Vol. 1 · No. 19
Tuesday, 5 May 2026
Saigar'sDesk
Amsterdam · The Hague
07:00 CET
Brief · edition-2026-w19 · Monday, 4 May 2026

Liability and chargeback mechanics in agent-mediated transactions

Chargeback and liability regimes built on human intentionality at transaction origination have no clean answer when the originator is an AI agent operating under delegated authority.

Core Tensions

  • Regulatory attribution of intent. Reg E, Reg Z, and PSD3's conditional refund right each predicate liability allocation on a human who either authorized or failed to safeguard credentials; an AI agent acting within its delegated scope but making a commercially erroneous purchase satisfies neither the unauthorized-use definition nor the authorized-use safe harbor cleanly.
  • Chain-of-liability ambiguity. No scheme rule or statute currently designates which entity in the agent stack — consumer-principal, agent operator, LLM provider, or orchestration platform — holds the statutory account-holder role. Burge [2] documents this pattern in emerging payment technologies: the absence of a public-law designation leaves loss routing to bespoke contractual indemnities that vary by deal and jurisdiction, a condition that persists until regulators or scheme rule-makers intervene with a mandatory floor.
  • Fraud controls misaligned with execution errors. Velocity checks, SCA exemption criteria, and ACP attestation standards were designed to detect bad-actor intrusion, not to evaluate whether an agent's in-scope purchase decision was commercially reasonable — a category those controls have no mechanism to assess.

How Liability Routes Fracture

Under Regulation E, a consumer's liability for an unauthorized electronic fund transfer turns on whether the consumer authorized the transfer and, if not, how quickly they reported the breach. The statute defines "unauthorized transfer" at 12 CFR § 1005.2(m) as a transfer initiated by a person other than the consumer without actual authority. An AI agent, however, acts with actual authority — the consumer delegated the buying task — yet the agent's commercially erroneous execution (wrong item, wrong vendor, wrong amount) is not what the consumer intended. That gap sits between "authorized" and "unauthorized" without a statutory home. The issuer cannot classify the dispute as fraud; the consumer cannot invoke the unauthorized-transfer liability ceiling; and the merchant, who delivered exactly what the agent ordered, has a facially valid transaction.

Regulation Z's billing-error procedures present a structurally similar fracture. Under 12 CFR § 1026.13, a cardholder may dispute a charge for goods or services not delivered as agreed, but the provision assumes the cardholder herself placed the order and can articulate the discrepancy against her own intent. When an agent places the order, the cardholder's intent exists only at the level of a delegated mandate — "buy the cheapest compatible ink cartridge" — not at the level of the specific transaction. Matching the mandate to the executed transaction requires interpreting agent behavior, not reading a receipt. Neither issuers nor card scheme dispute teams are currently equipped or contractually required to perform that analysis.

Scheme operating rules layer on a further problem. Chargeback reason codes map to defined triggering conditions: item not received, item significantly not as described, fraudulent transaction. A mistaken agent purchase may not satisfy any of these codes precisely, forcing an issuer to shoehorn the claim into the closest available code — a choice that distorts the evidentiary record and may itself constitute a misuse of the chargeback mechanism, exposing the issuer to acquirer rebuttal.

PSD3's proposed refund right — drawn from Article 59 of the draft Payment Services Regulation — applies specifically to payment transactions reported by the user as unauthorized; for those transactions, liability defaults to the PSP unless it can demonstrate user fraud or gross negligence. That track is distinct from consented-but-disputed transactions, where a shared-liability model applies. When the "user" is an AI agent, the unauthorized-versus-consented boundary dissolves: the agent's erroneous purchase was technically consented to at the mandate level but not at the transaction level. The PSP therefore cannot readily invoke the unauthorized-transaction refund right, yet the shared-liability track provides no clear mechanism for allocating loss across the agent stack either. Gross negligence, on whichever track it is invoked, becomes a question about operator configuration and model behavior — categories the regulation does not address and for which no defined behavioral benchmark exists [5].

SCA exemptions compound the fracture rather than resolve it. PSD2 and PSD3 built exemption criteria around risk-scoring the human session in which a payment is initiated: device fingerprint, behavioral biometrics, transaction history anchored to a human's pattern of life. An agent-initiated payment has none of those attributes. It may pass authentication at the credential layer — the agent holds a valid token — but the session-level risk signals that justify low-friction exemptions are absent or meaningless in a machine execution context. A PSP that applies a standard transaction-risk analysis exemption to an agent-initiated payment is extending a human-calibrated risk tolerance to a non-human originator, without a regulatory framework that either authorizes or constrains that extension. If the exempted transaction is later disputed, the PSP's SCA determination becomes part of the liability record without any settled standard against which to evaluate it.

