CINDR.LA STRATEGIC ADVISORY
ADVISORY BRIEF · 2026 PoPEye / KYARA · DELOITTE DIALOGUE
Prepared for strategic dialogue with Deloitte advisory partners

PoPEye / KYARA — regulated evidence architecture for agentic commerce.

Building on Deloitte's 2026 perspective on agentic commerce and payments, PoPEye / KYARA extends the architecture into the regulated evidence layer: consent, disclosure, identity evidence, creditworthiness / affordability, and audit-grade receipt infrastructure.

CCD2 is the first deadline. PoPEye is the product that answers it. KYARA is the receipt authority it grows into. KYA-OS is the protocol layer that keeps it interoperable.

Deloitte · 2026 perspective
$17.5T
Agentic commerce by 2030
Deloitte's 2026 agentic commerce perspective projects that agentic commerce could drive up to $17.5 trillion in commerce by 2030 — and identifies payments networks as the layer most immediately transformed by the shift to AI-mediated transactions.

The transformation is named. The next question for regulated clients is how to operationalize it safely.
Deloitte, "Agentic AI is transforming commerce and payments," 2026
01 · Deloitte's 2026 Thesis

Agentic commerce is transforming payments. Deloitte has named the scale.

Deloitte's 2026 financial services perspective piece — "Agentic AI is transforming commerce and payments" — frames the commercial and infrastructure shift that every payments, digital commerce, and banking advisory engagement will need to navigate.
$17.5T
Commerce by 2030
Deloitte's own research frames agentic commerce as a multi-trillion-dollar shift. The question for every regulated client in that stack is not whether the transformation is happening, but how to operationalize it safely across compliance-heavy product categories.
Payments-first
Network transformation
Deloitte's perspective centers the payments network as the layer most immediately disrupted — machine-to-machine settlement patterns, agent-initiated payment flows, new value-added service surfaces emerging across BNPL, consumer credit, and financial products.
Upstream shift
Commerce architecture
Commerce is shifting upstream — from human-led search and browsing to AI agents that research, recommend, and increasingly transact on behalf of consumers. Brand discovery, product selection, and checkout are being re-mediated at scale.

Deloitte's analysis is analytically complete at the commerce-and-payments transformation layer. The next implementation question — the one regulated clients will bring into every advisory engagement — is evidentiary: who proves the transaction met its regulatory obligations when the buyer is an AI agent?

02 · The Next Implementation Question

When the agent-mediated transaction becomes regulated — who provides the proof?

The transformation Deloitte names is the context. The implementation layer that follows is evidence architecture.

Deloitte's 2026 agentic commerce perspective frames the scale of the shift for commerce and payments. The next implementation question is evidentiary: when an agent-mediated transaction becomes regulated, who proves the consumer received the required disclosure, gave specific consent, presented sufficient identity evidence, and passed the required assessment?

1
Disclosure Pre-contractual disclosure (SECCI) must be delivered, confirmed received, and evidenced — at the moment of the agent-mediated transaction. A post-purchase email is not sufficient under CCD2.
2
Specific consent Consumer-credit and financial-product frameworks mandate unbundled, specific consent — not a blanket terms-acceptance. The agent cannot absorb this obligation on behalf of the consumer.
3
Identity evidence Regulated transactions require identity verification anchored to qualified trust infrastructure — not browser-session inference or behavioural scoring passed from the brand layer.
4
Creditworthiness / affordability Every BNPL and consumer-credit transaction after 20 November 2026 requires a fresh, per-transaction creditworthiness assessment. CCD2 Article 18 makes behavioural scoring and blanket pre-assessment insufficient.
5
Audit-grade receipt The regulator needs a verifiable record that all of the above occurred — portable, machine-readable, tamper-evident. No current payment rail, commerce platform, or brand-experience layer ships this receipt.

This is not a gap in Deloitte's analysis — it is the next layer to operationalize. Deloitte's regulated-commerce clients will ask for it. PoPEye / KYARA is the concrete implementation answer.

