Banking has a protocol problem.
A risk analyst at a tier-one bank submits a credit decision request. The answer requires querying the core banking system, pulling transaction history from the data warehouse, checking the sanctions database, retrieving the customer's KYC documents, running the credit scoring model, cross-referencing the regulatory capital requirements, and coordinating with the compliance agent to verify the decision is within policy bounds.
Eight systems. Multiple AI agents. Dozens of custom API integrations — each built separately, each maintained separately, each a point of failure in a regulatory environment where failures have legal consequences.
This is the integration debt that most BFSI AI initiatives are currently buried under. And it is exactly what MCP and A2A were built to solve — at the protocol level, not the application level.
This is the complete implementation guide for deploying MCP and A2A in production BFSI agentic systems — from the architecture rationale to the compliance considerations to the specific patterns that work in regulated financial environments.
Table of Contents
- Why BFSI Needs Protocol-Level Standards
- MCP in BFSI: Connecting Agents to Financial Systems
- A2A in BFSI: Connecting Agents to Each Other
- The Regulatory Layer: DORA, EU AI Act, and Basel III
- BFSI Architecture: The Complete Reference Stack
- Implementation Pattern 1: Credit Decision Automation
- Implementation Pattern 2: Fraud Detection and Response
- Implementation Pattern 3: Regulatory Reporting
- Implementation Pattern 4: Wealth Management Advisory
- Security Architecture for Financial Agent Networks
- Observability and Audit Requirements
- Implementation Roadmap and Decision Framework
1. Why BFSI Needs Protocol-Level Standards
The IMF published a formal note in April 2026 on how agentic AI will reshape payments. Its central technical finding: MCP standardizes agents' access to external data and tools, while A2A protocols enable interoperability and coordination among agents developed by different vendors. The x402 standard builds on HTTP 402 and allows agents to embed payment requirements directly within HTTP requests, enabling automatic negotiation of paid services.
This tripartite stack — MCP for tool connectivity, A2A for agent coordination, x402 for payment negotiation — is not an academic proposal. It is the emerging infrastructure of financial services automation in 2026, documented by the IMF, adopted by PayPal and major payment networks, and backed by every major AI provider through the Linux Foundation's Agentic AI Foundation.
The scale context: BCG research identifies banking and fintech as the industries with the highest concentration of AI leaders. Nearly half of financial institutions already report regular use of advanced AI systems. The adoption of agentic architectures is accelerating as institutions seek differentiation through automation at scale.
Without protocol standards, financial institutions face three compounding problems.
The first is the N times M integration problem. A bank with 15 AI agents and 40 financial data sources needs 600 custom integrations. Each breaks when either side updates. Each represents a compliance surface that must be independently audited. MCP reduces this to 55 connections — 15 agents plus 40 MCP servers, each built and audited once.
The second is the cross-vendor agent coordination problem. A credit decisioning workflow may involve an LLM from Anthropic, a risk scoring model from a specialist vendor, a KYC verification agent from a compliance technology provider, and an internal fraud detection system. Without A2A, coordinating these systems requires custom orchestration code that is brittle, opaque to auditors, and impossible to replace without a full rewrite. A2A makes each agent replaceable without rewriting the coordination layer.
The third is the auditability problem. DORA, effective January 17, 2025, requires EU financial institutions to continuously monitor and control ICT systems with management-level accountability. AI agent decisions affecting customers, transactions, or regulated outcomes must be logged, classified, and reportable. Protocol-level standardization makes this tractable — when every agent interaction follows a defined wire format, audit logging can happen at the protocol layer rather than being bolted onto each application individually.
2. MCP in BFSI: Connecting Agents to Financial Systems
MCP is the vertical layer — it connects each AI agent downward to the tools, data sources, and systems it needs to interact with. In BFSI, these systems are more numerous, more sensitive, and more tightly regulated than in almost any other industry.
MCP reached 97 million monthly SDK downloads by late 2025 and has been adopted by every major AI provider: Anthropic, OpenAI, Google, Microsoft, and Amazon. The April 2026 shift is that the ecosystem is now acting like real infrastructure — registries, working groups, auth, task lifecycle, and enterprise rollout are getting more serious attention than protocol hype. The three-layer AI protocol stack — MCP for tools, A2A for agents, WebMCP for web access — is becoming the consensus architecture for enterprise deployments.
