The Agentic Economy's Fintech Moment

Mapping the stack that's changing commerce, payments and agentic finance

The first wave of artificial intelligence in financial services was about insights. Models scored credit risk, flagged anomalous transactions, classified support tickets, and routed leads. The architecture was familiar: a human-driven application called a model, got an output, and used it to make a decision. AI was an input. The decision was a person's.

That wave is transitioning. The next one, what Fiat's 2026 trends report calls the shift from individual agents to a full interactive agent economy, is about execution. AI agents are not just scoring credit applications; they are routing them, negotiating with counterparties, calling external services, and increasingly transacting on behalf of users. Humans are moving from operators to approvers. The application layer is moving from human-driven to agent-driven.

Three things have changed in the last eighteen months to make this real. First, the Model Context Protocol (MCP) gave agents a standardized way to reach tools and data. Second, the Agent-to-Agent Protocol (A2A) gave them a way to coordinate across organizational boundaries. Third, a new generation of commerce protocols, the Agent Payments Protocol (AP2), the Universal Commerce Protocols (UCP), OpenAI's Agentic Commerce Protocol (ACP), gave them a way to transact. The infrastructure layer is now built, increasingly governed under the Linux Foundation, and deployed at production scale across 150+ organizations.

For fintech, this changes the question. It is no longer “when will the model layer be good enough?”, but rather it is “where does the agent economy bind hardest on the regulatory and operational frameworks finance actually runs on?” 

That is what this piece maps. The stack, the pace, the pressure points where fintech-specific dynamics make this harder than the generic infrastructure story, the categories of company the stack now makes possible, and the signals worth watching over the next twelve months.

The stack, as it stands in May 2026

A common reading of the current agent infrastructure landscape is that several protocols are competing to define the future. That reading is wrong. 

MCP, A2A, AP2, UCP, and OpenAI's ACP are not competitors. They are complementary layers in an emerging stack, each solving a distinct problem, each maintained by a different organization, each designed to interoperate. A production fintech agent system in late 2026 will likely use at least three of them simultaneously.

Three layers matter for fintech operators trying to build on it.

Tool access. MCP at the foundation. Anthropic released the Model Context Protocol (MCP) in November 2024. Eighteen months later, it has crossed 97 million monthly SDK downloads, the public registry has surpassed 9,400 servers, and enterprise adoption sits at 78% in production AI teams. It now ships with every major AI platform and is governed by the Agentic AI Foundation under the Linux Foundation, co-founded by Anthropic, Block, and OpenAI. MCP did not displace a competing protocol, there was none. What it standardized was the patchwork that came before it: vendor-specific function calling, framework-specific tool wrappers like LangChain's, and isolated plugin stores. The relevant signal for fintech is not that MCP won a protocol war. The signal is that the integration layer below the model is now a commodity standard, freeing operators to spend their thinking elsewhere.

Agent coordination. A2A as the horizontal bus. Google released the Agent-to-Agent Protocol (A2A) in April 2025. By mid-2026, more than 150 organizations had deployed it in production, IBM's earlier Agent Communication Protocol had folded into it under Linux Foundation governance, and competing standards had stopped emerging. A2A solves the harder problem MCP does not: how agents from different organizations discover each other, negotiate task ownership, and exchange context without a human routing every handoff. For fintech, this is the critical layer. Most production financial workflows already involve multiple specialized systems; KYC, fraud detection, underwriting, servicing, collections. A2A is the substrate that lets those systems compose as agents rather than as point-to-point integrations.

Commerce. AP2, UCP, and OpenAI's ACP, still differentiating. This is the layer where the protocol landscape is still actively being shaped. Google's Agent Payments Protocol (AP2), released September 2025 with backing from Mastercard, PayPal, Coinbase, American Express, and more than sixty other partners, uses cryptographically signed mandates to authorize agent-initiated payments, and treats stablecoin rails as first-class alongside cards and bank transfers. The Universal Commerce Protocol (UCP), co-developed by Google and Shopify and released January 2026, handles the full merchant transaction journey from discovery to post-purchase. OpenAI's Agentic Commerce Protocol (ACP) covers checkout semantics from a different angle. The three are not yet fully reconciled. Each addresses a real and distinct sub-problem; the question for fintech is which layer a given workflow exposes and which protocol best fits it.