03 · Compliance Architecture

PoPEye / KYARA supplies the regulated evidence layer.

Two products, one protocol, one regulatory forcing function. Each layer has a distinct role — and the layer separation matters.

PoPEye creates the consumer-side evidence at checkout. KYARA turns that evidence into a portable, agent-aware, regulator-verifiable receipt layer.

PoPEye

Transaction-moment evidence engine

At the moment of purchase, PoPEye captures consumer identity evidence, standardised pre-contractual disclosure (SECCI), specific and unbundled consent, creditworthiness and affordability evidence, decision provenance, and a signed receipt — all in under three seconds, delivered through existing rails. The operational artifact that makes regulated transactions possible in an agent-mediated environment.

KYARA

Receipt authority for agentic commerce

KYARA — Know Your Agent Receipt Authority — is the receipt authority layer PoPEye grows into. Where PoPEye answers CCD2, KYARA answers the broader agentic-commerce question: who acted, under whose authority, against what mandate, with what compliance result. Portable, machine-readable, regulator-verifiable. The decade-long category position.

KYA-OS — the open agent-identity and delegation protocol stewarded through DIF — is the interoperability layer that keeps the architecture oriented toward open standards across the emerging agentic-payments infrastructure: Mastercard Agent Pay, Google AP2, Visa Trusted Agent Protocol, and what follows. The architecture does not build a proprietary silo; it builds against the protocol layer that enterprise agentic commerce will converge on.

The layer separation matters: CCD2 compliance funds the build. KYARA is the decade-long position. KYA-OS keeps the architecture interoperable.

04 · Client Delivery Framework

How Deloitte clients operationalize this architecture.

Three delivery surfaces. Each one builds directly on Deloitte's existing regulated-transformation practice — not a parallel engagement.
Workshop

Category mapping + consent architecture

A structured advisory engagement that maps the client's product portfolio against regulated evidence requirements — consent flows, disclosure obligations, identity-evidence sources, affordability-assessment paths, and receipt requirements per regulated surface.

  • CCD2 product-category exposure map
  • Consent architecture per product type and channel
  • Evidence-source registry (bureau, AIS, identity providers)
  • Receipt requirements by regime and market
Reference Architecture

Reusable across the regulated-commerce stack

A reference architecture that extends across regulated transaction surfaces — not a single-regulation deliverable. Clients who engage with CCD2 compliance today receive an architecture that already anticipates the surfaces that follow.

  • CCD2 — consumer credit, BNPL, instalment
  • PSD3 / PSR — payments mandates, SCA, agent-initiated patterns
  • FIDA — financial-data access and consent infrastructure
  • IDD — insurance distribution channel compliance
  • MiFID II — suitability and appropriateness
Implementation Roadmap

Built on Deloitte's transformation framework

An implementation roadmap structured so Deloitte practitioners can build directly on the agentic-commerce transformation engagement already in delivery — regulated evidence architecture as a specialist module within a larger client programme, not a competing workstream.

  • Integration with Deloitte's agentic-commerce transformation work
  • Phased rollout by product category and launch market
  • Governance model for ongoing compliance posture
  • Expansion path as additional regulated surfaces emerge
05 · Operating Model

A specialist regulated-evidence-architecture module designed for co-delivery with Deloitte advisory.

Two entities, full-stack depth. Neither operates as a generalist advisory firm — both supply what the regulated-transaction boundary requires.
CINDR.LA designs and packages the PoPEye / KYARA engagement. IDCanopy supplies the identity, bureau, KYA, and receipt-infrastructure depth.
CCD2

First regulated forcing function

Mandatory per-transaction creditworthiness evidence, specific consent, and audit-grade receipts by 20 November 2026. The deadline-driven entry point for any client with BNPL, instalment, or consumer-credit exposure.