The BFSI MCP Server Taxonomy
Every financial data source or system capability becomes an MCP server. The taxonomy for a typical tier-two bank implementation:
Core Banking MCP Server exposes account balances, transaction history, product holdings, and customer relationship data. This is the most sensitive server in the stack and requires the most rigorous access control — row-level security ensuring each agent only sees the customer records its task authorizes.
Credit Intelligence MCP Server exposes credit bureau data, internal credit scores, debt-to-income calculations, and credit limit recommendations. This server must be flagged as a high-risk AI use case under the EU AI Act, requiring additional transparency and human oversight mechanisms.
Sanctions and AML MCP Server exposes real-time sanctions screening, PEP checks, adverse media monitoring, and AML alert queues. Every call to this server must be logged with immutable timestamps — this is not optional observability but a regulatory compliance requirement.
Market Data MCP Server exposes real-time and historical price data, volatility surfaces, yield curves, and benchmark rates. Latency requirements for this server are significantly tighter than others — sub-100ms for trading applications.
Document Intelligence MCP Server exposes document parsing, OCR, entity extraction from financial documents, and KYC document verification. This server wraps the bank's document management system and handles the unstructured data layer that other servers do not cover.
Regulatory Capital MCP Server exposes Basel III/IV capital adequacy calculations, RWA data, LCR and NSFR metrics, and regulatory limit monitoring. This server is read-heavy — agents query it to verify that proposed decisions comply with capital constraints before acting.
Communication MCP Server exposes customer communication channels — email, SMS, secure messaging — and handles delivery tracking, consent verification, and communication preference checking. No agent sends customer communications without routing through this server.
The MCP Wire Format in BFSI Context
A credit decisioning agent querying customer transaction history through MCP:
{
"jsonrpc": "2.0",
"method": "tool.call",
"params": {
"tool": "core_banking_api",
"action": "get_transaction_history",
"arguments": {
"customer_id": "CUST-8847291",
"period_months": 24,
"include_categories": ["income", "regular_commitments", "irregular_debits"],
"requesting_agent": "credit_decision_agent",
"authorization_context": "CREDIT_ASSESSMENT_WORKFLOW_CR-20260608-001"
}
},
"id": 1
}
The authorization_context field is not in the base MCP spec — it is a BFSI extension that links every tool call to the specific workflow and regulatory purpose that authorized it. This linkage is what makes the audit trail coherent: a compliance officer reviewing the audit log can trace every data access back to the specific customer interaction and business decision that justified it.
BFSI-Specific MCP Security Requirements
Standard MCP security is insufficient for financial services. Three additional layers are required in production.
Mutual TLS for all MCP connections. Standard HTTP with bearer tokens is acceptable for low-sensitivity applications. In BFSI, every connection between MCP client and MCP server must use mTLS — both sides present certificates, both sides are verified. This is the minimum standard for connections touching regulated financial data.
Role-based tool authorization at the MCP server level. Not every agent should have access to every tool on every MCP server. A customer service agent should be able to read account balances but not initiate transfers. A fraud detection agent should be able to read transaction patterns but not modify credit limits. MCP server-level RBAC enforces this regardless of what the calling agent requests — the server rejects tool calls that the calling agent's role does not authorize.
Data minimization in tool responses. MCP servers should return the minimum data required for the tool's stated purpose. A credit assessment query should not return the customer's full transaction history — it should return the summarized income and commitment data the credit model needs. Returning excess data creates unnecessary exposure and complicates GDPR compliance.
3. A2A in BFSI: Connecting Agents to Each Other
A2A is the horizontal layer — it connects AI agents to other AI agents. In BFSI, this is where the most complex and high-value automation lives, because financial workflows are inherently multi-agent: credit decisions involve risk, compliance, and customer agents simultaneously; fraud response involves detection, investigation, and remediation agents in sequence; regulatory reporting involves data collection, validation, and submission agents in a governed pipeline.
A2A launched in April 2025 with 50-plus supporting companies including Salesforce, PayPal, Atlassian, and major consulting firms including Accenture, BCG, Deloitte, McKinsey, and PwC. IBM's Agent Communication Protocol merged into A2A in August 2025. A2A v1.0.0 was released in April 2026, stabilizing the specification for enterprise adoption.
