Q1 2026 marks a critical phase for merchant regulation, with developments across contactless payment flexibility, BNPL oversight, APP fraud reimbursement schemes, and mobile ecosystem competition moving from policy design to implementation. This roadmap highlights the key reforms, timelines, and compliance risks that merchant payment leaders must navigate to stay ahead in an increasingly complex regulatory landscape.
Spanning payment acceptance, fraud liability, digital commerce, and platform economics, regulation touches every part of the merchant payments value chain. The UK/EU market is regulated by several authorities with each initiative having consultation periods, policy statements, and often staggered implementation windows. Add rapidly evolving payment technologies and competitive dynamics, staying on top of regulatory changes becomes challenging.
Payments Intelligence produces regulation roadmaps twice yearly—in Q1 and Q4—to address this complexity, setting out consultation papers and policy initiatives chronologically, summarising the change brought by each, the legal issues they pose, and suggested next steps to take in response.
The roadmaps draw directly on the papers published by the UK’s and EU disparate regulatory bodies, as well as our membership of senior compliance leads and legal professionals. This edition covers reforms to contactless payment limits, the introduction of BNPL regulation, and the evolution of APP fraud reimbursement schemes. The roadmap also tracks developments in mobile ecosystem competition, payment account termination rules, and open finance initiatives, alongside updates to payment infrastructure standards including ISO 20022 migration.
Emerging payment methods and international developments are a further area of emphasis. The report maps cryptoasset, stablecoin, and AI regulation in the UK, EU, and US, helping merchants understand potential implications for payment infrastructure and fraud systems. Taken together, these themes illustrate a regulatory agenda that is increasingly focused on reducing checkout friction, clarifying fraud liability, constraining platform power, and ensuring payment system resilience.
Payments regulation is moving from policy to implementation. This roadmap highlights what matters, when it matters, and why it matters.
Regulatory change rarely arrives in isolation. Overlapping initiatives, staggered timelines, and varying levels of certainty can make it difficult for firms to assess what genuinely requires attention. This roadmap is intended to reduce that complexity by providing a clearer line of sight across developments.
By setting developments out by timing and theme, the roadmap helps teams distinguish between what is imminent, what is emerging, and what can be monitored. This enables more informed internal discussions and better sequencing of regulatory work.
This roadmap is designed for merchant teams involved in understanding, planning for, and responding to regulatory change across payment acceptance and commerce. Personas include:
While the roadmap is relevant across functions, it is particularly useful for teams responsible for translating regulatory change into business action. It can be used as a shared reference point across departments to align understanding and expectations.
The roadmap should be used as a planning and orientation tool alongside existing internal processes and external advice. It is intended to support discussion, prioritisation, and forward planning rather than replace detailed legal or regulatory analysis.
The timeline below sets out the sequencing of key regulatory developments affecting merchant payments, highlighting anticipated milestones, areas of regulatory change, and points of operational impact. It is intended to support planning by indicating where merchants should prioritise assessment, mobilisation, and delivery across near, medium, and longer-term horizons.
Why it matters « Previous
The FCA is advancing cryptoasset regulation, removing the £100 contactless limit from march 2026, and accelerating open finance. Merchants should monitor developments and assess readiness.The FCA is introducing cryptoasset regulation, removing the £100 contactless limit from march 2026, and accelerating open finance with a roadmap due march 2026. Merchants should monitor developments and assess payment partner readiness.
While the FCA’s consultations on cryptoasset regulation (covering new regulated activities, disclosure, market abuse, and prudential requirements) are aimed primarily at crypto firms, merchants should be aware of the potential long-term implications for payments systems and embedded financial services. The rules under discussion could, in the future, affect how merchants interact with stablecoins, crypto-enabled payments, and other emerging payment methods.
Key points for merchants:
• Indirect impact on payment systems and providers handling crypto or stablecoin transactions.
• Operational or compliance implications from partners adapting to new regulations.
• Monitor FCA crypto and stablecoin regulations.
• Check readiness of payment and fintech partners for upcoming changes.
• Consider potential effects on fraud controls and operational processes.
The FCA has confirmed rule changes that will give banks and payment service providers greater flexibility to set contactless payment limits. From March 2026, banks and payment providers with strong fraud controls will be able to set their own contactless payment limits, rather than being restricted by a single industry-wide cap.
The change reflects the growing dominance of contactless in the UK. Nearly 95% of eligible in-store card transactions were contactless in 2024, highlighting consumer demand for faster, frictionless payments. Merchants can also offer customers the option to set personalised limits or disable contactless entirely.
