Payments rails have an agent-identity story. Regulated commerce doesn't. IDCanopy builds the consent, creditworthiness and audit-grade receipt layer that every regulated regime will need — CCD2 first, then PSD3, IDD, MiFID II, and every regime the next decade of compliance produces.
KYC verifies a human. KYA verifies the software agent that acts on their behalf. Agentic commerce works without KYA in free retail; regulated commerce doesn't. Four questions define the layer: what it is, what it is not, how authority flows, and what the receipt proves.
A layer above payment. A receipt primitive that answers the four questions cryptographically. The compliance scaffold regulated regimes will increasingly demand of any agent-mediated transaction.
Not a substitute for KYC of the principal. Not an agent reputation score. Not a payment protocol. Not an LLM safety layer. KYA attests the result of the agent's action, not its reasoning.
Authority moves through a verifiable chain — principal mandates agent, agent acts at counterparty, counterparty calls IDCanopy, decision engine fires. Each actor in the chain carries its own attestation.
Receives the agent's payload from the counterparty, verifies the mandate chain, fires the regime-specific human-in-the-loop gate where required, runs the compliance engine (bureau check, suitability, disclosure rendering), and mints a cryptographic receipt that survives a regulator audit.
For CCD2 credit, IDD insurance, MiFID II suitability and any regime requiring "specific consent by the consumer": a push to the principal's wallet renders the regime-specific disclosure (SECCI, IPID, suitability summary) and the principal taps confirm before the regime engine fires. Generic agentic checkout cannot enforce this. We can — and that is what makes the receipt regulator-grade.
A W3C Verifiable Credential issued by IDCanopy per transaction. BBS+ signed for selective disclosure. One receipt carries mandate proof, regime compliance, decision evidence, and a revocation handle. Regulators bookmark one URL.
A verifier can check consent.humanConfirmed = true without ever seeing the principal DID: GDPR data-minimisation by construction, not by policy.
Regime templates: ccd2_credit · psd3_payment · idd_insurance · mifid_suitability · procurement · subscription
Four payment-side protocols launched in Q1 2026. None of them cover disclosure, specific consent, creditworthiness or suitability. IDCanopy stays neutral on the rail and owns the compliance layer above.
Vouched's MCP-I framework (donated to DIF, March 2026) defines three tiers for agent identity. Picking the right tier is a one-shot decision — too low and regulated regimes reject us, too high and we chase a governance framework that doesn't exist yet.
L1. Bearer-token agent authentication. Fine for consumer retail; cannot prove a delegation chain. Regulated regimes reject it.
L2. Agents carry DIDs. Mandates are Verifiable Credentials. Delegation chain cryptographically verifiable, end to end. Interoperable with AP2, OpenID4VP, EUDI Wallet. This is the v1 tier.
L3. Adds key rotation, attestation lifecycle, formal accreditation, external audit bodies. Governance framework forming at DIF now — not stable for v1.
Operator registry has version + lifecycle fields ready for accreditation events. Agent attestations are structured for external auditor verification. HSM-backed key infrastructure supports lifecycle events. Audit log captures everything an L3 audit body would want. When DIF crystallises L3, our migration is configuration, not rebuild.
Mandate VC · disclosure rendering · human-in-the-loop gate · regime engine · receipt · revocation. Build the infrastructure once, add a regime template per vertical. No architectural change. This is what makes "the next decade of compliance primitives" concrete, not hand-waving.
First vertical. CCD2 consent layer is the reference deployment. Per-purchase specific consent + creditworthiness + audit-grade receipt.
IPID disclosure, suitability, demands-and-needs test. Agent-mediated comparison + bind use case crystallising fast.
Internal delegation: employee → agent under policy. Purchase approval ceilings, CSRD category tagging, SOX-compatible audit trail.
Adapter-ready in v1.1. Mandate-based SCA exemption schema designed to align with expected EBA guidance.
Agent-led signup with explicit renewal + cancellation mandate ceilings. Auto-renewal dark-pattern alignment.
Suitability assessment as a regime template. Reasoning-chain requirements fit the KYA receipt model natively.
KYA is a horizontal pattern — disclosure, specific consent, a human-in-the-loop gate where the regime demands it, a regime-specific decision step, and a cryptographic receipt that survives audit. Reusability across verticals only holds if the first regime is a hard one. Directive (EU) 2023/2225 (CCD2) is the hard one. Application date 20 November 2026 [Directive (EU) 2023/2225, Art. 48; OJEU 30 Oct 2023], live enforcement teeth under Directive 2020/1828, and — critically — silent on who or what initiates the transaction. The obligations hold whether a human clicks, an agent routes, or a wallet presents. That is why CCD2 is the forcing function for KYA, not just the first regime KYA happens to cover. What follows is the regime walked through as the design constraint for a KYA-ready orchestration layer. Primary-source citations at first mention.
CCD1 (2008/48/EC) carved out short-term, low-value, no-interest credit. BNPL grew into that exemption. CCD2 closes it [Directive (EU) 2023/2225, Recitals 15–16, Art. 2]. In scope: BNPL Pay-in-3 / 4 and 6 / 12 / 24-month plans; consumer credit up to €100,000 (CCD1 covered only €200–€75,000; CCD2 removes the floor and raises the ceiling); revolving, credit cards with deferral, overdraft; P2P consumer lending and crowdfunding credit; consumer leasing with purchase option or acquisition obligation. Pure operational leasing stays out [Art. 2(2)(d)]. The "large online supplier, no-interest, no-fee credit" CCD1 carve-out is materially narrowed [Art. 2(2)(h)].
Design implication. Multi-product scope, not BNPL-only. A layer that reasons only about BNPL rebuilds within twelve months. The v1 consent envelope carries a product_mode field — BNPL, instalment credit, leasing with purchase option, revolving, overdraft, P2P — from the first commit, with per-mode policy bands. One orchestration layer serves six verticals (see §07), not six products.
Pre-contractual disclosure (Arts. 10–12). The updated SECCI on durable medium, sufficiently in advance, with CCD2 APR, schedule, total cost, warnings, withdrawal right, and data-protection information. Digital delivery is permitted. Adequate explanation (Art. 12) requires explaining the agreement in enough depth for the consumer to judge appropriateness.
Creditworthiness (Art. 18). The centre of gravity. Assessment must rest on relevant, sufficient, proportionate information, verified where necessary through independently verifiable documentation. Pure behavioural scoring is specifically insufficient. If assessment is negative, the creditor shall not grant the credit; Art. 18(6) creates liability for granting credit the consumer could not plausibly repay. Automated adverse decisions carry human-review rights (GDPR Art. 22). Re-assessment is mandatory on material changes.
Consent (Art. 18 read with GDPR Arts. 6, 9). Specific to the assessment at hand — blanket authorisation does not satisfy CCD2. Freely given; bundling creditworthiness consent with marketing consent is prohibited. Each fresh assessment implies a fresh consent object. The consumer retains the right to know what was accessed, from where, with what consequence, and to contest.
Enforcement (Arts. 37–46 + Directive 2020/1828). BaFin, FMA, ACPR, Banca d'Italia gain supervisory powers. BaFin precedent under CCD1 sits in the €250k–€5M band for material violations. Contract-voiding and interest reclaim are available to consumers. CCD2 breaches are representative-action-eligible under 2020/1828 — a new vector most BNPL legal teams are underweight on.
Design implication. Each obligation maps to receipt fields. Disclosure → consent.secciAcknowledged, consent.withdrawalRightNotified. Creditworthiness → decision.article18Applied, decision.evidenceIds, decision.reasoningChainHash. Consent → consent.receiptId, consent.humanConfirmed, consent.confirmedAt. Enforcement → cryptographic proof, revocation.statusListUrl, public verify-receipt endpoint. The receipt is the evidence base a regulator, counterparty, or plaintiff queries directly.
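The receipt described above (one signed artefact carrying mandate proof, consent fields, decision evidence and a revocation handle, with selective disclosure so a verifier sees consent.humanConfirmed without the principal DID) can be sketched end to end. The block below is an added example, not IDCanopy's code and not the W3C VC / BBS+ format the page specifies: it substitutes the salted-digest pattern used by SD-JWT (one commitment per claim, one signature over the sorted digests) and an HMAC stand-in for the issuer signature so that it runs on the Python standard library alone. The DIDs, field names beyond those the page lists, status-list URL and index, and the evidence identifiers are constructed placeholders. The property demonstrated is the page's: a counterparty or regulator verifies the revealed fields and the revocation status without learning the hidden ones, and any tampered or undisclosed-but-forged claim fails verification.

```python
"""Hash-based selective-disclosure receipt (illustrative, not IDCanopy code).

Stand-ins: HMAC-SHA256 replaces the issuer's BBS+ signature (so the verifier
here shares the key; a real deployment uses an asymmetric signature and the
verifier holds only the issuer's public key). Claim commitments follow the
SD-JWT salted-digest pattern rather than BBS+ proofs.
"""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)   # placeholder issuer key, generated per run
STATUS_LIST_URL = "https://issuer.example/status/1"   # constructed placeholder


def _canon(obj) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(salt: str, name: str, value) -> str:
    """Commitment to one claim; the salt stops dictionary attacks on small domains."""
    return hashlib.sha256(_canon([salt, name, value])).hexdigest()


def reasoning_chain_hash(steps: list[str]) -> str:
    """decision.reasoningChainHash: the engine's steps committed to, not disclosed."""
    return hashlib.sha256("\n".join(steps).encode()).hexdigest()


def issue_receipt(claims: dict, status_index: int):
    """Mint the receipt. Returns (signed receipt, holder-side disclosures).

    The receipt itself carries only claim digests plus public metadata, so
    handing it to a regulator reveals nothing until disclosures are attached.
    """
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        digests.append(_digest(salt, name, value))
    digests.sort()  # order carries no information about claim names
    payload = {
        "issuer": "did:web:issuer.example",            # placeholder
        "regime": "ccd2_credit",
        "claimDigests": digests,
        "revocation": {"statusListUrl": STATUS_LIST_URL, "statusListIndex": status_index},
    }
    signature = hmac.new(ISSUER_KEY, _canon(payload), "sha256").hexdigest()
    return {"payload": payload, "signature": signature}, disclosures


def present(disclosures: dict, reveal: list[str]) -> dict:
    """Holder (wallet or agent) chooses which claims the verifier gets to see."""
    return {name: disclosures[name] for name in reveal}


def verify(receipt: dict, presented: dict, revoked: frozenset = frozenset()):
    """Return the revealed claims if signature, commitments and status all check; else None."""
    payload = receipt["payload"]
    expected = hmac.new(ISSUER_KEY, _canon(payload), "sha256").hexdigest()
    if not hmac.compare_digest(expected, receipt["signature"]):
        return None                                    # forged or altered receipt
    if payload["revocation"]["statusListIndex"] in revoked:
        return None                                    # revoked mandate: cached copy rejected
    committed = set(payload["claimDigests"])
    revealed = {}
    for name, (salt, value) in presented.items():
        if _digest(salt, name, value) not in committed:
            return None                                # claim not in the signed receipt
        revealed[name] = value
    return revealed


def demo():
    """Issue a CCD2 receipt, reveal only the compliance fields, verify, then revoke."""
    claims = {
        "mandate.principalDid": "did:example:principal-0001",      # placeholder
        "mandate.agentDid": "did:example:agent-0001",              # placeholder
        "consent.secciAcknowledged": True,
        "consent.withdrawalRightNotified": True,
        "consent.humanConfirmed": True,
        "consent.confirmedAt": "2026-11-21T09:14:00Z",
        "decision.article18Applied": True,
        "decision.evidenceIds": ["bureau:ex-1", "ob:ex-1"],        # placeholder ids
        "decision.reasoningChainHash": reasoning_chain_hash(
            ["band=instalment", "evidence=bureau+open_banking", "affordability=pass"]),
    }
    receipt, disclosures = issue_receipt(claims, status_index=42)
    shown = present(disclosures, ["consent.humanConfirmed", "decision.article18Applied"])
    return receipt, disclosures, verify(receipt, shown), verify(receipt, shown, frozenset({42}))


if __name__ == "__main__":
    _, _, ok, revoked = demo()
    print("revealed:", ok)
    print("after revocation:", revoked)
```

The holder-side split matters for the liability matrix later on the page: a forged mandate fails the commitment check, a revoked mandate fails the status-list check, and neither failure requires the verifier to see the principal's identity.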
As of April 2026: France transposed September 2025 [Ordonnance n° 2025-…, Journal Officiel]. Germany passed 17 April 2026 [Bundestag, Verbraucherkreditrichtlinien-Umsetzungsgesetz; Bundesrat expected May]. Austria, Italy drafting through Q2/Q3 2026. Spain, Netherlands, Belgium in draft or consultation. Application is 20 November 2026 across all of them.
Cross-border merchants face a window where the application date is fixed but national rulebooks are not. That asymmetry is the buying trigger. Waiting for clarity means the penalty surface goes live in the first enforcing market before the vendor has shipped.
Design implication. National rules are configuration, not code. SECCI templates, product-band thresholds, consent-copy phrasing, bureau permissible-purpose language, and open-banking consent scope vary by market. Market is an envelope dimension from day one — tenant_hierarchy resolves to a market, market resolves to a rulebook — exactly like product_mode resolves to a policy band.
Art. 18 requires depth proportionate to the nature, value, duration, and consumer risk of the credit. A €50 Pay-in-3 does not need what a €5,000 24-month loan needs — but neither runs on nothing. Proportionality is a policy decision, not a runtime judgment. Bureau-only may satisfy Art. 18 for a clean-file, micro-ticket, short-duration case; it will not satisfy a larger, longer, thin-file, or stacking-prone one. The regime demands a written product-band policy [NEEDS SOURCE for any national-authority prescription of specific thresholds; principle comes from Art. 18, not regulator-set numbers].
Design implication. The layer's value is not the bureau call or the open-banking call. It is the policy engine that selects the right evidence provider for the product band, the consent object that binds the selection to the consumer's specific authorisation, and the receipt that proves both were correct at the decision moment. Consent, policy, evidence-provider selection, receipt — the Orchestration Layer shape.
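The envelope dimensions introduced above (product_mode resolving to a policy band, market resolving to a rulebook, proportionality decided as written policy rather than at runtime) are what a policy engine has to encode. The block below is an added example, not IDCanopy's engine: every threshold, provider name, rulebook entry and market is a hypothetical placeholder, because the page is explicit that Art. 18 supplies the proportionality principle and no regulator-set numbers. It shows the shape: scope gate first (operational leasing and the €100,000 ceiling exit before any evidence is requested), then market to rulebook, then product band plus risk triggers to an ordered evidence-provider list, with the reasons recorded so they can be hashed into the receipt.

```python
"""Product-band policy engine (illustrative, not IDCanopy code).

All thresholds, providers and rulebook contents are HYPOTHETICAL placeholders.
CCD2 Art. 18 sets proportionality as a principle; the numbers here are invented
to show where a written product-band policy would plug in.
"""
from dataclasses import dataclass
from enum import Enum


class ProductMode(str, Enum):
    BNPL = "bnpl"
    INSTALMENT = "instalment_credit"
    LEASING_PURCHASE_OPTION = "leasing_purchase_option"
    LEASING_OPERATIONAL = "leasing_operational"   # out of CCD2 scope, Art. 2(2)(d)
    REVOLVING = "revolving"
    OVERDRAFT = "overdraft"
    P2P = "p2p"


@dataclass(frozen=True)
class Envelope:
    product_mode: ProductMode
    market: str            # ISO 3166 country code, resolved to a rulebook
    amount_eur: float
    term_months: int
    thin_file: bool = False
    stacking_signal: bool = False
    adverse_bureau: bool = False


@dataclass(frozen=True)
class EvidencePlan:
    in_scope: bool
    providers: tuple       # ordered evidence providers to call
    rulebook: dict         # market-specific configuration
    reasons: tuple         # why this band was chosen; feeds the reasoning-chain hash


# Hypothetical per-market rulebooks: national transposition differences are configuration.
RULEBOOKS = {
    "DE": {"secci_template": "secci_de_v1", "bureau_purpose": "creditworthiness_assessment",
           "ob_scope": "balances+transactions_90d"},
    "FR": {"secci_template": "secci_fr_v1", "bureau_purpose": "evaluation_solvabilite",
           "ob_scope": "balances+transactions_90d"},
}

# Hypothetical micro band per mode: (max amount EUR, max term months) under which a
# clean file may run bureau-only. Modes absent here always add open banking.
MICRO_BAND = {
    ProductMode.BNPL: (250.0, 3),
    ProductMode.INSTALMENT: (500.0, 6),
}

CCD2_CEILING_EUR = 100_000          # Art. 2(2)(c)
CCD2_MODES = frozenset(m for m in ProductMode if m is not ProductMode.LEASING_OPERATIONAL)


def resolve_rulebook(market: str) -> dict:
    """Market is an envelope dimension; an unconfigured market is a hard failure, not a default."""
    try:
        return RULEBOOKS[market]
    except KeyError:
        raise ValueError(f"no rulebook configured for market {market!r}") from None


def select_evidence(env: Envelope) -> EvidencePlan:
    """Scope gate, then rulebook, then band + triggers -> ordered provider list."""
    if env.product_mode not in CCD2_MODES:
        return EvidencePlan(False, (), {}, ("outside CCD2 scope (Art. 2(2)(d))",))
    if env.amount_eur > CCD2_CEILING_EUR:
        return EvidencePlan(False, (), {}, ("above EUR 100,000 ceiling (Art. 2(2)(c))",))
    rulebook = resolve_rulebook(env.market)

    providers = ["bureau"]           # bureau is the floor in every band
    reasons = []
    max_amount, max_term = MICRO_BAND.get(env.product_mode, (0.0, 0))
    if env.amount_eur > max_amount or env.term_months > max_term:
        reasons.append("ticket or term above micro band")
    for flag, label in ((env.thin_file, "thin file"),
                        (env.stacking_signal, "stacking signal"),
                        (env.adverse_bureau, "adverse bureau data")):
        if flag:
            reasons.append(label)
    if reasons:
        providers.append("open_banking")   # policy-triggered verified-income evidence
    else:
        reasons.append("clean file inside micro band: bureau-only")
    return EvidencePlan(True, tuple(providers), rulebook, tuple(reasons))


if __name__ == "__main__":
    for env in (Envelope(ProductMode.BNPL, "DE", 50.0, 3),
                Envelope(ProductMode.INSTALMENT, "FR", 3000.0, 18),
                Envelope(ProductMode.LEASING_OPERATIONAL, "DE", 9000.0, 36)):
        print(env.product_mode.value, select_evidence(env))
```

Note that the triggers are additive on top of the band: a €50 Pay-in-3 with a thin file still escalates, which is the page's point that proportionality scales with consumer risk as well as ticket size.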
Regulation (EU) 2024/1183 (eIDAS2) obliges member states to offer a European Digital Identity Wallet. Germany launches 2 January 2027 in production; others pilot through 2026–2027. A 2026-compliant CCD2 flow cannot assume a wallet is present. Wallets become baseline through 2027–2028 as issuance matures.
Design implication. Wallet mode is additive. The evidence-provider abstraction that routes to bureau and open-banking today accepts future EUDI/QEAA credentials as a provider upgrade — same session API, same receipt format, stronger provenance underneath — without re-contracting with PSPs, aggregators, or merchants. This makes "ship by the deadline and absorb wallets as they arrive" an engineering claim, not a roadmap hedge.
The directive assumes the consumer is the actor and does not mention agents. A conservative reading: an agent cannot receive SECCI and give specific consent on behalf of a consumer for CCD2 purposes. Art. 5 specifies the consumer receives the information; Art. 10's "in good time before the consumer is bound" implies human reading time; recital language on "informed decisions" has historically been read as human cognition.
That does not kill agentic commerce for regulated credit — it shapes it. The workable flow is agent-prepared, human-confirmed: the agent assembles the transaction, presents SECCI for fresh specific human confirmation in the wallet or equivalent durable-medium channel, then triggers creditworthiness and receipt. One cryptographic artefact captures agent identity, operator identity, mandate scope, human confirmation, and decision reasoning.
The directive therefore requires the human-in-the-loop gate that separates regulated KYA from generic agentic checkout. KYA is a v1.1 commercial line, but the v1 receipt must be agent-consumable unchanged so an MCP tool in 2027 reads it without reissue.
Primary sources. Directive (EU) 2023/2225 (EUR-Lex CELEX 32023L2225); German transposition (Bundestag, 17 April 2026); French Ordonnance n° 2025-…, Journal Officiel; forthcoming EBA guidelines on creditworthiness assessment. Nothing in this section is legal advice.
KYA is a horizontal trust layer. It ships in verticals. A regulatory deadline decides which vertical ships first. CCD2's 20 November 2026 application date [Directive (EU) 2023/2225, Art. 48] forces four product modes into the same compliance envelope at the same moment. One orchestration layer, four product modes — this is what the KYA pattern looks like when the regulation lands.
These are verticals where the KYA pattern ships first because a regulatory deadline forces the buy — not market segments picked for growth. CCD2 is the first forcing function; IDD, MiFID II suitability, PSD3 agent mandates, and EU AI Act deployer obligations follow on their own clocks. All four share one orchestration layer, one consent envelope, one receipt schema — they differ in product mode, evidence depth, buyer persona, and commercial band.
Scope. Short-term deferred-payment credit where the consumer owes more than 40 days after delivery, regardless of interest [Art. 2, closing CCD1 Art. 2(2)(f)]. Pay-in-3, Pay-in-4, 6 / 12 / 24-month BNPL, whether the provider is the creditor or the merchant grants credit directly.
Who feels the deadline first. The long tail of EU-local and niche BNPL providers. Tier-1 players have been building since 2023 and reach 20 November 2026 with some compliance stack, however uneven. The long tail either builds in-house under time pressure without primitives or buys a layer designed against the directive. Merchants carrying BNPL in checkout share the exposure — the "which of us is liable" question between merchant and BNPL provider is genuinely unclear in many contracts.
Why they cannot wait. Application date is locked; national rulebooks are moving (Germany transposed 17 April 2026, France September 2025, Austria and Italy drafting through Q2/Q3 2026). Waiting for clarity means missing the deadline in the first market that enforces.
What breaks. Supervisory penalties under national law (BaFin precedent sits in the €250k–€5M band for material violations). Contract-voiding and interest reclaim. Representative-action exposure under Directive 2020/1828. Public-enforcement reputational damage.
KYA pattern fit. Highest-volume product mode in v1. Bureau-default with policy-triggered open-banking access for higher-assurance flows — thin files, large tickets, stacking signals, adverse bureau data — inside a single consent envelope.
Scope. Consumer credit agreements up to €100,000 (CCD2 removes CCD1's €200 floor and raises the ceiling from €75,000) [Art. 2]. Practical KYA-layer band: €1,000–€5,000 over 3–24 months — the range where point-of-purchase instalment financing is live at electronics retailers, home-improvement, automotive aftermarket, travel, and health.
Who feels the deadline first. Point-of-sale lenders, consumer-finance arms of banks, and PSPs whose merchant book carries instalment financing. The buyer is often not the BNPL product manager — it is the consumer-finance PM or credit-product PM. Different budget, different risk committee, same underlying regime.
Why they cannot wait. Art. 18 bites harder at larger tickets and longer durations. Proportionality supports bureau-only for micro-ticket clean-file cases; it does not support it for a €3,000 18-month agreement. Verified income evidence — policy-triggered open-banking access ahead of wider EUDI/QEAA — is the defensible default. Building that plumbing per-merchant against the deadline reliably misses a November go-live.
What breaks. BNPL enforcement surface plus sharper Art. 18(6) liability on individual decisions. A €5,000 18-month credit granted to a consumer who could not plausibly repay is a clean private-right-of-action claim. Class-action surface under 2020/1828 for systemic under-assessment. Supervisory attention tracks ticket size.
KYA pattern fit. Same orchestration layer as BNPL. Different product mode, different policy band — open-banking-first or bureau-plus-open-banking-on-trigger under the Art. 18 matrix. BNPL and instalment credit are one platform, two buyer-facing tracks. We do not collapse them. Collapsing them into a single "consumer credit" sell routes past the PM who signs, in both directions.
Scope. Leasing agreements with acquisition obligation or end-of-term purchase option [Art. 2(2)(d)]. Operational leases without acquisition obligation remain out; a KYA layer should not route those through CCD2 unless local counsel marks them in.
Who feels the deadline first. Consumer-leasing operators — automotive lease-to-own and lease-with-option, furniture, consumer electronics subscription-to-own, specialist asset lessors. Longer sales cycles than BNPL, smaller buyer populations, richer existing affordability practice. The question is not whether they assess — it is whether their assessment, consent capture, and receipt documentation are CCD2-shaped under the new regime.
Why they cannot wait. Thinner vendor tooling than BNPL. The market does not yet have a CCD2-aware consent-and-receipt layer built against leasing-specific SECCI and product-mode semantics; internal builds compete against the rest of the roadmap. Deadline is the same 20 November 2026.
What breaks. Contract-voidability is sharper because individual lease values are higher. Class-action exposure through 2020/1828. Supervisors concentrate attention where ticket sizes are visible.
KYA pattern fit — narrow-scope, design-partner framing. Declared in v1 as a separate product_mode with its own policy band and SECCI template, open-banking-heavy by default. Explicitly narrow-scope, design-partner, not mass-market. Validation runs parallel to the anchor BNPL deployment. Strong design-partner signal moves leasing into 2026 shipping scope; empty signal demotes gracefully to v1.1 roadmap. The architecture accommodates either outcome because product mode is a configuration dimension.
Revolving credit facilities, credit cards with deferral features, overdraft, P2P consumer lending, and credit via crowdfunding service providers are all in CCD2 scope [Art. 2 expansions]. They are continuous-obligation products, not per-transaction products — different consent shape (initial assessment plus mandatory re-assessment on material change), different rhythm of audit evidence. KYA primitives apply; envelope logic does not match BNPL or instalment credit. We name the scope so compliance readers know we see it; v1.1 or later, once per-transaction modes are proven in production.
Every vertical above buys the same primitives under a different regime template: a mandate (direct consumer consent, or an agent-mandate the human confirms at the decision moment); disclosure rendering (SECCI for CCD2; IPID for insurance; suitability summary for MiFID II); a human-in-the-loop confirmation where the regime requires it; evidence-provider selection driven by a product-band policy; a signed receipt with provenance fields a regulator, counterparty, or plaintiff can verify; revocation and audit infrastructure treating every receipt as independently verifiable.
The deadline is not why this layer is worth building. The deadline is why it gets bought first. The pattern — regulated trust where both humans and agents initiate transactions — is why the same layer still matters on 21 November 2026.
Anyone can spin up an agent. Only operators who pass IDCanopy's KYB-grade registration can transact through the layer. Counterparties get assurance every agent reaching them is accountable to a real legal entity. First-mover advantage compounds fast on both sides of the network.
Counterparty general counsel asks: if an agent transacts through your layer and something goes wrong, who pays? This is the matrix.
| Scenario | Primary liability | IDCanopy exposure |
|---|---|---|
| Agent acts within mandate, principal disputes as buyer's remorse | Principal | None — receipt proves authorisation |
| Agent acts outside mandate, our layer correctly rejects | None | None — system worked |
| Agent acts outside mandate, our layer fails to reject (bug) | IDCanopy (per SLA) | Capped per DPA |
| Mandate forged | Wallet provider | None |
| Mandate revoked but agent's cached copy presents | Operator | None — status list honoured |
| Bureau returns wrong decision | Bureau | None |
| Reasoning chain insufficient under regime audit | Counterparty (creditor/insurer) | Capped — we provide compliant template |
| GDPR breach in our infrastructure | IDCanopy | Capped per DPA |
PSD3 (Directive + PSR Regulation) is in trilogue early 2026. Expected adoption late 2026, transposition mid-2028. IDCanopy's KYA layer must be PSD3-aware — not retrofit.
Mandate-based exemptions formalised. Our receipt format is designed to satisfy the expected exemption schema.
Bureau orchestration extends to open-finance sources. Our adapter pattern already supports this.
Schema may diverge from our VC mandate — track ECB/EBA drafts and align before finalisation.
EBA guidance expected late 2026. Position our receipt as the reference; engage EBA during consultation windows now.
Sharper PSP/ASPSP/consumer split. SLA + DPA to be updated at PSD3 transposition.
Reinforces the specific-consent requirement that already drives our human-in-the-loop gate design. Already aligned.
A general KYA strategy stands on its own architectural merit, independently of any single client deal. Five compounding claims — each with concrete actions behind it.
Defined product layer with first-mover positioning, working reference deployment (CCD2 reference deployment), standards-body engagement — components that compound across whatever commercial path follows.
From "KYC vendor" to "trust infrastructure for the agentic economy". Category creation, not just product addition.
Five-piece thought-leadership series built into the strategy: concept, mandates-as-login, regulated KYA, operator registry, adapter playbook. Content-OS friendly.
DIF · OpenID · EBA consultations. Regulator positioning, counterparty trust.
Operator registry as the network effect. 12–18 month window before Sumsub, Trulioo or Signicat assemble their version. Time-bounded, real.
External verification pass on open questions. DIF Trusted AI Agents WG + OpenID + EBA consultations. Operator registry MVP on its own delivery timeline. Five-piece content series on idcanopy.com. Per-vertical playbooks as opportunities crystallise.
Partnership discussions on KYA / KYARA, Namirial-anchored deployments, scoping a regulated agentic-commerce engagement, or extending the architecture into a vertical use case — open the conversation with IDCanopy.