A banking model where approved third parties provide limited financial services on behalf of a bank. The model extends reach beyond branches, but it also expands the trust boundary, so governance must cover agent onboarding, permissions, monitoring, and revocation as carefully as employee access.
Expanded Definition
Agent banking is a distribution model in which a bank authorises third-party locations or individuals to perform limited customer-facing services, such as cash-in, cash-out, account opening support, balance enquiries, and bill payment. The bank retains responsibility for governance, while the agent acts under tightly scoped authority rather than as an independent financial institution. That distinction matters because agent banking is fundamentally about extending the bank’s operational reach without outsourcing accountability.
Definitions vary across jurisdictions on exactly which services an agent may provide, but the security pattern is consistent: the bank must control onboarding, credentialing, transaction limits, supervision, exception handling, and revocation. For NHIMG, the risk lens is identity-centric. Every agent is effectively a delegated identity with a constrained trust boundary, so access should be governed with the same discipline used for privileged third parties, including strong authentication, auditability, and rapid deactivation when risk changes.
Authoritative financial and identity guidance often frames this kind of delegation through assurance and control expectations in NIST AI Risk Management Framework, even though agent banking itself is not an AI concept. The most common misapplication is treating an agent as a low-risk field partner, which occurs when banks issue broad permissions without verifying the exact services, limits, and revocation process attached to that agent role.
Examples and Use Cases
Implementing agent banking rigorously often introduces operational friction, requiring organisations to weigh customer reach against tighter supervision, more frequent reviews, and stronger evidence of control.
- A rural bank appoints local merchants to accept deposits and withdrawals, but caps each agent’s daily volume and requires transaction alerts for unusual activity.
- A microfinance institution uses agents to support account onboarding, while keeping final approval, identity verification, and exceptions with the bank’s central team.
- A bank expands through mobile agents who visit customers on-site, using device-bound credentials and logging every service request for later review.
- An agent relationship is suspended after repeated reconciliation mismatches, showing why revocation needs to be immediate, not scheduled for the next review cycle.
- A financial institution maps agent access to a zero-trust style operating model, where trust is never implied by location and each service action is revalidated against policy. Guidance on delegated access and adversarial abuse patterns is increasingly discussed alongside resources such as the OWASP Agentic AI Top 10 and the CSA MAESTRO agentic AI threat modeling framework, even though the business model predates agentic AI.
Why It Matters for Security Teams
Agent banking expands the attack surface because the bank is no longer securing only employees and core systems. It must also secure third-party people, devices, physical points of service, and the procedures that bind them to the bank’s authority. The central security question is not whether the agent is trusted in a business sense, but whether the agent’s identity, permissions, and activity remain continuously bounded. That makes onboarding quality, least privilege, monitoring, and revocation non-negotiable control points.
This model also creates a governance bridge to identity security. If an agent is compromised, coerced, or over-permissioned, the bank can inherit fraud, data leakage, and customer harm through a pathway that looks operational but behaves like privileged delegated access. The same logic appears in modern AI governance, where delegated execution must be constrained, logged, and recoverable. NHI Management Group treats that as a control design issue, not a mere vendor-management issue. The most relevant control thinking is reinforced by the NIST AI Risk Management Framework, the MITRE ATLAS adversarial AI threat matrix, and the NIST AI Risk Management Framework when translated into delegated-access governance.
Organisations typically encounter the real cost of weak agent banking controls only after fraud, unauthorised withdrawals, or a disputed transaction wave, at which point identity revocation and transaction traceability become operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST AI RMF and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Defines identity and access governance needed for delegated third-party banking access. |
| NIST SP 800-63 | IAL2 | Identity proofing strength matters when onboarding external agents into bank workflows. |
| OWASP Non-Human Identity Top 10 | Agent banking mirrors non-human delegation risks around scoped credentials and revocation. | |
| NIST AI RMF | Provides governance language for bounded, accountable delegation and monitoring. | |
| NIST SP 800-53 Rev 5 | AC-2 | Account management controls map directly to agent onboarding, modification, and removal. |
Use account lifecycle controls to provision, restrict, and disable agent access quickly.