LatAm Banking Risk Priorities 2026: What Changed and What Your Board Expects
By Meritra Studio · last updated 2026-04-23
The Bank Director 2026 Risk Survey is out, and two numbers changed the conversation in every boardroom that read it: fraud and cyber are now the number one and number two risks on the CEO risk list — the first time in the survey's history that operational risks have displaced capital and credit concerns at the top. This is not a minor shift. It is a structural reordering of what boards are expected to control.
- Fraud and cyber rank #1 and #2 on the CEO risk list for 2026 — first time in the survey's history.
- Credit risk, once a permanent fixture at the top, has fallen to #4 in LatAm responses.
- The shift reflects real loss events: regional banks in Mexico, Brazil, and Colombia reported record fraud losses in 2025, driven by Pix/SPEI social-engineering attacks and account-takeover via AI deepfake.
- Board preparation means having scorecards, tabletop scripts, and playbooks — not just policies.
What the 2026 Bank Director Survey actually found
The Bank Director 2026 Risk Survey polled 304 bank executives and board members across North and South America. In the LatAm subsample, the top five risks ranked by CEOs were: (1) Fraud / scam losses, (2) Cyber / operational resilience, (3) Regulatory compliance, (4) Credit quality deterioration, (5) Digital transformation execution.
Three years ago the order was inverted. Credit risk sat at #1 because post-pandemic loan books were still under stress. Cyber was somewhere in the middle. Fraud was considered an operational line item, not a strategic risk. What changed?
Three compounding factors shifted the ranking. First, real-time payment rails — Pix in Brazil, SPEI in Mexico, ACH Inmediato in Colombia — became the attack surface of choice. Fraudsters discovered that once a Pix transfer clears, reversal windows are 15 minutes or less and recovery rates are below 30%. Second, generative AI lowered the cost of social-engineering attacks by roughly 40x. Voice cloning that required $50,000 of compute in 2022 costs under $200 today. Third, CNBV and Banco Central do Brasil increased disclosure requirements in 2025, making fraud losses visible to boards for the first time — and what they saw alarmed them.
What this means for the board agenda
The practical consequence of fraud moving to #1 is that every board now expects a quantified fraud risk appetite — not a qualitative statement, but a number. "We accept up to 0.08% of transaction volume in fraud losses before escalating to the board" is the kind of statement directors now expect to hear. Most bank management teams are not yet producing it.
The second expectation is scenario testing. The Bank Director survey found that 71% of respondents whose bank had experienced a material fraud event in the past 24 months had conducted a formal tabletop exercise before the event. Among banks that had not experienced a material event, only 34% had run a tabletop. Correlation is not causation, but the board understands the direction of the argument.
Third, cyber and fraud are now expected to appear on the same agenda item, not in separate risk committee silos. The reason is architecture: the typical social-engineering fraud attack that results in an unauthorized Pix transfer involves a cyber component (credential theft or session hijacking), an operational component (inadequate step-up authentication), and a fraud component (the actual transfer). Separating them in reporting obscures the chain of failure.
The three board questions you will get in 2026
Based on the survey findings and regulatory guidance from CNBV, Banco Central do Brasil, and Superintendencia Financiera de Colombia, there are three questions that are near-certain to appear in a 2026 board meeting for any LatAm bank above $500M in assets:
1. "What is our fraud loss rate versus LatAm peer median, and is it improving?" This is the quantitative baseline question. The answer requires a KPI framework that tracks fraud losses as a percentage of transaction volume, by channel, benchmarked against available industry data. The LatAm Banking KPI Benchmarks includes the fraud loss rate metric with 2025 peer data across six countries.
2. "Have we run a tabletop for a Pix/SPEI social-engineering scenario in the last 12 months?" This is the qualitative preparedness question. The expected answer is yes, with a date, a summary of findings, and a list of remediations completed. The Fraud & Scam Prevention Kit includes a 12-page tabletop script with three scenarios: Pix social-engineering, SPEI business email compromise, and USD wire fraud — ready to run with your operational risk team.
3. "What is the board's fraud risk appetite, and how was it set?" This is the governance question. The board expects to have approved a fraud risk appetite statement that was developed with input from the CRO, CISO, and Head of Fraud Operations — not simply inherited from the prior year's risk framework. The Board Meeting Prep Kit includes six questions specifically on fraud risk governance to prepare you for this conversation.
What credit risk dropping to #4 means for your board pack
Credit risk has not disappeared. NPL ratios in Mexico and Colombia remain elevated versus 2022 levels, and BBVA Research's Q1 2026 LatAm outlook flags credit card delinquency as a watch item for H2. But the board's attention horizon has shortened. Directors now expect the credit risk section of the board pack to be compressed and efficient — 2-3 slides with a clean KPI dashboard — so that more time can be allocated to fraud, cyber, and digital transformation risk.
If your quarterly board pack still leads with a 12-slide credit risk section followed by a 2-slide fraud section, you are presenting against the risk priorities your board actually has in 2026. The sequence should be inverted.
Preparedness checklist: fraud and cyber readiness for the 2026 board
The boards that will ask the hardest questions in 2026 are the ones that read the Bank Director survey and shared it with management. The boards that will ask no questions are the ones that haven't read it yet. The difference between those two scenarios is preparation — and preparation in this context means having a number, a script, and a playbook ready before the meeting, not during it.
Frequently asked questions
Why did fraud move to #1 on the banking CEO risk list in 2026?
Three compounding factors: real-time payment rails (Pix, SPEI) created a 10-second irreversibility window, generative AI reduced the cost of social-engineering attacks by roughly 40x, and regulatory disclosure requirements made fraud losses visible to boards for the first time.
What is the most important board question on fraud for 2026?
The governance question: what is the board's fraud risk appetite, and how was it set? Boards expect a quantified statement — a numeric threshold, not a qualitative policy — approved with input from the CRO, CISO, and Head of Fraud Operations.
What does a tabletop exercise for banking fraud involve?
A facilitated simulation of a specific fraud scenario — typically 90 minutes — with role-assigned participants making real-time decisions as the scenario unfolds. The Meritra Fraud & Scam Prevention Kit includes a 12-page tabletop script with three LatAm-specific scenarios (Pix, SPEI, USD wire).