Search
Choose a style
Dark
Light
Time to read: 5 min

Why payments firms are being pulled into AI accountability debates

Depicting a deepfake, Portrait of attractive businessman with face recognition hologram on blurry blue background. Face ID and password concept
Image credit: Shutterstock

When Visa and Mastercard severed ties with Pornhub in 2020, it marked a watershed moment in digital commerce. For the first time, major payment networks had exercised what amounted to editorial judgment, cutting off a legal business based on allegations about content hosted on its platform.

Five years later, that decision looks lmore like the beginning of a fundamental shift in how society views the role of financial infrastructure in the digital economy.

The latest evidence comes from Visa’s 2026 shareholder meeting, where investors will consider a proposal asking the company to report on how its payment systems might facilitate AI-generated child exploitation material and deepfake pornography.

The proposal, backed by shareholder advocacy group Bowyer Research, reflects an emerging consensus among regulators, advocates, and investors: that payment companies cannot simply process transactions neutrally when those transactions may enable harm.

Why payment companies?

The targeting of payment processors represents a pragmatic evolution in content enforcement strategy. When harmful content proliferates across countless websites and jurisdictions, traditional enforcement mechanisms struggle. Platform-by-platform takedowns resemble an endless game of whack-a-mole. Payment networks, by contrast, represent natural chokepoints – a small number of companies through which the vast majority of online commerce must flow.

This strategy gained momentum after the Pornhub controversy demonstrated its effectiveness. Within days of Visa and Mastercard withdrawing service, Pornhub removed millions of videos and implemented stricter content verification.

The AI acceleration

The emergence of generative AI has dramatically escalated these concerns. According to the Department of Homeland Security, offenders increasingly use AI tools to create synthetic child sexual abuse material, distributing it through hidden payment channels on the dark web. A 2025 Europol operation uncovered a platform distributing exclusively AI-generated exploitation content, with users paying for access through what investigators described as “symbolic online payments.”

This technological shift creates new complications for payment companies. Traditional content moderation focuses on verifying that people depicted in images consented and were of legal age. AI-generated imagery depicting non-existent children occupies murkier legal territory. Federal law criminalises some AI-created material, but enforcement relies partly on obscenity statutes that have faced constitutional challenges.

Five states and Washington DC still lack explicit laws addressing AI-generated exploitation material.

The legal ambiguity creates a dilemma for payment processors. Visa’s response to the shareholder proposal argues its existing prohibitions on illegal activity are sufficient. But critics contend that waiting for clear legal violations ignores reputational risks and emerging harms that may not yet be fully codified in law.

The regulatory drumbeat

Pressure on payment companies is intensifying from multiple directions. In 2025, a bipartisan coalition of state attorneys general sent letters to Visa and other payment platforms explicitly asking how they identify and remove payment authorization for deepfake tools and exploitative content. The letters reflect growing impatience with what officials view as insufficient action from the industry.

Meanwhile, financial regulators have flagged deepfakes as an emerging fraud vector, with FinCEN warning banks about deepfake identity fraud enabling criminals to circumvent controls. The convergence of fraud prevention and content concerns suggests payment companies may face regulatory requirements that explicitly address AI-generated harms.

The shareholder proposal at Visa also points to a significant SEC decision involving Apple. When the American Family Association submitted a proposal asking Apple to report on its decisions regarding child safety scanning technology, the SEC rejected Apple’s attempt to exclude it as “ordinary business.”

The precedent problem

Every decision payment companies make in this space creates precedent. If Visa reports on its strategies for detecting payments linked to AI-generated exploitation material, it implicitly accepts responsibility for monitoring how its network is used beyond simple transaction processing.

Other payment companies would face pressure to match or exceed those commitments.

This may raise concerns among the industry about payment companies becoming de facto content arbiters. Unlike platforms which host content, payment processors sit further removed from what users actually do. A transaction labelled as payment for ‘digital content’ or ‘online services’ reveals little about the underlying material. Expecting payment companies to investigate the nature of every transaction raises questions about privacy, feasibility, and the appropriate scope of private sector enforcement.

Yet the counterargument – that payment companies should remain neutral infrastructure – has been eroding. These companies already make extensive judgments about risk, refusing service to industries from cannabis to online gambling based on legal uncertainty, reputational concerns, or regulatory pressure.

If payment networks can decline entire business categories, why not specific practices that facilitate exploitation?

The broader implications

The pressure on payment companies reflects a larger recalibration of responsibility in digital ecosystems. For years, internet platforms operated under the principle they were neutral intermediaries, not publishers. This framework has been steadily eroding, with platforms facing growing pressure to moderate content, verify users, and prevent misuse.

Payment companies represent the next layer of infrastructure being drawn into these debates. If the trend continues, we might see similar scrutiny of cloud hosting providers, domain registrars, or internet service providers – each layer of digital infrastructure potentially required to monitor and control how its services enable downstream harms.

This raises fundamental questions about the architecture of internet governance. Should responsibility for content diffuse throughout the infrastructure stack, or concentrate on platforms that directly host it? What happens to innovation and accessibility when every layer of infrastructure must serve as a gatekeeper? How do we balance enforcement effectiveness against concerns about privatised censorship?

Subscribe to our newsletter