A UK-based AI agent, operating on behalf of a British business, executes a payment to a supplier in Germany. The transaction involves a UK bank account, a euro-denominated payment, and potentially a stablecoin bridge. In the time it takes a human to read this sentence, the agent has simultaneously triggered obligations under the FCA's Payment Services Regulations, the EU's Payment Services Directive 2, and — if stablecoins are involved — MiCA.

Under the current compliance architecture, meeting all three simultaneously is either impossible or prohibitively expensive. Each framework requires its own documentation, its own verification processes, and its own reporting obligations. They were designed to be met sequentially by compliance teams, not simultaneously by software.

The architecture of the problem

PSD2 requires strong customer authentication for most payment initiation. In an agentic context, there is no customer present at transaction time — the customer is the principal who authorised the agent at setup. PSD2 does not currently recognise pre-authorised agent delegation as satisfying SCA requirements. The regulation is under review, and the European Banking Authority has published discussion papers on AI in payments — but no updated guidance exists.

The FCA's Payment Services Regulations implement PSD2 in UK law, with some divergence post-Brexit. The FCA has been more active than many European regulators in engaging with AI and fintech, publishing its AI and Machine Learning discussion paper and establishing a regulatory sandbox that has included some agentic payment experiments. But the core regulations have not been updated to address agent-initiated transactions.

MiCA, which came into full effect in December 2024, regulates crypto-asset service providers and issuers of asset-referenced tokens. If an agentic payment uses a stablecoin as a settlement mechanism — increasingly common in cross-border B2B transactions — MiCA obligations are triggered. These include CASP licensing requirements, consumer protection rules, and AML obligations that are distinct from those under PSD2.

Programmable compliance as the solution

The emerging answer to simultaneous multi-jurisdiction compliance is to make compliance programmable — to encode regulatory requirements as executable rules that travel with the transaction and can be verified by any counterparty or regulator without manual intervention.

The technical mechanism most commonly proposed is a combination of verifiable credentials and zero-knowledge proofs. The agent carries a set of verifiable credentials attesting to the compliance status of its principal: the principal is FCA-regulated, PSD2-authorised, and MiCA-registered. Zero-knowledge proofs allow these credentials to be verified without exposing the underlying data — the counterparty knows the principal is compliant without learning the details of its regulatory filings.
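The flow described above, as an added sketch that is not code from this article or from any regulator or protocol. It makes two substitutions: an HMAC stands in for the issuer's public-key signature, and salted-hash selective disclosure stands in for a zero-knowledge proof. The framework labels, keys, country list and function names are all assumptions made for the illustration.

```python
import hashlib, hmac, json, secrets

# Constructed demo keys. HMAC is a stand-in: a real issuer would sign with a
# private key and the counterparty would verify with the public key.
ISSUER_KEYS = {"FCA-PSR": b"demo-key-1", "PSD2": b"demo-key-2", "MiCA": b"demo-key-3"}
EU = {"DE", "FR", "NL"}  # constructed subset, enough for the article's scenario

def digest(salt, name, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def sign(framework, digests):
    msg = json.dumps([framework, digests]).encode()
    return hmac.new(ISSUER_KEYS[framework], msg, "sha256").hexdigest()

def issue(framework, claims):
    """Issuer: commit to every claim with a salted hash, then sign the digests."""
    salts = {k: secrets.token_hex(16) for k in claims}
    digests = sorted(digest(salts[k], k, v) for k, v in claims.items())
    cred = {"framework": framework, "digests": digests, "sig": sign(framework, digests)}
    return cred, salts

def present(cred, salts, claims, reveal):
    """Agent: disclose only the named claims; the rest stay as opaque digests."""
    return {**cred, "disclosed": [[salts[k], k, claims[k]] for k in reveal]}

def required_frameworks(tx):
    """Executable form of the scenario: which regimes does this payment trigger?"""
    req = set()
    if tx["payer_country"] == "GB":
        req.add("FCA-PSR")
    if tx["payee_country"] in EU:
        req.add("PSD2")
    if tx.get("stablecoin"):
        req.add("MiCA")
    return req

def verify(tx, presentations):
    """Counterparty: return the triggered frameworks that remain unsatisfied."""
    satisfied = set()
    for p in presentations:
        if p["framework"] not in ISSUER_KEYS:
            continue  # unknown issuer
        if not hmac.compare_digest(sign(p["framework"], p["digests"]), p["sig"]):
            continue  # digest list was altered after issuance
        # Keep only disclosures whose salted hash the issuer actually signed.
        shown = {n: v for s, n, v in p["disclosed"] if digest(s, n, v) in p["digests"]}
        if shown.get("authorised") is True:
            satisfied.add(p["framework"])
    return required_frameworks(tx) - satisfied
```

An empty set from `verify` means every triggered regime is covered by a valid presentation; a non-empty set names the regimes still missing, which is the point at which the payment should be held.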

This approach mirrors what is already happening in decentralised finance with on-chain compliance protocols. Several protocols now allow wallets to carry compliance attestations that satisfy KYC requirements across multiple DeFi platforms without requiring each platform to run its own KYC process. The extension to traditional payment rails is not trivial, but the architecture is proven.

The regulatory change required

Programmable compliance can solve the technical problem of simultaneous multi-jurisdiction verification. It cannot, on its own, solve the legal recognition problem. For a verifiable credential attesting to FCA authorisation to be accepted by a German counterparty as satisfying PSD2 requirements, regulators in both jurisdictions need to agree that it does.

This requires regulatory coordination — either bilateral agreements between the FCA and European regulators, or a multilateral framework under the auspices of FATF or the Financial Stability Board. The precedent exists: the passporting arrangements under the original Payment Services Directive allowed firms authorised in one EU member state to operate across the EU without separate authorisation in each jurisdiction. A similar arrangement for AI agent credentials is theoretically achievable.

The firms that will win in agentic payments will be those that build compliance infrastructure now — before the regulatory frameworks are finalised — and engage actively with regulators to shape those frameworks. The window for that engagement is open. It will not stay open indefinitely.