The A2A Agent Card in BFSI
Every A2A-compliant agent publishes an Agent Card at a well-known endpoint. In BFSI, Agent Cards carry additional metadata beyond the base specification:
{
"name": "Credit Decision Agent",
"version": "2.3.1",
"description": "Evaluates retail credit applications against lending policy and regulatory requirements. Returns credit decisions with full rationale and confidence scores.",
"url": "https://agents.internal.bank/credit-decision",
"regulatory_classification": {
"eu_ai_act_risk": "HIGH",
"requires_human_oversight": true,
"oversight_threshold_gbp": 50000,
"regulated_activity": "CREDIT_ASSESSMENT",
"fca_registration": "FCA-AI-2026-00471"
},
"capabilities": {
"streaming": true,
"human_in_the_loop": true,
"audit_trail": "IMMUTABLE",
"data_residency": "EU_ONLY"
},
"skills": [
{
"id": "retail-credit-assessment",
"name": "Retail Credit Assessment",
"description": "Assesses retail credit applications up to 500,000 GBP against current lending policy. Returns decision, rationale, confidence score, and required disclosures.",
"input_schema": "CreditApplicationSchema_v4",
"output_schema": "CreditDecisionSchema_v4",
"avg_completion_seconds": 8,
"human_review_required_above_gbp": 50000
}
],
"authentication": {
"schemes": ["oauth2_client_credentials", "mtls"],
"required_scopes": ["credit.read", "customer.read"]
}
}
The regulatory_classification block is essential for BFSI A2A implementations. Any orchestrating agent consuming this Agent Card immediately knows that this agent is a high-risk AI system under the EU AI Act, requires human oversight for decisions above 50,000 GBP, and operates under a specific FCA registration. These constraints are machine-readable — the orchestrator can enforce them programmatically rather than relying on implementation-level guardrails.
A2A Task Lifecycle in Financial Workflows
A2A tasks progress through defined states: submitted, working, input-required, completed, canceled, and failed. The input-required state is particularly significant in BFSI — it is the protocol-level implementation of human-in-the-loop oversight. When a credit decision agent encounters a boundary condition that exceeds its autonomous authority, it transitions the task to input-required and surfaces the decision context to a human reviewer through a defined interface. The task resumes from exactly that state when the reviewer responds.
This is not a workaround. It is a first-class protocol feature designed for exactly the regulatory requirement that high-risk AI systems in financial services must support human oversight at defined decision points.
4. The Regulatory Layer: DORA, EU AI Act, and Basel III
Before implementing any agentic system in BFSI, three regulatory frameworks define the non-negotiable constraints.
DORA — Digital Operational Resilience Act
Effective January 17, 2025, DORA applies to all EU financial institutions and sets strict requirements for ICT systems including AI. Banks must assess AI failures under their incident classification process where they affect service availability, data integrity, confidentiality, authenticity, customers, or critical functions. Agentic workflows need documented fallback procedures, recovery objectives, and third-party exit plans — especially when they depend on a single LLM, cloud provider, or orchestration vendor.
The practical DORA requirement for MCP and A2A implementations: every agent interaction must be logged with sufficient detail to reconstruct what happened during an incident, classify the severity, and report it to regulators within required timeframes. Protocol-level audit logging at the MCP and A2A layers is the architectural implementation of this requirement.
EU AI Act
Creditworthiness assessment and credit scoring are explicitly listed as high-risk AI use cases under the EU AI Act. This means any AI agent involved in credit decisions — including agents that feed information into credit decisions without making them directly — must satisfy requirements for human oversight, transparency, and technical documentation. The regulatory_classification block in Agent Cards is the machine-readable declaration of these requirements.
Basel III and Model Risk Management
AI agents used in credit assessment, market risk calculation, or capital adequacy modeling are subject to model risk management requirements. This means model documentation, validation, backtesting, and ongoing performance monitoring — applied not just to the underlying ML models but to the agentic systems that deploy them.
