The conversation is the new branch: customer-facing generative AI in banking.

Retail banking has, for thirty years, competed on rate, branch, app, and call-centre wait time. The last of those competitions is the one drawing to a close. Customer expectations have been reset by a generation of consumer AI assistants, and anyone who has had a meaningful conversation with a general-purpose model in the past year now arrives at a bank’s chat channel with the expectation that it will be at least that fluent. Most of the time, it is not. The firms that close that gap will rebuild their customer relationship around the conversation, and the firms that do not will watch their disengaged accounts drift away to firms that have.

This piece is about the shape of that opportunity, and more importantly about what the risk regime around it has to look like. Generative AI on the customer-facing channel is not a tooling exercise. It is a regulated communication, a brand surface, and, in a meaningful number of cases, a transactional capability that moves real money. It deserves the operating model of a regulated business line, not the operating model of a product backlog.

The opportunity, framed in money

The competitive logic is uncomfortably clear, and the public data points are starting to stack up.

Klarna’s generative AI customer service assistant, launched in early 2024, was reported to handle the equivalent of around 700 full-time customer service roles within its first month of operation, with average resolution times falling from eleven minutes to under two. The firm later moderated its initial “AI-only” framing, restoring more human contact for complex inquiries, but the underlying economics held. Lower service cost, faster resolution, broader language coverage. The lesson is not that human agents are replaceable. The lesson is that a well-engineered conversational layer materially changes the economics of customer service.

Bank of America’s Erica, the longest-standing virtual financial assistant in mainstream US banking, passed two billion interactions in 2024 and continues to serve as the chassis the bank now layers generative capabilities onto. Erica’s value sat for years in lightweight, deterministic flows: balances, alerts, bill reminders. The addition of LLM-grounded answers, drawn from the bank’s policy and product documentation, extends what the assistant can credibly do without expanding the failure mode.

NatWest’s Cora+, launched in 2024 in partnership with IBM Watsonx, is one of the most visible UK examples of a regulated bank deliberately moving its assistant from intent-and-flow logic to grounded generative responses, with the bank’s curated knowledge base as the source of truth and a layered safety regime around the model’s output. The shift in tone, in coverage, and in the range of issues the assistant can resolve without human intervention is the kind of operational delta that competitors will be forced to match within twelve to eighteen months.

Useful benchmarks exist outside banking too. Shopify’s Sidekick gives merchants a conversational interface to their store data, retrieving the firm’s records and acting within a bounded set of capabilities rather than improvising. Stripe’s customer-facing assistants combine the firm’s documentation and policy with the customer’s account context to handle the long tail of merchant questions. These adjacent commercial contexts show what good looks like when an assistant is constrained, grounded, and given a defined action surface.

Each of these examples answers the same commercial logic. A well-built conversational layer lowers cost-to-serve on routine inquiries, shortens resolution time on complex ones, broadens language and accessibility coverage at near-zero marginal cost, and, where it is allowed to act, enables small but meaningful actions (an internal transfer, a card freeze, a limit change) without the customer queueing for an agent. None of this is a “platform” outcome. Each of them is a P&L line.

What is different about banking

The constraints that distinguish customer-facing banking from a general consumer assistant are real, well-understood, and structural. They are also the reason most banking deployments are more cautious than the public Klarna numbers suggest they could be.

A bank’s customer-facing conversation is a regulated communication. Under the FCA’s Consumer Duty in the UK, the EU’s emerging implementation of the AI Act, and the established regimes around Reg E, RESPA and TILA in the US, a bank’s assistant is held to the standards of a representative of the firm, not the standards of a search engine. Every answer is, in principle, recordable, replayable and accountable.

The conversation also intersects with money. A misunderstanding of a fee, a balance, an authorisation, or an instruction is not just a customer-experience issue; it can become a complaint, a redress event, an AML signal or a fraud loss. The cost of a bad answer is asymmetric. A good answer is invisible, and a bad answer goes on the regulator’s desk.

The conversation is, finally, a brand surface. A single screenshot of an assistant hallucinating a customer’s mortgage balance, posted on a social network, carries reputational weight that the firm’s marketing budget cannot reverse. The brand fragility of the conversational channel is materially higher than the brand fragility of the call centre, because the conversation is captured, screenshot-able and shareable in a way that a phone call is not.

