Estimated reading time: 53 minutes

Financial institutions are rapidly adopting multimodal AI systems – models and applications that process combinations of text, audio, images, video, and other data – to enhance services from customer authentication to fraud analytics. However, with these advancements comes a new class of threats. Multimodal AI threats in financial services exploit the complexity of multiple data streams, leading to modal-confusion attacks that can subvert security controls. In this deep dive, we first unpack the technical underpinnings of these threats for IT security professionals, examining cross-modal command injection, priority inversion exploits, and temporal desynchronisation attacks with real-world examples and tactics mapped to frameworks like MITRE ATT&CK. We then shift to an executive lens for CISOs and business leaders – exploring risk management, AI governance in banking cybersecurity, regulatory alignment (from global standards to Southeast Asia’s local gaps), and strategies to build resilient, trustworthy AI-driven systems. Throughout, we maintain a vendor-neutral, expert tone, backed by industry standards and credible references.

Multimodal AI Systems in Finance: New Capabilities, New Risks

Financial services have embraced multimodal AI to improve efficiency and user experience. Multimodal models combine inputs like voice commands, facial images, transaction texts, and even sensor data, allowing richer decision-making than single-modal systems. For example, banks deploy biometric authentication that uses both face and voice recognition for higher accuracy, and trading algorithms that ingest news text and market visuals simultaneously for better predictions. These systems offer improved accuracy and functionality by leveraging diverse data – a fraud detection engine might cross-reference call center audio with typed chat logs, or a loan processing AI might analyze scanned documents (images) alongside applicant data (text).

However, this convergence of data types also expands the threat surface. Security teams are finding that traditional controls may miss vulnerabilities unique to multimodal AI. A model interpreting multiple inputs can fail in unexpected ways when those inputs interact maliciously. As one AI security analysis noted, the multi-faceted nature of these models “creates several avenues for potential exploitation,” with each modality (text, image, audio, etc.) presenting its own weaknesses. If attackers can manipulate one or more input channels, they may confuse or mislead the entire system’s decision logic. This risk is particularly acute in finance, where integrity of decisions is paramount – a subtle manipulation across data streams could lead to wrongful access to accounts, fraudulent trades, or false compliance red flags.

Financial organizations are thus contending with modal-confusion attacks in AI systems – threats that exploit the interplay and priority of different input modes. Unlike conventional cyber attacks that might target a single vulnerability (like a software bug or one-factor authentication bypass), modal-confusion attacks leverage the complexity of multimodal processing. Before diving into specific attack types, it’s worth noting that the emerging threat landscape for AI is being codified. The MITRE Adversarial Threat Landscape for AI Systems (ATLAS), an extension of MITRE ATT&CK, has catalogued 14 tactics and 82 techniques used in AI attacks. These include data poisoning, adversarial inputs, model evasion, and more – many of which can manifest in multimodal contexts. MITRE has documented that such AI-focused attacks have already led to substantial financial losses, underscoring the need for robust defenses. In the next sections, we dissect key categories of modal-confusion threats, illustrating how they work and how threat actors are employing them against financial systems.

Modal-Confusion Attacks in AI Systems: Vulnerabilities Exploiting Multiple Modalities

Modal-confusion attacks are a class of exploits where an adversary leverages one modality (or multiple) to confuse, manipulate, or override the intended behavior of an AI system’s other modalities. In essence, the attacker induces the AI to misinterpret which inputs to trust or how to combine them, often leading to unauthorized actions or security failures. We examine three prominent examples: cross-modal command injection, priority inversion exploits, and temporal desynchronisation attacks.

Cross-Modal Command Injection Attacks

One of the most potent multimodal threats is cross-modal command injection – feeding malicious input in one modality that causes unwanted actions via another modality. A recent IBM security piece concisely defines this: “A cross-modal attack involves inputting malicious data in one modality to produce malicious output in another.” In other words, attackers can use, say, an image or audio as the carrier of an exploit that ultimately impacts the system’s text-based logic (or vice versa). These attacks can occur during model training (data poisoning) or at runtime (adversarial inputs).

Modern AI assistants and agents that handle multimodal inputs are particularly susceptible. Researchers have demonstrated cross-modal prompt injection attacks that hijack a multimodal AI’s behavior by embedding hidden instructions in visual inputs. For example, an attacker might create a seemingly benign image that contains carefully crafted perturbations or steganographic content which, when processed by the AI’s vision module, translate into a malicious textual command. The AI ends up executing the hidden command as if it were part of its legitimate instructions. In one proof-of-concept, a security team introduced imperceptible adversarial features into an image presented to a vision-language model, causing the model to “hijack the agent’s decision-making process and execute unauthorized tasks.” This CrossInject technique essentially smuggles a rogue directive through the image channel, which then alters the AI’s text-based reasoning. It’s a multimodal equivalent of a SQL injection – but instead of injecting code through a text field, the attacker injects it via an alternate input medium.

Cross-modal injection isn’t limited to images influencing text. It can take many forms: an audio waveform containing a hidden data signal that flips a system’s internal flag, or a PDF document that, when parsed by an AI’s OCR component, includes a prompt to leak sensitive info. The unifying principle is exploiting the parser or encoder that bridges modalities. As IBM’s red team specialists point out, many libraries that extract data from images or PDFs have had issues in the past – meaning an attacker might even find a vulnerability to execute code at the parser level. But even without low-level exploits, just tricking the AI’s logic via cleverly crafted cross-modal content can be devastating.

Consider a financial services scenario: A bank deploys an AI assistant that can process both email attachments and text instructions to help employees with tasks. An attacker emails a loan officer a forged PDF bank statement with hidden adversarial text embedded. The AI’s vision module reads the figures, but also unknowingly picks up a hidden prompt like “ignore compliance check” encoded in the document. This cross-modal attack could make the assistant omit a crucial fraud screening step when that document is processed, leading to an illicit loan approval. While hypothetical, it mirrors real research outcomes – cross-modal injections allow external instructions to override policy, essentially hijacking AI agent behavior.

From a threat mapping perspective, cross-modal injection attacks correspond to multiple stages in MITRE’s frameworks. They involve Initial Access/Execution (delivering the malicious input) and Evasion/Manipulation(causing the AI to do something it shouldn’t). The MITRE ATLAS knowledge base includes examples like attackers poisoning image datasets to induce bad decisions in text analysis, or exploiting a multimodal model’s reliance on one input to override another. In one case study, attackers targeting a malware-detecting AI discovered it used two models – one to flag malware and another to override false positives – and by appending benign-looking data (a different “mode” of input) to malicious code, they tricked the second model into overriding the malware alert. This is analogous to cross-modal influence: one input channel (“good” features) was injected to neutralize the security-critical channel (malware features). The result was the system completely missing the malware, illustrating how combining inputs can be manipulated to defeat security.

