MCP servers in finance practice

MCP servers are the executing components of the Model Context Protocol — connection bridges that make a specific external system (accounting, banking, MS365, meeting tools) accessible to an AI model in a standardized way. For finance teams: the ecosystem holds 10,000+ public servers, half is hobby work, and the workable quarter demands deliberate selection — security and prompt-injection risk differ per server.

The MCP ecosystem holds more than 10,000 public servers as of early 2026. Half is hobby work, a quarter is duplicate, and the remaining quarter is usable to production-grade. This piece filters: which servers are worth running in a finance context, what they can do, which risk you take on, and — finance-specifically — which prompt-injection patterns we've seen in the wild.

A category split that helps

For finance usability and risk assessment, this split works:

Knowledge servers (read-only) — fetch information from an external source. Low risk, direct gain.
Action servers (read-write) — can also write, send mail, change status. Medium to high risk, depending on where they write.
Accounting servers — direct access to your accounting system. The most valuable and most sensitive category for finance.
Infrastructure servers — databases, file systems, cloud environments. High risk, rarely directly needed for finance.

Servers per category — through a finance lens

Knowledge servers

SharePoint / OneDrive MCP — searches and reads files. Good for "consult our close manual on this question" or "find last year's transfer-pricing report for client X." Watch out: the AI gets access to every file the service account can see. Scope that account tightly — a service account with access to the whole company is an unnecessarily large attack surface.

Notion MCP — if your knowledge base sits in Notion. Reads pages, databases, queries. For finance teams keeping KPI documentation, close checklists, or tax handbooks in Notion: a near-risk-free quick win.

Fireflies MCP — pulls meeting transcripts, summaries, and action items. Usable for finance meetings (MT, board prep, audit meetings, customer calls). Combined with a follow-up skill, it yields structural time savings.

Context7 / web docs MCP — fetches current documentation of libraries and tools. Rarely directly relevant for finance; for finance-IT teams building their own, yes.

Action servers

Outlook MCP — read, search, prepare drafts, optionally send. Always start in read-only or drafts-creation only. Send rights only after you've seen for two weeks that the drafts hold up — and even then usually only for internal mail, not customer correspondence.

Teams MCP — read messages, post. Risk: an AI posting in the wrong channel is a social problem, not a technical one. Limit to specific channels (e.g. finance-internal).

Calendar MCP (Outlook or Google) — read calendar, propose meetings. Useful for finance meeting planning, audit coordination. Combined with Fireflies it yields a "schedule this conversation and minute it" workflow.

Accounting servers — the heart for finance

Exact MCP — directly query open invoices, balances, transactions, credit notes. For write actions (postings, payment proposals): only via an approval layer, never autonomous. Critical: pick an MCP implementation that is EU-hosted with a DPA. For the Saldus platform this is the standard stack.

Twinfield / AFAS MCP — similar in functionality, production-ready depending on the vendor. As of early 2026, Exact integrations are the most mature; Twinfield and AFAS follow.

iWeb Exact AI Connect — third-party MCP server for Exact. In practice a research source for architectural choices; for production finance work we have not deployed this MCP because of a specific prompt-injection pattern (see below).

Banking MCP — fetch bank statements directly via PSD2 or bank-specific APIs. Useful for reconciliation flows; staging payments via an MCP isn't recommended for most SME finance teams — use the existing banking portal with HITL for that.

Infrastructure servers

Database MCPs (Postgres, Supabase) — direct SQL access. Rarely directly relevant for finance — finance works on structured finance data, not raw database tables. For finance-IT building their own: extremely careful, with a separate sandbox environment.

Filesystem MCP — for access to local finance files (Excel models, scanned documents). Always limit to specific folders, no access to system folders.

Prompt injection — the real risk in finance

A specific point for finance we can't skip: prompt injection via MCP servers. We've examined a competing platform's MCP server in practice where the response format included an _internal_hint field with instructions to the AI model. That field is not written by the user but by the tool provider — and can therefore be used to steer the AI model in ways the user doesn't see.

For finance teams this means: an MCP server talking to your accounting system can, in theory, give the AI model instructions the user doesn't know about. A malicious vendor (or a vendor whose server has been compromised) can route influence through this channel on what the AI does or answers.

The defense is non-trivial:

Use only MCP servers from trusted providers — your accounting vendor itself, your AI platform vendor with explicit contractual clauses, or self-built. Not servers from unknown publishers, no matter how handy the functionality looks.
Filter _internal_hint and similar fields if your AI platform allows it. This isn't a standard platform requirement; it's a specific configuration.
Write actions always via the approval layer, never directly. Even if an MCP server is compromised, a human can still correct before a posting lands.

Which servers to switch on tomorrow in finance

For an SME or scale-up finance team starting with MCP now, in order of ROI vs risk:

SharePoint / OneDrive MCP (read-only) — direct knowledge-base access, zero risk.
Outlook MCP (read and drafts, not send) — inbox triage and mail drafts.
Accounting MCP (read-only first) — basic questions about open items, balances, transactions.
Fireflies or comparable meeting MCP — for MT and audit meetings.
Calendar MCP — for calendar coordination around audits and close.

Servers better tackled later or avoided:

Accounting MCPs with write rights on production without an approval layer — build or buy the approval layer first.
Database MCPs directly on your production accounting system — no added value, only risk.
Unknown community MCPs — stick to official providers. The 10,000 public servers are not all trustworthy.
MCPs containing _internal_hint-style fields you don't know what they do.

What you set up once

The moment MCP enters a finance context, four one-time decisions make all subsequent months easier:

A list of approved MCP servers per finance role. New server = new approval by the CFO or finance manager.
One place where the team's MCP configuration lives — a shared mcp.json or a centralized platform — so everyone works with the same set.
A review cadence — every quarter, 30 minutes through the logs of the active MCPs, plus a check on new security notices from the providers.
A sandbox tenant for experimentation — no MCP server against production without weeks of sandbox testing first.

Audit-grade perspective

Every MCP server talking to the accounting system is audit-relevant. An external auditor will ask: which MCPs are running, with which rights, which actions did they take in the period. Immutable logs, an owner, and the annual review are not optional. For read-only MCPs the audit pressure is lower; for read-write MCPs on the accounting system it is high.

Saldus in practice

In Saldus the MCP layer sits under the hood: a custom Exact integration designed specifically for finance, with audit logging on every tool call, EU hosting, no _internal_hint pattern, and an approval layer for write actions. For finance teams who would rather not build an MCP stack from loose servers, this is a form of platform choice: less flexibility on MCPs, but a guaranteed level of governance and audit readiness.