Voice AI for Banking and Financial Services in 2026

Banking is the second-largest voice AI vertical after support, and it’s the highest-stakes one for compliance. Every call touches non-public personal information, every transaction is a regulated event, and every recorded turn is an artifact regulators can subpoena. The five production-ready workflows in 2026 are account servicing, fraud verification, loan qualification, payment processing, and dispute intake. The hard part isn’t picking the runtime. It’s the eval, guardrail, and audit layer that lets the deployment ship.

TL;DR (the five production banking workflows)

1. Account servicing. Balance inquiry, recent transactions, simple transfers. Largest volume, highest containment.
2. Fraud verification. Outbound transaction confirmation, inbound card lock, dispute initiation. Time-sensitive, identity-sensitive.
3. Loan qualification. Pre-screen, document collection prompts, application status. Structured capture, long-horizon.
4. Payment processing. Bill pay, scheduled transfers, payee management. PCI-scoped where cards are present.
5. Dispute resolution intake. Capture the dispute details, set expectations, route to the right team.

The runtime layer is Vapi, Retell, ElevenLabs Agents, LiveKit, or Pipecat. The eval, observability, simulation, and guardrail layer is Future AGI. The dedicated section below explains how that lands.

Why banking is harder than general support

Four constraints make banking voice fundamentally different from generic customer support.

First, every call is in scope for SOC 2, GLBA, and depending on the workload, PCI-DSS. The control surface is wider than support. Vendor risk reviews are deeper. The audit cadence is annual at minimum and continuous for the most regulated workflows.

Second, identity verification is the gate to every transaction. The agent has to know who it’s talking to before it can do anything. Caller ID is not enough. Knowledge-based authentication adds friction. Voice biometrics is the trend but it carries its own audit surface. Whatever pattern you pick, it has to be uniform across the call path or social engineers will find the soft spot.

Third, the audit trail isn’t optional. Every action the agent takes has to be reconstructable: who called, when, what they asked, what the agent said, what tool calls fired, what the customer of record now sees. The trace has to survive the call, the QA cycle, and the regulator’s request three years later.

Fourth, the cost of a single bad call is asymmetric. A wrong balance read is a customer service issue. An unauthorized transfer is a regulator filing. The guardrail layer has to assume the worst case on every turn.

Workflow 1: account servicing

This is the highest-volume workflow at most retail banks. Balance inquiry, last-five-transactions read-back, internal transfer between linked accounts. Bounded scope, fast resolution, the workflow most likely to deflect successfully.

Design pattern

The agent opens with identity verification (the bank’s standard layered auth). After identity is confirmed, the agent reads back the action menu (balance, transactions, transfer, something else). For balance, the agent reads the available balance and offers to read the ledger balance. For transactions, the agent reads the last five with date, merchant, and amount. For transfers, the agent confirms source, destination, and amount, then asks for explicit voice confirmation before executing.

Eval rubrics

• task_completion: did the agent complete the action.
• conversation_resolution: was the call resolved without transfer.
• is_polite and is_helpful: tone and CSAT proxies.
• pii: catch the agent from echoing back full account numbers or SSN digits beyond policy.
• is_compliant: did the agent stay within scope.

A 500,000-call/month account-servicing workflow typically lands above 75% containment after six to eight weeks of post-launch tuning. The contained-call savings are denominated in agent minutes, which translates directly to operational expense.

Workflow 2: fraud verification

Fraud verification has two flavors. Outbound: the agent calls a customer when the fraud system flags a suspicious transaction. Inbound: the customer calls to lock a card, dispute a charge, or report a lost card. Both flavors are time-sensitive and identity-sensitive.

Outbound pattern

The agent calls the customer, identifies itself and the bank, asks the customer to confirm or deny the flagged transaction, and acts on the response. Confirm: release the hold. Deny: lock the card, initiate the dispute, schedule a replacement card. The script has to handle the customer’s natural anxiety (caller is being asked about a possibly fraudulent transaction on their own account) without giving them a phishing tell.