Financial threat actors are actively exploring these techniques. A sophisticated fraud ring could, for instance, seed fake but authoritative-looking financial news stories (text modality) to skew an AI-driven market sentiment analysis, whilesimultaneously injecting pixel-level perturbations into stock charts (image modality) that feed the same system. IBM Security described exactly such a scenario: a “fraudulent hedge fund manager” floods news feeds with fabricated stories and subtly alters stock price graphs in ways invisible to humans, exploiting the AI’s visual analysis. The multimodal system, confused by both falsified text and adulterated visuals, might recommend erroneous trades – in IBM’s example, buying at inflated prices – which the attackers then profit from. This coordinated cross-modal attack demonstrates how synchronized multimodal manipulation can amplify errors and cause financial havoc. As one security blog noted, “imagine the compounded effect of synchronizing these attacks” across data types – the errors and chaos from a multimodal attack can far exceed the sum of single-modality exploits.

Priority Inversion and Fallback Exploitation

Another subtle threat in multimodal AI systems is priority inversion – where an attacker causes a system to prioritize a less secure or malicious input over a more secure or legitimate one. The term “priority inversion” is borrowed from real-time computing (where a low-priority task blocks a high-priority task), but in this context it describes undermining the intended hierarchy or weighting of different authentication or decision factors. In multimodal security systems, not all inputs are equal: a bank may intend that biometric face recognition take precedence over a voice PIN, or that an AI’s risk assessment from transaction history outweigh a single customer-provided document. Attackers seek to flip these priorities.

One common example is in multimodal biometric authentication. Banks and payment apps increasingly use a combination of modalities – e.g. facial recognition + voice recognition – to verify identity, on the premise that layering biometrics is more secure (a concept sometimes called cross-modal biometrics for fraud prevention). But what if one modality is significantly weaker or easier to spoof? An attacker can deliberately sabotage or trick the system into relying on the weaker factor alone. For instance, imagine a mobile banking app that uses face as primary auth but falls back to voice if the camera fails. An adversary who can’t defeat the face recognition might create conditions for a “camera failure” (such as exploiting glare or presenting a doctored image that confuses the face detector into not detecting any face). The app, following its design, falls back to voice authentication – which the attacker can supply via a deepfake audio of the victim’s voice. The result is a successful breach by exploiting the fallback mechanism – a priority inversion where the lower-trust modality is elevated.

A real-world parallel occurred with early voice authentication systems. Back in 2017, a BBC reporter famously demonstrated that HSBC’s phone banking Voice ID could be fooled: the reporter’s non-identical twin brother was able to pass the voice verification and access the account. Here, the bank’s system should have prioritized in-person ID checks if voice auth was uncertain, but it didn’t – the biometric priority was inverted by a clever impostor voice. Today’s deepfake AI makes this even easier. Recent demonstrations show that only a short sample (under one minute) of someone’s voice is needed to clone it convincingly. In one case, a journalist used an AI-generated clone of his voice to successfully trick his bank’s telephone voice verification and log into his account. The bank touted that its Voice ID analyzed “over 100 different characteristics” of a voice and even worked if you have a cold , yet the AI clone sailed through. This underscores how an attacker can push an authentication system to rely on a single modality (voice) and defeat it, rather than allow the system to notice discrepancies or require backup verification.

Priority inversion attacks often go hand-in-hand with social engineering and system misconfiguration. Attackers might intentionally saturate or confuse one input channel so that the AI or security workflow defaults to another. In fraud detection, for example, if an AI model normally weighs multiple factors (transaction velocity, user behavior, device data), an attacker could feed benign values on most factors and concentrate the malicious signal in one factor that the model underestimates. By manipulating how the model balances inputs, the attacker in effect inverts the priority of signals, letting the malicious activity slip by. This concept was illustrated in the earlier MITRE ATLAS case: the malware scanner’s design gave an override model priority to reduce false positives; attackers exploited that by making malware look “good enough” to trigger the override. The higher-priority security alert was suppressed by the lower-priority legitimacy signal – a classic priority inversion resulting in a security failure.

In financial AI contexts, consider KYC (Know Your Customer) identity verification that uses both document image analysis and data cross-checks. If the AI gives more weight to the ID document’s appearance than to data consistency, a criminal could submit a very high-quality fake ID (perhaps even a  deepfake video of an ID being waved) that passes visual checks, while the textual data (name, address) might be mismatched or stolen. If the system isn’t tuned to flag those inconsistencies, it effectively prioritized the wrong modality. Inconsistencies across modalities are a red flag – for example, an AI should catch if an uploaded ID photo doesn’t match the person’s selfie or if the voice on a call doesn’t match the face on video. Attackers aim to create conditions where those checks are skipped or downplayed. Financial regulators have noted exactly this: FinCEN’s recent alert on deepfake fraud advised institutions to watch for mismatches (e.g. between an ID document and a customer’s profile data) and not to overly trust a single identifier. The goal of security design is to prevent one weak link from undermining stronger checks – the goal of attackers is to do the reverse.

Temporal Desynchronisation Attacks

A third class of modal-confusion threats involves temporal desynchronization – disrupting the timing or sequence in which multimodal inputs are processed, to mislead the AI system. Many financial systems assume a certain synchronization between events. For instance, a multi-factor authentication might expect that the same user who initiates a transaction in a banking app will, within a short window, confirm a one-time password (OTP) via SMS or a facial recognition scan. If an attacker can desynchronize these channels – intercepting or delaying one – they may exploit the timing gap. Temporal desynchronisation attacks target the “fusion” logic of multimodal systems, which often correlates inputs based on time.

One scenario is with audio-visual authentication, such as remote onboarding where a user is asked to submit a live selfie video while speaking a random phrase. The idea is to verify liveness (the face matches the ID photo and the lips syncing with the phrase proves it’s not just a photo). An attacker with deepfake tools might attempt to spoof this by playing a pre-recorded video and a synthetic voice. Even if their deepfake isn’t perfect, they might try to trick the system by offsetting the audio and video slightly or looping segments until each modality separately passes thresholds, just not simultaneously. If the system’s liveness check isn’t strict on synchronization, the fake video could pass the face match and, a few seconds off, the fake voice passes the speech check. By manipulating timing – effectively breaking the expected lockstep of face and voice – the attacker bypasses the multi-modal verification. Research in deepfake detection often looks at audio-visual synchrony (lip-sync mismatches) as a telltale sign. Knowing this, a malicious actor might intentionally introduce just enough desync to confuse an automated checker that isn’t robust, or conversely, to avoid known detection features by not having perfectly matching audio and video (since ironically, many current deepfake detectors flag too perfect lip-sync as fake, based on training biases ).

Another vector for temporal attacks is in high-speed trading algorithms that use multimodal input streams. If an AI model correlates news sentiment with market data in real-time, an attacker could try to break the correlation by delaying certain information. For example, hack into or DDoS a news feed API so that the AI receives market price drops before it receives the bad news headline that normally explains it. The algorithm, seeing a price crash without an obvious textual reason, might attribute it to a different cause or even decide it’s a dip to “buy” (not realizing negative news is en route). By the time the news arrives (desynchronized), the AI’s earlier action could be irreversible. Essentially, temporal desynchronisation in data feeds can blindside multimodal decision engines that assume simultaneity.

In fraud monitoring, time plays a crucial role too. Suppose an AI looks at both customer transaction sequences and contextual data (like geolocation, device changes) to flag fraud. An attacker performing account takeover might employ a “time-gap exploitation”: first, they compromise credentials and log in (triggering a location mismatch alert internally), but they refrain from making transactions immediately. If the system is not continuous and only checks context at login, by the time they start transferring money 30 minutes later, that context might be considered stale or a separate session. They have desynchronized the suspicious login event from the subsequent transfer. Without proper correlation in time, the transfer might not get flagged as it should.

