
Consumer behaviour 2026 report
New research uncovers the payment habits, preferences and priorities shaping the future of payments in the UK.
Q3 2025 marks a turning point for UK merchant payments, with new enforcement powers, fraud liability rules, and regulatory mergers reshaping compliance priorities. This roadmap distils the most pressing obligations, deadlines, and strategic risks to help payments leaders navigate a rapidly evolving legal and operational landscape.
The UK merchant payments landscape enters a critical Q3 2025 phase, with regulatory developments creating immediate compliance obligations and strategic challenges. The Competition and Markets Authority’s direct enforcement powers, activated in April 2025 with penalties up to 10% of global turnover, fundamentally shift how payment practices face scrutiny and enforcement.
Three developments demand immediate attention. First, ongoing Payment Services Regulator (PSR) interchange fee caps litigation leaves £150-200 million in potential annual savings uncertain whilst merchants continue paying post-Brexit rates of 1.15-1.5% on cross-border transactions. Second, the APP fraud reimbursement rules implemented in October 2024 show strong reimbursement rates, creating new operational considerations for payment acceptance. Third, the announced PSR-FCA merger consolidates payments oversight under a single regulator by 2026, potentially streamlining compliance but raising questions about specialised payments expertise.
The regulatory agenda extends beyond traditional processing concerns. BNPL services face mandatory Financial Conduct Authority (FCA) authorisation by July 2026, requiring fundamental changes to merchant checkout processes and provider relationships. PCI DSS 4.0 introduces 64 new security requirements with full compliance now mandatory. Meanwhile, stablecoin regulation proposals draw significant industry criticism over capital requirements and operational feasibility, potentially limiting UK market participation.
This roadmap examines regulations most relevant to payments teams, focusing on transaction processing, payment acceptance standards, and operational costs. Each section identifies specific compliance requirements, implementation timelines, and practical steps, prioritising actionable intelligence to enable payments leaders to allocate resources effectively through 2026 and beyond.
Q2–Q3 2025 brings an unprecedented convergence of regulatory changes for UK merchants, from the CMA’s sweeping new enforcement powers to fraud prevention deadlines, payment disputes, and emerging digital currency rules. These developments carry immediate compliance obligations and high financial stakes, demanding rapid operational and strategic responses
The Digital Markets, Competition and Consumers Act 2024 (DMCC), effective April 6, 2025, is fundamentally transforming consumer protection enforcement. The Competition and Markets Authority (CMA) now wields direct administrative enforcement powers without court involvement, imposing fines up to 10% of global annual turnover or £300,000 for individuals. This represents the most significant shift in UK consumer protection enforcement in decades.
Priority enforcement areas include drip pricing (unexpected charges at checkout), fake reviews, aggressive sales practices targeting vulnerable consumers, and misleading marketing claims. The CMA has announced a phased enforcement approach, with a 3-month grace period on fake review enforcement (until July 2025) and drip pricing enforcement to begin once final guidance is published in Autumn 2025. The CMA will initially focus on clear, egregious breaches whilst businesses adapt to the new requirements, with further consultation on drip pricing scheduled for Q3 2025 and final guidance expected in Autumn 2025.
Critical 22 October 2025 deadline: On 23 July 2025, the CMA provisionally proposed to designate Apple and Google with Strategic Market Status. The consultation is currently open and runs until 22 August 2025, with a final decision due by 22 October 2025. As of now, the CMA has already published detailed expectations for both companies, including reforms to app review processes, digital wallet access, and app store steering. These proposals are likely to have major implications for all merchants operating within their mobile ecosystems.
Authorised Push Payment (APP) fraud reimbursement requirements, implemented October 7, 2024, show 87% of victims reimbursed, totalling £66 million in six months, with consumers submitting around 109,000 claims, of which 77,000 were in scope for reimbursement. The £85,000 reimbursement cap and 50:50 payments service provider (PSP) cost sharing create operational uncertainty for merchants around payment acceptance standards. At the same time, only 3% of claims were rejected due to consumers not taking sufficient care over transactions.
For merchants, this creates direct operational risk: a customer makes a legitimate purchase and receives their goods, but later falls victim to a separate APP fraud incident. Under the reimbursement scheme, their bank may claw back funds from recent transactions to cover the fraud loss, leaving the merchant having delivered goods but losing payment through no fault of their own. This highlights the need for robust transaction monitoring and customer verification processes.