Consumer protections remain unchanged. Customers will continue to be reimbursed for unauthorised transactions, including lost or stolen cards. The FCA views this reform as a way to encourage investment in fraud controls, balancing flexibility with safety.
Adoption of higher limits will be voluntary, but firms choosing to participate must clearly communicate changes to customers. The move is expected to benefit high-street and hospitality businesses by enabling faster, smoother checkout experiences.
Key dates:
The FCA is accelerating open finance initiatives, with a formal roadmap expected by March 2026. While much of the programme is aimed at banks and fintechs, merchants should pay attention, as open finance will influence how customer financial data can be accessed and used across services.
The Smart Data Accelerator, launched in September 2025, tests real-world data-sharing use cases in a controlled environment. Lessons from these trials could affect merchants offering subscriptions, BNPL, or other embedded payment options, particularly around customer consent, data security, and operational readiness.
TechSprints on mortgages and SME finance are also exploring practical consumer benefits from open finance. For merchants, these highlight the broader trend: more accessible, structured financial data is coming—and it may touch your payment flows, loyalty programmes, and customer interactions.
Key dates
The 2026 medium-term agenda covers merchant payment acceptance, platform competition and fraud liability. BNPL regulation, mobile ecosystem reform and contract termination rules tighten merchant compliance requirements, while APP fraud scheme evolution, AI governance expectations and ISO 20022 updates increase operational complexity and cost pressures.
These measures balance transparency and fairness with the need to preserve financial crime controls and regulatory compliance.
The Digital Markets, Competition and Consumers Act came into force in January 2025, granting the Competition and Markets Authority new powers to designate firms with Strategic Market Status in digital markets. In October 2025, the CMA designated both Apple and Google’s mobile ecosystems—covering iOS, App Store, WebKit, Android, Google Play, and Chrome—as having Strategic Market Status until October 2030.
Following publication of its roadmap in July 2025, the CMA began consulting on conduct requirements from autumn 2025, with further consultations on additional measures expected throughout the first half of 2026. These conduct requirements could mandate opening access to key device functionality, enabling app downloads outside official app stores, permitting alternative payment systems without platform fees, and removing restrictions on in-app payment communication.
Unlike the EU’s Digital Markets Act, the DMCC framework gives the CMA the flexibility to impose bespoke conduct requirements tailored to UK market conditions. For merchants operating e-commerce apps with in-app purchases, these changes could fundamentally alter payment routing and fee structures. Non-compliance carries penalties of up to 10% of global turnover, making early preparation essential.
Following CP25/23 on deferred payment credit (DPC), better known as buy now pay later, regulation will come into force in 2026. Third-party lenders offering interest-free DPC agreements (repayable in 12 or fewer instalments within 12 months) to finance purchases from merchants will fall within the FCA’s regulatory perimeter. Merchants offering DPC directly to customers will remain exempt.
The consultation responds to rapid growth in the sector, which has increased from £0.06bn in 2017 to over £13bn in 2024, according to FCA data. Additionally, there are concerns that unregulated DPC lending may expose consumers to affordability risks, insufficient pre-contract information, and poor outcomes for borrowers in financial difficulty. Around 20% of UK adults used DPC in 2024, with usage higher among consumers already experiencing financial stress.
The FCA proposes a proportionate regime that largely leverages existing consumer credit rules and the Consumer Duty, rather than creating a bespoke framework. Proposals cover pre- and post-contract information requirements, proportionate creditworthiness assessments, complaints handling and access to the Financial Ombudsman Service, and new data-reporting obligations (including Product Sales Data).
A Temporary Permissions Regime (TPR) will allow currently unauthorised DPC lenders to continue operating while their applications are assessed.
Key dates
The UK’s mandatory authorised push payment fraud reimbursement scheme, which came into force in October 2024, requires payment service providers to reimburse scam victims up to £85,000 per claim, with costs split equally between sending and receiving PSPs. This creates indirect effects for merchants through potential fee changes or enhanced verification requirements from their payment providers.
The scheme creates operational complexity for PSPs managing reimbursement obligations. Reimbursement disputes can be escalated to the Financial Ombudsman Service (£430,000 cap), where “fair and reasonable” standards may differ from PSR scheme criteria, creating regulatory uncertainty that PSPs may manage through stricter controls or higher fees.
Data shows that 97% of claims from APP scams, approximately £112 million, were reimbursed to victims within 35 days of the scheme launching. An independent review by Frontier Economics, which began in October 2025, will assess the scheme’s effectiveness and could lead to changes in reimbursement caps, liability allocation, or compliance requirements. The PSR proposed a December 2026 deadline for Reporting Standard B adoption (subject to final confirmation following late 2025 consultation).