Overall, temporal attacks are about race conditions in AI perception – hitting the right input at the wrong (or right) time. Financial threat actors may not articulate it as “temporal desynchronization,” but their tactics reflect it. For instance, many mobile banking Trojans intercept SMS OTP codes; by timing the interception so the user’s app never sees the SMS (or sees it too late), the malware enters the OTP on the attacker’s side to validate fraudulent transactions. Here the attacker effectively separated the timing of user awareness from transaction authorization – a desync that favors the attacker.

Modern defensive systems are learning to expect such tricks. Solutions include requiring tightly bound multi-modal signals (e.g., “video selfies” that include dynamic challenges must be verified in real-time) and using timestamps to correlate events across channels. If an AI gets inputs outside expected time windows, it can raise alarms or invalidate one of the inputs. But designing these systems is tricky – too strict and you get false rejects (hurting customer experience), too lenient and you leave openings. As we’ll see, these are areas where standards like NIST’s AI risk framework and industry best practices are evolving guidance.

Threat Actor Tactics and Real-World Incidents Involving Multimodal AI

Threat actors ranging from cybercrime gangs to state-sponsored APTs are incorporating these modal-confusion techniques into their playbooks. Financial services have already witnessed some real-world failures and attacksexploiting multimodal AI and authentication:

• Deepfake Voice Scams – Perhaps the most infamous example is the 2019 incident where criminals used an AI-generated voice deepfake to impersonate a CEO and trick a bank manager into transferring funds. In that case, the attackers called a UK energy firm’s chief executive, mimicking the German parent company’s CEO’s voice with astonishing accuracy. The deepfake audio convinced the victim of an urgent transfer of $243,000, which was sent to the fraudsters’ account. According to the report, the AI voice was “indistinguishable” from the real person and even carried the right accent and mannerisms. This attack bypassed traditional verification not by hacking a network, but by social engineering via multimodal AI – using the voice modality to exploit the trust normally placed in a known individual. TrendMicro noted this “deepfake audio fraud” as a new cyberattack type that shows how AI can make scams harder to detect. It’s essentially an adversarial attack on the human-AI boundary: the bank manager’s voice authentication (the human ear) was duped by AI, and the bank had no additional control in place for this scenario.
• Live Deepfake Video Impersonation – In 2023, an even more complex multimodal scam was reported: a Hong Kong-based bank’s employee was conned into a huge transfer (over $25 million) through a deepfake video conference. In Singapore, police detailed a case where a company finance director joined a Zoom call with what appeared to be his CEO and a lawyer, instructing a large transfer. The “CEO” on the call was actually an imposter using deepfake technology to project the boss’s likeness in real time. Believing he was following orders from his CEO on video, the director transferred roughly half a million USD, which was immediately siphoned abroad. Fortunately, that particular transfer was later clawed back once the scam was uncovered. This incident demonstrates the leaps in deepfake capabilities: it was not just a fake voice on a phone, but a synchronized fake face and voice on a live call. Multiple modalities (visual and audio) were impersonated together to defeat the usual verification (seeing someone’s face while hearing them). It’s a direct attack on multimodal authentication by humans – normally, seeing and hearing someone together is our gold-standard for identity, but AI can now falsify both in tandem. The implications for customer trust are severe: if a CFO can’t trust that the person on a video call is real, one can imagine consumers questioning video banking services or remote advisors. Law enforcement in that case urged businesses to establish protocols to verify the authenticity of video calls, especially when unusual fund transfers are requested.
• Biometric Evasion and Synthetic Identities – Fraudsters are also targeting banks’ AI-powered identity verification processes. With the rise of online account opening, many banks use document verification AI and selfie biometrics to onboard customers remotely. Criminals have responded by creating synthetic identities – combining real and fake information – sometimes augmented with AI-generated profile pictures or even deepfake videos of an “individual” holding an ID. A recent report by Sumsub found a four-fold increase globally in deepfake usage, now accounting for 7% of fraud attempts in identity verification processes. In Asia-Pacific, identity fraud spikes have been partially “driven by deepfake surge,” with Singapore seeing one of the biggest jumps. Deepfakes in this context can mean doctored images or videos used to fool KYC checks. For example, a deepfake could morph the facial features on a stolen ID to match the imposter’s face during a live check, or generate a completely AI-made “person” that passes automated checks since it doesn’t appear in any watchlist. These attacks exploit both visual and data modalities – the AI can be tricked by photorealistic fake imagery, and if there’s no robust database cross-check, a fake identity might go undetected. Financial institutions have detected instances of “deepfake identity documents”, leading them to institute additional due diligence for discrepancies. In practice, that means checking for things like mismatched metadata in image files, or requiring a brief live interaction (like “turn your head left then right”) to ensure it’s not a replayed video. Still, the prevalence of these attempts is rising. One study noted “attempts to weaponise deepfake technology for scams or fraud are projected to grow, due to the widespread accessibility of tools to create highly convincing deepfakes at relatively low cost.”Banks are on the frontline of this fight, as they must distinguish real customers from AI-generated imposters.
• Adversarial Market Manipulation – As previewed in the IBM scenario, there is a clear motivation for financially motivated attackers to tamper with the multimodal inputs to trading algorithms and market intelligence systems. While no public attribution exists yet for a specific incident of this nature (likely due to difficulty in proving it), the ingredients have been demonstrated. We have seen isolated cases of fake news causing stock impacts (e.g., bogus press releases or tweets moving markets). We have also seen adversarial ML examples in other industries (like making autonomous cars “see” a fake object via adversarial graffiti). Combine these, and the threat emerges of an attacker orchestrating both false textual signals and subtle data perturbations to cause an automated trading system to make unfavorable trades. The IBM red team essentially did this in a test, as described earlier: flood news sources with false stories and perturb stock charts with undetectable changes , leading the AI to output bad trading advice. Now imagine this being done by a malicious actor holding positions to gain from those moves – it’s a sophisticated form of market manipulation. It requires significant effort and knowledge of the target AI, but the payoff could be large. In terms of MITRE ATT&CK techniques, it would involve reconnaissance on the AI model’s features, poisoning data sources, and evasion of detection – all tactics covered in MITRE’s ATLAS matrix for AI threats. Indeed, ATLAS includes case studies where attackers studied a victim model’s behavior and then adjusted inputs to exploit its blind spots. The lesson is that threat actors can and will tailor multi-pronged attacks if the target is valuable enough, and financial algorithms present lucrative targets.
• Insider-Assisted Modal Attacks – A noteworthy threat actor category is the malicious insider or collusive employee. An insider with knowledge of how a bank’s AI systems weigh inputs could intentionally assist in a priority inversion or injection attack. For instance, a rogue employee in the fraud department might suppress certain alerts or feed the AI “clean” feedback for fraudulent transactions (training the AI to accept them) – effectively poisoning the model’s learning. Alternatively, insiders might leak data that helps attackers craft more convincing deepfakes (like voice samples of executives, or detailed customer data to get past knowledge-based verification questions). The human element thus intertwines with multimodal AI security: attackers may use AI outputs to social engineer humans (as in deepfake CEO calls), and insiders may use human knowledge to help subvert AI. This creates a complex threat landscape where technical and social attack vectors reinforce each other.