PoPEye

Transaction-moment evidence engine

Consent, disclosure, affordability evidence, and signed receipt at checkout latency — delivered through existing rails, in under three seconds. The operational product that makes regulated transactions possible in an agent-mediated environment.

KYARA

Receipt authority for agentic commerce

The receipt authority layer that PoPEye grows into — portable, machine-readable, regulator-verifiable proof that scales beyond any single regulation across CCD2, PSD3/PSR, FIDA, IDD, and MiFID II client engagements.

KYA-OS

Open agent-identity protocol

The DIF-stewarded interoperability layer. Keeps the architecture oriented toward open standards rather than a proprietary silo as the agentic-payments infrastructure matures across enterprise and payment-network clients.

CINDR.LA
AI automation venture builder

Engagement design + architecture leadership

CINDR.LA designs and packages the PoPEye / KYARA engagement — evidence architecture, consent flows, receipt schema, category mapping, and integration leadership. The consulting-layer counterpart that structures the module for co-delivery with Deloitte advisory teams.

IDCanopy
Regulated identity & compliance infrastructure

Identity, bureau, KYA + receipt infrastructure

IDCanopy supplies the identity-infrastructure depth, bureau orchestration, KYA protocol layer, and receipt-infrastructure stack. The regulated-evidence and trust-services specialist that sits at the downstream transaction boundary where compliance obligations become mandatory.

The module sits downstream at the regulated transaction boundary — where consent, disclosure, affordability, identity evidence, and audit-grade receipts become mandatory — and operates as a complement to brand, experience, and AI-commerce activation layers already in delivery.

06 · Collaboration Shape

Three ways PoPEye / KYARA integrates with Deloitte advisory work.

Scope and structure depend on engagement context, client portfolio, and market. No commercial floors in this document.
Mode I — Workshop & Architecture
Deloitte advisory frames and leads the engagement

Client workshop + reference architecture

The PoPEye / KYARA team supplies the regulated evidence architecture and category mapping within a Deloitte-framed client advisory engagement. Deloitte brings the transformation context and client relationship; CINDR.LA / IDCanopy brings the compliance-layer depth. Delivered as a structured client workshop with a reference architecture output and a product-category exposure map.

Mode II — Implementation Roadmap
Within a Deloitte-led transformation engagement

Implementation roadmap + co-delivery

A reference build for one regulated product category and one launch market, co-delivered as a module within a Deloitte-led agentic-commerce transformation engagement. The PoPEye / KYARA architecture is positioned as the regulated-transaction specialist layer of the larger Deloitte programme — not a separate engagement.

Mode III — Practice Integration
Joint go-to-market

Joint advisory + practice integration

The PoPEye / KYARA module integrated into Deloitte's regulated-commerce transformation practice — joint go-to-market across the financial services, payments, and regulated retail client portfolio. The deepest integration path: a co-branded specialist module that Deloitte practitioners activate across regulated-transaction client engagements as the agentic-commerce market matures.

CINDR.LA designs and packages the PoPEye / KYARA engagement. IDCanopy supplies the identity, bureau, KYA, and receipt-infrastructure depth.
07 · Expansion Runway

CCD2 is the first wedge. The architecture extends across the regulated-commerce stack.

CCD2 is the first wedge; PSD3/PSR, FIDA, and adjacent regulated transaction surfaces extend the same architecture.

Every capability built for CCD2 compliance — signed consent, verified identity, bureau-fresh affordability, audit-grade receipt — is precisely what PSD3/PSR, FIDA, IDD, and MiFID II engagements require downstream. The architecture does not need to be rebuilt for each regulatory surface. It needs to be applied to each new regulated transaction boundary. For Deloitte's clients, that means a single architectural investment that compounds across every regulated digital transaction in the portfolio — from consumer credit today to the full agentic-commerce compliance stack as the market matures.

Continue the conversation

Reach CINDR.LA to go deeper.

Architecture scope, client category mapping, regulatory surface analysis, or collaboration shape — we are available for the conversation in whatever format is most useful for the Deloitte team.