The most interesting line from this week's payments fraud coverage came from a fraud strategist, not an academic.

"The entire environment has completely changed, and we really need AI to fight AI."

That was Matt Vega, chief fraud strategist at Sardine, talking to Payments Dive on the sidelines of Nacha's Smarter Faster Payments conference in San Diego. The quote travels well because it is true. The quieter observation behind it is the more important one.

Fraud is not a technical phenomenon. It is a moral one. AI did not invent new fraudsters. It just removed the moral friction that kept some of them out of the game.

That observation is what made Nacha's second-day sessions different from the usual fraud-tooling discourse.

What the Conference Sessions Actually Said

The early Tuesday sessions at Nacha 2026, reported by Finextra, focused on a specific dynamic. Generative AI lets attackers create distance between themselves and their victims. The voice on the phone is not theirs. The face on the video call is not theirs. The script is not theirs. The cognitive cost of harming a stranger is now lower than it has ever been, because the attacker is, in a real sense, not the one doing the harming.

Voice cloning is the cleanest example. A fraudster targeting an elderly customer used to need to speak to that customer, hear them sound confused, and continue anyway. A voice clone, generated from three seconds of social media audio, removes the moral dialogue from the equation. The attacker becomes a director, not an actor.

Deepfake video extends the pattern. Generative scripting extends it further. Each layer of synthesis lets the attacker step further back from the impact of the attack.

The pool of would-be fraudsters expands as a result. People who would not have made the call themselves will press the button to send the AI to make it. The defensive question becomes harder. The supervisory question becomes harder. The ethical question becomes harder still.

This is a different conversation than "AI helps fraudsters at scale." Scale was always coming. The moral-distance argument is about who joins the attacker pool in the first place.

The Defensive Side, Quoted Directly

Sardine's Vega coined the phrase that will probably outlast this news cycle: "polymorphic agentic agents." His description was concrete. "AI agents that actually can adapt, based on the controls that you all put in place." He cited a client where, within seconds of a defensive deployment, the attacking agent identified the new control and routed around it.

Google Cloud has shipped a fraud defense product. Elizabeth Bourgoin, who heads banking for Google Cloud Services, was direct about who is using the same tools. "Fraudsters are using these same technologies to interject and get through safeguards and interact with payments processing and find vulnerabilities in platforms."

Featurespace, acquired by Visa in 2024, was at the conference in the form of founder Dave Excell, who reported a client experiencing AI-generated phone-call flooding as a novel attack vector. The point of the acquisition, in the context we covered earlier, was exactly this: getting AI fraud-prevention capability inside a network's perimeter ahead of the threat curve.

Early Warning Services is moving similarly. Ben Chance leads the Certos identity and payment risk services unit. His framing at the conference echoed Greg Williamson at Nasdaq Verafin, who flagged a structural problem we have written about before. Fraudsters can "test, learn and move quickly." Banks can take up to 18 months to deploy a new AI model into production.

Joe Fuqua at Truist put the same point in operational terms. The bank has the data and the algorithms. The deployment cycle is the bottleneck.

Why Real-Time Payments Make the Moral Argument Worse

The Nacha sessions matter more because they happened at a Nacha conference. Same-day ACH limits are about to rise again. The networks are accelerating, not decelerating.

Real-time payments compress the clawback window from days to seconds. We have written about this dynamic in the instant payments fraud paradox and in the broader AI fraud paradox. Both pieces argue the same thing in different forms.

Speed is a feature when both sides are honest. It is a vulnerability when one side is automated.

The moral-distance argument adds a layer. In a slow payment system, the attacker had to live with what they did long enough to notice the consequences. Reversal windows imposed an emotional friction. In a real-time system that emotional window collapses to seconds. In a real-time system run by an agent, it collapses to zero.

Nacha announced this week that the same-day ACH per-transaction limit will rise in 2027 to support tax, payroll, and high-value transactions. The volume capacity is going up. The moral friction is going down. The defensive arms race has to absorb both shifts at once.

The Congressional Piece

There is a legislative track running alongside this. Vega told Payments Dive that the House Financial Services Committee, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation are working on a regulatory framework "that allows for rapid adoption of AI and agentic AI use cases in financial services."

His framing was specific: bipartisan support exists, the work is in early stages, but progression is expected to be faster than the typical financial-regulation timeline.

That is the right work. It is also a different problem from what Nacha's panels were describing. A framework that allows rapid AI adoption by banks does not address the rapid AI adoption by attackers. The two timelines are decoupled.

The UK's experience with Authorized Push Payment fraud reimbursement, which we covered in our Meta APP fraud liability piece, is a useful prior. There, the regulator imposed a liability split that forced platforms and banks to share the cost of fraud occurring on their rails. The arms race did not slow. The cost allocation did change. That is a separate intervention from "let banks deploy AI faster," and the US has not made the equivalent move.

What to Watch

Three signals will tell us whether the defensive side is keeping up.

APP fraud liability rules in the US. The UK's split has been live for over a year. CFPB and OCC working groups have been studying the question. Any concrete US move toward shared liability for app-fraud or business-email-compromise losses would change the economics of every fraud-prevention buy in the country.

Same-day ACH per-transaction limit. Nacha announced the increase this week. The exact figure and the rollout timing will matter for fraud surface area. Larger transactions in real-time rails are larger targets.

AI model deployment cycles inside banks. Williamson's 18-month figure is the structural bottleneck. If even one major bank publicly compresses that cycle to under six months without losing model risk management discipline, the rest of the industry will follow. If nobody manages it, the gap to attackers widens by another year.

The Nacha sessions named the moral-distance problem clearly. The defensive industry has the tools. Sardine, Featurespace, Verafin, Sift, Riskified, and Meta's own internal fraud work are all visible in the MM Verified directory. The question is whether the deployment cycle inside the regulated entities can compress fast enough to use them.

Sources

If AI removed the last moral friction keeping some attackers out of the game, what is the equivalent intervention on the defensive side?

Charlie Major is a Product Development Manager at Mastercard. The views and opinions expressed in Major Matters are his own and do not represent those of Mastercard.