Stripe launched Machine Payments Protocol in March 2026. AI agents can now make autonomous payments. But here's what nobody built: AML screening for agents.
When a human pays someone, the bank checks sanctions lists. When an AI agent pays someone -- nothing. The agent has an API key and it pays whoever it wants. No KYC. No sanctions check. No Travel Rule.
We just changed that.
The Problem
An AI procurement agent operating for a UK company is authorised to buy cloud services. It has a $5,000/day spending limit. It's trusted.
Today, nothing stops that agent from:
- Paying a sanctioned Russian bank
- Transferring funds to an entity on the OFAC SDN list
- Making payments to recipients in Iran, North Korea, or Syria
- Structuring transactions to avoid reporting thresholds
The agent's API key works everywhere. Sanctions are meaningless to a machine that doesn't check them.
What We Built
AgentPass now screens every agent payment against 75,784 live sanctions entries in real time:
- UK HMT Sanctions List (FCDO) -- 57,197 entries
- OFAC SDN List (US Treasury) -- 18,587 entries
- Sanctioned country blocking -- Iran, Russia, North Korea, Syria, Cuba, Belarus, Myanmar, and others
The screening happens before the payment touches any payment network. Not after. Before.
```bash
# Screen any entity in one call
curl https://agentpass.co.uk/api/sanctions/screen/SBERBANK
```

```json
{
  "status": "HIT",
  "matchCount": 26,
  "matches": [
    {
      "name": "PJSC SBERBANK",
      "source": "UK_HMT",
      "regime": "The Russia (Sanctions) (EU Exit) Regulations 2019"
    }
  ]
}
```
If the recipient is sanctioned: payment blocked, agent trust score penalised -25, critical anomaly flagged, event logged in tamper-evident audit trail.
If the recipient is clean: payment proceeds normally with ECDSA signature and hash-chained receipt.
How It Works in the Payment Flow
```
Agent requests payment to "SBERBANK"
        |
        v
AgentPass screens "SBERBANK" against 75,784 entries
        |
        v
HIT: 26 matches on UK HMT + OFAC SDN
        |
        v
PAYMENT BLOCKED
  - Trust score penalised -25
  - Critical anomaly flagged
  - Forensic event logged
  - Money never moves
```
For clean payments:
```
Agent requests payment to "aws.amazon.com"
        |
        v
AgentPass screens -- CLEAR (0 matches)
        |
        v
Trust check: score 68, L3, ALLOW
        |
        v
Spend limit check: $50 < $1,000 limit -- PASS
        |
        v
Payment signed (ECDSA P-256), hash-chained, Stripe PaymentIntent created
```
Jurisdictional Screening
Beyond entity screening, AgentPass checks the jurisdiction of every payment:
```bash
# URLs are quoted so the shell does not treat "?" as a glob character
curl "https://agentpass.co.uk/api/sanctions/screen/test?country=RUSSIA"
# Status: COUNTRY_SANCTIONED
curl "https://agentpass.co.uk/api/sanctions/screen/test?country=GB"
# Status: CLEAR
```
An agent operating in the UK (L3 permissions) that tries to interact with a platform in a sanctioned country is automatically blocked -- regardless of the entity name.
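The payment flow and jurisdiction check described above, as an added example that is not AgentPass's own code: a local gate that screens the recipient and country before any payment call, applies the -25 penalty on a hit, and records every decision in a hash-chained log. The sample list entries, the field names (`trustScore`, `spendLimit`) and the decision strings are assumptions.

```javascript
// Added example: a local model of the pre-payment gate. Not AgentPass code.
const { createHash } = require('node:crypto');

// Constructed sample data (assumption); production would load the HMT and OFAC lists.
const SANCTIONED_NAMES = [{ name: 'PJSC SBERBANK', source: 'UK_HMT' }];
const SANCTIONED_COUNTRIES = new Set(['IRAN', 'RUSSIA', 'NORTH KOREA', 'SYRIA']);
const GENESIS = '0'.repeat(64);

// Uppercase and split on punctuation so "Sberbank" matches "PJSC SBERBANK".
const tokens = (s) => String(s || '').toUpperCase().split(/[^A-Z0-9]+/).filter(Boolean);

function screen(recipient, country) {
  if (country && SANCTIONED_COUNTRIES.has(tokens(country).join(' '))) {
    return { status: 'COUNTRY_SANCTIONED', matchCount: 0, matches: [] };
  }
  const want = tokens(recipient);
  const matches = SANCTIONED_NAMES.filter((e) => {
    const have = tokens(e.name);
    return want.length > 0 && want.every((t) => have.includes(t));
  });
  return { status: matches.length ? 'HIT' : 'CLEAR', matchCount: matches.length, matches };
}

const digest = (prevHash, event) =>
  createHash('sha256').update(JSON.stringify({ prevHash, event })).digest('hex');

// Each record commits to the previous record's hash, so edits break the chain.
function appendAudit(chain, event) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  chain.push({ prevHash, event, hash: digest(prevHash, event) });
}

function verifyChain(chain) {
  return chain.every((r, i) =>
    r.prevHash === (i ? chain[i - 1].hash : GENESIS) && r.hash === digest(r.prevHash, r.event));
}

// Screening runs first; nothing reaches the payment network unless this returns ALLOW.
function authorisePayment(agent, payment, chain) {
  const { status } = screen(payment.recipient, payment.country);
  let decision = 'ALLOW';
  if (status === 'HIT') {
    agent.trustScore -= 25; // penalty stated on the page
    decision = 'BLOCK_SANCTIONS';
  } else if (status === 'COUNTRY_SANCTIONED') {
    decision = 'BLOCK_COUNTRY';
  } else if (!(payment.amount <= agent.spendLimit)) {
    decision = 'BLOCK_LIMIT'; // also catches NaN or missing amounts
  }
  appendAudit(chain, { agent: agent.id, recipient: payment.recipient, status, decision });
  return decision;
}
```

Whole-token matching is strict on purpose here; screening real list data also has to handle aliases and transliterated spellings.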
Why This Matters
FATF flagged AI as an emerging AML risk in their October 2025 horizon scan. The EU AI Act becomes applicable in August 2026. PSD2 doesn't cover agent-initiated payments. Nobody has published guidance on how KYC/AML applies when the payer is a machine.
We have:
- UK patent GB2606543.3 covering agent AML/KYA framework (filed today)
- IETF Internet-Draft (draft-sharif-agent-payment-trust) specifying the protocol
- FCA Regulatory Sandbox application submitted for testing
- EBA position paper on PSD2 compliance for agent payments
- Working code screening 75,784 entries in production
The Full Stack
AgentPass isn't just sanctions screening. It's the complete compliance infrastructure:
| Layer | What It Does |
|---|---|
| Identity | Per-agent ECDSA P-256 keys, challenge-response verification |
| Trust Scoring | 5-dimension behavioural score (L0-L4) with spend limits |
| AML Screening | UK HMT + OFAC SDN, 75K+ entries, real-time |
| Jurisdictional Compliance | Country-level permissions, most-restrictive-applies |
| Forensic Chain | Hash-chained audit trail, 7-year retention, court-admissible |
| Anomaly Detection | Structuring, layering, smurfing, probing, self-dealing |
| Signed Receipts | ECDSA non-repudiable proof of every transaction |
Try It
Screen any entity right now:
```bash
# Sanctioned entity
curl https://agentpass.co.uk/api/sanctions/screen/SBERBANK
# Clean entity
curl https://agentpass.co.uk/api/sanctions/screen/aws.amazon.com
# Sanctioned country (quoted so the shell does not treat "?" as a glob character)
curl "https://agentpass.co.uk/api/sanctions/screen/test?country=IRAN"
# Sanctions database stats
curl https://agentpass.co.uk/api/sanctions/stats
```
Demo store with real Stripe payments + sanctions screening: cloudbyte-store.fly.dev
npm: @proofxhq/agentpass
iOS SDK: Swift Package (CryptoKit + Keychain)
Docs: agentpass.co.uk/docs
IETF: draft-sharif-agent-payment-trust + draft-sharif-mcps-secure-mcp