Agentic Open Finance

Open finance handed agents the keys. Nobody wrote down what they may do inside.

A consent token opens the account. It says nothing about what the agent is allowed to make happen next. Access is a door. Authority is a mandate. The industry built the door first — and then connected software that acts.

The gap

The consent screen was written for apps that read. Agents act.

Every open-finance regime was designed around a human tapping “approve” for an app that mostly looks at data. An autonomous agent inverts that: it moves money, switches products, and commits its principal, thousands of times, unattended. Three uncomfortable truths follow.

01

A token proves the user let you in — not that they meant this payment.

Consent is granted once, broadly, in advance. The action happens later, specifically, at machine speed. Between those two moments lives every incident report this industry will ever write.

02

Scope creep is silent when the actor never sleeps.

An agent permitted to “manage payments” will, eventually, manage one you did not mean. Not through malice — through inference. A standing permission plus a reasoning engine is an unbounded mandate.

03

When it goes wrong, the log shows what happened — not whether it was allowed.

Observability answers “what did the agent do?” The dispute, the auditor and the regulator ask a harder question: “was the agent allowed to do it, at that moment, at that amount?” Most stacks cannot answer it.

Anatomy

What one governed action looks like

Not a workflow diagram — an authority chain. Five moments, in order, every single time an agent touches money. No step skipped, no step assumed.

INTENT: the agent proposes an act.
MANDATE: is this in scope, now? Scoped, live, no carry-forward.
VERDICT: allow, deny or escalate.
FINALITY: a named human binds it. Above threshold, a person, by name.
PROOF: sealed, replayable.

The order is the point. Authority is resolved before the action, not reconstructed after. The mandate is checked live — yesterday’s permission does not carry forward. Finality above a threshold belongs to a named person. And the proof is sealed at the moment of the act, so “was this allowed?” has an answer months later, offline, in a dispute.

Doctrine

The three laws of agentic open finance

If the industry adopts nothing else, it should adopt these. Each one closes a failure class that consent tokens were never designed to close.

LAW 01 Every action carries its own authority

No standing permission. A grant is scoped to the act — this payee, this ceiling, this window — and it is checked at the moment of execution, not at the moment of onboarding. An agent that was allowed to pay this morning has to be allowed again this afternoon. Boring by design: boring is what auditable looks like.

LAW 02 Finality has a name

Below the line, agents run free and fast. Above it — new payee, new ceiling, irreversible transfer — the act stays provisional until a person with the standing to bind says so. Accountability never transfers to software. When the regulator asks “who authorised this?”, the answer is a name, not a model version.

LAW 03 Proof outlives the moment

Every verdict — allow, deny, escalate — is sealed when it happens: the mandate that applied, the grant that was live, the person who bound it. Not logs to be assembled after the incident; evidence that already exists before the question is asked. A dispute in March should be answerable from what was sealed in January.
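The authority chain from the Anatomy section and the three laws above, worked through in Python as an added illustration (not code from this site): a mandate scoped to payee, ceiling and window is checked live at execution, the verdict is allow, deny or escalate (anything above the threshold or irreversible stays provisional until a named person binds it), and every verdict is sealed into a hash-chained record that can be replayed offline months later. All names, field layouts, thresholds and sample values are constructed assumptions.

```python
import hashlib, json
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Mandate:               # Law 01: scoped to this payee, this ceiling, this window
    mandate_id: str
    payees: frozenset
    ceiling: int             # per-payment ceiling, in minor units
    valid_from: datetime
    valid_until: datetime
    finality_threshold: int  # Law 02: above this, a named person must bind the act
def decide(payee, amount, m, now, irreversible=False, approver=None):
    """Resolve authority live, at execution time, never from the onboarding grant."""
    if not (m.valid_from <= now < m.valid_until):
        return "deny", "mandate not live at execution time"
    if payee not in m.payees:
        return "deny", "payee outside mandate scope"
    if amount > m.ceiling:
        return "deny", "amount exceeds mandate ceiling"
    if amount > m.finality_threshold or irreversible:  # provisional until bound
        return ("allow", f"bound by {approver}") if approver else ("escalate", "needs a named binder")
    return "allow", "within scope, ceiling and window"
def digest(body):  # canonical JSON -> SHA-256, used both to seal and to replay
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def govern(ledger, payee, amount, m, now, irreversible=False, approver=None):
    """One governed action: intent -> mandate -> verdict -> finality -> sealed proof."""
    verdict, reason = decide(payee, amount, m, now, irreversible, approver)
    rec = {  # Law 03: the mandate that applied, the verdict, who bound it, sealed now
        "at": now.isoformat(), "payee": payee, "amount": amount, "mandate": m.mandate_id,
        "window": [m.valid_from.isoformat(), m.valid_until.isoformat()], "ceiling": m.ceiling,
        "verdict": verdict, "reason": reason, "bound_by": approver,
        "prev": ledger[-1]["hash"] if ledger else "0" * 64}  # chained to the prior entry
    rec["hash"] = digest(rec)
    ledger.append(rec)
    return verdict

def replay(ledger):  # months later, offline: recompute every seal and link; True only if untouched
    prev = "0" * 64
    for rec in ledger:
        if rec["prev"] != prev or rec["hash"] != digest({k: v for k, v in rec.items() if k != "hash"}):
            return False
        prev = rec["hash"]
    return True

UTC = timezone.utc  # constructed sample data (not from the page): one mandate, live for January 2025 only
MANDATE = Mandate("m-001", frozenset({"ACME-LTD", "UTIL-CO"}), 50_000,
                  datetime(2025, 1, 1, tzinfo=UTC), datetime(2025, 2, 1, tzinfo=UTC), 20_000)
JAN, MAR = datetime(2025, 1, 15, tzinfo=UTC), datetime(2025, 3, 15, tzinfo=UTC)
```

Calling govern with the same intent in January and again in March yields allow and then deny from the same grant, which is the "no carry-forward" rule; editing any sealed record afterwards makes replay return False.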

Audiences

Who has to get this right

Pick your seat at the table. The gap looks different from each one — the fix is the same discipline.

You are the account. You wear the loss.

When a third-party agent misfires against an account you hold, the customer calls you. The token was valid, the API worked as documented, and the money is still gone. Your defence is not “the consent was granted” — it is “the action was checked against a live mandate, and here is the sealed record.”

The bank that can prove per-action authority will set the terms of agentic access. The bank that can’t will simply switch it off — and lose the channel.

Your agent’s ceiling is its trust, not its intelligence.

Nobody will let a brilliant agent near serious money on brilliance alone. The unlock is bounded autonomy you can demonstrate: show that your agent cannot exceed its mandate even when its reasoning says it should, and doors open that capability alone will never open.

“It asks before it binds” is a feature you can sell. “Trust the model” is not.

You aggregate consents. Do you aggregate authority?

A wallet holding forty consent tokens is holding forty open doors and zero mandates. The product that wins agentic finance is the one where the user can say: this agent may move up to this much, to these payees, this month — and see the proof it never did more.

That screen — the mandate screen, not the consent screen — is the interface this decade gets judged on.

The question to ask is not “was consent given?”

It is: “show me the authority for this specific action.” Consent regimes audit the door. Agentic regimes must audit the act — was the mandate live, was the scope honoured, who made it final, and can the answer be reproduced from sealed evidence rather than from the firm’s own after-the-fact narrative?

Firms that can answer per-action are supervisable at machine speed. Firms that can’t are asking you to trust a log.

Agentic open finance will be judged not by what agents could do — but by what they were allowed to do.

— the editorial position of this site