Merchant Regulation Roadmap Q3

Q3 2025 marks a turning point for UK merchant payments, with new enforcement powers, fraud liability rules, and regulatory mergers reshaping compliance priorities. This roadmap distils the most pressing obligations, deadlines, and strategic risks to help payments leaders navigate a rapidly evolving legal and operational landscape.

Introduction

About the roadmap

The UK merchant payments landscape enters a critical Q3 2025 phase, with regulatory developments creating immediate compliance obligations and strategic challenges. The Competition and Markets Authority’s direct enforcement powers, activated in April 2025 with penalties up to 10% of global turnover, fundamentally shift how payment practices face scrutiny and enforcement.

Three developments demand immediate attention. First, ongoing Payment Services Regulator (PSR) interchange fee caps litigation leaves £150-200 million in potential annual savings uncertain whilst merchants continue paying post-Brexit rates of 1.15-1.5% on cross-border transactions. Second, the APP fraud reimbursement rules implemented in October 2024 show strong reimbursement rates, creating new operational considerations for payment acceptance. Third, the announced PSR-FCA merger consolidates payments oversight under a single regulator by 2026, potentially streamlining compliance but raising questions about specialised payments expertise.

The regulatory agenda extends beyond traditional processing concerns. BNPL services face mandatory Financial Conduct Authority (FCA) authorisation by July 2026, requiring fundamental changes to merchant checkout processes and provider relationships. PCI DSS 4.0 introduces 64 new security requirements with full compliance now mandatory. Meanwhile, stablecoin regulation proposals draw significant industry criticism over capital requirements and operational feasibility, potentially limiting UK market participation.

This roadmap examines regulations most relevant to payments teams, focusing on transaction processing, payment acceptance standards, and operational costs. Each section identifies specific compliance requirements, implementation timelines, and practical steps, prioritising actionable intelligence to enable payments leaders to allocate resources effectively through 2026 and beyond.

Foreword

The regulatory environment facing UK merchants is entering its most complex and consequential phase in over a decade. This roadmap is designed not only to highlight what is changing, but to help our members anticipate the operational, financial, and strategic implications of those changes. The coming 18 months will bring simultaneous shifts in enforcement powers, fraud liability, digital payments oversight, and cross-border compliance that will redefine competitive positioning across the sector. For payment leaders, success will depend on acting decisively, prioritising resources with precision, and embedding compliance excellence into core business strategy. This is not simply a regulatory update; it is an operational survival guide for a rapidly evolving market.
Benjamin David
Head of Intelligence

Recent and immediate developments: Q2-Q3 2025

Q2–Q3 2025 brings an unprecedented convergence of regulatory changes for UK merchants, from the CMA’s sweeping new enforcement powers to fraud prevention deadlines, payment disputes, and emerging digital currency rules. These developments carry immediate compliance obligations and high financial stakes, demanding rapid operational and strategic responses

CMA enforcement powers create unprecedented penalty risk

The Digital Markets, Competition and Consumers Act 2024 (DMCC), effective April 6, 2025, is fundamentally transforming consumer protection enforcement. The Competition and Markets Authority (CMA) now wields direct administrative enforcement powers without court involvement, imposing fines up to 10% of global annual turnover or £300,000 for individuals. This represents the most significant shift in UK consumer protection enforcement in decades.

Priority enforcement areas include drip pricing (unexpected charges at checkout), fake reviews, aggressive sales practices targeting vulnerable consumers, and misleading marketing claims. The CMA has announced a phased enforcement approach, with a 3-month grace period on fake review enforcement (until July 2025) and drip pricing enforcement to begin once final guidance is published in Autumn 2025. The CMA will initially focus on clear, egregious breaches whilst businesses adapt to the new requirements, with further consultation on drip pricing scheduled for Q3 2025 and final guidance expected in Autumn 2025.

Critical 22 October 2025 deadline: On 23 July 2025, the CMA provisionally proposed to designate Apple and Google with Strategic Market Status. The consultation is currently open and runs until 22 August 2025, with a final decision due by 22 October 2025. As of now, the CMA has already published detailed expectations for both companies, including reforms to app review processes, digital wallet access, and app store steering. These proposals are likely to have major implications for all merchants operating within their mobile ecosystems.

