In the space of about twelve months, "agentic AI in banking" went from a slide in an innovation deck to a production feature. Fiserv's agentOS is already running in beta at two financial institutions ahead of a planned August 2026 general release. FIS has partnered with Anthropic to put an autonomous financial-crimes investigator inside BMO and Amalgamated Bank. Google's Agent Payments Protocol has been donated to the FIDO Alliance and is being folded into card-network rails by Visa and Mastercard. None of this is a pilot deck anymore. It is live infrastructure, and it is arriving faster than the rules that are supposed to govern who is accountable when it moves a customer's money.
Most of the industry commentary on agentic banking still frames the challenge as a capability question — can the model reason well enough, plan far enough ahead, hold enough context to be trusted with a task. That question is largely settled. The harder question, and the one that will actually determine which institutions come through this transition intact, is who is authorised to instruct a payment, how that authorisation is proven after the fact, and who carries the loss when it turns out to be wrong. That is not a machine-learning problem. It is an authorisation and liability architecture problem wearing an AI costume, and treating it as the former is how a bank ends up with a very capable agent and no defensible answer for the regulator, the ombudsman, or the customer whose account it just drained.
What "agentic" actually means once you strip the marketing
The word is used loosely enough that it is worth being precise about what has actually changed. A useful frame, set out by the Payments Association, splits agentic deployments in banking into four operating models of increasing autonomy. Copilot checkout keeps a human confirming the final action — the agent does the work, the customer clicks pay. Delegated autopay lets an agent execute within pre-set rules — amount, category, merchant, geography — without a human present at the moment of execution, which is the pattern for subscription management and repeat purchases. A network agentic environment extends that delegation across tokenised, cross-border rails. And business-to-business agentic procurement applies the same delegated-autonomy logic to corporate purchasing, against budget rules and approval matrices rather than a personal spending limit.
The first model is automation with a chat interface. The other three are something categorically different: a standing grant of authority to an autonomous system to initiate a payment with no human in the loop at the moment of execution. That is the part of "agentic banking" that is actually new, and it is the part that current payment law was not written to handle.
The infrastructure is arriving before the authorisation layer
The industry's response has been to build a trust layer under the agent rather than wait for regulation to define one. Google's Agent Payments Protocol (AP2), announced in September 2025 with more than sixty launch partners including Mastercard, PayPal, Amex, Coinbase and Adyen, is now the most widely adopted attempt at this. AP2 does not move money itself; it wraps a payment in three cryptographically signed mandates — an Intent Mandate capturing what the user actually authorised, a Cart Mandate binding the specific price and item the agent selected, and a Payment Mandate that hands the transaction to whatever rail settles it, card, real-time bank transfer or stablecoin. The design goal is to answer, after the fact and non-repudiably, what a human authorised, what the agent decided, and what was actually charged — which is precisely the evidentiary gap that opens the moment a human stops clicking "confirm."
As of May 2026, AP2 has been handed to the FIDO Alliance for vendor-neutral governance, with Mastercard and Visa co-chairing the new Payments Technical Working Group tasked with reconciling it against their own network-level schemes — Mastercard's Agent Pay and Visa's Trusted Agent Protocol. The direction of travel across the card networks is toward composability rather than a single winner: Mastercard's Chief Data Officer confirmed in January 2026 that Mastercard participates in every major agentic protocol on the table, which is itself a signal that no institution should be betting a payments architecture on one horse. PayPal, for its part, has positioned itself through its 2026 acquisition of Cymbio as a "trust layer" for the agentic web, letting independent agents settle through its transaction graph while it retains merchant-of-record status — a reminder that the institutions racing hardest into this space are competing for exactly the position a bank would otherwise hold.
The crypto rails are moving in parallel and faster than most banks are watching. The x402 protocol, an HTTP-layer stablecoin payment standard built by Coinbase and Cloudflare, had processed more than 150 million agent-initiated transactions worth roughly $50 million within nine months of its May 2025 launch, entirely outside the card-network conversation. Whatever a bank's own agentic roadmap looks like, it is being built in a market where an alternative, non-bank settlement rail for agent-to-agent payment already has meaningful transaction volume.
Where UK and EU payments law has not caught up
Here is the gap that actually matters. PSD2 and the UK's Strong Customer Authentication regime were built around a simple assumption: a human is present at the moment of payment and gives explicit consent to that specific transaction. Nothing in the current framework treats an AI agent's mandate as equivalent to that human authorisation, and nothing defines what happens when the agent acts inside a delegated scope the human never reviewed transaction-by-transaction.
