The Regulator-Bank Alliance for Cybersecurity and Fraud Defense

Driven by an ever-changing, ever-escalating cybersecurity landscape, the regulator-bank relationship has evolved from oversight to operational collaboration. With cyberattacks growing in sophistication and scope, financial institutions are no longer defending their digital perimeters alone. Increasingly, federal and state regulators are stepping beyond supervision to co-design simulations, sponsor ethical hacking exercises, and deploy real-time fraud defenses alongside banks. 

This transformation is more than procedural; it’s philosophical. It reflects a recognition that defending the U.S. financial system is a shared responsibility—one that requires tighter coordination, mutual transparency, and joint resilience exercises that mirror the threats of the modern age. 

Quantum Dawn VI: Lessons from Large-Scale Simulations

Cyber “war games,” once the domain of elite tech firms or military contractors, are now a fixture of financial regulation. In October 2023, The Wall Street Journal reported on a joint Federal Reserve/U.S. Treasury simulation exercise known as Quantum Dawn VI, organized by the Securities Industry and Financial Markets Association (SIFMA). The simulation tested how banks, regulators, and market infrastructure players would respond to a fictional but plausible cyberattack that disabled payment systems and leaked sensitive consumer data. 

More than 100 institutions took part—including regulators, who didn’t merely observe but engaged as active participants. As SIFMA explained, the exercise emphasized the importance of rapid, coordinated responses to systemic threats. “There is a clear understanding now that cyber defense isn’t just an internal IT function—it’s a systemic issue,” noted SIFMA Managing Director Tom Price. 

FFIEC Initiatives: Tabletop Exercises for Bank Readiness

Smaller-scale versions of these simulations are now encouraged by the Federal Financial Institutions Examination Council (FFIEC), which promotes regular tabletop exercises between regulators and bank leaders. These events are designed not only to rehearse but to reinforce readiness. 

Another tool rising in prominence is “ethical hacking,” a deliberate attempt to breach a bank’s digital defenses in order to discover vulnerabilities before bad actors do. Increasingly, such penetration tests are conducted with regulatory input. 

American Banker reporting from early 2024 noted that regulators had begun actively encouraging “threat-informed defense” strategies—especially those aligned with the MITRE ATT&CK framework. The Office of the Comptroller of the Currency (OCC), for instance, supports the use of red and blue team exercises not just for audits, but to build adaptive threat profiles based on real-world attacker behaviors. 

The Rise of Purple Teaming

The growing popularity of “purple teaming” reflects this collaborative mindset. Cobalt Labs, a San Francisco–based penetration testing firm, explains that purple teaming merges offensive (red) and defensive (blue) security efforts so that defenders and testers work side by side in real time—enhancing both detection and response capabilities. This method is gaining traction with examiners and bank security officers alike, as it fosters collaboration and improves real-time threat identification. 

Noting some of the unique community bank challenges in this space, Joel Frisch, co-founder and COO of Falkin (an international AI scam prevention fintech), observes: “Community banks often lack the dedicated fraud engineering teams or in-house behavioral analytics that larger institutions rely on. But that doesn’t mean they’re locked out of collaborative defenses. 

“What’s working today,” he continues, “is lightweight coordination. That means shared intelligence about emerging scam patterns, early-warning signals based on customer interactions, and clearer user communication. For smaller banks, the path forward isn’t more complexity—it’s smarter alignment between fraud ops, customer support, and digital channels.” 

Patrick Keating, President and CEO of Keysec Advisors, Cherry Hill, N.J., echoes Frisch’s observations on defensive testing. “Collaborative exercises like purple teaming and ethical hacking are no longer optional for organizations seeking to mature their cybersecurity programs. They are fast becoming examiner expectations. 

“These practices move institutions beyond static testing to demonstrate real-time validation of both detection and response capabilities.” 

Keating makes the point that merely compiling investigative data and creating written analyses based on those results doesn’t constitute a thorough approach. 

“It’s not enough to test once and file the report,” he points out. “Regulators want to see that organizations are following through on exercises with tangible improvements, learning from adversarial behavior and improving defenses continuously.” 

Cybersecurity isn’t limited to firewalls and malware scans. Increasingly, it’s about preventing and detecting bank fraud—especially in fast-evolving payment channels. To succeed in this high-risk environment, regulators are partnering with banks and fintechs to co-develop fraud-defense frameworks. 