The compliance architecture principle: regulatory compliance in agentic BFSI systems is most tractable when it is implemented at the protocol layer rather than the application layer. MCP servers that enforce data minimization and authorization, A2A Agent Cards that declare regulatory classifications, and audit logs generated from protocol-level events — these provide compliance coverage that scales across all agents rather than requiring each application to implement compliance controls independently.
5. BFSI Architecture: The Complete Reference Stack
The reference architecture for a production BFSI agentic system in 2026:
HUMAN OVERSIGHT AND GOVERNANCE LAYER
|-- Compliance Dashboard
|-- Human Review Queue (A2A input-required tasks)
|-- Audit Log Viewer
|-- Regulatory Reporting Interface
|
v
ORCHESTRATION LAYER (A2A Horizontal)
|-- Customer Journey Orchestrator
|-- Risk Workflow Orchestrator
|-- Regulatory Reporting Orchestrator
|
A2A Protocol (HTTPS + JSON-RPC 2.0 + mTLS)
|
------+----------------------------------------
| | | |
v v v v
CREDIT FRAUD COMPLIANCE WEALTH
DECISION DETECTION AGENT ADVISORY
AGENT AGENT AGENT
| | | |
MCP (vertical) MCP (vertical) MCP(vertical) MCP(vertical)
| | | |
+----+---------+---------+----+-------+-------+
| | |
v v v
CORE BANKING SANCTIONS MARKET DATA
MCP SERVER AML SERVER MCP SERVER
| | |
v v v
Core Banking Sanctions Market Data
System Database Feed
Every agent uses MCP downward to its specialized financial data sources and every agent uses A2A horizontally to coordinate with peer agents. The human oversight layer sits above everything — accessible through A2A task state management rather than bolted on as an afterthought.
6. Implementation Pattern 1: Credit Decision Automation
The credit decision workflow is the highest-value and highest-risk automation in retail banking. It is also the pattern that most clearly demonstrates why both MCP and A2A are needed simultaneously.
The Workflow
A customer applies for a 25,000 GBP personal loan through the bank's digital channel. The following sequence executes entirely through the MCP and A2A stack:
Step 1 — Application intake. The Customer Journey Orchestrator receives the application via A2A task submission from the digital channel agent. It validates the application schema and routes to the Credit Decision Agent.
Step 2 — Data gathering via MCP. The Credit Decision Agent uses MCP to call four servers in parallel: Core Banking for 24-month transaction history, Credit Intelligence for bureau data and internal score, Sanctions for PEP and watchlist screening, and Document Intelligence to verify the submitted income documents.
Step 3 — Risk assessment coordination via A2A. The Credit Decision Agent sends an A2A task to the Fraud Detection Agent requesting a fraud risk score for this application. Simultaneously it sends an A2A task to the Compliance Agent requesting confirmation that the proposed loan terms comply with responsible lending requirements.
Step 4 — Decision synthesis. When both A2A tasks complete, the Credit Decision Agent synthesizes the bureau data, transaction analysis, fraud score, and compliance confirmation into a credit decision with rationale and confidence score.
Step 5 — Human oversight gate. This loan is below the 50,000 GBP human review threshold in the Agent Card. The decision proceeds automatically. The full decision rationale is logged immutably against the application reference.
Step 6 — Outcome delivery. The Credit Decision Agent returns the decision to the Customer Journey Orchestrator via A2A. The orchestrator calls the Communication MCP Server to deliver the decision to the customer through their preferred channel.
End-to-end elapsed time: 6 to 12 seconds for a decision that previously required 24 to 48 hours.
The architecture delivers this without a single custom integration between any two systems. Every connection is through a standard protocol. The audit trail — which DORA requires — is generated automatically at every protocol boundary.
7. Implementation Pattern 2: Fraud Detection and Response
Fraud detection in banking is a naturally multi-agent problem. Detection, investigation, customer communication, and remediation are four distinct capabilities requiring four distinct agents — and they must coordinate in real time, often within the time window of a suspicious transaction.
The Workflow
A transaction monitoring system flags a 3,400 GBP card transaction as anomalous — unusual merchant category, unfamiliar geography, atypical amount for this customer.
Step 1 — Alert routing. The fraud monitoring infrastructure sends an A2A task to the Fraud Detection Agent with the transaction details and the anomaly signals that triggered the flag.