One name collision worth flagging: IBM's earlier Agent Communication Protocol, launched March 2025, used the same "ACP" acronym as OpenAI's commerce protocol. IBM's version merged into A2A in August 2025; OpenAI's remains independent.

The composition pattern is the real story. A merchant in 2026 can expose its product catalog via MCP, be discovered by a shopping agent through A2A, and complete checkout under AP2 mandates with UCP merchant-side semantics. None of these protocols replace the others. Choosing one is not a strategic decision; building with all of them, layered correctly, is.

The pace, and what it means

The agent protocol stack did not exist eighteen months ago. In November 2024, Anthropic released MCP. Today the stack has five protocols, two of them under Linux Foundation governance, all with major-vendor commitments.

This pace is unusual for infrastructure standardization. The closest recent precedent is the container orchestration consolidation that followed Docker's release in 2013. From Docker's debut to Kubernetes becoming the de-facto enterprise standard took roughly five years. The agent stack is doing comparable work in eighteen months, with Linux Foundation governance already in place at the tool and coordination layers.

Two implications follow.

First, the foundation layers, MCP and A2A, are now stable enough to build on. The tool access and agent coordination layers are not still in flux at the foundational level. Adoption velocity, governance maturity, and major-vendor commitment all point in the same direction. Operators waiting for the protocols to settle before integrating are waiting for something that has already happened.

Second, the commerce layer is still differentiating, and committing to one protocol early carries real risk. AP2, UCP, and OpenAI's ACP each solve a real and distinct sub-problem, but the boundaries between them are still being negotiated. An operator-grade strategy hedges across them rather than picking a winner. That contrasts with MCP and A2A, where there is no equivalent fork; one protocol per layer, already consolidated.

For fintech operators, the practical implication is straightforward. MCP and A2A are now stable foundations; production-ready, governed, and unlikely to change beneath an integration built today. The commerce layer is not. 

Hedging across AP2, UCP, and OpenAI's ACP, rather than committing early to one, is the posture this stage of the layer calls for. Section 4 takes that distinction into fintech-specific terrain.

Where the pressure binds

What is not built is the regulatory and governance scaffolding that has to surround a multi-agent system in regulated finance. Three pressure points are already visible. They do not bind on every workflow equally; each lands hardest in a specific corner of fintech.

Pressure Point 1. Payment authorization and liability. AP2's signed Mandates solve the technical problem of cryptographically proving that a user authorized an agent to transact. They do not solve the legal question of who is liable when something goes wrong. Reg E (which sets consumer liability rules for unauthorized electronic transactions) and Reg Z (which governs consumer credit disclosures and billing dispute procedures) in the United States, PSD2 (the EU's payment services framework, which requires strong customer authentication and standardizes payment-initiation rules) in the European Union, were written for systems where a human authorized each transaction directly. Agent-initiated payments stretch those frameworks in ways the frameworks have not yet caught up to. The pressure binds first in two sub-spaces: consumer payments, where Reg E's liability rules govern unauthorized transactions; and SMB embedded finance, where merchant-side authorization flows have to compose cleanly with consumer-side protections. 

For example, Henry Labs is building the checkout and payment execution infrastructure that allows AI agents to complete transactions on behalf of users across existing merchant ecosystems. As agent-initiated commerce moves from experimentation to production, the company sits directly at the intersection of authorization, authentication, and payment execution, helping translate user intent into completed purchases while preserving the controls required by today's payment networks and merchants. This becomes increasingly important as regulatory frameworks such as Reg E, Reg Z, and PSD2 were designed around direct human authorization, creating new questions around liability, dispute resolution, and consumer protections when transactions are initiated by autonomous agents rather than consumers themselves.

