#64 - 3 Agentic Commerce questions nobody's asking

In recent weeks I’ve been thinking more and more about Agentic Commerce. And not for the first time.

Up till now, everyone - including myself - was talking about the liability framework and agent mistakes. But that’s something for the regulator, not us fraud fighters.

Then I started asking myself: how would I manage it as a fraud fighter? That was a big, floating question mark in my head.

But something changed last week. As I was thinking more about it, that big question mark started to dissolve into many smaller ones.

Questions like “how would X actually work given Y is likely?” started to appear.

I wanted to share with you three questions that I’m currently asking myself and I think any fraud team preparing for Agentic Commerce should too.

So let’s get right into it.

What happens to abandoned step-up flows?

Here’s a thought that sprang into my head as I was reading Grace Wu’s excellent article about Agentic Commerce (sign up for her Substack if you haven’t, it’s really good):

If an OTP is sent and nobody is there to respond to it, was it sent at all?

Think about it: as a user I may want my agent to buy a particular item only when it’s on sale. But what if it goes on sale while I’m asleep, on a plane, or at the dentist’s? The OTP would likely expire.

Of course, this isn’t about OTPs alone, but any 2FA challenge, including 3DS.

So, what can happen?

Option 1 - The OTP expires and the cart is abandoned. Conversion rates take a hit, and both shoppers and merchants are left frustrated.

Option 2 - The OTP response time gets extended, maybe even for bots only (good luck with that). And then what? We give fraudsters more time to insert themselves into the user journey.

Option 3 - We entirely abolish real-time step-up flows, and count on the AI providers to verify the identity and card ownership at signup (good luck with that). And then what? How do we solve ATO or deepfake signup fraud?

I am not sure which of these scenarios would emerge triumphant; it would likely be a combination of all three.

But what is clear is that they all create a meaningful risk of performance degradation.

Would traffic be routed to less safe flows?

According to a recent Capital One study, 85% of mobile shoppers prefer to shop via mobile apps rather than on mobile web.

As you might expect, mobile is the leading channel with 57% of all eCommerce orders. And it’s expected to reach 63% of all orders by 2028.

Why am I throwing all these stats at you?

Well, here’s my thinking: Agentic Commerce is done on web, not on shopping apps. 

This means that mobile Agentic Commerce users would cannibalize what would have likely been an in-app purchase, converting it to a mobile-web one.

And why is that important?

Because mobile-web flows expose less data to merchants than what they could get through their native app.

Is it much worse than “regular” desktop-web? Not necessarily.

Would fraudsters find it a vulnerability to exploit? Not necessarily.

But it does mean that Agentic Commerce would be routed through a channel that offers less data than before. And less data usually means degraded performance.

How would fraud prevention systems break?

This one is less structured, but also the one that concerns me the most.

Payments and fraud prevention systems are a hot mess.

There are multiple roles in the payment flow: merchants, PSPs, acquirers, issuers, processors, and schemes. And each role can be played by multiple actors.

The fraud prevention vendor space is no different, and merchants often need to integrate multiple, different vendors.

Then you have the different flows: by region, payment method, device, and account or guest.

Now take this already often-broken spaghetti and add to it multiple AI providers with multiple AI agents.

Finally, sprinkle on top some urgency as all major players are rushing to be the first to roll out an Agentic Commerce solution.

What can possibly go wrong?

The sad truth is - many things: missing controls, broken data pipelines, monitoring gaps, misbehaving models and rules, outdated policies. Choose your poison.

And it’s all going to be very specific to how each merchant enables Agentic Commerce, and to which payment and fraud vendors they partner with.

It will get messy.

How? It’s anyone’s guess.

Would Agentic Commerce be a hotbed for fraud?

Sure. Like every other newly-launched, under-regulated financial product.

I would be surprised if it isn’t.

It’ll start as a naive, growth-optimized product and soon after we’ll see the pendulum shift to the other side: more friction, less acceptance, and limited experience.

And once things stabilize, the pendulum would swing again. Over and over.

But each time the swings will get smaller.

What can we do about it in the meantime?

Here’s one tip: do not buy into the hype big players are spreading around. Any talk about “secure systems” should not be taken seriously. And there’s plenty of it to spare.

Question everything, assume the worst, and mainly - think about how you’re going to monitor and manage this flow.

It’s coming.

Got concerns of your own? Questions you haven’t seen anyone address seriously? Hit the reply button and please share those. I’m working on a bigger piece and would love to get your thoughts on it.

In the meantime, that’s all for this week.

See you next Saturday.

