<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Jason Wang]]></title><description><![CDATA[Practical essays on giving AI agents useful authority without giving up human control — starting with the agent-ready bank.]]></description><link>https://www.jasonwang.ai</link><image><url>https://substackcdn.com/image/fetch/$s_!iqxE!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0eec8b0d-21cb-4ad3-8722-264ddeb73992_337x337.png</url><title>Jason Wang</title><link>https://www.jasonwang.ai</link></image><generator>Substack</generator><lastBuildDate>Tue, 14 Jul 2026 12:30:21 GMT</lastBuildDate><atom:link href="https://www.jasonwang.ai/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Jason Wang]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[jasonwangai@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[jasonwangai@substack.com]]></itunes:email><itunes:name><![CDATA[Jason Wang]]></itunes:name></itunes:owner><itunes:author><![CDATA[Jason Wang]]></itunes:author><googleplay:owner><![CDATA[jasonwangai@substack.com]]></googleplay:owner><googleplay:email><![CDATA[jasonwangai@substack.com]]></googleplay:email><googleplay:author><![CDATA[Jason Wang]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Agentic banking is closer than you think]]></title><description><![CDATA[A decade of open-banking compliance built the trust stack AI agents need.]]></description><link>https://www.jasonwang.ai/p/agentic-banking-is-closer-than-you</link><guid isPermaLink="false">https://www.jasonwang.ai/p/agentic-banking-is-closer-than-you</guid><dc:creator><![CDATA[Jason Wang]]></dc:creator><pubDate>Mon, 13 Jul 2026 19:28:15 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/362f2bda-a85a-4604-80d3-61e44cc562a7_2400x1350.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>This February, <a href="https://www.westpac.co.nz/about-us/media/mastercard-completes-nzs-first-authenticated-agentic-transactions-with-westpac/">an AI agent bought cinema tickets in New Zealand</a>.</p><p>It used a real debit card through a major bank and Mastercard&#8217;s network. Every participant in the payment chain could see that an agent initiated it, with the cardholder&#8217;s consent.</p><p>A test, not a product. But look at what just happened: the payment rails recognised software as a legitimate actor.</p><p>Most people I speak to expect banking to be one of the last industries to let AI agents near money: too regulated, too risk-averse, too much at stake.</p><p>I&#8217;ve spent twenty-plus years building banking systems, and the last stretch building AI-agent integrations against real banking infrastructure. From that seat, I think the consensus has it backwards. <strong>Banking may be one of the industries closest to useful, tightly controlled agent access.</strong> The reason is the least glamorous thing in fintech: a decade of open-banking compliance work.</p><p>My read: <strong>open banking wasn&#8217;t waiting for its killer app. It was waiting for the AI agent.</strong></p><h2>The groundwork banking already has</h2><p>Banks did not build APIs because they wanted to. Regulators made them &#8212; <a href="https://eur-lex.europa.eu/eli/dir/2015/2366/oj/eng">PSD2</a> in Europe, the <a href="https://www.cdr.gov.au/">Consumer Data Right</a> in Australia, and New Zealand&#8217;s Customer and Product Data Act, whose <a href="https://www.mbie.govt.nz/business-and-employment/business/consumer-data-right/consumer-data-right-policy-design/open-banking">banking designation took effect in December 2025</a>.</p><p>For years, open banking carried an awkward verdict: expensive compliance infrastructure, uncertain returns, no killer app. The criticism was real enough that Australia <a href="https://ministers.treasury.gov.au/ministers/stephen-jones-2022/media-releases/consumer-data-right-expansion-deliver-better-deal">reset its Consumer Data Right partly to address high compliance costs and limited uptake</a>, while <a href="https://www.fca.org.uk/publication/research-notes/open-banking-open-finance-uk.pdf">an FCA research note reported</a> that many account providers still viewed open banking as a compliance obligation, with uncertain revenue potential.</p><p>The &#8220;no impact&#8221; version now goes too far. Open Banking Limited reported <a href="https://www.openbanking.org.uk/insights/open-banking-in-2025-now-part-of-the-uks-everyday-financial-life/">16.5 million user connections by December 2025 and 351 million open-banking payments across the year</a>. The rails are being used. But no single consumer product has made the investment feel inevitable.</p><p>Now look at what that infrastructure produced, through the eyes of someone trying to build an agent channel today:</p><p><strong>1. A consent framework that maps cleanly to agents.</strong> Open banking&#8217;s core mechanic is a customer granting a third party scoped, revocable, auditable access to their accounts &#8212; with consent screens, expiry, and an unambiguous record of who authorised what.</p><p>Swap &#8220;budgeting app&#8221; for &#8220;my AI assistant&#8221; and the framework still holds. The assistant has to arrive through an accredited requestor or a bank-sanctioned channel &#8212; accreditation and liability don&#8217;t vanish &#8212; but that&#8217;s governance work on rails that exist, not invention. Few sectors have a regulator-hardened answer to &#8220;how does software get permission to act for a person?&#8221;</p><p><strong>2. Security standards agents can reuse.</strong> Major open-banking regimes adopted <a href="https://openid.net/wg/fapi/">FAPI</a>-based profiles, and <a href="https://eur-lex.europa.eu/eli/dir/2015/2366/oj/eng">PSD2</a> made Strong Customer Authentication a legal requirement, not a best practice.