Inbound pattern

The customer calls. Identity verification is the first step. The agent confirms the reason for the call (lock card, dispute charge, report lost). For lock, the agent confirms the card last-four and locks it. For dispute, the agent captures the transaction details and routes to the dispute team. For lost-card report, the agent locks and schedules a replacement.

Guardrail rubrics

This workflow needs every Protect rubric on every turn:

• pii: no echoing of full card numbers, account numbers, or SSNs.
• data_privacy_compliance: policy-class privacy violations are flagged.
• is_compliant: the agent stayed within the disclosure-required script.
• prompt_injection: the agent did not respond to injection attempts.

The agent must read the bank’s standard fraud-disclosure prompt every call. Drift on disclosure language is a regulator filing. Score every call on prompt_adherence against the canonical disclosure text.

ProtectFlash on the critical path

from fi.evals import Protect

p = Protect()
out = p.protect(inputs=test_case)

ProtectFlash is the single-call binary classifier mode of Future AGI Protect. It returns harmful/not-harmful in one API call rather than running per-rule loops. The Gemma 3n foundation with LoRA-trained adapters per arXiv 2510.13351 is fast enough that the inline check fits inside a sub-1-second voice budget. Run ProtectFlash on every turn. Run rule-based Protect on every Nth turn for richer eval signal.

Workflow 3: loan qualification

Loan qualification is the long-horizon workflow on this list. The agent runs a pre-screen conversation (income, employment, intended loan use, desired amount, credit-pull consent), captures the structured data into the loan origination system, and either schedules a follow-up with a loan officer or sends a document-collection link.

Design pattern

The conversation is templated by loan product (mortgage, auto, personal, small business). Each section has a prompt, an expected schema, and a validation step. Disclosure language for credit pull, fair lending, and consumer protection is read verbatim at the appropriate points. The structured output feeds the LOS.

Eval rubrics

• task_completion: the pre-screen covered all required sections.
• is_compliant: the disclosure-required script was followed.
• prompt_adherence: the agent did not paraphrase the disclosure language.
• is_factually_consistent: the summary-back of captured data matches what the customer said.

Loan qualification is where most banks introduce custom evaluators on top of the built-ins. The custom evals encode the bank’s specific policy on what the agent can and cannot say (preliminary qualification language, no rate quotes outside a quoted range, no commitment to lend). FAGI’s ai-evaluation supports custom evaluators authored by an in-product agent: describe the policy in plain English, the agent produces a runnable evaluator.

Workflow 4: payment processing

Bill pay, scheduled transfers, and payee management. The PCI-scope question dominates this workflow.

PCI-scope minimization

If the workflow touches card data (PAN, CVV), the recording path is in scope. The standard mitigation is suppress-and-tokenize: when the agent needs a card number, it hands off to a PCI-compliant capture pane (DTMF or third-party tokenization). The recording is paused during capture. The token comes back. The recording resumes.

If the workflow only touches account data (already in scope under GLBA, not PCI), the recording stays continuous. The agent can confirm the source account last-four and the destination payee, but never reads back full account numbers.

Eval rubrics

• task_completion: payment processed.
• pii: no echoing of sensitive identifiers.
• is_compliant: the agent stayed within payment scope.
• prompt_injection: the agent did not respond to injection attempts during payment.

Workflow 5: dispute resolution intake

The agent captures the dispute (transaction details, what happened, customer’s expected resolution), sets expectations (timeline, evidence needed, callback), and routes to the dispute team. The hard part is the customer is usually frustrated. Tone matters more than usual.

Eval rubrics

• is_polite: tone in the face of customer frustration.
• task_completion: the dispute was captured with the required fields.
• conversation_resolution: the customer understood the next steps.
• is_compliant: the agent set realistic expectations per Reg E or Reg Z timelines.
• tone: no defensive, dismissive, or sales-toned responses.