Pressure Point 2. Multi-agent audit trails. On April 17, 2026, the OCC, Federal Reserve, and FDIC jointly issued revised model risk management guidance, SR 26-2 (the framework governing how banks manage risks from quantitative models), superseding SR 11-7 (the 2011 predecessor that defined the three-pillar audit template used across the industry for fifteen years). The revised guidance carved generative AI and agentic AI explicitly out of scope, characterizing them as "novel and rapidly evolving" and signaling that tailored AI guidance is coming. Even as the formal framework is being rebuilt, OCC and Federal Reserve examiners have made AI part of every routine bank examination, pressing firms on data access, governance controls, kill switches, and third-party vendor chains, Reuters reported on June 12, 2026. The April SR 26-2 carve-out is the first US regulatory event to address, and exclude, agentic AI directly. SR 11-7's three-pillar template; independent validation, ongoing monitoring, documentation, assumed a single model with a documented input-output path. When five agents from three organizations contribute to a credit decision, the audit-lineage question becomes structural rather than procedural. The pressure binds first in lending and underwriting, where regulator-required decision lineage was the original target of SR 11-7's audit framework, and where agent-mediated decisioning has to reconstruct that lineage across orchestration boundaries the framework did not anticipate.

For example, Splitero enables homeowners to access home equity through Home Equity Investments (HEIs), providing upfront capital in exchange for a share of a home's future value rather than originating a traditional loan. To assess eligibility, property value, investment sizing, and risk, the company combines property data, valuation models, underwriting systems, and third-party information sources, creating a decision process that increasingly resembles a multi-agent workflow rather than a single underwriting model. As regulators focus on AI governance and model accountability, platforms like Splitero illustrate why future underwriting systems will require end-to-end decision lineage capable of documenting how data, models, and automated processes collectively influenced a financial decision.

Another example is Frontlands, who provides asset-backed credit products for owners of mineral rights and other natural-resource assets, using proprietary underwriting models to evaluate the future cash flows associated with those rights and determine borrowing capacity. As alternative lenders increasingly incorporate AI systems, third-party data providers, valuation engines, and automated decisioning tools into underwriting workflows, firms like Frontlands highlight the growing challenge of maintaining a clear audit trail across multiple models and data sources. In an environment where regulators increasingly expect explainability and decision lineage, every valuation assumption, data input, and automated recommendation contributing to a credit decision must remain traceable, particularly when underwriting relies on complex assets that fall outside traditional consumer credit frameworks.

Pressure Point 3. Cross-organization KYC/AML. A2A's Agent Cards provide identity for agents themselves. Financial regulation, written under a different assumption, cares about identifying the humans behind transactions. When an agent system orchestrates services across multiple regulated entities (payment processors, banking partners, FX providers, crypto rails), a single agent-initiated cross-border transaction can trigger independent KYC obligations across the originating institution, intermediate processors, recipient-side partners, and the regulatory regimes of every jurisdiction it touches. The cascade compounds across regimes as well as organizations. The EU AI Act classifies finance-sector AI systems as high-risk, which sharpens the documentation requirements without resolving the cascade. The pressure binds first in cross-border payments and stablecoin commerce, where the cascade crosses regulatory regimes as well as organizations. 

For example, Meru is building a stablecoin-powered financial platform that enables consumers across Latin America to save, move, and transact in U.S. dollar-denominated assets. As agent-initiated cross-border commerce becomes more common, platforms like Meru illustrate the growing challenge of maintaining compliant KYC, AML, and sanctions controls across multiple banking, payments, and digital asset partners while preserving a consistent understanding of the customer behind each transaction.

Another example is WalaPay, which provides cross-border payments infrastructure that helps businesses move money across emerging markets through a network of local and international payment rails. Because a single transaction may traverse multiple regulated financial institutions and jurisdictions, WalaPay exemplifies the increasing complexity of coordinating identity verification, compliance obligations, and transaction monitoring across organizations when payments are initiated and orchestrated by autonomous systems rather than individual users.

These three pressures do not bind on every fintech workflow, and they do not bind equally. What unifies them is that the protocols themselves do not solve them: payment-mandate cryptography does not resolve liability, agent-to-agent coordination does not produce regulator-required audit lineage, agent identity does not satisfy KYC. The unsolved layer is where the next categories of fintech infrastructure get built.

The companies the stack makes possible

The question for investors and operators is what categories of company the stack now makes possible, not as a complete map, but as a frame for where attention is moving.

Three categories are taking shape.