  • CMA now has direct administrative enforcement powers to impose fines up to 10% of global annual turnover without requiring court approval
  • Strict liability offences requiring only an unfair act or omission to prove liability, with very low threshold for businesses to be liable
  • Enhanced investigative powers, including information requests, premises entry, test purchases, and Provisional Infringement Notices
  • 22 October 2025 CMA decision on Apple/Google Strategic Market Status affecting digital wallet access, app store terms, and mobile payment processing for all merchants
  • Audit existing pricing models to ensure total price transparency, including all mandatory fees, taxes, and charges in headline prices
  • Implement reasonable and proportionate steps to prevent fake reviews, including detection systems and content moderation processes
  • Establish robust internal compliance mechanisms and staff training programmes on new consumer protection rules
  • Monitor CMA’s Q3 2025 consultation on complex pricing scenarios and Q4 2025 final drip pricing guidance

Payment regulation deadlines and enforcement

Authorised Push Payment  (APP) fraud reimbursement requirements, implemented October 7, 2024, show 87% of victims reimbursed, totalling £66 million in six months, with consumers submitting around 109,000 claims, of which 77,000 were in scope for reimbursement. The £85,000 reimbursement cap and 50:50 payments service provider (PSP) cost sharing create operational uncertainty for merchants around payment acceptance standards. At the same time, only 3% of claims were rejected due to consumers not taking sufficient care over transactions.

For merchants, this creates direct operational risk: a customer makes a legitimate purchase and receives their goods, but later falls victim to a separate APP fraud incident. Under the reimbursement scheme, their bank may claw back funds from recent transactions to cover the fraud loss, leaving the merchant having delivered goods but losing payment through no fault of their own. This highlights the need for robust transaction monitoring and customer verification processes.

Ongoing litigation over the payment systems regulator’s (PSR) powers has paused cross-border interchange fee decisions, with no further updates expected until at least the end of Q3 2025. The PSR is pausing any further consultation or decision regarding a potential interim price cap until at least the end of Q3 2025 due to ongoing litigation over its powers. The confirmed increases from 0.2% to 1.15% for debit cards and 0.3% to 1.5% for credit cards cost UK businesses £150-200 million extra annually due to post-Brexit changes.

Financial conduct authority (FCA) operational resilience compliance requires banks, e-money institutions, and payment providers to demonstrate enhanced cybersecurity and incident response procedures. For merchants, this means potential service disruptions as PSPs implement final compliance measures, alongside possible fee adjustments to cover regulatory investment costs affecting payment processing reliability.

  • The APP fraud reimbursement cap of £85,000, with 50:50 cost sharing between sending and receiving PSPs, creates operational uncertainty for merchants around payment acceptance standards
  • Merchants face potential disputes where customers claim app fraud reimbursement, but the merchant has legitimately delivered goods/services, with both banks now required to share liability equally
  • Cross-border interchange fee increases from 0.2%-0.3% to 1.15%-1.5% post-Brexit cost UK businesses £150-200 million annually, with PSR expected to rule on caps by the end of 2025
  • Assess exposure to potential service disruptions as PSPs implement final operational resilience compliance measures and possible fee adjustments to cover regulatory investment costs

Digital currencies: Stablecoin and CBDC readiness

The UK’s approach to digital currencies creates both opportunities and compliance obligations for forward-thinking merchants. Following extensive industry consultation, HM Treasury has now published draft legislation with implementation expected by early 2026, though significant concerns remain about the regime’s competitiveness.

The FCA’s consultation papers CP25/14 and CP25/15, which closed 31 July 2025, propose a regulatory framework that industry views as “overly complex and significantly less supportive of innovation and growth than comparable international models, particularly the newly adopted U.S. regime.” The framework requires FCA authorisation for cryptoasset activities, including operating trading platforms, with stablecoin issuers facing minimum capital requirements of £350,000 and full reserve backing.

  • Industry feedback warns that “the totality of these proposals means that no UK-based stablecoin issuers launch at all,” leaving the UK market to overseas issuers, whilst UK firms miss revenue opportunities
  • The FCA’s modelling of the regime on IFPR creates unnecessary complexity, with K-factor volume-based capital requirements acting as “a very obvious disincentive to grow”
  • The US GENIUS Act represents “a genuine game-changer” that “cannot be ignored as to do so risks making the UK an uncompetitive jurisdiction for this sector”
  • Daily reconciliation requirements and next-day redemption obligations are viewed as “operationally unfeasible” when backing assets include instruments that are not immediately liquid
  • Monitor FCA’s response to industry concerns about overly prescriptive rules that “inhibit growth” compared to frameworks in Singapore, Hong Kong, and the Gulf States
  • Evaluate partnerships with overseas stablecoin providers who may find it “far more economically rational to access the UK market from offshore”
  • Prepare for potential regulatory recalibration, as there remains “a clear disjunction between the Chancellor’s Mansion House ambition” and the proposed restrictive regime
  • Consider that whilst the Digital Pound Lab launches later in 2025, CBDC implementation remains in the design phase, with launch not expected until late in the decade

Economic Crime Act fraud prevention requirements

From 1 September 2025, large organisations will face a new corporate offence under the Economic Crime and Corporate Transparency Act 2023 for failing to prevent fraud. This strict liability regime significantly expands corporate criminal exposure, applying even where senior management was unaware of the misconduct, and extending to employees, agents, subsidiaries, and other associated persons. With overseas companies also in scope if UK victims are targeted, businesses must urgently review fraud prevention controls, training programmes, and governance to meet the ‘reasonable procedures’ defence and avoid severe financial and reputational consequences.