UK regulators have started to say this out loud rather than assume the existing rulebook covers it. The FCA's March 2026 Payments Regulatory Priorities report committed the regulator to reviewing payments and e-money regulation specifically to determine whether new rules are needed for agentic AI payments — a departure from its longstanding position that existing frameworks are sufficient for emerging technology. Matthew Long, the FCA's Director of Payments and Digital Assets, framed it as a natural extension of ongoing PSR modernisation work rather than a standalone project, which suggests any change will be folded into the broader payments-law overhaul HM Treasury is expected to consult on in the second quarter of 2026, alongside stablecoin and SCA reform. Nikhil Rathi went further in a June 2026 speech, naming agentic systems as the first of the two developments he expects to reshape financial markets, and stating plainly that accountability for regulated activities and outcomes has to remain clear even as the decision-making moves into systems investors do not fully understand.
UK Finance has already flagged the specific mechanism regulators will need to grapple with: the combination of agentic AI and Open Banking data access could create AI intermediaries acting on a consumer's behalf across products and providers, which is a materially different risk surface from a single bank's own chatbot. And the IMF's own 2026 note on agentic payments raises a genuinely uncomfortable design tension: the instinctive regulatory response — a human-in-the-loop approval step, or a kill switch that can interrupt an autonomous flow — can itself introduce liquidity risk if it delays a payment inside a multi-leg, cross-border chain that was optimised end-to-end on the assumption of no manual intervention. Safety controls borrowed from algorithmic trading, where kill switches are well established, rely on centralised, accountable intermediaries in a way that a genuinely autonomous agent-to-agent payment chain does not necessarily have.
The CMA is asking the same question from the other side
It is worth noticing that the FCA is not the only UK regulator that has arrived at authorisation and accountability as the central issue. The Competition and Markets Authority's March 2026 paper on agentic AI and consumers approaches the same technology from consumer and competition law rather than payments law, and reaches a strikingly similar conclusion: UK consumer protection law, sharpened by the Digital Markets, Competition and Consumers Act 2024, applies to an outcome regardless of whether a person or an AI agent produced it, and that principle does not soften just because the decision-maker is autonomous.
Two parts of the CMA's analysis translate directly onto banking. The first is what it calls the "faithful servant" risk — that an agent optimising for the interests of the business that built it, rather than purely for the consumer who delegated to it, can steer that consumer toward a more profitable but less suitable outcome without the steering being visible. A bank's own agent recommending the bank's own products carries exactly this conflict, and it is a conflict consumer law already treats as a form of harm, agent or no agent. The second is what the CMA terms "agentic collusion": where multiple institutions deploy autonomous agents that optimise pricing independently, those agents can arrive at coordinated-looking outcomes without ever communicating, which is a live competition-law exposure for any bank using agentic tools to personalise pricing or credit terms at scale. The CMA's own illustrative case study of a personal finance agent ends on a line that could sit unchanged in a payments-regulation paper: safeguards should include clear accountability, including liability, when an agent acts outside the customer's actual instructions.
The practical takeaway is that a bank building agentic capability now is answering to two regulatory flanks at once, not one, and they are converging rather than competing. The Digital Regulation Cooperation Forum, which brings the CMA together with the FCA, ICO and Ofcom, has a joint report on agentic AI in progress — worth watching for precisely because it is likely to be the point where the payments-authorisation view and the consumer-protection view get reconciled into a single expectation.
The liability question nobody has actually answered
Strip away the protocol diagrams and one question remains open across every jurisdiction currently looking at this: when an agent initiates an incorrect or fraudulent payment, who is responsible — the customer who delegated the task, the developer of the agent, the bank or platform that made the agent available, or the merchant on the other end of the transaction? Existing consumer-protection and payment-services law was not drafted with a non-human decision-maker in the chain, and current commentary is consistent that this ambiguity, not model capability, is the actual barrier to broader autonomous deployment.
This is not an argument for waiting. It is an argument for building the audit trail before the regulator asks for it, because the institutions that will be able to answer the liability question quickly and credibly are the ones that can point to a signed, timestamped chain of exactly what was authorised, by whom, within what limits, and what the agent actually did — which is precisely what a mandate-based architecture like AP2 is designed to produce, and precisely what a bank's own bilateral agent deployment will not produce by accident.
What this means for a bank building now
Do not wait for the FCA's consultation to decide where to start, but do not confuse "we shipped an agent" with "we have an agentic banking strategy" either. Three decisions matter more than the choice of model or vendor.
Match autonomy to reversibility, deliberately. The Payments Association's four-model framework is a reasonable ladder: start with copilot checkout, where a human still confirms, and only extend to delegated autopay and network-level agentic environments once the audit trail, the revocation mechanism and the exception-handling workflow have been tested under real volume. The instinct to jump straight to full autonomy because the technology allows it is exactly the instinct that produces a liability question with no answer.
