Agentic Payments Are Coming: What European PSPs and Compliance Teams Must Do Before Regulators Catch Up

AI agents are already making payments on behalf of consumers. The compliance frameworks governing those payments do not exist yet.

That gap between what the technology can do and what regulation currently covers is the most pressing risk management challenge facing European PSPs and compliance teams in 2026. And it is one that will not wait for regulatory clarity before it starts creating real problems.

The Scale of What Is Already Happening

Google launched its "Buy for Me" feature in November 2025, enabling users to delegate purchases from major merchants without human involvement at the point of transaction. FIS followed in January 2026 with the payments industry's first dedicated agentic commerce offering, built in partnership with Mastercard and Visa to allow banks to identify, authorise and manage agent-initiated transactions at scale.

The numbers behind this shift are significant. McKinsey forecasts agentic commerce could generate up to $1 trillion in orchestrated transactions in the US alone. Global B2C sales through AI agents are projected to reach $3–5 trillion by 2030. AI drew nearly a quarter of all fintech funding in Q3 2025, according to CB Insights.

As Mastercard's chief digital officer noted recently: "Typically in payments, it takes 10 to 15 years to have a global technology adopted but the pace of this technology is something else." Regulators will not keep pace. The institutions building internal frameworks now will be ahead when they do.

Three Compliance Gaps Nobody Has Solved

Strong Customer Authentication was built for humans. PSD2's SCA requirements and the adaptive SCA framework being introduced under PSD3 assume a payer who is present, aware of the transaction, and able to authenticate. An AI agent acting autonomously meets none of those conditions.

Under PSD3, PSPs that delegate SCA functions to third parties, wallets, gateways, or platforms retain full liability for SCA failures and must maintain audit rights over the service provider. When the service provider is an AI agent transacting across multiple merchants simultaneously, that liability and audit trail becomes extremely difficult to manage.

Liability remains an open question. As AI agents take on a more active role in initiating payments, the question of responsibility becomes increasingly complex. If an agent overspends, pays the wrong merchant, or falls victim to a social engineering attack, existing frameworks offer limited guidance on where accountability sits, whether with the PSP, the consumer who granted access, or the company that built and deployed the agent. PSD3's platform liability provisions were designed with marketplaces and social media platforms in mind. Chargeback rights for agent errors and APP fraud liability in delegated payment scenarios are areas the regulation has yet to fully address.

AML frameworks were not designed for agents. KYC is Know Your Customer. KYB is Know Your Business. The industry is now confronting Know Your Agent, verifying what the agent is, who authorised it, what scope it holds, and whether each transaction falls within that scope. FIS built its January 2026 launch explicitly around KYA data, providing issuers with agent identity credentials alongside card details for every agent-initiated transaction. But KYA has no codified regulatory standard. PSPs processing agent transactions are doing so without a framework.

What to Do Before the Framework Arrives

Waiting for regulatory guidance is not a strategy. These five steps do not require it.

Define agent transaction policies now. Spending limits, permitted merchant categories, step-up triggers for human review, these are risk decisions PSPs are equipped to make internally today.

Build agent identity into transaction monitoring. Every agent-initiated transaction should carry metadata agent type, authorisation scope, consent timestamp as the foundation for AML screening and dispute resolution.

Map SCA delegation liability under PSD3. Identify where agent transactions sit in your delegation chain and who carries liability at each point before PSD3 enters force.

Bring agentic AI inside your model risk framework. Explainability and auditability are not optional features, they are the conditions under which regulators will permit autonomous AI to operate in regulated payments.

Monitor Visa's Trusted Agent Protocol and Mastercard's Verifiable Intent framework. These are the most developed industry-level responses to agent identity and authorisation, and the most likely forerunners of eventual regulatory standards.

Join the Conversation in Dublin

These questions, liability, SCA, Know Your Agent, model risk and agentic fraud, are on the agenda at the NextGen Payments & RegTech Forum, 11 June 2026, Conrad Hotel, Dublin.

Senior contributors from Stripe, JPMorgan Chase, Coinbase, Fexco, European Payment Initiative, Paysafe, Banking & Payments Federation Ireland, Corpay, Central Bank of Ireland, Mangopay, Fire, Flagstone and Dojo will address the practical steps Irish and European PSPs need to take - before regulators take them for you.

Attendance is free for qualified delegates.

Request the full agenda or secure your place →

For sponsorship or registration enquiries: info@qubevents.com

Sources: FIS Agentic Commerce Launch (January 2026) · McKinsey Agentic Commerce Forecast · CB Insights Fintech Funding Q3 2025 · Checkout.com Payment Trends 2026 · Norton Rose Fulbright PSD3/PSR Analysis (March 2026) · MPE 2026 Mastercard Keynote (April 2026)