For something launched in November, the Model Context Protocol (MCP) has begun amassing a large number of users, all but guaranteeing the mass adoption needed to make it an industry standard. 

But there is a subset of enterprises that are not joining the hype for now: regulated industries, especially financial institutions. 

Banks and other enterprises offering access to loans and financial solutions are not strangers to AI. Many have been pioneers in machine learning and algorithms, even playing an essential role in making the idea of investing using robots extremely popular. However, it doesn’t mean financial services companies want to jump into the MCP and Agent2Agent (A2A) bandwagon immediately. 

While many regulated companies, such as banks, financial institutions, and hospitals, have begun experimenting with AI agents, these are typically internal agents. Regulated companies do have APIs. Still, so much of the integration these companies undertake has taken years of vetting to ensure compliance and safety. 

“It’s very early days in a quickly accelerating domain, but there are some fundamental building blocks that are missing, at least as standards or best practices related to interoperability and communication,” said Sean Neville, cofounder of Catena Labs. “In the early days of the web, there was no e-commerce because there was no HTTPS, and no way to transact securely, so you can’t build Amazon. You need these basic building blocks in place, and now those building blocks on the web exist, and we don’t even think about them.”

Increasingly, enterprises and AI platform providers are establishing MCP servers as they develop multi-agent systems that interact with agents from external sources. MCP provides the ability to identify an agent, allowing a server to determine the tools and data it has access to. However, many financial institutions want more assurance that they can control the integration and ensure only approved tasks, tools, and information are shared.

John Waldron, senior vice president at Elavon, a subsidiary of U.S. Bank, told VentureBeat in an interview that while they are exploring the use of MCP, there are a lot of questions around the standard. 

“There are not a lot of standard solutions emerging, so we are still exploring a lot of ways to do that, including maybe doing that connection without an MCP exchange if the agent technology is common between the two and it’s just two different domains,” Waldron said. “But, what is the traceability of the data exchange without another exposure in that message? A lot of what’s happening within MCP evaluation right now is figuring out if the protocol is just handling the exchange and doesn’t provide any further risk leakage. If it is, then it’s a viable path we’ll explore for handling that exchange.”

Models and agents are different

Financial institutions and other regulated businesses are no strangers to AI models. After all, much of passive investing grew when roboadvisers—where algorithms made decisions on financial planning and investments with little to no human intervention—became popular. Many banks and asset managers invested early in natural language processing to enhance document analysis efficiency. 

However, Salesforce Vice President and General Manager of Banking Industry Solutions and Strategy, Greg Jacobi, told VentureBeat that some of their financial clients already have a process in place to assess models, and they’re finding it challenging to integrate AI models and agents with their current risk scenarios. 

“Machine learning and predictive models fit pretty well with that risk framework because they’re deterministic and predictable,” Jacobi said. “These firms immediately take LLMs to their model risk committees and found that LLMs produce a non-deterministic outcome. That’s been an existential crisis for these financial services firms.”

Jacobi said these companies have risk management frameworks where, if they give inputs to models, they expect the same output every time. Any variances are considered an issue, so they require a method for quality control. And while regulated companies have embraced APIs, with all the testing involved there, most regulated entities “are afraid of openness, of putting out something so public-facing” that they cannot control. 

Elavon’s Waldron, however, doesn’t discount the possibility that financial institutions may work towards supporting MCP or A2A in the future. 

“Looking at it from a business perspective and demand, I think MCP is a very critical part of where I think the business logic is going,” he said. 

Waldron said his team remains in the evaluation stage and “we haven’t built a server for pilot purposes yet, but we’re going to see how to handle that bot-to-bot exchange of messages.”

Agents can’t KYC another agent

Catena Lab’s Neville said he is watching the conversation around interoperability protocols like MCP and A2A with great interest, especially since he believes that in the future, AI agents will be as much of a customer for banks as human consumers. Before starting Catena Labs, Neville cofounded Circle, the company that established the USDC stablecoin, so he has firsthand experience with the challenges of bringing new technology to a regulated business. 

Since MCP is open source and new, it is still undergoing constant updates. Neville said that while MCP offers agent identification, which is key for many companies, there are still some missing features, such as guardrails for communication and, most importantly, an audit trail. These issues could either be solved through MCP, A2A or even an entirely different standard like LOKA. 

He said one of the biggest problems with the current MCP revolves around authentication. When agents become part of the financial system, even MCP or A2A, there’s no real way to do “know-your-customer” on agents. Neville said financial institutions need to know that their agents are dealing with licensed entities, so the agent must be able to point to that verifiably. 

“There needs to be a way for an agent to say, ‘this is who I am as an agent, here’s my identity, my risk and who I am operating on behalf of.’ That verifiable identity in a way all these different agentic frameworks can understand would be key.”