Ongoing litigation over the payment systems regulator’s (PSR) powers has paused cross-border interchange fee decisions, with no further updates expected until at least the end of Q3 2025. The PSR is pausing any further consultation or decision regarding a potential interim price cap until at least the end of Q3 2025 due to ongoing litigation over its powers. The confirmed increases from 0.2% to 1.15% for debit cards and 0.3% to 1.5% for credit cards cost UK businesses £150-200 million extra annually due to post-Brexit changes.
Financial conduct authority (FCA) operational resilience compliance requires banks, e-money institutions, and payment providers to demonstrate enhanced cybersecurity and incident response procedures. For merchants, this means potential service disruptions as PSPs implement final compliance measures, alongside possible fee adjustments to cover regulatory investment costs affecting payment processing reliability.
The UK’s approach to digital currencies creates both opportunities and compliance obligations for forward-thinking merchants. Following extensive industry consultation, HM Treasury has now published draft legislation with implementation expected by early 2026, though significant concerns remain about the regime’s competitiveness.
The FCA’s consultation papers CP25/14 and CP25/15, which closed 31 July 2025, propose a regulatory framework that industry views as “overly complex and significantly less supportive of innovation and growth than comparable international models, particularly the newly adopted U.S. regime.” The framework requires FCA authorisation for cryptoasset activities, including operating trading platforms, with stablecoin issuers facing minimum capital requirements of £350,000 and full reserve backing.
From 1 September 2025, large organisations will face a new corporate offence under the Economic Crime and Corporate Transparency Act 2023 for failing to prevent fraud. This strict liability regime significantly expands corporate criminal exposure, applying even where senior management was unaware of the misconduct, and extending to employees, agents, subsidiaries, and other associated persons. With overseas companies also in scope if UK victims are targeted, businesses must urgently review fraud prevention controls, training programmes, and governance to meet the ‘reasonable procedures’ defence and avoid severe financial and reputational consequences.
The final quarter of 2025 and the year ahead will see a wave of regulatory changes reshape merchant operations, from cost and compliance pressures to shifts in payments oversight and sustainability reporting. With new packaging obligations, suspended but high-impact interchange reforms, BNPL authorisation, and intensified cybersecurity standards all on the horizon, merchants must prepare for a period of complex, overlapping demands.
Extended Producer Responsibility (EPR) for packaging takes effect on 1 October 2025, introducing new waste management fees charged directly to packaging producers. This delayed implementation from 2024 creates a single point of compliance for packaging waste collection and management costs.
The PSR proposed Stage 1 cross-border interchange fee caps following its December 2024 final report, which would reduce merchant processing costs for EEA card transactions from 1.15% to 0.2% for debit cards and 1.5% to 0.3% for credit cards – returning to pre-Brexit levels. The regulator’s consultation period closed in Q1 2025, with Stage 1 price caps potentially saving UK businesses £150-200 million annually. However, ongoing litigation over the PSR’s powers has paused implementation, with the regulator providing no further updates until at least the end of Q3 2025. A longer-term Stage 2 methodology with regular reviews remains under development, though implementation timelines are now uncertain due to the legal proceedings. Separately, the PSR continues its review of domestic card scheme fees, launched in 2023, which could deliver additional cost reductions for UK merchants processing domestic transactions.
Buy now, pay later regulation will reach full implementation by 15 July 2026, following HM Treasury’s confirmation on 19 May 2025 of its final regulatory position and publication of draft statutory instruments. Third-party BNPL lenders will require FCA authorisation, conduct mandatory affordability assessments, and provide Financial Ombudsman Service access. Crucially, Section 75 protection will apply to BNPL credit agreements over £100, making BNPL lenders jointly liable for merchant breaches of contract or misrepresentation. Notably, merchant-provided BNPL remains exempt under RAO Article 60F(2), but this exemption is currently under review by HM Treasury but faces ongoing review. This creates enhanced consumer confidence in BNPL services while potentially changing provider relationships and compliance costs for merchants offering direct BNPL arrangements.
The UK government announced on 12 March 2025 that the PSR will be abolished and its operations merged with the FCA as part of Prime Minister Sir Keir Starmer’s government drive to reduce regulatory complexity. The decision follows complaints from businesses that payment system firms had to engage with three different regulators, costing them time, money and resources.
The government has confirmed that a consultation on the PSR’s integration into the FCA will begin in Q3 2025, with legislation expected to be introduced to formalise the merger in late 2025. During the interim period, the PSR and FCA will work closely together to facilitate a smooth transition, with the recent appointment of a joint PSR/FCA Payments Executive Director expected to help align the two regulatory bodies.