Step 2 — Enrichment via MCP. The Fraud Detection Agent calls five MCP servers in parallel: Core Banking for the customer's 90-day transaction pattern, the AML Server for any related alerts in the current period, the Market Data Server for merchant category intelligence, the Core Banking Server for the customer's device and location history, and the Document Intelligence Server for any recent account changes.
Step 3 — Multi-agent risk assessment via A2A. The Fraud Detection Agent sends an A2A task to the Compliance Agent to check whether the transaction pattern triggers any AML reporting thresholds. It simultaneously sends an A2A task to the Customer Intelligence Agent requesting the customer's current travel declaration status and recent contact history.
Step 4 — Decision and action. Based on the enriched risk picture, the Fraud Detection Agent determines this transaction exceeds the autonomous block threshold. It calls the Core Banking MCP Server to place a temporary hold on the card, then sends an A2A task to the Customer Communication Agent to send a real-time fraud alert with verification request via the customer's preferred channel.
Step 5 — Resolution routing. If the customer confirms the transaction is genuine, the Customer Communication Agent returns the confirmation via A2A and the Fraud Detection Agent calls Core Banking to release the hold. If the customer reports fraud, the A2A task routes to the Case Management Agent for investigation workflow initiation.
Elapsed time from flag to customer notification: under 90 seconds. Previous process: hours to days depending on manual queue depth.
8. Implementation Pattern 3: Regulatory Reporting
Regulatory reporting is one of the highest-cost, lowest-visibility functions in banking operations. A large bank may file hundreds of regulatory reports across multiple jurisdictions monthly, each requiring data from dozens of source systems, complex calculations, and multiple validation passes before submission.
The Workflow
End-of-month LCR (Liquidity Coverage Ratio) report generation for a mid-tier bank:
Step 1 — Report orchestration. The Regulatory Reporting Orchestrator receives a scheduled trigger via A2A and dispatches tasks to four specialist agents: Data Collection Agent, Calculation Agent, Validation Agent, and Submission Agent — each with defined dependencies enforced by A2A task state management.
Step 2 — Data collection via MCP. The Data Collection Agent calls the Regulatory Capital MCP Server for current RWA data, the Core Banking MCP Server for cash flow projections, the Market Data MCP Server for current haircuts on HQLA assets, and the Core Banking MCP Server for stressed outflow calculations.
Step 3 — Calculation via A2A coordination. The Calculation Agent receives the assembled data via A2A task result and executes the LCR calculation. Where the calculation touches model outputs — stress scenarios, behavioral assumptions — it calls the relevant model MCP servers to retrieve current approved parameters rather than using hardcoded values.
Step 4 — Validation. The Validation Agent receives the calculated report via A2A and performs three checks: internal consistency validation against prior periods, regulatory threshold verification, and reconciliation against source system controls. Any failed validation transitions the A2A task to input-required, surfacing the exception to the regulatory reporting team for resolution.
Step 5 — Submission. Once validation passes, the Submission Agent receives the final report via A2A and calls the Regulatory Submission MCP Server — which wraps the bank's regulatory portal connection — to file the report. The submission confirmation and timestamp are logged immutably.
Elapsed time: 2 to 4 hours for a report that previously took 3 to 5 days of analyst time. Error rate: reduced from a documented 3 to 8 percent manual error rate to under 0.5 percent through systematic validation.
9. Implementation Pattern 4: Wealth Management Advisory
Wealth management is where the personalization potential of agentic AI in BFSI is highest — and where the regulatory constraints around investment advice are most stringent.
The Workflow
A high-net-worth client asks their digital wealth assistant: "Given current market conditions and my upcoming house purchase in six months, should I rebalance my portfolio?"
Step 1 — Context assembly via MCP. The Wealth Advisory Agent calls the Core Banking MCP Server for the client's liquidity position, the Market Data MCP Server for current portfolio valuations and market conditions, and the Document Intelligence MCP Server for the client's latest Investment Policy Statement and suitability assessment.
Step 2 — Specialist analysis via A2A. The Wealth Advisory Agent dispatches three parallel A2A tasks: to the Market Analysis Agent for current macro environment assessment relevant to the client's holdings, to the Tax Optimization Agent for any tax implications of proposed rebalancing, and to the Risk Assessment Agent to verify the proposed rebalancing remains within the client's documented risk tolerance.
