Who is responsible when the bank's AI makes a mistake and the carder's AI wins?

[Professor]

Abstract: In the silent war between banking security and cybercrime, it's increasingly not humans but algorithms that are fighting. On one side is fraud monitoring, which evaluates millions of transactions in search of anomalies. On the other are neural networks that generate phishing texts, guess card numbers, or simulate human behavior. When the security system fails and the attack system triumphs, a profound philosophical and ethical question arises: who is responsible? The impersonal code, its creators, the organization, or the imperfections of the digital environment itself? This article offers a calm look at the dilemmas of autonomous decision-making in a world where an algorithmic error can cost a fortune, and its genius can result in social harm.

Introduction: A battlefield where soldiers are activation functions​

Picture this: a bank's algorithm, trained on billions of legitimate transactions, analyzes a purchase in a split second. It considers hundreds of parameters: location, amount, time, device, and behavioral history. Its job is to distinguish a legitimate customer from a fraudster. On the other side of the planet, another algorithm, created on the dark web, calculates the optimal moment to attack, selects a combination that looks "normal," and initiates the transaction. It's a duel between two artificial intelligences. But when the dust settles and the money is stolen, the human customer is left alone with the question: "Why did this happen to me?" And who can they ask?

1. Theater of military operations: Forces and resources of the parties​

1.1. Defender AI: A vigilant but limited guardian.

• Goal: To minimize two types of errors: false positive (block a legitimate transaction, angering the customer) and false negative (allow a fraudulent transaction, damaging the bank).
• Its weaknesses: It's trained on yesterday's data. Its logic is based on the patterns of the past. A radically new fraudulent scheme, a data poisoning attack, or a subtle simulation of a specific client's behavior can fool it. It operates within strict regulatory and business restrictions (it can't block too much).
• His ethical dilemma: Where should he set the threshold of suspicion? By raising it, he'll protect the bank but inconvenience thousands of honest customers. By weakening it, he'll make the service seamless but open loopholes for criminals. It's an algorithmic version of the trolley problem.

1.2. Attacker AI: Adaptive, amoral tool.

• The goal: to maximize financial gain while avoiding detection. Its effectiveness is measured by the percentage of successful cashouts.
• Its strength: It's free from ethics and regulations. It can learn on stolen data in real time, conduct thousands of microattacks to probe defenses, and use generative networks (GANs) to create fictitious but plausible profiles. Its main weapon is the speed of adaptation.
• Its ethical dilemma: There isn't one. The attacker's algorithm is pure instrumental reason. Moral questions lie beyond its functions. They are the responsibility of its creators and operators.

2. Moment of Failure: What happens when the defense fails?​

Let's say an attacking AI has found a vulnerability in patterns or learned to bypass detectors. The transaction goes through. The client notices the charge. A chain of questions about responsibility arises.

• Question for the bank: "Why didn't your system protect me?"
  The bank may appeal to the complexity of the threats and the lack of guarantees. Its AI is a service of "reasonable care," not "absolute security." But the client rightly assumes that since they entrusted their money to the bank, the bank, using the most advanced technologies, bears a heightened responsibility for its safety. The responsibility here is organizational. The bank is responsible for selecting, configuring, training, and constantly updating its algorithmic guardian.
• The question for regulators is: "Why did you allow such malicious AI to exist?"
  This is a question for legislators and law enforcement. Responsibility for the creation and use of AI for criminal purposes should lie with the human perpetrator. However, the difficulty is that the tools (machine learning frameworks, algorithms) themselves are neutral. Banning them is like banning mathematics. Regulators' responsibility lies in creating a framework in which the development and use of AI are transparent and accountable, and their criminal use is inevitably punishable.
• The most difficult question is: "Can the bank's AI itself be blamed?"
  At this stage, no. The bank's AI has no agency (free will) or intentionality (intent). It didn't "meant" to make a mistake. It produced a probabilistic answer based on a trained model. Blame is a human category. Responsibility for the consequences of AI decisions always lies with the people and organizations that created it, implemented it, and entrusted it with decision-making.

3. The "black box" problem and the right to an explanation​

The situation is aggravated when it is impossible to understand the logic of the algorithm.

• The customer asks: “Why did you block MY legal purchase?”
• The bank responds: “Our complex neural network, which takes into account thousands of parameters, assessed the risk as high”.

This isn't an explanation. It's a statement. When AI, while protecting, causes inconvenience (a false positive), the client must have the right to a human explanation and appeal. An ethically correct AI must not only make decisions but also be able to generate human-interpretable justifications for its "suspicions." Without this, it becomes a digital dictator whose decisions are unquestionable simply by virtue of their complexity.

4. The Ethics of Asymmetry: Uneven Playing Fields​

The fundamental difference between defender and attacker AI creates an ethical asymmetry.

• The bank's AI is bound by rules: data confidentiality (it cannot use client information as it pleases), regulations, and the need to preserve the client's experience.
• The carder's AI is free of any rules. It can use any data (stolen), any methods (deception, forgery), and doesn't care about the victim's "convenience."

This inequality puts defense at an inherent disadvantage. The ethical response is not to stoop to the enemy's level, but to strengthen cooperation and knowledge sharing. Banks, IT companies, and regulators, by pooling their efforts and anonymizing attack data, can create more robust and ethical defense systems that learn from the mistakes of the entire ecosystem, rather than just a single institution.

5. The Path to Responsible Competition​

How to build ethical relationships in this arms race?

1. Human-in-the-loop principle: Critical decisions (blocking large amounts, closing accounts) must require the mandatory involvement of a human analyst. AI is a triage and warning tool, not a final judge.
2. Algorithm Transparency and Audit: External and internal audits of fraud monitoring models for hidden biases and errors. This does not include a full breakdown (that would be impossible), but rather a check for compliance with stated ethical and operational standards.
3. Flexible bank liability: Recognizing that damages from falsely reported fraud must be compensated by the bank promptly and unconditionally, as an organizational failure. This will create a financial incentive to continuously improve protection.
4. Global AI Ethics: Forming charters within the professional community that condemn the use of AI for malicious purposes, similar to the Hippocratic Oath. This won't stop criminals, but it will create a cultural barrier.

Conclusion: Cultivating an Algorithmic Conscience​

Bank AI and carder AI are two reflections of our times. One reflects our need for security and order, the other a shadowy reflection of amoral ingenuity and greed. Their confrontation is more than just a technical race. It is a test of our ethical principles in the digital age.

Responsibility for the outcome of this silent war lies not with algorithms, but with us. It is up to those who create AI for protection to make it not only smart, but also accountable, transparent, and fair. It is up to those who run banks to invest not only in the power of algorithms but also in human understanding and customer empathy. It is up to society to demand from technology not blind obedience, but intelligent service.

When a bank AI fails and a carder AI wins, it is a signal: our collective algorithmic conscience needs to be refined. Our task is not simply to write code that wins, but to build a digital world where technology enhances trust, responsibility, and fairness, not deception and violence. A world where ethics is built not only into the rules for using algorithms, but into their very architecture.