The consolidation directly impacts the Joint Regulatory Oversight Committee (JROC), which has coordinated open banking development between the FCA, PSR, CMA and HM Treasury since 2022. The government’s National Payments Vision, published in January 2025, confirms that “JROC will be wound down at the earliest opportunity” with the FCA becoming “the UK’s regulator in the future” for open banking oversight.
The government expects the FCA to engage as appropriate with the PSR on the interaction of Open Banking overlay services with underlying payment rails, which remain PSR-regulated payment systems. This represents a fundamental shift from JROC’s collaborative model to FCA-led supervision, potentially accelerating decision-making but raising questions about specialised payments expertise concentration within merchant oversight structures.
UK Sustainability Reporting Standards are currently under consultation, with exposure drafts published on 25 June 2025 and the consultation closing on 17 September 2025. Final standards are expected in Q4 2025. While initially voluntary, mandatory adoption may follow separate regulatory consultations—led by the FCA for listed companies and by the UK Government for other large or economically significant entities. If implemented, the UK SRS would apply to accounting periods beginning on or after 1 January 2026.
Based on ISSB-aligned standards, UK SRS will require mandatory reporting of Scope 1 & 2 emissions from Year 1, with Scope 3 emissions required but with phased relief periods and transition plans required. This represents a unified approach consolidating current requirements under the SECR and TCFD frameworks.
The cybersecurity landscape for payment data protection has presented unprecedented complexity for UK merchants in 2025. The draft Cyber Security and Resilience Bill, expected to be introduced towards the end of Q4 2025, remains in development and is not yet law as of Q3 2025, with provisions subject to change during the parliamentary process. Once enacted, it will ensure firms providing essential IT services to public services and the wider economy are no longer an easy target for cyber criminals, with 1,000 service providers falling into scope.
Payment-specific security requirements have intensified with PCI DSS 4.0 coming into effect on 1 April, impacting all companies that handle cardholder data. The update introduces 64 new requirements for organisations to comply with, fundamentally reshaping merchant compliance obligations.
From 2026 onwards, the regulatory horizon will be defined by the phased implementation of major financial services, digital markets, and AI governance reforms. With Basel 3.1, stablecoin authorisation, open banking expansion, and cross-jurisdictional digital regulation all advancing in parallel, merchants must prepare for a prolonged period of structural change that will reshape operational, compliance, and competitive dynamics.
Basel 3.1 implementation shifts to January 2027 (delayed from 2026), while cryptoasset regulation undergoes progressive implementation through 2025-2026. The FCA’s crypto regulatory framework consultations closed on 31 July 2025, with stablecoin regulations and market abuse provisions expected by 2026 amid significant industry concerns over competitiveness. Open Banking evolution continues with transitioning oversight as the PSR consolidates into the FCA, focusing on Variable Recurring Payments expansion and account-to-account e-commerce payments development.
The UK maintains its pro-innovation, sector-specific approach to AI regulation, contrasting with the EU AI Act’s comprehensive framework. The Digital Regulation Cooperation Forum coordinates guidance across ICO, Ofcom, CMA, and FCA, with ongoing development continuing through 2025 and beyond. Meanwhile, the Digital Markets Act implementation affecting UK merchants serving EU customers continues evolving, with established business user rights, data access provisions, and advertising transparency requirements for gatekeeper platforms now in the active enforcement phase following the first DMA penalties imposed in April 2025 (Apple €500m, Meta €200m)
Shifting EU regulations on data protection, product safety, VAT, and customs are set to redefine how UK merchants trade across borders. With GDPR adequacy renewal uncertain, new product safety oversight, and complex import VAT reforms on the horizon, businesses must act now to secure compliance and safeguard market access.
The UK-EU GDPR adequacy decision is set to expire on 27 December 2025, creating potential disruption for data flows between UK merchants and EU customers. The European Commission has indicated, by publishing its draft adequacy decision of 22 July 2025, that the level of protection for personal data ensured by the United Kingdom remains essentially equivalent to European standards, following the UK’s adoption of the Data (Use and Access) Act 2025 on 19 June 2025.
The European Data Protection Board adopted a positive opinion on the proposed six-month extension in May 2025, recognising this as an “exceptional” extension due to ongoing UK legislative developments. Subject to successfully negotiating these stages, the Draft Adequacy Decision will apply for a period of six years from its entry into force, i.e., until December 27, 2031, after which time it may be renewed for a further period of four years.
While the extension provides short-term legal certainty, the long-term renewal of the adequacy agreement remains uncertain. Therefore, contingency planning becomes essential for UK merchants processing EU personal data. This includes preparation for Standard Contractual Clauses as a backup mechanism and the adoption of data minimisation strategies to reduce reliance on EU data processing. Businesses should prioritise establishing Standard Contractual Clauses with the UK Addendum as an operational fallback, ensuring continuity of EU data transfers should the adequacy renewal face delays or potential revocation beyond 2031.
