Agents Are Here, Trust Must Catch Up: Notes from Money20/20 Europe

Money20/20 Europe brought the payments, banking, and fintech world to Amsterdam for a week of infrastructure talk: payment sovereignty, open banking, stablecoin settlement, PSD3, the AI Act, and the rebuilt money stack underneath it all.

But one thread kept cutting across the entire floor: agents.

On day one, Mastercard, ING, and Worldline announced Europe's first end-to-end agentic payment in production. An AI assistant went looking for an anniversary gift, found concert tickets inside a set budget, and paid only once its owner said yes. The whole thing ran on live European rails across the Netherlands and Belgium. One transaction carefully staged…but real.

Gartner expects AI agents to intermediate more than $15 trillion in B2B purchases by 2028, and the floor certainly felt like the industry starting to build for it.

The rails are coming together. Trust has to catch up.

An agent that shops and pays for a customer breaks one of fraud detection’s oldest assumptions: that there is a human on the other end.

So the question that followed us around the floor, into sessions, and up to our booth was simple to ask and harder to answer: now that agents are here, how do you trust them?

TL;DR

• Agents were the theme of the year. On day one, Mastercard, ING, and Worldline ran Europe's first end-to-end agentic payment in production, and Gartner expects agents to intermediate more than $15 trillion in B2B purchases by 2028.

• The rails are arriving faster than trust. An agent that shops and pays as the customer breaks fraud detection's oldest assumption, that there is a human on the other end.

• On our panel, we discussed how trust is tested in three places: commerce readiness, regulation, and the risk system itself.

• "Was authorized" is not "is authorized right now." Trust must be be continuous and verified across the whole lifecycle. Detection, timing, and liability are all still open questions.

• The infrastructure has to be built in the open: portable, verifiable agent identity on open standards, with interoperability non-negotiable.

How trust can break when AI is the customer

We brought that same question to the MoneyPot Stage. On June 3, our co-founder and CEO, Neha Narkhede, sat down with Karan Katyal, who leads agentic commerce at Adyen, and Caroline Malcolm of Cambridge's Centre for Alternative Finance and Global Digital Finance, with Merusha Naidu of Paymentology moderating.

The session had a title that did not hedge: "AI Is the Customer: Trust in the Agentic Commerce Era."

Neha opened on the assumption underneath decades of fraud work:

"For decades, the question behind fraud and identity was simple: is this a human or not? The absence of a human meant fraud. In an agent-driven world, the absence of a human can mean a perfectly legitimate agent."

— Neha Narkhede, co-founder and CEO, Oscilar

Nobody on stage pretended the fully autonomous future had already arrived, and that restraint made the conversation more useful. It stayed close to the ground. What actually breaks as agents move from demo to checkout? Each panelist pointed at a different potential fault line.

For Karan, it was commerce readiness. Agent-led shopping is live, but cautious, mostly human-in-the-loop, where a person lets an assistant search and choose, then signs off before anything is bought. Fully autonomous and machine-to-machine flows are further out than the demos suggest. And the hardest part is not the payment. It is everything wrapped around it: merchant data, catalog depth, the post-purchase systems an agent has to reach into.

For Caroline, it was regulation. Agent-initiated payments are still edge cases, with delegated authority, authentication, and liability all unsettled. The internet, as she put it, was never built with an identity layer for agents to inherit.

For Neha, it was the risk system itself. Checking an agent once, at the front door, tells you nothing about the rest of the session. Agentic commerce turns trust into something continuous: who authorized this agent, what is it allowed to do, and is it still doing only that?

"We verify the agent's credentials and the scope of the mandate, and then we focus on drift monitoring, detecting the arc of agent behavior over a period of time."

— Neha Narkhede

For us, that is the moment the conversation stops being theoretical. Agentic commerce turns verification into an ongoing read on identity and intent, not a one-time check at the door.

"Was authorized" is not "is authorized"

Two gaps open up here. The first is detection. For years, "not human" was the gold standard of fraud detection. It is not anymore, not when a customer's own assistant is the non-human party, and the legitimate and the malicious arrive through the exact same automated door. Static rules and models retrained over months cannot keep up with adversaries that retool in hours. The better approach reads hundreds of signals at once, device, behavior, transaction history, because a fraudster can fake a few of them, but faking hundreds across a whole session is hard. The effort to pull that off becomes a signal in its own right.

The second gap is timing. A credential tells you an agent was authorized at setup. It tells you nothing about whether it is still inside its mandate ten minutes later, and a flag raised on one network may never reach the next. "Was authorized" is not "is authorized right now." Closing that gap means checking the agent, its mandate, and the person behind it continuously, and watching how it behaves through the session, not just waving it through at the start.

Then there is liability, which nobody has settled. Neha's example stuck with us. An agent reads a manipulated merchant listing and buys the wrong thing. The customer approved the agent. The merchant's page was poisoned. A third party wrote the agent. So who pays? The chargeback model, which sorts responsibility by who checked which credentials, is a place to start. It is not the whole answer.

Build in the open

On direction, the panel agreed: the trust infrastructure has to be built in the open. Easy to say, harder to live up to. The real test is whether networks, platforms, merchants, and agent builders can settle on enough shared plumbing before everyone's proprietary models harden. Karan made the case against closed loops, where each platform lays its own rail and keeps the value to itself, and pointed to real progress, like Google handing its AP2 agent-payments protocol to FIDO.

Caroline pushed from the regulatory side. The technical standards are still forming, the liability model even more so, and until both firm up, big institutions will be slow to put real volume through agent-led flows. Neha's answer was the most concrete: portable, verifiable agent identity with delegated authority, built on open standards. Make merchants wire up ten proprietary identity models for ten platforms, she warned, and the channel gets too heavy to ever really move. Interoperability, in her words, is non-negotiable.

At the booth, the questions were practical

Over three days, our EMEA team welcomed more hundreds of visitors: customers, partners, and a lot of new faces. Most came to talk about what is keeping them busy right now, fraud pressure, onboarding, AML, credit risk, and the constant push to move faster without breaking compliance.

The word that came up again and again was control. More automation, yes, but not another black box nobody can explain after the fact, and not a shortcut that opens a new door for fraud. That is where agents kept entering the conversation. A year ago we barely heard about them.

This year, people asked specific things: could their fraud stack tell an approved agent from a bot? What happens when an agent's mandate shifts mid-session? Who eats the loss when an agent follows bad merchant data? The questions no longer sounded hypothetical.

Agents are the sharp edge

Agents were not the whole story at Money20/20. But they made the bigger shift impossible to miss: money is moving faster, more decisions are being automated, and trust is getting harder to verify in real time.

Faster account-to-account rails like Wero, open banking pushing into recurring payments, stablecoin settlement: all of it speeds money up and sends it through more automated hands, and every step makes it a little harder to know who, or what, you are dealing with while the money moves. Agents just make that impossible to ignore.

The volumes are still small today, but the decisions about how much fraud rides along with them are being made right now. What Neha argued on stage holds just as well for every conversation at the booth. Trust cannot be a gate an agent clears once. It has to travel with the agent and get checked across the whole session, built on portable, verifiable identity and open standards the industry can actually share. Agentic commerce will not scale on payment credentials alone, and the time to build that in is before the volume arrives, not after.

To everyone who found us in Amsterdam, the customers who swapped notes between sessions, the partners we work with, and the people we met for the first time at the booth and beyond: thank you. Those conversations are the reason we make the trip.

If your team is wrestling with agent identity, mandate enforcement, or risk controls for AI-led transactions, we would love to talk.

NEW GUIDE

Agents in AML: A Production Playbook from the Investigator's Seat

Get your copy

->