  • Organisations could face fines from 1 September 2025 for failing to prevent fraud committed by employees, agents, subsidiaries or associated persons intending to benefit the organisation
  • Strict liability offence applies to organisations meeting two of: 250+ employees, £36m+ turnover, or £18 million plus balance sheet total, with no need to prove senior management knowledge
  • Overseas companies can be liable if the fraud is committed under UK law or targets UK victims

  •  
  • Implement six core fraud prevention principles: top-level commitment, risk assessment, proportionate procedures, due diligence, training and communication, and ongoing monitoring
  • Conduct comprehensive fraud risk assessments, identifying vulnerabilities across all associated persons, including employees, agents, subsidiaries and third-party service providers
  • Review and update existing policies, procedures and internal controls to address fraud prevention rather than just fraud detection
  • Assess the scope of “senior managers” under the broader ECCTA definition beyond traditional Senior Managers and Certification Regime requirements

Short to medium-term impact: Q4 2025 through 2026

The final quarter of 2025 and the year ahead will see a wave of regulatory changes reshape merchant operations, from cost and compliance pressures to shifts in payments oversight and sustainability reporting. With new packaging obligations, suspended but high-impact interchange reforms, BNPL authorisation, and intensified cybersecurity standards all on the horizon, merchants must prepare for a period of complex, overlapping demands.

Q4 2025 regulatory milestones reshape merchant operations

Extended Producer Responsibility (EPR) for packaging takes effect on 1 October 2025, introducing new waste management fees charged directly to packaging producers. This delayed implementation from 2024 creates a single point of compliance for packaging waste collection and management costs.

The PSR proposed Stage 1 cross-border interchange fee caps following its December 2024 final report, which would reduce merchant processing costs for EEA card transactions from 1.15% to 0.2% for debit cards and 1.5% to 0.3% for credit cards – returning to pre-Brexit levels. The regulator’s consultation period closed in Q1 2025, with Stage 1 price caps potentially saving UK businesses £150-200 million annually. However, ongoing litigation over the PSR’s powers has paused implementation, with the regulator providing no further updates until at least the end of Q3 2025. A longer-term Stage 2 methodology with regular reviews remains under development, though implementation timelines are now uncertain due to the legal proceedings. Separately, the PSR continues its review of domestic card scheme fees, launched in 2023, which could deliver additional cost reductions for UK merchants processing domestic transactions.

  • EPR obligations apply to large producers (turnover over £2 million and over 50 tonnes of packaging annually) from October 2025, requiring payment of Local Authority Waste Management Fees directly to the Scheme Administrator, with civil sanctions and criminal prosecution for non-compliance
  • Businesses must submit granular packaging data twice yearly, including recyclability assessments under the Recyclability Assessment Methodology from 2025
  • PSR interchange fee cap implementation suspended due to legal challenges from Revolut and Visa over the regulator’s statutory powers, creating ongoing uncertainty affecting payment processing cost planning, with potential £150-200 million annual savings dependent on litigation outcomes
  • Merchants face an increased compliance burden under the Economic Crime and Corporate Transparency Act’s “failure to prevent fraud” offence from September 2025, alongside new digital accessibility standards and evolving open finance frameworks, creating operational risks
  • Register on the EPR packaging online service and prepare for twice-yearly data submissions with the next deadline 1 October 2025, budgeting for base fees ranging from £43-£510 per tonne, depending on packaging material type
  • Submit nation data by 1 April 2026, showing where UK packaging was supplied and discarded, implementing the Recyclability Assessment Methodology for all household packaging to prepare for modulated fees from 2026
  • Monitor PSR litigation developments and regulatory updates expected by the end of Q3 2025 regarding interchange fee cap implementation, whilst assessing exposure to new fraud prevention obligations and digital accessibility requirements

BNPL regulation transforms payment landscape

Buy now, pay later regulation will reach full implementation by 15 July 2026, following HM Treasury’s confirmation on 19 May 2025 of its final regulatory position and publication of draft statutory instruments. Third-party BNPL lenders will require FCA authorisation, conduct mandatory affordability assessments, and provide Financial Ombudsman Service access. Crucially, Section 75 protection will apply to BNPL credit agreements over £100, making BNPL lenders jointly liable for merchant breaches of contract or misrepresentation. Notably, merchant-provided BNPL remains exempt under RAO Article 60F(2), but this exemption is currently under review by HM Treasury but faces ongoing review. This creates enhanced consumer confidence in BNPL services while potentially changing provider relationships and compliance costs for merchants offering direct BNPL arrangements.

