Back to Banking Insights

First AI-initiated payment in Spain

Latinia Latinia
14 de July de 2026 6 min read

Pago con IA en España

CaixaBank, BBVA, Bankinter and Abanca. The consent challenge

The first payment initiated by an AI agent in European banking is now a reality. The question it raises is not whether the technology works —it does— but how the bank confirms, at the exact moment, that it was really its customer behind that order.

A customer asks their AI assistant to book a flight and buy a suitcase before the trip. The agent searches, compares, chooses and pays. The transaction runs on the customer’s card, over the merchant’s usual systems, without anyone typing a number or pressing “confirm.” It all happens in seconds. And the cardholder finds out they’ve bought something once they’ve already bought it.

This is not a laboratory scenario. In July 2026, BBVA, CaixaBank, Bankinter and Abanca carried out real purchases in Spain made entirely by artificial intelligence agents on behalf of consumers, together with Visa, within the European Visa Agentic Ready programme. The transactions were carried out with real card credentials and at merchants open to the public —lastminute.com, Frasers, Cleverbridge or BrickDepot—, relying on the tokenisation, identity verification and real-time fraud monitoring that already underpin digital payments. And this is neither an isolated case nor a closed demo: it marks the leap from controlled testing to transactions where the agent operates directly with independent merchants. The programme, unveiled at the Visa Payments Forum in Paris, started with 21 institutions and already exceeds 30, with banks such as Commerzbank, HSBC UK, ING, Lloyds, NatWest, Revolut and Klarna.

In a matter of weeks, “an agent will buy for you” has stopped being a conference line and become a recorded transaction. And with it comes a question the industry hasn’t fully resolved: when the party initiating the payment is not a person but an agent acting on their behalf, at what point and through which channel does the bank confirm that the order is legitimate?

The shift in the point of risk

For two decades, digital payment security was built around an implicit assumption: at the end of the chain there is always a person who confirms. The customer enters their credentials, receives an OTP, approves an operation in the app. Authentication was designed to verify a human at the moment of deciding.

Agentic commerce breaks that assumption. The agent decides and executes; the human has delegated. Authorisation stops being a one-off act at the instant of purchase and becomes a framework of permissions defined beforehand: what the agent can buy, up to what amount, in which categories, under what conditions. Security is no longer decided solely in the “is it you?” at the moment of payment, but in consent: did the customer authorise this action, within these limits, and do they know now that it has happened? In the European pilot, that authorisation relies on Visa Payment Passkeys, a mechanism that links each agent-initiated transaction to a verified user and an explicit authorisation, aligned with Europe’s Strong Customer Authentication (SCA). It is proof that consent, not the interface, is the true foundation of this new model.

That shift is precisely the ground where fraud will look for its opening. If an attacker manages to insert instructions into an agent’s flow, manipulate its permissions or impersonate the identity that authorises it, fraud no longer needs to deceive the person: it only needs to deceive the agent acting for them. And the person may not find out until the loss is already done, just as happens today with synthetic identities, which operate without generating a victim who reports in time.

The industry itself is flagging it: the keyword of 2026 is not “AI,” it’s governance.

Agentic payments need consent governance; banking agents need escalation governance. The advantage will not belong to whoever has the most capable agent, but to whoever can demonstrate —to the customer and to the regulator— what was authorised, who authorised it, within what limits and with what result.

Real-time confirmation as a security layer

This is where critical communication stops being the end of the process and becomes part of the security mechanism itself.

When an agent acts on behalf of the customer, the real-time notification serves a function that is no longer merely informative: it is the last line of human control over a chain that has been automated. If, at the instant the agent initiates a purchase —or exceeds a threshold, or operates in a sensitive category— the legitimate cardholder receives an immediate alert through a channel with a verified sender, they have the chance to validate or stop the operation before it materialises. The person re-enters the loop exactly at the point where it matters.

But for that layer to work, not just any notification will do. It has to meet three conditions that define the difference between an alert and a decision:

  • Decided intelligently and in real time. Not every agent action deserves the same response. The Real-Time Decision Engine must interpret the event —amount, context, risk, customer profile— and decide what to communicate, through which channel and under what conditions, in fractions of a second. An alert for every micro-operation creates noise; no alert when it matters creates fraud. Part of that relevance comes from giving the customer control over which alerts to receive, through which channel and under what conditions.
  • Travelling over a verifiable channel. In an environment where AI-powered smishing replicates the tone of any institution with precision, confirming an agentic operation cannot depend on an SMS indistinguishable from the one an attacker sends. Channels with sender verification —RCS, native in-app push— remove that ambiguity: the customer sees the bank’s identity authenticated, and the fake message cannot imitate that.
  • Always arriving. A confirmation that isn’t delivered protects nothing. The resilience of the notification layer —load balancing across providers, real-time failover, automatic channel fallback, managed by the Critical Alerts Engine— has to be resolved before the operation happens, not after. In agentic commerce, the speed of the alert has to match the speed of the machine that acts.

From processing the payment to deciding on it

Agentic commerce is, at its core, the clearest confirmation of an idea we have been holding: banking’s next competitive advantage lies not in processing more operations or sending more notifications, but in applying intelligence to the decision that accompanies each operation.

When an agent pays for the customer, each of those operations becomes a real-time decision point: do I confirm? do I alert? do I escalate to human validation? do I block? It is the Event-to-Decision logic taken to its most demanding expression. The event is no longer generated solely by the customer or the bank’s system: it is generated by an autonomous agent acting on their behalf. And the bank’s response —to communicate, validate, stop— must happen in time, through the right channel and with full traceability, for both security and regulatory compliance.

The banks that emerge stronger from the agentic era will not be the ones that connect agents to their payment rails fastest. It will be those that, in doing so, have built the decision and confirmation layer that guarantees that, behind every automated order, the customer kept control —and the certainty— that it was them.

Because when the agent decides and pays, trust no longer rests on the transaction. It rests on the decision that accompanies it.

At Latinia, we have spent more than 25 years developing technology for managing critical communications in banks across Europe and Latin America. Our Real-Time Decision Engine and our Critical Alerts Engine turn every financial event into a decision that happens on time and securely. If you want to prepare your decision and confirmation infrastructure for agentic commerce, let’s talk.

Related articles

Contact

Tell us about your challenge
Solutions
Technology
Use cases
Resources
Partners
ES EN
Let’s talk