A Power of Attorney Is Not an Access-Control Policy

A legal mandate can be valid while the systems are unsafe—or technically impossible to use. Translate authority into bounded, revocable access.

The answer

A power of attorney can authorise a person to act. It does not create the accounts, limits, evidence or revocation needed to act safely. Institutions often treat the legal document as the whole control.

A power of attorney can authorise a person to act. It does not create the accounts, limits, evidence or revocation needed to act safely. Institutions often treat the legal document as the whole control. The delegate then borrows the principal’s login because the platform has no role for them. A bank recognises the mandate but uses a broad operational profile. A technology administrator grants access without understanding the legal scope. The law and the system describe different authority. The gap is where abuse and paralysis appear.

Translate authority into decision objects

A mandate may contain broad legal language. Operations require specific actions. Identify the objects the delegate may affect:

  • Accounts, entities, properties, records or relationships.
  • Permitted actions: view, instruct, approve, transfer, disclose, appoint or terminate.
  • Limits: value, jurisdiction, counterparty, purpose and duration.
  • Conditions: incapacity, absence, second approval or professional opinion.
  • Prohibitions: gifts, self-dealing, new beneficiaries, public statements or destruction.

These objects can then be represented in bank mandates, application roles and operating procedures.

Value object — The Mandate-to-Access Matrix

For every material delegated power, record:

  • Legal source and current version.
  • Authority holder and identity proof.
  • Decision scope and prohibited actions.
  • Systems and counterparties required to exercise it.
  • Technical role, transaction limit and approval workflow.
  • Evidence generated by use.
  • Revocation trigger, owner and confirmation.

The matrix reveals legal authority with no execution route and technical access with no current legal basis.

Never solve delegation by sharing identity

Using the principal’s account collapses attribution. The system records the principal, the provider cannot distinguish delegate from attacker and revocation may require disabling the principal too. Use named delegated access wherever available. If a platform cannot represent the mandate, consider whether it is suitable for consequential work or add a controlled intermediary process.

Design partial failure

A delegate may remain legally authorised while their device is compromised. A mandate may be revoked while the technical role persists. A platform may be unavailable while the legal obligation to act continues. Define which source governs each conflict and how counterparties are notified. Revocation must reach both the legal record and the access layer.

Preserve evidence of interpretation

Mandates are not always self-executing. Someone decides that a condition has occurred, a limit applies or an action fits the purpose. Record the interpretation for consequential use: the operative provision, supporting evidence, approving person and action taken. This protects the principal, delegate and institution.

Exercise the real route

A legal review confirms validity. An operational exercise confirms usability. Ask the delegate to perform a harmless representative action through the actual systems and counterparties. Identify demands for unavailable documents, personal attendance, obsolete contacts or shared credentials.

Authority must be executable and containable

A mandate that cannot be exercised fails continuity. Access that exceeds the mandate fails control. Build the translation layer so the institution can let the right person act, see exactly what they did and end that authority without collateral damage.

Sources

  1. NIST SP 800-207: Zero Trust ArchitectureNIST SP 800-207: Zero Trust Architecture

    Primary authority

  2. NIST Digital Identity GuidelinesNIST Digital Identity Guidelines

    Primary authority

  3. FINMA: Revised circular on operational risks and resilienceFINMA: Revised circular on operational risks and resilience

    Primary authority

Adam J. De CollibusFounding Partner, Svperior / Systems Engineering

Ross Belhomme

Ross leads Legal within Svperior GmbH. His work draws on more than two decades across international fiduciary, wealth-structuring, and private-client environments, combining legal, financial, and technical judgment around governance, privacy, assets, authority, and cross-border operating conditions.

Legal strategy / Governance / Private-client structuring / Digital assets

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry