Home
News
Details

Tiger Research: KYA Standards Emerge as AI Agents Enter the Era of Autonomous Transactions

icon MarsBit
Share
Share IconShare IconShare IconShare IconShare IconShare IconCopy
AI summary iconSummary

expand icon
AI and crypto news highlights the rise of KYA standards as AI agents begin conducting autonomous transactions. On-chain updates report that AI agents can now sign contracts, make payments, and execute trades. However, verifying the identity of the counterparty remains a challenge. KYA is becoming essential in A2A interactions, where traditional KYC falls short. ERC-8004, Visa TAP, Trulioo, and Sumsub are competing to establish identity verification standards. Regulatory bodies in the EU, U.S., and Singapore are focusing on agent identity management, mirroring the impact of the FATF Travel Rule on crypto exchanges in 2019.

This report is written by Tiger Research. AI agents can now sign contracts, make payments, and execute trades on their own. But one problem remains unsolved: how do you know who the other agent really is? This article examines the differing strategies of four key players in the KYA standards debate and where regulation currently stands.

Key Points

  1. AI agents are entering an era of autonomous contract execution, payments, and transactions, but there is still no universal standard for identity verification. In A2A (agent-to-agent) scenarios, KYA is beginning to receive more attention than KYC.
  2. KYA isn't needed everywhere. On centralized platforms like Google, OpenAI, and Coinbase, existing KYC is sufficient. KYA is truly required when independently deployed agents connect to DEXs, A2A payments, or merchant payments.
  3. The standard war has begun. ERC-8004, Visa TAP, Trulioo, and Sumsub are each entering from four distinct directions: on-chain, payment networks, compliance verification, and risk detection—with entirely different approaches.
  4. Regulation has already moved. The EU AI Act, the U.S. NIST, and Singapore’s national framework have all prioritized agent identity management. In 2019, the FATF Travel Rule determined which crypto exchanges survived—KYA is likely to follow the same script.

1. Why now?

KYC has reshaped that layer of finance

Before 1989, there was no global standard for financial identity. This gap made it difficult to trace the origins of drug money and illicit funds. That year, the FATF was established, making KYC a mandatory requirement in the financial industry and keeping illegal funds at bay.

Over the next three decades, the impact of KYC expanded layer by layer. After 9/11 in 2001, anti-terrorism financing provisions were added, and the U.S. Patriot Act elevated KYC to a legal requirement. In the 2010s, EU AMLD, Basel III, and FATCA were gradually implemented, enabling automatic cross-border exchange of KYC information. In 2019, the FATF Travel Rule extended KYC to virtual asset service providers.

KYC

Each extension fills a gap.

Without an agent identity, the system is regressing.

Back to the present. AI agents can sign contracts, make payments, and execute trades without human supervision, but no one can verify their identity.

In an A2A environment, responsibility is unclear—no one can say who to hold accountable when issues arise. Users are also easily exposed to money laundering and various types of scams.

Comparing the financial system before 1989 with the agent market in 2026 reveals striking structural similarities. Back then, anonymous accounts moved across borders; today, unverified agents transact A2A. Then, verification responsibility rested with each individual bank; now, it rests with each individual platform. No common standards exist in either case.

KYC

This similarity is not a coincidence—it’s a pattern. Technology has moved ahead, but the identity layer hasn’t caught up.

What is KYC?

KYA (Know Your Agent) is a trust mechanism that verifies the source, permissions, and accountability of agents in advance.

Skipping this step exposes three risks simultaneously. First, unauthorized transactions: users authorize only payments, but agents move assets or sign contracts outside their scope. Second, identity spoofing: malicious agents impersonate legitimate ones to hijack payments, forge responses, and steal reputation. Third, accountability vacuum: after an incident, agents, developers, and principals blame each other, making compensation impossible to pursue.

KYC

KYA locks down these three things in advance: pre-register and verify permission scopes, and block any unauthorized actions outright. Verify identity and origin to allow only legitimate agents to enter. Each agent’s origin and principal are bound to the records, enabling traceability in case of incidents.

2. Where must KYA operate?

Not everywhere needs it.

Centralized platforms don’t really need KYA. Once users complete KYC and the platform itself provides backing, the entire process is closed-loop.

The open environment outside the platform is where KYC is needed. The agent must interact with DEXs, perform A2A payments, and pay merchants. At this point, no one is there to back it up or guarantee it.

For example, within a country, an ID card (KYC) is sufficient. But once you cross the border (leave the platform), the environment changes—you must undergo inspection at immigration (KYA) to explain your purpose and establish credibility.

Four-step process

The operation of KYA can be broken down into four steps. The first two steps are "passport issuance": register the agent’s identity and permissions, then issue a digital passport upon verification. The last two steps are "border control": confirm the other party’s identity when a transaction occurs, then update the records based on the transaction outcome.

KYC

Identity is not issued once and valid forever; it is re-verified for each transaction.

3. Four players are competing for the standard

There are currently four players in the standards battle, each with entirely different paths.

ERC-8004: Turning identity into an NFT

ERC-8004 follows a purely on-chain approach. It adds an identity layer on top of ERC-721, minting one NFT per agent as a unique identifier.