The scheme’s evolution through 2026 focuses on assessing effectiveness and standardising compliance data reporting, affecting merchants through changes to payment acceptance costs and verification friction as PSPs adapt to reimbursement obligations.
Key dates
Q2 2026: Frontier Economics independent post-implementation review publishes findings
December 2026: Proposed deadline for Reporting Standard B adoption (subject to final confirmation)
The Bank of England plans to extend CHAPS settlement hours from 1.30am, ahead of the current 6am start, as part of its RTGS renewal. For most merchants, this change is handled by banks or PSPs, so day-to-day operations are unlikely to be affected. Merchants running their own rails or treasury operations may need to assess early access for cross-border payments or liquidity planning.
The UK government plans to legislate for artificial intelligence, with oversight delivered through existing regulators such as the FCA, PSR, ICO, CMA, and Ofcom. For merchants, this is relevant if AI is used in payments, fraud detection, credit scoring, or customer decisioning. The FCA emphasises a principles-based approach, covering safety, transparency, fairness, accountability, and redress.
In January 2026, the Treasury Select Committee published a report concluding that 75% of UK financial services firms now use AI, yet the Bank of England, FCA and HM Treasury risk exposing consumers to “potentially serious harm” through their “wait-and-see” approach. The committee received evidence of AI-driven decision-making in credit and insurance lacking transparency, AI financial decision-making threatening financial exclusion for disadvantaged consumers, unregulated financial advice from AI search engines, and AI usage increasing fraud. The FCA and ICO announced in June 2025 they will create a joint statutory code of practice for firms deploying AI for automated decision-making.
Key dates
The Bank of England has signalled caution on a UK digital pound, suggesting commercial bank-led digital payments may reduce the need for a central bank-issued alternative. While a digital pound remains technically feasible, plans are effectively on hold, creating strategic uncertainty for merchants exploring CBDC-related services.
International developments directly affect UK merchants with EU operations or cross-border euro payments. EU instant payments mandate ten-second settlement for euro transfers, while the AI Act restricts fraud detection systems and PSD3 strengthens merchant liability. The Digital Euro proposes capped merchant fees, and mandatory Verification of Payee increases payment friction across European markets.
The EU Instant Payments Regulation, adopted in March 2024, makes instant euro credit transfers the default across the EU. Funds must be credited to recipients within ten seconds, 24/7, with fees capped at standard credit transfer rates.
Verification of Payee and daily sanctions checks are mandatory, enhancing fraud protection.
The EU Artificial Intelligence Act entered into force on 1 August 2024 with phased implementation through 2027. Prohibited AI practices came into effect on 2 February 2025, including a ban on AI systems assessing risk of criminal activity based solely on profiling of natural persons or personality traits. This creates compliance challenges for AI-based fraud detection and anti-money laundering systems, which must now implement human oversight to avoid falling under prohibited practices. High-risk AI fraud detection systems must provide explainability, implement human oversight, maintain high data quality, and be auditable under the Act’s requirements.
For platforms and marketplaces, AI systems that affect users’ earning ability are classified as “high-risk” under the Annexe III employment provisions, which require stringent compliance, including conformity assessments and CE marking. Credit-scoring and fraud-detection AI systems are subject to documentation, transparency, and cybersecurity requirements, and financial institutions using AI for payment fraud detection must comply by 2 August 2026. Non-compliance carries penalties up to €35 million or 7% of global annual turnover.
The EU’s upcoming PSD3 Directive and PSR Regulation will overhaul payments law, replacing PSD2 and the Electronic Money Directive. Key changes include mandatory Verification of Payee for all credit transfers, stronger fraud and liability rules, enhanced consumer controls, and expanded obligations for platform and technology providers.
PSD3 will govern licensing and supervision, while the PSR applies directly across all member states.
MiCA establishes the EU’s first comprehensive framework for cryptoassets, covering issuance, custody, trading, and marketing. Cryptoasset service providers (CASPs) must be authorised from 1 July 2026, and issuers face stricter disclosure, prudential, and conduct obligations. The regulation also sets rules for stablecoins and market abuse.
The European Central Bank (ECB) and EU co-legislators are progressing a retail digital euro, designed to coexist with cash and private payment solutions across the euro area. It will support online and offline payments, with holding limits, capped merchant fees during an initial five-year transition, and requirements for fair access to mobile hardware and software. The digital euro could become operational around 2029, subject to EU legislative adoption and ECB testing.