UCC Articles 3 and 4, which govern negotiable instruments and bank deposits, assign liability through the properly-payable standard and forgery rules — both of which presuppose a human drawer. They offer no ready mechanism for a payment instruction that was technically authentic but commercially mistaken at the agent layer. UCC Article 4A, which governs electronic funds transfers, provides its own authenticity and error-correction framework: a payment order issued in compliance with a security procedure agreed upon by the parties is treated as authorized even if the customer did not actually transmit it, provided the bank acted in good faith. That security-procedure safe harbor addresses intrusion-based fraud adequately, but it does not address the agent-specific problem — an instruction that was authenticated within scope but commercially erroneous. Article 4A's error provisions (§ 4A-205) focus on duplicate orders, wrong beneficiaries, and transmission errors, not on the question of whether the originating system's commercial judgment was within its delegated mandate. The statute has no mechanism to reach that question.

Foundational Reading

  1. Regulation E (Electronic Fund Transfer Act), 12 CFR Part 1005 — The primary U.S. consumer liability and dispute framework for electronic payments; read sections 1005.2(m) (unauthorized transfer definition), 1005.6 (liability), and 1005.11 (error resolution) with attention to the scope of "actual authority."
  2. Regulation Z (Truth in Lending Act), 12 CFR Part 1026 — Sections 1026.12–1026.13 govern credit card unauthorized use and billing-error resolution procedures.
  3. PSD3 / EU Payment Services Regulation (draft text, 2023–2024) — Article 59 on the PSP refund right for unauthorized transactions and the gross-negligence carve-out; compare the unauthorized-transaction track against the consented-but-disputed track, and review the SCA exemption framework for session-level authentication assumptions.
  4. Visa and Mastercard Core Operating Regulations and Dispute Resolution Rules — Specifically the chargeback reason code taxonomies and the evidentiary standards for representment.
  5. UCC Articles 3, 4, and 4A — Articles 3 and 4 for the foundational commercial-paper liability structure; Article 4A for the electronic funds transfer security-procedure safe harbor and error-correction provisions; read alongside Bepko's exposition for historical grounding [1].

The Operational Cascade

Issuer exposure is the most immediate operational consequence. When a dispute arrives for an agent-initiated transaction that does not satisfy a scheme chargeback reason code cleanly, the issuer must choose between absorbing the loss provisionally under error-resolution timelines, forcing the dispute into a mismatched reason code with litigation risk, or denying the claim and exposing itself to regulatory action if the regulator later classifies the event as an unauthorized transfer. All three paths carry balance-sheet and compliance costs that issuers cannot currently model because no jurisdiction has published a classification standard for agent-execution errors.

Processor and acquirer liability uncertainty propagates downstream from that issuer exposure. Acquirers who have contracted with merchants on the assumption that scheme dispute rules define the outer boundary of chargeback exposure will find that assumption untested when agent-initiated disputes arrive in volume. Merchants, for their part, face representment difficulty: to rebut a chargeback, the merchant must demonstrate that the transaction was authorized by the account holder, but the account holder's authorization was filtered through an agent whose decision logic is not in the merchant's possession and may not be auditable under current scheme evidence rules. The merchant delivered what was ordered; proving that the order was within the agent's valid scope requires access to the operator's audit trail — data the merchant has no right to compel.

At scale, these friction points stress chargeback monitoring thresholds. Card schemes enforce dispute-ratio limits on merchants and, in some programs, on acquirers. As AI agent transaction volumes grow, even a modest error rate at the agent layer — errors that do not map cleanly to fraud codes — could elevate dispute ratios into program-violation territory without any underlying merchant misconduct, triggering remediation requirements that were designed for fraud-prone merchants, not for a structural gap in dispute taxonomy [3].

Agent operators face their own exposure in this environment. Those with sophisticated legal counsel embed indemnity clauses that transfer risk to consumers or merchants; those without equivalent resources bear it directly on their own balance sheets. The asymmetry does not resolve toward a stable equilibrium: as agent transaction volumes increase, the parties carrying uncontracted residual risk will seek either regulatory intervention or exit from the agent-commerce stack, neither of which produces the operational predictability that issuer credit models require.

References

  1. Uniform Commercial Code — Gerald L. Bepko (1984) — https://doi.org/10.18060/2578
  2. Apple Pay, Bitcoin, and Consumers: The ABCs of Future Public Payments Law — Mark Edwin Burge (2015) — https://openalex.org/W2193410071
  3. Credit or Debit? Unauthorized Use and Consumer Liability Under Federal Consumer Protection Legislation — Daniel M. Mroz (1999) — https://openalex.org/W3014777452
  4. Luottamuksesta hyväksikäyttöön: Maksupetosten oikeudelliset ja yhteiskunnalliset vaikutukset ja tie kohti vahvempaa suojaa — Taavitsainen, Nanne (2025) — https://openalex.org/W7115309322

The problem is not a missing chargeback reason code. It is the absence of foundational determinations on which any dispute mechanism depends: which party in the agent stack holds statutory account-holder status and therefore bears default liability; what evidentiary artifact — an audit log, a cryptographic authorization token, a scheme-recognized attestation — constitutes proof that an agent acted within its delegated scope; how regulators pre-classify the agent commercial error as a legal category distinct from both unauthorized use and ordinary contract breach; what operator configuration failures or model behaviors meet the gross-negligence threshold that PSD3 reserves as a PSP carve-out; and at what transaction volume structural agent-execution error rates begin pushing merchant and acquirer dispute ratios into scheme program-violation territory.

