Agentic Open Finance
The doctrine of agentic open finance

Consent opened the account. Authority was never granted.

Open finance gave software the keys to the world's bank accounts. Agentic AI turned that software into an actor. Between the consent token and the payment sits a question no observability stack can answer: was this exact action allowed — at this moment, at this amount, by this agent?

1 token opens everything
∞ actions it never scoped
5 moments in a governed act

Authority chain · live loop

INTENT: agent proposes: pay £4,120 → new payee
MANDATE: live scope check — no carry-forward
VERDICT: allow · deny · escalate — before execution
FINALITY: above threshold — a named human binds it
PROOF: sealed at the act — replayable in a dispute
VERDICT → ALLOW · within mandate

The gap

The consent screen was written for apps that read. Agents act.

Every open-finance regime was designed around a human tapping "approve" for an app that mostly looks at data. An autonomous agent inverts that: it moves money, switches products and commits its principal — thousands of times, unattended.

the consent illusion

A token proves the user let you in — not that they meant this payment.

Consent is granted once, broadly, in advance. The action happens later, specifically, at machine speed. Between those two moments lives every incident report this industry will ever write.

silent scope creep

The actor never sleeps, so the drift never shows.

An agent permitted to "manage payments" will, eventually, manage one you did not mean. Not malice — inference. A standing permission plus a reasoning engine is an unbounded mandate.

the wrong question

Logs answer "what happened" — the dispute asks "was it allowed".

Observability reconstructs behaviour. The auditor, the ombudsman and the regulator ask about authority: in scope, live grant, named approver. Most stacks simply cannot answer.

Anatomy

One governed action, five moments — in order, every time.

Not a workflow diagram — an authority chain: intent, mandate, verdict, finality, proof.

Doctrine

The three laws of agentic open finance

If the industry adopts nothing else, it should adopt these. Each closes a failure class consent tokens were never designed to close.

LAW · I

Every action carries its own authority

No standing permission. A grant is scoped to the act — this payee, this ceiling, this window — and checked at execution, not at onboarding. The agent allowed to pay this morning must be allowed again this afternoon. Boring by design: boring is what auditable looks like.

LAW · II

Finality has a name

Below the line, agents run free and fast. Above it — new payee, new ceiling, irreversible transfer — the act stays provisional until a person with the standing to bind says so. When the regulator asks "who authorised this?", the answer is a name, never a model version.

LAW · III

Proof outlives the moment

Every verdict is sealed when it happens: the mandate that applied, the grant that was live, the person who bound it. Not logs assembled after the incident — evidence that already exists before the question is asked. March's dispute is answered from January's seal.
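As an added illustration (not code from this site), the five moments of the anatomy and the three laws as one small mandate evaluator: a constructed `Mandate` and `Intent` shape, `decide` applying Law I at execution time, `seal` applying Laws II and III as a hash-chained record that stays provisional until a named approver binds it, and `verify_chain` replaying the seals in a dispute. Field names, the pence amounts and the epoch-second validity window are assumptions, not anything the site prescribes.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Mandate:  # constructed grant shape: one agent, named payees, ceiling, human threshold, window
    agent_id: str
    payees: tuple               # payees the user named on the mandate screen
    ceiling_pence: int          # hard bound of the grant: above it, deny outright
    human_threshold_pence: int  # above it (within ceiling) a named human must bind the act
    valid_from: int             # window as epoch seconds
    valid_to: int

@dataclass(frozen=True)
class Intent:
    agent_id: str
    payee: str
    amount_pence: int
    at: int                     # moment of the act, not of onboarding

def decide(intent, mandate):
    """Law I: evaluate the live grant at the moment of the act; nothing carries forward."""
    if intent.agent_id != mandate.agent_id or not mandate.valid_from <= intent.at < mandate.valid_to:
        return ("deny", "no live mandate for this agent at execution time")
    if intent.amount_pence > mandate.ceiling_pence:
        return ("deny", "above ceiling")
    if intent.payee not in mandate.payees:
        return ("escalate", "new payee")
    if intent.amount_pence > mandate.human_threshold_pence:
        return ("escalate", "above human threshold")
    return ("allow", "within mandate")

def _digest(prev_hash, body):
    return hashlib.sha256((prev_hash + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def seal(intent, mandate, verdict, reason, prev_hash, approver=None):
    """Laws II and III: escalated acts stay provisional until a named person binds them; chained."""
    status = "provisional" if verdict == "escalate" and approver is None else "final"
    body = {"intent": asdict(intent), "mandate": asdict(mandate), "verdict": verdict,
            "reason": reason, "approver": approver, "status": status, "prev": prev_hash}
    return {**body, "hash": _digest(prev_hash, body)}

def verify_chain(records, genesis="0" * 64):
    """Replay: recompute every seal from its own contents and check the linkage."""
    prev = genesis
    for r in records:
        body = {k: v for k, v in r.items() if k != "hash"}
        if body["prev"] != prev or _digest(prev, body) != r["hash"]:
            return False
        prev = r["hash"]
    return True
```

The £4,120 payment to a new payee from the opening sequence evaluates to `escalate`, is sealed as `provisional`, and only the second seal carrying an approver's name is `final`; altering any field of a sealed record breaks replay.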

Audiences

Who has to get this right

The gap looks different from every seat at the table. The fix is the same discipline.

You are the account. You wear the loss.

When a third-party agent misfires against an account you hold, the customer calls you. The token was valid, the API worked as documented — and the money is still gone. Your defence is not "consent was granted". It is "the action was checked against a live mandate, and here is the sealed record."

The bank that can prove per-action authority will set the terms of agentic access. The bank that can't will switch it off — and lose the channel.

Your agent's ceiling is its trust, not its intelligence.

Nobody lets a brilliant agent near serious money on brilliance alone. The unlock is bounded autonomy you can demonstrate: show that your agent cannot exceed its mandate even when its reasoning says it should, and doors open that capability alone never will.

"It asks before it binds" is a feature you can sell. "Trust the model" is not.

You aggregate consents. Do you aggregate authority?

A wallet holding forty consent tokens holds forty open doors and zero mandates. The product that wins agentic finance lets the user say: this agent may move this much, to these payees, this month — and shows the proof it never did more.

That screen — the mandate screen, not the consent screen — is the interface this decade gets judged on.

The question is not "was consent given?"

It is: "show me the authority for this specific action." Consent regimes audit the door. Agentic regimes must audit the act — was the mandate live, was the scope honoured, who made it final, and can the answer be reproduced from sealed evidence rather than the firm's own after-the-fact narrative?

Firms that answer per-action are supervisable at machine speed. Firms that can't are asking you to trust a log.

Agentic open finance will be judged not by what agents could do — but by what they were allowed to do.

— the editorial position of this site