
Merchant-facing regulation: What merchants need to know in 2025
Ten key regulatory developments merchants must track in 2025–26, from fraud liability to fee reform, stablecoins, and accessibility.
What is this article about?
It outlines ten regulatory changes affecting merchants in the UK and EU between 2025 and 2026.
Why is it important?
These developments will impact merchant compliance, cost structures, customer experience, and operational risk.
What’s next?
Merchants should assess exposure, engage with providers, and begin implementation planning ahead of key deadlines.
The regulatory framework governing payments continues to expand in scope, with increasing implications for merchants operating in the UK and EU. Regulatory developments previously confined to financial institutions and payment service providers are now extending to the systems, practices, and commercial relationships of merchants—particularly where digital payments, cross-border transactions, and customer data are concerned.
Merchants may be affected directly, through obligations arising from new legislation, or indirectly, through revised requirements placed on their acquirers, platforms, and payment providers. Key areas of impact include fraud prevention, card fee structures, accessibility standards, stablecoin usage, and the treatment of consumer data in evolving open finance ecosystems. In several cases, enforcement activity and supervisory focus are accelerating, with implementation deadlines set for 2025 and 2026.
This report outlines ten regulatory developments that are expected to have a material impact on merchant operations, customer experience, and commercial planning. Each section includes an overview of the regulation, the legal and operational risks involved, and the practical actions required to support readiness and ongoing compliance.
The information presented is intended to support internal planning, vendor engagement, and risk management activities across legal, compliance, finance, and digital functions.
The Economic Crime and Corporate Transparency Act introduces a landmark corporate offence: failure to prevent fraud. Applicable to large organisations, the offence imposes criminal liability if firms do not have adequate fraud prevention procedures in place, even if senior leadership is unaware of the misconduct. The FCA’s final guidance, issued in April 2025, outlines “reasonable procedures,” including fraud risk assessments, internal controls, staff training, and governance oversight.
For merchants, particularly large retailers, platforms, or multi-channel businesses, this marks a significant shift in fraud liability. Whereas fraud was previously treated as an operational risk, it is now a matter of legal and regulatory accountability. Common fraud vectors such as refund abuse, loyalty scheme exploitation, and synthetic ID fraud must now be addressed through formalised prevention frameworks and board-level oversight.
The Act aligns with a broader shift towards proactive enforcement and corporate accountability, mirroring existing offences in bribery and tax evasion. As regulators sharpen their focus on financial crime, merchants must ensure that fraud controls are not only implemented but regularly reviewed and evidenced.
Merchants that fail to implement and maintain adequate fraud prevention procedures face potential criminal prosecution, financial penalties, and reputational damage. Liability can arise even if fraudulent actions are undertaken by third parties or junior staff.
Coming into force on 28 June 2025, the European Accessibility Act (EAA) introduces harmonised accessibility requirements across the EU for a wide range of digital products and services. Merchants operating in EU markets must ensure that customer-facing platforms, including e-commerce websites, mobile apps, payment terminals, and support channels, are accessible to users with disabilities. The EAA aims to ensure that all consumers can navigate and use essential services without barriers.
For merchants, this represents a fundamental compliance obligation with both legal and commercial dimensions. Non-compliance could lead to regulatory enforcement by national authorities, as well as reputational harm and potential exclusion from EU markets. Beyond legal exposure, accessibility has become a broader ESG and customer-experience priority, particularly as digital commerce becomes more central to retail strategy.
Merchants relying on PSPs, acquirers, or technology vendors must ensure that their third-party tools and services also meet EAA standards. Legacy platforms, especially those developed before 2019, are unlikely to be compliant without significant upgrade work. The transition period for existing contracts ends in June 2025, and the risk of enforcement will increase significantly after this date.
Failure to meet EAA accessibility requirements may result in national enforcement action, product restrictions, fines, and consumer litigation. Merchants may also face reputational risks and customer churn linked to perceived exclusion.
Although strong customer authentication (SCA) under PSD2 has been in force for several years, the regulatory focus in 2025 is shifting from implementation to optimisation. Merchants continue to face elevated abandonment rates, soft declines, and disputes linked to poor SCA execution, particularly for recurring transactions, mobile checkout, and low-value exemptions.