Step 3 — Recommendation synthesis. When all three A2A tasks return, the Wealth Advisory Agent synthesizes a rebalancing recommendation with full rationale, tax impact assessment, and liquidity timeline analysis.
Step 4 — Suitability gate. Before delivering the recommendation, the agent calls the Compliance MCP Server to verify the recommendation passes the bank's suitability assessment against the client's current profile. This is a non-negotiable gate — MiFID II requires that investment recommendations be appropriate for the client's circumstances and documented as such.
Step 5 — Human advisor loop. For clients above the private banking threshold, the recommendation routes to the A2A input-required state and is surfaced to the client's relationship manager for review before delivery. The relationship manager can approve, modify, or reject — the A2A task resumes from the review decision.
10. Security Architecture for Financial Agent Networks
Financial agent networks present a larger attack surface than any previous enterprise software architecture. Several security patterns are non-negotiable in BFSI deployments.
Agent identity and authentication. Every agent in the network must have a machine identity — not just a service account but a cryptographically verifiable identity bound to the agent's software version and deployment context. Agents authenticate to each other via OAuth 2.0 client credentials with short-lived tokens. A compromised agent should not be able to impersonate other agents or access systems beyond its authorized scope.
Prompt injection defense at the MCP boundary. In financial agent networks, prompt injection attempts can come through any channel where untrusted content reaches the agent — customer messages, document contents, database records. MCP servers should sanitize and structure their outputs before returning them to the calling agent, rather than passing raw external content directly into the agent's context. The MCP server is the appropriate boundary for content sanitization.
Least privilege at every layer. Each MCP server enforces its own authorization — the calling agent's identity determines which tools it can call and which data it can access. Each A2A agent publishes its authorization requirements in its Agent Card. No agent should have access to tools or data beyond what its defined role requires for its defined tasks.
Immutable audit logging. Every MCP tool call, every A2A task submission, every A2A task state transition, and every human oversight intervention must be logged to an append-only audit store. DORA requires that these logs be available for regulatory inspection and incident investigation. The logs must be tamper-evident — write-once storage with cryptographic integrity verification.
Circuit breakers for agent loops. Agentic systems can enter failure loops — an agent that keeps retrying a failing tool call, or two agents that keep delegating the same unresolvable task back and forth. Both MCP and A2A implementations should enforce circuit breakers: maximum retry counts per tool call, maximum task duration, and deadlock detection at the orchestration layer.
11. Observability and Audit Requirements
DORA and the EU AI Act together create specific observability requirements that go beyond standard application monitoring.
What must be logged:
Every MCP tool call with the calling agent identity, tool name, input parameters (sanitized of PII), output summary, latency, and authorization context linking to the business workflow. Every A2A task with submission timestamp, all state transitions with timestamps, the agent identities involved, the task payload schema, and the completion outcome. Every human oversight intervention with the reviewer identity, the decision made, the rationale provided, and the timestamp. Every agent-initiated customer communication with the content, channel, delivery status, and customer consent status at time of delivery.
Log retention requirements:
Under DORA, ICT-related incident records must be retained for a minimum of five years. Under GDPR, records containing personal data must not be retained longer than necessary for the stated purpose. These two requirements create a tension that must be resolved through log design — audit records that reference the business event without embedding the personal data, with separate personal data records that can be deleted independently on GDPR schedule.
Observability tooling:
OpenTelemetry instrumentation at both the MCP and A2A protocol layers generates traces that can be consumed by standard observability platforms. Every MCP tool call becomes a trace span. Every A2A task becomes a root span with child spans for each state transition. This trace structure makes it possible to reconstruct the complete causal chain of an agent-driven decision from the initial customer input to the final action taken — which is precisely what DORA incident investigation requires.
12. Implementation Roadmap and Decision Framework
Phase 1 — Foundation (Weeks 1 to 6)
Start with MCP. Choose one high-value, lower-risk data source and build the MCP server for it. The Core Banking MCP Server is the right starting point for most institutions — it is the most broadly needed by downstream agents and its security model is well-understood. Establish the security baseline: mTLS, RBAC, immutable audit logging. Do not build any agents yet. Validate the MCP server against your security and compliance review process before proceeding.