None of these constraints argues against deployment. They argue for a particular shape of deployment, in which generative capability is wrapped in a risk regime designed for it, and in which the architecture distinguishes clearly between answering, advising and acting.

The four properties to design for

The right summary of what a regulated firm needs from its customer-facing AI is four properties, designed in rather than bolted on.

Fair. The assistant should treat customers equivalently, with explicit monitoring of outcome variance across the demographic surface the firm reports on. Bias in answers, in response speed, or in escalation rates is a Consumer Duty issue and a regulatory finding waiting to happen. Fairness is measurable, and it has to be instrumented like any other service-level commitment.

Accurate. The assistant should ground every factual claim in a retrievable source, with the source available for inspection. Hallucination is the failure mode the public will remember, and in a regulated context it is also the failure mode that the redress regime will price.

Secure. The assistant is a new attack surface. Prompt injection, jailbreaking, data exfiltration via crafted inputs, and model-mediated social engineering are real, current and adversarial. The security posture cannot be borrowed wholesale from web-application security; it requires new categories of testing and continuous adversarial review.

Explainable. Every assistant response should be reconstructable. The prompt, the context retrieved, the model version, the policy snapshot, the safety filters and the output should all be content-addressed and retrievable. When the regulator asks why the assistant said what it said to a specific customer at a specific time, the firm should be able to re-run it deterministically.

These four properties are not a compliance overlay. They are the architecture. A firm that treats them as something to retrofit after launch will find that adding any of them touches every layer of the stack and rebuilds half of what was built.

Guardrails, human handoff, and supervisors on the agents

The risk regime around customer-facing generative AI is best understood as three layers, each with a distinct role, each instrumented and observable.

The first layer is the deterministic guardrail. Input filtering on the customer’s message, output filtering on the model’s response, refusal patterns for categories of action that the assistant cannot take. These are the unglamorous, high-coverage controls. They are non-negotiable, and they are also insufficient on their own. Deterministic filters miss the contextual failure modes that matter most, and they create a false sense of safety if treated as the entire control surface.

The second layer is the human in the loop. Every action that crosses a defined money, risk or sensitivity threshold should require human review or human authorisation. The threshold is a policy decision, not a technical one, and the policy should be debated explicitly between the product team, the risk function and the relevant regulator’s expectations. The handoff itself is part of the product. A clumsy handoff destroys the customer experience and recreates the very service cost the assistant was meant to eliminate. The best implementations make the handoff effectively invisible to the customer, with the human agent receiving the full conversation context, the assistant’s draft response, and a recommended action.

The third layer, and the one most relevant at scale, is the supervisor agent. This is a separate model, typically smaller and more constrained, whose job is to evaluate the customer-facing agent’s output against an explicit set of criteria: tone, factual grounding, regulatory phrasing, bias signals, escalation triggers. The supervisor runs in parallel with the customer-facing agent, scores every response before it is sent, and can block, annotate, escalate or simply log the response according to policy.

The supervisor pattern is sometimes described as “LLM-as-judge” in the engineering literature, but for a regulated firm it is more usefully thought of as a continuous control. It is an agent designed to fail loudly when the customer-facing agent fails quietly. It is the surface on which the second line of defence can attest, monthly or quarterly, that the channel is operating within its declared envelope. It is also an evolving control: the supervisor’s criteria can be updated as the firm’s policies change, as new failure modes are discovered, and as regulatory expectations move. The customer-facing agent does not need to be retrained to incorporate a new fairness criterion; the supervisor does.

In a mature deployment, the architecture looks broadly as follows.

• A customer-facing agent that retrieves the firm’s grounded data and generates responses against a defined policy.
• A supervisor agent that scores every response on a defined rubric before it is sent, with the authority to block, annotate or escalate.
• A deterministic guardrail layer that catches the failure modes the supervisor and the customer-facing model are both poor at detecting, including regex-detectable PII leaks, hard-prohibited topics and malformed outputs.
• A human review queue for any response above a confidence or risk threshold defined in policy.
• A continuous evaluation harness that replays sampled conversations against new model versions, new prompts and new policies, with regressions caught before they reach production.
• A drift dashboard, available to the second line and to the regulator on request, showing the supervisor’s score distribution, escalation rates and outcome variance over time.

