Agentic payments: Who clicked buy?

Introduction

Agentic payments are no longer hypothetical. AI agents are starting to shop, buy, and make payments on consumers’ behalf. This evolution in commerce raises new questions about data access, payment compliance, contract formation, and accountability in a setting where a human may not be present at the time of the transaction. For example, threshold legal questions include how the agent obtains the consumer’s payment credentials and financial data, whether the agent decides which payment method to use on behalf of the consumer, and which compliance regime and consumer protections follow that choice. From there, the analysis broadens to governance and fraud controls, whether an electronic agent can bind a consumer to checkout terms, and how liability will be allocated among the consumer, merchant, network, and platform if things go wrong. These are just some of the questions companies need to consider as they start to engage with agentic payments tools, whether as providers of agentic payments solutions, financial institutions and fintechs operating within payment systems that include agentic payments, or merchants accepting payments in an environment that includes AI payment agents.

I. How AI Agents Obtain Payment Credentials and Financial Data and the Obligations That Follow

An AI agent cannot pay without first obtaining the consumer’s payment credentials, and access to other types of the consumer’s financial information may be important to the agentic payment solution’s value proposition. When an agent retrieves account data via a bank, the open-banking framework will ultimately come into play. The Consumer Financial Protection Bureau’s proposed Personal Financial Data Rights Rule under Section 1033 of the Consumer Financial Protection Act and New York’s proposed open-banking framework are built on the idea that a consumer can direct a financial institution to share covered data with an authorized third party. Both frameworks remain in flux, but the current definitions of “authorized third party” under those regimes could reasonably be read to include agentic payment providers and, by extension, their agents. While we wait for final open-banking rules in the US, many agentic payment solution providers will rely on negotiated arrangements with data aggregators to connect to bank payment credentials and financial information for their customers.

If the customer provides multiple payment methods to an agentic payment tool, and the tool has autonomy to select among those payment methods at the time of the transaction, the payment method selected by the agentic payment tool can have real consequences for the customer in terms of available consumer protections. For example, if the agentic payment tool chooses to pay with a credit card, the consumer has protection under Regulation Z and the card network rules for unauthorized transactions and chargeback rights. But if the tool chooses a crypto wallet, the consumer may have little to no protection after the payment is completed. Further, the agentic payment tool’s decision-making about which payment method to use may not align with the consumer’s risk tolerance for different types of transactions with different risk factors.

II. Trusting the Agent: Emerging Know-Your-Agent Frameworks and Their Limits

The second issue is governance. Card networks are some of the first movers to promulgate a governance framework around agentic payments within their ecosystems. For example, Visa’s Trusted Agent Protocol (TAP) requires registration of agents before they transact on the network. While registration can identify which agent acted, it does not show whether the agent was manipulated. That gap matters because the signature risk in agentic commerce is not just unauthorized access but also corrupted decision-making. For example, a prompt-injected merchant page could cause an otherwise valid agent to alter quantities, prices, or destinations while still appearing to operate normally. At the same time, institutions may find that transaction patterns long treated as fraud signals now look indistinguishable from ordinary agent behavior requiring a modified approach to transaction and fraud monitoring. Critically, TAP is currently a Visa network rule and not a cross-network standard. Agents operating on other rails may be governed by distinct, and not necessarily interoperable, verification frameworks.

III. Contract Formation and Electronic Agents

The third issue is contract formation. If an AI agent accepts checkout terms, merchants will argue the consumer authorized the agent to act in ways the checkout flow required, including accepting those terms. Some consumers, by contrast, may argue that authorizing an agent to buy a product is not the same as authorizing it to waive rights through arbitration clauses, refund limits, or other buried terms.

Under Specht v. Netscape Communications Corp., 306 F.3d 17 (2d Cir. 2002), online contract formation requires conspicuous notice and unambiguous assent, which assumes human presence. The use of agentic payment tools to make purchase and payment decisions could call into question whether a consumer can be deemed to have unambiguously agreed to terms and conditions that were accepted on the consumer’s behalf by an AI agent when the consumer did not see the terms and conditions prior to the transaction. These types of questions may put new strains on questions of e-commerce and agency law. However, the Uniform Electronic Transactions Act (UETA), which has now been adopted in varying forms in almost every state, points the other way. UETA § 14 recognizes that some contracts can be formed through the actions of an electronic agent, even when no person is reviewing each step in real time. That gives merchants a real argument that a consumer may still be bound by terms accepted by a shopping agent at checkout. Merchants may also look to general agency law and argue that the consumer appointed the agentic payment tool (or its provider) as the consumer’s agent, and so the merchant was entitled to rely on the actual or apparent authority of the agentic payment tool to act for and on behalf of the consumer.

IV. The Legal Asymmetry: Centralized Providers vs. Open Platforms

The final issue is accountability. A company that builds the agent, stores the credentials, chooses the payment logic, and owns the consumer relationship will be the natural target for regulators, payment networks, and plaintiffs in the event of bad conduct or bad results involving an agentic payment solution. On the other hand, open platforms that allow users to build tools such as agentic payment solutions may try to characterize themselves as neutral infrastructure, but that framing does not eliminate the underlying risk. Rather, it makes responsibility harder to assign.

That creates a potential asymmetry: firms that internalize compliance early bear real costs, while open-platform actors may delay those costs by arguing they are only tool providers. But as agentic payments and the governing regulatory frameworks mature, centralized providers may gain a trust advantage. And like Visa and other card networks have done with non-compliant participants, infrastructure owners may ultimately exclude open-platform agents that cannot meet compliance standards.

__________

If you have any questions about this Legal Briefing, please feel free to contact any of the attorneys listed or the Eversheds Sutherland attorney with whom you regularly work.