Identity verification across the call

Three layers, each with its own trade-off.

Layer 1: ANI and caller ID

Fast, free, low-confidence. Use as a routing signal, not as authentication.

Layer 2: KBA

Knowledge-based questions. The agent asks two or three questions from a bank-managed question pool. The friction is real (customers do not always remember their KBA answers). The audit-defensibility is strong.

Layer 3: voice biometrics or OTP push

For high-risk actions (large transfer, payee add, card lock), require an additional factor. Voice biometrics matches the live audio against a stored voiceprint. OTP push sends a code to the customer’s enrolled phone or banking app. Each carries its own audit surface and its own bypass policy.

The agent never echoes back the answers to KBA or the OTP. Run pii and data_privacy_compliance on every turn that touches identity data.

The voice stack: runtime selection for banking

The five-runtime field narrows by call volume, latency requirement, and compliance posture.

Retell for hosted latency

For high-volume retail banking (10,000+ inbound calls per day), Retell’s hosted pipeline lands first-response p50 around 600ms on US-East. SOC 2 Type II ships as standard. DPAs and BAAs available on the enterprise tier.

Vapi for BYO model flexibility

For banks routing across multiple LLMs (cheap for FAQ, premium for fraud), Vapi’s BYO routing wins. Native SIP, broad telephony integration, OpenInference tracing via traceAI.

ElevenLabs for premium brand voice

For private banking, wealth management, or premium consumer banking where the voice brand matters, ElevenLabs Agents lands the best voice quality. Custom cloned voices with consistent identity across languages.

LiveKit for engineering-heavy banks

If your bank has the engineering bench to assemble the audio pipeline, LiveKit’s open-source plus cloud option gives full control. Dedicated traceai-livekit pip package for OpenInference tracing.

Pipecat for Python-native deployments

Daily’s open-source voice framework. Strong async primitives, pipeline-as-code in Python. Dedicated traceAI-pipecat package.

How Future AGI fits the banking voice stack

Future AGI is the eval, observability, simulation, and guardrail layer underneath all five runtimes. The five products map cleanly to the banking workload.

traceAI for distributed tracing

30+ documented integrations across Python and TypeScript, OpenInference-compatible, Apache 2.0. Every banking call becomes a trace with ASR span, retrieval span (KBA lookup, account state retrieval), LLM span, tool spans (transfer execute, dispute initiate, card lock, OTP verify), TTS span, and conversation ID linking the whole thing.

from fi_instrumentation import register
from fi_instrumentation.fi_types import ProjectType
from traceai_pipecat import enable_http_attribute_mapping

register(
    project_type=ProjectType.OBSERVE,
    project_name="Banking Voice Agent",
    set_global_tracer_provider=True,
)
enable_http_attribute_mapping()

ai-evaluation for scoring

70+ built-in rubrics including pii, data_privacy_compliance, is_compliant, prompt_injection, task_completion, conversation_resolution, is_polite, is_helpful, prompt_adherence. All Apache 2.0. Custom evaluators authored by an in-product agent for bank-specific policy.

Native voice observability for Vapi, Retell, LiveKit

Add the provider API key plus Assistant ID to a FAGI Agent Definition. Every banking call gets separate assistant and customer audio download, auto transcript, and the full eval engine. No SDK required. “Enable Others” mode covers any voice provider via mobile-number simulation.

Simulation for pre-launch testing

18 pre-built personas plus unlimited custom. Build personas across age, accent, fluency, anxiety level (relevant for fraud verification), and background-noise condition. Workflow Builder auto-generates branching scenarios (20, 50, or 100 rows) from a banking agent definition. Error Localization pinpoints the failing turn when a scenario fails. Programmatic eval API for configure plus re-run as part of CI.

