Four Key Points
- DEFINITIONAL VACUUM Three jurisdictions are filling the same conceptual gap with incompatible frameworks: the EU reaches for gatekeeper obligations, the US defaults to fragmented agency guidance, and the UK experiments with platform co-regulation.
- LIABILITY ANCHOR ABSENT No jurisdiction has yet resolved whether an AI agent executing purchases autonomously is a payment intermediary or an autonomous commercial actor; this unresolved question is the operative source of arbitrage.
- FIRST-MOVER LOCK-IN The jurisdiction that publishes an enforceable autonomous-agent liability category first will attract platform incorporation and system-architecture decisions within a narrow window. The two-sided market structure of agentic commerce platforms [1] intensifies this effect: operators designing agent-behaviour profiles for a global transaction network face strong engineering incentives to commit early to a single compliance architecture, and the jurisdiction whose definition arrives first is the one that architecture will be built around.
- CBDC INTEROPERABILITY RISK Current agentic payment architectures are being designed before CBDC infrastructure is in place; definitional choices made now will determine whether those architectures can interoperate with sovereign payment rails later [4].
The Regulatory Moment
CONTEXT
The present regulatory activity in all three jurisdictions reflects pressure from two converging forces: the rapid commercialisation of large language model-based agent systems capable of executing purchases, and the unresolved liability questions that prior FinTech regulation left open when it addressed platform intermediation without anticipating autonomous execution [2].
In Brussels, the DMA's core gatekeeper obligations applied from 6 March 2024 for designated gatekeepers, with further obligation phases continuing to phase in thereafter. The AI Act passed into law the same year, with obligations phasing in through 2027. The European Commission is now under institutional pressure to demonstrate that this architecture governs emerging AI commercial conduct, not merely the platform categories it was designed for. The definitional work happening in working groups and consultation processes is therefore operating under a political timeline as much as a technical one [7].
In Washington, the change in FTC leadership and the ongoing jurisdictional contest between the FTC, CFPB, and OCC over FinTech oversight means that the first agentic commerce enforcement action will carry outsized definitional weight regardless of which agency files it. The absence of a federal statute creates a condition in which enforcement precedent substitutes for legislative definition.
In London, the FCA's post-Brexit positioning as a more innovation-receptive regulator than its EU counterparts has been deliberate [5]. The regulatory sandbox model, extended to AI-adjacent financial services, reflects a strategic choice to attract incorporation decisions by reducing the cost of early-stage definitional uncertainty. That choice is producing market entry, but it is also deferring the harder question of what liability standard applies once a platform exits the sandbox and operates at scale.
How Definitions Diverge
Agentic commerce refers to AI systems that autonomously select, negotiate, and execute transactions on behalf of a principal, without transaction-by-transaction human authorisation. The three major jurisdictions approach this category from structurally distinct legal traditions, producing definitions that differ on three axes: the scope of autonomous action covered, the entity assigned liability when an agent errs, and the trigger threshold that activates regulatory obligation.
In Brussels, the operative frameworks are the Digital Markets Act gatekeeper designation and the AI Act risk classification. The DMA assigns ex ante obligations based on quantitative thresholds (turnover, user numbers, platform intermediation volume) that were calibrated for search engines, app stores, and social networks [7]. An AI agent that routes purchasing decisions across third-party platforms does not map cleanly onto a gatekeeper, because the agent is neither the platform nor the end-seller; it occupies an intermediary position that the DMA's binary logic does not accommodate. The AI Act introduces risk tiers, but its high-risk categories are anchored in sector lists rather than functional definitions of autonomous commercial action, leaving a structural gap at the intersection of payments and AI autonomy.
In Washington, no single agency holds unambiguous jurisdiction. The FTC can address deceptive or unfair commercial practices by agents, the CFPB can reach payment-execution conduct, and state money-transmission licences may apply depending on how an agent holds or moves funds. This multi-layer fragmentation means that the operative definition of agentic commerce in the US is, at present, a composite of enforcement positions rather than a statutory text. That composite is negotiable on a case-by-case basis, which reduces compliance certainty but also reduces the friction cost of launching.
In London, the FCA's approach to FinTech regulation has been characterised by collaborative rule-making alongside platforms [5], a posture that has produced iterative guidance rather than categorical definitions. The sandbox model allows individual agentic commerce operators to test under bespoke regulatory conditions, but those conditions do not generalise into a stable liability standard that the market can rely on at scale. The result is a regime that is permissive for early entrants and ambiguous for the market as a whole.
Essential Reading
-
Langley & Leyshon (2023), FinTech platform regulation: regulating with/against platforms in the UK and China [5], documents the UK's co-regulatory posture and China's restriction model as the sharpest available empirical contrast for how jurisdictional philosophy shapes operative definitions.
-
Pastor Sempere (2025), Governance and Control of Data and Digital Economy in the European Single Market [7], provides the most current analysis of the EU's digital governance architecture, including the DMA's definitional gaps as they apply to autonomous intermediaries.
-
Sun et al. (2022), Behind the Scenes of Central Bank Digital Currency [4], grounds the CBDC interoperability risk: if agentic payment definitions solidify before retail CBDC infrastructure, current architectural choices become de facto monetary standards.
-
Boot et al. (2020), Fintech: What Is Old, What Is New [2], frames the financial intermediation theory context that underlies the payment-intermediary versus autonomous-actor definitional dispute regulators are now navigating.
Competitive and Operational Consequences
The definitional asymmetry across the three jurisdictions produces costs and opportunities that are already structurally present, even where the enforcement record remains thin.
