Is KYA required by EU regulation?

KYA is not yet a single codified legal term, but multiple EU regimes already require its components. The EU AI Act, whose high-risk obligations take full effect on 2 August 2026, mandates human oversight, automatic record-keeping (Article 12) and transparency (Article 50) for high-risk and certain AI systems. PSD2 Strong Customer Authentication, the incoming PSD3, DORA third-party risk rules and the MiCA Travel Rule for crypto transfers all push toward verifiable agent identity, authorization chains and tamper-resistant logs. Building KYA now is cheaper than retrofitting it under a deadline.

What does the EU AI Act require for AI agents in payments?

For high-risk AI systems, the EU AI Act requires human oversight (Article 14), automatic and tamper-resistant logging over the system's lifecycle (Article 12), risk management and transparency. Annex III classifies AI used in creditworthiness, fraud detection, AML risk profiling and automated financial decision-making as high-risk. In practice that means a payments operator must be able to reconstruct which agent acted, on whose authority, within what limits, and why — exactly the record KYA produces. Full effect is 2 August 2026.

What is the difference between inbound and internal KYA?

Inbound KYA governs external customer agents that pay you or act on accounts you hold — verifying the agent before it transacts. Internal KYA governs the AI agents your own organization deploys in fraud, KYC, AML, onboarding and financial decisioning — the high-risk systems the EU AI Act regulates directly. Inbound KYA is largely crypto-native or in pilot today; internal KYA is where the regulatory need is immediate.

← Learn

Know Your Agent (KYA) compliance in Europe: EU AI Act, PSD3 and agent-payment liability

Q: What is Know Your Agent (KYA)?

Know Your Agent (KYA) is an identity and authorization framework for AI agents that transact autonomously. Before a payment completes, KYA verifies the agent's identity, the delegation chain from the human or organization that deployed it, the capability boundaries it is permitted to operate within, and produces an audit trail of the decision. KYA extends KYC (Know Your Customer) and KYB (Know Your Business) to the new class of autonomous software actors that neither framework was designed for.

Q: What is the difference between KYC, KYB and KYA?

KYC verifies a human customer's identity. KYB verifies a business entity. KYA verifies an autonomous AI agent: who deployed it, the delegation chain authorizing it to act, the spending and category limits it must stay within, and a record of what it did. KYC and KYB assume a legally responsible person or company behind every action; KYA addresses software that can spin up new identities at zero cost and act without a human in the loop.

Q: What are the four checks in a KYA verification?

1) Identity — the agent has a verifiable on-chain or cryptographic identity (e.g. ERC-8004) bound to its operator. 2) Delegation chain — proof the human or organization authorized this agent to act on its behalf. 3) Capability boundaries — declared and enforced limits on spend per transaction, per day and per category, enforced at the payment layer rather than inside agent code. 4) Audit trail — a tamper-resistant log of identity, authorization and the decision, sufficient to attribute liability if a payment goes wrong.

Q: How does AsterPay implement KYA?

AsterPay runs KYA on every agent payment it facilitates: an open 0-100 trust score across seven components (wallet age, activity, sanctions screening via Chainalysis, ERC-8004 identity, operator KYB, transaction history and an optional trust bond), mapped to five payment tiers with enforced limits. Sanctions screening runs in under 100ms, the Travel Rule is automated for transfers over EUR 1,000, and the KYA v1 schema is published openly so other facilitators and merchants can adopt it as a shared trust language.

By Petteri, Co-founder of AsterPay · Published: 13 June 2026 · Last updated: 13 June 2026 · 10 min read

Answer Know Your Agent (KYA) is an identity and authorization framework for AI agents that transact autonomously. Before a payment completes, KYA verifies the agent's identity, the delegation chain from the human or organization that deployed it, the capability boundaries it may operate within, and produces a tamper-resistant audit trail. KYA is not yet a single codified law, but its components are already required in Europe by the EU AI Act (high-risk obligations take full effect 2 August 2026), PSD2/PSD3, DORA and the MiCA Travel Rule. KYA is to autonomous agents what KYC is to humans and KYB is to businesses.

What is Know Your Agent (KYA)?

Know Your Agent (KYA) is a four-part verification that a payment system runs before authorizing an agent-initiated transaction: identity, delegation chain, capability boundaries and audit trail. It extends the familiar Know Your Customer (KYC) and Know Your Business (KYB) regimes to a new class of actor — autonomous software that can open new wallets at zero cost, act without a human in the loop, and scale activity horizontally faster than any human attacker.

The core shift is the question being asked. KYC asks "who is this person?" KYA asks "what is the operational reputation and authority of this agent?" — is it sanctions-clean, does it have a verifiable identity, did a real principal authorize it, and is it staying inside the limits it was granted.

Why does KYA matter now? The 2 August 2026 deadline

The forcing function is regulatory. The EU AI Act's obligations for high-risk AI systems take full effect on 2 August 2026. The law mandates human oversight for high-risk systems, which in payments effectively requires a human-binding approach to agent authority — exactly what a delegation chain provides. At the same time, US standards bodies are moving: NIST's AI Agent Standards Initiative published a concept paper on agent identity and authorization in March 2026, proposing to adapt OAuth, OpenID Connect and SPIFFE for agents.