  • Third-party BNPL lenders must obtain FCA authorisation by 15 July 2026 or cease regulated activities, with mandatory affordability and creditworthiness assessments disrupting the fast, frictionless model and increasing compliance costs
  • Substantial regulatory uplift required moving from an unregulated to an FCA-regulated environment, requiring investments in systems, controls and personnel that will pressure margins and fees
  • Merchant-provided BNPL remains exempt under Article 60F(2), creating a competitive disadvantage for third-party providers, whilst authorised persons must approve financial promotions by unauthorised merchants offering third-party BNPL
  • Consumer Credit Act sanctions disapplied but borrowers gain section 75 protections and FOS access, creating new liability exposure for lenders with anti-avoidance provisions preventing circumvention through reseller arrangements
  • Register for the Temporary Permissions Regime two months before 15 July 2026 if currently offering BNPL without authorisation, then apply for full authorisation within six months
  • Implement mandatory creditworthiness assessment systems and redesign user journeys to incorporate affordability checks, develop Consumer Duty-compliant disclosure regimes, moving away from Consumer Credit Act requirements
  • Establish complaints handling procedures, including FOS access, set up credit reporting systems to share BNPL agreement data with credit reference agencies, and review financial promotions arrangements with merchants
  • Monitor FCA consultation feedback (closing 26 September 2025) and prepare for final rules expected early 2026, assess competitive positioning against merchant-provided BNPL exemptions and strategic implications of two-tier regulatory system

PSR-FCA consolidation reshapes payments oversight

The UK government announced on 12 March 2025 that the PSR will be abolished and its operations merged with the FCA as part of Prime Minister Sir Keir Starmer’s government drive to reduce regulatory complexity. The decision follows complaints from businesses that payment system firms had to engage with three different regulators, costing them time, money and resources.

The government has confirmed that a consultation on the PSR’s integration into the FCA will begin in Q3 2025, with legislation expected to be introduced to formalise the merger in late 2025. During the interim period, the PSR and FCA will work closely together to facilitate a smooth transition, with the recent appointment of a joint PSR/FCA Payments Executive Director expected to help align the two regulatory bodies.

The consolidation directly impacts the Joint Regulatory Oversight Committee (JROC), which has coordinated open banking development between the FCA, PSR, CMA and HM Treasury since 2022. The government’s National Payments Vision, published in January 2025, confirms that “JROC will be wound down at the earliest opportunity” with the FCA becoming “the UK’s regulator in the future” for open banking oversight.

The government expects the FCA to engage as appropriate with the PSR on the interaction of Open Banking overlay services with underlying payment rails, which remain PSR-regulated payment systems. This represents a fundamental shift from JROC’s collaborative model to FCA-led supervision, potentially accelerating decision-making but raising questions about specialised payments expertise concentration within merchant oversight structures.

  • The PSR will retain statutory powers and continue regulatory functions independently until legislation formally enacts the merger, creating potential transitional compliance uncertainty with unclear transfer of specific directions and enforcement regime from PSR to FCA
  • Risk that the merger could result in a period of internal focus, causing regulatory slowdown and potential loss of pockets of excellence, with JROC dissolution removing the collaborative oversight model for open banking development
  • No immediate changes to the PSR remit during transition, but uncertainty over long-term regulatory approach and priorities under FCA-led supervision
  • Monitor Q3 2025 consultation on PSR integration and submit responses to influence final regulatory structure, review current PSR reporting requirements to assess potential changes under the FCA regime integration
  • Prepare for revised memorandum of understanding between FCA, PSR, BoE and PRA on payments regulation expected by Q2 2025, adjust open banking compliance strategies for FCA-led smart data scheme regulation
  • Engage with FCA’s accelerated work on variable recurring payments commercial model following JROC wind-down, assess the impact of FCA’s expanded international presence plans on UK payments oversight priorities

Sustainability reporting becomes mandatory

UK Sustainability Reporting Standards are currently under consultation, with exposure drafts published on 25 June 2025 and the consultation closing on 17 September 2025. Final standards are expected in Q4 2025. While initially voluntary, mandatory adoption may follow separate regulatory consultations—led by the FCA for listed companies and by the UK Government for other large or economically significant entities. If implemented, the UK SRS would apply to accounting periods beginning on or after 1 January 2026.

Based on ISSB-aligned standards, UK SRS will require mandatory reporting of Scope 1 & 2 emissions from Year 1, with Scope 3 emissions required but with phased relief periods and transition plans required. This represents a unified approach consolidating current requirements under the SECR and TCFD frameworks.

  • UK SRS consultation closes 17 September 2025; final standards due Q4 2025. FCA and the government may mandate use from 1 January 2026 for listed and large entities.
  • No delayed reporting in year one; “climate-first” phased approach requires Scope 1 & 2 from year one, Scope 3 from year three.
  • UK SRS will replace SECR, TCFD, and CRFD with a unified regime focused on economically significant entities.
  • Separate consultations on assurance providers and transition plans add further compliance requirements.
  • Respond to the consultation by 17 September 2025. Assess current reporting against ISSB S1 and S2 standards.
  • Prepare to report Scope 1 & 2 emissions from year one; plan for Scope 3 from year three.
  • Monitor FCA’s consultation on mandatory requirements and assurance regulations.
  • Improve data collection and controls for third-party assurance. Begin transitioning from SECR and TCFD to UK SRS.

