Can AI Agents Work With Open Finance?

Can AI work with open finance? If you know something about AI, and especially AI agents, you may have read the title of this post and be thinking, “yes, of course it can, stupid!”. The use case for AI and AI agents in the context of financial services generally is significant, with agents having the capability to automate a multitude of tasks currently performed by humans. Nowhere is this more true than in open finance, where the operating models are built almost entirely on standardized APIs described using OpenAPI, which provides a strong baseline for interpretation by AI. Existing use cases abound, with the potential for AI to work across both closed and open finance to create cohesive features and products.

Some of the possible use cases for AI agents in finance include:

  • Payment initiation: Making one or more payments automatically, on behalf of the banking customer, based on fixed constraints defined in a consent.
  • Account sweeping: Transferring funds automatically from current (checking) accounts to savings accounts to maximize returns.
  • Wealth management: Creating a cohesive view of wealth across different accounts and investment vehicles, leveraging features like account sweeping to maximize outcomes.

If open finance were being built from scratch today, implementing the security protocols and patterns required for AI agent access would be a natural extension of the standards. Life is rarely so simple, however. Open finance is growing globally, with a great deal of innovation taking place, yet its security protocols and patterns remain wedded to well-established mechanisms such as OAuth 2.0, OpenID Connect, and extensions of those protocols such as the FAPI 2.0 Security Profile. These protocols generally involve a human in the flow at some point, especially given rules such as the European Union's requirement under PSD2 to reauthorize account access every 180 days. Evolving these protocols to fit an agentic model is vital if the opportunity for AI in open finance is not to be lost.

The Use Case for AI in Open Finance

Deploying AI in open finance, especially from an agentic perspective, is actually a natural progression of what third-party providers (TPPs) already do in the financial ecosystem. Take account sweeping, for example. Sweeping fits the agentic model perfectly, as agents can work on behalf of humans to perform sweeping automatically based on a known set of constraints encoded in the consent granted by the human to the TPP or to the AI agent.

The evolution of open finance across global markets is, however, presenting new agentic opportunities more generally. Consider open foreign exchange (FX), currently being created in the UAE, which enables market-wide FX quote comparison, supported by dynamic account opening at a given FX provider. Enabling AI agents to leverage this framework could provide significant financial benefits for organizations seeking to reduce FX and remittance costs, and promote new competition in the local FX market. The FX and remittance flows are relatively simple, which makes them straightforward for an agent to act on.

The biggest challenge, however, lies at the intersection of autonomy and trust, and how agents can operate without a human in the flow.

Side Calls to Humans

Open finance has already broken ground on autonomy by granting account access to TPPs, entities that are not the customer's bank. However, open banking and open finance frameworks are built with the human at the center of the consent journey. Strong customer authentication (SCA) and rules like PSD2's 180-day reauthorization require a human to reaffirm their choices, adding deliberate friction to ensure that account holders granting access do so fully aware of what they are authorizing. FAPI 2.0, used in many of the leading open finance ecosystems around the world, and less prescriptive frameworks like the security framework at the heart of the Berlin Group standard, all have this concept of consented, authorized access at their heart.

Adding friction to user journeys in this way does not lend itself well to granting AI agents permission to act autonomously: a human must be called back into the journey whenever account access has to be reauthorized. Another challenge is token lifecycle management. Current OAuth profiles are not, generally speaking, designed for long-lived, fully autonomous actors, and the need to call back to a human at regular intervals is implicit in the flow. User-granted access tokens are also where protocols like the Model Context Protocol (MCP) currently come unstuck. An MCP server can implement OAuth 2.0 without difficulty, but obtaining its tokens through the authorization code grant means a human must be present at a browser each time authorization is granted, which is far less feasible for an agent that runs unattended.

There are, however, already significant opportunities to enable agentic access, with side calls to humans, without refactoring the ecosystem and the underlying protocols. Embracing an evolution of authentication and authorization where reauthorization can happen seamlessly is critical. In open finance, we can call out protocols like OpenID for Verifiable Credentials, already a feature of the EU Digital Wallet, which can provide the backbone for dedicated, authorized credentials for agents, or leveraging Client-Initiated Backchannel Authentication (CIBA) to allow out-of-band authentication and authorization by a human. Critical building blocks to authorizing consented, agentic access to accounts therefore already exist, and can be extended to ensure callbacks to humans, when they are required, can happen seamlessly.
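The CIBA side call described above, as an added example that is not part of the original post: a simulated poll-mode CIBA exchange in which the agent asks the bank's authorization server to obtain the customer's approval out of band and then polls the token endpoint until the human has decided. The authorization server is an in-memory stand-in written for this example; the client_id, login hint, binding message, timings and approval step are assumptions, not any real bank's implementation. The grant type URN and the error codes (authorization_pending, slow_down, expired_token, access_denied) are the ones the CIBA specification defines.

```python
"""Added example (not from the original post): a poll-mode CIBA exchange
between an agent acting for a TPP and a simulated bank authorization server.
Endpoint behaviour, identifiers and timings are assumptions for illustration."""
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"   # grant type defined by the CIBA spec


class BackchannelAS:
    """Minimal poll-mode CIBA authorization server with an injectable clock
    (``now`` is passed in seconds so the exchange is deterministic)."""

    def __init__(self, expires_in=120, interval=5):
        self.expires_in, self.interval = expires_in, interval
        self.requests = {}          # auth_req_id -> request state

    def backchannel_authentication(self, params, now):
        # The agent identifies the customer with a hint and supplies a
        # human-readable binding_message the bank shows in its app during SCA.
        for field in ("client_id", "scope", "login_hint", "binding_message"):
            if field not in params:
                return {"error": "invalid_request", "field": field}
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {
            "status": "pending", "client_id": params["client_id"],
            "scope": params["scope"], "user": params["login_hint"],
            "expires_at": now + self.expires_in, "last_poll": None,
        }
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in,
                "interval": self.interval}

    def user_decision(self, auth_req_id, approved):
        """Out-of-band step: the customer approves or rejects in the bank app
        (after SCA) and the AS records the outcome against the request."""
        self.requests[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, params, now):
        if params.get("grant_type") != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(params.get("auth_req_id"))
        if req is None or req["client_id"] != params.get("client_id"):
            return {"error": "invalid_grant"}
        if now > req["expires_at"]:
            return {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < self.interval:
            return {"error": "slow_down"}          # client polled faster than allowed
        req["last_poll"] = now
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "denied":
            return {"error": "access_denied"}
        # One-time use: once a token is issued the auth_req_id is consumed.
        del self.requests[params["auth_req_id"]]
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "scope": req["scope"], "expires_in": 600}


def run_ciba(as_, decision, decide_after_polls, max_polls=10):
    """Drive the exchange: start the request, poll every ``interval`` seconds,
    simulate the human's decision after N polls, and return the final token
    response together with the sequence of poll results."""
    now = 0
    start = as_.backchannel_authentication({
        "client_id": "agent-tpp", "scope": "openid accounts",          # assumed values
        "login_hint": "customer-123",
        "binding_message": "Allow the sweep agent to read balances"}, now)
    poll = {"grant_type": CIBA_GRANT, "auth_req_id": start["auth_req_id"],
            "client_id": "agent-tpp"}
    seen = []
    for n in range(max_polls):
        if n == decide_after_polls:
            as_.user_decision(start["auth_req_id"], decision)
        now += start["interval"]
        resp = as_.token(poll, now)
        seen.append(resp.get("error", "token"))
        if "error" not in resp or resp["error"] not in ("authorization_pending", "slow_down"):
            return resp, seen
    return {"error": "timeout"}, seen


if __name__ == "__main__":
    print(run_ciba(BackchannelAS(), decision=True, decide_after_polls=2))
```

The agent never sees the customer's credentials: it holds only an auth_req_id until the bank has recorded the customer's decision, and the same pattern serves the 180-day reauthorization, since the agent can raise a fresh backchannel request when its grant is about to lapse.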

Solving for Autonomous Open Finance

The authentication journey and enabling systematic side calls to humans is one side of the agentic coin in open finance. Providing explicit grants to account access is vital to allowing agentic access to accounts. As is often the case with new technologies, the AI community has forged ahead with developing new protocols that serve the needs of agents in acting on behalf of humans.

Initiatives such as the Agent2Agent (A2A) Protocol, for communication between agents, and the Agent Payments Protocol (AP2), for payments, aim to allow agents to act autonomously without relying on humans in the flow; AP2 uses a series of "Mandates" that act as verifiable credentials, tied to a specific agent and action. The Agentic Commerce Protocol, developed by OpenAI and Stripe, also seeks to power payments made autonomously on behalf of customers through a dedicated AI agent.

While these protocols are absolutely required to provide a common framework for agentic communication and action, the underlying concepts of enabling roles in an ecosystem to perform specific tasks are already well established in the open finance world.

An example here is Rich Authorization Requests (RAR, RFC 9396), already used in several ecosystems, including the UAE. RAR adds an authorization_details parameter to the authorization request, a JSON array that describes the rights to account access and services in a fine-grained way, specifying precisely the permissions a client has. RAR is an evolution of the consent APIs created during the first wave of open banking standards, and puts the permissioning model back in the realm of access controls. The great thing about RAR is that, from a protocol perspective, it greatly expands on what an OAuth scope can express and makes the grant explicit.

RAR is, however, a framework: the content of each authorization_details entry is defined by the ecosystem, so it can be expanded to incorporate prompts alongside structured data. A RAR could therefore become the single source of truth for an agent, and evolve to provide a more agentic view with a natural language prompt. An example is below (encoded as YAML for readability, but more likely to be JSON in practice):

roles:
- aisp
- pisp
use_case: account_sweeping
source_accounts:
- current
target_accounts:
- savings
- stocks_shares_isa
prompt: >
  Use my balance and transaction information from my current and savings account to track outgoings.

  Move money from my current account when the account balance exceeds GBP 5000, moving to my savings account with the best interest rate.

  When my balance across my current account and savings exceeds my outgoings for the next 3 months, move any surplus to my stocks and shares ISA.

RAR could therefore include all the requirements for agents, including what roles they can play, which can then allow agents to interact with reference data like OpenID Connect Discovery to guide their actions.

The level of standardization in RAR will still need to be high, however, so that both TPPs and banks can enforce the grant deterministically, and that is not achieved by pushing the details of the consent into the prompt. The example above, if reflected in a real RAR design, would almost certainly carry more structured data, with more of the behaviors encoded in well-defined properties of a JSON Schema document or OpenAPI description: the structured fields are what the bank enforces on every request, while the prompt guides the agent. RAR also needs to be signed so that it is tamperproof, so it should be carried in a JWT-Secured Authorization Request (JAR, RFC 9101) and sent over a backchannel using Pushed Authorization Requests (PAR, RFC 9126), which delivers the request directly from the TPP to the authorization server over TLS rather than through the customer's browser, protecting it in transit and avoiding redirects. FAPI 2.0 already mandates PAR, so this is a natural fit.
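As an added example that is not part of the original post, the sweeping consent above expressed as a structured RAR authorization_details entry, a deterministic check a bank or TPP could run against each proposed transfer, and the signed JAR request object that carries it in a PAR body. The type URI, account labels, limits, client_id, redirect URI and authorization server URL are hypothetical, and the shared-secret HS256 signature stands in for the asymmetric (PS256 or ES256) signing that FAPI 2.0 message signing requires; the point is that enforcement reads only the structured fields and never the prompt.

```python
"""Added example (not from the original post): RAR authorization_details for
account sweeping, deterministic enforcement of its structured fields, and the
signed JAR request object pushed via PAR. Identifiers, limits and the HS256
key are illustrative assumptions; FAPI 2.0 requires asymmetric signing."""
import base64, hashlib, hmac, json, time, uuid
from urllib.parse import parse_qs, urlencode

# Hypothetical RAR entry (RFC 9396) for the sweeping consent described in the post.
# Every constraint the verifier enforces is a structured field; the prompt is carried
# alongside for the agent but is never consulted for enforcement.
SWEEP_TYPE = "urn:example:account-sweeping"          # hypothetical type URI
SWEEP_AUTHZ_DETAILS = [{
    "type": SWEEP_TYPE,
    "actions": ["read_balances", "read_transactions", "initiate_transfer"],
    "source_accounts": ["current"],
    "target_accounts": ["savings", "stocks_shares_isa"],
    "currency": "GBP",
    "min_source_balance": 5000,        # only the surplus above this may be swept
    "max_transfer_per_day": 10000,     # hard cap per calendar day (assumed)
    "prompt": "Move surplus above GBP 5000 to the best-rate savings account.",
}]


def check_transfer(details, transfer, moved_today):
    """Deterministic enforcement of the structured fields only.
    Returns (allowed, reason); nothing in ``prompt`` is consulted."""
    d = next((x for x in details if x.get("type") == SWEEP_TYPE), None)
    if d is None:
        return False, "no sweeping grant"
    if "initiate_transfer" not in d["actions"]:
        return False, "initiate_transfer not granted"
    if transfer["currency"] != d["currency"]:
        return False, "currency not permitted"
    if transfer["source"] not in d["source_accounts"]:
        return False, "source account not permitted"
    if transfer["target"] not in d["target_accounts"]:
        return False, "target account not permitted"
    surplus = transfer["source_balance"] - d["min_source_balance"]
    if transfer["amount"] <= 0 or transfer["amount"] > surplus:
        return False, "amount exceeds surplus above min_source_balance"
    if moved_today + transfer["amount"] > d["max_transfer_per_day"]:
        return False, "daily cap exceeded"
    return True, "ok"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_request_object(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWS for a JAR request object (RFC 9101). Illustrative only:
    FAPI 2.0 requires an asymmetric algorithm so the AS verifies the TPP's key."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_request_object(jwt: str, key: bytes) -> dict:
    """Recompute the MAC over header.payload and reject the object if it differs."""
    head, payload, sig = jwt.split(".")
    expected = hmac.new(key, (head + "." + payload).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("request object signature invalid")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def build_par_body(client_id: str, key: bytes, details) -> str:
    """Form body the TPP POSTs to the PAR endpoint (RFC 9126). The signed object
    carries authorization_details so it cannot be altered between TPP and AS."""
    now = int(time.time())
    claims = {
        "iss": client_id, "aud": "https://as.example-bank.test",   # hypothetical AS
        "client_id": client_id, "response_type": "code",
        "redirect_uri": "https://tpp.example.test/cb",              # hypothetical TPP
        "scope": "openid accounts payments",
        "authorization_details": details,
        "iat": now, "exp": now + 300, "jti": str(uuid.uuid4()),
    }
    return urlencode({"client_id": client_id, "request": sign_request_object(claims, key)})


def request_object_from_par_body(body: str) -> str:
    """What the AS extracts from the pushed form body before verifying it."""
    return parse_qs(body)["request"][0]


if __name__ == "__main__":
    key = b"demo-shared-secret"                                     # assumed, demo only
    claims = verify_request_object(request_object_from_par_body(
        build_par_body("tpp-123", key, SWEEP_AUTHZ_DETAILS)), key)
    print(check_transfer(claims["authorization_details"],
                         {"source": "current", "target": "savings", "currency": "GBP",
                          "source_balance": 7000, "amount": 1500}, 0))
```

The bank answers the PAR with a request_uri that the agent then uses at the authorization endpoint (or in a CIBA request), and at token issuance the same authorization_details is bound into the access token, so check_transfer can be run against every payment initiation the agent later attempts.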

RAR can also mean accelerating the implementation of open finance, with change being more readily embraced. For humans, RAR has meant implementing more complex and sophisticated software to interpret this information in a meaningful way. For AI agents, however, it can mean taking the information and acting on it without humans needing to write masses of code. Yes, an agent is still going to generate code somewhere to interpret the information, but that information can be processed much more readily, and what's more, the information in a RAR can evolve with new versions of standards at lower implementation cost, as the AI will absorb the changes.

API Security for AI Futures

We've discussed many aspects of open finance and how AI can be merged into existing API security standards. A model of what we've discussed, bringing together OpenID Connect Discovery, PAR, JAR, RAR, and CIBA into a single sequence diagram, is shown below. It purposefully ignores MCP and how to handle orchestration at MCP servers, and it also avoids token passthrough anti-patterns, as that topic is for another post.

The skeleton leverages variable recurring payments, which are implemented in markets such as the UK and UAE. Note here, we do not state the agent protocol or how the agent is initiated, simply that the agent receives a prompt to act on behalf of the customer.

[Figure: agentic open finance flow, sequence diagram]

Using Guardrails for Agentic Finance

On the evidence of this post, embracing AI may seem like the next step in the evolution of open finance, and many building blocks are already in place to be leveraged. It is also, of course, a long road from sketching out flows in a sequence diagram to deploying them in anger. The industry as a whole needs to ensure that the correct guardrails are in place to safeguard how an access token is granted to an AI agent.

There is also the question of scaling credentials to ensure that agents have ready access to open finance platforms. MCP can potentially help, and could fit into the high-level model shown above (again, a subject for a future post). Finally, there is also the point about open finance maturity across different markets. Several have most, but not all, of these building blocks in place, and moving the market forward requires regulatory alignment, demand from the market, and implementation at the banks.

From the perspective of protecting real human beings and their finances, it is right and good to ask these questions. We’ve seen during AI’s growth how it can, and continues to, get things wrong. However, agents can help power use cases such as account sweeping at a much more granular level, and with the right tools in place, open finance can embrace doing this safely, and with the needs of customers at its heart.

Embracing AI is not about lowering security or making agentic access to accounts more permissive. Instead, it’s about ensuring that the guardrails are set at the right height, and with steady enough handrails to guide AI to exactly what it needs to know to act in the best interests of the customer.

The evolution of open finance markets and standards need to embrace change for AI in three critical ways:

  • Frictionless authorization: Delegation of authority to an AI, in the same way as giving consent to account access for a TPP, needs to happen much more easily, removing the redirects to a mobile banking app or internet banking website in existing journeys. The journeys that exist in open finance today can be tweaked to profile deterministic, reliable, and cryptographically bound proofs of authentication and authorization that prove beyond a reasonable doubt that the customer has provided consent.
  • Agentic access controls: Improving the bounds of authorization through highly descriptive grants is fundamental to establishing the proper guardrails. Embracing RAR and providing authorization that is fine-grained and deterministic offers the best chance for AI agents to act autonomously without the potential for data or financial loss for banking customers.
  • Constant and consistent monitoring: Monitoring the activities of AI agents is vital to ongoing trust, and here open finance can leverage adjacent protocols such as the OpenID Shared Signals Framework, which carries the Continuous Access Evaluation Profile (CAEP) as a means of monitoring agents at scale through common protocols, across an ecosystem, providing a single customer view.

If global open finance markets can embrace such transformations and devise appropriate and right-sized protocols for securing customer data whilst empowering AI agents, open finance could forge ahead as a leader at an industry level. Time will tell whether the important humans in open finance — regulators, banks, standards bodies, and TPPs — will seize this significant opportunity to lead autonomous open finance.