Agentic commerce is the moment fraudsters have been waiting for

Adobe Stock

On the heels of commerce giants Visa, Mastercard, Paypal — and even recently Coinbase — launching agentic AI initiatives, we can officially say the age of agentic commerce has arrived. With AI agents capable of opening accounts, making payments, applying for loans, moving money and communicating with customer service (all on a user's behalf) on the horizon, banks and financial institutions need to act fast. Autonomous systems will undoubtedly change how consumers and businesses interact with financial institutions. Incidentally, autonomy will also change how fraudsters operate, giving rise to new and more complex challenges for institutions of any size. The rise of agentic AI means it's no longer just bad people committing fraud online, but bad software supercharged to defraud us and the institutions we rely on.

The FBI's 2024 Internet Crime Report shows us the devastating impact of deepfakes and LLM-powered forgeries. Americans lost more than $16 billion to internet-enabled crimes last year, up 33% year over year. The most costly and fastest-growing categories were impersonation scams, business email compromise and investment fraud. All online financial criminals have been emboldened with AI at a fraudster's fingertips, and it is representative of a systemic shift rather than a temporary spike. Now, fraudsters can leverage the power and increasing ubiquity of agentic AI, deploying agents to forge documents, fabricate identities and break into accounts at scale. 

Deloitte estimates that generative AI will drive $40 billion in annual losses for banks and consumers by 2027. But what about agentic AI? The current infrastructure to combat fraud in financial services and banking is built on reactive detection, which is no match for the proactive, fast and ubiquitous agentic fraudster. 

Our current regulatory frameworks need to catch up. Frameworks like know your customer, or KYC, and Suspicious Activity Reports, or SARs, were all established under the assumption that humans were the ones initiating transactions and filling out forms. Not only does that assumption break down in an AI-mediated world, but much of our existing regulatory infrastructure was already failing to respond to modern fraud threats. Most SARs are filed after the fact, when the fraud has already occurred. This says little of the fraud that goes unnoticed, as fraudsters use stolen or synthetic identities to slip past weak onboarding checks and exploit inconsistencies across systems. The result is a regulatory paradox: Compliance processes are followed, yet fraud is still rampant.

Although its future remains uncertain in the current climate, the Consumer Financial Protection Bureau's open banking rule, finalized in October 2024, gave consumers greater control to share their financial data. But portability comes with exposure. In an age of convenience, personal and financial information is routinely shared across platforms — broadening the attack surface. As a result, data leaks have become alarmingly common, and with every breach, it gets easier for a fraudster to impersonate you.

Cyber security

How Truist and Western Alliance deploy AI to fight fraud

Two bankers detailed how artificial intelligence is transforming fraud detection and incident response for their institutions. The technology lets analysts ask datasets direct questions.

By Carter Pape

June 4

Policy shifts from firms like Zelle have made it clear: Regulators and courts are holding banks responsible for fraud outcomes even when established compliance benchmarks have been met. To protect consumers and financial institutions from AI agents run wild, we need to redesign our regulations and rethink how we protect consumers from fraud.

Gone should be the days of reactive prevention. Here to stay? Real-time prevention focused on blocking fraudulent transactions and seamlessly authorizing everything else. This could manifest in myriad ways, but we don't need to look very far to get an idea. Modern payment networks show us that it's possible to tie together a web of relying parties to deliver instant, secure transactions with very low fraud rates. Financial institutions could also share signals across networks. After all, fraudsters rarely attack one bank, they attack many. A privacy-preserving, tokenized identity network could flag bad actors in real time, enabling collaborative defense without exposing sensitive personal data.

The government should allow and encourage financial institutions to deploy advanced technologies to protect customer accounts, instead of punishing them for innovating in response to new threats. Regulatory sandboxes, industry-wide interoperability standards and safe harbors for fraud prevention data sharing are essential. 

Agentic commerce is not going away. But the same tools that power fraud can also power fraud prevention. AI agents can commit fraud, yes, but they can also verify signatures, flag forged documents and authenticate digital identities at scale. The fraud problem is evolving, and our defenses must evolve even faster. It's time for the government and the industry to redefine financial trust for a machine-mediated world.