
The AI threat is already within banks: Opinion


Source: Business Times
Article Date: 25 Jun 2026
Author: Simon Liu

Controls that regulators still treat as the gold standard, such as SMS one-time passwords, are now near obsolete.

The credit card’s activity looked normal: a S$4 coffee, a purchase on an e-commerce platform, a small digital subscription. None triggered the bank’s fraud detection – because they were not meant to. 

And overnight, the same card made one transfer of nearly S$50,000. The cardholder slept through it.

The instructive part in this hypothetical scenario is what those first three transactions actually were. They were not made by the legitimate cardholder; instead, they were low-value tests quietly executed by attackers as training data. 

Over two weeks, they patiently primed the bank’s system. That meant small transfers, repeated just often enough that the bank’s risk model learnt to treat this exact pattern – moving money to the same e-wallets – as the cardholder’s normal behaviour.

By the time the S$50,000 transaction happened, it didn’t look like an anomaly, but an undertaking the model had already approved a dozen times before. It was taught, one small transaction at a time, to wave the real attack through.

Agentic AI is a security risk

In May, the Monetary Authority of Singapore (MAS) called the chief executives of the country’s largest banks in to discuss artificial intelligence-enabled cyber risk.

Tan Kiat How, senior minister of state for digital development and information, said the quiet part out loud: fully autonomous AI agents running end-to-end attack campaigns are no longer hypothetical, but inevitable.

The more concerning issue is that while the meeting looked outward at AI being weaponised against the system, a quieter shift had already occurred internally. 

The AI deployed across the region’s banks is no longer just an assistant. It judges – making lending decisions in milliseconds, blocking suspected fraud before an analyst opens her laptop, and building anti-money laundering models from thousands of data points before anyone could read one. 

In our work with banking partners and financial institutions across South-east Asia over the years, we’ve watched the industry roll out thousands of AI systems and, in too many cases, struggle to fully explain what these systems decide or how they fail. 

Those struggles are not because the technology is new. Banks have been investing in predictive and real-time analytics for years.

As far back as 2022, market research firm Forrester found that nearly 89 per cent of banking respondents were already in the planning, implementation or operational phase of adopting such tools. 

What’s new is that institutions now lack definitive control over the scope of access these systems have, as well as a full understanding of their decision-making processes.

Controls that regulators still treat as the gold standard – such as selfie-liveness checks, SMS one-time passwords (OTPs) and quarterly model refreshes – are now near obsolete. 

Deepfake and face-swop tools have advanced to the point where synthetic faces can pass most commercial liveness checks within seconds, and the techniques for building them are now widely accessible. 

SIM card swop fraud has turned the OTP into a defence that the attacker already knows how to bypass.

The risk models themselves are probed continuously. Every block reveals the wall’s shape to the attacker. The assumption that the model is the safeguard, on which a great many board packs still rest, no longer holds.

Here is the part most chief information security officers (Cisos) in the region are underestimating: While the external threat is real and growing, the bigger risk is the AI the bank has already invited in. 

As institutions race to deploy copilots and AI systems with direct access to internal data and operations – and, in some cases, agents touching fund movement – they are creating a vulnerability that did not exist 18 months ago.

Shadow AI agents set up by enterprising staff – without the Ciso’s knowledge – were present in multiple large banks we have worked with.

Put plainly, the threat has moved inside. It is the “new hire” whom nobody bothered to screen.

Updated security protocols are necessary

Speed remains the right instinct. The financial inclusion gap in the Asia-Pacific is too wide, and the upside of these AI systems – being able to onboard those who don’t typically have access to banking services – is obvious. 

But concrete changes need to be made to preserve the security of banking systems amid hasty AI adoption.

First, abandon the question that selfie liveness was built to answer, which attackers solved years ago, in favour of continuous behavioural checks: Does this session’s intent match the account it claims to belong to, across every step, not just at login?

Second, govern internal AI agents the way banks govern their people: a named owner, a written scope, an audit trail and a kill switch. Treat any agent operating outside that framework as an unauthorised employee instead of a productivity tool.

An example is the landmark AI agent registry, announced by Singapore’s GovTech in early June, to log and monitor autonomous assistants.

Third, defences need to adapt as quickly as the attacks do. A quarterly model refresh cycle is a lag in the face of systems that adapt in real time.

The MAS principles of fairness, ethics, accountability and transparency remain the right scaffolding, and putting this in front of chief executive officers rather than chief information officers was the right move. 

But the unflattering truth we see on the ground is that many banks in the region today run on autonomous AI they have yet to fully audit, while defending themselves against agentic technology they have yet to reliably block. 

It need not be our reality.

Financial institutions and the technology companies building these systems carry a responsibility here, too. Outperforming a human predecessor on a chosen metric is the wrong benchmark.

The more uncomfortable question is whether the system fails predictably, and whether anyone in the organisation is actually authorised to turn it off.

Singapore’s response to AI-enabled cyberthreats has shown that governance works best when regulators, institutions and technologists move together.

The same principle applies to the deployment of agentic AI in credit, fraud and compliance decisions – systems that affect millions of people across the region every day, largely without their knowledge.

Somewhere tonight, a coffee purchase is being made on a credit card. An item is being bought on an e-commerce platform. A small digital subscription is being renewed.

The bank’s model will see a person settling in for the evening – as planned by an attacker – if yesterday’s rules are not refreshed for the era of AI agents.

The writer is chief data and AI officer at TrustDecision

Source: The Business Times © SPH Media Limited. Permission required for reproduction.
