Banks Built APIs for Regulators. Now They Need Them for AI Agents.

Grasshopper Bank shipped an MCP server in August 2025. Built by their digital banking provider Narmi, it lets business banking clients query account balances and categorize vendor spending through Claude. Read-only access, bank-grade auth, structured data responses. It was the first MCP server launched by a US bank.

Seven months later, only a handful of institutions have followed. Griffin in the UK offers read-write MCP access. Personetics released an MCP server that exposes financial behavior models and predictive analytics to LLM clients. Prometeo built agentic banking infrastructure connecting AI agents to payment rails across Latin America and the US. That’s roughly the full list.

This gap between what’s possible and what’s deployed tells you everything about where agentic banking stands in early 2026.

The protocol layer is ready. The banks are not.

MCP (Model Context Protocol) was open-sourced by Anthropic in November 2024. By December 2025 it had been donated to the Agentic AI Foundation under the Linux Foundation, co-founded by Anthropic, Block, and OpenAI. Every major cloud provider and LLM platform now supports it. The 2026 MCP roadmap, published March 9, focuses on horizontal scaling, enterprise readiness, and better tooling for production deployments.

For banks, MCP matters because it standardizes how AI agents connect to external systems. Instead of building custom integrations for every LLM provider, a bank can expose a single MCP server that any compatible agent can consume. Account data, transaction history, payment initiation, KYC status checks: all available through a consistent protocol with structured permissions and audit trails.

The technical bar is not especially high. If your bank already has REST APIs (and most do, because open banking regulations required them), wrapping those APIs in an MCP server is a well-understood engineering problem. Narmi did it for Grasshopper. Prometeo did it across hundreds of banks in LATAM. The tooling exists.

What’s missing is the institutional decision to do it.

Open banking built the pipes. Agents need to use them.

Most banks treated open banking as a compliance exercise. They built APIs to satisfy PSD2 in Europe, CDR in Australia, or Section 1033 in the US. They set up consent flows, throttled third-party access, and moved on. Ron van Wezel, strategic advisor at Datos Insights, made this point in a recent Camunda session: banks built the pipes, but very little actually happens with the data flowing through them.

Agentic AI changes the economics of those pipes. An AI agent that can access a customer’s transaction data across multiple institutions (with consent) can do things that static dashboards and quarterly reports cannot. Spot a recurring subscription the customer forgot about. Notice that a business client’s payroll deposits dropped 30% month-over-month and flag a cash flow issue before the client calls. Compare FX rates across providers in real time and execute a transfer on the cheapest rail.

These are not hypothetical use cases. Mastercard announced Virtual C-Suite in March 2026, an agentic product that plugs into accounting systems and banking applications to give small businesses CFO-level financial analysis. The first module is a Virtual CFO agent that monitors cash flow and answers natural language questions like “What’s driving this week’s cash swing?” It runs on top of the financial data that open banking already makes available.

The difference between a chatbot and an agent is action. Chatbots answer questions. Agents execute multi-step workflows. For a bank, that distinction maps directly to the API surface: read-only APIs power chatbots, read-write APIs power agents. And read-write is where the value concentrates.

The identity problem nobody is talking about enough

PYMNTS reported in March 2026 on what Security Boulevard calls “non-human identities”: the digital credentials that let AI agents authenticate and interact with banking systems. This infrastructure problem will determine how fast agentic banking scales.

When a human logs into their bank, the identity chain is well understood. Username, password, MFA, session token. When an AI agent acts on behalf of that human, the chain gets complicated. Who authorized this agent? What permissions does it have? Can it initiate a payment, or only read balances? What happens when the agent’s token expires? Who is liable if the agent executes a transfer the customer didn’t intend?

Accenture’s Top Banking Trends for 2026 report recommends that banks establish an agent identity framework with authentication, authorization, and permission controls across operations. BNY Mellon is already building this through their Eliza platform, which lets employees design AI agents with defined task scopes. Capgemini’s World Cloud Report for Financial Services 2026 found that nearly 50% of banks and insurers are creating dedicated roles to supervise AI agents.

Slash, a fintech offering agentic commerce via MCP, shows one approach to solving this. Their MCP server uses RSA-OAEP encryption so agents never see raw card numbers. Write operations create pending requests that require human approval before executing. Every action is logged. It’s a read-propose-approve pattern rather than full autonomy. For banking, that’s probably the right starting point.

What this means for your API strategy

AI agents will interact with your systems. That’s settled. Accenture reports that 57% of banking executives expect AI agents to be fully embedded in risk, compliance, and fraud detection within three years. Another 56% expect broad adoption in credit assessment and KYC.

The open question is whether those agents interact through infrastructure you control, or work around you.

Banks that expose well-designed, permissioned APIs (and eventually MCP servers) get to set the terms: what data agents can access, what actions they can take, how sessions are audited, where human approval gates sit. Banks that don’t will find that fintechs and middleware providers fill the gap and capture the customer relationship in the process.

Three things worth doing now:

Audit your existing open banking APIs for agent readiness. Can they handle high-frequency, programmatic access patterns? Do they return structured data that an LLM can parse without ambiguity? Are rate limits and auth flows designed for machine clients, not just human-driven apps?

Define an agent identity and permissions model. It doesn’t need to be perfect on day one, but you need a framework for granting scoped, time-limited, auditable access to non-human clients. The MCP spec includes tool annotations for read-only vs. destructive operations, which is a reasonable starting taxonomy.

Pick one high-value, low-risk workflow and build an agent integration. Grasshopper started with read-only account queries. That’s a fine place to begin. The point is to learn what breaks when AI agents hit your infrastructure at scale, before you’re forced to discover it in production.

The banks that move first will set the standard

McKinsey’s David Deninzon estimates that 50 to 60 percent of bank FTEs are tied to operations that agentic AI could transform. That number explains why every major consultancy published an agentic banking report in Q1 2026. BCG, McKinsey, Accenture, and Deloitte all see the same opportunity.

But the consultancy reports tend to focus on internal automation: back-office processing, compliance workflows, credit decisioning. The bigger strategic question is external. When your customers’ AI agents can talk to your bank’s systems directly, the API becomes the product. The branch and the mobile app matter less than how well your infrastructure supports autonomous financial workflows.

We track which banks have shipped MCP servers and agentic banking capabilities at the Open Banking Tracker’s agentic banking directory. The list is short today. It won’t stay that way for long.