These incidents and tactics underline that multimodal AI threats are not just theoretical. They are happening now, and evolving quickly. In response, detection and mitigation strategies have begun to emerge, often combining technical controls with process and policy. We will next explore how organizations can detect these complex attacks and what frameworks and best practices are available to manage the risk.

Detecting and Defending Against Multimodal AI Attacks

Catching multimodal attacks is challenging – by design, these exploits try to appear as normal inputs in each channel. Nevertheless, a combination of advanced tooling, rigorous processes, and architectural safeguards can mitigate the risk. This section covers detection methodologies (from deepfake detection to anomaly detection in AI inputs) and maps them to frameworks like NIST’s AI Risk Management Framework, ISO 27001 controls, and other best practices. The goal is a layered defense: technical measures to flag or block attacks in real-time, and governance measures to manage AI risks continuously.

Anomaly Detection and Cross-Modal Consistency Checks

One of the first lines of defense is implementing checks for consistency across modalities and for anomalies that indicate manipulation. Since modal-confusion attacks often introduce inconsistencies (e.g., mismatched audio and video, or data that doesn’t correlate with historical patterns), detecting those can reveal the attack. For instance, anti-deepfake systems analyze audio-visual congruence – ensuring that the movements of a speaker’s mouth align perfectly with the spoken words. Research has shown that many deepfake videos have slight phoneme-viseme mismatches (the lip movements don’t quite match the sounds), which can be caught by AI classifiers trained for that purpose. Financial institutions are starting to adopt such deepfake detection tools for their video KYC and video conferencing platforms. On the audio side, banks can employ voice biometrics that not only match voiceprints but also detect signs of synthesized speech (such as odd spectrogram artifacts or lack of natural background noise). Indeed, some solutions look at “liveness” in audio – for example, asking the speaker to say a random phrase and checking that the response isn’t a spliced-together recording.

Another key technique is verifying data consistency. As recommended in a FinCEN alert, banks should flag if a customer’s provided identity documents have inconsistencies with each other or with the person’s profile. If a driver’s license shows one address and a utility bill shows another, and a selfie video doesn’t quite match the ID photo, these are multiple red flags even if each item alone might pass automated checks. By correlating information from different sources (something multimodal AI can actually assist with if configured to do so), systems can require manual review when things don’t add up. In the context of priority inversion attacks, the solution is to not blindly trust a single input. For example, if a face recognition fails but voice succeeds, the system shouldn’t automatically fall back – instead, it could trigger a higher security tier: ask additional knowledge-based questions, or alert an analyst. Several banks now implement such step-up authentication flows when risk indicators are mixed. As Biometric Update reported, no biometric should be used in isolation; combining factors and monitoring for anomalies is crucial to catch spoofing.

Behavioral analytics provide another powerful anomaly detection layer. Modern fraud detection engines look at user behavior patterns (typing cadence, mouse movement, phone sensor data) to distinguish legitimate users from bots or impersonators. If an account takeover attacker deepfakes a victim’s voice on a call, they might still exhibit behavior changes – maybe they navigate the IVR differently or fail if asked an impromptu security question. Banks’ fraud systems often score transactions and sessions based on dozens of such signals. As recommended by one biometric security expert, banks should integrate their fraud detection engines with authentication, so that even if an authentication factor is spoofed, unusual patterns (like a new device, odd time of access, high-risk transaction context) will prompt re-authentication or intervention. In practice, this could mean that after a voice authentication, before allowing a large wire transfer, the system checks device ID and geolocation; if something is off (new device or unexpected country), it doesn’t care that voice passed – it will ask for another factor or hold the transaction. Such multi-dimensional anomaly scoring is vital against AI-enabled attacks which might beat one or two isolated checks but rarely can they mimic everything about a legitimate user perfectly.

From an architectural standpoint, isolating and monitoring the data pipelines for each modality can help. If an AI system suddenly starts getting a flood of inputs in one channel (e.g., hundreds of “news articles” about a certain stock in an hour, as in the earlier example), rate-limiting or source verification might mitigate a data poisoning attempt. Likewise, if an image input is found to contain hidden text (detected via steganalysis or even simply noticing weird metadata or an embedded prompt), the system could refuse that input or strip out the hidden content. Some organizations have begun deploying content scanners for inputs to AI models – akin to antivirus for data – that look for known adversarial patterns or perform sanity checks. For example, an image classification system might run a quick secondary check: if an image is purportedly of a check or ID document, does it actually look like one, or is it mostly noise/patterns that could be adversarial? This kind of validation can catch obvious cases of input that is crafted for machines rather than humans.

Liveness and Multi-Factor Verification

Liveness detection deserves special emphasis in financial authentication. It is the set of techniques used to ensure that a biometric input (face, voice, fingerprint) is from a live person present at the time, not a replay or deepfake. Banks have significantly improved liveness checks in recent years: face recognition logins often ask the user to blink, smile, or turn head, and some employ 3D depth sensing to make sure it’s not a flat image. Voice systems may prompt for random phrases or use the conversation itself (passive voice biometrics) but then insert challenge-response when risk is high. The American Banking Association’s security journal noted that failure to confirm real-time presence leaves biometric tech vulnerable to spoofing or “presentation attacks.”. In other words, without liveness, a photo or recording can fool the system.

Financial standards bodies and regulators have started urging the use of phishing-resistant MFA and liveness for anything AI-mediated. FinCEN’s alert on deepfake identities specifically cites multi-factor authentication (beyond just an ID scan) and live verification (audio or video) as best practices to reduce deepfake account opening fraud. The implication is that if one factor is deepfaked, another independent factor might still catch the impostor (for instance, a deepfake face might pass video, but the criminal might falter when asked to answer a phone call or provide a fingerprint). The convergence of modalities actually can be a strength if used correctly – it forces the attacker to succeed in multiple domains simultaneously. Therefore, banks should layer authentication modalities such that no single mode, if compromised, grants full access. One bank might use face + device cryptographic key, another might use voice + one-time SMS, etc. The combination of something you are (biometric), something you have (device or token), and something you know (PIN or security question) still holds as a strong defense, even as AI threats evolve. The key is making sure the “something you are” (like face/voice) is verified with liveness and the other factors are truly independent (an AI shouldn’t be able to fake the device possession, for example).

For ongoing fraud detection (beyond initial login), many banks have instituted real-time transaction monitoring with AI that can halt suspicious transactions before completion. These systems use machine learning models to score the likelihood of fraud for each transaction. While those models themselves could be targets of adversarial attacks, they add an important safety net: even if an account is taken over via deepfake or other means, an outgoing wire to a new beneficiary in an odd country might get flagged by the fraud AI. The institution can then delay the transfer and perform manual callbacks to the customer. Indeed, in the deepfake CEO case in the UK, the second attempted transfer was stopped because the pattern diverged from normal (the request came at an odd time from an unusual phone number, raising suspicion). So, maintaining a robust fraud monitoring process with human-in-the-loop for high-risk events is critical. This speaks to a broader principle: zero trust mindset applied to AI interactions – don’t fully trust even authenticated sessions when high-value operations are at stake; continuously verify and challenge.

