Edition #38 regtech

The processing layer no one consented to: why Open Finance now needs a trust layer for AI, not just for data

Consent in the Account Aggregator world governs which data moves. It was never built to govern what an AI agent does with that data after it arrives. That gap is now the most important unregulated surface in Indian finance.

open-financeaccount-aggregatorconsent-architectureagentic-aisahamatiindia-fintech

FinSaAIstra Intelligence | Open Finance and Agentic AI Series | June 2026

Executive Signal

The Account Aggregator framework solved a hard problem: financial data moves only under signed, revocable consent, to entities a regulator accredited. That promise covered the pipe. It never covered the processor. AI agents now sit inside lenders and read consented bank statements to classify income, screen fraud, and recommend credit. The consent that authorised the data said nothing about the agent. This is a processing-accountability problem, and the rails were never designed to see it.

The Consent-Compute Gap — The ungoverned space between the data an Account Aggregator consent authorises an institution to fetch and the AI processing that institution then performs on it, where authorisation ends and accountability disappears.

Verified Market Signals

🧭 The Account Aggregator specification covers consented data flow between providers and users but does not cover the AI processing layer that now reads and acts on that data inside the user’s perimeter. Every agentic underwriting or fraud pilot running today operates in a space the consent artefact does not describe and the regulator cannot currently inspect.

🧭 A framework now proposes four extensions to existing Account Aggregator primitives: Processing-Aware Consent, an Agent Class Registry, signed Processing Receipts, and a Conformance Library, with agentic processing confined to a Trusted Execution Environment the operator cannot read at runtime. The architecture to close the gap is specified and public before it is mandated — the cheapest moment to align procurement and roadmap to it.

🧭 Under the proposed model, deploying a new agentic product shifts from “build a complete governance stack and defend it to the regulator” to “register a class, pass conformance, deploy.” Institutions building bespoke per-product governance now are building a cost the ecosystem is about to socialise.

Source: Sahamati Labs, A Framework for AI Agents in the Account Aggregator Ecosystem, 2026.

Structural Shifts

Per-institution governance → Shared trust infrastructure — Audit logging, consent enforcement, model versioning, and decision traceability stop being rebuilt by each lender and become ecosystem primitives.

Consent to access → Consent to process — The consent artefact declares not just what data may be fetched, but which agent classes may act and what processing is permitted.

Self-attested internal logs → Infrastructure-signed receipts — Evidence of what an agent did is emitted by a runtime the agent cannot suppress, not reconstructed from the institution’s own logs.

Data travels to the model → Model runs where the data lives — Cleartext exists only inside an attested enclave for the life of the consent, not at the institution’s perimeter.

Systemic Implications

The assumption that breaks first: accreditation of the entity equals governance of the processing. An accredited lender running an unobservable agent is compliant on paper and opaque in practice.

This is where systems break: when a customer disputes an agentic credit decision, the lender today defends itself by reconstructing the decision from internal logs that are partial, mutable, and self-attested. That is assertion with a timestamp, not evidence.

Most exposed: the Chief Risk Officer who attests, the grievance function that must answer a customer, and any institution leaning on a third-party service provider whose agent reads raw financial data on infrastructure the institution does not control. Named failure modes: purpose drift, lineage breaks, scope violations, and unregistered processing — none visible until something fails.

The problem is not that agents make wrong calls. It is that wrong calls made on consented financial data are currently unattributable.

CXO Action Layer

Board-level Treat agentic processing of consented data as a distinct risk category with its own oversight, separate from model-governance generally. Ask at every review: for AI decisions made on customer financial data, can we produce externally verifiable evidence of what the agent did, or only our own logs? Make the answer a tracked metric.

Procurement reality Rewrite service-provider terms before the standard arrives. Require that any agent acting on consented data be a registered, certified class, that processing evidence be emitted by infrastructure the vendor cannot alter, and that raw financial data never land on the vendor’s own infrastructure.

Architecture implication Separate the data-access decision from the processing-authorisation decision in your own consent and policy stack now, so you are not re-architecting when processing-aware consent becomes the baseline. Design so agentic processing runs inside an attested boundary and emits signed receipts, rather than running in your perimeter and logging to yourself.

FinSaAIstra Law: In Open Finance, consent that governs data access but not data processing is not consent. It is a blind spot with a signature.