It is supported by three on-chain registries. Identity handles "who this agent is," using a unique AgentID based on ERC-721. Reputation handles "whether you can transact with it," recording ratings, tags, and evidence on-chain after each transaction. Validation handles "whether the agent actually did that thing," verified by third-party verifiers using plugins such as zkML and TEE.

KYC

This structure is not the first of its kind in Ethereum's history. ERC-20 standardized token issuance, with USDT, USDC, UNI, and AAVE all built on top of it. ERC-721 standardized NFT issuance, with CryptoPunks, BAYC, and ENS supporting the entire NFT market. ERC-8004 is set to play the same role as the third standard.

Visa TAP: Package with a payment network

Visa’s approach is completely different. It issues agents an identity credential (Agent Intent), essentially a key card. Without this key, an agent cannot even initiate a transaction. Visa pre-approves the request before issuing the key, and every transaction must include a signature for the merchant.

The merchant receives not one signature, but three. Agent Intent proves the agent’s legitimacy, endorsed by a key approved by VIC. Consumer Recognition indicates who the agent is acting for by transmitting the user identifier to the merchant. Payment Information provides payment assurance, authenticated using a payment token or hashed card information.

Visa bundled all of this into a larger package called Visa Intelligent Commerce (VIC), which includes TAP, Agent APIs (Visa’s proprietary technology for processing Visa card transactions), Tokenization (tokens specifically designed for AI), and Intelligent Commerce Connect (compatible with competing protocols such as AP2, ACP, and x402).

The logic is clear. Visa seized the entry point of the payment network back then, and now it wants to integrate the agent era into its own system. If agent payments continue to rely on card networks, and this bundle becomes the default option, Visa’s market share will remain secure.

Trulioo: Apply the same SSL setup

Trulioo is a player in the global KYC and KYB compliance space and has now expanded its verification stack to include KYA.

It draws inspiration from the website SSL certificate model, where a Certificate Authority (CA) issues TLS certificates to websites, verifying only the domain. Trulioo’s proposed Digital Passport Authority (DPA) issues Digital Agent Passports (DAP) to agents, verifying developer KYB combined with user KYC.

DAP is not a static certificate. It is a dynamic token that refreshes and revalidates with each transaction. If a delegation is revoked or an anomaly is detected, the DAP is immediately invalidated.

It has five checkpoints: Provenance (who developed it), User Binding (who authorized it), Permission Scope (what actions it can perform), Behavior Telemetry (what it is currently doing), and Risk Scoring (risk rating).

Banks and fintech are legally required to verify the identities of individuals and companies. Once agents enter the financial sector, Trulioo’s KYC and KYB solutions become even more secure.

Sumsub: Monitor for anomalies, do not issue certificates

Sumsub’s approach differs from the first three companies. It does not issue standards or certificates; instead, it re-verifies the individual behind an agent when abnormal transactions occur.

It has been operating compliantly since 2015, and that verification system is now used to detect anomalous behavior by agents. The process has three steps: first, automated detection to distinguish humans from machines using device and agent characteristics; second, risk scoring to assign a risk level based on context, amount, and historical data; and third, liveness verification, which is triggered only for high-risk, large-amount, or critical changes to reconfirm the registered real person.

Sumsub’s four features stand out sharply from those of other players. It starts with compliant operators rather than standards setters. Verification occurs at the time of risky transactions, not during pre-registration. The method involves human re-confirmation, not just data or tokens. Its philosophy ties agents to responsible parties rather than blocking agents outright.

Other players perform one-time identity verification before acting, while Sumsub conducts real-time verification after issuance. As agent permissions expand, anomaly detection becomes increasingly critical. Fraud techniques evolve alongside technology, making Sumsub’s real-time stack worth noting.

4. Before regulations are implemented

FATF Travel Rule script

When the FATF Travel Rule was introduced in 2019, the VASP industry immediately split. Those that could bear the cost of KYC and AML infrastructure survived; those that couldn’t shut down or moved to jurisdictions with lighter regulation. CryptoBridge and Deribit were both forced to adapt during that wave.

Regulation is not the end, but a turning point.

KYA might have the same script this time. The EU, Singapore, and the U.S. are already vying for the lead.

Article 12 of the EU AI Act explicitly requires that behavior logs of high-risk AI systems include operator identity. Singapore has released the world’s first national AI agent governance framework, extending identity management to agents by requiring each agent to have an accountable party. The U.S. NIST has identified AI agent identity management as a priority standard area.

The time window is closing.

There will be no single winner

The real variable in the standards battle is not technology, but combinations. Major players have entered the phase of collaboration and pairing. Who partners with which merchants, payment networks, and KYC customer bases will determine the ownership of each niche market.

This market will not have a single winner.

For on-chain autonomous trading, Ethereum is likely to lead. For payment-linked transaction scenarios, Visa has a clear advantage. In the regulated financial industry, Trulioo’s KYC and KYB capabilities are hard to replace. For transactions with fraud risk, Sumsub’s real-time detection is more suitable.

The four are not direct competitors; each holds its own territory. The real competition lies in which scenarios are assigned to which territory.

KYC has taken thirty years, since 1989, to complete the identity layer of global finance.

This round seems to be moving much faster. Regulators have already acted, major players have positioned themselves, and the window for large-scale deployment may be just the next few years.

By then, the ones that survive won't necessarily be the most technically advanced, but those that integrated identity infrastructure the earliest.

Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.