None of these components is exotic. The architectural work, as so often, is in the composition.

What it costs to get UX wrong

The risk regime is only half the conversation. The other half is the product. A conversational assistant that is safe but slow, accurate but tonally wrong, or compliant but unable to do anything useful will lose customers as effectively as one that hallucinates. The competitive bar has moved, and is still moving.

Latency matters. A customer who has just asked a general-purpose model a complex question and received a fluent answer in under two seconds will not patiently wait six seconds for the bank’s assistant to start typing. The implication is that retrieval latency, model latency, supervisor latency and rendering latency together have to fit inside a budget that was unimaginable five years ago.

Tone matters. Every bank has a brand voice, written in a style guide that almost nobody reads. The assistant is the moment that brand voice becomes operational, and is consumed by customers thousands of times per day. A bank whose assistant is helpful but tonally generic loses the relational ground that the assistant was meant to deepen.

Recovery matters. The assistant will misunderstand customers. It will give answers that are technically correct but unhelpful. It will, occasionally, fail. The product question is what happens next. The best assistants apologise gracefully, offer a clear alternative path, and, when handing off to a human, do so without making the customer repeat themselves. The worst ones loop, deflect, or escalate without context, all of which amplify the original failure.

Personalisation matters. The bank has the data. A customer-facing assistant that treats every user as if it has never met them before is throwing away the firm’s most expensive asset. The careful use of context (recent transactions, product holdings, support history, expressed preferences) is the difference between a generic helpdesk and a relationship.

The product opportunity is meaningful. Banks that succeed here will report acquisition uplift driven by the channel itself, retention uplift driven by the relational depth, and cost-to-serve reductions driven by the assistant’s handling of routine work. The banks that do not will report the inverse.

Sequencing the build

The familiar sequencing applies. Start narrow, with the highest-value, lowest-risk surface. Prove the architecture. Expand only as the supervisor regime can credibly attest to the new surface.

A defensible progression looks like this.

1. Retrieval and answering. The assistant answers customer questions against the bank’s curated knowledge base. No action, no personalisation beyond the customer’s identity, no transactional capability. Even at this stage the value is meaningful: contact deflection on routine inquiries, faster onboarding, better self-service. The supervisor regime can be proved on this surface before it ever sees more sensitive content.

2. Personalised answering. The assistant retrieves the customer’s own context, with explicit consent, and answers questions about it. Balance enquiries, transaction lookups, product explanations, fee discussions. The data-handling and privacy surface is now larger, and the supervisor’s bias and accuracy rubric has more work to do, but the action surface is still bounded to information.

3. Bounded action. The assistant is allowed to take a small number of pre-authorised actions on the customer’s behalf: an internal transfer, a card freeze, a limit change within a pre-approved range, a fraud confirmation. Each action has an explicit authorisation flow, pre-trade controls, and a logged trail through the customer’s identity, the agent’s tool call, and the resulting transaction. This is the point at which the architectural arguments above become non-optional.

4. Advisory adjacency. The assistant moves towards genuinely helpful financial guidance: budgeting suggestions, savings prompts, mortgage affordability framing. The regulatory line between guidance and advice is sharp, varies by jurisdiction, and is where most of the productive arguments inside the firm will happen. The supervisor’s role expands to include adherence to the firm’s “guidance, not advice” boundary.

Each step is gated on the previous step’s supervisor regime demonstrating it can monitor effectively, and on the second line agreeing that the new surface is observable to the same standard.

Closing

The conversation is the new branch. For thirty years, the digital front door was a screen; for the next ten, it will be a dialogue. The firms that recognise this and rebuild their customer relationship around it will pull ahead, both on the cost-to-serve numbers that the CFO cares about and on the relational depth that the CMO cares about. The firms that treat it as a chat widget on the corner of the app will not.

The discipline that makes the channel safe is, in the end, the same discipline that makes any other regulated capability safe. Design the risk regime in. Layer the controls. Put a supervisor on the agent and an auditable trail on every interaction. Sequence the surface area carefully. Treat the channel as the regulated communication it already is, rather than the experimental tool it sometimes looks like internally.

The banks that get this right will not just have a better assistant. They will have a better business.