Future AGI Protect for inline guardrails

Gemma 3n foundation with LoRA-trained adapters per safety dimension per arXiv 2510.13351. Multi-modal across text, image, and audio. Two surfaces: rule-based Protect across the 4 documented safety dimensions (Content Moderation, Bias Detection, Security, Data Privacy Compliance) and ProtectFlash (single-call binary classifier). Sub-100ms inline. Run ProtectFlash on every turn for sub-100ms binary harm check. Run rule-based Protect on every Nth turn for richer eval signal.

Error Feed for failure clustering

Auto-clusters trace failures into named issues. Auto-writes root cause plus quick fix plus long-term recommendation. For a banking agent that means 30 failed transfer-confirmations caused by a backend timeout cluster as one issue. The audit response is one document per cluster, not one per call.

Agent Command Center for hosting and governance

RBAC, SOC 2 Type II + HIPAA + GDPR + CCPA + ISO 27001 certified, AWS Marketplace, multi-region hosted, BYOC self-host, 15+ provider routing. Per-team RBAC and per-tenant attribution tags so regulatory reviews segment by line of business.

Common failure modes in banking voice deployments

The failure patterns repeat across banking voice deployments. Knowing them in advance shortens the cutover.

• Identity verification friction. Layered auth feels slow on a voice channel. Customers abandon when KBA takes more than two questions or when OTP delivery lags. Mitigation: cache successful identity in a short-lived session token, score task_completion against drop-off rate at each auth layer, simulate the auth flow under realistic latency conditions.
• Disclosure language drift. The required Reg E or Reg Z language slips out of the prompt during a refactor. Mitigation: a custom evaluator authored on top of the canonical disclosure text, run in the regression suite every release and on every Nth live call.
• PII echo-back. The agent reads back a full account number to confirm capture. Mitigation: prompt-level rule forbidding full-PII echo, plus pii rubric flagging any echo turn, plus inline ProtectFlash blocking on the critical path.
• Cross-account confusion. The agent mixes up a primary account and a joint account when the caller is on both. Mitigation: explicit account-selection step before any transaction, plus is_factually_consistent rubric on the summary-back step.
• Fraud-disclosure scripting mismatch. Outbound fraud verification says something slightly off from the regulator-approved script. Mitigation: prompt_adherence rubric against the canonical fraud-disclosure text, plus daily Error Feed cluster review during the first 60 days.
• Tool-call partial failure. The transfer authorization passes through Protect, the agent confirms to the customer, the backend silently fails. Mitigation: confirmation turn after every transactional tool call, plus traceAI capture of the whole chain with explicit failure handling.
• Recording-pause gap on PCI capture. The recording pauses for DTMF card capture but resumes a beat late, capturing partial PAN. Mitigation: server-side recording control linked to the capture-pane lifecycle, plus a post-call eval that scans the recording for PAN regex matches.

Each of these has a clean mitigation in the FAGI stack. The simulation suite catches the predictable ones pre-launch; the observability stack catches the long tail post-launch.

Designing the regulator-ready dashboard

Bank examiners and internal audit ask the same questions every cycle. The dashboard that pre-empts those questions saves weeks of audit-prep time.

Top-of-dashboard KPIs

Three KPIs go above the fold:

1. Compliance violation rate per 10,000 calls. Drift below 1 per 10,000 is healthy. Above 5 per 10,000 means the rubric set or the prompt is drifting.
2. PII echo rate per 10,000 calls. A direct measure of the redaction layer plus the prompt discipline. Above 1 per 10,000 is a fix-now signal.
3. Identity verification success rate. First-try success above 85% is healthy. Below 75% means the auth UX is fighting the customer.

Per-intent breakdowns

Every intent class gets its own row: account servicing, fraud verification, loan qualification, payment processing, dispute resolution. Each row shows call volume, task_completion rate, conversation_resolution rate, compliance violation count, and average handle time.

Per-region and per-language breakdowns

For banks with multi-region or multi-language coverage, the same metrics segment by region and language. The translation_accuracy and cultural_sensitivity rubrics surface as separate cards for any non-English call segment.

