When the CFO on the Zoom Call Isn't the CFO: AI Fraud, DORA Enforcement, and the Identity Reckoning


This week, financial services got fresh evidence that the era of "trust but verify" is over. The new motto: verify, verify, then verify again — preferably with a biometric.

If 2025 was the year financial services started worrying about AI-enabled fraud, 2026 is the year the worry turned into a line item. As of this week, fresh disclosures, a regulatory rollout from FINRA, and the steady arrival of DORA's enforcement teeth are reshaping how banks, fintechs, and crypto platforms think about digital trust. The common thread: the attack surface isn't the network anymore. It's the human at the keyboard, and the AI pretending to be one.


A New Wave of AI-Powered Onboarding Fraud Hits Fintech and Crypto


According to a May 4 report from Phil Star Tech, fintech and crypto onboarding flows are being hit by a surge in AI-generated identity attacks: synthetic IDs, deepfaked selfies, AI-generated proof-of-address documents, and orchestrated bot rings that can pass naive KYC checks at industrial scale.


The numbers are sobering. Sumsub's Identity Fraud Report shows high-quality attacks increased 180% year over year in 2025, and during the first half of 2025 alone, deepfake-related fraud losses topped $410 million, with several individual incidents exceeding $680,000. Deloitte's Center for Financial Services has projected that generative-AI-enabled fraud across the U.S. financial sector could reach roughly $40 billion annually by 2027, a number that, until a year ago, sounded like a worst-case slide.


Why onboarding is the bleeding edge


The reason onboarding has become ground zero is structural: it's the moment a financial institution has the least information about the user, the highest pressure to convert, and the thinnest evidence of liveness. Add a generative model that can produce a passport photo plus a deepfaked selfie video in under 30 seconds, and the old document-plus-selfie playbook is no longer a defense; it's a checkbox. The new playbook: adaptive, orchestrated identity verification that combines liveness signals, device fingerprinting, behavioral biometrics, and document chips read via NFC, so that no single check is the one a forger has to beat.
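To make the "orchestrated" part of that playbook concrete, here is an added example of a layered onboarding decision engine. It is illustrative code written for this page, not code from any vendor or standard named in the article; the signal names, weights and thresholds are assumptions a risk team would tune to its own data. The point it demonstrates is the one the paragraph makes: a validated document chip, a passing liveness score, or a clean device each counts as evidence, but none of them approves an applicant on its own, and risk signals from the device and behavioral layers can pull a chip-verified, face-matched application all the way to a reject.

```python
"""Layered onboarding decision: no single signal approves or rejects on its own.

Illustrative example; signal names, weights and thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    STEP_UP = "step_up"   # hold for an additional check or manual review
    REJECT = "reject"


@dataclass(frozen=True)
class OnboardingSignals:
    """Per-applicant signals as they would arrive from the verification layers.

    Scores are normalised to 0.0..1.0. Fields named *_risk / *_anomaly rise with risk."""
    nfc_chip_verified: bool   # ID/passport chip signature validated over NFC
    document_checks_ok: bool  # OCR, MRZ checksum and template checks passed
    liveness: float           # presentation-attack detection confidence (1 = live)
    face_match: float         # similarity between chip/document photo and selfie
    device_risk: float        # device fingerprint reputation (1 = emulator / farm)
    behavior_anomaly: float   # behavioral biometrics deviation (1 = bot-like)
    velocity_24h: int         # other applications from this device/IP in 24 hours


@dataclass(frozen=True)
class Policy:
    """Thresholds the risk team retunes as the fraud playbook changes."""
    liveness_floor: float = 0.40
    face_match_floor: float = 0.50
    velocity_limit: int = 5
    approve_at: float = 0.75
    reject_below: float = 0.40


def hard_stops(s: OnboardingSignals, p: Policy) -> list[str]:
    """Conditions that end the session regardless of the composite score."""
    reasons = []
    if s.liveness < p.liveness_floor:
        reasons.append("liveness_below_floor")
    if s.face_match < p.face_match_floor:
        reasons.append("face_mismatch")
    if s.velocity_24h > p.velocity_limit:
        reasons.append("velocity_limit")
    return reasons


def composite_score(s: OnboardingSignals) -> float:
    """Weighted positive evidence minus device/behavior risk, clamped to 0..1."""
    evidence = (
        0.30 * (1.0 if s.nfc_chip_verified else 0.0)
        + 0.10 * (1.0 if s.document_checks_ok else 0.0)
        + 0.30 * s.liveness
        + 0.30 * s.face_match
    )
    risk = 0.5 * s.device_risk + 0.5 * s.behavior_anomaly
    return max(0.0, min(1.0, evidence - risk))


def decide(s: OnboardingSignals, p: Policy = Policy()) -> tuple[Decision, list[str]]:
    """Return the decision plus the reasons behind it, for the audit log."""
    stops = hard_stops(s, p)
    if stops:
        return Decision.REJECT, stops
    score = composite_score(s)
    if score >= p.approve_at:
        return Decision.APPROVE, [f"score={score:.2f}"]
    if score < p.reject_below:
        return Decision.REJECT, [f"score={score:.2f}"]
    return Decision.STEP_UP, [f"score={score:.2f}"]


# Constructed sample applicants (not real data).
SAMPLES = {
    # Real person, real chip, real phone: everything agrees.
    "genuine": OnboardingSignals(True, True, 0.95, 0.92, 0.05, 0.10, 0),
    # Stolen passport (chip is real) plus a deepfaked selfie that matches the chip
    # photo, run from an emulator by a script: device and behavior layers catch it.
    "stolen_doc_deepfake": OnboardingSignals(True, True, 0.55, 0.85, 0.80, 0.70, 2),
    # AI-generated document with no chip; otherwise clean. Not enough evidence to
    # auto-approve, so it is routed to a step-up check instead of being waved through.
    "synthetic_no_chip": OnboardingSignals(False, True, 0.80, 0.85, 0.10, 0.20, 1),
    # Bot ring: twelve applications from one device in a day.
    "bot_ring": OnboardingSignals(True, True, 0.90, 0.90, 0.20, 0.30, 12),
}


def run_samples() -> dict[str, str]:
    """Decide every sample and return {name: decision value}."""
    return {name: decide(sig)[0].value for name, sig in SAMPLES.items()}


if __name__ == "__main__":
    for name, sig in SAMPLES.items():
        d, why = decide(sig)
        print(f"{name:22s} -> {d.value:8s} {why}")
```

The design choice worth noting is the split between hard stops and the weighted score. Hard stops are the few conditions where more evidence should never help (a selfie that does not match the chip photo, a device that has already submitted a dozen applications today); everything else is blended so that a forger who defeats one layer still has to defeat the rest.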


CB Financial Services Discloses a Breach, and the Pattern Repeats


On May 11, CB Financial Services, Inc. disclosed a cybersecurity incident confirmed as a data breach via an SEC filing, per the Board Cybersecurity incident tracker. Details on attack type and number of records affected weren't disclosed at the time of the filing.

The bigger pattern is what matters. According to PKWARE's 2026 data breach roundup, financial services remains the most targeted industry in 2026, with banks, lenders, investment firms, and payment processors absorbing a disproportionate share of ransomware attacks and identity-driven incursions. 16% of breaches now involve AI-driven attacks, including phishing and deepfake impersonation.


FINRA Rolls Out ID.me, and the Identity Verification Bar Moves Up


Also on May 11, the Financial Industry Regulatory Authority (FINRA) introduced identity verification through ID.me for users of its Entitlement Platform. It's a relatively small operational change with an outsized signal: a U.S. financial regulator is now using a third-party identity provider, one that combines document verification with biometric liveness, as the baseline for accessing supervisory infrastructure.


If regulators are willing to bet on biometric-anchored identity for their own platforms, expect the bar to keep rising for the firms they supervise. Broker-dealers, RIAs, and the fintechs that touch them should read this as a directional indicator: the days of password-plus-SMS as defensible authentication are numbered.


DORA Goes From Paper to Practice


Across the Atlantic, the Digital Operational Resilience Act (DORA) continues its transition from "compliance project" to "actual supervisory expectation." DORA took effect in January 2025, but 2026 is the year regulators are digging into how institutions actually manage third-party risk, whether their resilience plans are tested against real-world threat scenarios, and whether they can demonstrate, not just document, recovery.


Per analysis from Veridas and Secfense, DORA requires strong (multi-factor) authentication, and biometrics are now widely considered the most resilient factor for protecting critical financial systems.


The eIDAS 2.0 Countdown: EU Wallets Due by December 2026


Layered on top of DORA is eIDAS 2.0 (Regulation (EU) 2024/1183), which requires all 27 EU Member States to provide citizens with European Digital Identity Wallets by December 2026. For financial services, this is the largest identity infrastructure rollout in EU history. EUDI Wallets promise simpler KYC at onboarding (verified attributes from a sovereign source), simpler strong customer authentication for payments, and a path to consent-based data sharing that's more user-friendly and more auditable than today's open banking flows.


Per coverage at Biometric Update, the wallets are arriving alongside a broader maturation of biometric standards, including ISO/IEC liveness benchmarks and growing industry agreement on what "high-assurance" means in practice.


The Boardroom Picture: 72% Say AI Fraud Is a Top Operational Risk


A telling data point ties this all together. According to industry surveys synthesized in Fourthline's 2026 deepfake report, 72% of business leaders identified AI-enabled fraud and deepfakes as among their top operational challenges for 2026. A separate Medius survey found that 53% of businesses across the U.S. and U.K. have been targeted in deepfake scams, and 85% of corporate executives view such incidents as an "existential" threat to their organization's financial security.


That's a remarkable shift from two years ago, when the Arup deepfake-CFO case, in which the engineering firm lost roughly $25 million to a real-time deepfake video call, was treated as a one-off cautionary tale. In 2026, it's the prototype.


What This Means If You're Running Risk


Boil all this down and three priorities emerge for the back half of 2026. First, treat identity verification as a moving target, not a one-time deployment; the fraud playbook is updating in weeks, not years. Second, make your DORA recovery testing real; tabletop exercises are not the same as actually failing over to a backup provider on a Wednesday.

Third, prepare for the EUDI Wallet rollout now. December 2026 sounds far away, but not for an integration that touches onboarding, SCA, and consent management simultaneously.


The encouraging part: the defensive tooling is finally catching up. Biometric liveness, AI-driven transaction monitoring, and orchestrated identity layers are more capable than they've ever been. The catch is that none of them works as a silver bullet on its own. Digital trust in 2026 is layered, adaptive, and built to assume the adversary is using the same AI tools you are. Because, almost certainly, they are.