The FCA and card schemes are now applying greater scrutiny to how exemptions are used. For example, Visa’s CE3 updates and Mastercard’s revised guidance limit the use of low-risk transaction exemptions, demanding more robust risk assessments and transaction monitoring. Merchants must ensure their SCA processes are not only compliant, but also commercially effective.
Poor SCA performance can increase chargebacks, reduce conversion rates, and impact acquirer relationships. Delegated authentication models, 3DS2 implementation, and real-time exemption management must now be standard features in merchant authentication strategy.
Improper or outdated SCA implementations may result in failed transactions, lost revenue, and potential non-compliance with scheme or regulatory expectations.
The Payment Systems Regulator (PSR) is expected to publish its final ruling on cross-border interchange fees by the end of 2025. These fees—charged by card schemes on EEA-issued cards used at UK merchants—rose sharply after Brexit, jumping from 0.2% to 1.15% for debit and from 0.3% to 1.5% for credit.
Merchant groups argue these increases are unjustified and ultimately borne by UK businesses and consumers. The PSR is weighing whether to reintroduce caps or impose disclosure requirements, in what could become one of the most financially significant regulatory changes for online merchants with international customers.
Depending on the ruling, PSPs and acquirers may adjust pricing models or renegotiate contracts, directly affecting merchant fees and pricing transparency.
Increased card acceptance costs may not be sustainable in cross-border sales. New rules could mandate pricing changes or new disclosure requirements under consumer law.
Alongside interchange, the PSR is reviewing the scheme and processing fees charged by Mastercard and Visa on domestic UK transactions. While merchants don’t pay these directly, they are passed down via acquirer pricing and can make up a substantial part of card acceptance costs.
The PSR’s interim findings in 2024 noted limited competition and opacity in pricing. The final report, due late 2025, may recommend increased transparency, new disclosure rules, or competition-based reforms to address merchant cost pressures.
For merchants, especially those with high card volumes or thin margins, these findings could influence contract renegotiation, surcharge decisions, and budgeting for 2026.
New requirements on fee transparency or contract clarity could reshape merchant-acquirer dynamics. Indirect cost increases may draw FCA scrutiny under Consumer Duty.
The UK government is progressing legislation to bring Buy Now Pay Later (BNPL) under the scope of regulated consumer credit. The proposed law, currently before Parliament, is expected to be passed in late 2025, with compliance obligations likely from mid-2026 onwards. The FCA will oversee this regime, requiring lenders to conduct affordability assessments, enforce clear disclosures, and ensure customers are treated fairly across the lifecycle of credit use.
While most obligations fall to BNPL lenders, merchants promoting or integrating BNPL solutions directly—such as through website messaging, checkout flows, or referral arrangements—will have responsibilities. These include ensuring that BNPL options are clearly described, not misleading, and supported by regulated providers.
The commercial appeal of BNPL remains strong, particularly in retail, travel, and digital services. But in a regulated environment, merchants must take care to ensure their role in credit journeys is compliant, particularly where incentives, cross-selling, or deferred payments are offered.
Merchants that misrepresent BNPL products or fail to disclose credit risks properly could be subject to FCA scrutiny, especially if they are deemed to influence credit decisions or present BNPL as risk-free.
The UK’s stablecoin regime is advancing rapidly, with HM Treasury confirming its intent to regulate fiat-backed stablecoins used for payments under the Financial Services and Markets Act. Implementation is expected in late 2025 or early 2026, bringing stablecoin issuers, custodians, and payment processors under FCA supervision.
While merchants won’t be regulated directly, accepting stablecoins as payment will require confidence in the legal status, settlement reliability, and AML compliance of the tokens and intermediaries involved. Merchants will need to ensure PSPs and platforms are authorised to handle regulated stablecoins and that cash flow and reconciliation processes can accommodate digital assets.
This is particularly relevant to sectors exploring crypto-native loyalty, cross-border sales, or programmable payments.
Using non-compliant stablecoin payment systems could expose merchants to financial crime risks, legal uncertainty in disputes, or operational losses from failed redemption.
The global migration to ISO 20022 as the standard for cross-border payments messaging becomes mandatory on 22 November 2025. This standard introduces structured, enriched data formats for payment messages—improving interoperability, fraud detection, and reconciliation. While merchants are not directly regulated, their back-office systems and payment operations will be affected.