Without those determinations, loss currently distributes by contract negotiation strength rather than by regulatory design. Agent operators with sophisticated counsel embed indemnity clauses that push risk to consumers or merchants; those without equivalent resources carry it directly, a condition that does not stabilize as volumes grow. Card schemes face pressure to create reason codes that do not fit their fraud-architecture logic. Issuers hold provisional credit exposure against standards they cannot interpret. Regulators in the EU are moving first, with PSD3's PSP liability shift on unauthorized transactions creating a de facto pressure point, but the gross-negligence carve-out they rely on has no defined behavioral benchmark for machine conduct [4]. The jurisdictions that resolve these determinations — through regulatory guidance, scheme rule amendment, or new legislation — will define the operational conditions under which agent commerce can scale without generating cascading dispute-ratio violations and uncontained issuer credit exposure.

Context

The Assumption Layer

Every layer of the current dispute stack was constructed with a human decision-maker at origination. Regulation E's liability caps and error-resolution timelines were calibrated against the behavior of a consumer who either recognized an unauthorized charge on a statement or failed to safeguard a PIN. Regulation Z's billing-error mechanism assumes a cardholder who can compare what she ordered against what she received and articulate the difference to her issuer. PSD2 and its successor PSD3 built SCA exemptions around risk-scoring the human session in which a payment was initiated — device fingerprint, behavioral biometrics, transaction history anchored to a human's pattern of life. An agent-initiated transaction produces none of those session signals, which means the exemption criteria either fail to apply or apply on the basis of credential-layer authentication alone, stripped of the behavioral risk context that makes low-friction exemptions defensible.

Scheme operating rules followed the same architecture. Chargeback reason codes reference the "cardholder," the "account holder," and the "authorized user" — always a natural person whose intent at the moment of transaction is either verifiable through authentication data or presumed from behavioral context. The UCC's properly-payable standard and its forgery doctrine similarly center on whether a human drawer's signature or instruction was genuine [1].

This is not an oversight in the original design; it was a reasonable constraint given the transactional technology of each era. The constraint only becomes a structural liability gap when the originating decision-maker is an autonomous agent whose authorization derives from a delegated mandate rather than a moment of human intent at the point of transaction.

Counterpoint

The Case for Existing Coverage

The strongest argument against treating agent-mediated transaction disputes as a genuine regulatory gap is that the existing frameworks are more elastic than they appear. Authorization, under both Regulation E and card scheme rules, is ultimately a contractual question: the consumer agreed to terms of service with the agent operator, and those terms likely confer authority on the agent to transact within defined parameters. On that reading, a mistaken agent purchase is not a regulatory dispute at all — it is a contract claim against the operator, exactly as a mistaken instruction by a human personal shopper would be resolved under agency law rather than chargeback mechanics [2].

Similarly, equitable estoppel and ratification doctrines already exist to handle situations where a principal benefits from an agent's unauthorized act or fails to repudiate it promptly. If the consumer receives and retains the wrongly purchased goods, ratification may bar the chargeback entirely. Issuers can enforce this through their existing cardholder agreements without waiting for regulatory reclassification.

Proponents of this view also point to the historical pattern documented by Burge [2]: new payment technologies have repeatedly generated predictions of regulatory inadequacy that the market and existing contract law resolved without new mandatory public-law floors. The Electronic Funds Transfer Act of 1978 predated widespread debit card adoption; debit card unauthorized-use uncertainty was absorbed over the following decades primarily through scheme rule evolution and contractual indemnity structures, with regulatory amendments addressing other dimensions of the market rather than resolving the original liability ambiguity through direct statutory revision. Agent commerce may follow the same trajectory — at higher friction cost and more slowly, given the complexity of the multi-party stack, but without requiring the clean-break regulatory intervention the gap analysis implies.

Unresolved Vectors

  1. Account-holder designation. Which party in the agent stack — consumer-principal, operator, LLM provider, or orchestration platform — holds the Reg E / Reg Z account-holder role, and must that designation be fixed contractually before the first transaction is initiated?
  2. Evidentiary standard for agent authorization. Can a certified operator audit log, anchored to a cryptographic scope declaration, satisfy scheme evidentiary requirements as the functional analog of a signed receipt?
  3. Error taxonomy. Does a commercially mistaken agent purchase constitute an authorization failure, or a contract breach against the operator — and does the answer change across Reg E, Reg Z, and PSD3's unauthorized-transaction track versus its consented-but-disputed track?
  4. Gross-negligence benchmark. What operator configuration failures or model behaviors would meet PSD3's gross-negligence carve-out threshold, given that no behavioral standard for machine conduct currently exists [4]?
  5. Chargeback threshold recalibration. At what agent transaction volume do structural agent-execution error rates begin elevating merchant or acquirer dispute ratios into scheme program-violation territory, and how should thresholds be adjusted in advance?