Adversarial Training and Model Hardening

On the more technical side, organizations can invest in making their AI models themselves more robust to adversarial manipulation. Adversarial training is a technique where you train or fine-tune models on examples of attacks so they learn to resist them. For instance, a vision model could be adversarially trained with images that have various perturbations so that it learns not to be overly sensitive to any single pattern. In a multimodal model, you might train it to ignore inputs that don’t align with others (e.g., if an image’s content conflicts with accompanying text, maybe the model should discount the image). Researchers are actively working on multimodal robustness, proposing methods to ensure that multimodal embeddings can detect when one modality is “out of sync” or implausible given the other. Some approaches use cross-modal consistency losses during training to penalize the model if, say, the text and image embeddings are contradictory. This way, at inference time, if an attacker injects malicious text into an image, the model might flag it as inconsistent because it violates what it learned during training.

Another aspect is model hardening – securing the supply chain of AI models and data. Financial firms should control training data quality (to thwart poisoning), keep model details confidential when possible (to prevent attackers from easily probing them), and apply patches to AI frameworks for known vulnerabilities. It’s analogous to traditional software security: if an OCR library has a buffer overflow that could be exploited by a malformed PDF, that needs patching just as urgently as an OS update. Ensuring all libraries and model files have integrity checks (hashes, digital signatures) can help prevent tampering. For cloud-based AI services, due diligence on how those providers protect against adversarial inputs is needed. Many vendors of AI APIs (vision, speech, etc.) are now building threat detection on their side, since they process inputs from countless customers and can sometimes identify a widespread adversarial pattern emerging.

In addition, monitoring AI model performance metrics and drift can catch if an attack is succeeding under the radar. If a fraud detection model that used to catch 99% of a certain fraud type suddenly drops in efficacy, it could be because fraudsters found a new adversarial technique. Security teams can tie this into their SIEM (Security Information and Event Management) systems – e.g., generate alerts when model outputs deviate drastically from norm or when confidence scores are unusually low across many inputs, which might indicate the model is confused by adversarial noise. Essentially, treat the AI’s behavior as another thing to audit and monitor.

Frameworks and Standards: NIST AI RMF, ISO and COBIT Guidance

Detecting and mitigating AI threats isn’t just a technical challenge; it’s also procedural. This is where frameworks like NIST’s AI Risk Management Framework (AI RMF), ISO/IEC standards, and COBIT come into play to guide organizations in systematically managing AI risks. These frameworks don’t provide magic solutions, but they help ensure you’ve covered all bases – from development to deployment to monitoring.

The NIST AI RMF 1.0, released in 2023, provides a structured approach to evaluate and control AI risks. It outlines four core functions: Govern, Map, Measure, and Manage. In the context of multimodal AI security:

• Govern means having the organizational policies and accountability in place. For example, ensuring there is clear ownership of AI systems and their security (who is responsible if the biometric login is bypassed?), and establishing an AI security committee or including AI in the existing cybersecurity governance. This ties closely with COBIT’s emphasis on governance and clear ownership; COBIT helps by defining roles and ensuring alignment with business objectives. For AI, governance includes setting risk appetite (how much fraud loss can we tolerate vs. how much friction to introduce) and complying with regulations around AI. It also means training staff – both technical teams and end-users – about AI threats (e.g., awareness training for employees about deepfake calls, as part of social engineering training).
• Map refers to contextualizing the AI system – understanding what it’s used for, what could go wrong, and identifying risk factors. For a bank’s multimodal AI, this means enumerating all the modalities and data sources it relies on and mapping out potential threat scenarios for each. For instance: our customer service bot uses voice and text – map the risk of voice deepfakes, map the risk of prompt injection via text. Mapping also involves knowing what controls are currently in place for each risk. This function encourages organizations to not be blindsided; you systematically go through “what happens if X modality is compromised?” for all X. Many banks perform threat modeling for traditional apps; here they need to extend it to AI models and data flows.
• Measure involves assessing AI system vulnerabilities and impacts. This is where technical testing comes in – conducting red team exercises, security evaluations, bias and robustness testing. NIST advocates quantitative or qualitative measurement of how well your AI controls are working. An example measure: attack success rate in red team simulations (lower is better). A bank might use MITRE ATLAS as a reference to ensure they test a variety of attack techniques. If an internal red team can consistently fool the biometric system with deepfake voices in 3 out of 10 tries, that’s a risk metric. You’d then try improvements and measure again. Continuous monitoring is also part of Measure – tracking metrics in production like fraud rates, false authentication attempts, anomaly counts, etc. If those metrics spike, it might indicate an ongoing attack or new vulnerability.
• Manage is about risk treatment and mitigation – implementing controls and improvements based on what you found in Map and Measure, and then managing residual risk. This is an ongoing function to “manage” AI risks within acceptable levels. For example, after identifying the risk of cross-modal injection, you decide to manage it by implementing an input sanitizer or restricting which file types the AI assistant will accept. Or to manage deepfake call risks, you implement an out-of-band callback verification for large transactions. Manage also covers incident response preparation: having a plan for what to do if an AI system is compromised or fooled (e.g., how to quickly lock down systems if a deepfake attack is detected, how to investigate and recover).

NIST’s framework emphasizes a socio-technical approach, reminding that AI risks are not purely technical – they involve human factors, processes, and even societal impact. This aligns well with the idea that security teams must collaborate with data science teams, risk officers, and business units when securing AI. It’s not solely an IT problem.

On the ISO front, ISO/IEC 27001:2022 (the leading standard for information security management) has integrated modern controls that can be applied to AI systems. While ISO 27001 doesn’t mention AI explicitly, its risk-based approach is fully applicable. For example, Annex A of ISO 27001 includes controls like Threat Intelligence (new in 2022) – organizations should gather threat intel on emerging issues like deepfakes and AI model exploits. Another control is secure development (ensuring AI models are developed and tested with security in mind, analogous to software). ISO 27001 also stresses supplier security – if using third-party AI services, those should be assessed for security, aligning with guidance like FFIEC’s third-party risk management which now would include AI SaaS providers. In essence, an ISO27001-certified ISMS should categorize AI systems as information assets with confidentiality, integrity, availability requirements, and then apply appropriate controls. For instance, control A.12 (operations security) would entail monitoring AI model predictions for security anomalies, and A.14 (system acquisition, development) would require security reviews of AI models before deployment. Leading organizations are mapping these controls to AI; some even pursue the newer ISO/IEC 42001 (AI Management System) which is a nascent standard specifically for AI governance and risk management.