One such initiative is the FDIC’s Tech Sprint, which brings together financial institutions and fintechs to rapidly prototype fraud-recognition tools under regulatory guidance. In 2023, participating teams developed machine learning models to flag synthetic identity fraud—an increasingly common tactic among cybercriminals. Several of these tools are now under review for broader adoption. 

Meanwhile, the Federal Reserve’s FedPayments Improvement initiative has placed growing emphasis on the risk of real-time payments fraud. According to a joint RFI issued on June 16, 2025, by the Fed, FDIC, and OCC, external collaboration among regulators, Reserve Banks, and industry participants is critical to counter fraud threats emerging through faster payments. 

Through FedPayments Improvement Community events, smaller and regional banks are being encouraged to join pay transparency forums and share threat indicators. These interchanges allow banks to detect patterns more quickly, turning individual incidents into shared intelligence. In short, regulators are fostering ecosystem-wide partnerships to help community banks keep pace. 

The federal government is also investing in cross-sector coordination. The Office of the National Cyber Director (ONCD) recently convened a public-private task force to improve the sector’s ability to identify and respond to fraud threats in real time. These efforts include developing standardized fraud-alert protocols and encouraging interoperability among fraud monitoring systems, a critical need for banks still operating on legacy infrastructure. 

In this evolving threat environment, Falkin COO Frisch sees distinct advantages in collaborative testing. “Including regulators in exercises works best when it’s not just about technical failure modes,” he says. “The more progressive banks are simulating the social engineering vectors like the text message that kicks off a scam, or the customer who believes they’re doing the right thing, or the moment trust gets exploited. Bringing regulators into those scenarios leads to better conversations about timing, intervention points, and shared responsibility for education—not just compliance.” 

Keysec CEO Keating adds, “Community banks are on the front lines of a rapidly evolving fraud landscape, in which artificial intelligence is now being weaponized to automate and scale social engineering, account takeovers, and synthetic identity attacks. 

“Unlike larger institutions, community banks often lack the resources to keep pace with these AI-driven threats, making it critical to invest in smarter fraud detection, employee training and layered defenses.” 

Keating plainly summarizes the current situation for community banks: “The challenge isn’t just detecting fraud. It’s doing so faster than machines can adapt.” 

For up-and-coming professionals—especially those in risk, compliance, or operations—this shift signals a redefinition of leadership competencies. Cyber fluency and regulatory coordination are quickly becoming essential for career growth. 

More banks are embedding regulatory liaisons within cybersecurity and fraud teams. Junior staff exposed to war-game planning or regulatory coordination exercises are increasingly being groomed for leadership roles. At the October 2024 Chicago Fed symposium, community bank participants were encouraged to define cyber response roles collaboratively with regulators—reinforcing that shared readiness is now the norm. Fluency in “cyber regulatory language” is earning rising professionals the attention of boards and examiners alike. 

Perhaps most significant, this marks a tonal shift: Regulators are no longer simply waiting to identify mistakes after they happen. Increasingly, they’re working alongside banks to prevent those mistakes altogether. That’s a message the next generation of bankers should take to heart. 

Keating expands this observation, commenting: “When banks include regulators in their cyber- or fraud-defense exercises, it signals a shift from reactive oversight to protective partnership.” 

These exercises aren’t about just compliance anymore. They’re leadership moments that spotlight a bank’s readiness, culture, and commitment to shared resilience.

He advises that successful organizations: 

• Engage regulators early in the planning process 
• Design realistic, risk-based scenarios that include AI-enhanced threats 
• Use the exercise to demonstrate cross-functional coordination, operational maturity, and threat adaptability 

“Just as important,” Keating says, “is to show how lessons learned drive real improvements. These exercises aren’t about just compliance anymore. They’re leadership moments that spotlight a bank’s readiness, culture, and commitment to shared resilience.” 

As digital threats evolve, so must the relationships among those responsible for protecting the financial system. What was once a rigid line between regulator and bank is now defined by shared priorities and joint defenses. 

Frisch sees the shift in real time. “There’s a growing recognition that ‘cyber’ is no longer just about systems. It’s also about psychology—how real people get deceived. That’s where a new layer of security is emerging, focused on behavioral protection and consumer safety. 

“It doesn’t replace cybersecurity,” he concludes. “It completes it.” 

Whether it’s war-gaming a ransomware attack, co-developing machine learning models for fraud detection, or simulating systemic failures, the next wave of cybersecurity won’t be built in silos. It will be forged in partnership. 

For fledgling bankers, the takeaway is simple: Tomorrow’s top performers will not just understand the rules—they’ll help write them, shoulder to shoulder with the regulators across the table.