulators need to issue updated guidance to give institutions confidence in using newer credential technologies to meet existing compliance requirements.
Grant said the threat extends well beyond financial services. “Deepfakes are not a sector-specific problem but a national problem,” he said. “It’s the same organized criminals and hostile nation-states exploiting the same core deficiencies in identity and authentication infrastructure to steal from banks, fintechs, health, retailers, cryptocurrency players, and government.”
Grant identified four of the 20 recommendations as having the broadest cross-sector impact: the state infrastructure grant program tied to NIST guidance, expanding eCBSV access, accelerating NIST’s liveness detection guidance, and creating a multi-agency task force to monitor AI-driven identity threats. He also noted interest in HR 7270, the Stop Identity Fraud and Identity Theft Act of 2026, which would have Treasury run a grant program covering both financial sector security and fraud in government benefits distribution.
The recommendations are scoped to actions achievable within two to three years, with the authors citing past examples of large-scale identity initiatives that failed to gain traction due to complexity.
