Cybersecurity, Fraud, and the AI Arms Race
By: Paul Schaus
April 8, 2026
I want to start with an uncomfortable truth that I share with every bank executive and board I advise "The cybersecurity threat landscape is not merely getting worse. It is being fundamentally transformed by the same artificial intelligence capabilities that banks are deploying for their own benefit". Criminals are using generative AI to craft convincing phishing campaigns indistinguishable from legitimate communications, create deepfake identities that defeat traditional verification processes, and probe network defenses at machine speed. The OCC elevated cyber risk and operational resilience to its top examination priority in the Fall 2025 Semiannual Risk Perspective, and for good reason. We are witnessing the emergence of a genuine arms race between AI-powered attackers and AI-powered defenders, and the stakes for banking have never been higher.
This is not simply a matter of more attacks or bigger attacks, although both are true. The OCC's 2025 Cybersecurity and Financial System Resilience Report documents persistent threat vectors including ransomware targeting banks and their service providers, exploitation of known software vulnerabilities, and increasingly sophisticated phishing campaigns aimed at employees. What has changed qualitatively is the attackers' ability to use AI to automate, personalize, and scale their operations in ways that were impossible two years ago.
The numbers tell a sobering story. The average cost of a data breach in the financial services industry stands at $5.56 million, according to research cited in CSI's 2026 Banking Priorities report. Over 50 percent of fraud executives believe that fraud losses in U.S. banking will rise more than 10 percent over the next three years, and 68 percent expect AI use by fraudsters to significantly increase within five years. Capgemini's 2026 Top Trends report finds that 59 percent of retail bank executives cite identity fraud as a growing concern.
In my view, we are in a genuine arms race where attackers hold a structural advantage. Attackers can experiment, fail, and iterate without regulatory oversight or compliance constraints. They operate on internet time. Banks, by contrast, must validate, govern, and document every defensive tool they deploy. That unevenness does not mean banks cannot win but it means they must be smarter and more strategic in how they invest in defense.
Here is where I push back on the purely pessimistic narrative. CSI's 2026 Banking Priorities survey found that 57 percent of community bankers identify cybersecurity as AI's top benefit, and 48 percent cite financial crimes prevention, including fraud and anti-money laundering as a primary use case. These are not theoretical applications. AI-powered threat detection, behavioral analytics, and automated incident response are commercially available, increasingly affordable, and demonstrating measurable results.
From my perspective, grounded in what I see across my consulting practice at CCG Catalyst, is that AI represents the most significant advancement in community bank cybersecurity in a decade. Smaller institutions that could never justify the cost of 24/7 security operations centers staffed by specialized analysts can now deploy AI-powered monitoring that performs at a level previously available only to the largest banks. This is genuinely democratizing. We are helping community institutions implement AI-driven fraud detection and threat monitoring that outperforms legacy solutions at a fraction of the cost. The playing field is tilting in favor of the prepared, regardless of asset size.
The key qualification is "prepared." AI-powered defense tools are only as effective as the data they operate on, the governance frameworks that guide them, and the human teams that interpret their outputs and make judgment calls on escalated alerts. Buying an AI security product is not the same as having an AI security capability.
Experian's Global Insights 2026 report identifies the convergence of credit, fraud, and compliance functions as one of the defining trends shaping the financial services landscape. I strongly agree with this assessment, and I would argue that this convergence is long overdue. The traditional operating model, where the fraud team, compliance team, and credit risk team operate independently with separate data sources, separate technology platforms, and separate reporting lines, is leaving exploitable gaps that sophisticated criminals have learned to target.
Consider a common scenario: a fraudster uses a synthetic identity to open an account, passes the compliance team's KYC checks because the identity documents look legitimate, builds a modest credit history to satisfy the credit team's scoring models, and then executes a bust-out fraud that the fraud team detects only after significant losses. Each team's system worked correctly in isolation, but the vulnerability existed in the seams between them.
My recommendation to every bank executive I advise is very direct. Break down these silos. Build unified risk platforms where credit decisioning, fraud scoring, and compliance monitoring operate from a single, integrated view of the customer. This is not primarily a technology challenge, it is an organizational design challenge that requires executive leadership to overcome the territorial instincts of functional teams that have historically operated in their own domains.