COBIT 2019, being a governance framework, helps bridge the gap between technical controls and enterprise governance. COBIT provides a comprehensive set of processes and practices for IT management, many of which can be extended to AI. For example, COBIT’s APO (Align, Plan, Organize) domain would advise enterprises to include AI in strategy and risk assessments, ensuring AI initiatives support business goals and have proper risk oversight. The EDM (Evaluate, Direct, Monitor) domain in COBIT means the board and executives should be evaluating AI risk and directing that appropriate mitigations (like those we’ve discussed) are in place. COBIT explicitly highlights ensuring clear ownership and accountability for emerging tech like AI , and the need for an integrated governance m Without it, an AI project might slip through governance cracks (perhaps considered “just an experiment” by IT but deployed in production serving customers – a recipe for disaster if not governed). COBIT also brings in the idea of performance metrics – even for security and risk. A COBIT-aligned approach might have KPIs like “percentage of AI systems with completed threat models” or “time to detect adversarial attack”. Crucially, COBIT includes Risk Management practices (in processes like APO12 Risk Management) which can be adapted to AI risks. As one analysis noted, “the COBIT framework includes comprehensive risk management practices, enabling organizations to identify, assess, and mitigate risks associated with AI.” This gives a formal structure to what might otherwise be ad-hoc efforts. It ensures AI risk management is continuous and tied into enterprise risk appetite.

A practical outcome of following frameworks is improved transparency and documentation. For high-risk AI, many regulators (e.g., under the EU AI Act draft) will require documentation of risk assessments and controls. Using NIST or ISO or COBIT helps produce those artifacts. For instance, NIST AI RMF suggests documenting attack taxonomies considered, results of red team tests, etc. These documents not only help internally but also demonstrate due diligence to regulators and clients.

To sum up, detection and defense in multimodal AI is not one silver bullet but a collection of practices: robust technology (liveness, anomaly detection, adversarial training), vigilant processes (continuous monitoring, incident response, third-party vetting), and strong governance (frameworks and standards ensuring nothing is overlooked). By leveraging these, financial institutions can start turning the tables on attackers, making AI a defensive asset as much as it is a target. In the next sections, we transition to broader risk management and governance discussions, focusing on how to integrate these technical efforts into an overall strategy that includes regulatory compliance and resilience building.

AI Governance and Risk Management in Banking Cybersecurity

As the technical teams shore up defenses, CISOs and executive leadership face a strategic challenge: how to manage multimodal AI risks at the organizational level. This entails governance structures, policies, budgeting, and aligning with regulatory expectations. In this section, we discuss AI governance in banking cybersecurity – essentially how to extend your cybersecurity and IT governance frameworks to cover AI systems – and how to factor these new threats into enterprise risk management. We’ll also examine the global regulatory landscape and what it means for financial institutions in different regions, including regulatory risk from multimodal authentication and other AI uses.

Strengthening AI Governance in Banking Cybersecurity

Governance is the backbone that ensures all the technical measures we discussed are properly implemented and sustained. If AI systems are developed in silos without governance, security will be inconsistent. Many banks are establishing dedicated AI governance committees or working groups, often under the purview of existing risk management committees. These groups bring together stakeholders from IT security, data science, compliance, legal, and business units to set policies for AI use. Key governance actions include:

• Defining an AI Use Policy: Banks create internal policies that define acceptable use of AI, required approvals for deploying AI in sensitive processes, and guidelines for human oversight. For example, a policy might mandate that any AI system making customer-impacting decisions (credit scoring, fraud flags, authentication) must undergo security review and include a human-in-the-loop for override in critical cases. It would also enumerate prohibited practices (like using AI that cannot be explained or audited in high-risk decisions, or using generated synthetic data without validation).
• Integrating AI into Existing Risk Frameworks: Most banks already follow enterprise risk management (ERM) frameworks covering credit risk, market risk, operational risk, etc. AI-related risks – including security threats – should be incorporated. Some banks treat AI risks under operational or technology risk. For instance, U.S. regulators (Federal Reserve, OCC) expect banks to follow Model Risk Management (MRM) guidance (SR 11-7) which requires rigorous validation of models. AI models are essentially “models” under these rules, so they should undergo validation not just for accuracy but also for robustness and security. Governance means making sure the MRM team and infosec team collaborate, e.g., validation now includes checking adversarial robustness and bias in AI models. COBIT’s principle of integrated governance directly applies: break down silos between data science and security teams so that AI model owners are aware of security and the security team is aware of new AI deployments.
• Accountability and Training: Ensure there are named executives responsible for AI risk (some firms appoint a Chief AI Officer or expand the CIO/CISO role to cover this). Board oversight is increasingly important. Regulators in some jurisdictions may ask: does your board understand the AI risks your firm is taking? Under governance best practices, the board or a board committee (like Risk Committee) should be briefed on AI cybersecurity threats and mitigation plans. From top to bottom, building AI literacy is important – not just for tech teams but also for front-line staff. Employees should be trained to recognize deepfake scams and other AI-enabled fraud attempts (e.g., relationship managers learning how to verify client requests that come via AI avatars, or call center staff trained to spot signs of synthesized voices). One survey mentioned by FSB found 96% of executives expect GenAI adoption to increase breach chances – awareness at the top is already high; governance turns that awareness into concrete action plans.
• Incident Response and Reporting: Governance frameworks should update incident response plans to explicitly cover AI incidents. For example, a plan for responding to a large-scale deepfake fraud event: how to communicate with customers (to reassure and advise them), how to liaise with law enforcement, and how to rapidly patch AI systems or revert to manual processes if needed. Reporting mechanisms internally should encourage employees to escalate any suspicious AI-related activity. Many attacks might first be noticed by an employee thinking “this audio request felt off” – if they know who to tell and that it will be taken seriously, the bank can react faster. Externally, banks may be subject to reporting requirements (e.g., GDPR requires breach notification; some countries might mandate reporting significant fraud incidents to regulators). If a deepfake attack leads to customer losses, governance should trigger proper reporting and disclosure to maintain compliance and transparency.

From a COBIT perspective, all of these fall under ensuring processes and structures are in place to manage AI as part of IT. COBIT’s enablers (Principles, Processes, Organizational Structures, People, Information, Services) should be reviewed with AI in mind. For example, COBIT’s DSS (Deliver, Service, Support) processes such as incident management (DSS02) need to incorporate AI-specific scenarios. COBIT’s MEA (Monitor, Evaluate, Assess)processes mean regularly reviewing the effectiveness of AI controls and compliance. The payoff is not just risk reduction, but also value creation: A well-governed AI can be leveraged with confidence to create new products, whereas poorly governed AI might be held back due to fear of unknown risks.

Regulatory Landscape: Global to Local Alignment

Financial regulators around the world are keenly watching AI developments. They recognize the promise of AI for efficiency and inclusion, but also the perils if things go wrong (bias, opacity, security breaches). Thus, we see moves at global, regional, and national levels to set guidelines or rules for AI in financial services. Navigating this regulatory landscape is a key part of governance, to avoid penalties and to ensure alignment with best practices.

