3 Gaps Banks Must Close to Prepare for Autonomous Payments

Key Highlights 

• Autonomous payments are moving into live payment ecosystems, but most banks have not updated the infrastructure that receives, approves, and monitors agent-initiated transactions. 
• Banks face three infrastructure gaps: fraud detection that misses agent behavior, authentication that breaks without a human present, and APIs that can’t hold on to the volume agents generate. 
• As AI payments become more autonomous, banks need to test whether their transaction data, fraud models, authentication flows, API performance, and monitoring systems can support activity initiated by software, not people.  

How Autonomous Payments Are Changing Traditional Banking 

Autonomous payments are changing traditional banking by removing the need for human intervention at the moment of transaction and replacing it with AI agents - something few would have predicted even five years ago. The shift is already underway. In 2025, Visa, Mastercard, Stripe, Google, and PayPal launched agentic commerce frameworks within a six-month period, enabling software to discover, select, and purchase products on behalf of users. 

While most of the industry's attention has focused on the innovation itself and its impact on customer experience, another question remains: are banks ready to sit on the other side of those transactions? In many cases, the answer is no. 

This article examines three infrastructure gaps that prevent banks from supporting autonomous payments at scale and outlines practical steps to address each one and assess your organization's readiness. 

Gap 1: Fraud Detection Was Not Built to Evaluate an Agent's Behavior 

Fraud detection models have traditionally worked in a straightforward way: they assign risk to the customer behind every financial action. In payments, this means analyzing signals such as spending patterns, device usage, location history, and transaction velocity to determine whether a transaction is legitimate. 

That approach holds until AI agents change who is behind the action. The payment may be executed by software, but the fraud model still assesses the customer behind it. The system can determine whether the customer appears legitimate, but not whether the automated decision-maker is behaving as expected. As a result, a legitimate transaction and a compromised one can look equally valid when viewed through customer signals alone. 

Most banks will respond by adjusting thresholds and refining detection rules, convinced that better calibration will solve the issues. But the problem is not calibration. A simple test proves it: run known agent-initiated transactions alongside known automated fraud through your existing detection system. If it cannot reliably distinguish between them, the issue is that the model is evaluating the wrong actor.   

Closing that gap requires a fraud detection approach, that can assess the transaction context, behavioural patterns, and risk signals behind each action, not just the customer profile attached to it. For example, our AI-powered fraud detection solution uses machine learning to score transaction risk, explain each decision, and route suspicious cases by severity. As a result, banks can reduce false positives, catch more genuine fraud, and build fraud controls better suited to autonomous transactions.

Gap 2:  Your Authentication Flow Assumes a Human Is Always Present 

Every authentication flow is built around a customer being present at the moment of payment. They tap, scan, or enter a code. When an AI agent initiates the transaction instead, that moment disappears. The system waits for a human response that isn't coming, and most banks have no clear answer for what happens next. The authentication layer, designed for human interaction, has no graceful way to handle a non-human initiator. 

Current authentication rules and guidance in the UK and US still reflect a world where payment activity is initiated by a person, business, or authorized third party. They were not designed for agentic AI systems that act under delegated authority, initiate transactions later, and operate without the customer present. 

The practical response is to move authentication earlier in the transaction journey. Instead of confirming every transaction, the bank verifies the agent during onboarding and defines what it is authorized to do, under what conditions, and up to what value. Each subsequent request is then checked against that mandate. The confirmation step becomes unnecessary because the core authorization decision has already been made. 

As authentication spans security, product, and legal, assigning a single owner across the full scope of decisions is essential. The first task is concrete: within 30 days, map every point in the payment lifecycle that currently relies on human authentication and define how each one works when software initiates instead. The output is a decision architecture that specifies four parameters for every onboarded system: what transaction types it is authorized to initiate, the value thresholds above which a human review is triggered, the behavioral envelope it is expected to operate within, and the conditions under which its mandate is suspended or revoked. Those four parameters replace the per-payment confirmation step. They are defined once at onboarding, enforced at every subsequent transaction, and reviewed on a cadence your risk team sets. 

Gap 3:  APIs Cannot Handle the Volume AI Agents Create 

Banking APIs were not built for the speed, frequency, and orchestration demands of autonomous payments. As AI agents begin to execute chains of related transactions, API performance determines which payment ecosystems a bank can participate in. 

Replacing the core banking system is the wrong bet. It takes years, risk compounds at every stage, and the problem does not originate in the core itself. AI payments require an operational layer between customers and banking systems that generates, coordinates, and executes transactions at a pace and volume legacy platforms can’t handle.  

This is where banking API modernization needs to focus first. Banks need infrastructure capable of processing high request volumes, managing complex transaction sequences, enforcing permissions, and applying controls in real time. Goldman Sachs, for example, has publicly described making its APIs AI-agent-friendly as a strategic priority, framing the work as front-end modernization.  

To do so, start with an exposure assessment. Which payment flows are most likely to become software-initiated over the next two to three years? Which APIs support them today? Where would current infrastructure fail under autonomous transaction volume and orchestration requirements? More importantly, which of those flows are strategically important to the bank's future transaction volume and ecosystem participation?  

The answers define the modernization roadmap. Banks do not need to transform every API at once, but they do need to identify where agent-initiated transactions are most likely to appear first and focus efforts there. In most institutions, a small number of payment flows will carry most of this new volume. Those are the places where orchestration, control, and scalability need to be added first, while the rest of the estate continues operating as it does today. 

5 Questions to Test Whether Your Bank is Ready for Autonomous Payments 

Before commissioning another assessment, these five questions help you find out how prepared your bank's technology team is: 

• Can your transaction data distinguish between human-initiated, automated, and agent-initiated payments? 
• Can your systems detect when an agent’s transaction pattern changes from its approved mandate or expected behavior? 
• Can your authentication flow verify permissions before execution and enforce them on every following request? 
• Can your APIs handle higher request volumes, multi-step transaction sequences, and real-time permission checks without performance degradation? 
• Can your monitoring and case-management systems identify, prioritize, and contain suspicious activity before exposure spreads? 

The Path Forward to Agentic Payments 

Deloitte estimates agentic commerce could account for up to $17.5 trillion in global commerce by 2030. That means the infrastructure decisions you make in the next 12 to 18 months will determine which institutions are positioned to capture that volume and which aren't. 

If your bank is already processing agent-initiated transactions or expects to do so within the next 12 months, the gap between your current infrastructure and what autonomous payments require is worth mapping now. Talk to our financial consultants to identify where your architecture is exposed and what to prioritize first. 

This article was originally published by Dimitar Dimitrov, Managing Partner at Accedia, as a contribution to the Forbes Technology Council.