Federal regulators have been clear about their expectations. The OCC has made cybersecurity the top-ranked operational risk priority for examiners, with preventative controls specifically called out for the first time alongside traditional areas of focus like incident response, data recovery, and operational resilience. The Federal Reserve continues to apply a risk-focused supervisory approach that scales examination intensity to the complexity of an institution's operations and technology infrastructure. The 2021 interagency Computer-Security Incident Notification Rule requires banking organizations to notify their primary federal regulator within 36 hours of a significant cybersecurity incident, a tight timeline that demands pre-planned response procedures.
My view is that regulators are doing exactly the right thing by elevating cybersecurity to a board-level strategic issue rather than treating it as an IT operational matter. The institutions that internalize this perspective where the board receives regular, substantive cybersecurity briefings and the CISO has direct access to senior leadership will be better positioned both to weather regulatory examinations and to survive actual incidents. The institutions that still delegate cybersecurity to the IT department and review it once a quarter are carrying more risks than they realize.
The external threat landscape dominates the headlines, but the most underappreciated cybersecurity risk in banking right now may be internal. IBM and Ponemon Institute research, cited in CSI's report, found that nearly 67 percent of organizations reported experiencing an AI-related security incident, and 63 percent had no AI governance policies in place to prevent them. Shadow AI, the use of unauthorized AI tools and applications by employees without IT or compliance oversight creates massive blind spots that traditional security frameworks are not designed to detect.
As a consultant, I have seen these firsthand, loan officers using public large language models to draft credit memos containing confidential borrower information, risk analysts prompting consumer AI tools with proprietary portfolio data, and marketing teams generating content with tools that retain and learn from every input. Each instance represents a potential data exposure that could trigger regulatory consequences, customer trust violations, and reputational damage.
Every financial institution needs an AI acceptable use policy, not next quarter, not after the next board meeting, but now. The policy should define which AI tools are approved for use, what categories of data may and may not be processed through them, how outputs are reviewed and documented, and what the consequences are for non-compliance. One data exposure incident will cost more than years of investment in proper governance, and the regulatory environment is moving quickly toward explicit expectations in this area.
The cybersecurity arms race has no finish line. The threats will continue to evolve, the attackers will continue to innovate, and regulatory expectations will continue to increase. Banks that treat cybersecurity as a cost center, spending the minimum necessary to pass an examination will be perpetually vulnerable and perpetually reactive. Those that treat it as a strategic capability, powered by AI, governed by strong policies, integrated across risk functions, and elevated to genuine board-level attention, will be resilient. In 2026, there is no middle ground.
OCC, Semiannual Risk Perspective, Fall 2025
OCC, 2025 Cybersecurity and Financial System Resilience Report
CSI/CITE Research, 2026 Banking Priorities Executive Report (October 2025 survey)
Experian, Global Insights 2026: 7 Shifts
Capgemini, Top Trends 2026 Banking
Newgen, Banking Top Trends FY26: Banking Identity 2026
Deloitte Insights, Tech Trends 2026 (The AI Dilemma chapter)
IBM/Ponemon Institute, Cost of a Data Breach Report (cited in CSI report)
Federal Reserve, Cybersecurity and Operational Resilience Guidance
FFIEC Joint Statement on Risk Management for Cloud Computing Services (2020)
Interagency Guidance on Third-Party Relationships: Risk Management (2023)
Interagency Computer-Security Incident Notification Rule (2021)
Next in this series: Customer Experience Reimagined: Personalization, Digital Fatigue, and the Branch Question
CCG Catalyst Consulting is a banking and fintech advisory firm that has guided over 600 financial institutions through core modernization, digital transformation, AI strategy, payments, contract negotiations, and M&A. Through its Bankers Fintech Council, CCG Catalyst also bridges the gap between banks and fintechs to accelerate responsible innovation. Managing Partner Paul Schaus is a recognized Top 25 Financial Services Consultant, and subject matter expert in banking, bringing experience across every level of the industry to the firm's advisory practice. Learn more at www.ccgcatalyst.com