Phase 2 — First Agent (Weeks 7 to 12)
Deploy one agent against the Phase 1 MCP server. Fraud detection or regulatory data collection are both good choices — they are high-value, relatively self-contained, and do not require human oversight gating in their initial form. Instrument the agent with OpenTelemetry. Establish your observability baseline. Run in shadow mode — generating outputs but not acting on them — before enabling live actions.
Phase 3 — Multi-Agent Coordination (Weeks 13 to 20)
Add A2A coordination between two agents. The credit decision pattern — with the Credit Decision Agent coordinating with the Fraud Detection Agent via A2A — is the right first multi-agent workflow for most retail banking institutions. Implement the human oversight gate at the protocol level using A2A input-required state before this phase goes live.
Phase 4 — Scale and Governance (Weeks 21 and beyond)
Add MCP servers for additional data sources and agents for additional workflows. Establish the Agent Registry — a catalogue of all deployed agents, their Agent Cards, their regulatory classifications, and their version histories. Implement automated compliance checking against the Agent Registry as part of your CI/CD pipeline.
The decision framework for prioritizing workflows:
High-value workflows with well-defined data requirements and clear regulatory compliance paths should be first. Fraud detection, regulatory reporting, and straight-through credit processing for standardized products satisfy all three criteria. Workflows requiring significant human judgment, operating in grey areas of regulatory guidance, or depending on data sources with poor quality or availability should come later — after you have established the operational discipline to manage agentic systems responsibly.
Closing Thought
The credit decision that used to take 24 to 48 hours and eight manual system queries now takes 8 seconds through a protocol-native agentic stack.
The regulatory report that took 3 to 5 days of analyst time and had a 3 to 8 percent error rate now takes 2 to 4 hours with under 0.5 percent errors.
The fraud alert that used to reach a customer hours after a suspicious transaction now reaches them in 90 seconds — before the fraudster has had time to use the card again.
These are not projections. They are the documented outcomes of the agentic BFSI implementations that informed this guide.
MCP and A2A are not new toys for financial services technology teams to evaluate. They are the protocol infrastructure on which the next decade of financial services automation will be built. The institutions that are implementing them now — carefully, with compliance built into the architecture rather than bolted on — are building a compounding operational advantage.
The institutions that are waiting are accumulating integration debt that will be harder to pay down with every quarter that passes.
Sources
- IMF Note 2026/004 — How Agentic AI Will Reshape Payments. April 2026. MCP, A2A, and x402 in payments infrastructure.
- Neontri — Agentic AI in Banking: 2026 Implementation Guide. DORA compliance, EU AI Act high-risk classification, Basel III model risk.
- DEV Community — MCP vs A2A: The Complete Guide to AI Agent Protocols in 2026. March 2026. Three-layer protocol stack architecture.
- Zylos Research — Agent Interoperability Protocols 2026: MCP, A2A, ACP and the Path to Convergence. March 2026. Enterprise deployment patterns.
- BuildMVPFast — 2026 AI Engineer Stack: MCP plus A2A Protocol Guide. April 2026. 97 million monthly MCP SDK downloads. A2A v1.0.0 release.
- Medium / Aftab — MCP and A2A: The Protocols Building the AI Agent Internet. February 2026. Adoption velocity, partner ecosystem.
- arXiv:2306.02781 — Automated Survey of Generative AI: LLMs, Architectures, Protocols, and Applications. A2A protocol specification and Agent Card architecture.
- arXiv:2601.02371 — Permission Manifests for Web Agents. MCP and A2A as complementary web interoperability standards.
- BCG Research — Banking and Fintech AI Leadership Index. 2025. Nearly half of financial institutions report regular advanced AI use.
- Linux Foundation Agentic AI Foundation — MCP and A2A governance documentation. December 2025.
- Boomi — What Is MCP, ACP, and A2A. November 2025. Enterprise integration patterns.
Top comments (2)
The BFSI angle makes the protocol split easier to reason about. MCP feels like the controlled tool/data surface, while A2A is closer to cross-agent delegation and accountability. In regulated systems, I would want both layers to emit boring audit events before I trusted any impressive orchestration demo.
Some comments may only be visible to logged-in visitors. Sign in to view all comments.