The days of relying on weak, point-in-time authentication methods like OTPs are coming to an end.
A recent filing by the New York Attorney General signals a shift in how regulators are evaluating fraud prevention: financial institutions are no longer being judged solely on whether controls exist, but on whether those controls are sufficient to address modern attack methods.
Citibank, sued last year for failing to protect customers from online fraud, is now facing claims that it should have implemented layered security approaches, such as monitoring anomalous behavior, flagging unrecognized devices, and detecting unusual transaction patterns, rather than relying on basic username-and-password authentication.
This marks a broader shift: fraud prevention is no longer about access alone; it is about continuously validating trust.
A Changing Threat Landscape Requires Continuous Validation
The attack surface for banks and fintechs is expanding rapidly. Phishing campaigns, spoofed banking experiences, and malware such as Remote Access Trojans (RATs) allow attackers to operate inside trusted sessions, often after passing traditional login checks. In many cases, the attacker appears indistinguishable from the legitimate user at the point of authentication.
Recent FBI Internet Crime Complaint Center (IC3) data illustrates the scale of the problem. In 2024, reported internet crime losses climbed to roughly 16.6 billion dollars, a 33 percent increase over the prior year, with cyber-enabled fraud responsible for approximately 13.7 billion dollars, or almost 83 percent, of those losses. In 2025, the FBI further highlighted account takeover (ATO) fraud as a growing concern, noting losses of more than 262 million dollars across just a few thousand reported incidents, with average losses exceeding 50,000 dollars per case.
In this environment, authentication at a single point in time is no longer sufficient.
What Effective Fraud Prevention Looks Like Now
To address these risks, financial institutions need to move beyond static authentication and adopt a layered, continuous approach to identity verification.
This includes:
- Monitoring user behavior throughout the session, not just at login, so subtle changes in how a user navigates, types, or interacts with the interface can be evaluated in context over time.
- Identifying deviations from known patterns in real time, allowing high-risk behavior to trigger step-up checks, transaction holds, or additional review instead of relying on fixed rules alone.
- Correlating behavioral signals with device intelligence and transaction risk, so decisions reflect the full picture: who appears to be behind the session, what device they are using, and how risky the transaction itself looks.
The goal is not simply to grant access, but to continuously evaluate whether the entity behind the session remains legitimate. This is where behavioral biometrics has become increasingly critical.
Behavioral Biometrics as a Foundational Layer
Behavioral biometrics, once considered experimental, is now becoming a standard component of modern fraud prevention strategies.
Solutions like 360 Risk Control Behavioral Intelligence analyze highly nuanced human-computer interaction signals, including:
- Swiping patterns, such as speed, trajectory, and pressure changes as a user scrolls or navigates through an app.
- Typing speed and rhythm, including dwell time on keys, error-correction patterns, and how users move between fields.
- Subtle variations in device handling, like micro-adjustments in how a phone is held, orientation changes, or tiny accelerometer and gyroscope signals captured during normal use.
These signals are extremely difficult for attackers to replicate, even when they have valid credentials or remote control of the device, because they reflect deep-seated motor behaviors rather than visible login artifacts (for the underlying theory, see a computational motor control source such as A Computational Neuroanatomy for Motor Control). When combined with device intelligence and transaction risk analysis, behavioral biometrics adds a continuous verification layer that operates throughout the session—not just at login.
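The layered evaluation described in the two lists above (a behavioral signal correlated with device intelligence and transaction risk, re-scored throughout the session) can be sketched as follows. This is an added example, not code from 360 Risk Control Behavioral Intelligence: the function names, weights, thresholds, baseline and session data are constructed assumptions, and key dwell time is the only behavioral signal used.

```python
from statistics import mean, stdev

# Constructed enrollment baseline: key dwell times (ms) from the user's earlier sessions.
BASELINE_DWELL_MS = [92, 88, 101, 95, 90, 97, 93, 99, 91, 94]

def dwell_deviation(window, baseline=BASELINE_DWELL_MS):
    """Z-score of a window's mean dwell time against the enrolled baseline."""
    mu, sigma = mean(baseline), stdev(baseline)
    # Use the standard error of the window mean so window size is accounted for.
    return abs(mean(window) - mu) / (sigma / len(window) ** 0.5)

def session_risk(window, device_known, amount, typical_amount):
    """Combine behavioral, device and transaction signals into a 0..1 score.
    Weights and scaling are illustrative assumptions; typical_amount must be > 0."""
    behavior = min(dwell_deviation(window) / 6.0, 1.0)
    device = 0.0 if device_known else 1.0
    # Transaction risk grows as the amount exceeds the user's typical amount.
    txn = min(max(amount / typical_amount - 1.0, 0.0) / 9.0, 1.0)
    return 0.5 * behavior + 0.2 * device + 0.3 * txn

def decide(score):
    """Map a score to an action: allow, step-up check, or transaction hold."""
    if score >= 0.6:
        return "hold"
    if score >= 0.3:
        return "step_up"
    return "allow"

def evaluate_session(events, typical_amount):
    """Re-score on every event in the session, not only at login."""
    return [decide(session_risk(e["dwell_ms"], e["device_known"],
                                e["amount"], typical_amount))
            for e in events]

# Constructed session on a recognized device: login, a routine payment, then a
# typing-rhythm shift that coincides with an unusually large transfer.
SESSION = [
    {"dwell_ms": [93, 96, 90, 95, 92], "device_known": True, "amount": 0},
    {"dwell_ms": [91, 98, 94, 89, 96], "device_known": True, "amount": 120},
    {"dwell_ms": [41, 38, 45, 40, 43], "device_known": True, "amount": 4800},
]

if __name__ == "__main__":
    print(evaluate_session(SESSION, typical_amount=150))
```

The login and the routine payment pass without interruption, while the third event is held even though the device is recognized and the login succeeded; the same rhythm shift with a small amount would trigger only a step-up check.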
Reducing Friction While Strengthening Security
One of the key advantages of behavioral biometrics is that it operates passively in the background.
Instead of interrupting users with repeated authentication challenges, continuous behavioral monitoring allows institutions to:
- Reduce reliance on OTPs and frequent step-up authentication, reserving those interventions for truly high-risk scenarios.
- Minimize user friction and abandonment by keeping most legitimate sessions uninterrupted, even as risk assessments continue behind the scenes.
- Maintain strong security without degrading the customer experience, supporting higher digital adoption and greater trust in mobile and online banking channels.
This balance between security and usability is increasingly important as digital banking continues to grow and customers compare experiences across providers.
From Best Practice to Regulatory Expectation
The legal action from the New York Attorney General reinforces a clear direction: financial institutions are expected to adopt more advanced, layered defenses against fraud, especially as attackers move deeper into trusted sessions.
What was once considered a best practice is quickly becoming a baseline expectation. Within 360 Fraud Protection, behavioral biometrics plays a central role in enabling this shift, supporting continuous authentication, strengthening fraud detection across ATO and device takeover (DTO) scenarios, and helping institutions align with evolving regulatory standards.
As attackers continue to operate within trusted sessions, the ability to continuously validate user behavior is no longer optional. It is becoming essential to reducing fraud risk, protecting customers, and meeting regulatory expectations in a changing threat and compliance landscape.
To see how 360 Fraud Protection applies behavioral biometrics to real-time fraud defense, explore 360 Risk Control Behavioral Intelligence as a foundational layer in your authentication strategy.