</p><p>Certified OAuth flows, sender-constrained tokens, strong authentication on sensitive actions: few of the sectors agents are expected to enter first have an equivalent baseline. Banking prepaid much of the security bill that agent access requires.</p><p><strong>3. APIs that map cleanly to tools.</strong> Open-banking standards bodies published <a href="https://standards.openbanking.org.uk/api-specifications/latest/">uniform, versioned specifications</a> &#8212; accounts, transactions, payment initiation &#8212; that participating institutions implement from a shared playbook.</p><p>For anyone building an <a href="https://modelcontextprotocol.io">MCP</a> server (the open protocol that lets assistants like Claude and ChatGPT call external systems), this is a gift: the mapping from open-banking endpoint to agent tool is almost mechanical. I know because I&#8217;ve done it.</p><p><strong>4. Out-of-band confirmation rails customers already know.</strong> SCA pushed banks to build out-of-band approval &#8212; often a push notification: the &#8220;confirm this payment in your app&#8221; moment. That rail is precisely the safety net an agent channel needs: the agent works in one channel, the human approves in another, and prompt manipulation in the first channel can&#8217;t reach into the second &#8212; provided the challenge shows, and binds, the exact payee and amount being approved.</p><p>Now try building that in the industries agents are expected to enter first. A telco, utility, or health provider can&#8217;t assume its customers have installed an authentication-grade app. Many banks already have one because regulation pushed them there.</p><p>Consent, security, standard APIs, out-of-band approval. That&#8217;s not an industry starting from zero on agent readiness. Few industries have already built those capabilities into one regulated, audited stack.</p><p>The rails came first. The actor that needs all four is only now arriving.</p><h2>The market is telling the same story</h2><p>That cinema-ticket demo was the readiness showing on the card rails. The account-access layer is moving too.</p><p>In May, OpenAI <a href="https://openai.com/index/personal-finance-chatgpt/">launched a personal-finance experience inside ChatGPT</a>. Within six weeks it had rolled out to Plus and Pro subscribers in the US, with Plaid connecting more than 12,000 financial institutions. In one product cycle, connecting your bank to an AI assistant became a mainstream product feature.</p><p>Read the fine print, though: the connection is strictly read-only. <a href="https://help.openai.com/en/articles/20001222-finances-in-chatgpt">OpenAI&#8217;s own docs</a> say ChatGPT &#8220;cannot take financial actions&#8221;: it can&#8217;t move money, and it can&#8217;t pay a bill.</p><p>OpenAI wired banks into its assistant, then stopped at the glass. Not because the write path is impossible, but because the write path is a <em>trust</em> product. Whoever owns the interface, it still runs on bank participation and bank-enforced controls: exactly the four rails above.</p><p>And the supply side? Here is the state of play as of July 2026, from my own survey:</p><ul><li><p><strong>Business banking</strong> runs <a href="https://www.meow.com/blog/agent-native-vs-agent-compatible-banking">live agent payments</a> (Meow, Slash) &#8212; API keys and commercial accounts, not consumer channels.</p></li><li><p><strong>Retail banking</strong>: the <a href="https://www.openbankingtracker.com/banks-with-mcp-servers">directory of banks with MCP servers</a> is short and dominated by business platforms and betas; where a consumer can point an assistant at a retail bank at all, it&#8217;s read-only &#8212; one US bank in beta, plus the Plaid path above.</p></li><li><p><strong>Core-banking vendors</strong> are shipping <a href="https://www.nymbus.com/press/nymbus-launches-industry-leading-secure-MCP-server-for-AI-driven-core-banking-actions/">agent tools for bank </a><em><a href="https://www.nymbus.com/press/nymbus-launches-industry-leading-secure-MCP-server-for-AI-driven-core-banking-actions/">staff</a></em>, not customers.</p></li><li><p><strong>The card networks</strong> are piloting <a href="https://www.westpac.co.nz/about-us/media/mastercard-completes-nzs-first-authenticated-agentic-transactions-with-westpac/">authenticated agentic checkout with retail-bank issuers</a> &#8212; the NZ demo above among them &#8212; through network-led identity and control frameworks, not by opening the banks&#8217; own account APIs.</p></li></ul><p><strong>As of July 2026, my survey found no generally available consumer retail-bank product that lets customers connect their own general-purpose assistant and initiate per-payment, human-approved bill payments.</strong> That leaves a strikingly buildable consumer product sitting on rails that already exist.</p><h2>From one-tap approval to bounded mandates</h2><p>Bill-paying is just the entry point. The destination is money that manages itself within bounds you set: an agent that knows the school fees land on the 15th and the mortgage reprices in March; that keeps your transaction account at the float you chose and sweeps the excess into savings; that spots the power bill 40% above normal and asks you about it <em>before</em> paying.</p><p>Not a dashboard telling you what happened &#8212; an agent acting ahead of what&#8217;s coming, tuned to your goals and your calendar.</p><p>Today, that level of proactive, individual attention is mostly reserved for private banking. Agent rails make more of it programmable.</p><p>The consent model matures with it: per-transaction approval first, then bounded standing mandates &#8212; <em>&#8220;keep me between X and Y, ask me about anything outside it&#8221;</em> &#8212; the direct debit of the agent era, with the same property that made direct debit work: the customer sets the bounds, and the bank enforces them.