When Zelle launched, consumers were enamored with the ability to send and receive instant, frictionless payments without leaving their banking app. Fraudsters took notice. Social-engineering scams quickly exploited Zelle’s speed and irreversibility, leaving banks, regulators, and consumers tangled in years of disputes over a deceptively simple question: Who was responsible?
AI agents are banking’s next version of that problem, but at a scale orders of magnitude larger.
The biggest technical challenge when it comes to spotting agentic fraud is that banking fraud controls were built on the assumption that behind every session is a human. Banks can spot “traditional” bots because they don’t behave like humans — their timing, navigation patterns, and session behavior are fundamentally different. Equally important, they don’t come from the consumer’s device.

But agents don’t act like traditional bots. In fact, the banks we work with cannot reliably distinguish whether they are interacting with a human customer or an AI agent acting on that customer’s behalf. Fraud models trained on years of human interaction data may misclassify agentic activity in both directions. Flag too aggressively and legitimate customers face friction. Approve too loosely and banks authorize activity they shouldn’t.
To avoid those scenarios, banks are trying to distinguish good bots from bad ones. That requires a strategic focus on intent: is this a legitimate AI agent acting for a customer, or a rogue or adversarial agent executing fraud? Banks need to decide what agentic actions they’re willing to allow outright, and which ones they’ll make consumers liable for if they authorized the agent to act on their behalf.
It’s the classic fraud-versus-friction conundrum, reimagined in the age of AI. And the answer may well determine the difference between smooth commerce and significant financial and reputational damage.
Most conversations about AI risk in banking still treat threats in isolation: deepfakes during onboarding, phishing and account takeover, fraud in payments. But consumer AI agents collapse those categories. For the first time, banks may face a world where customers routinely delegate financial activity to AI systems that can access banking applications and make decisions on their behalf.
The numbers reflect this shift. In Darwinium’s recent survey of 500 fraud, risk, and security leaders, 97% said AI-facilitated attacks increased over the past year, while 89% expect non-human traffic to rise further in the next 12 months. Notably, 55% already reported seeing legitimate agentic activity tied to customer-account actions.
Banks need to ask whether their fraud controls can adapt, as preparing for agentic commerce is not a trivial undertaking. Consumers already choose their own browsers and devices for digital banking. AI agents may simply become the next interface layer for services that don’t yet exist. Security and fraud teams need to be in the room when new services are being designed, not brought in to clean up afterward.
Because it is steeped in unknowns and ambiguity, the liability question is hard to parse. In the same Darwinium survey, fraud and risk leaders were sharply divided: 39% pointed to the AI provider when an agent-driven transaction goes wrong, while others assigned responsibility to customers (20%), merchants (14%), or banks (11%).
That spread reflects the complexity involved in determining liability. Picture a likely scenario: a consumer authorizes an AI assistant to manage certain financial tasks. The agent is hijacked into executing a large transfer the customer never explicitly approved or denied. The bank approves the session because credentials and authentication signals look legitimate.
Who bears responsibility? The customer authorized the agent. The agent was compromised. The bank approved behavior it couldn’t distinguish from legitimate activity. And no established framework exists for allocating liability across those three parties.
Regulators have historically intervened once consumer harm outpaces existing protections. The fights over authorized push-payment (APP) fraud and Zelle reimbursement showed how quickly public pressure can reshape assumptions regarding customer responsibility and bank accountability. AI agents raise the same issues, only at greater scale and speed.
Banks that handled APP fraud well developed broader contextual views of customer behavior over time. Now they face a harder question: is this activity coming from the customer, or from the customer’s AI agent? Those are different risk profiles, and almost certainly different liability profiles too.
The lesson from Zelle isn’t that innovation should slow down. It’s that accountability frameworks need to evolve before losses scale, not after. That work is unglamorous and often runs into resistance from business stakeholders. But the cost of anticipating these issues is almost certainly lower than litigating them.
The billion-dollar question is, will banks choose the easy way or the hard way?
—Alisdair Faulkner is co-founder and chief executive at Darwinium.



