Your money, their agent: What could go wrong?
Imagine this: Your personal finance “agent” wakes up at 9:31 a.m., checks the market, and—because the index is trading above a threshold you set—it moves $500 into a money market fund. Later that afternoon, it pays your contractor after verifying job photos and sends $50 to a friend when their rideshare receipt hits your inbox. No taps. No waiting. Just quiet automation doing what you told it to do.
Convenience is accelerating. As software shifts from recommending to executing, the risk profile changes. What follows: brief background, implications for finance and financial crime, practical red flags, and considerations for leaders.
Background: Agentic AI, finance vs. commerce
Agentic artificial intelligence (AI) systems can plan, decide, and act with limited human intervention. Within that umbrella, we distinguish two domains:
- Agentic commerce: AI agents acting for consumers in retail contexts—finding, buying, returning, and managing purchases on their behalf. It’s transactional and price/fulfillment driven.
- Agentic finance: AI agents orchestrating broader financial workflows—opening accounts, moving funds, investing, paying bills, and reconciling records—often across multiple institutions. It’s about managing end‑to‑end financial journeys.
Both rely on application programming interfaces (APIs), delegated permissions, and increasingly real‑time payment rails, including cards, and digital wallets. Programmatic tokens and smart contracts can support certain use cases with programmable, instant settlement, but they are not a prerequisite for autonomy. The key shift is that agents become decision executors across both legacy and modern rails.
Two simple scenarios illustrate the change:
- “Invest $X in a money market fund if the S&P 500 closes above Y; otherwise invest toward bonds.”
- “Send $50 to Alex when today’s rideshare receipt hits my inbox.”
What this means for finance and the financial crimes risk picture: when agents execute, familiar controls encounter unfamiliar behavior
Automation can fragment activity into thousands of small, 24/7 steps, stressing thresholds tuned to human behavior.
Knowing the customer is necessary but no longer sufficient. Companies need to “know the agent”—who built it, what data and tools it uses, what it’s allowed to do, and how its behavior differs from its principal’s patterns. Treat “agent identity” as a primary risk component.
Prompt injection, compromised plugins/connectors, and mis-scoped API keys can push agents off-policy without any device compromise.
Automated routing and sparse counterparty details complicate real-time sanctions and name screening across cards, Automated Clearing House (ACH), Real-Time Payments (RTP), and tokenized flows.
Transaction monitoring (TM) and sanctions programs must adapt:
1
2
3
Impacts beyond financial crime will also surface:
- Disputes and accountability: Where is the line between authorizing an agent and owning the outcome? Expect pressure on chargebacks, Regulation E under the Electronic Fund Transfer Act (Reg E), Uniform Commercial Code Article 4A (UCC 4A), and card‑network rules as “authorized by agent” meets “disputed by customer.”
- Third‑party risk management (TPRM): As firms rely on external agents and plugins, interagency TPRM expectations and model/AI risk governance will apply across the agent lifecycle.
In the United States, Bank Secrecy Act (BSA) expectations remain unchanged—effective, risk‑based anti‑money laundering/countering the financing of terrorism (AML/CFT) programs; customer identification; sanctions compliance; and suspicious activity reports (SARs). The Financial Crimes Enforcement Network (FinCEN) continues to emphasize effectiveness and modernization, and federal banking agencies expect robust model/AI oversight and third‑party governance. Globally, FATF standards (including the Travel Rule), the European Union’s (EU) Markets in Crypto‑Assets regulation (MiCA), and United Kingdom (UK) initiatives are shaping the perimeter. There is no special carveout for agents—yet. Build as if existing rules apply, because they do.
Red flags to monitor
Focus on sequences and the agent’s “fingerprint” (credentials, tools, timing), not isolated events:
1
Always‑on cadence: Round‑the‑clock activity with bursty micro‑transactions atypical for the customer.
2
Orchestration sprawl: Rapid opening of multiple accounts/wallets coordinated by the same agent identity or API key, often across institutions.
3
Micro‑structuring: Many small transfers just under thresholds, sequenced to evade velocity and amount limits across rails.
4
Tool‑use anomalies: Sudden calls to new or unvetted plugins/APIs; call graphs that diverge from approved workflows.
5
Agent‑to‑agent loops: Transfers with no clear business purpose or circular flows across platforms.
6
Prompt‑injection aftermath: Off‑policy actions shortly after ingesting untrusted content (emails, web pages, sites).
7
Credential drift: API keys used from unfamiliar geographies/devices, at impossible times, or with expanded scopes not previously granted.
8
Dormant to hyperactive: Immediate, high velocity behavior after onboarding without corresponding human signals.
9
Token flow flags (when relevant): Frequent cross chain bridges, rapid in/out to high risk exchanges, or interaction with obfuscation services.
What leaders should do next:
Set direction and accountability first. Draw a line between agentic finance (end-to-end financial workflows) and agentic commerce (consumer retail transactions) and name a single executive owner with authority across product, engineering, risk, and compliance. Define your risk appetite and customer authorization model up front. Then establish “Know Your Agent”: treat each agent as a real identity that is distinct from the customer—know who built and operates it, what data and tools it uses, what it is allowed to do, and how to shut it off quickly. Fold this into existing customer due diligence and third-party governance so accountability is unambiguous.
Next, put hard rails around money movement and upgrade your detection to match automation. Codify clear boundaries (what an agent can do, with whom, how fast, and how much) and require human approval for high-risk actions. Modernize surveillance to recognize agent driven patterns and keep sanctions and name screening effective across all payment rails, not just the newest ones. Make decisions explainable with immutable logs, and align dispute handling so “authorized by agent” is understood and defensible. Learn safely—pilot contained, high-value automations—then scale only when controls consistently protect customers and the company.
Agentic finance and commerce are inevitable because they are useful. The firms that thrive will recognize “agent identity” as a new risk object, adapt monitoring and sanctions programs to automation patterns, and hard‑code sensible guardrails before volume arrives. Build now—while the stakes are still small.
Meet our team