The General Product Safety Regulation (GPSR) came into effect on 13 December 2024, introducing a uniform framework for the safety of non-food consumer products sold to EU consumers. Under the GPSR, UK merchants must appoint an EU Responsible Person for any goods entering the EU market. This representative is responsible for ensuring that products meet safety requirements, carrying out documented risk assessments and maintaining full technical documentation and traceability systems.
The regulation also strengthens enforcement by requiring accessible technical files, which must include safety analysis, applicable standards, and declarations of conformity. These measures apply regardless of whether the product is new, refurbished, or used.
Meanwhile, European Conformity (CE) marking remains a legal requirement for accessing the EU market in key product categories including electronics, machinery, medical devices, toys, and personal protective equipment. UK merchants benefit from regulatory updates in October 2024 that indefinitely accept CE marking in Great Britain, making UK Conformity Assessed (UKCA) marking optional rather than mandatory. However, for sales within the EU, the CE mark remains mandatory.
From 2025 onwards, the EU plans to overhaul the Import One-Stop Shop (IOSS) regime for low-value goods (under €150). Council Directive (EU) 2025/1539, adopted on 18 July 2025, shifts primary liability for import VAT from customers to suppliers or deemed suppliers, with implementation required by Member States by 30 June 2028 and application from 1 July 2028
Alongside VAT reform, customs obligations are tightening. All imports into the EU now require full customs declarations and pre-arrival safety and security declarations. The EU’s Import Control System 2 (ICS2) mandates submission of a complete Entry Summary Declaration (ENS) with safety/security data before departure from the origin country. From 1 April 2025, these ENS requirements were extended to road and rail carriers, with full ICS2 deployment—including maritime and inland shipping—scheduled by 1 September 2025.
The next six months demand both immediate regulatory action and longer-term strategic positioning from merchants. With powerful new enforcement regimes, imminent fraud prevention deadlines, and pivotal payment system decisions on the horizon, businesses must move quickly to secure compliance while preparing for structural shifts in payments oversight, liability, and infrastructure.
Between July and September 2025, businesses must conduct urgent compliance reviews in response to expanding regulatory enforcement powers. Under the Digital Markets, Competition and Consumers Act 2024, the Competition and Markets Authority (CMA) has new direct enforcement powers to issue fines of up to 10% of global turnover for breaches of consumer law. Reviews should prioritise pricing transparency to prevent drip pricing breaches and evaluate marketing practices for compliance with unfair commercial practices and hidden fees rules.
Organisations must also address direct marketing compliance, particularly around consent. The Information Commissioner’s Office (ICO) has intensified enforcement in this area, making consent validation audits essential. Businesses should review how consent is collected, stored, and refreshed to ensure alignment with UK GDPR and PECR.
Fraud risk must also be addressed ahead of the 1 September 2025 implementation of the new offence under the Economic Crime and Corporate Transparency Act 2023. This includes the new corporate offence of “failure to prevent fraud”, which imposes criminal liability on organisations that fail to have reasonable fraud prevention procedures in place. To comply, businesses must document risk assessments, implement staff training programmes, and strengthen internal fraud detection capabilities, in line with government guidance on fraud prevention.
Here are the condensed bullet points with a maximum of four per section, focusing on the most valuable items for payments merchants:
The payments regulatory landscape has undergone its most significant transformation since the introduction of open banking, with enforcement capabilities, fraud liability models, and market structure investigations creating unprecedented complexity for merchant payment operations.
For merchant leaders, this regulatory convergence demands immediate attention to fraud prevention deadlines, strategic positioning around BNPL regulation opportunities, and comprehensive planning for mobile payment ecosystem changes. The suspended interchange fee caps and ongoing APP fraud liability evolution require continuous monitoring, whilst the PSR-FCA merger will reshape the entire payments oversight framework by 2026.
Success in this transformed landscape requires embedding payment compliance excellence into core operations, not as an overlay but as a strategic differentiator in an increasingly regulated but ultimately more trusted payments ecosystem.

New research uncovers the payment habits, preferences and priorities shaping the future of payments in the UK.

New research shows vulnerable customers are strong adopters of AI and digital banking, but are far more likely to experience failed payment journeys and poorer outcomes.

UK merchants expect agentic commerce to grow rapidly, but uncertainty around liability, fraud, and standards is slowing readiness.
You need to be logged in to do this!