The first category is the governance and orchestration layer above the protocols. MCP gateways, agent identity and reputation systems, and regulated-workflow orchestrators that translate generic protocol behavior into specific compliance workflows. Some are horizontal infrastructure serving any vertical; others are vertical-specific, built for regulated finance from the start. MintMCP exemplifies the horizontal flavor, a gateway providing deployment, security, audit, and compliance controls for MCP deployments across industries. Fiserv's agentOS, announced May 2026 with six financial-institution partners, exemplifies the vertical flavor, an agentic operating system designed specifically for banking workflows with policy controls and auditability built into the architecture. This is the layer where the audit-trail, liability, and KYC-cascade pressures from Section 4 get operationalized.

The second category is agent-native financial primitives. Lending, insurance, treasury, payments, trading services designed with agents as primary actors from the foundation up, rather than bolted onto an existing fintech architecture. The architectural choices diverge meaningfully: state management, authorization granularity, audit trails, and orchestration are all designed around agent behavior rather than retrofitted to accommodate it. Catena Labs, founded by Circle co-founder Sean Neville, raised an $18M seed from a16z Crypto in May 2025 and a $30M Series A in May 2026 led by Acrew Capital and a16z Crypto, building what it calls "the first fully regulated AI-native financial institution", the canonical example of this category's thesis. Most existing fintech APIs assume a human-driven application layer; agent-native primitives assume the opposite, with meaningfully different regulatory exposure and competitive dynamics.

The third category is regulator-facing tooling. Audit-as-a-service for agent stacks, compliance demonstration tooling, evidence-pack generators for supervisory review. Credo AI, Holistic AI, and WitnessAI sit in the horizontal AI governance layer; Comply launched a financial-services-specific agentic compliance platform in April 2026, built on MCP. The trigger event is already on the calendar: the April 2026 SR 11-7 revision explicitly signaled that the federal banking agencies plan to issue a request for information on agentic AI model risk management. When that RFI lands, the tooling that helps regulated institutions demonstrate compliance with whatever framework emerges will move from "early but real" to a rapidly expanding category. The shape of that framework, and therefore the shape of the tooling,is being negotiated now, through the lobbying activity, regulatory engagement, and policy positioning of the AI firms and the financial institutions deploying their models. Companies positioning early in this layer are positioning against a regulatory landscape that has not yet been drawn.

What to watch

Three sets of signals will tell operators and investors how fast this stack is consolidating into a real fintech infrastructure layer over the next twelve months.

Regulatory triggers. The federal banking agencies publicly committed to a forthcoming request for information on agentic AI model risk management when they revised SR 11-7 in April. The RFI itself is the watchable event; when it is issued, what specific questions it raises about multi-agent governance, audit-lineage, and cross-organization decisioning, and how fast banks and tooling vendors mobilize around it. In parallel, the financial-services-specific AI standards work being pushed by the ABA, BPI, and CAISI will either crystallize into a published framework or stall at the advocacy stage. Either outcome is informative. EU AI Act enforcement on high-risk finance-sector AI systems is the second-half-of-2026 trigger that will set the international tone.

Production deployments. The first major bank or insurer to publicly disclose A2A or AP2 in a customer-facing workflow, not a pilot, not an internal experiment, will mark the transition from "deployable" to "deployed at scale." Fiserv's agentOS already has six financial-institution partners running in beta; the first of those to graduate to full production is a specific signal worth tracking. On the agent-native side, the first regulated agent-native institution to publish material operating metrics, loan volume, deposit base, loss rates, unit economics, will define whether the architectural thesis holds at scale.

Capital and consolidation. Funding rounds and M&A across the layers will tell us where investors are committing. Specifically: a $100M+ round in the MCP gateway or A2A orchestration layer would signal that the governance-and-orchestration category has produced a leader. Acquisition of an agent-native fintech primitive by a major incumbent (Stripe, Plaid, Mastercard, Visa, a major bank) would signal that incumbents see the architectural shift as competitive. Stablecoin transaction volumes routed through AP2 specifically, measurable through Coinbase, Circle, and the major card networks' reporting, will tell us whether agent-mediated commerce is becoming real or staying theoretical.

The architecture is built. The question of the next twelve months is whether fintech operators, regulators, and capital allocators move together fast enough to make the stack a real infrastructure layer for regulated finance, or whether the gap between protocol maturity and regulatory clarity slows the field to the pace of the slowest layer.