AI at the Crossroads of Innovation and Risk: Redefining Customer Experience in Modern Banking

Synopsis

This article explains how risk professionals can use AI to address new threats emerging from digital and embedded banking, such as data leakage and regulatory challenges, while maintaining customer experience. It outlines practical steps, like deploying behavioral analytics, to improve risk detection and offers impressive AI use cases from within the banking industry.

Introduction

Digital banking automates traditional banking via digital platforms, enabling 24/7 access to accounts, transfers, payments, and loans from mobiles or computers. Customers manage everything online without paperwork or visits, often with features like real-time notifications and biometric security. It contrasts with branch-based banking by prioritizing speed and convenience.

Open banking uses APIs to share customer data securely between banks and third parties, fostering innovation. Embedded banking services, such as payments or loans, seamlessly integrate into apps from unrelated businesses, such as ride-sharing or e-commerce platforms. Customers complete transactions without leaving the host app, powered by Banking-as-a-Service (BaaS) providers.

In the race to deliver seamless, personalized, and app-like experiences, financial institutions have opened their once tightly controlled ecosystems to a web of third-party platforms, APIs, and digital channels. While this transformation has unlocked new revenue streams and customer engagement models, it has also introduced new risk vectors, from data leakage and fraud to regulatory non-compliance and reputational damage.

If you work in a risk function, you live this paradox every day. Customers want banking that feels effortless and intuitive, while regulators expect bulletproof controls, explainability, and zero tolerance for data misuse. The good news is AI can help you deliver both if you embed it into products, partnerships, and operations with risk up front, not bolted on later.

PRMIA Blog Diagram

1. Embedded Finance: Seamless CX, Fragmented Risk

Embedded finance allows financial institutions to integrate financial services directly into non-financial platforms, such as checking out on an e-commerce site with a “Buy Now, Pay Later” option powered by a financial institution, or accessing insurance through a ride-hailing app. While this enhances convenience and customer stickiness, it also expands the attack surface for cyber threats and dilutes control over customer data once third-party platforms hold or process it, while compliance has to be mapped across fragmented regulatory frameworks rather than a single rulebook.

The Apple Card partnership illustrates the challenge: Goldman Sachs ultimately agreed to transition the program to Chase after losses and servicing friction, including calendar-based billing that created peak volumes for dispute handling; the CFPB also ordered compensation for customer service breakdowns in 2024.

What works: Apply AI behavioral analytics at the edge (where payments are initiated) to spot anomalies quickly, and use progressive underwriting so risk is assessed with every transaction, not just at origination. JPMorgan describes this “re-underwrite every increment” approach in its WePay integration, improving risk visibility at SMB scale.

2. Open Banking: Unlocking Innovation, Unleashing Risk

Open banking enables third-party providers to access consumer financial data via secure APIs with customer consent. This approach fosters innovation by allowing seamless data sharing across financial institutions. It originated with regulations like Europe's PSD2 in 2015 and has expanded globally.

Account aggregation and consented data sharing unlock better personal finance, lending, and cash management. But every new API is a new handshake with entities you don’t fully control. Research shows anomaly detection models can flag suspicious access behavior across open banking APIs, and industry analysts warn about credential abuse, scraping, and misconfigurations that expand your attack surface.

Plaid provides open banking solutions through fast, reliable, and secure API-based access. It enables users to connect their financial institution accounts to apps like Venmo and Robinhood. While this improves customer convenience, it also introduces data privacy risks and regulatory scrutiny. Financial institutions must ensure that third-party access is secure, auditable, and compliant.

What works: Monitor API traffic with AI in real time, automate the consent lifecycle (granular scopes, expiry, revocation), and score third-party risk continuously. Treat API management as digital trust governance, not just routing and performance.

3. Fintech Partnerships: Agility vs. Accountability

Fintech collaboration can be the fastest path to modern experiences, but the risk posture has to keep up. JPMorgan’s acquisition of WePay (2017) and ongoing integration highlight how financial institutions can absorb fintech speed while enforcing bank‑grade controls, e.g., digital onboarding, progressive underwriting, and scale‑ready fraud ops.

What works: Automate vendor due diligence with machine learning, track behavioral drift in partner systems, and make “continuous monitoring” contractual. Federated learning can share risk insights without exposing raw customer data. Federated learning is an emerging AI approach that trains a model without centralizing sensitive data: instead of moving the data to the cloud, the model is sent to each participant, trained locally, and only model updates (gradients or weight deltas) return to the server. Those updates are not anonymous by themselves; they can leak properties of the training data, so production deployments pair federated learning with secure aggregation, so the server sees only the sum of all updates, and often with differential privacy on top.
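The mechanism described above, as an added illustration (this is not code from the article, JPMorgan or WePay): three participants each run one local gradient step on rows that never leave them, and the aggregator receives only pairwise-masked updates whose masks cancel in the sum. The linear model, the per-participant data and the seed-agreement stand-in are assumptions made for the demo.

```python
"""Federated averaging (FedAvg) with pairwise-masked secure aggregation.

Added illustration, not code from the article or any institution it names. The
model is a two-feature linear regressor; each participant runs one local
gradient step on its own rows. Datasets and the seed agreement are constructed.
"""
import hashlib
import random
from typing import Callable, Dict, List, Tuple

Vector = List[float]
DIM = 2
LR = 0.05

# Constructed local datasets: (features, label). In practice each stays inside one institution.
CLIENT_DATA: Dict[str, List[Tuple[Vector, float]]] = {
    "bank":     [([1.0, 2.0], 5.0), ([2.0, 1.0], 4.0)],
    "fintech":  [([0.5, 0.5], 2.0), ([1.5, 1.0], 4.0)],
    "merchant": [([3.0, 0.0], 6.0), ([0.0, 3.0], 3.0)],
}


def local_update(rows: List[Tuple[Vector, float]], weights: Vector) -> Vector:
    """One SGD step on squared error, computed where the data lives; returns only the weight delta."""
    grad = [0.0] * DIM
    for x, y in rows:
        err = sum(w * xi for w, xi in zip(weights, x)) - y
        for k in range(DIM):
            grad[k] += 2.0 * err * x[k] / len(rows)
    return [-LR * g for g in grad]


def pair_seed(a: str, b: str) -> int:
    """Stand-in for a pairwise key agreement (assumption: a real deployment derives
    this seed from an authenticated Diffie-Hellman exchange between a and b)."""
    return int.from_bytes(hashlib.sha256(f"{a}|{b}".encode()).digest()[:8], "big")


def pairwise_masks(clients: List[str], seed_fn: Callable[[str, str], int]) -> Dict[str, Vector]:
    """For every pair i<j both sides derive the same random vector; i adds it, j subtracts it.
    Summed over all participants the masks cancel, so the aggregator recovers the
    total update but learns nothing about any individual one."""
    masks = {c: [0.0] * DIM for c in clients}
    for i, ci in enumerate(clients):
        for cj in clients[i + 1:]:
            rng = random.Random(seed_fn(ci, cj))
            m = [rng.uniform(-1e3, 1e3) for _ in range(DIM)]
            for k in range(DIM):
                masks[ci][k] += m[k]
                masks[cj][k] -= m[k]
    return masks


def federated_round(weights: Vector, secure: bool = True) -> Tuple[Vector, Dict[str, Vector]]:
    """Run one round. Returns the new global weights and the per-client vectors the
    aggregator actually received (masked when secure=True, raw when secure=False)."""
    clients = list(CLIENT_DATA)
    updates = {c: local_update(CLIENT_DATA[c], weights) for c in clients}
    masks = pairwise_masks(clients, pair_seed) if secure else {c: [0.0] * DIM for c in clients}
    received = {c: [u + m for u, m in zip(updates[c], masks[c])] for c in clients}
    # Aggregator side: only the sum of what it received is meaningful.
    total = [sum(received[c][k] for c in clients) for k in range(DIM)]
    new_weights = [w + t / len(clients) for w, t in zip(weights, total)]
    return new_weights, received


if __name__ == "__main__":
    w_secure, seen = federated_round([0.0, 0.0], secure=True)
    w_plain, raw = federated_round([0.0, 0.0], secure=False)
    print("aggregator saw for 'bank':", seen["bank"], "true update:", raw["bank"])
    print("secure FedAvg:", w_secure, "plain FedAvg:", w_plain)
```

Running it shows the masked vector for any one participant is dominated by noise while the averaged weights match plain FedAvg to floating-point precision. Two limits worth knowing: this toy scheme breaks if a participant drops out mid-round (production protocols secret-share the mask seeds to recover), and hiding individual updates does not stop the aggregate itself from leaking, which is why differential privacy is usually layered on.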

4. Crypto, Stablecoins & Tokenization: Build Controls Where Customers Transact

Demand for crypto access and faster value transfer is not going away. The risk answer is instrumentation and governance, not avoidance. Revolut reports blocking $13.5M in potentially fraudulent crypto transfers over three months in 2024 using real-time monitoring and AI-based checks, while also adding biometric withdrawal verification.

Stablecoins are maturing, too. PayPal’s PYUSD launched in 2023 with 1:1 reserves and NYDFS-regulated issuance via Paxos; in 2025, PayPal disclosed the SEC closed its PYUSD inquiry without enforcement, reducing regulatory overhang for payment-use stablecoins.

What works: Enforce transaction-level AI for AML/fraud (including smart-contract scanning where relevant), maintain risk-adjusted product limits, and require reserve attestation + redemption SLAs for any stablecoin capability.

5. Tokenization: Your Best Defense (and a Revenue Enabler)

Whether it’s Apple Pay or card-on-file, tokenization replaces the primary account number (PAN) with a device or account token plus a one-time cryptogram per transaction, so a captured payload cannot be replayed and a harvested token is useless without the device key. Apple’s developer documentation details the Secure Element and token flow (a Device Account Number, DAN, plus a per-transaction cryptogram). The residual risk moves to provisioning: a token is only as trustworthy as the identity check that bound it to the device.

At the network scale, Visa reports 10+ billion tokens issued, $650M fraud savings in the past year, and improved approval rates, evidence that tokenization is now both a security and growth lever.

What works: Push network tokens across all channels (including wallets), keep token lifecycle under AI-assisted governance, and use updater services to reduce false declines and failed recurring payments.

6. The App-Like Experience: A Double-Edged Sword

Today’s customers expect banking to be as intuitive as using Spotify or Uber: 24/7 help, proactive insights, and micro-personalization, delivered safely. Two useful blueprints:

What works: Keep PII outside model contexts, enforce human-in-the-loop for edge cases, and log explainability artifacts for audit.

7. AI Governance: Regulators Want Explainability, Controls, and Third-Party Oversight

In the United States, regulators are not issuing AI-specific rules just yet, but they are expecting banks and credit unions to manage AI under existing supervisory frameworks. Think of it as “AI fits inside your current obligations.” Agencies like the Federal Reserve, OCC, FDIC, CFPB, and FTC have all signaled the same message:
If your financial institution uses AI, directly or through a vendor, you must be able to explain it, control it, monitor it, and defend it.

AI is expanding quickly across underwriting, fraud, servicing, marketing, and collections. And with that expansion comes increased model-risk exposure, fair-lending scrutiny, and heightened third-party governance responsibilities, especially since so many models and datasets now originate from external providers. Regulators are paying close attention to how financial institutions validate models, mitigate bias, protect consumer data, and ensure that outsourced AI doesn’t create unmanaged risks.

What works: A practical approach looks like this:

What to Do Next: A Practical Checklist

Instrument onboarding flows, payments, and service interactions with real-time anomaly detection and decision-intervention points. This helps catch fraud, identity issues, and AI-driven decision errors before they impact customers.

Treat APIs as a regulated trust boundary. Use AI-enabled traffic monitoring, consent-management controls, and strict authentication to manage risks associated with data sharing, open-banking connectivity, and fintech integrations.
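The consent-lifecycle controls from section 2 (granular scopes, expiry, revocation) and the AI-enabled traffic monitoring this item calls for, as one added example in Python. It is not the article's or any provider's code: the consent store, the gateway log-line layout, the thresholds and every sample record are constructed for the demo, and the detector is a deliberately simple windowed heuristic standing in for a trained model.

```python
"""Consent lifecycle enforcement plus anomaly scoring over open-banking API access logs.

Added example, not the article's or any provider's code. The log format, the
thresholds and every sample record below are constructed for the demo.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple

UTC = timezone.utc


@dataclass
class Consent:
    """One customer's grant to one third party: explicit scopes, hard expiry, revocable."""
    client_id: str
    user_id: str
    scopes: FrozenSet[str]
    expires_at: datetime
    revoked: bool = False


class ConsentStore:
    """Deny by default; each failure has its own reason code so the gateway can log and alert on it."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], Consent] = {}

    def grant(self, c: Consent) -> None:
        self._grants[(c.client_id, c.user_id)] = c

    def revoke(self, client_id: str, user_id: str) -> None:
        if (client_id, user_id) in self._grants:
            self._grants[(client_id, user_id)].revoked = True

    def authorize(self, client_id: str, user_id: str, scope: str, now: datetime) -> Tuple[bool, str]:
        c = self._grants.get((client_id, user_id))
        if c is None:
            return False, "no_consent"
        if c.revoked:
            return False, "revoked"
        if now >= c.expires_at:
            return False, "expired"
        if scope not in c.scopes:
            return False, "scope_not_granted"
        return True, "ok"


# Assumed gateway log layout; adapt the regex to the real gateway's format.
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
                    r"scope=(?P<scope>\S+) status=(?P<status>\d{3})$")


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    rec["status"] = int(rec["status"])
    return rec


def score_clients(lines: List[str], window: timedelta = timedelta(minutes=5),
                  max_users: int = 25, max_denied: int = 10) -> Dict[str, List[str]]:
    """Bucket requests per (client, window). Touching far more distinct accounts than a
    consented app plausibly serves looks like enumeration or scraping; a burst of
    401/403s looks like credential abuse or an integration replaying expired tokens."""
    users: Dict[Tuple[str, int], set] = defaultdict(set)
    denied: Dict[Tuple[str, int], int] = defaultdict(int)
    for line in lines:
        r = parse_line(line)
        key = (r["client"], int(r["ts"].timestamp() // window.total_seconds()))
        users[key].add(r["user"])
        if r["status"] in (401, 403):
            denied[key] += 1
    flags: Dict[str, set] = defaultdict(set)
    for (client, _), seen in users.items():
        if len(seen) > max_users:
            flags[client].add("account_enumeration")
    for (client, _), n in denied.items():
        if n > max_denied:
            flags[client].add("denial_burst")
    return {c: sorted(f) for c, f in flags.items()}


def _stamp(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def constructed_sample_log() -> List[str]:
    """Constructed traffic: one well-behaved app, one client walking accounts it was never granted."""
    base = datetime(2026, 3, 2, 9, 0, tzinfo=UTC)
    lines = [f"{_stamp(base + timedelta(minutes=3 * i))} client=budgetapp user=u{1000 + i % 4} "
             f"scope=accounts:read status=200" for i in range(12)]
    lines += [f"{_stamp(base + timedelta(seconds=3 * i))} client=aggrx user=u{2000 + i} "
              f"scope=transactions:read status=200" for i in range(40)]
    lines += [f"{_stamp(base + timedelta(seconds=120 + i))} client=aggrx user=u{3000 + i} "
              f"scope=accounts:read status=403" for i in range(15)]
    return lines


def demo_consent_lifecycle() -> List[str]:
    """Walk one grant through its lifecycle; returns the reason codes in order."""
    store = ConsentStore()
    now = datetime(2026, 3, 2, 9, 0, tzinfo=UTC)
    store.grant(Consent("budgetapp", "u1000", frozenset({"accounts:read"}), now + timedelta(days=90)))
    reasons = [store.authorize("budgetapp", "u1000", "accounts:read", now)[1],
               store.authorize("budgetapp", "u1000", "transactions:read", now)[1],
               store.authorize("budgetapp", "u1000", "accounts:read", now + timedelta(days=91))[1],
               store.authorize("aggrx", "u1000", "accounts:read", now)[1]]
    store.revoke("budgetapp", "u1000")
    reasons.append(store.authorize("budgetapp", "u1000", "accounts:read", now)[1])
    return reasons


if __name__ == "__main__":
    print(demo_consent_lifecycle())
    print(score_clients(constructed_sample_log()))
```

The reason codes matter as much as the deny decision: feeding `scope_not_granted` and `expired` counts per client into the same scoring loop is what turns a consent store into a third-party risk signal, and thresholds such as `max_users` should come from each client's own consented-user baseline rather than a global constant.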

Whether it’s wallets, e-commerce flows, or card-on-file, tokenization helps reduce fraud and improve authorization quality. Use AI monitoring to assess token health, suspicious patterns, and credential-based attacks.
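The token-plus-cryptogram flow from section 5 and the token-health monitoring this item asks for, as an added example that is not Apple's, Visa's or the article's code. Real wallets use EMV cryptograms (session keys derived from an issuer master key, an application transaction counter, and a MAC over EMV data); this stand-in keeps the same security properties, a token that is not the PAN, a device-held key the merchant never sees, and a counter-bound MAC, using HMAC-SHA256. The token format, the test PAN and the merchant names are constructed.

```python
"""Payment tokenization with a per-transaction cryptogram, simplified.

Added example, not Apple's, Visa's or the article's code. HMAC-SHA256 stands in
for the EMV cryptogram; token format and all card data are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class TokenRecord:
    pan: str                # real card number: stays in the vault, never reaches the merchant
    device_key: bytes       # shared only with the provisioned device (Secure Element stand-in)
    last_counter: int = 0   # highest counter accepted so far; makes each cryptogram single-use
    active: bool = True


def make_cryptogram(key: bytes, token: str, amount_cents: int, currency: str,
                    merchant: str, counter: int) -> bytes:
    """MAC over everything the issuer must be able to trust: token, amount, currency, merchant, counter."""
    msg = f"{token}|{amount_cents}|{currency}|{merchant}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenVault:
    """Issuer/network side: provisions tokens and validates cryptograms at authorization."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}

    def provision(self, pan: str) -> Tuple[str, bytes]:
        """Return a device token (DAN stand-in, constructed 16-digit format) and a fresh device key.
        In production this step is gated by identity verification of the cardholder."""
        token = "48" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        key = secrets.token_bytes(32)
        self._tokens[token] = TokenRecord(pan, key)
        return token, key

    def suspend(self, token: str) -> None:
        """Kill one token (lost phone, compromised merchant) without reissuing the card."""
        if token in self._tokens:
            self._tokens[token].active = False

    def authorize(self, p: dict) -> Tuple[bool, str]:
        rec = self._tokens.get(p["token"])
        if rec is None or not rec.active:
            return False, "unknown_or_suspended_token"
        expected = make_cryptogram(rec.device_key, p["token"], p["amount_cents"],
                                   p["currency"], p["merchant"], p["counter"])
        if not hmac.compare_digest(expected, p["cryptogram"]):
            return False, "bad_cryptogram"       # tampered fields, or the sender lacks the device key
        if p["counter"] <= rec.last_counter:
            return False, "replay"               # authentic but already spent
        rec.last_counter = p["counter"]          # advance only on a fully valid request
        return True, "approved"


class DeviceWallet:
    """Cardholder device: holds token and key, emits a fresh cryptogram for every payment."""

    def __init__(self, token: str, key: bytes) -> None:
        self.token, self._key, self.counter = token, key, 0

    def pay(self, amount_cents: int, currency: str, merchant: str) -> dict:
        self.counter += 1
        return {"token": self.token, "amount_cents": amount_cents, "currency": currency,
                "merchant": merchant, "counter": self.counter,
                "cryptogram": make_cryptogram(self._key, self.token, amount_cents,
                                              currency, merchant, self.counter)}


def demo() -> List[str]:
    """Authorization outcomes for: a genuine payment, a replay of its captured payload,
    a payment with the amount altered in transit, a forgery by someone holding only the
    token, a normal follow-up payment, and a payment after the token is suspended."""
    vault = TokenVault()
    token, key = vault.provision("4111111111111111")   # constructed test PAN
    wallet = DeviceWallet(token, key)
    genuine = wallet.pay(1999, "USD", "merchant-a")
    outcomes = [vault.authorize(genuine)[1], vault.authorize(genuine)[1]]
    tampered = dict(wallet.pay(500, "USD", "merchant-a"), amount_cents=50000)
    outcomes.append(vault.authorize(tampered)[1])
    forged = {"token": token, "amount_cents": 1, "currency": "USD", "merchant": "merchant-b",
              "counter": 999, "cryptogram": secrets.token_bytes(32)}
    outcomes.append(vault.authorize(forged)[1])
    outcomes.append(vault.authorize(wallet.pay(500, "USD", "merchant-a"))[1])
    vault.suspend(token)
    outcomes.append(vault.authorize(wallet.pay(500, "USD", "merchant-a"))[1])
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The reason codes are the monitoring hook this checklist item refers to: a rise in `replay` or `bad_cryptogram` outcomes against one token, or across one merchant, is the signal that a payload store was breached or that tokens are being enumerated, and `suspend` is the containment action that does not force a card reissue.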

Create explainability documentation, fairness/bias testing routines, and policies for human-in-the-loop oversight. Make sure third‑party models, LLMs, scoring engines, fraud tools, and biometric solutions are included in your MRM inventory and validated with the same rigor as internal models.

The regulatory landscape is evolving through CFPB guidance, Reg E interpretations, and state-level data and liability rules. Strengthening payee verification, confirmation signals, and inbound-payment controls helps prepare for potential future changes in reimbursement expectations.

Bottom Line

AI isn’t a cure‑all, but when it is governed with the right mix of tokenization, real‑time analytics, privacy‑first design, and principle‑based controls, it enables truly modern, app‑grade experiences without sacrificing bank‑grade safety. The financial institutions that pull ahead will treat AI as a risk‑aware, transparent, explainable, and well‑controlled capability, embedded in every customer journey and every third‑party relationship.

Author

Paresh Ashara
Vice-President at Quinte Financial Technologies

Paresh is a Vice-President at Quinte Financial Technologies, managing Data Analytics, AI & Automation solutions & services. He has over 26 years of IT services and product engineering experience in the BFSI vertical. He is passionate about data and advanced analytics and has dabbled in creating solutions leveraging Generative AI and Agentic AI technologies.

Source: This article was originally published in “Intelligent Risk by PRMIA” in March 2026.
