Compliance-grade identity for financial services agents.
In 2022 the SEC fined 16 firms a combined $1.1B for failing to preserve and supervise business communications sent over unapproved channels. SEC Rule 17a-4 mandates that broker-dealer records be retained, and producible on request, for up to six years. SOX Section 404 requires management to document and test the internal controls behind financial reporting, automated steps included. Mailgent gives your financial services agent the identity infrastructure regulators are already asking for: DKIM-signed emails, delegation chains, and audit trails on every action.
API Primitives used
mail.send: Attributable outbound email
Every client communication is DKIM-signed with agent identity headers. Recipients and regulators can verify exactly who sent it and who authorized the agent.
vault.get: Secure credential retrieval
Access trading platform API keys, CRM tokens, and filing portal credentials from an encrypted vault — scoped per agent identity with full audit trail.
vault.totp: 2FA for regulated portals
Generate TOTP codes to authenticate with SEC EDGAR, FINRA Gateway, and trading platforms that require multi-factor authentication.
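What a vault.totp-style primitive actually computes is RFC 6238 TOTP. The following is an added example in Go using only the standard library, not Mailgent's code; it generates codes, reports how long the current code stays valid (an agent should not submit a code that is about to roll over), and shows the portal-side window check with a constant-time compare. The base32 seed is the RFC 6238 test secret, and the six-digit, 30-second parameters are assumptions that match most portals. A real deployment keeps the seed in the vault and never logs the generated codes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const totpStep = 30 // seconds per step (RFC 6238 default)

// totpAt computes an RFC 6238 TOTP (HMAC-SHA1, 30-second step) for the shared
// secret at the given Unix time. This is the algorithm behind Google
// Authenticator and the MFA on most regulated web portals.
func totpAt(secret []byte, unix int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/totpStep))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window; the top bit of that window is masked off.
	offset := int(h[len(h)-1] & 0x0f)
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// decodeSeed parses the base32 seed as it appears in a provisioning QR code
// (otpauth:// URI). Spaces, lowercase and trailing padding are tolerated.
func decodeSeed(seed string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(seed, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// secondsLeft reports how long the code for the current step remains valid.
func secondsLeft(unix int64) int64 {
	return totpStep - unix%totpStep
}

// verifyCode is the portal side: accept the code for the current step or the
// adjacent ones (one step of clock skew), comparing in constant time.
func verifyCode(secret []byte, code string, unix int64, digits int) bool {
	ok := false
	for _, skew := range []int64{-totpStep, 0, totpStep} {
		if hmac.Equal([]byte(totpAt(secret, unix+skew, digits)), []byte(code)) {
			ok = true
		}
	}
	return ok
}

func main() {
	// Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
	seed, err := decodeSeed("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := totpAt(seed, now, 6)
	fmt.Printf("code %s valid for %ds more\n", code, secondsLeft(now))
	fmt.Println("portal accepts:", verifyCode(seed, code, now, 6))
}
```

The RFC's published vectors (T=59 gives 94287082 with eight digits) are the quickest way to prove a TOTP implementation is right before pointing it at a filing portal.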
Financial regulators demand AI agent attribution.
Every AI agent operating in financial services faces the same regulatory wall: can you prove who authorized this action? FINRA Rule 3110 requires firms to supervise and review their associated persons' correspondence, so every communication with the public must be traceable to the registered person responsible for it. SEC Rule 17a-4 mandates that records be retained for three to six years, depending on the record type, and be producible on request. SOX Section 404 requires management to document and test internal controls over financial reporting, including automated ones.
Most financial firms work around this by routing AI agent communications through shared compliance@ inboxes or individual broker credentials. Shared inboxes break FINRA's attribution requirement. Shared credentials create supervision violations — when an agent sends an unauthorized communication under a rep's login, there's no trail distinguishing human from machine. Both are examination findings waiting to happen.
Mailgent solves this with per-agent identity. Every email is DKIM-signed with agent identity headers. Every action carries a delegation chain: Registered Rep > Firm > Agent. Every credential access is audit-logged. The infrastructure regulators are asking for — built in, not bolted on.
How to build it.
Create a compliant agent identity
Provision a dedicated identity with its own email address and isolated vault. The identity carries a delegation chain: Compliance Officer > Firm > Agent — provable in any examination.
vault.store: Store regulated credentials securely
Store API keys for trading platforms, CRM OAuth tokens, and filing portal credentials. AES-256-GCM encrypted, scoped to this identity only. Every access is audit-logged with timestamps.
mail.send: Send attributable client communications
Send portfolio updates, trade confirmations, and market commentary from the agent's own DKIM-signed address. FINRA can verify exactly which agent sent each email and who authorized it.
Example prompt
“Send the quarterly portfolio update to all clients in Segment A. Use my registered rep delegation. Log every send for FINRA 3110 compliance.”
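To make the "scoped to this identity only" claim in step 2 concrete, here is an added example (not Mailgent's implementation) of a minimal AES-256-GCM vault in Go using only the standard library. Each secret is sealed with the storing agent's identity and credential name as additional authenticated data, so a blob that is copied or re-labelled to another identity at the storage layer fails authentication instead of decrypting, and every access attempt, including denials, is written to an audit log. The master key handling, identity names, credential value and audit-line format are assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"time"
)

// Vault stores credentials under one AES-256-GCM master key. Each entry is
// sealed with the owning agent identity and credential name as additional
// authenticated data (AAD), so the ciphertext opens only for that identity,
// whatever the storage layer underneath permits.
type Vault struct {
	aead    cipher.AEAD
	entries map[string][]byte // "identity/name" -> nonce || ciphertext || tag
	Audit   []string          // one line per access attempt, success or denial
}

func NewVault(masterKey []byte) (*Vault, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, entries: map[string][]byte{}}, nil
}

// aad binds a ciphertext to one identity and one credential name. The NUL
// separator keeps "agent-a" + "b/key" from colliding with "agent-ab" + "key".
func aad(identity, name string) []byte {
	return []byte(identity + "\x00" + name)
}

func (v *Vault) log(identity, op, name, result string) {
	v.Audit = append(v.Audit, fmt.Sprintf("%s identity=%s op=%s credential=%s result=%s",
		time.Now().UTC().Format(time.RFC3339), identity, op, name, result))
}

// Store seals secret for identity. A fresh random 96-bit nonce per entry is
// mandatory with GCM: nonce reuse under one key breaks confidentiality.
func (v *Vault) Store(identity, name string, secret []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	v.entries[identity+"/"+name] = v.aead.Seal(nonce, nonce, secret, aad(identity, name))
	v.log(identity, "vault.store", name, "ok")
	return nil
}

// Get returns the secret only if the caller's identity matches the one the
// entry was sealed for; every attempt is audit-logged, denials included.
func (v *Vault) Get(identity, name string) ([]byte, error) {
	blob, ok := v.entries[identity+"/"+name]
	if !ok {
		v.log(identity, "vault.get", name, "denied:not-found")
		return nil, errors.New("no such credential for this identity")
	}
	ns := v.aead.NonceSize()
	plain, err := v.aead.Open(nil, blob[:ns], blob[ns:], aad(identity, name))
	if err != nil {
		v.log(identity, "vault.get", name, "denied:auth-failed")
		return nil, err
	}
	v.log(identity, "vault.get", name, "ok")
	return plain, nil
}

func main() {
	key := make([]byte, 32) // in production the key lives in a KMS/HSM, not a variable
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	_ = v.Store("agent-trading-01", "broker-api-key", []byte("sk_constructed_sample")) // constructed value
	fmt.Println(v.Get("agent-trading-01", "broker-api-key"))
	// Simulate a storage-layer mistake or attack: the blob is copied into another
	// agent's slot. GCM rejects it because the AAD (identity) no longer matches.
	v.entries["agent-kyc-02/broker-api-key"] = v.entries["agent-trading-01/broker-api-key"]
	fmt.Println(v.Get("agent-kyc-02", "broker-api-key"))
	for _, line := range v.Audit {
		fmt.Println(line)
	}
}
```

The point of the AAD binding is that identity scoping does not depend on the database enforcing an ACL correctly: a misconfigured bucket or an over-privileged admin can move ciphertext around, but cannot make it decrypt for the wrong agent.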
What financial firms build.
Broker-dealer communication surveillance
Agent sends pre-approved communications to clients — portfolio updates, trade confirmations, research distribution. Each email is DKIM-signed with the registered rep's delegation chain, satisfying FINRA 3110 attribution requirements.
AML/SAR filing coordination
Agent identifies suspicious transactions, drafts SAR narratives, emails them to the BSA Officer for review, and logs every step with full attribution. FinCEN can trace every filing action back to the responsible compliance officer.
SOX internal controls testing
Agent emails control owners to request evidence, collects responses, evaluates results, and files documentation. Each interaction carries a delegation chain: CFO > Internal Audit Director > Agent — satisfying PCAOB AS 2201.
MiFID II research distribution
Agent distributes investment research to EU clients, ensuring each recipient receives only research they are entitled to under their MiFID II client classification. Each communication is attributable and logged for examination by the relevant national competent authority.
Regulatory filing and correspondence
Agent authenticates with SEC EDGAR, FINRA Gateway, and state regulatory portals using stored credentials and TOTP codes. Files reports, submits amendments, and retains proof of every filing for SEC 17a-4.
Client onboarding KYC
Agent sends and receives KYC documentation via email, stores sensitive credentials for identity verification services in the vault, and maintains a complete audit trail of every document exchange for BSA compliance.
Why not use shared inboxes or broker credentials?
Shared inboxes (compliance@firm.com) break FINRA's attribution requirement — you can't prove which system or person sent a specific email. Using a broker's personal credentials creates FINRA 3110 supervision violations: there's no audit trail distinguishing what the human reviewed versus what the agent sent autonomously.
Mailgent gives each agent its own identity with a cryptographically verifiable delegation chain. Every email is DKIM-signed and attributable. Every credential access is logged. When FINRA examines your communications, you can trace every single message back through the authorization chain to the registered person who delegated authority.
Delegation chain
Human > Org > Agent. Every action traces back to the human who authorized it. Verifiable by regulators.
Complete audit trail
Every email sent, credential accessed, and TOTP code generated is logged with identity, timestamp, and delegation context.
AES-256-GCM encryption
Trading credentials, API keys, and client data encrypted at rest. Scoped per agent identity. No shared access.
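The delegation chain described on this page (Human > Org > Agent, verifiable by regulators) can be implemented as a chain of Ed25519 signatures. The following is an added example in Go using only the standard library, not Mailgent's code: each hop is a statement signed by the previous key granting a scope to the next key, the agent signs a SHA-256 digest of each action, and a verifier holding only the registered person's public key checks every link, that scopes only narrow down the chain, and that the action is in scope and signed by the key at the end. The link and action encodings, the scope strings and the sample message are assumptions for the demo; a production system would also carry timestamps and revocation in each link.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Link is one hop of a delegation chain: Issuer signs a statement that
// Subject may act within Scope (a dotted prefix such as "mail." or "mail.send").
type Link struct {
	Issuer, Subject ed25519.PublicKey
	Scope           string
	Sig             []byte
}

// Action is what the agent did, signed by the key at the end of the chain.
// Digest is SHA-256 of the message exactly as sent (headers and body).
type Action struct {
	Kind   string
	Digest [32]byte
	Signer ed25519.PublicKey
	Sig    []byte
}

// Unambiguous encodings: keys and digests are hex, fields are "|"-separated,
// and a type tag prevents a link signature being replayed as an action.
func linkBody(l Link) []byte {
	return []byte("delegate|" + hex.EncodeToString(l.Issuer) + "|" + hex.EncodeToString(l.Subject) + "|" + l.Scope)
}

func actionBody(a Action) []byte {
	return []byte("action|" + a.Kind + "|" + hex.EncodeToString(a.Digest[:]))
}

func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Delegate is run by the holder of issuerPriv (the rep, then the firm).
func Delegate(issuerPriv ed25519.PrivateKey, subject ed25519.PublicKey, scope string) Link {
	l := Link{Issuer: issuerPriv.Public().(ed25519.PublicKey), Subject: subject, Scope: scope}
	l.Sig = ed25519.Sign(issuerPriv, linkBody(l))
	return l
}

// SignAction is run by the agent for every outbound message.
func SignAction(agentPriv ed25519.PrivateKey, kind string, message []byte) Action {
	a := Action{Kind: kind, Digest: sha256.Sum256(message), Signer: agentPriv.Public().(ed25519.PublicKey)}
	a.Sig = ed25519.Sign(agentPriv, actionBody(a))
	return a
}

// VerifyChain is the examiner's check. It needs only the registered person's
// public key: each link must be issued by the previous subject, scopes may
// only narrow, and the action must be signed by the final subject within scope.
func VerifyChain(root ed25519.PublicKey, chain []Link, act Action) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty delegation chain")
	}
	prev := root
	for i, l := range chain {
		if !l.Issuer.Equal(prev) {
			return fmt.Errorf("link %d: issuer is not the previous subject", i)
		}
		if i > 0 && !strings.HasPrefix(l.Scope, chain[i-1].Scope) {
			return fmt.Errorf("link %d: scope %q widens %q", i, l.Scope, chain[i-1].Scope)
		}
		if !ed25519.Verify(l.Issuer, linkBody(l), l.Sig) {
			return fmt.Errorf("link %d: bad signature", i)
		}
		prev = l.Subject
	}
	last := chain[len(chain)-1].Scope
	if !act.Signer.Equal(prev) {
		return fmt.Errorf("action signed by a key outside the chain")
	}
	if !strings.HasPrefix(act.Kind, last) {
		return fmt.Errorf("action %q outside delegated scope %q", act.Kind, last)
	}
	if !ed25519.Verify(act.Signer, actionBody(act), act.Sig) {
		return fmt.Errorf("action signature invalid")
	}
	return nil
}

func main() {
	repPub, repPriv := newKeyPair()     // registered representative: root of trust
	firmPub, firmPriv := newKeyPair()   // firm signing key
	agentPub, agentPriv := newKeyPair() // per-agent identity
	chain := []Link{Delegate(repPriv, firmPub, "mail."), Delegate(firmPriv, agentPub, "mail.send")}
	msg := []byte("Subject: Q3 portfolio update\r\n\r\n...") // constructed sample message
	act := SignAction(agentPriv, "mail.send", msg)
	fmt.Println("genuine:", VerifyChain(repPub, chain, act))
	act.Digest[0] ^= 1 // message altered after signing
	fmt.Println("tampered:", VerifyChain(repPub, chain, act))
}
```

The scope check is what turns the chain into least privilege rather than a bare identity: the firm can hand the agent "mail.send" without also handing it "vault.get", and the examiner can see that narrowing in the signed links themselves.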
Build compliant agents.
Identity infrastructure that satisfies FINRA, SEC, and SOX — out of the box.