
Q4 2025 ushers in a critical phase for merchant compliance, with definitive deadlines now set for ISO 20022 migration, payment safeguarding, and BNPL regulation. This roadmap outlines key regulatory milestones through to 2027, including mandatory protections for settlement funds, extended contract notice periods, and stricter fraud accountability measures. It provides payments leaders with clear next steps to mitigate legal exposure, maintain operational continuity, and position their payment strategies for regulatory resilience.
Merchant payment leaders face an unprecedented regulatory convergence through 2025-2027. Critical deadlines arrive with minimal warning: the ISO 20022 migration becomes mandatory on 22 November 2025, whilst payment safeguarding rules, contract termination protections, and buy now pay later (BNPL) regulation all take effect within Q1-Q2 2026. Historically, in some instances, payment service providers (PSPs) have left merchants with limited shortfalls in settlement funds. New regulations aim to protect your business, but only if you verify provider compliance immediately.
This roadmap prioritises actions by urgency, distinguishing between regulations requiring immediate attention and longer-term preparations. Each section identifies specific legal risks, operational impacts, and concrete next steps. The 22 November ISO 20022 deadline demands verification of PSP readiness within days. Payment safeguarding and contract termination rules arriving in Q2 2026 require preparation now to avoid cash flow disruptions and sudden loss of payment acceptance capability. Strategic decisions around BNPL, digital wallets, and emerging payment methods depend on understanding regulatory trajectories.
The closing months of 2025 bring deadlines with immediate impact on payment operations and compliance exposure. ISO 20022 migration, APP fraud rules, and enforcement triggers require urgent verification of provider readiness and internal system alignment. This section sets out the most time-sensitive risks and actions.
The 22 November 2025 deadline marks the mandatory retirement of legacy message type (MT) formats for cross-border payments. Merchants must verify that their PSPs and acquiring banks have completed end-to-end testing to ensure seamless payment processing continues after the deadline. Critical preparations include confirming PSP system readiness, validating payment gateway compatibility, and ensuring your enterprise resource planning systems can handle enhanced payment data.
For merchants processing cross-border B2B payments, ISO 20022 delivers significant operational benefits. The new standard introduces structured remittance data fields, purpose codes, and detailed originator information that dramatically improve automated reconciliation processes. Payment matching rates increase, manual intervention decreases, and straight-through processing becomes more reliable. Enhanced data transparency also supports better fraud detection and reduces false positives in sanctions screening.
Merchants should verify their payment providers’ migration status immediately. Approximately 50% of institutions have completed migration, but those relying on Swift’s translation services will face penalty charges from January 2026. Payment acceptance delays, failed transactions, or incomplete remittance data could disrupt your accounts receivable processes if your PSP remains unprepared.
Prepare for structured address requirements effective November 2026 to prevent future disruptions.
The PSR has commissioned an independent programme-level evaluation by Frontier Economics to assess the effectiveness of APP fraud policies, with a core focus on the reimbursement requirement and balanced scorecard. Using theory-based contribution analysis, the evaluation will determine whether benefits outweigh negative impacts and compliance burdens, with results expected by May 2026. Early data show 88% of APP fraud losses were reimbursed within nine months, with over £112 million returned to victims by Q2 2025. The evaluation employs mixed-methods assessment combining quantitative PSP data, existing regulatory datasets, and 20 hours of stakeholder interviews across banks, PSPs, consumer groups, and fraud technology firms.
For merchants, this regime creates operational implications through PSPs, including increased fraud prevention investment costs (recovered via the Faster Payments System in 2025-2026, then direct PSP billing), stricter KYC requirements, enhanced transaction monitoring, and risk of account suspension if receiving fraudulent payments.
The first half of 2026 brings a concentration of regulatory change that demands early operational alignment. New requirements on contract termination, safeguarding, and BNPL authorisation begin to take effect from late April through July, leaving Q4 2025 and Q1 2026 as the critical window for preparation. This section outlines the actions required to minimise disruption and ensure compliance.
The Payment Services and Payment Accounts (Contract Termination) (Amendment) Regulations 2025 come into force on 28 April 2026, applying to framework contracts for payment services entered into on or after that date. Critically for merchants, these regulations extend beyond consumer banking to cover merchant acquiring services, e-money accounts, and all payment acceptance contracts with indefinite duration.
Your PSPs and acquiring banks must give 90 days’ notice before terminating your merchant account—increased from two months—and provide sufficiently detailed explanations enabling you to understand termination reasons. This extended notice period provides crucial time to secure alternative payment acceptance arrangements before losing processing capability. However, the regulations only protect merchants classified as micro-enterprises (those with fewer than 10 employees and an annual turnover or balance sheet of under €2 million). Larger merchants may be excluded from these protections if PSPs exercise their right to disapply provisions for non-micro-enterprises.
The requirement for “sufficiently detailed and specific explanations” represents a significant shift for merchants who have historically received termination notices citing “commercial reasons” or “risk appetite changes.” PSPs must now provide substantive reasoning, though exceptions exist where providing explanations might prejudice financial crime investigations or constitute “tipping off” under money laundering regulations. PSPs face implementation challenges, including whether to repaper existing contracts or maintain dual frameworks for pre- and post-April 2026 agreements, which could create potential inconsistencies in how different merchant cohorts are treated.
The payment safeguarding rules come into force on 7 May 2026, fundamentally strengthening protections for merchant funds held by PSPs. These regulations apply to authorised payment institutions, authorised e-money institutions, small e-money institutions, and credit unions that issue e-money and handle merchant settlement funds, payment processing balances, and reserve accounts.
For merchants, these rules directly protect your money held by payment facilitators, acquirers, and PSPs between transaction processing and settlement into your business bank account. Historical data reveals failures: between Q1 2018 and Q2 2023, failed payment firms left average shortfalls of 65% in customer funds. Merchants lost substantial sums when PSPs collapsed without adequate safeguarding, with no protection from the Financial Services Compensation Scheme, as these funds fall outside deposit protection.
PSPs must now perform internal and external safeguarding reconciliations at least daily (excluding weekends and bank holidays), prepare resolution packs separate from wind-down plans, conduct diversification reviews of safeguarding providers, and establish formal governance structures with senior manager oversight. Firms holding less than £100,000 relevant funds over a 53-week period are exempt from annual audit requirements, though all firms must submit monthly regulatory returns to the FCA.
The European Accessibility Act came into force on 28 June 2025, requiring all providers offering e-commerce services to consumers in the EU to ensure accessibility regardless of where providers are based. For UK merchants operating in European markets, this directly affects your payment checkout processes, payment terminals, and customer-facing payment interfaces.
Payment services, consumer banking services, ATMs and payment terminals placed on the market after 28 June 2025 must meet accessibility requirements. If you deployed card machines or payment terminals before this date, transitional provisions apply until the end of their economically beneficial life (maximum 20 years from first use). However, any software updates, checkout redesigns, or payment flow modifications made after 28 June 2025 must comply immediately with WCAG 2.1 Level AA standards and EN 301 549 technical guidance.
Legacy products and services have until 28 June 2030 to achieve complete compliance. Merchant checkout experiences, payment pages, and mobile commerce interfaces require accessibility audits to identify compliance gaps. Member states enforce penalties that must be “effective, proportionate, and dissuasive”, with fines potentially reaching €1,000 daily until compliance is achieved. Non-compliance particularly affects merchants in Ireland, where penalties may include jail time for responsible officers.
The FCA will begin regulating deferred payment credit (commonly known as buy now pay later) from 15 July 2026. Third-party BNPL lenders, such as Klarna, Clearpay, and Affirm, require FCA authorisation, whereas merchant-provided credit remains exempt. For merchants offering BNPL at checkout, this regulation fundamentally changes your relationship with payment providers and introduces significant compliance obligations.
Merchants displaying BNPL products must ensure all financial promotions receive approval from authorised firms. Most merchants remain exempt from credit broking authorisation, except for domestic premises suppliers. However, you face liability risk during the temporary permissions regime (TPR) period, as TPR providers can only approve their own promotions, creating gaps in promotion approval coverage between 15 July 2026 and when providers obtain full authorisation.
BNPL providers must implement creditworthiness assessments under the CONC 5.2A rules for all transactions, including those under £50, requiring real-time affordability checks at checkout. This introduces friction in the payment journey, potentially reducing conversion rates as customers complete open banking authentication or provide additional financial information. Section 75 Consumer Credit Act protections now extend joint liability to BNPL providers for faulty or undelivered goods over £100, fundamentally changing dispute resolution responsibilities. Providers facing Financial Ombudsman Service case fees that are disproportionate to low-value transactions may exit the market or restructure offerings, forcing merchants to replace checkout payment methods mid-year.
Beyond the immediate deadlines, a wider set of regulatory developments is set to reshape the payments landscape through late 2026 and beyond. From digital wallet oversight to stablecoin rules and PSD3 implementation, these changes carry strategic implications for merchant acceptance, settlement practices, and cross-border compliance. This section highlights key developments to monitor and plan for now.
Digital wallet regulation remains under review, with the FCA and PSR having published feedback in February 2025 on their July 2024 call for information regarding big tech and digital wallets. The FCA will engage with HM Treasury to consider whether pass-through wallet providers, such as Apple Pay and Google Pay, should fall within the regulatory perimeter as part of the review of the Payment Services Regulations 2017 and the Electronic Money Regulations 2011.
For merchants, digital wallets represent critical payment acceptance channels, with Apple Pay and Google Pay accounting for significant portions of mobile commerce transactions. Stakeholder responses suggest that competition in the digital wallet supply is not working effectively, with potential issues surrounding operational resilience and consumer protection. The Competition and Markets Authority designated Apple and Google with strategic market status in their mobile ecosystems on 22 October 2025, enabling targeted interventions to improve competition. The CMA is now consulting on conduct requirements and pro-competition interventions, with roadmaps for potential actions expected in the first half of 2026.
Pass-through digital wallet providers currently operate outside the regulatory perimeter, creating potential gaps in operational resilience. Digital wallet operational failures may temporarily prevent customers from making payments for both online and in-store transactions, directly impacting merchant revenue and causing abandoned checkouts. Regulatory uncertainty around perimeter expansion may affect wallet provider business models and could lead to changes in merchant fees, integration requirements, or payment processing terms.
UK-issued stablecoins will be regulated as securities from Q2 2026, requiring prospectus-style disclosure, prudential backing, and redemption governance. Firms will be able to begin applying for authorisation from late 2025. HM Treasury published draft legislation in April 2025, creating new regulated activities for stablecoin issuance. However, the government confirmed that it will not proceed with amending the Payment Services Regulations 2017 to bring UK-issued stablecoins into regulated payments at this time.
For merchants considering stablecoin payment acceptance, this creates regulatory uncertainty and potential market fragmentation. Non-UK stablecoin issuers may circulate via authorised platforms without UK licensing unless they have a UK establishment, creating asymmetric treatment between UK-issued and non-UK stablecoins. Domestic sterling stablecoin projects may pause pending clarity on market abuse and disclosure regimes, potentially allowing offshore USDC-style coins to dominate sterling payment rails.
Payment service providers using stablecoins remain in regulatory limbo regarding business conduct standards. Merchants accepting stablecoin payments face questions about consumer protection, dispute resolution, and settlement finality that lack clear regulatory frameworks. The 6-12 month authorisation timelines mean early stablecoin payment adoption carries regulatory risk if chosen providers fail to obtain necessary licences.
PSD3 and the payment services regulation are expected to come into effect during 2026, following EU member states’ transitional period after finalisation in late 2024 or early 2025. For UK merchants with European operations or accepting EU customer payments, these regulations introduce stricter strong customer authentication protocols and mandatory IBAN name checking for all credit transfers. They also extend liability for authorised push payment fraud and enhance information-sharing about fraud between PSPs.
The regulations increase harmonisation and enforcement across member states whilst allowing non-bank payment service providers access to EU payment systems. Payment service providers may be given 2-3 years to obtain new authorisations and comply after PSD3 comes into force, with full compliance deadlines targeting 2026-2027. Extended surcharge bans prohibit charging customers extra fees for payments, requiring merchants to identify alternative revenue sources or absorb payment acceptance costs into pricing models.
Liability shifts fraud losses to providers who fail to properly apply strong customer authentication, including intermediaries like payment gateways. Providers will be liable for specific impersonation scams and must implement confirmation of payee name-check systems to prevent payments to fraudsters. For merchants, enhanced authentication requirements introduce additional checkout friction, potentially affecting conversion rates for EU customer transactions.
T+1 settlement implementation is confirmed for 11 October 2027 for UK cash equities, with the UK government accepting all recommendations. The Accelerated Settlement Taskforce is committed to legislating through amendments to the UK Central Securities Depositories Regulation. This change has minimal direct impact on merchant payment operations but affects merchants with treasury operations, investment portfolios, or corporate finance activities involving securities trading.
The implementation plan includes 12 critical and 26 highly recommended actions for market participants. Asset management trade associations recommended in May 2025 that UK authorised funds investing predominantly in T+1 markets should move unit transactions to T+2 settlement from 11 October 2027. For merchants with significant cash management operations or corporate treasury functions trading securities, operational processes require acceleration to meet compressed settlement timelines.
The FCA may take action against firms not prepared for the October 2027 T+1 deadline to protect market integrity. Insufficient system preparation may result in settlement failures and operational disruption during the transition period. Firms need to accelerate up to 29% of post-trade instructions for UK trades, according to the February 2025 market survey.
Shifting EU regulations on data protection, product safety, VAT, and customs are set to redefine how UK merchants trade across borders. With GDPR adequacy renewal uncertain, new product safety oversight, and complex import VAT reforms on the horizon, businesses must act now to secure compliance and safeguard market access.
UK-issued fiat-backed stablecoins will fall under new regulated activities from Q2 2026, requiring prospectus-style disclosures, prudential safeguards, and redemption governance. These requirements will be introduced under Part 5 of the Financial Services and Markets Act (FSMA), with firms able to begin applying for authorisation from late 2025. HM Treasury published draft legislation in April 2025 outlining these measures. However, the government confirmed it will not proceed with amending the Payment Services Regulations 2017 to bring stablecoins within the scope of regulated payments at this time.
For merchants considering stablecoin acceptance, this creates regulatory uncertainty and potential market fragmentation. Non-UK stablecoins may remain accessible to UK merchants through authorised platforms, without direct UK regulation unless the issuer has a UK establishment. This creates an uneven playing field in which offshore coins—such as USDC—can operate with lower compliance burdens than UK-issued equivalents, potentially distorting adoption of sterling-backed stablecoins.
Payment service providers using stablecoins remain in regulatory limbo with respect to business conduct standards. Merchants accepting stablecoin payments face unresolved questions around consumer protection, dispute resolution, and settlement finality, in the absence of a full regulatory framework. The 6–12 month authorisation timelines mean that early adoption of stablecoin-based payment models carries regulatory risk if providers fail to obtain the necessary permissions.
The United Kingdom will implement T+1 settlement for cash equities on 11 October 2027, in line with international efforts to shorten securities settlement cycles. This move aligns with the EU’s and Canada’s planned transition on the same date, and follows the United States’ shift to T+1 in May 2024. The UK government has accepted all recommendations from the Accelerated Settlement Taskforce and will legislate via amendments to the Central Securities Depositories Regulation (CSDR).
While the change has minimal direct impact on merchant payment operations, it carries significant implications for merchants with treasury, investment, or corporate finance functions involved in securities trading. The implementation plan outlines 12 critical and 26 recommended actions for market participants. UK-authorised funds investing in T+1 markets are expected to settle unit transactions on a T+2 basis from 11 October 2027 to align with compressed post-trade timelines.
Cross-border settlement operations, especially for firms active in both UK and EU markets, will require synchronised system upgrades to ensure resilience. The FCA has indicated it may take enforcement action against firms that fail to meet the deadline, citing market integrity concerns. February 2025 survey data show up to 29% of post-trade instructions for UK trades will need to be accelerated.
Regulatory changes affect merchants differently depending on scale, risk profile, and payment infrastructure. This section outlines key compliance pressures across e-commerce, high-risk sectors, and SMEs, highlighting where obligations are intensifying and where targeted action is most urgent.
PCI DSS 4.0.1 removed requirements 6.4.3 and 11.6.1 for SAQ A merchants, effective 1 April 2025, replacing them with risk-based eligibility criteria that require merchants to confirm their e-commerce systems are not susceptible to script attacks. SAQ A for PCI DSS v4.0 increased from 24 to 29 requirements for e-commerce merchants, including mandatory quarterly external vulnerability scans by approved scanning vendors, even for iframe and redirect implementations.
Merchants that incorrectly self-assess as eligible for SAQ A rather than SAQ A-EP risk failing to implement over 100 security controls, which creates substantial vulnerabilities in their website security. The distinction centres on whether your e-commerce environment handles cardholder data directly or uses iframes and redirects to send customers to PSP-hosted pages. Merchants must obtain confirmation from PCI DSS-compliant third-party service providers that their solutions include techniques protecting payment pages from script attacks when implemented according to instructions.
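One way a merchant could evidence the "not susceptible to script attacks" confirmation is to audit the page that embeds the PSP iframe against a script inventory and to fingerprint it for change detection, which are the controls requirements 6.4.3 and 11.6.1 describe. The sketch below is an added example, not code from this article, the PCI SSC or any PSP. All hosts, URLs, the inventory and the sample page are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inventory for a hypothetical merchant: script URL -> justification.
AUTHORISED_SCRIPTS = {
    "https://shop.example/static/checkout.js": "cart totals and form validation",
    "https://cdn.psp.example/v3/hosted-fields.js": "PSP iframe loader",
}
AUTHORISED_FRAME_HOSTS = {"pay.psp.example"}   # hosts allowed to serve the card form
PAGE_ORIGIN_HOST = "shop.example"

# Constructed checkout page; the chat widget is deliberately not in the inventory.
SAMPLE_PAGE = """
<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.psp.example/v3/hosted-fields.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://widgets.thirdparty.example/chat.js"></script>
<script>window.dataLayer = [];</script>
<iframe src="https://pay.psp.example/card-form?session=abc"></iframe>
</body></html>
"""


class PageInventory(HTMLParser):
    """Collects every <script> and <iframe> the browser would load."""

    def __init__(self):
        super().__init__()
        self.scripts = []     # dicts with src, integrity and inline body
        self.frames = []      # iframe src URLs
        self._inline = None   # inline script currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            entry = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
            self.scripts.append(entry)
            self._inline = entry if entry["src"] is None else None
        elif tag == "iframe" and a.get("src"):
            self.frames.append(a["src"])

    def handle_data(self, data):
        if self._inline is not None:
            self._inline["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = None


def strip_query(url):
    return url.split("?", 1)[0]


def inline_hash(body):
    return hashlib.sha256(body.strip().encode()).hexdigest()


def collect(html):
    inv = PageInventory()
    inv.feed(html)
    return inv


def audit_payment_page(html, approved_inline_hashes=frozenset()):
    """Return (finding, detail) tuples for scripts and frames outside the inventory."""
    inv, findings = collect(html), []
    for s in inv.scripts:
        if s["src"] is None:
            if inline_hash(s["body"]) not in approved_inline_hashes:
                findings.append(("inline-not-approved", s["body"].strip()[:40]))
            continue
        url = strip_query(s["src"])
        if url not in AUTHORISED_SCRIPTS:
            findings.append(("not-in-inventory", url))
        # Only the presence of an SRI attribute is checked, not the hash value.
        if urlparse(url).hostname != PAGE_ORIGIN_HOST and not s["integrity"]:
            findings.append(("cross-origin-without-sri", url))
    for f in inv.frames:
        if urlparse(f).hostname not in AUTHORISED_FRAME_HOSTS:
            findings.append(("unexpected-frame-host", strip_query(f)))
    return findings


def page_fingerprint(html):
    """Stable hash of the script and frame set; a change between fetches needs review."""
    inv, items = collect(html), []
    for s in inv.scripts:
        ident = strip_query(s["src"]) if s["src"] else "inline:" + inline_hash(s["body"])
        items.append("script:" + ident + "|" + (s["integrity"] or ""))
    # Query strings are dropped so per-session parameters do not raise false alerts.
    items += ["frame:" + strip_query(f) for f in inv.frames]
    return hashlib.sha256("\n".join(sorted(items)).encode()).hexdigest()


if __name__ == "__main__":
    for finding in audit_payment_page(SAMPLE_PAGE):
        print(finding)
    print("fingerprint:", page_fingerprint(SAMPLE_PAGE))
```

Run against the page as served to a browser on a schedule, and store the fingerprint so a new or altered script shows up as a difference between runs.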
E-commerce merchants face an increased compliance burden with quarterly approved scanning vendor scans now mandatory, where previously not required under PCI DSS v3.2.1. Cross-border e-commerce creates complex multi-jurisdictional compliance obligations across payment services directives, data protection rules and consumer protection frameworks. Password policies now require a 12-character minimum complexity, four-password history prevention, and a 90-day maximum age requirement for web server access.
Enforcement of the Visa Acquirer Monitoring Program (VAMP) began in October 2025, with a merchant excessive dispute ratio of 2.2% from June 2025, dropping to 1.5% for North America, the EU, and the Asia Pacific from 1 April 2026. Mastercard’s excessive chargeback programme places merchants with 100+ chargebacks and a 0.9% ratio in the standard level, or 300+ chargebacks and 3% ratio in the high excessive level, for two consecutive months.
High-risk merchant category codes, including direct marketing, adult content, online pharmacies, gambling and outbound telemarketers, face immediate fee eligibility without notification or workout periods. Merchants exceeding thresholds for six months will face heightened enforcement, including additional fees, mandatory action plans, and risk assessments, potentially leading to placement on the MATCH list. Single fraud disputes can count twice in the VAMP ratio as both TC40 and TC15, with merchants potentially losing the ability to accept Visa payments.
Merchants dropped due to excessive chargebacks must obtain accounts from high-risk processors with considerably higher fees, or face industry blacklisting. Mastercard’s excessive fraud merchant programme requires a minimum of £50,000/$50,000 in fraud chargebacks, with monthly violation assessment fines from the second month of non-compliance. Credit card associations limit processing volume based on capital structure, high-risk concentrations, and chargeback rates, imposing additional activity limits or collateral requirements.
SMEs encounter frustrations with one-size-fits-all financial services solutions that are not tailored to particular use cases. Retailers need multiple payment types, while government sector businesses require electronic invoicing capabilities. Small businesses using self-hosted payment gateways must ensure PCI DSS compliance, whilst API-hosted gateways offer customisation but require technical expertise and higher setup and maintenance costs.
Many SMEs lack full digital maturity or operate in cash-reliant marketplaces, requiring reconciliation solutions that handle both cash and digital wallet payments rather than digital-only onboarding. When SMEs grow beyond certain size thresholds, they face significant cliff-edge increases in compliance obligations, which discourages growth and limits competitiveness. Building, testing and maintaining payment platforms proves complex and costly for SMEs, whilst ensuring compliance requirements creates additional resource challenges.
Cross-border payment complexity increases compliance costs due to multiple regulatory frameworks, currency handling, and varying consumer protection standards. SMEs must maintain PCI DSS compliance by utilising encryption and fraud detection tools to protect sensitive customer data, as breaches can create liability exposure. The EU compliance cliff-edge effects create disproportionate burdens as businesses transition from the SME to the small mid-cap category, deterring expansion.
While several major regulations are already scheduled, a number of additional reforms remain under consultation or development. This section highlights proposals with potentially significant merchant impact, covering open banking governance, payment infrastructure redesign, surcharging rules, and AI regulation.
PCI DSS 4.0.1 removed requirements 6.4.3 and 11.6.1 for SAQ A merchants, effective 1 April 2025, replacing them with risk-based eligibility criteria that require merchants to confirm their e-commerce systems are not susceptible to script attacks. SAQ a for DSSPCI DSS v4.0 increased from 24 to 29 requirements for e-commerce merchants, including mandatory quarterly external vulnerability scans by approved scanning vendors, even for iframe and redirect implementations.
Merchants incorrectly self-assess their eligibility for SAQ A versus SAQ A-EP risk, failing to implement over 100 security controls, which creates substantial vulnerabilities in their website security measures. The distinction centres on whether your e-commerce environment handles cardholder data directly or uses iframes and redirects to send customers to PSP hosted pages. Merchants must obtain confirmation from PCI DSS-compliant third-party service providers that their solutions include techniques protecting payment pages from script attacks when implemented according to instructions.
E-commerce merchants face an increased compliance burden with quarterly approved scanning vendor scans now mandatory, where previously not required under PCI DSS v3.2.1. Cross-border e-commerce creates complex multi-jurisdictional compliance obligations across payment services directives, data protection rules and consumer protection frameworks. Password policies now require a 12-character minimum complexity, four-password history prevention, and a 90-day maximum age requirement for web server access.
Enforcement of Visa’s Acquirer Monitoring Programme (VAMP) began in October 2025, with a merchant excessive dispute ratio of 2.2% applying from June 2025 and dropping to 1.5% for North America, the EU, and Asia Pacific from 1 April 2026. Mastercard’s excessive chargeback programme places merchants with 100+ chargebacks and a 0.9% ratio in the standard level, or 300+ chargebacks and 3% ratio in the high excessive level, for two consecutive months.
High-risk merchant category codes, including direct marketing, adult content, online pharmacies, gambling and outbound telemarketers, face immediate fee eligibility without notification or workout periods. Merchants exceeding thresholds for six months will face heightened enforcement, including additional fees, mandatory action plans, and risk assessments, potentially leading to placement on the MATCH list. Single fraud disputes can count twice in the VAMP ratio as both TC40 and TC15, with merchants potentially losing the ability to accept Visa payments.
Merchants dropped due to excessive chargebacks must obtain accounts from high-risk processors with considerably higher fees, or face industry blacklisting. Mastercard’s excessive fraud merchant programme requires a minimum of £50,000/$50,000 in fraud chargebacks, with monthly violation assessment fines from the second month of non-compliance. Credit card associations limit processing volume based on capital structure, high-risk concentrations, and chargeback rates, imposing additional activity limits or collateral requirements.
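The thresholds quoted above can be tracked month by month; the following is an added example, not part of the original article, that models only those quoted figures. The ratio formulas, region codes, field names and sample counts are assumptions constructed for illustration.

```python
from datetime import date

# Thresholds as quoted in the article; everything else is an assumption.
VISA_RATIO = 0.022                        # merchant threshold from June 2025
VISA_RATIO_APR_2026 = 0.015               # from 1 April 2026 in the regions below
VISA_LOWER_REGIONS = {"NA", "EU", "AP"}   # constructed region codes
MC_LEVELS = ["none", "standard", "high excessive"]
MC_CRITERIA = {1: (100, 0.009), 2: (300, 0.03)}  # rank: (min count, min ratio)


def visa_threshold(month, region):
    """Dispute-ratio threshold in force for a given month and region."""
    if month >= date(2026, 4, 1) and region in VISA_LOWER_REGIONS:
        return VISA_RATIO_APR_2026
    return VISA_RATIO


def vamp_ratio(tc40, tc15, settled):
    # Assumed formula: (TC40 fraud reports + TC15 disputes) / settled count.
    # One fraud dispute appears in both inputs, so it is counted twice.
    return (tc40 + tc15) / settled if settled else 0.0


def mc_rank(chargebacks, transactions):
    # Assumed ratio: chargebacks / transactions in the same month.
    ratio = chargebacks / transactions if transactions else 0.0
    met = [rank for rank, (count, rate) in MC_CRITERIA.items()
           if chargebacks >= count and ratio >= rate]
    return max(met, default=0)


def review(months, region):
    """Per month: (month, VAMP ratio, at/over Visa threshold, Mastercard level)."""
    out, prev = [], 0
    for m in months:
        ratio = vamp_ratio(m["tc40"], m["tc15"], m["settled"])
        rank = mc_rank(m["mc_cb"], m["mc_txn"])
        # A level applies only when its criteria hold two months running.
        level = MC_LEVELS[min(prev, rank)]
        over = ratio >= visa_threshold(m["month"], region)
        out.append((m["month"], ratio, over, level))
        prev = rank
    return out


# Constructed sample: every Visa dispute is a fraud dispute (TC40 == TC15).
SAMPLE = [
    {"month": date(2026, 2, 1), "tc40": 900, "tc15": 900, "settled": 100_000, "mc_cb": 120, "mc_txn": 10_000},
    {"month": date(2026, 3, 1), "tc40": 900, "tc15": 900, "settled": 100_000, "mc_cb": 320, "mc_txn": 10_000},
    {"month": date(2026, 4, 1), "tc40": 900, "tc15": 900, "settled": 100_000, "mc_cb": 310, "mc_txn": 10_000},
]

if __name__ == "__main__":
    for row in review(SAMPLE, "EU"):
        print(row)
```

In the sample, 900 fraud disputes on 100,000 settled transactions yield a 1.8% ratio because each is counted twice, and the same volume moves from compliant to over threshold when the 1.5% figure takes effect.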
SMEs encounter frustrations with one-size-fits-all financial services solutions that are not tailored to particular use cases. Retailers need multiple payment types, while government sector businesses require electronic invoicing capabilities. Small businesses using self-hosted payment gateways must ensure PCI DSS compliance, whilst API-hosted gateways offer customisation but require technical expertise and higher setup and maintenance costs.
Many SMEs lack full digital maturity or operate in cash-reliant marketplaces, requiring reconciliation solutions that handle both cash and digital wallet payments rather than digital-only onboarding. When SMEs grow beyond certain size thresholds, they face significant cliff-edge increases in compliance obligations, which discourages growth and limits competitiveness. Building, testing and maintaining payment platforms proves complex and costly for SMEs, whilst ensuring compliance requirements creates additional resource challenges.
The regulatory landscape for merchant payments requires urgent, coordinated action to ensure compliance and resilience. Immediate focus must be on ISO 20022 migration ahead of the November 2025 deadline. Contact all PSPs now to confirm completion and secure written verification of successful testing. Develop contingency plans, including alternative PSP arrangements, to protect against transaction failures or remittance data issues.
From Q4 2025, shift focus to preparing for the Q2 2026 regulatory wave, covering payment safeguarding (7 May), contract termination protections (28 April), and BNPL regulation (15 July). These rules directly affect cash flow, payment continuity, and conversion rates. Assess safeguarding compliance, review contract notice periods, and confirm BNPL authorisation pathways.
Allocate resources strategically. Update 2026 budgets to reflect 15–25% PSP fee increases driven by compliance costs. Build operational resilience by diversifying PSP relationships and maintaining portable gateway configurations. Strengthen governance with clear accountability across finance, technology, legal, and procurement, supported by a compliance dashboard and monthly reviews.
Early, proactive compliance brings competitive advantages through enhanced data, stronger PSP relationships, and improved customer trust. By acting decisively now, merchants will secure operational continuity, manage cost pressures, and position their payment strategies for long-term success in an evolving regulatory environment.