</p><h2>What building it actually teaches you</h2><p>I know the gap is closable because I&#8217;ve built a working prototype against a production-grade core: an MCP server where the agent authenticates as the customer through standard OAuth with explicit consent screens and sees only that customer&#8217;s accounts.</p><p>It can prepare payments. It cannot release them.</p><p>The engineering surprise is how little of the hard work is API plumbing &#8212; point 3 above took care of that. The hard work is trust design, and it concentrates in three places:</p><p><strong>The agent must act as the customer, never as a service account.</strong> Every tool call runs under the customer&#8217;s own identity and scope. One architectural decision, and the bank&#8217;s existing security model remains the foundation &#8212; supplemented by agent-specific controls, not rebuilt.</p><p><strong>The threat model is new even when the APIs aren&#8217;t.</strong> The textbook case: a malicious &#8220;invoice&#8221; email that steers a helpful agent into paying an attacker. Prompt injection, model error on amounts and payees, stolen agent credentials &#8212; none of these are hypothetical, and none are solved at the API layer.</p><p><strong>The answer to both centres on the consent moment.</strong> An agent-initiated payment triggers a step-up challenge to the human&#8217;s phone &#8212; the exact payee and amount, bound to the approval, out-of-band from the agent, one tap to approve or refuse.</p><p>It doesn&#8217;t stand alone. Transaction limits, anomaly detection, and instant revocation back it up, and approval fatigue is a real design problem, not a footnote. But it is the centre of gravity: the agent does the work; the human spends the money.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!w19X!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!w19X!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png 424w, https://substackcdn.com/image/fetch/$s_!w19X!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png 848w, https://substackcdn.com/image/fetch/$s_!w19X!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png 1272w, https://substackcdn.com/image/fetch/$s_!w19X!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!w19X!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png" width="1080" height="1350" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1350,&quot;width&quot;:1080,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:186104,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.jasonwang.ai/i/206902064?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!w19X!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png 424w, https://substackcdn.com/image/fetch/$s_!w19X!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png 848w, https://substackcdn.com/image/fetch/$s_!w19X!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png 1272w, https://substackcdn.com/image/fetch/$s_!w19X!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9254cc62-75dd-41dd-bcaa-8be666fab79b_1080x1350.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>Get that moment right and agent banking is arguably <em>safer</em> than a tired human paying bills at midnight. Get it wrong and the first fraud headline sets the category back years.</p><blockquote><p><strong>The consent moment is the product. Everything else is integration.</strong></p></blockquote><h2>Why a mid-tier bank may move first</h2><p>Here&#8217;s the last twist. My four points are about <em>readiness</em> &#8212; and the big banks have all of it. The harder question is <em>willingness</em>: extending your own account rails to customer agents is a small technical step and a large institutional decision, and large banks typically make those decisions slowly.</p><p>The cinema-ticket demo illustrates the lower-friction path. A top-four bank participated through network-led card rails rather than exposing its own account APIs.</p><p>A mid-tier institution may be able to decide faster. The stack is integration, not invention: an MCP server on the existing core, the open-banking consent and security machinery repointed at a new actor, existing digital onboarding at the end of a new funnel.</p><p>The distribution prize may compound. As discovery moves inside assistants, &#8220;the first bank in the country your AI assistant can actually bank with&#8221; becomes harder to dislodge &#8212; and a potentially meaningful acquisition channel.</p><p>The consensus says banking goes last. The rails say banking goes first. The only question is which bank reads its own infrastructure correctly &#8212; and puts a human tap of approval at the centre of it.</p><p>I&#8217;m building in exactly this space, and there are working demos I&#8217;m looking forward to showing you soon &#8212; an agent preparing real banking actions, with a human approving every one.</p><p>If you work in or around a regulated institution, what would stop this first? Reply or leave a comment. I want to know where this architecture meets the hardest constraint.</p><div><hr></div><p><em>This is the first essay in a series about how AI agents earn authority without taking control. Banking is the first proving ground: consent moments, bounded mandates, threat models, human vetoes, and working demos from inside the build.</em></p><p><em>Jason Wang is a principal architect who has spent twenty-plus years building banking systems and now builds AI-agent integrations against regulated infrastructure.</em></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://www.jasonwang.ai/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div>]]></content:encoded></item></channel></rss>