Treat the mandate architecture as infrastructure, not a feature. Whichever protocol stack a bank settles on — AP2, a network-specific scheme, or both, since the card networks themselves are hedging across all of them — the non-repudiable record of intent, scope and execution is the asset that determines whether a dispute is a five-minute lookup or a six-month investigation. This is solution design and data governance work before it is an AI integration project, and it belongs in the same conversation as the bank's existing fraud, screening and case-management architecture rather than bolted alongside it as a separate agentic workstream.
Decide, explicitly, who owns key custody and credential issuance for the agents acting on the bank's behalf. An autonomous agent authorised to move money is, functionally, a set of cryptographic keys and signing credentials with a policy wrapped around them. Where those keys are generated, stored and attested — and whether that infrastructure can prove to a regulator or auditor that it was never exposed even to the bank's own operators — is quickly becoming as material a question as the authorisation protocol itself, particularly as agent workloads move onto shared cloud and neocloud infrastructure. It is not a coincidence that confidential computing is emerging as a serious topic in the same institutions building agentic payment capability; the two problems — proving what an agent was authorised to do, and proving that its credentials could not have been tampered with — sit closer together than most current agentic-AI vendor pitches acknowledge.
The institutions that get this right
The pattern from every adjacent domain that has already been through this — algorithmic trading, open banking, real-time payments — is the same. The technology arrives, the rules lag, and the institutions that treat the interim period as licence to move fast on capability while treating governance as a later phase are the ones that end up rebuilding under regulatory pressure, at a worse time and a higher cost, than the institutions that built the authorisation and audit architecture as the foundation from day one.
Agentic banking will not be won by whichever bank deploys the most capable agent first. It will be won by whichever institution can prove, cleanly and quickly, exactly what it authorised and exactly what happened — because that is the only currency that matters once something goes wrong, and something, eventually, will.
If you are scoping where agentic deployment fits your own payments and authorisation architecture, and which of the current protocol stacks is actually durable for your institution's risk profile, that is precisely the kind of question a short, confidential discovery conversation is built to answer.
Bibliography
- Fiserv — Fiserv Launches agentOS: The Operating System for Agentic AI in Banking (14 May 2026). https://investors.fiserv.com/news-releases/news-release-details/fiserv-launches-agentos-operating-system-agentic-ai-banking
- FIS — FIS Brings Agentic AI to Banking with Anthropic, Starting with Financial Crimes (4 May 2026). https://www.fisglobal.com/about-us/media-room/press-release/2026/fis-brings-agentic-ai-to-banking-with-anthropic-starting-with-financial-crimes
- Google Cloud — Announcing the Agent Payments Protocol (AP2) (16 September 2025). https://cloud.google.com/blog/products/ai-machine-learning/announcing-agents-to-payments-ap2-protocol
- AP2 Protocol — official documentation and specification. https://ap2-protocol.org/
- Agent Payments Protocol (EU informational resource) — AP2 governance transfer to FIDO Alliance (updated 18 May 2026). https://agentpaymentsprotocol.eu/
- Everest Group — Google's agent payments protocol (AP2): A new chapter in agentic commerce (12 January 2026). https://www.everestgrp.com/googles-agent-payments-protocol-ap2-a-new-chapter-in-agentic-commerce-blog/
- Fenwick — Is 2026 the Year of Agentic Payments? (22 April 2026). https://www.fenwick.com/insights/publications/is-2026-the-year-of-agentic-payments
- IMF — How Agentic AI Will Reshape Payments, IMF Notes 2026/004 (24 April 2026). https://www.elibrary.imf.org/view/journals/068/2026/004/article-A001-en.xml
- The Payments Association — Agentic commerce will be won on trust, not automation (11 May 2026). https://thepaymentsassociation.org/article/agentic-commerce-will-be-won-on-trust-not-automation-why-european-banks-must-become-the-control-layer-for-ai-driven-payments/
- Payment Expert — FCA eyes rule change as agentic AI comes to payments (25 March 2026). https://paymentexpert.com/2026/03/25/fca-2026-payments-regulatory-priorities-report/
- FCA — Rethinking regulation for the age of AI, speech by Nikhil Rathi at techUK (24 June 2026). https://www.fca.org.uk/news/speeches/rethinking-regulation-age-ai
- The Association of Corporate Treasurers — One year on: what the National Payments Vision means for corporate treasurers (28 April 2026). https://www.treasurers.org/hub/treasurer-magazine/one-year-what-national-payments-vision-means-corporate-treasurers
- Finextra (Nikita Zelezkins) — Agentic AI in Payments in 2026: What's Real, What's Pilot and What's Still Hype (23 February 2026). https://www.finextra.com/blogposting/30920/agentic-ai-in-payments-in-2026-whats-real-whats-pilot-and-whats-still-hype
- Competition and Markets Authority — Agentic AI and Consumers (9 March 2026). https://www.gov.uk/government/publications/agentic-ai-and-consumers/agentic-ai-and-consumers


