On 10 June 2026, Mastercard launched Agent Pay for Machines, extending its agentic payments framework from consumer-delegated transactions to fully machine-to-machine commerce with multi-rail settlement across cards, accounts, and stablecoins. Three months earlier, on 2 March 2026, Banco Santander and Mastercard completed Europe's first live end-to-end payment executed by an AI agent within a regulated banking framework. Between those two dates, Stripe and Tempo launched the Machine Payments Protocol and submitted it to the IETF, and the x402 Foundation moved under the Linux Foundation.
The infrastructure for autonomous AI agents transacting in crypto-assets and stablecoins is no longer a roadmap item. It is deployed, processing transactions, and in at least one case operating inside a regulated European bank.
The EU regulatory framework was not built for this. MiCA assumes a client who is a natural or legal person. The Transfer of Funds Regulation requires an originator with a name and an address. The AML framework assumes a customer who can be subjected to due diligence. The AI Act, whose high-risk provisions become applicable on 2 August 2026, requires human oversight of exactly the autonomous decision-making that agentic payments are built to remove.
ESMA's own data confirms this is not hypothetical. Its TRV Risk Analysis on AI adoption in EU securities markets, published 20 February 2026 and based on a summer 2025 survey, found that roughly 17% of reported AI use cases already involve agentic AI, which ESMA defines as LLMs endowed with access to external tools including the ability to execute trades. The agents are already inside the regulated perimeter. The rules that would identify, authorise, and hold them accountable do not exist.
This article maps the problem in four layers: the compliance frameworks that apply, the three protocol architectures that now carry agentic payments, the four specific gaps where the frameworks and the protocols fail to meet, and what a Know Your Agent framework would need to contain to close them.
Layer 1: The Compliance Frameworks That Assume a Human
Four EU instruments govern the activity that agentic payments now perform. Each was drafted on the assumption that a human or a registered legal entity sits behind every transaction.
MiCA (Regulation (EU) 2023/1114). The CASP framework regulates services provided to clients. Article 70 requires safeguarding of client assets. Article 66 requires CASPs to act in the best interests of clients. The conduct architecture presumes a client capable of receiving disclosures, giving consent, and bearing rights. MiCA contains no provision contemplating that the counterparty initiating a transaction through a CASP's infrastructure might be software acting autonomously.
The Transfer of Funds Regulation (TFR). Every crypto-asset transfer between CASPs must carry originator and beneficiary information with no minimum threshold: full name, account number or unique transaction identifier, and address, date of birth, or national identity number. For legal entity originators, the LEI is a mandatory data field. The data model has exactly two categories of originator. An autonomous agent is neither.
The AML framework in transition. AMLD6 obligations on beneficial ownership register access take effect 10 July 2026. The Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) replaces the directive structure with a directly applicable single rulebook from July 2027, under AMLA supervision. The customer due diligence architecture in all of these instruments identifies, verifies, and risk-scores customers who are natural or legal persons. There is no CDD category for an autonomous software principal, and no guidance on whether the agent, its operator, or its beneficiary is the customer.
The EU AI Act (Regulation (EU) 2024/1689). High-risk provisions become applicable 2 August 2026. AI systems used in financial services contexts listed in Annex III, including creditworthiness assessment and, by extension under EBA's November 2025 factsheet analysis, transaction monitoring systems, face mandatory requirements: human oversight under Article 14, explainability, data governance, and audit trails. The standardisation process supporting these requirements has slipped. CEN-CENELEC missed its deadline for harmonised standards, forcing the European Commission to draft contingency guidelines while the enforcement date stands. The European Parliament's resolution of 25 November 2025 explicitly flagged the unresolved overlaps between the AI Act and financial services legislation as a source of legal uncertainty that the Commission has been asked to address through the digital omnibus package.
Both things are true: each framework is individually coherent, and collectively they have no answer to a machine that transacts.
Layer 2: Three Protocols, Three Compliance Profiles
The agentic payments layer has consolidated around three major standards. They are complementary rather than competing, solving different parts of the same problem, and they create three categorically different regulatory exposures.
x402
x402 revives the HTTP 402 "Payment Required" status code. An agent calls an API, receives payment terms, pays in USDC, and retries with a payment header. No login, no subscription, no human in the loop. The protocol has processed over 35 million transactions on Solana since mid-2025, AWS launched Amazon Bedrock AgentCore Payments with native x402 support in May 2026, and Cloudflare built it into pay-per-crawl tooling. A necessary caveat on scale: CoinDesk's March 2026 analysis of on-chain data found roughly $28,000 in daily volume, much of it testing activity, against an ecosystem valuation near $7 billion. The narrative is ahead of the adoption. The regulatory exposure is not. Every x402 payment that touches an EU CASP is a crypto-asset transfer under the TFR, and the originator field cannot be completed for an agent that has no name, no address, and no date of birth.
MPP (Machine Payments Protocol)
MPP addresses the consumption pattern x402 handles poorly: continuous, high-frequency usage where per-request payment creates friction. The agent opens a session, consumes services, and settles at close. Stripe and Tempo launched it on 18 March 2026, the same day Tempo's mainnet went live. Tempo raised $500 million at a $5 billion valuation, runs ISO 20022 compliant infrastructure, and was incubated by Stripe and Paradigm. Visa extended MPP to card payments across its network; Lightspark extended it to Bitcoin Lightning. Twelve days after launch, the IETF draft was submitted, making MPP the first of the three protocols to reach an international standards body. The EU problem is the multi-rail design itself. A single MPP session can settle in stablecoins (EMTs under MiCA) and in fiat via cards (payment services under PSD2). The EBA's No Action letter on the PSD2/MiCA interplay already requires CASPs transacting EMTs on behalf of clients to obtain PSD2 authorisation from 2 March 2026, with streamlined procedures. That letter resolves the dual-authorisation question for human-initiated EMT transfers. It says nothing about a machine-opened session that streams value across both regimes simultaneously.
Mastercard Agent Pay
Mastercard Agent Pay is the compliance-forward architecture. Agentic Tokens issued through MDES bind a tokenised card credential to a specific agent, a specific merchant scope, and a specific consent policy. The agent never holds the raw card number. The network knows which agent is transacting, who authorised it, and what it is permitted to do. The rollout has been methodical: US launch with Citi and US Bank cardholders, PayPal wallet integration in October 2025, Commonwealth Bank of Australia in January 2026, Westpac New Zealand in February 2026, and the Santander pilot on 2 March 2026 as the European premiere, conducted inside Santander's regulated payment framework with predefined limits and permissions. On 3 June 2026, Mastercard expanded settlement to six regulated stablecoins (USDC, RLUSD, PYUSD, USDG, USDP, SoFiUSD) across eight blockchains including Solana, Base, and Tempo, following its $1.8 billion acquisition of stablecoin infrastructure provider BVNK in March. And on 10 June 2026, Agent Pay for Machines extended the framework to autonomous machine-to-machine commerce, with multi-rail settlement and registered-agents-only access.
The pattern worth naming: the only protocol that European regulators have so far permitted to operate inside a regulated banking framework is the one that built agent identity, scoped authorisation, and consent governance into its architecture before launch. That is not a coincidence. It is a preview of what a KYA framework will require. Two adjacent protocols complete the landscape without changing the analysis. Google's Agent Payments Protocol (AP2, September 2025) uses upfront signed spending mandates and is backed by over 60 organisations including Mastercard, Amex, and PayPal; it remains at the partner integration stage with no documented live consumer deployments. Visa's Trusted Agent Protocol issues Verified Agent IDs with issuer-signed consent records, converging on the same identity-bound mechanics as Agent Pay.
Layer 3: The Four Gaps
Gap 1: The Travel Rule Originator Problem
The TFR requires every crypto-asset transfer between CASPs to carry originator data: name, account number or unique identifier, and address, date of birth, or national identity number. For legal entities, the LEI. There is no de minimis threshold for CASP-to-CASP transfers.
An x402 payment initiated autonomously by an AI agent has an on-chain address and a payment header. It has no name. The agent is not a natural person. It is not a legal person; no EU jurisdiction confers legal personality on software. The operator behind the agent may be identifiable in principle, but the protocol does not carry that information, and nothing in the TFR's data model maps "the human or entity that deployed the software that signed this transaction" onto the originator fields.
A CASP that receives or processes x402 flows today faces a compliance obligation it cannot operationally satisfy. The available responses are all unsatisfactory: block agent-originated transfers entirely (commercially destructive and increasingly impractical as agent traffic grows), attribute the transfer to the operator without protocol-level verification (a compliance fiction that fails the verification requirements in the EBA's Travel Rule guidelines), or process the transfer with incomplete data (a direct breach). One mitigation exists at the edges: World's AgentKit, launched March 2026, attaches cryptographic proof of human identity to agent transactions and integrates directly with x402. It is a voluntary overlay, not a regulatory standard, and its coverage is a fraction of agent traffic.
Gap 2: Customer Due Diligence on a Non-Customer
The CDD framework in AMLD6 and the AMLR identifies and verifies customers, assesses the purpose of the business relationship, screens against sanctions lists, and monitors transactions against the customer's expected profile. Every one of those steps assumes the customer is a person.
When an agent opens an MPP session or holds a wallet that transacts via x402, the CDD question fragments. Is the customer the agent (impossible: no identity to verify), the operator (plausible, but the operator may be several contractual layers removed from the CASP, and the agent's behaviour may not match the operator's risk profile), or the ultimate beneficiary of the agent's activity (correct in principle, unworkable in practice when one operator runs thousands of agents serving thousands of end users)?
The behavioural monitoring layer breaks in a second way. Transaction monitoring systems flag deviations from a customer's expected pattern. An agent rebalancing liquidity across protocols at machine speed generates a pattern no human customer would, and one agent's behaviour can change discontinuously when its model is updated or its instructions are revised. The expected-behaviour baseline that AML monitoring depends on does not exist for a principal whose decision logic can be replaced overnight. AMLA, which begins direct supervision of the largest cross-border crypto firms, will inherit this problem with outcome-effectiveness supervision expectations and no framework to apply them to agentic flows.
Gap 3: The AI Act Collision With MiCA Article 70
From 2 August 2026, high-risk AI systems in financial services must operate under effective human oversight per Article 14 of the AI Act: humans must be able to understand the system, monitor it in real time, and intervene or override its decisions. Fully autonomous AI making final decisions without human review does not meet the standard.
The entire value proposition of agentic payments is the removal of the human from the transaction loop. An agent that pauses for human review before each x402 micropayment is not an agent; it is a notification system. The protocols are engineered for autonomy. The AI Act, for systems classified as high-risk, is engineered against it.
For CASPs the collision is concrete. A CASP deploying an agentic system that executes client transactions sits under MiCA Article 66 conduct obligations and Article 70 safeguarding obligations, and simultaneously under AI Act deployer obligations if the system is high-risk. The classification question itself is unsettled: the Commission's Article 6 guidelines were due by 2 February 2026, the draft guidelines for high-risk classification only went to consultation on 19 May 2026, and CEN-CENELEC's harmonised standards are not ready. ESMA's supervisory briefing on algorithmic trading (26 February 2026) extends MiFID II algorithmic trading expectations toward AI-driven systems but does not address autonomous payment execution. The EBA's factsheet (24 November 2025) maps AI Act implications for banking and payments but resolves nothing about agentic autonomy. A CASP building agentic execution today is building against a standard that will bind from August and has not been finalised.
Gap 4: The CASP as Sole Accountable Principal
MiCA's liability architecture has one accountable entity: the authorised CASP. Every action taken through the CASP's infrastructure is, regulatorily, the CASP's action. There is no concept of an agent as a distinct actor whose errors might be attributed elsewhere.
Consider the failure modes. An agent authorised by a client to rebalance a portfolio misreads an instruction and liquidates a position. An agent with a delegated spending mandate exceeds the client's intent in a way the consent policy did not anticipate. An agent is manipulated through prompt injection into transacting with a sanctioned counterparty. In each case, the client will say the agent was not authorised to do that. Under MiCA, the CASP executed an order; under what authority did it act? The chain of delegated authority from client to agent to CASP has no regulatory recognition, which means disputes resolve into a binary the framework was not designed for: either the client authorised everything the agent did, or the CASP processed an unauthorised transaction.
Mastercard Agent Pay's consent-policy architecture is, in effect, a private-law solution to this gap: the Agentic Token encodes what the agent may do, and transactions outside the scope fail at the network level. x402 and MPP have no equivalent. For those rails, the authorisation boundary exists only in whatever terms the CASP has drafted, and no NCA has opined on whether such terms are enforceable against MiCA's conduct obligations.
Layer 4: What a Know Your Agent Framework Must Contain
The industry term for the missing layer is Know Your Agent. Sean Neville, Circle co-founder and architect of USDC, framed it in a16z's January 2026 report: just as humans need credit scores for loans, agents need cryptographically signed credentials linking the agent to its principal, its constraints, and its liability, and the industry that built KYC infrastructure over decades now has months to build KYA. Until it exists, merchants and platforms keep blocking agents at the firewall.
The components are visible across the early frameworks even though no regulator in the EU has adopted any of them.
Identity. The agent needs a verifiable, persistent identifier distinct from its wallet address. ERC-8004 proposes an on-chain identity layer: each agent receives a minted NFT as a unique ID, supported by three on-chain registries covering identity, reputation, and validation. Over 129,000 agents are registered for on-chain transaction management as of early 2026. The credential must bind machine identity (cryptographic keys) to human identity (the legally accountable owner).
Authorisation scope. The credential must encode what the agent is permitted to do: spending limits, counterparty scope, asset classes, jurisdictions. Mastercard's Agentic Tokens already do this on card rails. The crypto-native protocols do not.
Accountability chain. The framework must map every agent action to a legally responsible principal in a form that satisfies the TFR originator fields and the CDD customer concept. This is the layer that converts "an agent did it" into "this legal person is the originator, acting through registered agent X under consent policy Y."
Lifecycle governance. Agents are deployed, updated, repurposed, and decommissioned. The framework must cover the full lifecycle, because an agent whose model is replaced is, behaviourally, a different actor holding the same credential.
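The four components above, combined in one authorisation check, as an added sketch that is not part of the original article or of any framework it names. The field names, the sample operator and the LEI placeholder are constructed, and an HMAC tag stands in for the issuer's cryptographic signature.

```python
import hashlib
import hmac
import json

# Assumption: a shared demo key and HMAC stand in for the issuer's signature.
ISSUER_KEY = b"constructed-demo-key"


def canonical(claims):
    """Serialise claims deterministically so the tag covers every field."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue(claims, key=ISSUER_KEY):
    """Return a credential envelope: the claims plus an integrity tag."""
    tag = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def authorise(cred, tx, running_model_digest, now, key=ISSUER_KEY):
    """Decide one agent-initiated transfer: (allowed, reason, originator)."""
    claims = cred["claims"]
    expected = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(cred.get("tag", ""))):
        return False, "credential integrity check failed", None
    if now >= claims["expires"]:
        return False, "credential expired", None
    # Lifecycle: a replaced model is a different actor holding the same credential.
    if running_model_digest != claims["model_digest"]:
        return False, "agent model differs from the credentialed one", None
    # Authorisation scope: asset class, counterparty and spending limit.
    scope = claims["scope"]
    if tx["asset"] not in scope["assets"]:
        return False, "asset outside scope", None
    if tx["counterparty"] not in scope["counterparties"]:
        return False, "counterparty outside scope", None
    if tx["amount_minor"] > scope["max_per_transfer_minor"]:
        return False, "amount exceeds per-transfer limit", None
    # Accountability chain: the originator is the legal person, not the agent.
    principal = claims["principal"]
    if not (principal.get("name") and principal.get("lei")):
        return False, "no legally accountable principal", None
    originator = {
        "name": principal["name"],
        "lei": principal["lei"],
        "account": tx["from_account"],
        "agent_id": claims["agent_id"],
        "consent_policy": claims["consent_policy"],
    }
    return True, "ok", originator


# Constructed sample credential and transfer (amounts in minor units).
SAMPLE_CRED = issue({
    "agent_id": "agent-0001",
    "principal": {"name": "Example Operator GmbH", "lei": "LEI-PLACEHOLDER"},
    "consent_policy": "policy-Y",
    "model_digest": "sha256:model-v1",
    "expires": 2000,
    "scope": {
        "assets": ["USDC"],
        "counterparties": ["merchant-api.example"],
        "max_per_transfer_minor": 5000,
    },
})
SAMPLE_TX = {
    "asset": "USDC",
    "amount_minor": 1200,
    "counterparty": "merchant-api.example",
    "from_account": "acct-constructed-01",
}

if __name__ == "__main__":
    print(authorise(SAMPLE_CRED, SAMPLE_TX, "sha256:model-v1", now=1000))
```

A denied transfer returns no originator record at all, so a transfer that cannot be attributed to a legal person never reaches the point where Travel Rule data would be populated.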
The benchmark exists outside the EU. Singapore's IMDA published the world's first cross-sector governance framework for agentic AI in January 2026. MetaComp built its StableX KYA Framework on top of it in April 2026, the first agent governance framework for regulated financial services authored by a licensed financial institution, covering identification, authorisation, monitoring, and accountability across the agent lifecycle, developed in direct engagement with IMDA. Singapore's Budget 2026 established a National AI Council chaired by the Prime Minister with finance as a national AI mission sector.
The EU has no equivalent. The AI Act regulates AI systems but contains no agent identity or transaction accountability framework. MiCA regulates CASPs but does not see agents. The MiCA 2.0 consultation launched 20 May 2026 puts DeFi and framework gaps on the agenda, with legislative proposals not expected before 2028. The Tiger Research framing is the correct historical analogy: as the 2019 FATF Travel Rule determined which exchanges survived the last regulatory cycle, KYA infrastructure will determine entry into the next one. The EU wrote the strictest Travel Rule implementation in the world and currently has nothing to say about the originators that rule cannot describe.
What Is Resolved and What Remains Open
Settled:
- Agentic AI is already operating in EU regulated markets. ESMA TRV Risk Analysis, 20 February 2026: roughly 17% of surveyed AI use cases involve agentic AI.
- The first regulated agentic payment in Europe is complete. Santander and Mastercard, 2 March 2026, within Santander's regulated payment framework.
- The three protocol architectures are live: x402 (Foundation under Linux Foundation, April 2026), MPP (launched 18 March 2026, IETF draft submitted 30 March 2026), Mastercard Agent Pay (Agent Pay for Machines launched 10 June 2026).
- CASPs transacting EMTs on behalf of clients require PSD2 authorisation from 2 March 2026. EBA No Action letter, with streamlined procedures and deprioritised supervision of specified PSD2 provisions.
- AI Act high-risk obligations apply from 2 August 2026 regardless of the standardisation delay. The Commission is drafting contingency guidelines after CEN-CENELEC missed its deadline.
- Singapore has a national agentic AI governance framework (IMDA, January 2026) and the first licensed-institution KYA framework built on it (MetaComp StableX, April 2026).
Open and unresolved:
- Who or what is the TFR originator when an agent initiates a transfer. No ESMA or EBA guidance exists.
- Whether the agent, the operator, or the end beneficiary is the AML customer for CDD purposes. The AMLR provides no category for autonomous software principals.
- How AI Act Article 14 human oversight requirements apply to autonomous payment execution by CASPs. The high-risk classification guidelines went to consultation 19 May 2026 and are not final.
- Whether MPP-style multi-rail sessions trigger simultaneous EMT and PSD2 obligations per session, and how a single agentic session is supervised across both regimes.
- How liability allocates between client, agent operator, and CASP when an agent acts outside its intended authorisation on rails that carry no consent policy.
- Whether the EU will adopt any KYA-equivalent framework, and through which instrument: MiCA 2.0, the AMLR technical standards, the AI Act implementation, or a new instrument entirely. Nothing is currently proposed.
The Right Questions for CASPs and Compliance Teams
- Does any traffic reaching your platform originate from autonomous agents today, and can you detect it? ESMA's data says agentic AI is already operating in EU markets. If your transaction monitoring cannot distinguish agent-originated flows from human ones, you cannot assess your exposure, and you cannot answer an NCA that asks.
- If you receive or process x402 or similar agent-originated transfers, what is your documented position on the TFR originator fields? There is no compliant answer available, which makes the documented risk position essential. A CASP that has analysed the gap, restricted the exposure, and recorded its reasoning is in a categorically different posture from one that processed the flows without noticing.
- For any agentic execution capability you are building, has the AI Act high-risk classification analysis been done against the May 2026 draft guidelines? The obligations bind from 2 August 2026. The standards are late; the deadline is not. Building autonomous execution without a documented classification analysis is building liability.
- If your platform supports multi-rail agent sessions, has the PSD2/MiCA dual authorisation question been resolved for your entity? The EBA No Action letter requires PSD2 authorisation for EMT transaction services from 2 March 2026. If agent sessions on your infrastructure settle across stablecoins and fiat rails, both regimes are in play and the streamlined procedure window is the cheapest path through.
- What does your client documentation say about delegated authority to agents? When a client's agent does something the client did not intend, your terms of service are the only authorisation framework that exists. Draft them as if they will be tested, because they will be.
- Are you tracking the Singapore IMDA and MetaComp frameworks as the de facto KYA benchmark? When the EU moves, it will not start from zero. It will start from the frameworks that exist, the same way MiCA borrowed from MiFID II. The institutions that have mapped their agent governance against the existing benchmarks will adapt in months; the ones that have not will start from the gap analysis.
- Which of the three protocol architectures does your agent strategy depend on, and have you priced its regulatory profile? x402 is permissionless and carries unresolvable TFR exposure today. MPP is multi-rail and carries an unanswered dual-regime question. Mastercard Agent Pay is identity-bound and is the only one of the three that has cleared a European regulated pilot. The protocol choice is a regulatory posture choice, whether or not it was made as one.
The agentic economy will run on all three standards. The compliance question is not which protocol wins. It is whether your firm can demonstrate, for each agent-originated transaction it touches, who the legally accountable principal is. Today, for most of the volume, nobody can. The firms that close that gap before the regulator forces the question will be the ones the regulator points to as the standard.
References
- Mastercard, "Mastercard launches Agent Pay for Machines to unlock super-fast, always-on payments," press release, 10 June 2026. mastercard.com
- Banco Santander and Mastercard, "Santander and Mastercard complete Europe's first live end-to-end payment executed by an AI agent," press release, 2 March 2026. santander.com
- Stripe and Tempo, "Introducing the Machine Payments Protocol," 18 March 2026. IETF draft draft-httpauth-payment-00 submitted 30 March 2026. stripe.com
- Coinbase, "Introducing x402: a new standard for internet-native payments." x402 Foundation under the Linux Foundation from April 2026. coinbase.com
- ESMA, "AI adoption and trends in securities markets: EU evidence," TRV Risk Analysis ESMA50-481369926-30599, 20 February 2026. esma.europa.eu
- EBA, "No Action letter on the interplay between PSD2/3 and MiCA." eba.europa.eu
- EU AI Act, Regulation (EU) 2024/1689. digital-strategy.ec.europa.eu
- EBA, "Factsheet on the implications of the AI Act for the banking and payments sector," 24 November 2025.
- European Parliament, resolution on the impact of artificial intelligence in the financial sector, 25 November 2025.
- ESMA, supervisory briefing on algorithmic trading under MiFID II, 26 February 2026.
- EU Transfer of Funds Regulation (TFR), Regulation (EU) 2023/1113.
- Anti-Money Laundering Regulation (AMLR), Regulation (EU) 2024/1624, applicable from July 2027.
- Infocomm Media Development Authority (Singapore), Model AI Governance Framework for Agentic AI, January 2026.
- MetaComp, "StableX Know Your Agent (KYA) Framework," April 2026. prnewswire.com
- Neville, S. (Catena Labs, Circle co-founder), in a16z crypto, "AI in 2026: 3 trends," January 2026. a16zcrypto.com
- Tiger Research, "2026 Know Your Agent: Agent Identity Infrastructure," May 2026.
- Mastercard stablecoin settlement expansion, 3 June 2026. ledgerinsights.com
- CoinDesk, x402 on-chain volume analysis, 11 March 2026. coindesk.com
- AWS, "x402 and Agentic Commerce," Amazon Bedrock AgentCore Payments preview, 7 May 2026. aws.amazon.com
- ESMA, statement on the end of the MiCA transitional period, 17 April 2026.
- European Commission, MiCA 2.0 consultation, launched 20 May 2026, closes 31 August 2026.
- Fenwick, "Is 2026 the Year of Agentic Payments?", April 2026. fenwick.com
Cointegrity is a compliance-first infrastructure and advisory firm operating across digital assets, regulatory technology, and AI governance for financial institutions. This deep-dive article is published in June 2026.