Per-agent-version comparison

Every prompt change ships as a new agent version. The dashboard shows the rolling 7-day metrics for each version side by side. Regressions are visible the moment they ship rather than during the monthly review.

Compliance audit pattern

The audit pattern for a banking voice deployment uses three artifacts per call.

Artifact 1: the trace

Every span. ASR provider, model, confidence. LLM provider, model, prompt version, response. Tool calls and their outcomes. TTS provider, voice, latency. Conversation ID linking all of it. traceAI emits OpenInference-compatible spans that any OTel-compatible audit pipeline can consume.

Artifact 2: the eval history

Every score on every rubric for the call. The rubric set is configured per workflow (account servicing has one set, fraud has another). The score plus reasoning plus eval template ID plus version is stored per turn.

Artifact 3: the Protect log

Every guardrail check on every turn. The check, the score, the action taken (allow, block, redact, escalate). For ProtectFlash, the single binary outcome. For rule-based Protect, the per-rule output.

The three artifacts together reconstruct the call to a regulator’s satisfaction. The Error Feed clustering surfaces the patterns across calls (which intent class has the highest PII-echo rate, which agent definition version has the highest prompt-injection block rate, which time-of-day correlates with elevated fraud-verification escalation).

Three deliberate tradeoffs

Federal procurement runs via BYOC self-host. FedRAMP doesn’t appear on the trust page yet. Federal financial agencies and credit unions with federal posture deploy in their VPC via air-gapped BYOC. Same software, customer-owned audit boundary.

Async eval gating is explicit. agent-opt ships six prompt optimizers (Bayesian Search, Meta-Prompt per arXiv 2505.09666, ProTeGi, GEPA Genetic-Pareto per arXiv 2507.19457, Random Search per arXiv 2311.09569, PromptWizard) available in both the Dataset UI and the agent-opt Python library. The Dataset UI exposes the same six optimizers as a point-and-click optimization run against a chosen dataset plus an evaluator. FAGI never auto-rewrites a regulated banking prompt without an explicit run plus a human approval gate.

Native voice obs ships for Vapi, Retell, and LiveKit out of the box. Enable Others mode covers any other voice provider via traceAI SDK or mobile-number simulation, which covers the bulk of production banking voice stacks. Same eval engine, same Protect ruleset, same audit trail on every captured call.

A reference 14-week banking voice deployment

The cadence compresses for lowest-risk workflows (account servicing) and lengthens for highest-risk (fraud, lending). The constraint that doesn’t bend is the compliance review gate at week 9.

Related reading

• 7 Best AI Voice Agent Platforms for Inbound Customer Support in 2026: the inbound runtime field for retail banking.
• IVR Modernization: Migrate Legacy IVR to AI Voice Agents in 2026: the cutover playbook for replacing legacy banking phone trees.
• Voice AI for Healthcare and Clinical Workflows in 2026: the parallel playbook for HIPAA-regulated voice deployments.
• Voice AI Evaluation Infrastructure: Developer’s Guide: eval rubrics that score banking voice workloads.

Sources and references

• arXiv 2510.13351, Future AGI Protect model family (arxiv.org/abs/2510.13351)
• arXiv 2507.19457, GEPA Genetic-Pareto prompt optimizer (arxiv.org/abs/2507.19457)
• arXiv 2505.09666, Meta-Prompt bilevel optimization (arxiv.org/abs/2505.09666)
• arXiv 2311.09569, Random Search prompt baseline (arxiv.org/abs/2311.09569)
• Gramm-Leach-Bliley Act, Safeguards Rule
• PCI-DSS v4.0 scope and recording requirements
• Regulation E and Regulation Z customer protection timelines
• Future AGI trust page (futureagi.com/trust)
• traceAI repository (github.com/future-agi/traceAI)
• ai-evaluation repository (github.com/future-agi/ai-evaluation)
• Vapi, Retell AI, ElevenLabs Agents, LiveKit, Pipecat: vendor documentation and SOC 2 attestation pages (referenced in plain text per editorial policy)