Enhanced cybersecurity obligations

The cybersecurity landscape for payment data protection has presented unprecedented complexity for UK merchants in 2025. The draft Cyber Security and Resilience Bill, expected to be introduced towards the end of Q4 2025, remains in development and is not yet law as of Q3 2025, with provisions subject to change during the parliamentary process. Once enacted, it will ensure firms providing essential IT services to public services and the wider economy are no longer an easy target for cyber criminals, with 1,000 service providers falling into scope.

Payment-specific security requirements have intensified with PCI DSS 4.0 coming into effect on 1 April, impacting all companies that handle cardholder data. The update introduces 64 new requirements for organisations to comply with, fundamentally reshaping merchant compliance obligations.

  • Of the 64 requirements, 13 came into effect immediately on 1 April. The remainder became mandatory on 31 March 2025, meaning all operational resilience requirements are now in full effect.
  • Organisations that fail to comply with the UK-GDPR may be penalised by a maximum fine of up to £17.5 million (€20 million) or 4% of their overall annual turnover.
  • The Cyber Security and Resilience Bill will bring enhanced regulatory powers and increased incident reporting. It will bring mandatory reporting of ransomware payments to the government.
  • PCI DSS v4.0.1 brings a mix of enhanced technical requirements and more flexible implementation options, reflecting a shift from prescriptive checklists to outcome-based security.
  • Organisations must carry out an annual review to confirm and document the scope of their operations, and therefore, which of the four compliance levels they should maintain.
  • Implement 12 core PCI DSS requirements, including: install and maintain a firewall, encrypt payment card data transmitted across open networks, restrict access to cardholder data, and regularly test security systems.
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, train staff on handling of medical information, PII, and other sensitive data.
  • Prepare for 24-hour incident reporting (versus current 72 hours), stricter technical security standards, and regulatory fees to fund enforcement under the new Cyber Security and Resilience Bill.
  •  

Future impact monitoring: 2026 and beyond

From 2026 onwards, the regulatory horizon will be defined by the phased implementation of major financial services, digital markets, and AI governance reforms. With Basel 3.1, stablecoin authorisation, open banking expansion, and cross-jurisdictional digital regulation all advancing in parallel, merchants must prepare for a prolonged period of structural change that will reshape operational, compliance, and competitive dynamics.

Financial services regulatory evolution

Basel 3.1 implementation shifts to January 2027 (delayed from 2026), while cryptoasset regulation undergoes progressive implementation through 2025-2026. The FCA’s crypto regulatory framework consultations closed on 31 July 2025, with stablecoin regulations and market abuse provisions expected by 2026 amid significant industry concerns over competitiveness. Open Banking evolution continues with transitioning oversight as the PSR consolidates into the FCA, focusing on Variable Recurring Payments expansion and account-to-account e-commerce payments development.

  • Basel 3.1 implementation delayed to 1 January 2027 due to US timeline uncertainty; transitional periods shortened to keep full implementation by 2030; firm data collection paused.
  • FCA stablecoin and crypto custody consultations closed 31 July 2025; final rules expected in 2026. FCA authorisation will be required, with stablecoin issuers facing £350,000 minimum capital and full reserve backing. Industry concerns focus on complexity and high capital demands, possibly deterring UK entrants.
  • Industry feedback highlights that the proposed K-factor capital requirements and IFPR prudential regime may hinder growth and reduce UK competitiveness, especially compared to the US GENIUS Act.
  • Redemption requirements may be operationally difficult due to asset liquidity limits and preference for intermediated platforms over direct redemption.
  • Variable Recurring Payments (VRP) expansion requires commercial model development and the setup of an independent operator. Open Banking evolution continues under FCA, transitioning as PSR consolidates, aiming at e-commerce by 2026.
  • Review potential regulatory adjustments based on industry feedback on capital, redemption, and operational challenges.
  • Consider alternative compliance or offshore structuring if the FCA holds its current stance.
  • Monitor final rules expected in 2026 and adjust implementation plans accordingly.
  • Continue Basel 3.1 planning while tracking US regulatory progress.
  • Watch for further FCA consultations on trading platforms, intermediation, lending, staking, and conduct standards due Q3-Q4 2025.
  • Prepare for VRP Wave 1 implementation targeting regulated utilities from mid-2025.

