7 May 2026

Mercury migrated away from Synapse before it collapsed and took thousands of fintech customers' funds with it. That timing looks less like luck when you understand why they left: Synapse's infrastructure couldn't support the product complexity Mercury needed. They saw the architectural ceiling and moved. Most BaaS-dependent fintechs never look up until they hit it.

This matters enormously for anyone building on third-party banking infrastructure in the UK right now. The BaaS model is seductive. You get to market fast, you outsource the regulatory complexity, and you tell a clean story to investors. But you are also inheriting someone else's technical debt and someone else's relationship with the regulator. When that counterparty runs into trouble, your customers feel it first.

The Synapse collapse is the starkest recent example, but the underlying tension is structural. BaaS providers are simultaneously trying to serve dozens of fintechs with divergent product roadmaps while managing their own capital and compliance pressures. At some point those priorities conflict. Mercury understood this and built the internal capability to move. Most fintechs lack either the engineering resource or the commercial leverage to do the same.

For UK consumer credit specifically, the question is whether firms building on embedded finance infrastructure are genuinely stress-testing their dependency. The FCA's operational resilience rules require firms to identify important business services and set impact tolerances. A BaaS provider failure almost certainly breaches those tolerances for any firm that has outsourced core payment or account functionality. Whether firms are treating that dependency with the same rigour they apply to their own systems is another matter.

Mercury's $650M revenue and 300,000 customers are impressive numbers. The more instructive figure is the three years of consecutive profitability, which suggests they built something with real unit economics rather than growth-at-any-cost subsidies. That discipline probably also explains why they had the organisational clarity to recognise a failing dependency and act on it.

The question worth sitting with: if your primary infrastructure partner ran into serious difficulty tomorrow, how long would it actually take you to know?

The interesting problem Google Cloud Fraud Defense is solving is not fraud prevention. It's identity verification for non-humans.

For twenty years, fraud tooling in consumer credit has been built around one question: is this a real person? reCAPTCHA, device fingerprinting, behavioural biometrics — all of it designed to confirm human presence. Google's announcement quietly retires that framing. The new question is: is this actor, human or otherwise, legitimate and authorised?

That shift matters enormously for anyone building loan origination infrastructure right now.

Agentic AI is arriving in consumer finance faster than most compliance teams have noticed. Customers will soon instruct AI agents to shop for credit on their behalf, submit applications, negotiate terms. On the broker side, automated decisioning pipelines already touch large volumes of applications with minimal human review. When two AI systems are transacting with each other, the fraud surface changes completely. Stolen credentials used by a human attacker look different from a compromised AI agent acting at scale with perfect behavioural mimicry.

The FCA's Consumer Duty has a direct bearing here. If a customer's AI agent is manipulated or spoofed during a credit application journey, who carries the liability? The broker almost certainly does, because the customer will argue — reasonably — that the outcome was not in their interest and they were not in control of what happened.

Two things UK technology leaders should be thinking about:

• How your origination platform will authenticate agentic clients, not just human ones
• Whether your fraud controls can distinguish a legitimate automated journey from a malicious one when both look identical at the behavioural layer

Google building this at infrastructure level is significant. It suggests the industry believes agentic web traffic will be substantial enough to need its own trust model, and soon.

The lenders and brokers who treat this as a 2027 problem will find themselves retrofitting fraud controls into platforms that were never designed for agent-to-agent transactions. That is an expensive position to be in.

Google and Meta building always-on agents that operate in the background without prompting is not a consumer productivity story. For UK consumer finance, it is a consent and liability story that the industry is almost entirely unprepared for.

Think about what an autonomous agent actually does. It observes behaviour across apps, anticipates needs, and takes action. In a credit context, that means an agent could initiate a loan application, compare products, or accept terms on a customer's behalf. The customer's intent might be genuine. The agent's interpretation of that intent might be wrong. Who owns that transaction?

The FCA's consumer duty framework is built on the assumption that a human being made a decision, even if that decision was poorly informed or nudged. Agentic AI breaks that assumption completely. When an agent books a holiday, orders groceries, or triggers a buy-now-pay-later checkout, the lender on the other end has no reliable way to know whether a person chose that action or software did.

Two things will define how this lands for credit businesses:

• Consent architecture will need to be rebuilt. The current model of a customer clicking through a journey assumes a present, active human. Delegated consent, where a person authorises an agent to act within defined limits, requires entirely new legal and technical frameworks.
• Fraud and affordability signals will degrade. Behavioural data used in decisioning is calibrated on human behaviour. Agent-driven applications will look systematically different, and models trained on historical human patterns will misread them.

The FCA has been watching open banking and screen-scraping closely enough to understand data intermediaries. Agentic AI is a different order of problem. The regulator will eventually catch up, but the gap between product launch and regulatory clarity is where consumer harm happens.

The question credit leaders should be asking now is not whether to use AI agents internally. It is what happens when your customers already have one acting on their behalf.