top of page

Know Your Agent: The Liability Gap in Agentic Payments in the UAE

Agent-initiated payments moved into live operation over the course of 2026, and the UAE is not watching from the sidelines. Globally, the pace is comparable. FIS launched the payments industry's first dedicated agentic commerce offering in January 2026. In March, Mastercard and Santander, with PayOS orchestrating, completed Europe's first live end-to-end payment executed by an AI agent in a controlled environment, and Visa extended support for machine-to-machine payment protocols across its acceptance platform. McKinsey estimates agentic commerce could orchestrate up to $1 trillion in orchestrated US retail revenue by 2030, with the global opportunity reaching $3-5 trillion, a scale Everest Group's modelling broadly matches.


The compliance frameworks governing these transactions, however, were built for a human initiator. For institutions operating in the UAE, that gap is now a live risk-management question, not a future one.


Existing Frameworks Assume a Human Initiator


Current rules are structured around a person who authenticates a payment they have personally authorised. Agent-initiated flows do not fit that model.


The International Monetary Fund set out the underlying tension in an April 2026 analysis: payment systems must reconcile the adaptive, probabilistic behaviour of agentic AI with the deterministic, rule-based logic that gives payment rails their legal certainty. Consent records, audit trails, dispute rights and model-risk controls were not specified for an actor operating under a standing mandate.


In Europe, agent-based models remain subject to PSD2 and Strong Customer Authentication with no dedicated regime, leaving unresolved which party provides the payment service, who controls the customer's funds, and where liability sits once authority has been delegated to software that acts while the account holder is offline. The UAE faces the same structural question under its own framework.


What the CBUAE Expects on AI Accountability


The UAE's supervisory position is now on record. In February 2026, the Central Bank of the UAE issued guidance for licensed financial institutions on the responsible adoption and use of artificial intelligence and machine learning, built around five principles: governance and accountability, fairness and non-discrimination, transparency and explainability, effective human oversight, and data management and privacy.


The guidance is not legally binding, but it introduces the concept of a "high-impact decision" and signals that the CBUAE will assess AI through existing supervisory frameworks - conduct, credit, operational and cyber risk - rather than a separate AI regime.


One principle matters more than any other for agentic payments: regulatory responsibility stays with the institution. Accountability for an agent's actions cannot be delegated away, which raises rather than lowers the bar for the tooling around it. Institutions carrying that accountability need vendor and RegTech partners whose controls are transparent, auditable and built to evidence compliance - the value of a strong service provider grows precisely because the liability cannot be handed over.


Know Your Agent Emerges as a Control Layer


"Know Your Agent" describes the discipline forming in response, extending established KYC logic to a non-human actor. The objective is to authenticate that a payment request originates from a specific, authorised agent instance, bound to an identified user and provider.


The Aldar deployment shows what this looks like in practice: a consent-led flow that confirmed the customer's details before acting, with tokenisation through Visa's Token Management Service protecting the underlying credential. In January 2026, Mastercard and Visa partnered with FIS to give issuing banks agent authentication and credential tokenisation for agent-initiated transactions.


The operational requirements are specific. Agents require device-bound or permissioned tokens, defined limits on autonomy and spend, mandatory checkpoints for human approval, and a recorded chain of authority that a supervisor can reconstruct after a transaction. For payment institutions, this is best read as accountability established at the design stage, rather than reconstructed after a dispute arises.


Fraud Liability and the Delegation Risk


The fraud profile shifts in parallel. Loss is already migrating from attacks on the authentication step toward manipulation of the party that initiates a payment.

Delegation widens that exposure: an agent granted broad authority without constrained limits, continuous monitoring and stop-or-step-up mechanisms is a faster route to loss than a single compromised credential. Layered signals - spanning behaviour, device and network intelligence - now need to account for agent behaviour, not only the human behind it.


What UAE Payment Institutions Should Prioritise Now


For institutions positioning the UAE as a trusted payments hub, agent-readiness is a governance matter rather than a future roadmap item - and the rails are already AI-native.


The Central Bank's Financial Infrastructure Transformation programme spans the Aani instant payments platform, the Jaywan domestic card scheme, the Nebras open finance platform and the Digital Dirham, and in 2025 the CBUAE formed a sovereign-AI joint venture with Presight to embed AI across that infrastructure. The UAE's open finance regulation is regarded as one of the most ambitious implementations globally.


The firms positioned to capture agent-initiated volume are those whose infrastructure already supports tokenised credentials, agent-aware acceptance and account-to-account rails, and whose compliance design resolves the questions of liability, consent and auditability before industry standards are finalised. The immediate priorities are defined delegation limits, established agent authentication, and a complete, examinable record of an agent's authority.


The Conversation at the Forum


Join over 250 senior payments, risk and compliance leaders from Mastercard, First Abu Dhabi Bank Misr (FABMISR), Mashreq, Banque Saudi Fransi, Bank of Muscat, Banque du Caire, Jingle Pay, Pay10, XTransfer, Transak, MANTRA Finance, ARP Digital, InvestGB and more at the NextGen Payments & RegTech Forum, 8 October 2026, Fairmont Hotel, Dubai, UAE.



For sponsorship or registration enquiries, contact info@qubevents.com


This article is general commentary and does not constitute legal or regulatory advice.


By: Zinah Abdaki, CMO at QUBE Events


Sources: McKinsey · Everest Group · IMF, April 2026 · Visa, December 2025 · CBUAE, February 2026 · Osborne Clarke, March 2026 · Forrester, April 2026


QUBE CONNECT

Subscribe to stay informed on the latest updates from QUBE Events

#qubevents

©2026 CIEL QUBE EVENT NETWORK LTD

United Kingdom | Greece | Cyprus | Malta | South Africa

Email: info@qubevents.com | Phone: +44 (20) 80732043 | +357 22010583
Privacy Policy

bottom of page