AI governance and digital markets

The UK maintains its pro-innovation, sector-specific approach to AI regulation, contrasting with the EU AI Act’s comprehensive framework. The Digital Regulation Cooperation Forum coordinates guidance across ICO, Ofcom, CMA, and FCA, with ongoing development continuing through 2025 and beyond. Meanwhile, the Digital Markets Act implementation affecting UK merchants serving EU customers continues evolving, with established business user rights, data access provisions, and advertising transparency requirements for gatekeeper platforms now in the active enforcement phase following the first DMA penalties imposed in April 2025 (Apple €500m, Meta €200m)

  • The UK’s principles-based AI regulatory framework lacks statutory backing, creating potential regulatory gaps and inconsistent enforcement across sectoral regulators, whilst the reintroduced AI Regulation Bill passed its first reading on 4 March 2025, but remains unlikely to pass in its current form, given time constraints and lack of government backing
  • EU AI Act prohibitions have been in effect since 2 February 2025, with UK businesses now operating under established compliance frameworks for EU market access, whilst DMA enforcement continues with penalties totalling €700m in H1 2025
  • UK CMA Strategic Market Status investigations launched in January 2025, with Google’s general search investigation progressing to provisional designation proposals published 24 June 2025, with final decision due 13 October 2025
  • CMA proposed Apple and Google for Strategic Market Status in mobile ecosystems on 23 July 2025, with final decisions expected by 22 October 2025 and potential interventions to begin from Q4 2025
  • Monitor potential delay of UK government AI Bill to Q3 2025 as government appears to be aligning with US pro-innovation stance following joint UK-US AI agreement announced 27 February
  • Await CMA final decisions on Google search (13 October) and Apple/Google mobile ecosystem designations (22 October 2025), prepare for potential conduct requirements consultations from autumn 2025
  • Monitor ongoing DMA enforcement developments, including March 2025 preliminary findings against Alphabet for search favouritism and Google Play steering restrictions
  • Evaluate readiness for potential AI statutory regime implementation following AI Opportunities Action Plan published 13 January 2025 and expected sectoral guidance publications from regulators through Q4 2025

International developments: EU cross-border compliance

Shifting EU regulations on data protection, product safety, VAT, and customs are set to redefine how UK merchants trade across borders. With GDPR adequacy renewal uncertain, new product safety oversight, and complex import VAT reforms on the horizon, businesses must act now to secure compliance and safeguard market access.

GDPR adequacy decision faces critical deadline

The UK-EU GDPR adequacy decision is set to expire on 27 December 2025, creating potential disruption for data flows between UK merchants and EU customers. The European Commission has indicated, by publishing its draft adequacy decision of 22 July 2025, that the level of protection for personal data ensured by the United Kingdom remains essentially equivalent to European standards, following the UK’s adoption of the Data (Use and Access) Act 2025 on 19 June 2025.

The European Data Protection Board adopted a positive opinion on the proposed six-month extension in May 2025, recognising this as an “exceptional” extension due to ongoing UK legislative developments. Subject to successfully negotiating these stages, the Draft Adequacy Decision will apply for a period of six years from its entry into force, i.e., until December 27, 2031, after which time it may be renewed for a further period of four years.

While the extension provides short-term legal certainty, the long-term renewal of the adequacy agreement remains uncertain. Therefore, contingency planning becomes essential for UK merchants processing EU personal data. This includes preparation for Standard Contractual Clauses as a backup mechanism and the adoption of data minimisation strategies to reduce reliance on EU data processing. Businesses should prioritise establishing Standard Contractual Clauses with the UK Addendum as an operational fallback, ensuring continuity of EU data transfers should the adequacy renewal face delays or potential revocation beyond 2031.

  • UK-EU adequacy decisions expire 27 December 2025 following a six-month extension, with EDPB emphasising the exceptional and time-limited nature.
  • DUAA 2025 introduces a “not materially lower” transfer standard, potentially impacting adequacy status with new legitimate interests and relaxed automated decision-making.
  • Without an adequacy decision, UK organisations require additional legal safeguards for EU transfers, increasing compliance costs and administrative burden
  • ICO becomes Information Commission with enhanced powers and PECR fines up to £17.5 million or 4% global turnover.
  • Monitor the European Commission’s DUAA assessment, prepare Standard Contractual Clauses backup using the UK International Data Transfer Agreement or the UK Addendum to EU SCCs.
  • Conduct transfer risk assessments for UK-EU data flows, review current arrangements and update contracts with Article 46 transfer mechanisms.
  • Implement data minimisation strategies, update privacy notices and documentation to reflect DUAA changes, including new lawful bases.
  • Monitor DUAA phased implementation timeline (June 2025-2026), evaluate dual EU-UK compliance requirements and engage legal counsel for contingency plans.

Product safety and CE marking requirements

The General Product Safety Regulation (GPSR) came into effect on 13 December 2024, introducing a uniform framework for the safety of non-food consumer products sold to EU consumers. Under the GPSR, UK merchants must appoint an EU Responsible Person for any goods entering the EU market. This representative is responsible for ensuring that products meet safety requirements, carrying out documented risk assessments and maintaining full technical documentation and traceability systems.

