AI agents moving money expose a bank-security problem that login screens were never built to solve: the party entering the account may look exactly like the customer, while actually being software acting on the customer’s behalf.

AI Agents Crack Open Banks' Money-Moving Blind Spot
XOOMAR Intelligence
Analyst Take
That was the warning from Chris Ward, head of enterprise payments at Truist, and Meena Athinathan, banking lead at Cognizant, during American Banker's Digital Banking conference in Orlando, according to American Banker. Their argument was direct: banks built fraud and identity controls around humans, not autonomous tools using a customer’s own credentials.
The issue is no longer theoretical. Robinhood launched agentic trading and an agentic credit card in May, while Mastercard’s Agent Pay lets approved agents make card transactions. That puts banks in a new position. They don’t just need to know whether the password, device and login are valid. They need to know whether the software behind the action is authorized, limited and doing what the customer actually intended.
Why bank customers should care before AI agents get payment authority
The risk is shifting from fake-bank phone calls to valid-looking digital actions. Banks have spent years teaching customers to hang up on suspicious callers and dial the number on the back of the card. AI agents flip that problem. The account access may be real. The device may be familiar. The instruction may still be wrong.
Ward framed the fraud fight as structurally lopsided:
"We have to stop every transaction that is fraudulent getting through," Ward said. "The fraudsters just have to get one through."
The stakes are already high without agentic payments. U.S. consumers reported losing $12.5 billion to fraud in 2024, a 25% increase from the prior year, with investment scams accounting for $5.7 billion, according to the Federal Trade Commission's Consumer Sentinel Data Book cited by American Banker. The FBI's Internet Crime Complaint Center put total 2024 losses above $16.6 billion.
XOOMAR analysis: AI agents moving money make those numbers more troubling because they blur the core fraud question. If a customer authorizes software to act, and that software initiates a transaction, the bank may see a valid customer action even when the outcome is not what the customer wanted.
For context on how financial software is already taking more routine work away from manual processes, see XOOMAR’s coverage of digital banks with accounting integrations. The same convenience logic is now moving closer to payment authority.
Chatbots answer questions, AI agents act with credentials
A chatbot can explain a balance. An AI agent can take steps toward a goal. That distinction matters in banking because action creates liability. A tool that only gives information is annoying when it gets something wrong. A tool that can trade, pay or move funds can create losses.
American Banker’s report cites tools that are already moving into this territory. Robinhood’s agentic accounts isolate funds, set hard spending limits and include a one-tap kill switch. Mastercard’s Agent Pay allows approved agents to make card transactions. These are not generic customer-service bots sitting inside a bank app. They are software actors with delegated authority.
The identity puzzle has several layers. Athinathan said banks need to confirm four things:
- Human identity: Is this the right customer?
- Agent identity: Is this the right agent acting for that customer?
- Permission: Does the agent have authority to act?
- Intent: Did the customer actually mean for the agent to do this specific thing?
That last point is the hard one. A traditional login check can say someone got in. It cannot always prove that the customer meant for an agent to execute a particular transaction at a particular moment.
Login-based fraud controls break at the intent layer
The weak link is not always authentication. It is intent verification. Ward said he had recently built working agents in about ten minutes and doubted his own bank’s systems would identify the activity as anything other than him. That is the core danger: software using the customer’s phone, internet address and login can look like the customer.
Athinathan pointed to aging systems as part of the problem, especially identity checks done only at login and limits on how freely banks can share fraud signals with one another. Her proposed response included breaking down internal silos, pooling intelligence across the industry and adding AI-driven monitoring that weighs probabilities rather than relying only on rigid yes-or-no checks.
Here is the contrast banks now face:
| Old fraud assumption | AI-agent problem |
|---|---|
| A human logs in and clicks | Software may log in and act |
| Identity check happens at access | Intent must be checked at action |
| Suspicious behavior may look unusual | Agent behavior may mimic the customer |
| Customer approval is the key signal | Delegated authority complicates approval |
The strongest counterpoint is that banks already have some models for controlled software access. Ward said corporate treasury systems give software limited, logged authority to move money through direct connections. That matters. It shows the industry is not starting from zero.
But consumer AI agents are a different risk surface because they may operate in more varied contexts and with less institutional oversight. Ward’s own warning captured the boundary:
"It's not going to be a 'just let the agents rip' kind of thing," he said.
The plane-ticket problem exposes the liability gap
The hardest question is who pays when the agent is wrong. Chana Schoenberger, American Banker’s editor-in-chief and the panel moderator, used a simple example:
"What if the agent comes back to me and says, 'I bought the plane ticket you wanted,' but that's a hallucination?" asked Schoenberger. "I get to the airport. There's no ticket. Whose fault is that?"
That example is useful because it strips away technical noise. The customer asked for an outcome. The agent claimed to complete it. The bank or payments provider may have processed something that looked legitimate. Yet the customer is left with a failed result.
Robinhood has put one answer into the market. Its agentic accounts keep money in a separate account, let customers set hard spending limits and include a one-tap shutoff. But its terms also put risk on the user, who assumes "all risk for orders placed by your AI agent," according to American Banker.
XOOMAR analysis: That model may work as an early controlled experiment, especially with separated funds and spending limits. It is less likely to settle the broader banking question. If AI agents moving money become common across banks, cards and fintech apps, the industry will need rules that customers can understand before a dispute starts.
For a separate view of how fast AI risk can outrun policy responses, XOOMAR has covered dangerous AI models and Washington’s regulatory scramble. The parallel is not identical, but the timing problem is similar: technology ships before accountability is fully defined.
Agent money movement needs narrower permissions, not blanket trust
Banks need a permission model built for agents, not a workaround bolted onto customer logins. Athinathan’s “know-your-agent” idea points in that direction. The bank should know the customer, the agent, the agent’s scope and the customer’s specific intent.
A safer model would borrow from what Ward described in corporate treasury: limited authority, logged actions and bank-set boundaries. Based on the panel’s remarks, the core controls should include:
- Separate agent authority: The agent should not simply inherit the full power of the customer’s login.
- Spending limits: Customers and banks need hard caps before money moves.
- Action logs: Banks need records showing what the agent did and under what permission.
- Kill switches: Customers need a fast way to shut the agent off.
- Risk scoring: Monitoring has to evaluate probabilities, not just pass or fail at login.
The strongest counterpoint is user friction. If every agent action triggers a fraud alert, customers may avoid the feature or disable protections where they can. But the opposite choice is worse. A system that treats autonomous software like a normal customer click invites confusion at the exact moment money leaves the account.
Rules will be written by design or after accidents
Banks are running out of time to decide how AI agents moving money should be authenticated, limited and disputed. Ward expects regulation to arrive through "a new set of accidents." That is a blunt forecast, but it matches the panel’s core concern: the market is already testing agentic transactions while liability remains unsettled.
Athinathan said banks should route agents through a controlled “choke point” until regulators set clearer rules. That phrase matters. A choke point gives banks a place to verify identity, apply limits, monitor behavior and stop activity before losses spread.
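As an added illustration (not code from XOOMAR, the panelists or any bank), the sketch below shows how such a choke point could enforce the controls listed earlier (separate agent authority, hard caps, action logs, a kill switch) together with a per-action intent check. The `Grant`, `ChokePoint` and `approve` names, the HMAC-based approval scheme and all sample values are assumptions made for this example; risk scoring is left out.

```python
import hashlib, hmac, json
from dataclasses import dataclass

@dataclass
class Grant:                  # delegated authority, separate from the customer's login
    customer_id: str
    scopes: frozenset         # action types this agent may perform
    per_txn_cap: int          # hard cap per action, in cents
    total_cap: int            # hard cap across the whole grant, in cents
    spent: int = 0
    revoked: bool = False     # kill switch state

def approve(key: bytes, intent: dict) -> str:     # customer-side MAC over one intent (assumed scheme)
    return hmac.new(key, json.dumps(intent, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ChokePoint:
    def __init__(self, customer_keys: dict):
        self.keys, self.grants, self.used, self.log = customer_keys, {}, set(), []

    def authorize(self, agent_id: str, action: dict, intent: dict, tag: str) -> str:
        decision = self._check(self.grants.get(agent_id), action, intent, tag)
        if decision == "allow":
            self.grants[agent_id].spent += action["amount"]
            self.used.add(tag)                    # one approval covers exactly one action
        self.log.append({"agent": agent_id, "action": action, "decision": decision})
        return decision

    def _check(self, g, action, intent, tag) -> str:
        amt = action.get("amount")
        if g is None: return "deny:unknown_agent"
        if g.revoked: return "deny:revoked"
        if action.get("type") not in g.scopes: return "deny:out_of_scope"
        if not isinstance(amt, int) or amt <= 0: return "deny:bad_amount"
        if amt > g.per_txn_cap: return "deny:over_txn_cap"
        if g.spent + amt > g.total_cap: return "deny:over_total_cap"
        if not hmac.compare_digest(approve(self.keys[g.customer_id], intent), tag):
            return "deny:intent_not_approved"     # intent altered or never approved
        if tag in self.used: return "deny:intent_replayed"
        same_target = all(action.get(k) == intent.get(k) for k in ("type", "payee"))
        if not same_target or amt > intent.get("max_amount", 0): return "deny:intent_mismatch"
        return "allow"

def demo() -> list:                               # constructed sample values throughout
    key = b"constructed-demo-key"
    cp = ChokePoint({"cust-1": key})
    cp.grants["agent-7"] = Grant("cust-1", frozenset({"card_payment"}), 50_000, 100_000)
    intent = {"type": "card_payment", "payee": "airline-x", "max_amount": 45_000, "nonce": "n1"}
    pay = {"type": "card_payment", "payee": "airline-x", "amount": 42_000}
    return [cp.authorize("agent-7", pay, intent, approve(key, intent)) for _ in range(2)]
```

Every decision, denials included, is appended to the log, and the second identical payment in `demo()` is refused as a replay even though the agent, scope and limits are all still valid.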
At the end of the session, Ward and Athinathan were asked to choose the biggest security threat to banks over the next year: AI-enabled fraud, internal systems that cannot talk to one another, or unclear rules and regulations. Ward answered, "AI is absolutely the biggest." Athinathan also chose AI.
The practical takeaway is narrow but urgent. AI agents can make banking faster, but banks should not treat them as ordinary users with better automation. Before these tools get broad authority to move money, banks need to prove three things on every sensitive action: who is acting, what that actor was allowed to do, and whether the customer truly meant it.
Disclaimer: This XOOMAR analysis is for informational and educational purposes only. It is not financial, investment, legal, tax, or professional advice. It does not provide buy, sell, hold, price-target, portfolio, or personalized recommendations. Verify information independently and consult qualified professionals before making decisions.
Impact Analysis
- AI agents could make payments or trades that appear legitimate even when they do not reflect the customer’s true intent.
- Banks’ existing fraud systems were designed around human authentication, not autonomous software using valid credentials.
- Fraud losses are already rising, with U.S. consumers reporting $12.5 billion lost in 2024.
Bank Security Challenge: Human Logins vs. AI Agents
| Traditional Banking Controls | AI Agent Payment Risk |
|---|---|
| Verify the customer using passwords, devices and login patterns | Determine whether software acting for the customer is authorized and limited |
| Fraud often involves impersonation or stolen credentials | Transactions may look valid because they use the customer’s own access |
| Customer intent is assumed once authentication succeeds | Banks must verify whether the agent’s action matches customer intent |
[Chart: Reported U.S. Consumer Fraud Losses in 2024]
Disclaimer: Content on XOOMAR is produced using AI-assisted research, drafting, and verification workflows and is intended for informational and educational purposes only. It does not constitute financial, investment, legal, tax, medical, or professional advice of any kind. All analysis reflects available information at the time of publication and may not be current. Verify information independently and consult qualified professionals before making decisions.
Written by
XOOMAR Insights Team
Research and Editorial Desk