Konsentus Powering Trust in Open Ecosystems

Agentic AI: And the Evolution of Consent in Open Banking

Agentic AI is transforming how Open Banking services are executed, challenging static PSD2 consent models. This white paper explores how policy-based authorisation, explicit delegation and continuous validation can support secure, accountable agentic execution while preserving trust and regulatory alignment.


1) Executive summary

Agentic AI is beginning to change how Open Banking services are delivered and consumed. Autonomous agents are increasingly able to monitor, decide and act on behalf of users without direct, continuous human involvement. This shift enables new classes of products and services, reduces friction for consumers and allows third party providers to deliver value in more proactive and responsive ways.

At the same time, it challenges assumptions embedded in existing PSD2 consent and authorisation models. Current Open Banking consent standards were largely designed for a world in which activity is initiated by users, occurs in predictable interaction patterns and is executed directly by a regulated third party provider (TPP) using account servicing payment service provider (ASPSP) APIs. Although these standards have evolved over time, they do not yet fully address the implications of delegated and autonomous execution.

This paper explores the limitations of existing consent models in an agentic context, explains why agentic execution changes the risk profile for ASPSPs and outlines how emerging agentic consent models, such as those proposed within OpenID, can extend existing standards in a controlled and transparent way. It argues that Open Banking should be viewed as a continuously evolving trust framework, in which consent and authorisation mechanisms must adapt alongside technology and threat models.

Central to this evolution is the ability to maintain visibility, accountability and regulatory alignment, supported by continuous validation of TPP identity and authorised activities. As a specialist provider of third party provider identity, regulatory verification and Open Banking trust infrastructure, Konsentus works closely with ASPSPs and ecosystem participants to support secure, compliant access to Open Banking APIs, as explored in the importance of thorough TPP checking under PSD2.

2) Introduction: Open Banking as a living trust framework

Open Banking was introduced to promote competition, innovation and consumer choice while maintaining high standards of security and trust. PSD2 established a regulated ecosystem in which third party providers can access ASPSP APIs with customer consent, supported by strong customer authentication and clearly defined liability models, as outlined in Konsentus’ overview of PSD2 and Open Banking.

Since its introduction, Open Banking has not remained static. Security profiles, authentication methods and fraud controls have evolved in response to operational experience, emerging threats and advances in technology. These adaptations reflect an important reality: Open Banking is not a one-off implementation exercise, but a living trust framework that must continue to evolve.

Agentic AI represents the next major inflection point in this evolution. It does not invalidate the foundations of Open Banking, but it does challenge assumptions about how, when and by whom actions are executed. Addressing these challenges requires an extension of existing consent and authorisation models, rather than their replacement, ensuring that trust is preserved as execution models become more autonomous.

3) The rise of agentic AI in Open Banking ecosystems

In a financial services context, agentic AI refers to systems capable of acting autonomously to achieve defined goals within constraints set by humans. Unlike traditional automation, agentic systems can make decisions, adapt behaviour over time and delegate tasks to sub-agents, allowing complex objectives to be achieved with limited ongoing human input.

Third party providers are increasingly exploring agentic approaches to continuously monitor accounts and transactions via ASPSP APIs, optimise financial outcomes on behalf of users, respond automatically to market or account conditions and orchestrate complex workflows across multiple services. These capabilities enable services that are more proactive, personalised and responsive than traditional user-driven models.

In practice, agentic systems are often composed of multiple specialised components. A primary agent may be responsible for achieving a broader objective, such as optimising a user’s cash flow or managing payments, while delegating discrete tasks to sub-agents designed for specific functions.

Sub-agents are typically designed to perform narrowly defined activities, such as monitoring account balances, categorising transactions or executing a payment when specific conditions are met. They operate under tighter constraints and with more limited authority than the primary agent, allowing responsibilities to be distributed in a controlled way.

This decomposition is intentional. By separating responsibilities, third party providers can limit the authority of individual components, reduce the impact of errors and improve auditability. Rather than granting a single system broad access, sub-agents allow permissions to be constrained according to purpose and risk.

As a result, Open Banking API usage becomes increasingly decoupled from direct user interaction, even though the underlying regulatory and consent relationships remain unchanged. This shift has important implications for how activity is monitored, authorised and understood.

4) Changing Open Banking activity patterns

Traditional Open Banking activity is often characterised by short bursts of API calls closely aligned to user actions, such as logging into an application or initiating a payment. These patterns tend to be relatively predictable in timing and frequency, and many monitoring and risk models have been built around these assumptions.

Agentic execution changes this model. Autonomous agents may access ASPSP APIs continuously in the background, monitor payment accounts at regular intervals, act immediately when predefined conditions are met and generate event-driven spikes in activity that are not tied to user sessions.

From an ASPSP perspective, this represents a shift towards more frequent and less predictable legitimate access patterns. Importantly, this does not mean agentic AI is inherently riskier. Rather, it means that traditional behavioural heuristics based on human interaction become less reliable indicators of intent or misuse.

In this environment, understanding why an action is being taken and under what authority becomes as important as observing when it occurs. Visibility into consent and delegation therefore becomes critical to effective monitoring and risk management.
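As an added illustration of this point (example code, not code from the paper or from Konsentus), the following Python compares a session-oriented volume heuristic with a consent-aware check over a constructed ASPSP API access log. The log lines, the consent registry structure with its `resources` and `min_interval` fields, and the thresholds are all assumptions made for the example. They show why the legacy rule flags an agent that is legitimately polling at its declared cadence, while the consent-aware check flags only the single call that falls outside the agent's delegated scope.

```python
"""Constructed example: session-based heuristics versus consent-aware checks.

Added illustration, not code from the Konsentus paper. The log lines, the
consent registry and all thresholds below are constructed assumptions.
"""
import re
from datetime import datetime, timedelta

# One access-log line per API call: timestamp, TPP, acting agent, consent id, request.
LOG_LINE = re.compile(
    r"(?P<ts>\S+) tpp=(?P<tpp>\S+) agent=(?P<agent>\S+) consent=(?P<consent>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)"
)

# Constructed log: a balance-monitoring agent polls every 15 minutes, a payment
# agent acts once, then the balance agent reads a resource it was not delegated.
ACCESS_LOG = """\
2025-03-01T09:00:00Z tpp=KiloAI agent=balance-monitor consent=c-101 GET /accounts/acc-1/balances
2025-03-01T09:15:00Z tpp=KiloAI agent=balance-monitor consent=c-101 GET /accounts/acc-1/balances
2025-03-01T09:30:00Z tpp=KiloAI agent=balance-monitor consent=c-101 GET /accounts/acc-1/balances
2025-03-01T09:45:00Z tpp=KiloAI agent=balance-monitor consent=c-101 GET /accounts/acc-1/balances
2025-03-01T10:00:00Z tpp=KiloAI agent=balance-monitor consent=c-101 GET /accounts/acc-1/balances
2025-03-01T10:00:05Z tpp=KiloAI agent=payment-exec consent=c-101 POST /payments
2025-03-01T10:02:00Z tpp=KiloAI agent=balance-monitor consent=c-101 GET /accounts/acc-1/transactions
"""

# Constructed consent registry: which agents may act under a consent, on which
# resources, and how often they declared they would poll (assumed fields).
CONSENT_REGISTRY = {
    "c-101": {
        "tpp": "KiloAI",
        "status": "active",
        "agents": {
            "balance-monitor": {"resources": {"balances"}, "min_interval": timedelta(minutes=10)},
            "payment-exec": {"resources": {"payments"}, "min_interval": timedelta(0)},
        },
    }
}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip anything that is not an access record
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def session_burst_heuristic(events, window=timedelta(hours=1), max_calls=3):
    """Legacy rule built for human-driven sessions: more than `max_calls` calls
    under one consent within `window` is treated as anomalous.
    Returns the set of flagged consent ids."""
    by_consent = {}
    for e in events:
        by_consent.setdefault(e["consent"], []).append(e["ts"])
    flagged = set()
    for consent, times in by_consent.items():
        times.sort()
        for i, start in enumerate(times):
            if len([t for t in times[i:] if t - start <= window]) > max_calls:
                flagged.add(consent)
                break
    return flagged


def consent_aware_check(events, registry):
    """Judge each call by the authority it claims, not by its volume.
    Returns a list of (event, reason) for calls outside the consent."""
    findings = []
    last_seen = {}
    for e in events:
        consent = registry.get(e["consent"])
        if consent is None or consent["status"] != "active":
            findings.append((e, "consent missing or not active"))
            continue
        if consent["tpp"] != e["tpp"]:
            findings.append((e, "consent belongs to a different TPP"))
            continue
        agent = consent["agents"].get(e["agent"])
        if agent is None:
            findings.append((e, "agent not named in consent"))
            continue
        resource = e["path"].rstrip("/").rsplit("/", 1)[-1]
        if resource not in agent["resources"]:
            findings.append((e, f"resource '{resource}' outside agent scope"))
            continue
        key = (e["consent"], e["agent"])
        prev = last_seen.get(key)
        if prev is not None and e["ts"] - prev < agent["min_interval"]:
            findings.append((e, "polling faster than declared cadence"))
        last_seen[key] = e["ts"]
    return findings


if __name__ == "__main__":
    evts = parse_log(ACCESS_LOG)
    print("session heuristic flags:", session_burst_heuristic(evts))
    for ev, why in consent_aware_check(evts, CONSENT_REGISTRY):
        print(f"{ev['ts'].isoformat()} {ev['agent']} {ev['path']}: {why}")
```

The volume rule flags the whole consent because five calls arrive in an hour with no user present, which is exactly the legitimate pattern described above. The consent-aware pass leaves the polling alone and isolates the one call whose resource was never delegated to that agent.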

5) Where PSD2 consent models begin to fall short

PSD2 consent models were designed with a set of implicit assumptions that are increasingly strained by agentic execution. Consent is typically defined as a fixed scope at a point in time, focused on access to specific payment account data or individual payment initiation and granted to a TPP rather than to specific agents.

These models provide limited ability to express purpose, constraints or delegated authority, and offer limited lifecycle control beyond renewal or revocation. While sufficient for user-driven interaction models, they struggle to reflect more dynamic execution patterns.

In an agentic context, this creates gaps. Consent does not capture who is acting on behalf of the TPP, there is no formal representation of delegation or inheritance, static scopes struggle to align with adaptive behaviour and auditability across distributed execution becomes harder.

These limitations do not reflect failures of PSD2, but rather the fact that the standards were designed for a different execution paradigm. As execution models evolve, consent frameworks must evolve alongside them.

6) Consent evolution in existing PSD2 and Open Banking API standards

It is important to recognise that PSD2 API standards have already evolved in response to operational experience. Across major European Open Banking standards, consent has increasingly been treated as an explicit, managed resource rather than an implicit by-product of authentication.

Standards such as those published by the Berlin Group NextGenPSD2 framework have progressively formalised consent objects as first-class resources within API specifications, with defined lifecycles and clearer links to the PSU.

These developments represent meaningful progress towards more expressive and manageable consent models. However, they largely remain rooted in a single actor assumption, where a TPP acts directly on behalf of a user.

They do not yet provide interoperable mechanisms for representing agent identities, delegated authority chains or machine-readable consent policies that can be progressively constrained across autonomous actors. Agentic execution therefore exposes the next set of limitations that standards must address.

7) Why agentic execution changes the risk profile for ASPSPs

Agentic execution does not remove or transfer regulatory responsibility. ASPSPs remain accountable for protecting payment accounts and managing access to their APIs, regardless of how execution is automated.

However, agentic models change the shape of risk. Execution is increasingly decoupled from user interaction, legitimate automation can resemble anomalous behaviour and delegated execution can obscure accountability without sufficient visibility.

This can amplify existing risks, such as consent misuse or fraud, if ASPSPs lack context about who is acting and under what authority. Conversely, overly restrictive controls risk generating false positives and undermining legitimate innovation.

The challenge is therefore not to restrict automation, but to improve visibility and clarity around delegation, consent and regulatory alignment.

8) From static consent to policy-based authorisation in Open Banking

One way to address these challenges is to reframe consent as a policy rather than a static scope. Policy-based authorisation allows consent to be expressed as a set of rules, constraints and permissions that can be enforced and audited.

These policies can evolve over time, reflecting changes in user intent, risk appetite or regulatory context. In an agentic environment, policies provide a natural mechanism for expressing delegated authority, purpose and constraints, inheritance and limitation, and ongoing lifecycle management.

This approach aligns closely with emerging work within the OpenID Foundation to extend OAuth and OpenID-based authorisation models to better represent delegation, policy constraints and autonomous execution.

9) Agentic consent models for Open Banking

At a high level, agentic consent models introduce three core principles: explicit delegation, inheritance with constraint and visibility of delegated authority.

Explicit delegation ensures authority is passed intentionally and transparently rather than implicitly assumed. Inheritance with constraint ensures that each delegation step is a subset of upstream permissions and cannot expand authority. Visibility ensures ASPSPs can understand who is acting, under whose authority and within which constraints.

Together, these principles form a consent chain. A consent chain describes the sequence of delegated authority from the consumer, through the third party provider and on to agents and sub-agents, with each link constrained by the one above.

For ASPSPs, visibility of the full consent chain provides a coherent view of who is acting, under what authority and within which constraints, even when execution is distributed across autonomous components.

The following diagram illustrates the policy hierarchy and consent chain that underpin agentic consent models.

As shown in the diagram, authority narrows at each layer, from regulatory permission through to task-specific execution, while remaining enforceable by the ASPSP.

A critical element of this model is the relationship between operational consent policies and regulatory authority. National competent authority registers define the regulatory status and authorised activities of third party providers. These registers act as regulatory pseudo-policies that establish the outer boundary within which all operational policies must sit.

Agentic consent models must therefore bridge the gap between the regulatory pseudo-policy defined by the national competent authority and the executable consent policies enforced by the ASPSP’s authorisation infrastructure.

10) Agentic consent in action: a practical Open Banking example

To illustrate how agentic consent models operate in practice, consider a third party provider, KiloAI, which offers autonomous agents to support the management of consumers’ financial activities.

The following example applies the agentic consent model described above to a practical Open Banking use case.

KiloAI is authorised by its national competent authority to provide specific payment services. The regulatory register maintained by that authority defines the activities for which KiloAI holds regulatory authorisation. Any payment services offered by KiloAI must fall within the scope of that authorisation and must not exceed the authority granted by the national competent authority.

This regulatory authorisation acts as a binding outer boundary. It determines the activities that KiloAI is legally permitted to provide and constrains everything that follows, regardless of how services are implemented or automated.

Based on that regulatory boundary, KiloAI defines an operational policy with the ASPSP describing which authorised activities it supports through ASPSP payment account APIs. This policy represents the maximum authority that KiloAI is willing and able to exercise in practice and that the ASPSP is prepared to enforce.

In establishing this policy, the ASPSP aligns KiloAI’s permitted access with authoritative regulatory information held by the national competent authority. This ensures that operational permissions remain bounded by regulatory authorisation and remain suitable for continual reassessment as regulatory status changes.

A consumer chooses to use KiloAI’s service and grants consent for a KiloAI CashFlow Agent to act on their behalf. This Agent is operated by KiloAI and acts under KiloAI’s regulatory authorisation. The consumer’s consent is expressed as a policy that is explicitly bound to the consumer, is a constrained subset of KiloAI’s operational policy and is limited by purpose, scope and conditions defined by the consumer.

This consent becomes the first delegated link in the consent chain.

To perform specific tasks, the KiloAI CashFlow Agent delegates limited authority to one or more sub-agents, also operated by KiloAI. For example, a KiloAI Balance Monitoring Agent may be permitted to monitor payment account balances, while a KiloAI Payment Execution Agent may be permitted to initiate payments only when predefined conditions are met.

Each sub-agent operates under a further constrained policy. Authority is inherited from the KiloAI CashFlow Agent and cannot exceed it. In this way, the consent chain is extended without expanding scope or risk.

For the ASPSP, visibility of the full consent chain provides clarity that:

  • The entity performing the action is known
  • The action is being taken under KiloAI’s regulatory permissions
  • The action is being performed with the consumer’s consent
  • The action is constrained by clearly defined, enforceable policies

At every point, the consent chain remains bounded by the regulatory pseudo-policy defined by the national competent authority and aligned with KiloAI’s current regulatory status. If that status changes, the validity of downstream policies can be reassessed to ensure continued compliance.
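The KiloAI chain above, worked through as an added example in Python (not Konsentus code and not an implementation of any OpenID specification). It models the regulatory pseudo-policy as a constructed register extract, enforces inheritance with constraint at every link from sub-agent up to operational policy, and re-checks the register each time an action is authorised, so that a change in KiloAI's regulatory status, the case raised in the preceding paragraph and again under continuous validation in section 12, invalidates the whole downstream chain. The `Policy` fields, the activity codes `AIS` and `PIS`, the account ids, the PSU id and the condition strings are assumptions made for the example.

```python
"""Constructed model of an agentic consent chain.

Added example, not Konsentus code and not an OpenID specification. The
register extract, Policy fields, activity codes and condition strings are
assumptions chosen to mirror the KiloAI walk-through in the text.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed extract of a national competent authority register. This stands
# in for the authoritative source (and for a verification service); it is the
# regulatory pseudo-policy that bounds everything below it.
NCA_REGISTER = {
    "KiloAI": {"status": "authorised", "activities": frozenset({"AIS", "PIS"})},
}


@dataclass(frozen=True)
class Policy:
    """One link in the consent chain. The root (parent=None) is the TPP's
    operational policy; its holder is the register key."""
    holder: str
    activities: frozenset            # e.g. AIS (account information), PIS (payment initiation)
    accounts: frozenset              # payment accounts this link may touch
    psu: Optional[str] = None        # consumer the link is bound to, once consent is given
    conditions: frozenset = frozenset()  # constraints that must all hold at execution
    parent: Optional["Policy"] = None


def is_constrained_by(child, parent):
    """Inheritance with constraint: a child may only narrow its parent.
    Scopes shrink (subset), the PSU binding is kept, conditions accumulate."""
    return (child.activities <= parent.activities
            and child.accounts <= parent.accounts
            and (parent.psu is None or child.psu == parent.psu)
            and child.conditions >= parent.conditions)


def validate_chain(leaf, register):
    """Walk from the leaf to the operational policy, checking every link, then
    check the root against the register as it stands right now."""
    node = leaf
    while node.parent is not None:
        if not is_constrained_by(node, node.parent):
            return False, f"'{node.holder}' exceeds authority of '{node.parent.holder}'"
        node = node.parent
    entry = register.get(node.holder)
    if entry is None or entry["status"] != "authorised":
        return False, f"TPP '{node.holder}' is not currently authorised in the register"
    if not node.activities <= entry["activities"]:
        return False, f"operational policy of '{node.holder}' exceeds regulatory authorisation"
    return True, "ok"


def authorise(leaf, activity, account, satisfied_conditions, register):
    """ASPSP-side decision for one action requested by the agent holding `leaf`.
    Returns (allowed, reason); the chain is re-validated on every call."""
    ok, reason = validate_chain(leaf, register)
    if not ok:
        return False, reason
    if activity not in leaf.activities:
        return False, f"activity '{activity}' not delegated to '{leaf.holder}'"
    if account not in leaf.accounts:
        return False, f"account '{account}' not within scope of '{leaf.holder}'"
    missing = leaf.conditions - frozenset(satisfied_conditions)
    if missing:
        return False, f"conditions not met: {sorted(missing)}"
    return True, "ok"


# Constructed KiloAI chain: operational policy -> consumer consent -> sub-agents.
OPERATIONAL = Policy("KiloAI", frozenset({"AIS", "PIS"}), frozenset({"acc-1", "acc-2"}))
CASHFLOW_AGENT = Policy("KiloAI CashFlow Agent", frozenset({"AIS", "PIS"}), frozenset({"acc-1"}),
                        psu="psu-alice", conditions=frozenset({"purpose=cashflow"}),
                        parent=OPERATIONAL)
BALANCE_MONITOR = Policy("KiloAI Balance Monitoring Agent", frozenset({"AIS"}), frozenset({"acc-1"}),
                         psu="psu-alice", conditions=frozenset({"purpose=cashflow"}),
                         parent=CASHFLOW_AGENT)
PAYMENT_EXEC = Policy("KiloAI Payment Execution Agent", frozenset({"PIS"}), frozenset({"acc-1"}),
                      psu="psu-alice",
                      conditions=frozenset({"purpose=cashflow", "balance_below_threshold"}),
                      parent=CASHFLOW_AGENT)
# A misconfigured sub-agent whose account scope is wider than its parent's.
OVERREACHING = Policy("misconfigured sub-agent", frozenset({"PIS"}), frozenset({"acc-1", "acc-2"}),
                      psu="psu-alice", conditions=frozenset({"purpose=cashflow"}),
                      parent=CASHFLOW_AGENT)

if __name__ == "__main__":
    met = {"purpose=cashflow", "balance_below_threshold"}
    print(authorise(PAYMENT_EXEC, "PIS", "acc-1", met, NCA_REGISTER))
    print(authorise(PAYMENT_EXEC, "PIS", "acc-1", {"purpose=cashflow"}, NCA_REGISTER))
    print(validate_chain(OVERREACHING, NCA_REGISTER))
    suspended = {"KiloAI": {"status": "suspended", "activities": frozenset({"AIS", "PIS"})}}
    print(authorise(PAYMENT_EXEC, "PIS", "acc-1", met, suspended))
```

Two design choices carry the model's security properties. Conditions accumulate downward (`child.conditions >= parent.conditions`), so a sub-agent can never drop a constraint the consumer attached to its consent, and the register lookup happens inside `authorise` rather than once at consent creation, which is what turns a point-in-time check into continuous validation.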

11) Standards’ currency and operational resilience in Open Banking

The emergence of agentic execution highlights an operational reality that has always existed within Open Banking but is now more pronounced. Neither regulatory permissions nor technical standards are static.

PSD2 API standards across Europe have continued to evolve since their initial publication. Many have moved from implicit consent assumptions towards explicit consent resources with defined lifecycles, recognising the need for improved auditability, transparency and operational control.

Standards published by organisations such as the Berlin Group illustrate this progression through successive iterations of their specifications, particularly in the way consent is treated as a managed, reviewable resource rather than an incidental outcome of authentication.

These developments demonstrate that Open Banking standards are living specifications. They must respond to new execution models, emerging threats and operational experience rather than remaining fixed at the point of initial implementation.

Agentic AI accelerates this need by increasing the scale, frequency and autonomy of API usage. In this context, version drift, partial adoption or delayed updates can create material gaps between regulatory expectations and operational controls.

For ASPSPs, maintaining standards’ currency should therefore be viewed as a core element of operational resilience rather than a compliance exercise completed once.

12) Liability, accountability and continuous validation in Open Banking

Greater transparency into delegation and consent chains does not alter regulatory responsibility. Agents and sub-agents do not hold independent regulatory status. They act under the regulatory authorisation of the third party provider that introduced them to the ecosystem.

While agentic consent models allow ASPSPs to see how authority is delegated and exercised, liability remains anchored to the authorised TPP. Visibility supports oversight and risk management, but it does not transfer responsibility.

This makes continuous validation essential. ASPSPs must be able to bridge the gap between regulatory pseudo-policies defined by national competent authority registers and the operational policies enforced by their authorisation infrastructure.

National competent authority registers are authoritative, but they are not static. Authorisations can change due to licence variation, restriction, suspension or withdrawal. In an agentic environment, reliance on static or point-in-time checks introduces unacceptable risk.

Operational permissions derived from regulatory authority must remain aligned with current regulatory reality.

Services such as Konsentus Verify support this alignment by enabling ASPSPs to confirm third party provider identity, regulatory status and authorised activities, and to re-validate that information at key points, including consent creation and transaction execution, as explored in When AML meets Open Banking.

By supporting continuous validation, these services help ensure that agentic execution remains bounded by regulatory authority, even as consent chains and execution patterns evolve.

13) Looking ahead: trust, explainability and sustainable innovation

As agentic systems become more common, expectations around trust and explainability will increase.

Consumers will expect clarity on how and why agents act on their behalf. Regulators and supervisors will expect stronger audit trails and clearer attribution of responsibility. ASPSPs will need to distinguish legitimate autonomous activity from misuse with confidence.

These expectations cannot be met through proprietary controls alone. They require standards-based approaches that balance innovation with interoperability and regulatory confidence.

Emerging work within the OpenID Foundation to support agentic and delegated consent models reflects this direction of travel. By extending OAuth and OpenID-based authorisation frameworks to better represent delegation, policy constraints and autonomous execution, these initiatives aim to provide common foundations for challenges that extend beyond Open Banking.

Alignment with such cross-industry standards reduces fragmentation and supports consistent implementation across markets.

14) Conclusion: Open Banking is never finished

Agentic AI is reshaping how Open Banking services are executed. Activity is becoming more autonomous, more frequent and less predictable, even as regulatory obligations remain unchanged.

This does not undermine Open Banking, but it does place new demands on consent and authorisation models. Static, point-in-time consent is increasingly misaligned with dynamic execution.

Agentic consent frameworks extend existing standards by supporting explicit delegation, policy-based constraints and full visibility of consent chains. They allow ASPSPs to understand who is acting, under what authority and within which boundaries, without altering established liability models.

Open Banking is not finished. It is an evolving trust framework that must continue to adapt as technology, execution models and threats change.

Maintaining visibility, accountability and continuous validation is essential to that evolution. By bridging the gap between regulatory authority, standards and operational enforcement, the ecosystem can support innovation without compromising trust.

As agentic AI continues to reshape Open Banking, consent, delegation and oversight must evolve in step. Static, point-in-time models are no longer sufficient for a world of autonomous, policy-driven execution. A resilient future depends on clear consent chains, policy-based authorisation and continuous validation of regulatory status and delegated authority. 

Konsentus works with ASPSPs and ecosystem participants to bridge the gap between regulatory registers, evolving standards and real-time operational enforcement. By strengthening third party verification, maintaining standards’ currency and supporting transparent, accountable access to Open Banking APIs, we help ensure that innovation in agentic execution remains securely bounded by trust. Get in touch to explore how we can support your agentic consent readiness and long-term Open Banking resilience. 

Dickie Smith

Head of Product
