The headlines over the last two years have been jarring: a finance executive at a firm in Hong Kong was fooled by criminals impersonating his colleagues with deepfake technology to send them $25 million. Seniors wiring thousands of dollars to fraudsters who used deepfakes of grandkids to make their grandparents think the kids were in trouble. And in financial services, waves of attacks where criminals leverage deepfake technology to defeat legacy tools banks use to verify identity to open and secure accounts.

Across banking, fintech, and crypto, the firms we work with all report seeing a sharp increase in these kinds of attacks. While leading firms in the financial services sector are taking steps to detect and defeat attacks leveraging deepfakes and other adversarial applications of generative artificial intelligence (Gen AI), many firms – especially those who are smaller – lack the resources and expertise to respond, or don’t know where to start.

The Better Identity Coalition is honored to be a part of a new public-private initiative to help address this problem. We co-chaired an initiative in the Financial Services Sector Coordinating Committee (FSSCC) over the last 18 months with our friends at the American Bankers Association (ABA) to convene senior executives from financial institutions, federal and state financial regulators, and security experts to collaborate on creating two “playbooks” focused on addressing the threat from AI-powered attacks against identity and authentication systems. 

The working group also included members of the Financial and Banking Information Infrastructure Committee (FBIIC) – which is the government counterpart to the FSSCC – as part of a broader Treasury Department-sponsored Artificial Intelligence Executive Oversight Group (AIEOG) of industry and government leaders created to help develop practical tools and guidance that financial institutions can use to manage AI-specific cybersecurity risks while unleashing innovation. In total, more than 130 experts contributed to the two papers.

Both papers have been published here.

• Mitigating AI-Powered Attacks Against Identity and Authentication identifies the top ten attack vectors that financial institutions face because of Gen AI, and details specific tools those institutions can use to detect and stop those attacks. The paper also includes a new Maturity Model for Identity Controls to Combat Gen AI-powered Attacks – recognizing that resource constraints in smaller institutions pose challenges that may be easier to solve for larger ones – and laying out steps that institutions at every level of sophistication can take to get started.
• Recommendations for Policymakers: Mitigating AI-Powered Attacks Against Identity and Authentication is a companion piece that outlines the role that government needs to play to help address these attacks – outlining 20 distinct actions for policymakers and regulators. There are two reasons why we believe government has a critical role to play:

First, identity and authentication are heavily regulated in the financial services sector, with rules governing how financial institutions verify the identity of new customers, as well as how they authenticate customers signing into their accounts online. These rules need to be updated — or regulators need to clarify their intent — for FIs to feel comfortable in embracing newer tools such as passkeys or mobile driver’s licenses (mDLs) that can thwart Gen AI-powered attacks.

Second, government — through a mix of Federal, state, and local agencies — is the only authoritative issuer of identity credentials in the United States. While driver licenses and passports can be used by customers in-person at a financial institution, digital counterparts are in short supply to those paper and plastic credentials. At a time when security tools that try to predict whether someone is who they claim to be are coming under attack from Gen AI, the need is greater than ever for government to help close the gap between physical and digital credentials.

The FSSCC’s policy recommendations were also echoed in a new report to Congress from Treasury itself on “Innovative Technologies to Counter Illicit Finance Involving Digital Assets.”  The recently passed GENIUS Act tasked Treasury with crafting recommendations for Congress on new legislative and regulatory proposals that could help FIs better detect illicit activity involving digital assets; Congress specifically called out digital identity verification as one area where Treasury should focus. Per the new report, Treasury will:

• Issue guidance to financial institutions on how they can utilize verifiable digital credentials in their existing customer identification programs. This has been a top Coalition priority: our members who are FIs have been eager to see formal guidance from Treasury which makes clear that they can leverage enable mDLs and other verifiable digital credentials when verifying the identity of new customers.
• Explore working with Congress on legislation to incentivize the development and integration of digital identity tools aimed at countering illicit finance, such as providing additional grant funding, particularly for small businesses and state authorities. This has been another top Coalition priority – and one that was embraced in new bipartisan legislation from Congressmen Pete Sessions (R-TX) and Bill Foster (D-IL).
• In partnership with the National Institute of Standards and Technology (NIST), collaborate with international partners to promote common guidelines for the use of digital identity tools to counter illicit finance and bolster interoperability across jurisdictions.
• Work with Congress on ways to better enable third-party service providers to conduct identity verifications and issue verifiable digital credentials that can be accepted by financial institutions to fulfill elements of customer identification and verification requirements.

 At a time when criminals and hostile nation-states are leveraging AI-powered deepfakes to convincingly spoof photos, videos, and voices, companies need concrete, actionable recommendations on how to address these threats to best protect consumers from identity theft and fraud. Stopping AI-powered cybercrime and fraud starts with hardening our identity and authentication infrastructure; the FSSCC’s new publications and Treasury’s GENIUS Act recommendations provide both financial institutions and government a roadmap on where to get started. 

‍