Agentic AI in the payments chain: regulatory challenges for financial institutions

This article was first published in the May issue of Butterworths Journal of International Banking and Financial Law.

Key Points 

• A rapidly emerging application of agentic AI is agentic commerce.
• Financial institutions will need to assess a number of areas when considering whether their existing compliance frameworks are sufficiently robust.
• This will include consideration of governance and oversight, cybersecurity, controls and permissions, audit trails and transparency.

AI “agents”, which combine the reasoning of generative AI with memory and execution capabilities, are the next frontier of AI risk and opportunity. One rapidly emerging application is agentic commerce, where agents autonomously execute tasks and make payments — whether operating alone or in multi-agent systems. For financial institutions, the question is not whether agentic commerce will arrive, but whether their existing compliance frameworks can absorb it. This article considers how firms can satisfy regulatory obligations, mitigate risks and allocate liability in this new landscape.

How agentic commerce works

 A typical agentic commerce cycle might proceed as follows: the user sets an objective, such as a request for their agent to “book me a holiday to Argentina that costs less than £x and pay using the most rewarding card in my wallet”. This triggers an autonomous workflow: the agent searches for available products across platforms, monitors price changes, manages checkout and delivery, and completes the payment — selecting the preferred payment method, initiating the transfer, and applying pre-set preferences such as price limits or repayment terms.

To facilitate such use cases, major payment providers are expanding capabilities to allow Al-mediated payment initiation. Various card networks have announced initiatives which replace sensitive card details with secure, single-purpose tokens for the AI agent, over which the consumer can set spending and usage controls. Open banking enables agents to initiate account-to-account payments directly.

Different models are emerging to manage security concerns. In some cases, only registered AI agents may access the relevant payment platforms. Other models include methods for verifying the consumers’ identity and incorporating intent-driven security measures, where the agent’s behaviour is analysed to determine the purpose of the agent’s visit. Alternatively, pre-funded “AI wallets” can enable autonomous action without per-transaction approval within a capped budget. Payment service providers (PSPs) can also deploy additional automated authentication layers that validate agent-initiated transactions by checking contextual data, like the user’s original instructions. Some of these models rely on automated decision-making (ADM) with no meaningful human review at the point of the transaction. Others, by contrast, retain a human-in-the-loop step which may require the customer to check and confirm the agent’s proposed action before execution. Where a model relies on ADM without meaningful human review, specific rules under data protection law may be engaged — in the UK, for example, individuals generally have the right to be informed that ADM is being used and to request human review of the relevant decision(s). Firms adopting ADM-based models must therefore ensure transparency and build systems that enable meaningful challenges to agentic decision-making.

Challenges across the payments chain

Agentic AI poses distinct questions for each participant in the payments chain. As AI agents increasingly mediate the purchasing relationship, banks risk losing (or weakening) the direct relationship with their customers. PSPs must determine whether they are ready to accept payments from an agent, how they will verify its legitimacy and whether they have the ability to ensure payments are consistent with the payer’s instructions. More broadly, PSPs must consider how they ensure agentic transactions are made consistently and safely.

Specific Regulatory Concerns

Strong customer authentication Under UK and EU rules, PSPs must apply strong customer authentication (SCA) where a user initiates an electronic payment transaction. SCA generally involves authentication based on two or more independent elements drawn from three categories: knowledge, possession and inherence. Agentic AI raises challenges for SCA. Traditional SCA assumes a human enters a PIN, provides a biometric, or responds to a push notification; an AI agent cannot do these things in the conventional sense. Practical solutions include issuing time-limited, scope-limited tokens that attest to the user’s prior SCA completion, or integrating SCA credentials via a limited-scope API so the agent can present proof of authentication without possessing raw credentials. None of the current rules explicitly contemplate non-human-initiated authentication, meaning firms may need to seek guidance from the regulators to ensure compliance.

Fraud assessments

Many fraud detection systems trigger alerts when numerous payment requests are made in quick succession, as that pattern is typically associated with compromised accounts. AI agents can legitimately generate precisely this pattern in seconds. Firms will therefore need to develop agent-aware fraud analytics that distinguish between an authenticated agent acting within its delegated parameters and genuinely anomalous activity. This might involve ingesting contextual metadata — such as the original user instruction, the agent’s identity token or its transaction history — as additional fraud assessment inputs.

Liability and risk allocation

A central question is how liability is assigned when an agent exceeds a customer’s pre-defined spending limit, or where a fraudulently initiated payment is processed via an agentic workflow.

In the absence of guidance on this point, the existing approach to authorised push payment (APP) fraud might indicate by analogy how regulators could allocate liability for agentic AI payment fraud. Under the Payment Systems Regulator’s mandatory APP fraud reimbursement requirement, the sending PSP must reimburse the consumer in most cases — even where fraud arises from a third party’s actions. Liability is then shared 50:50 between sending and receiving PSPs, up to a cap of £85,000 (subject to limited exceptions). If a similar approach is taken to agentic AI, the aggregate exposure of PSPs could be significant given the speed and scale at which AI agents can authorise payments. 

To mitigate that risk while there is regulatory uncertainty, institutions may wish to consider contractual risk-sharing with agent developers. Contractual risk-sharing will also need to align with the controller-processor analysis under data protection laws. Typically, a controller will have primary liability under data protection laws; however, if a processor acts outside the scope of its authority, it may be deemed to be a controller and attract primary liability.

