Municipal governments are rapidly adopting generative artificial intelligence to improve services, automate workflows, and enhance constituent engagement. But this same technology is also accelerating the sophistication and pace of fraud. Threat actors now use AI‑powered tools—such as deepfakes, synthetic identities, and hyper‑realistic phishing—to exploit payment processes, vendor onboarding, payroll, and even public‑facing communication channels.


At the same time, evolving National Automated Clearinghouse Association (NACHA) Operating Rules—the governing standards for Automated Clearinghouse (ACH) payments—introduce new requirements for risk-based monitoring and faster fraud‑recovery capabilities. Municipal leaders must understand these emerging risks and implement modern controls across treasury, procurement, and technology teams.


This article defines AI-related fraud and misuse, outlines the most common attack types impacting local governments, and provides a practical, vendor‑agnostic framework to strengthen defenses.



Key Definitions


  • AI-related fraud: Deception or financial crime enabled by artificial intelligence, including deepfake audio/video, AI-enhanced phishing, and machine‑learning‑assisted account takeover.

  • AI misuse: Improper or unsafe use of AI tools by staff or vendors, such as entering sensitive data into public models or relying on unvetted outputs in decision-making.

  • Business email compromise (BEC): Social engineering attacks aimed at redirecting payments or harvesting credentials, increasingly amplified by AI‑written messages and deepfake voice calls (see below).

  • Authorized push payment (APP) fraud: Scams in which victims are tricked into approving legitimate transactions, making recovery of funds challenging.

  • Synthetic identity: A constructed identity blending real and fabricated data to fraudulently enroll in programs or pass vendor onboarding.

  • Deepfake: AI‑generated or manipulated audio/video used to impersonate officials or vendors and authorize fraudulent transactions.



AI‑Enabled Fraud and Misuse: Common Threats to Municipalities


Payment and Treasury Fraud


  • Vendor impersonation and BEC targeting accounts payable or treasury to change banking details.

  • APP fraud via ACH, wires, or real‑time payments; payroll redirection; ghost vendors; and AI‑generated invoices.

  • Check fraud involving mail theft, alteration, counterfeits, and mule networks; mobile deposits used to bypass in‑person scrutiny.


Identity and Access Exploits


  • Synthetic identities used to enroll in benefit programs or compete for contracts.

  • Account takeover of banking portals enabled by AI‑powered phishing and credential‑stuffing.

  • Deepfake voice calls used to bypass phone‑based approval controls.


Data and Decision Risks (AI Misuse)


  • Unvetted AI tools used in procurement, permitting, or HR, leading to biased, erroneous, or noncompliant decisions.

  • Inadvertent disclosure of confidential or regulated data through AI prompts.

  • Lack of transparency or auditability for AI‑generated recommendations or documentation.



Best Practices for Municipal Leaders: Identifying and Mitigating AI‑Related Fraud


Governance and Policy


  • Implement a risk‑based AI governance policy outlining roles, disclosures, approval and labeling requirements, and audit trails.

  • Prohibit entry of confidential data into public AI tools unless safeguarded; align with HIPAA, CJIS, PCI, and FISMA standards.

  • Classify AI use cases by risk level (e.g., unacceptable, high, medium, low) and tailor testing and oversight accordingly.


Workforce and Process Controls


  • Provide mandatory training on BEC, APP fraud, and deepfake recognition.

  • Require scripted callbacks using trusted phone numbers; enforce dual controls for vendor‑master updates and payment instruction changes.

  • Maintain segregation of duties; configure Positive Pay and ACH filters; monitor exceptions weekly.

  • Maintain incident playbooks with banks and law enforcement to expedite freezes, returns, and investigations.


Technology and Data Controls


  • Use secure API banking connections.

  • Deploy anomaly detection across payments, vendor master data, and payroll, with consortium data where available.

  • Preserve immutable logs; automate reconciliation, alerts, and exception handling.



How New NACHA Rules Strengthen Fraud Defense


Recent and upcoming NACHA Operating Rule changes increase fraud‑detection and recovery capabilities across the ACH network. These include:


  • Expanded Return Reason Code R17 for suspected fraudulent entries.

  • Adjusted funds availability timing allowing RDFIs to delay access for entries flagged as suspicious (effective Sept. 18, 2026).

  • Broader ODFI Requests for Return (R06) with mandatory RDFI responses within 10 banking days.

  • Phased rollout of risk-based monitoring requirements across all ACH participants (effective March 20, 2026, and June 19, 2026).

  • Micro-Entries rules requiring commercially reasonable fraud detection and monitoring.



Practical Implications for Municipal Governments


  • Validate vendor bank accounts through secure methods, such as prenotes or trusted account‑validation tools.

  • Configure ACH Positive Pay and ACH filters to reduce unauthorized activity.

  • Align payment workflows with rapid return/freeze procedures available through banking partners.



Balancing Risks and Rewards


Municipal governments are navigating a rapidly evolving environment where the benefits of AI must be balanced with heightened fraud and misuse risks. By adopting structured governance, strengthening treasury controls, and modernizing their technology infrastructure, municipalities can confidently leverage AI while safeguarding public funds and maintaining resident trust.

How BMO Helps Municipalities Reduce Fraud Exposure

BMO Treasury & Payment Solutions provides tools that directly strengthen payment integrity and treasury security:


  • ACH Fraud Control / ACH Positive Pay. Block unauthorized ACH debits and credits, set authorization criteria, and review exceptions quickly.

  • Check Positive Pay and Payee Positive Pay. Match issued checks to presentments and detect alterations or counterfeits.

  • Commercial and Virtual cards. Add spend controls, merchant category code blocks, configurable limits, and enhanced reconciliation to reduce misuse and vendor risk.

  • Controlled disbursement. Improve cash forecasting, minimize overdraft risk, and create a review checkpoint to detect anomalies.

  • Secure APIs and online banking controls. Utilize granular entitlements, audit trails, IP/certificate controls, alerts, and strong segregation of duties.


BMO Treasury & Payment Solutions is committed to supporting municipalities through this transition. To explore which tools, controls, and best practices are right for your organization, connect with your BMO Relationship Manager for more insights and tailored recommendations.