Global and Regional Initiatives:

• MITRE ATLAS and Standards Bodies: While not a regulator, MITRE’s ATLAS and organizations like IEEE and ISO provide quasi-regulatory guidance that often informs actual regulations. For instance, the IEEE/ISO 23894 standard (Guidance on AI risk management) and ISO/IEC 42001 (AI management system) give internationally vetted frameworks that regulators may expect firms to follow as proof of due diligence. Adopting these can put a bank ahead of the curve.
• EU AI Act (proposed): The European Union is finalizing what will likely be the world’s first broad AI regulation. The AI Act will classify AI systems by risk. Many uses in financial services (e.g., credit scoring, fraud detection, AML screening) are likely to be deemed “high-risk” AI systems. That means banks in the EU (or providing services into the EU) will have to meet stringent requirements: conducting risk assessments before deployment, ensuring data quality, keeping documentation (technical file) of the AI system, logging its operations, providing transparency to users, and having human oversight. Importantly, security is part of this – the AI Act mandates that high-risk AI be designed to be robust, secure, and able to handle errors or attempts to manipulate it. This directly ties to our discussion: an AI credit scoring system, for example, must be tested and secured against manipulation (like someone gaming its inputs). Non-compliance could lead to hefty fines (the AI Act considers fines up to €30 million or a percentage of global turnover for serious breaches, similar to GDPR). Even though the Act is not yet law, forward-looking banks are preparing by adopting its principles. Additionally, EU’s existing regulations like GDPR apply when AI touches personal data – biometric data usage requires explicit consent in many cases, and any AI security breach involving personal data could trigger GDPR breach notifications and fines. There’s also regulatory guidance from the EBA (European Banking Authority)and ECB around model risk and AI ethics in finance. All this suggests that EU-region institutions need robust AI governance or risk regulatory sanctions and reputational harm.
• US Perspective: In the United States, there isn’t a single AI law yet, but regulators are using existing frameworks to cover AI. Federal banking regulators (Fed, OCC, FDIC) emphasize model risk management, as mentioned. The CFPB (Consumer Financial Protection Bureau) has warned that algorithms used in consumer finance must not produce discriminatory or unfair outcomes – indicating that if an AI is tricked or biased (say, by an adversary poisoning data to make it biased), the bank could still be held accountable for resulting compliance violations (e.g., ECOA violations in lending). On security specifically, agencies like the FFIEC are updating their guidance; for instance, FFIEC’s IT Examination Handbook now includes sections on emerging tech including AI, telling examiners to ask how AI systems are secured and governed. We also see agencies like FinCEN issuing alerts as we discussed, about deepfake fraud trends. FinCEN in 2024 explicitly alerted financial institutions to watch out for deepfake media in identity proofing and to share relevant SARs (Suspicious Activity Reports) if such fraud is suspected. Notably, FinCEN suggested using verification steps and technical tools against deepfakes, and also leveraging inter-agency resources like DHS’s deepfake detection research. This means US financial regulators expect banks to be aware of and countering these threats now, under existing obligations to know your customer and prevent fraud. Additionally, the White House published a Blueprint for an AI Bill of Rights (a non-binding set of principles) that calls for safe and effective AI systems – while broad, it reinforces that critical decisions (like those in finance) should have protection from unintended harms.
• Asia and Southeast Asia: In Asia, approaches vary. Singapore is a leader through the Monetary Authority of Singapore (MAS). MAS has issued FEAT principles (Fairness, Ethics, Accountability, Transparency) for the use of AI in financial services. While primarily focused on ethical use, these principles also implicitly require robust AI (for instance, accountability and reliability tie into security – an AI can hardly be accountable if it’s easily manipulated by attackers). MAS, together with industry, launched the Veritas initiative to develop assessment methodologies for FEAT, including methodologies for customer marketing and fraud risk scoring use cases. This implies tools to assess if an AI model is robust and not biased. On the cybersecurity side, MAS’s Technology Risk Management (TRM) guidelines (revised 2021) state that financial institutions should secure their systems and data – which includes AI systems. Singapore’s financial regulators are also attuned to scams; the Singapore police and MAS frequently issue advisories on scams involving spoofed identities and encourage banks to strengthen verification (the earlier CNA reports are an example of raising awareness). Other SEA countries are catching up: Malaysia’s BNM and Thailand’s BOT have discussed AI governance in banking (often in the context of innovation sandboxes). They may leverage international standards like ISO or OECD AI Principles. However, outside Singapore, explicit regulations focused on AI in finance are still in nascent stages, which is a regulatory gap that banks must navigate carefully. It means banks should self-impose high standards rather than assume “no rule means no issue” – because general regulations (like those on outsourcing, or data protection, or simply sound risk management) will still apply to outcomes from AI.
• Regional Cooperation: Organizations like the Financial Stability Board (FSB) and BIS have been studying AI’s impact. The FSB’s 2024 report noted that AI can amplify vulnerabilities such as third-party concentration, cybersecurity, and model risk, potentially increasing systemic risk. Significantly, it warned that generative AI could “increase financial fraud and disinformation in financial markets.”. While these are observations, not regulations, they often precede coordinated regulatory actions or guidance. So we can anticipate that national regulators (through FSB influence) might start explicitly asking about how banks manage AI-third-party risk and how they guard against AI-enhanced fraud. Indeed, the FSB has called on authorities to enhance monitoring of AI developments and assess if policy frameworks are adequate. The message to banks: regulators are looking closely, and it’s better to proactively align with emerging global expectations (like having an inventory of AI models, risk rankings for each, controls in place, etc.) before being forced to under urgency.

Regulatory Risk from Multimodal Authentication is an interesting angle: if a bank relies on multimodal biometric authentication and it fails (leading to account takeovers or privacy breaches), regulators might sanction the bank for not doing enough to safeguard customer accounts (violating safety and soundness standards or consumer protection laws). For example, if numerous customers are defrauded because the bank’s voice authentication was easily spoofed by deepfakes, a regulator could deem the control inadequate and require remediation, possibly even fine the bank for negligence. There’s precedent: banks have been fined for weak cybersecurity that led to hacks – an AI failure could similarly be seen as a security control failure. Additionally, data privacy regulators could have a say; biometric data is highly sensitive, and using it without proper security could violate laws like the California Consumer Privacy Act or equivalents. If a biometric database is compromised or if authentication is misused, the legal fallout could be significant (class action lawsuits, etc., like we saw with some companies under Illinois BIPA for mishandling biometrics).

On the flip side, regulators also worry that if banks avoid innovative authentication due to fear, customers might be stuck with less convenient methods. So, regulators want balanced approaches – adopt new tech but do it safely. They may issue guidance like: ensure multimodal auth has liveness detection, ensure fallback methods (like OTPs) are secure, etc. For instance, the UK’s FCA might not issue specific rules on deepfakes, but it expects firms to manage fraud risk – so if deepfakes cause fraud, the firm should have foreseen and mitigated that.

In Southeast Asia, regulatory gaps mean that not every country has catch-all rules for AI, but many have general ICT risk guidelines. Banks in countries like Indonesia or Philippines likely follow their central bank’s IT risk guidelines which emphasize resiliency and security for all systems. Those implicitly cover AI: e.g., ensure proper access controls (who can modify an AI model), audit trails, etc. Without explicit AI rules, one challenge is lack of clarity – banks must interpret how existing rules apply. For instance, if an AI model makes a credit decision that’s wrong due to an adversarial attack, is that an operational risk incident to report? Forward-leaning banks aren’t waiting to be told – they are including AI in internal audits and regulator discussions voluntarily.