The legal analysis is converging on two structural requirements. As Taylor Wessing's February 2026 review of agentic AI in payments noted, regulators will assess liability when agent payments go wrong using authorization chains and transaction logs. Without a KYA record — identity, authorization chain, capability limits — liability defaults to the deploying organization. Building KYA-compliant infrastructure now is materially cheaper than retrofitting it under a deadline.

What is the difference between KYC, KYB and KYA?

Dimension	KYC (customer)	KYB (business)	KYA (agent)
Subject	A human person	A legal entity	An autonomous AI agent
Core question	Who is this person?	Is this business real and beneficially owned by whom?	Who deployed this agent, and what is it authorized to do?
Permissions	Account-level	Account-level	Task-level: spending caps, categories, time limits
Driving regulation	AML/CFT, national financial law	AML/CFT, beneficial-ownership rules	EU AI Act, PSD3, DORA, NIST agent standards (emerging)
Identity lifetime	Long-lived	Long-lived	Can be ephemeral — new wallet at zero cost

Which EU regulations drive KYA?

No single rule says "do KYA," but four regimes each require a piece of it. Together they make KYA the practical way to comply.

EU AI Act — high-risk obligations from 2 August 2026. Article 12 requires automatic, tamper-resistant logging over the system lifecycle; Article 14 requires human oversight; Article 50 sets transparency duties. Annex III classifies AI used in creditworthiness, fraud detection, AML risk profiling and automated financial decisioning as high-risk. (artificialintelligenceact.eu)
PSD2 → PSD3 — PSD2 Strong Customer Authentication assumes a human authorizes each payment; it does not mention AI. PSD3 is expected to start formalizing delegated payment initiation by agents and Strong Customer Authentication for autonomous actors. Until then, fiat-side agent payments still need a human authorization anchor — which a delegation chain records.
DORA — the Digital Operational Resilience Act requires financial entities to manage third-party (including AI) operational risk, which means knowing and governing the agents in your flows.
MiCA Travel Rule — for crypto transfers, originator and beneficiary information must travel with the transaction above threshold. For agent stablecoin payments, that requires identifying the agent and its operator. AsterPay automates the Travel Rule for transfers over EUR 1,000.

What are the four checks in a KYA verification?

A KYA system runs four checks before a payment is authorized. Each maps to a regulatory requirement above.

Identity — the agent has a verifiable identity, ideally on-chain (e.g. ERC-8004) and bound to its operator. This satisfies the "who acted" question.
Delegation chain — cryptographic proof that the human or organization authorized this specific agent to act on its behalf, within stated scope. This is the authorization-chain requirement regulators will test.
Capability boundaries — declared and enforced limits: spend per transaction, per day, per category; allowed counterparties; prohibited actions. Crucially, these are enforced at the payment layer, not inside agent code, so a compromised or misaligned agent cannot exceed them.
Audit trail — a tamper-resistant log of identity, authorization and the decision, sufficient to attribute liability if a payment is later disputed. This is the Article 12 logging requirement.

Inbound KYA vs internal KYA

KYA splits into two deployments, and conflating them is a common mistake.

Inbound KYA — governing external customer agents that pay you or act on accounts you hold. You verify the agent before it transacts. This is largely crypto-native or in pilot today, because fiat-side Strong Customer Authentication still expects a human.
Internal KYA — governing the AI agents your own organization deploys in fraud, KYC, AML, onboarding and financial decisioning. These are the high-risk systems the EU AI Act regulates directly, so the need here is immediate, not future.

AsterPay's KYA is primarily an inbound control: it verifies the paying agent on behalf of the merchant, so the merchant inherits a compliant record without building agent governance themselves.

How does AsterPay implement KYA?

AsterPay runs KYA on every agent payment it facilitates. The model is an open 0-100 trust score across seven components, mapped to five payment tiers with enforced limits:

KYA component	What it checks
Wallet age	Time since first on-chain activity
Wallet activity	Volume and recency of legitimate transactions
Sanctions screening	OFAC / EU / UN lists via Chainalysis, in <100ms
ERC-8004 identity	On-chain agent identity bound to operator
Operator KYB	The company behind the agent has completed KYB
Transaction history	Settlement, dispute and refund rates over the agent's lifetime
Trust bond	Optional posted USDC bond, slashed on confirmed bad behavior

Sanctions screening runs on every transaction, the Travel Rule is automated for transfers over EUR 1,000, and the seven-component breakdown doubles as the explanation required under the EU AI Act's transparency duties. The KYA v1 schema is published openly at /.well-known/kya-schema-v1.md so other facilitators and merchants can adopt it as a shared trust language — the way FICO became a default credit-score language without being owned by a single bank. The full scoring rubric and tier limits are in What is KYA (Know Your Agent)?

How do I check an agent's KYA score?

A free, unauthenticated GET request returns the score, tier, component breakdown, sanctions status and recommended limits:

curl https://x402.asterpay.io/v1/agent/trust-score/0xYourAgent

{
  "score": 72,
  "tier": "trusted",
  "blocked": false,
  "sanctions": { "clean": true, "provider": "chainalysis" },
  "limits": { "maxPerTx": 5000, "maxDaily": 25000 }
}

Check any agent's trust score

Run a KYA trust-score lookup on any wallet address — free, no signup, no auth.

Open the KYA API docs →

Petteri Co-founder of AsterPay (AELIRA LTD). Building the EU-regulated trust and EUR-settlement layer for AI agent commerce, including the open KYA framework. @Asterpayment