PSPs and acquirers will now transmit richer remittance information, structured payer/payee details, and standardised reference fields. Merchants relying on reconciliation automation or ERP integrations will need to ensure that systems can ingest and process ISO 20022-compliant data.
This transition is a technical one, but its impact is operational and commercial. If implemented correctly, enhanced payment traceability can reduce disputes and costs.
If systems are not ready, merchants may experience failed reconciliations, duplicate entries, or settlement delays. These can breach contractual SLAs or tax compliance timelines.
The FCA’s Consumer Duty came into force in 2023–24 and is now entering a second phase, with a mid-2026 review planned to assess embeddedness across firms. The Duty applies primarily to regulated PSPs and acquirers, but merchants, particularly microenterprises, can expect increased protection under the framework.
Firms must act in good faith, avoid foreseeable harm, and support customers in achieving their financial objectives. For merchant clients, this translates to higher expectations for pricing fairness, support responsiveness, and contract transparency. The FCA is expected to evaluate how the Duty applies in B2B contexts, especially where small businesses access financial services.
Merchants should understand how the Duty affects their rights, obligations, and ability to challenge poor service or unfair pricing in their commercial relationships.
Failure by PSPs to meet the Duty in merchant services may trigger FCA enforcement, contract reviews, or pressure to enhance communications and complaints handling. Merchants can also be indirectly affected by changes in how services are structured or priced.
Open finance builds on the UK’s open banking model by extending secure data access to a broader range of financial products, including savings, pensions, insurance, and credit. The Joint Regulatory Oversight Committee (JROC) is leading this evolution, which is expected to enter a formal implementation phase in 2026 and continue into 2027.
For merchants, this opens up possibilities for hyper-personalised credit offers, risk-based pricing, and new forms of loyalty or subscription services powered by richer data. However, it also introduces new responsibilities around consent management, data portability, and customer support.
Open finance is not a direct compliance burden yet, but merchants that work with fintech partners, or offer embedded finance, should begin preparing now.
Merchants may be caught by evolving data privacy obligations or inadvertently rely on non-compliant partners. Poor handling of financial data or consent flows could trigger ICO or FCA action.
As we move deeper into 2025, it is clear that merchants are no longer operating on the periphery of financial regulation. The historical assumption that compliance sits solely with banks, acquirers, or payment service providers is no longer tenable. From digital accessibility and fraud accountability to emerging crypto standards and open finance frameworks, merchants occupy a central position in the regulatory ecosystem.
What distinguishes this moment is the breadth of change and its depth. Many of the regulations outlined here require more than technical upgrades or policy reviews—they demand that merchants re-evaluate commercial models, reassess risk ownership, and establish closer integration between compliance, legal, finance, and technology teams. This regulatory cycle also shifts the focus from retrospective enforcement to proactive governance, emphasising continuous evidence, real-time monitoring, and the demonstrable pursuit of fair outcomes for both consumers and merchant clients.
Strategically, this presents an opportunity as much as a challenge. Merchants that take a forward-leaning approach to regulation—engaging early with providers, auditing internal capabilities, and embedding regulatory readiness into product planning and customer journeys—will gain not only resilience but commercial edge. Regulatory compliance, handled correctly, becomes a competitive differentiator: a signal of trust, credibility, and operational maturity in a crowded and cost-sensitive payments landscape.
For leadership teams, the task is twofold: ensure readiness for near-term regulatory obligations, and begin shaping a roadmap that anticipates longer-term structural shifts. That means budgeting for system upgrades (e.g. ISO 20022), refining third-party contracts (e.g. stablecoin acceptance), and elevating compliance from a functional concern to a board-level priority.
Above all, merchants should not treat these developments as isolated initiatives. The real advantage lies in connecting them, recognising that fraud controls, accessibility, data strategy, and consumer protection are increasingly interdependent. Those who align their operating model accordingly will be far better placed to absorb change and seize opportunity as the payments environment continues to evolve.
The Payments Association
St Clement’s House
27 Clements Lane
London EC4N 7AE
© Copyright 2024 The Payments Association. All Rights Reserved. The Payments Association is the trading name of Emerging Payments Ventures Limited.
Emerging Ventures Limited t/a The Payments Association; Registered in England and Wales, Company Number 06672728; VAT no. 938829859; Registered office address St. Clement’s House, 27 Clements Lane, London, England, EC4N 7AE.