One emerging trend: Stress Testing and Scenario Analysis for AI Risks. Regulators might begin to ask banks to include AI failure scenarios in their operational risk stress tests. For example, “What’s the impact if your facial recognition login is unavailable or compromised for 3 days? Do you have backup processes, and how many customers would be affected?” Or “What if a widespread deepfake scam targeted 10% of your customers – what would that do to fraud losses and how would you respond?” These are essentially systemic risk modeling exercises. A well-prepared CISO should have thought through such scenarios, possibly even quantifying them (e.g., expected fraud loss in such scenario, potential recovery time). The FSB’s note about long-term macro impact hints that central banks might consider macroprudential rules if AI risks seem to contribute to systemic risk (for example, if many banks rely on the same AI cloud service and it’s attacked, is that like a “single point of failure” in the system?). To preempt heavy-handed rules, banks can show they are self-regulating responsibly – through consortiums like FS-ISAC sharing intel on AI threats, and by adopting best-in-class security. FS-ISAC actually produced a “Deepfakes Threat Taxonomy” for banks , underlining that industry groups are treating this seriously.

Budgeting and Investment: The Cost of Security vs. The Cost of Breach

For executives, one practical aspect of risk management is ensuring sufficient budget and resources are allocated to address these AI threats. Multimodal AI security might require new investments – in talent (e.g., hiring AI security specialists, data scientists in risk roles), in technology (such as subscribing to deepfake detection services, purchasing anti-fraud AI analytics, or upgrading authentication systems), and in training/awareness programs for staff and customers.

CISOs often need to make a business case for such investments. Fortunately, the cases we’ve covered provide clear ROI arguments. Consider the losses: a single deepfake CEO call caused $243k loss ; another attempt nearly got $500k ; a deepfake video scam led to $25M transfer (some recovered). And these are early examples. If left unchecked, such fraud could scale and potentially cause tens or hundreds of millions in losses across the industry. Beyond direct theft, there’s reputational damage – customers might lose trust in a bank that falls victim to a widely publicized deepfake fraud or that cannot protect their biometric data. Trust is hard to quantify, but regulators and executives know it’s invaluable in financial services. Thus, budgeting for preventative measures (which might be in the order of a few million for a large bank) is easily justified against the potential losses and damage.

Specifically, budgets are being directed to:

• AI Red Teaming and Security Testing: Setting up an internal “AI red team” or engaging external experts to routinely pentest AI systems. IBM’s report illustrated that red teaming multimodal AI can catch vulnerabilities before real adversaries do. This proactive approach costs money (experts, tools, time), but it’s a worthy investment. Some banks are even simulating attack scenarios (like the trading scenario) in their cyber ranges to see how their systems hold up.
• Tools for Monitoring and Detection: Allocating funds for advanced fraud detection systems that incorporate behavioral biometrics, device fingerprinting, and AI anomaly detection. Many vendors offer ML-driven fraud platforms – upgrading to those can significantly improve detection of these new threat patterns, but they come at a price. Similarly, solutions specifically designed to detect deepfakes (for videos or audio in call centers) might be procured. Banks might integrate third-party APIs that scan images for signs of manipulation as part of their mobile app’s document upload process.
• Resilience Measures: This includes backup authentication methods (issuing physical tokens to customers as a fallback, for example, or maintaining staffed hotlines for verification if digital methods are under attack), and incident response enhancements (like contracts with forensic firms or communications firms for crisis management in case of a deepfake incident). It also may involve cyber insurance – though insurers are still grappling with how to price AI-related risks, having coverage for social engineering fraud is important. If an insurer sees the bank has implemented deepfake fraud training and detection, the premiums or coverage might be more favorable.
• Research and Development: Big institutions may invest in R&D for AI security, potentially partnering with academia or consortiums. This is long-term investment to stay ahead of threats (like developing better multimodal verification algorithms that are attacker-aware, or contributing to open-source defensive tools).

CISOs should present these not just as costs but as enablers of innovation with confidence. By securing AI, the bank can roll out AI-powered services faster and differentiate in the market (knowing they can manage the risks). There is also a competitive aspect: customers will prefer banks that provide both convenience (like voice or face login) and security. If a bank can advertise that its facial recognition login has industry-leading liveness and has never been spoofed, that’s a trust signal that could attract customers.

Regulators implicitly expect banks to invest appropriately in risk mitigation. Under regulations like Basel’s operational risk principles or even ISO 27001, management must provide resources to implement controls commensurate with risk. Cutting corners in budget could be seen as a governance failure. On the flip side, it’s not about blank-check spending; it’s about smart investment driven by risk assessments. That’s why frameworks are useful – they help pinpoint where investment yields the best risk reduction.

Building Resilient AI-Driven Systems and Fostering Customer Trust

At a high level, the goal is not just defense, but resilience. Resilience means even if an attack happens, the system can recover quickly and critical functions can continue. For multimodal AI, resilience plans might include the ability to degrade gracefully. For example, if the fancy AI authentication goes down or is compromised, can the bank quickly switch all customers to an alternate method (like ask them to use branch visits or ATM card PINs temporarily)? It may inconvenience customers, but that’s better than a complete shutdown or massive fraud.

Resilience also involves continuous improvement. Threats will evolve, so banks should treat every incident or near-miss as a learning opportunity to strengthen the system. Incorporating feedback loops – e.g., after analyzing thwarted fraud attempts, update the fraud models; after discovering a new deepfake trick, update training sets for detection – is vital.

From the customer perspective, banks should communicate what they are doing and also educate customers on their role. Many banks now warn customers about voice scams and advise them that the bank will never ask for certain info via voice message alone, etc. Some are introducing verification phrases or secondary channels – for instance, if a relationship manager calls a client with an unusual request, the client can ask for a one-time code sent via the banking app to verify the employee’s identity. Establishing such verification rituals can maintain trust even in the era of deepfakes. It essentially adds a layer of human protocol on top of tech, acknowledging that technology alone might not be foolproof.

Finally, a resilient and trustworthy system is one that not only is secure, but is also transparent and fair. Why mention fairness in a security context? Because adversaries might exploit unfair or opaque systems to cause chaos or reputational damage. For example, an attacker could exploit bias in a credit AI to cause systematic wrong decisions and then publicize it, causing reputational hit. By ensuring your AI is fair and explainable, you reduce certain attack surfaces (like someone can’t as easily feed inputs that exploit the black-box nature of your model if you’ve made it more interpretable and robust). Moreover, customers and regulators trust AI that can be explained. So, in building systems, choosing models that can provide reasons (or at least can be audited) can help when something goes wrong – you can pinpoint if it was a malicious input or a flaw, and address it.

In conclusion, multimodal AI threats in financial services represent a complex, evolving challenge that must be addressed on multiple fronts. Technically, it requires cutting-edge detection and preventative controls; strategically, it demands strong governance, industry collaboration, and alignment with regulatory frameworks. The financial sector has faced waves of new threats before – from malware to APTs – and has adapted by hardening systems and sharing knowledge. The rise of modal-confusion attacks and AI-driven threats is the next big test. By taking a proactive, comprehensive approach as outlined – combining deep technical defenses with forward-looking risk management – banks and insurers can continue to harness the benefits of AI while maintaining security and customer trust.

Frequently Asked Questions

Keep the Curiosity Rolling →

• Cybersecurity Policy Development: Building Digital Defense
• Deepfakes Dilemma: A Guide to Recognising AI Fabrications
• AI Reshaping Cybersecurity Strategies
• AI Threat Detection: Transforming Cyber Defense Strategies
• Threat Intelligence: Mastering Proactive Cybersecurity Tactics