The regulation also strengthens enforcement by requiring accessible technical files, which must include safety analysis, applicable standards, and declarations of conformity. These measures apply regardless of whether the product is new, refurbished, or used.

Meanwhile, European Conformity (CE) marking remains a legal requirement for accessing the EU market in key product categories including electronics, machinery, medical devices, toys, and personal protective equipment. UK merchants benefit from regulatory updates in October 2024 that indefinitely accept CE marking in Great Britain, making UK Conformity Assessed (UKCA) marking optional rather than mandatory. However, for sales within the EU, the CE mark remains mandatory.

  • GPSR requires UK merchants to appoint an EU Responsible Person for compliance oversight, creating new operational liability with enhanced labelling requiring electronic addresses.
  • GPSR introduces mandatory accident reporting through the Product Safety Gateway portal, with Member States able to set unlimited penalties.
  • GPSR increases class action risk by amending the EU Representative Actions Directive to allow representative actions for compliance breaches
  • Appoint an EU Responsible Person if manufacturing outside the EU, and conduct documented risk assessments covering physical, mechanical, chemical and digital hazards.
  • Update product labelling with electronic addresses and responsible person details, implement mandatory complaint handling systems and internal safety registers.
  • Update online marketplace listings with all GPSR-required information, including business details, product identification and safety warnings.
  • Prepare for cybersecurity requirements under the Radio Equipment Directive by 1 August 2025, implementing EN 18031 standards, and utilise indefinite CE marking acceptance for the UK market while maintaining CE compliance for EU sales.

VAT and customs compliance complexity

From 2025 onwards, the EU plans to overhaul the Import One-Stop Shop (IOSS) regime for low-value goods (under €150). Council Directive (EU) 2025/1539, adopted on 18 July 2025, shifts primary liability for import VAT from customers to suppliers or deemed suppliers, with implementation required by Member States by 30 June 2028 and application from 1 July 2028

Alongside VAT reform, customs obligations are tightening. All imports into the EU now require full customs declarations and pre-arrival safety and security declarations. The EU’s Import Control System 2 (ICS2) mandates submission of a complete Entry Summary Declaration (ENS) with safety/security data before departure from the origin country. From 1 April 2025, these ENS requirements were extended to road and rail carriers, with full ICS2 deployment—including maritime and inland shipping—scheduled by 1 September 2025.

  • Council Directive 2025/1539 makes non-EU sellers liable for import VAT if not registered under IOSS from 1 July 2028, requiring EU fiscal representative appointment for third-country businesses.
  • IOSS reform prevents sellers from shifting import VAT responsibility to customers, mandating local registration in each EU member state if not using IOSS.
  • Enhanced joint and several liability provisions with IOSS usage growing over €6.3 billion VAT declared in 2024, up 62% from 2023.
  • ICS2 requires a complete Entry Summary Declaration for all transport modes, with road/rail mandatory from 1 April 2025 and full compliance from 1 September 2025.
  • Evaluate IOSS registration benefits versus fiscal representative costs ahead of 1 July 2028 implementation.
  • Appoint an EU fiscal representative or an IOSS intermediary for non-EU sellers and implement systems for enhanced IOSS reporting requirements.
  • Prepare for the unique IOSS transaction number system from 2028 under VAT in the Digital Age reforms adopted on 11 March 2025.
  • Develop an IT infrastructure for Entry Summary Declaration filing, complete mandatory self-conformance testing before connecting to ICS2.
  • Collect complete supply chain data, including six digital HScodes, full party addresses, and EORI numbers for all consignments. 

Required legal actions and compliance steps

The next six months demand both immediate regulatory action and longer-term strategic positioning from merchants. With powerful new enforcement regimes, imminent fraud prevention deadlines, and pivotal payment system decisions on the horizon, businesses must move quickly to secure compliance while preparing for structural shifts in payments oversight, liability, and infrastructure.

Immediate priority actions (July-September 2025)

Between July and September 2025, businesses must conduct urgent compliance reviews in response to expanding regulatory enforcement powers. Under the Digital Markets, Competition and Consumers Act 2024, the Competition and Markets Authority (CMA) has new direct enforcement powers to issue fines of up to 10% of global turnover for breaches of consumer law. Reviews should prioritise pricing transparency to prevent drip pricing breaches and evaluate marketing practices for compliance with unfair commercial practices and hidden fees rules.

Organisations must also address direct marketing compliance, particularly around consent. The Information Commissioner’s Office (ICO) has intensified enforcement in this area, making consent validation audits essential. Businesses should review how consent is collected, stored, and refreshed to ensure alignment with UK GDPR and PECR.

Fraud risk must also be addressed ahead of the 1 September 2025 implementation of the new offence under the Economic Crime and Corporate Transparency Act 2023. This includes the new corporate offence of “failure to prevent fraud”, which imposes criminal liability on organisations that fail to have reasonable fraud prevention procedures in place. To comply, businesses must document risk assessments, implement staff training programmes, and strengthen internal fraud detection capabilities, in line with government guidance on fraud prevention.

