PSD3 and Machine-Initiated Transactions: Four Key Shifts
- MIT EXEMPTION MISFIT The machine-initiated transaction exemption in PSD3 inherits assumptions from standing-order and recurring-billing patterns authorized by a human, which do not map cleanly onto autonomous agent-triggered payments.
- SCA DELEGATION GAP Strong Customer Authentication requirements were designed around human biometric or device-bound credentials; PSD3 does not yet supply a delegated-authority credential model for AI agents acting within pre-authorized scope.
- LIABILITY ALLOCATION GAP Where a machine-initiated payment fails, is fraudulent, or violates a consumer's revoked consent, no PSD3 provision explicitly assigns liability among the PSP, the AI orchestrator, and the consumer.
- DELEGATED ACTS SILENCE As of published draft text, no confirmed EBA mandate addresses automated or agentic payment workflows specifically. The counterpoint position, addressed in full below, holds that existing PSR provisions applied with interpretive flexibility may be sufficient without bespoke categories.
The Rise of Delegated Agency in Commerce
The payment authorization frameworks that PSD2 established, and that PSD3 refines, were designed around a specific sequence: a human customer forms an intention, authenticates that intention through a device or credential they control, and issues a payment instruction to a PSP. Every compliance obligation in the chain, from SCA to consent recording to unauthorized payment liability, presupposes that sequence.
Agentic commerce breaks that sequence at the instruction step. A consumer who configures an AI purchasing agent and defines a spending envelope has authorized a class of future transactions, rather than a specific transaction. The agent then executes within that class, selecting counterparties, amounts, and timing autonomously. The payment instruction that reaches the PSP was not issued by the consumer at the moment it arrives; it was issued by software acting within parameters the consumer set at an earlier, separate point.
This structural displacement is a material systemic concern. As AI orchestration layers become embedded in retail, travel, utilities, and subscription commerce, the proportion of payment instructions arriving at PSPs without a concurrent human act will grow. PSD3 must eventually define the credentialing, liability, and consent-withdrawal conditions under which delegated agency in payments is governed. Those conditions are not yet in the text [1][3].
How PSD3 Redraws Payment Initiation for Non-Human Actors
PSD3 and the companion Payment Services Regulation restructure the authorization chain by separating the framework directive (PSD3) from the directly applicable conduct rules (PSR), moving key technical standards into EBA-issued regulatory technical standards and anticipated delegated acts. Consent, authentication, and liability allocation each receive treatment, but the treatment proceeds from the same foundational assumption embedded in PSD2: that a natural person issues an instruction at or near the point of transaction.
For machine-initiated transactions, the existing MIT exemption (in the RTS on SCA, the treatment of merchant-initiated transactions, which fall outside SCA because the payer does not initiate them) requires that the payer authenticated the initial mandate with SCA and that every subsequent payment order executes within the parameters of that mandate. This model accommodates gym subscriptions and utility direct debits. It does not accommodate an AI purchasing agent that dynamically selects a supplier, negotiates a price, and initiates a payment within a pre-authorized spending envelope, because the specific counterparty and amount are not known at mandate creation. The payee-initiation condition, under which subsequent payment orders must originate with the payee rather than from the payer's own infrastructure, applies specifically in the card-based MIT context; in direct-debit arrangements, payer-side initiation within agreed parameters is permitted. An agentic orchestrator fails both tests: it sits on the payer side, initiating from within the consumer's own systems, so it does not satisfy the card-MIT payee-initiation condition, and it exceeds the direct-debit model because the counterparty and amount are determined by the agent at runtime rather than fixed in the original mandate.
Authentication under PSD3 carries forward from the RTS on SCA under PSD2 the same three-factor framework: possession, knowledge, and inherence, each bound to the payment service user or to a device in that user's control. PSD3 does not revise this inheritance in ways that create a statutory home for delegated-authority credentials. A delegated authority model, whereby a consumer pre-authorizes an agent to authenticate on their behalf within defined parameters, therefore has no explicit statutory basis in current PSD3 draft language. The practical implication is that a PSP processing a machine-initiated payment faces a binary choice: apply an SCA exemption whose conditions are not fully met, or require a full SCA step that interrupts the autonomous flow the agent was built to execute.
The liability allocation gap aggravates both the authentication and exemption deficits. PSD3 assigns unauthorized payment liability to the PSP unless the payer acted fraudulently or with gross negligence. An AI orchestrator sits outside this bilateral structure. When the orchestrator acts outside the consumer's instructed parameters, no provision in current draft text specifies whether the PSP, the orchestrator's operator, or the consumer bears the resulting loss. Delegated acts could address this, but no published EBA mandate confirms they will do so.
Key Materials
- PSD3 legislative proposal and PSR text (European Commission, 2023): The primary legislative source for consent, SCA, and liability provisions; the structural basis for all extrapolation in this brief.
- EBA roadmap on payment innovation and technical standards: Sets out the anticipated scope and sequencing of regulatory technical standards under PSD3, relevant to the delegated acts horizon.
- Regulation (EU) 2024/886 on instant payments: Amends the SEPA Credit Transfer Regulation; its phased near-instant settlement mandate creates the fraud-risk window that agentic initiation will increasingly inhabit as obligations come into force across PSP categories.
- Coche, Kolk & Dekker (2024) on EU data governance [3]: Documents structural misalignments between regulatory data-sharing mandates and the governance architecture intended to support them under the EU Data Governance Act and related instruments. The consent-architecture parallels drawn in this brief are the author's inference from structural analogy, not a direct finding of that paper.
Operational Consequences for Merchants and Payment Service Providers
For payment service providers, the immediate operational consequence is a compliance classification problem. Every machine-initiated transaction in an agentic commerce flow must be assigned to an existing exemption or authentication pathway. Where the MIT exemption is applied to transactions that do not satisfy its payee-initiation or pre-agreed-amount conditions, the PSP carries the unauthorized payment liability exposure that PSD3 assigns when a valid exemption is not in place. Fraud detection systems built on behavioral biometrics and device-bound signals will receive transactions with no human behavioral signature; the anomaly models these systems rely on will require architectural revision, not parameter adjustment.
For merchants, the consent recording obligation becomes both more demanding and structurally ambiguous. A merchant receiving a payment from a consumer's AI agent must satisfy itself that the original mandate covers the specific transaction. Where the agent has exercised discretion on amount or counterparty selection, the audit trail linking the payment to the consumer's original authorization is attenuated. If a consumer disputes the transaction on the grounds that the agent exceeded its instructed scope, the merchant's position in the chargeback process under PSD3's shifted liability framework is untested.
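The classification problem described in the two paragraphs above can be made concrete. The following is an added example, not code from the brief or from any PSP: it models a mandate as the parameters a consumer fixed at authorization time (validity window, spending envelope, optionally a fixed payee and amount, optionally a set of permitted categories, and a revocation timestamp) and sorts each incoming instruction into a verdict. Only instructions whose counterparty and amount were fixed at mandate creation land in the recurring pathway the MIT exemption assumes; instructions that are inside the envelope but whose payee or amount the agent chose at runtime are flagged as AGENT_DISCRETION, the case for which no existing exemption fits. All identifiers, verdict names, field names and sample instructions are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
from typing import FrozenSet, List, Optional, Tuple

# Verdicts under which the PSP would execute the instruction. Only the first
# two map onto an existing recurring/mandate pathway; AGENT_DISCRETION is in
# scope of the consumer's envelope but has no exemption that fits it.
ACCEPT = {"RECURRING_FIXED", "PAYER_INITIATED_FIXED", "AGENT_DISCRETION"}


@dataclass
class Mandate:
    mandate_id: str
    payer_id: str
    valid_from: datetime
    valid_until: datetime
    per_txn_limit: Decimal                  # spending envelope per instruction
    total_limit: Decimal                    # spending envelope for the whole validity period
    fixed_payee: Optional[str] = None       # set when the counterparty was fixed at mandate creation
    fixed_amount: Optional[Decimal] = None  # set when the amount was fixed at mandate creation
    allowed_categories: Optional[FrozenSet[str]] = None  # categories the agent may choose among
    revoked_at: Optional[datetime] = None   # consent withdrawal, as recorded by the PSP
    spent: Decimal = Decimal("0")           # running total of executed instructions


@dataclass(frozen=True)
class Instruction:
    instruction_id: str
    mandate_id: str
    payee: str
    category: str
    amount: Decimal
    initiated_at: datetime
    initiator: str  # "payee" (merchant pulls) or "payer_agent" (consumer's orchestrator pushes)


def classify(mandate: Mandate, instr: Instruction) -> str:
    """Map one instruction to a verdict. Checks are ordered so the most
    decisive reason (revocation, validity) is reported first."""
    if instr.mandate_id != mandate.mandate_id:
        return "NO_MANDATE"
    if mandate.revoked_at is not None and instr.initiated_at >= mandate.revoked_at:
        return "REVOKED"
    if not (mandate.valid_from <= instr.initiated_at <= mandate.valid_until):
        return "OUTSIDE_VALIDITY"
    if mandate.fixed_payee is not None and instr.payee != mandate.fixed_payee:
        return "PAYEE_MISMATCH"
    if mandate.fixed_amount is not None and instr.amount != mandate.fixed_amount:
        return "AMOUNT_MISMATCH"
    if mandate.allowed_categories is not None and instr.category not in mandate.allowed_categories:
        return "CATEGORY_OUTSIDE_SCOPE"
    if instr.amount > mandate.per_txn_limit or mandate.spent + instr.amount > mandate.total_limit:
        return "ENVELOPE_EXCEEDED"
    if mandate.fixed_payee is not None and mandate.fixed_amount is not None:
        # Counterparty and amount were known at mandate creation: the
        # standing-order / recurring-billing pattern the MIT exemption assumes.
        return "RECURRING_FIXED" if instr.initiator == "payee" else "PAYER_INITIATED_FIXED"
    # Inside the envelope, but payee and/or amount were chosen by the agent at
    # runtime: no existing exemption pathway fits, so the PSP must decide.
    return "AGENT_DISCRETION"


def apply_instruction(mandate: Mandate, instr: Instruction) -> str:
    """Classify and, if accepted, debit the envelope so that later
    instructions see the reduced headroom."""
    verdict = classify(mandate, instr)
    if verdict in ACCEPT:
        mandate.spent += instr.amount
    return verdict


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def run_sample() -> List[Tuple[str, str]]:
    # Constructed sample: one discretionary envelope mandate (revoked on 1 June)
    # and one fixed gym subscription for the same hypothetical payer.
    envelope = Mandate("m-1", "payer-1", ts("2025-01-01T00:00:00"), ts("2025-12-31T23:59:59"),
                       per_txn_limit=Decimal("60"), total_limit=Decimal("100"),
                       allowed_categories=frozenset({"grocery"}),
                       revoked_at=ts("2025-06-01T00:00:00"))
    subscription = Mandate("m-2", "payer-1", ts("2025-01-01T00:00:00"), ts("2025-12-31T23:59:59"),
                           per_txn_limit=Decimal("29.99"), total_limit=Decimal("400"),
                           fixed_payee="gym-co", fixed_amount=Decimal("29.99"))
    mandates = {m.mandate_id: m for m in (envelope, subscription)}
    instructions = [
        Instruction("i1", "m-1", "shop-a", "grocery", Decimal("40"), ts("2025-02-01T10:00:00"), "payer_agent"),
        Instruction("i2", "m-1", "shop-b", "grocery", Decimal("70"), ts("2025-02-02T10:00:00"), "payer_agent"),
        Instruction("i3", "m-1", "air-x", "travel", Decimal("50"), ts("2025-02-03T10:00:00"), "payer_agent"),
        Instruction("i4", "m-1", "shop-a", "grocery", Decimal("50"), ts("2025-02-04T10:00:00"), "payer_agent"),
        Instruction("i5", "m-1", "shop-a", "grocery", Decimal("15"), ts("2025-02-05T10:00:00"), "payer_agent"),
        Instruction("i6", "m-1", "shop-a", "grocery", Decimal("5"), ts("2025-06-02T10:00:00"), "payer_agent"),
        Instruction("i7", "m-2", "gym-co", "fitness", Decimal("29.99"), ts("2025-02-01T00:00:00"), "payee"),
        Instruction("i8", "m-2", "gym-co", "fitness", Decimal("39.99"), ts("2025-03-01T00:00:00"), "payee"),
        Instruction("i9", "m-2", "gym-co", "fitness", Decimal("29.99"), ts("2025-04-01T00:00:00"), "payer_agent"),
    ]
    return [(i.instruction_id, apply_instruction(mandates[i.mandate_id], i)) for i in instructions]


if __name__ == "__main__":
    for instruction_id, verdict in run_sample():
        print(instruction_id, verdict)
```

Two design points matter for the audit trail the merchant needs. The envelope is debited only when an instruction is accepted, so the record of accepted verdicts is the link between each payment and the headroom that remained under the original authorization. Revocation is checked before anything else and compared against the instruction's initiation time, which is exactly the timing question the brief later lists as unresolved: the check is only as good as the PSP's knowledge of the revocation timestamp at the moment the next instruction arrives.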
Transaction monitoring obligations under anti-money laundering rules and PSD3's fraud-reporting requirements attach to the PSP in the first instance. When the initiating actor is an orchestration platform operating across many consumers simultaneously, the monitoring unit of analysis shifts: a single suspicious behavioral pattern may present as distributed micro-transactions across thousands of accounts. The aggregation and escalation logic built for individual account monitoring does not accommodate this architecture without deliberate redesign.
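The shift in the monitoring unit of analysis is easiest to see by running both rules over the same traffic. The following is an added example, not code from the brief or from any monitoring product: a conventional per-account velocity rule and an orchestrator-level fan-in rule that groups transactions by the identifier of the initiating platform and the payee, then counts the distinct payer accounts funding that payee inside a sliding window. The orchestrator identifier, the thresholds and the two traffic patterns (one platform fanning 25 accounts into a single payee, one platform serving 25 accounts buying from 20 different merchants) are all hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from decimal import Decimal
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Txn:
    ts: int               # seconds since epoch
    account_id: str       # the consumer's payment account at the PSP
    orchestrator_id: str  # hypothetical identifier of the initiating platform (e.g. its API client id)
    payee: str
    amount: Decimal


def per_account_alerts(txns: List[Txn], window_s: int = 3600, max_count: int = 3,
                       max_amount: Decimal = Decimal("100")) -> Set[str]:
    """Conventional per-account velocity rule: flag an account whose count or
    total amount inside the window exceeds a threshold."""
    flagged: Set[str] = set()
    windows: Dict[str, Deque[Tuple[int, Decimal]]] = defaultdict(deque)
    for t in sorted(txns, key=lambda x: x.ts):
        w = windows[t.account_id]
        w.append((t.ts, t.amount))
        while w and t.ts - w[0][0] > window_s:
            w.popleft()
        if len(w) > max_count or sum((a for _, a in w), Decimal("0")) > max_amount:
            flagged.add(t.account_id)
    return flagged


def fan_in_alerts(txns: List[Txn], window_s: int = 600,
                  min_accounts: int = 10) -> Dict[Tuple[str, str], dict]:
    """Orchestrator-level rule: for each (orchestrator, payee) pair, count the
    distinct payer accounts funding that payee within a sliding window. Many
    small payments from many accounts to one payee, all from one initiator, is
    the distributed pattern a per-account rule cannot see. The alert records
    the largest fan-in observed for the pair."""
    alerts: Dict[Tuple[str, str], dict] = {}
    windows: Dict[Tuple[str, str], Deque[Txn]] = defaultdict(deque)
    for t in sorted(txns, key=lambda x: x.ts):
        key = (t.orchestrator_id, t.payee)
        w = windows[key]
        w.append(t)
        while w and t.ts - w[0].ts > window_s:
            w.popleft()
        distinct = {x.account_id for x in w}
        if len(distinct) >= min_accounts:
            prev = alerts.get(key)
            if prev is None or len(distinct) > prev["distinct_accounts"]:
                alerts[key] = {
                    "distinct_accounts": len(distinct),
                    "total_amount": sum((x.amount for x in w), Decimal("0")),
                    "window_start": w[0].ts,
                    "window_end": t.ts,
                }
    return alerts


def sample_txns() -> List[Txn]:
    """Constructed sample: orch-A fans 25 accounts into one payee within four
    minutes; orch-B serves 25 accounts buying from 20 different merchants."""
    base = 1_700_000_000
    txns: List[Txn] = []
    for i in range(25):
        txns.append(Txn(base + i * 10, f"acct-a{i}", "orch-A", "payee-x", Decimal("4.00")))
        txns.append(Txn(base + i * 10 + 5, f"acct-b{i}", "orch-B", f"merchant-{i % 20}", Decimal("4.00")))
    return txns


if __name__ == "__main__":
    txns = sample_txns()
    print("per-account alerts:", per_account_alerts(txns))
    for key, info in fan_in_alerts(txns).items():
        print("fan-in alert:", key, info)
```

On this sample the per-account rule returns nothing, because every account made exactly one payment of 4.00, while the fan-in rule raises a single alert for (orch-A, payee-x) covering 25 accounts and 100.00 in total. The rule depends entirely on the PSP being able to attribute each instruction to an initiating platform, which is the reporting question the brief raises below: if the orchestrator is not identifiable at the PSP, the key collapses to the payee alone and legitimate popular merchants drown the signal.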
Regulation (EU) 2024/886 introduces instant payment obligations in phased timelines: euro-area credit institutions must be able to receive instant credit transfers from 9 January 2025 and to send them from 9 October 2025, with payment institutions, e-money institutions and non-euro-area PSPs following on later deadlines that run into 2027. As each phase comes into force, the ten-second window within which funds must be made available to the payee progressively closes the time available to intervene before funds move. That compression arrives precisely when the payment initiation model is most opaque, and PSPs whose agentic transaction volumes grow in step with the rollout schedule will face the narrowest fraud-detection window at the point of highest operational uncertainty [2].
PSD3 arrives with a consent and authentication architecture calibrated for a natural person at a checkout. The commerce infrastructure it will govern is being built for agents that select counterparties without human instruction, authenticate without biometric or device-bound credentials tied to a natural person, and settle within windows that precede any manual intervention. Each of those three displacements, from human intent to parameterized delegation, from personal credential to agent-held token, from deliberate review to sub-second clearing, generates a distinct compliance surface that the current text does not address. The delegated acts process is the remaining legislative instrument capable of closing those gaps, and the absence of a confirmed EBA mandate to do so is the most consequential open variable in the PSD3 horizon for any operator building on agentic payment infrastructure.
The Case Against Prescriptive Machine-Initiated Rules
The strongest case against introducing PSD3-specific rules for machine-initiated transactions at this stage rests on the pace of architectural change relative to the legislative cycle. Agentic commerce infrastructure is still being assembled; the orchestration models, credentialing conventions, and delegation governance patterns that will dominate in five years are not yet settled. A delegated act that assigns liability categories or defines authentication standards for AI agents now risks encoding one particular architectural pattern as the regulatory reference point, making subsequent technical evolution a compliance problem rather than a commercial choice.
Proponents of this position would further observe that the existing PSR framework, applied through EBA technical standards with sufficient interpretive flexibility, can accommodate machine-initiated flows without bespoke categories. A well-scoped delegated authority mandate, issued and recorded by the consumer through a PSP interface, maps onto existing consent frameworks. The liability gaps that appear acute today may resolve through contract law and commercial terms between PSPs and orchestration platform operators, as occurred with acquirer-processor relationships under PSD2, without requiring statutory intervention.
The specific mechanism that gives this concern weight is accreditation asymmetry. Detailed rules for agent payment initiation that reference specific technical architectures become barriers to entry for smaller PSPs and fintech operators who lack the compliance infrastructure to implement them. Large platform operators with dedicated regulatory teams absorb the requirements and convert them into accreditation advantages that smaller entrants cannot match. Prescriptive rules designed to govern concentration in agentic commerce may, through this mechanism, reduce the number of operators capable of meeting them and concentrate the market further [2][3].
Unresolved Questions on Agent Authorization
- Whether PSD3 or the PSR introduces any statutory category for machine-initiated payment orders distinct from the MIT and recurring-transaction exemptions, or whether those exemptions are expected to carry the full weight of agentic initiation by interpretive extension, lacks authoritative confirmation in published draft text.
- The mechanics by which a consumer withdraws consent from an active AI agent mid-authorization period, and how that withdrawal is communicated to the PSP before the next transaction executes, remain unaddressed in current regulatory technical standard mandates.
- Which supervisory reporting obligations attach to an AI orchestration platform that initiates payments across a large consumer population is contested, given that orchestrators do not hold PSP licenses under the current framework.
- Whether the phased rollout of near-instant settlement under Regulation (EU) 2024/886 creates a graduated obligation on PSPs to develop non-behavioral fraud signals adequate for machine-initiated flows awaits guidance that has not been issued.
Sources
[1] Borgogno, O., & Colangelo, G. (2019). Data sharing and interoperability: Fostering innovation and competition through APIs. Computer Law & Security Review.
[2] Westermeier, C. (2020). Money is data: the platformization of financial transactions. Routledge.
[3] Coche, E., Kolk, A., & Dekker, M. (2024). Navigating the EU data governance labyrinth: A business perspective on data sharing in the financial sector. Alexander von Humboldt Institute for Internet and Society.