
The Bot That Carries Your Wallet



by Sean Murphy


Agentic Commerce and the Identity Gap


Every March, like clockwork, the emails arrive. Barclays wants to know if you would like an ISA (Individual Savings Account). Perhaps the special savings variety, or something more adventurous. For millions of people across the UK, the ritual is the same: skim the subject line, feel a mild pang of financial guilt at the missed tax benefits, and do absolutely nothing. Not because they do not care, but because choosing the best ISA requires a depth of comparison that few have the time or training to undertake. It is precisely this kind of decision, mundane yet consequential, that Dave Birch believes will be among the first to fall to agentic commerce.


Birch, a widely recognised authority on digital identity and electronic payments, has spent decades thinking about the plumbing beneath financial transactions. I was lucky enough to catch up with him at MPE in Berlin, where he was characteristically direct about where AI agents will gain traction first. "If I need some new socks, the sooner a bot does that instead of me, the better," he said, before pivoting to more interesting terrain: not retail trivia, but financial products whose entire business models often depend on consumer confusion.


Car insurance is a prime example. Even with comparison websites, the average consumer cannot meaningfully evaluate two policies. The documentation runs to thousands of pages, the pricing structures are opaque, and so most people simply renew year after year because the cognitive cost of switching outweighs any potential saving. An AI agent could parse both policies in seconds. The same logic applies to mortgages, health insurance, and savings products.


Birch is clear about the limitations. Large language models hallucinate; it is, he notes, part of how they work, not a bug to be patched out. Techniques such as retrieval augmented generation can anchor outputs in real documents, and cross-referencing between models offers some safeguard, though recent research suggests models trained on similar data tend to converge rather than genuinely check one another. None of this disqualifies AI from regulated environments. It simply means proper processes must be built around it. "I would rather pay a pound to the Martin Lewis money supermarket agent," he said, "rather than pay nothing and have AIs that might be promoting particular products."


But if the commercial case is becoming clearer, the infrastructure beneath it remains alarmingly thin. For an AI agent to act on your behalf, to compare ISAs or negotiate an insurance renewal, it needs an identity. Not just yours, but its own. The system must verify which agent is acting, which version is running, on whose authority it operates, and within what limits. Birch describes it as a cascading identity problem, one he frames through a familiar regulatory lens. Before you can know your agent, KYA, you need to know your business, KYB: which company built it, who authorised its deployment, who bears liability. And to truly know the business, you need KYC, the individuals behind it, the executive officers, the ultimate beneficial owners, the people with actual control. Each layer depends on the one beneath it, and none of them has been solved for a world of autonomous software.


"I would rather pay a pound to the Martin Lewis money supermarket agent, rather than pay nothing and have AIs that might be promoting particular products."

– David G.W. Birch, Global Ambassador, Consult Hyperion, Consulting by Fime


Under protocols like Google's AP2 framework, an agent presents a digitally signed intent mandate to a merchant. Validating that signature requires functioning public key infrastructure, and the private keys must be stored somewhere network-accessible if the agent is to act autonomously, without waking you at two in the morning to press your thumb against a phone. That means hardware security modules or cloud-based secure elements, operating within a trust framework that does not yet exist. "It's easy to draw it as clouds on a whiteboard," Birch observed, "but as soon as you drop it down one layer, it gets complicated."
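A merchant-side sketch of the checks described above (which agent, which version, on whose authority, within what limits), added here as an illustration; it is not code from this article or from the AP2 specification. The mandate fields, the trust-store layout and the choice of Ed25519 are assumptions, and the in-memory map stands in for a real PKI.

```javascript
// Added illustration: field names are hypothetical, not AP2's real schema.
const nodeCrypto = require('crypto');

// Constructed agent key pair; a real deployment would keep the private key in an HSM.
const agentKeys = nodeCrypto.generateKeyPairSync('ed25519');

// Merchant trust store standing in for PKI: agent id -> approved version,
// accountable operator (the KYB layer) and pinned public key.
const trustedAgents = new Map([
  ['agent-001', { version: '1.4.2', operator: 'Example Ltd', publicKey: agentKeys.publicKey }],
]);

// Fixed field order so signer and verifier process identical bytes.
function canonical(m) {
  return Buffer.from(JSON.stringify([m.agentId, m.version, m.principal, m.maxPence, m.expires]));
}

function signMandate(fields, privateKey) {
  const sig = nodeCrypto.sign(null, canonical(fields), privateKey).toString('base64');
  return { ...fields, sig };
}

function signatureValid(m, publicKey) {
  try {
    return nodeCrypto.verify(null, canonical(m), publicKey, Buffer.from(String(m.sig), 'base64'));
  } catch {
    return false; // malformed signature material is treated as invalid
  }
}

// Returns 'ok' or the name of the first check that failed.
function verifyMandate(m, orderPence, nowSeconds) {
  const agent = trustedAgents.get(m.agentId);                   // which agent is acting
  if (!agent) return 'unknown agent';
  if (!signatureValid(m, agent.publicKey)) return 'bad signature';
  if (m.version !== agent.version) return 'unexpected version'; // which version is running
  if (nowSeconds >= m.expires) return 'expired';                // authority still in force
  if (orderPence > m.maxPence) return 'over limit';             // within what limits
  return 'ok';
}

const NOW = 1800000000; // constructed timestamp (seconds)
const mandate = signMandate(
  { agentId: 'agent-001', version: '1.4.2', principal: 'user-42', maxPence: 2000000, expires: NOW + 3600 },
  agentKeys.privateKey
);
console.log(verifyMandate(mandate, 1500000, NOW));
```

The signature is checked before any other field is trusted, so a mandate whose limit was raised after signing is rejected as `bad signature` rather than evaluated against the forged limit.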


MasterCard, with whom Birch co-authored a paper on agent identity last year, has taken what he considers a rational first step: positioning its tokenisation platform at the centre of as many transactions as possible. Whether that proves optimal for global commerce remains an open question. Companies across financial services are, in his assessment, "just not geared up for the fact that customers are going to get a thousand times smarter." The ISA emails will keep arriving every March. A bot will answer them soon enough; the unresolved question is whether anyone in the chain, human or machine, will be able to prove who is really on the other end.

 
 