Here are the condensed bullet points with a maximum of four per section, focusing on the most valuable items for payments merchants:

  • CMA gains direct enforcement powers under DMCCA 2024 from 6 April 2025, enabling fines up to 10% of global turnover without requiring court orders.
  • New prohibitions target drip pricing practices and fake reviews, with potential criminal prosecution and imprisonment of up to two years.
  • Failure to prevent fraud offence comes into force on 1 September 2025, creating criminal liability for large organisations without reasonable fraud prevention procedures.
  • PECR enforcement includes fines up to £17.5 million or 4% of annual worldwide turnover for serious direct marketing compliance breaches.
  • Conduct urgent pricing transparency reviews to prevent drip pricing violations, ensuring all fees and charges are disclosed upfront
  • Complete fraud risk assessments by 1 September 2025, focusing on “associated persons”, including employees, agents, and subsidiaries.
  • Implement six fraud prevention principles from Home Office guidance: top-level commitment, risk assessment, proportionate procedures, due diligence, training, and monitoring.
  • Audit direct marketing consent collection, storage and refresh processes to ensure compliance with UK GDPR and PECR requirements.

Strategic preparation requirements (Q4 2025-2026)

  • Critical payment system decisions: Monitor the  22 October 2025 CMA decision on Apple and Google Strategic Market Status, which will directly reshape digital wallet access, app store payment terms, and mobile ecosystem costs for all merchants. Simultaneously, the implementation of the PSR interchange fee cap remains suspended due to ongoing litigation between Revolut and Visa, leaving £150-200 million in potential annual savings uncertain. Meanwhile, merchants continue to pay post-Brexit cross-border rates of 1.15%-1.5%.
  • APP fraud operational impact: The 50:50 PSP cost-sharing model, with 87% reimbursement rates and £66 million paid out in six months under the £85,000 cap, creates ongoing disputes. This is because customers claim fraud, while merchants have legitimately delivered goods/services. Payment acceptance standards require continuous review as both sending and receiving banks now share liability equally.
  • Payment infrastructure transitions: The PSR-FCA merger (consultation Q3 2025, legislation late 2025) will consolidate payment system oversight by 2026, potentially streamlining compliance but raising questions about specialised payments expertise. BNPL regulation by 15 July 2026 requires third-party provider authorisation whilst merchant-provided BNPL remains exempt, creating competitive positioning opportunities.
  • Cybersecurity and fraud prevention convergence: PCI DSS 4.0’s 64 new requirements are now fully mandatory, whilst the 1 September 2025 Economic Crime Act deadline demands comprehensive fraud prevention procedures focusing on “associated persons”, including payment processors, acquiring banks, and third-party providers.

Long-term compliance framework development

The payments regulatory landscape has undergone its most significant transformation since the introduction of open banking, with enforcement capabilities, fraud liability models, and market structure investigations creating unprecedented complexity for merchant payment operations.

Key strategic shifts:

  • Payment system volatility: Suspended PSR interchange fee caps highlight regulatory uncertainty whilst APP fraud reimbursement shifts liability between merchants, PSPs, and consumers. PSR-FCA merger by 2026 concentrates payments expertise under a single regulator.
  • BNPL market split: July 2026 regulation creates a two-tier system with merchant-provided BNPL exempt, whilst third-party providers require FCA authorisation, presenting strategic opportunities for direct financing capabilities.
  • Cross-border uncertainty: Stablecoin regulation final rules expected in 2026, though industry warns current proposals may drive UK issuers offshore. Combined with suspended interchange caps, international payment strategy planning faces ongoing complexity.
  • Infrastructure investment escalation: The full implementation of PCI DSS 4.0, along with enhanced cybersecurity obligations, necessitates investment in payment infrastructure to account for regulatory compliance costs, fraud prevention capabilities, and improved incident reporting.

Conclusion

For merchant leaders, this regulatory convergence demands immediate attention to fraud prevention deadlines, strategic positioning around BNPL regulation opportunities, and comprehensive planning for mobile payment ecosystem changes. The suspended interchange fee caps and ongoing APP fraud liability evolution require continuous monitoring, whilst the PSR-FCA merger will reshape the entire payments oversight framework by 2026.

Success in this transformed landscape requires embedding payment compliance excellence into core operations, not as an overlay but as a strategic differentiator in an increasingly regulated but ultimately more trusted payments ecosystem.

Read more Payments Intelligence

Upload your profile photo

You need to be logged in to do this!

Membership

Merchant Community Membership

Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.

Continue reading

Q3 2025 marks pivotal changes in UK merchant payments, escalating regulatory demands and reshaping compliance strategies. Join The Payments Association to read the full article.

Become a member to continue reading

Member of The Payments Association? Log in to continue reading