Consumer Duty

The FCA’s Consumer Duty requires firms to act to deliver good outcomes for retail customers. Applied to agentic commerce, this raises a number of questions.

One question is whether the Duty effectively requires institutions to take steps to accommodate autonomous payments if their customers wish to make such payments. Institutions should also consider whether they are required to accept different forms of payment that are more amenable to high-frequency agent-to agent payments, such as stablecoins.

However, institutions must balance the requirement to deliver good outcomes for consumers against their other regulatory obligations — namely, data protection requirements around the security and lawful use of personal data. The way an institution manages authentication, data sharing with third-party agents and the storage and processing of customer information will all be relevant to whether accommodating autonomous payments truly constitutes a “good outcome”. An institution that enables agentic payments, but exposes customers to disproportionate data protection risks, is unlikely to comply with the principles of the Consumer Duty, even though it offers greater choice.

Specific Consumer Duty outcomes create complexities for institutions involved in agentic commerce chains. For example, does the “consumer support” outcome require institutions to deploy their own agents to communicate with their customers’ agents? Regardless of the extent to which they accommodate agentic transactions, institutions will need robust systems and controls to ensure that customers are not exposed to disproportionate risk, which could, in some cases, mean restricting agent access altogether. The FCA’s Dear CEO letter dated 7 October 2024 (in the context of APP fraud) highlighted inadequate scam detection and prevention processes as a form of foreseeable harm under the Consumer Duty. The FCA may well apply a similar lens to firms that fail to adapt their fraud controls to agentic payment patterns.

SM&CR, responsibility and data protection

Even if firms do not develop or license agentic AI, their senior managers will still need to be Al-literate as they remain responsible for understanding and mitigating risks in the business areas relevant to them. Uncertainty over expectations for senior managers under the UK’s SM&CR in the context of AI was one of the areas flagged in the recent Treasury Select Committee’s Report on AI could threaten the stability of, or confidence in, the UK’s in Financial Services. That report recommended the FCA publish comprehensive, practical guidance for firms on accountability and the level of assurance expected from senior managers for harm caused through the use of AI. 

Despite the language of agency, AI agents do not remove organisational responsibility for processing data. Whether a firm is a controller or a processor will determine its obligations under data protection law, and in multi-agent systems, this will require a systemic understanding of the controllership status for every agent in each payments chain to ensure that controls are effective.

As firms integrate agentic systems that make autonomous decisions, they will likely need to update their data protection impact assessments and customer-facing disclosures to ensure compliance.

Operational resilience and cyber threats

Firms should determine whether agents may themselves constitute a critical component of an “Important Business Service”, which broadly captures the services a firm provides that, if disrupted, could pose a risk to the firm’s safety and soundness. Agentic AI may cause harm more quickly, or at larger scale, and firms therefore should factor this into scenario testing. Where agentic AI is delivered via third-party models, firms should assess outsourcing risk and ensure compliance with the rules and guidance on outsourcing and third-party risk management. These considerations are particularly acute where institutions rely on a single model provider. The risk of over-reliance by UK financial services firms on a small number of US technology firms has also been noted as a growing systemic issue by the Treasury Select Committee’s Report on AI in Financial Services.

From a cyber-security perspective, agentic AI also introduces novel risks of system compromise. Organisations have already started to map emerging agentic risks and potential mitigations. Novel attack vectors include tool misuse (manipulating agents to abuse their integrated tools through deceptive prompts), identity spoofing (exploiting authentication mechanisms to impersonate AI agents) and memory poisoning (introducing false or malicious data in the AI agent’s memory to exploit the agent’s context). Data protection law requires that organisations ensure the confidentiality, integrity and availability of the personal data they process using appropriate technical and organisational measures. What will satisfy this test of “appropriate” will depend on the risk landscape and the agentic AI’s role in the organisation. It will be important from both a data protection and financial regulation perspective for firms to understand these emerging risks and mitigate them.

Unregulated AI providers that become so significant that a failure or disruption in the provision of their services could threaten the stability of, or confidence in, the UK’s financial system may themselves be designated by Treasury as critical third-party service providers. At that point, they would become subject to the additional rules and oversight of UK financial services regulators.

Key Takeaways

Given the scale of agentic AI’s impact on financial institutions, the following areas should be prioritised:

• Governance and oversight: senior management will need to be aware of agentic AI risks that are relevant to their areas of responsibility. SM&CR accountability mapping should be reviewed, and firms should ensure that senior managers have sufficient knowledge and expertise to appropriately oversee AI use in their areas.
• Cyber-security: agentic-specific threat vectors should be incorporated into cyber risk frameworks and scenario testing.
• Controls and permissions: authentication and authorisation frameworks should accommodate non-human actors, eg via delegated token models or AI wallets with appropriate controls.
• Audit trails: end-to-end traceability of agentic transactions will be essential for compliance, dispute resolution and fraud investigation purposes.
• Transparency: the Consumer Duty, the UK GDPR’s ADM provisions and general regulatory expectations all require that customers understand when AI agents are acting on their behalf and retain meaningful ability to intervene. As such, firms should consider establishing clear disclosure standards.