The GENIUS Act establishes the first comprehensive US federal regime for payment stablecoins, restricting issuance to licensed entities and imposing prudential, reserve, and audit requirements. It clarifies treatment under US law and defines payment stablecoins as fully backed, redeemable at par, with segregated reserves and monthly certifications. Foreign issuers can operate only if their home regime is judged “substantially similar” and reserves are held in the US. The regime takes effect on 18 January 2027, or earlier if implementing regulations are finalised.
Review financial reporting and accounting treatment to reflect clarified regulatory status.
Beyond payments-specific rules, merchants face new obligations across retail operations, environmental compliance, and digital accessibility. The Deposit Return Scheme reshapes payment flows and customer experience, Extended Producer Responsibility creates packaging cost obligations, and accessibility regulations mandate inclusive checkout journeys to prevent discrimination claims.
The UK Deposit Return Scheme launches in October 2027, requiring all physical retailers selling single-use drinks containers to charge consumers an additional deposit per item (amount not yet set). Consumers recoup deposits by recycling containers through Reverse Vending Machines (RVMs). The scheme affects all retailers selling drinks—from supermarkets to gym vending machines—creating new operational requirements for deposit collection, RVM installation, and refund processing.
The default retailer position involves printing millions of QR codes on thermal paper for redemption at point-of-sale or customer service desks. Payment providers are developing alternative solutions enabling consumers to tap cards or phones on RVM readers for instant refunds, avoiding paper-based systems. Retailers see RVMs as potential footfall drivers and differentiation opportunities, though many aim to redirect deposit value to closed-loop loyalty schemes rather than immediate cash refunds. The scheme represents a fundamental change to retail payment flows, inventory management, and customer experience design across the UK drinks retail sector.
Key date:
Extended Producer Responsibility for packaging came into force in 2023, with full compliance requirements phased through 2026-2027. The regime shifts packaging waste management costs from local authorities to businesses that place packaged goods on the UK market. Merchants pay fees based on packaging tonnage and material type, with higher fees for non-recyclable or hard-to-recycle packaging. The scheme covers all packaging—from primary product packaging to transit packaging and e-commerce shipping materials. Fee calculations require detailed data collection on packaging volumes, materials, and recyclability across supply chains.
Online merchants face particular complexity in tracking packaging used by third-party sellers or fulfilment partners. The regime aims to incentivise packaging reduction and recyclability improvements whilst funding UK waste collection infrastructure. PackUK (within DEFRA) operates the scheme administrator, with reporting via online portals that require integration with inventory and procurement systems. Non-compliance risks, enforcement action, and reputational damage as packaging sustainability becomes a consumer purchasing factor.
Key date
Website accessibility requirements under the Equality Act 2010 and Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 apply to e-commerce merchants, with enforcement increasing through 2025-2026 following high-profile legal cases. The regulations require websites and mobile apps to be perceivable, operable, understandable, and robust for users with disabilities, following Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standards. Critical areas for merchants include checkout flows, payment method selection, form completion, error handling, and screen reader compatibility. Inaccessible websites risk discrimination claims under the Equality Act, with the Equality and Human Rights Commission and individual claimants bringing enforcement action.
High-street retailers, including Co-op, Tesco, and Sainsbury’s, have faced legal challenges over inaccessible websites. Payment-related accessibility failures create a particular risk: inaccessible checkout flows directly prevent disabled customers from completing purchases, strengthening discrimination claims. Mobile apps face additional scrutiny as usage grows. The regulations cover all customer-facing digital touchpoints, including websites, progressive web apps, native mobile apps, and customer account portals.
Key date:
Merchants should expect higher compliance costs, greater supervisory scrutiny, and reduced tolerance for weak governance, operational controls, or consumer protection failures.
Operational readiness is now decisive. Extended contactless limits, open finance data-sharing, AI governance frameworks, deposit return schemes and accessibility compliance will test systems, people and third-party dependencies well before formal deadlines.
Early engagement with consultations and implementation planning will be critical. Merchants that move first will be better positioned to manage regulatory risk, protect customers and compete as the UK payments landscape continues to evolve.
UK merchants expect agentic commerce to grow rapidly, but uncertainty around liability, fraud, and standards is slowing readiness.
Stablecoins are moving into mainstream finance, reshaping payments, trade, and regulation as institutions explore faster, programmable settlement.
A forward-looking overview of key regulatory developments across payments, crypto and financial services, with timelines and practical implications.
You need to be logged in to do this!