For platforms designing agentic commerce systems, the UK and US regimes currently impose lower upfront definitional compliance costs than the EU. A platform can incorporate in a UK sandbox or operate under US agency guidance without committing to a liability category that regulators have not yet formalised. The EU, by contrast, requires compliance with both the DMA and the AI Act risk tiers, neither of which fits agentic commerce precisely, generating a dual-framework burden without producing the liability clarity that would justify that burden. This cost differential, even before a specific enforcement action quantifies it, is sufficient to influence where early-stage agentic commerce platforms domicile their operating entities and where they make their initial system-architecture decisions [2]. The two-sided market structure of these platforms [1] sharpens that pressure: a platform connecting consumers, merchants, and payment networks across jurisdictions cannot easily maintain separate agent-behaviour profiles for each regulatory environment; the incorporation decision therefore tends to front-run the compliance build rather than follow it.
The graver risk runs through CBDC interoperability. A substantial majority of IMF member states are at some stage of retail CBDC evaluation, though operational pilots remain limited [4]. If agentic payment platforms standardise on settlement and authentication protocols before CBDC rails are live, the definitions embedded in those protocols will determine which sovereign currencies can participate in agentic commerce at all. The EU's ambition for euro-zone monetary sovereignty over digital payments is therefore not separable from the question of whether Brussels produces an operationally grounded agentic commerce definition before a competing jurisdiction does. A de facto standard set in Washington or London will not automatically accommodate ECB design constraints.
For incumbents, the fragmentation creates a specific opportunity in compliance services: a platform that achieves legal clarity in one jurisdiction and can demonstrate regulatory passport-ability to a second jurisdiction gains a structural advantage over competitors operating under ad hoc sandbox conditions. The first institution to hold a cross-jurisdictional agentic commerce liability framework will price that clarity into its partnership terms with merchants and payment networks, because merchants and payment networks will pay a premium to operate under defined liability exposure rather than open-ended enforcement risk.
The EU's failure to produce a technically grounded, enforceable liability category for autonomous commercial agents before the first major FTC enforcement action or FCA guidance note resolves that question externally will transfer to Washington or London the authority to set agentic commerce architecture standards globally, foreclose the Brussels Effect window for this domain, and embed compliance costs into EU operators that compound with each subsequent CBDC deployment cycle.
The Harmonisation Argument
The strongest case against the arbitrage thesis is that the structural conditions for regulatory convergence on agentic commerce are more robust than they appear from the current divergence.
All three jurisdictions share a core liability concern: when an AI agent executes a transaction that harms a consumer or counterparty, a responsible legal person must be identifiable. That shared concern, not any bilateral agreement, drove convergence on data protection standards following the GDPR, and it is already generating parallel consultations on AI liability in Brussels, Washington, and London simultaneously. If the underlying legal problem is the same and the institutional pressure is comparable, the outcome may be three frameworks that differ in procedural form but converge on the substantive liability anchor, reducing the effective arbitrage opportunity to a narrow transitional window rather than a durable structural condition.
Furthermore, the two-sided market architecture of agentic commerce platforms [1] creates its own harmonising pressure. A platform that routes transactions across jurisdictions cannot maintain jurisdiction-specific agent-behaviour profiles at acceptable operational cost; the engineering incentive runs toward a single compliance posture calibrated to the most demanding jurisdiction, following the precedent of GDPR-driven global data-handling standardisation. On this reading, the EU's definitional ambition, even if it arrives late, may still achieve Brussels Effect export because the compliance-cost structure of globally operating platforms rewards a single standard over jurisdictional fragmentation. The falsifiability condition is whether post-enforcement data show a statistically significant domicile shift; absent that evidence, the harmonisation trajectory remains a serious alternative to the arbitrage scenario.
Unresolved Questions
-
It remains an open empirical question whether the DMA's gatekeeper framework, as currently written, applies to an AI agent that autonomously selects, negotiates, and executes purchases across third-party platforms; if it does not apply, the nearest existing EU legal category in functional terms has yet to be authoritatively identified.
-
The specific agentic commerce platform operators that have already made jurisdiction-selection or system-architecture decisions on the basis of definitional gaps, and the documented scale of those decisions, remain undocumented in the public record.
-
The measurable compliance-cost differential at which the EU definitional burden triggers domicile migration rather than in-place compliance is not yet established, nor is it known whether that threshold varies by platform size or transaction type.
-
Whether current agentic payment architectures are being designed in ways structurally incompatible with future retail CBDC rails, and whether any such incompatibility is an incidental engineering outcome or a deliberate design choice, remains an open question subject to ongoing technical and regulatory scrutiny [4].
Sources
[1] Rysman, M. (2009). The Economics of Two-Sided Markets. American Economic Association.
[2] Boot, A. W. A., Hoffmann, P., Laeven, L., & Ratnovski, L. (2020). Fintech: What Is Old, What Is New?. Elsevier BV.
[3] Davidson, N. M., & Infranca, J. (2016). The Sharing Economy as an Urban Phenomenon.
[4] Sun, T., Kiff, J., Bossu, W., Che, N., Mancini Griffoli, T., & Davidovic, S. (2022). Behind the Scenes of Central Bank Digital Currency. International Monetary Fund.
[5] Langley, P., & Leyshon, A. (2023). FinTech platform regulation: regulating with/against platforms in the UK and China. Oxford University Press.
[6] Molnár, J. (2018). What does financial intermediation theory tell us about fintechs?. Corvinus University of Budapest.
[7] Pastor Sempere, M. del C. (2025). Governance and Control of Data and Digital Economy in the European Single Market. Springer International Publishing.