
How AI-powered banking tools are failing vulnerable customers
New research shows vulnerable customers are strong adopters of AI and digital banking, but are far more likely to experience failed payment journeys and poorer outcomes.
Regulatory developments continue to accelerate in the payments industry, ushering in a period of heightened complexity and strategic significance. In the UK, the implementation of landmark fraud prevention laws and the expansion of the cryptoasset regulatory perimeter mark a decisive shift towards greater accountability. Across the EU, operational resilience, real-time payments, and the steady rollout of the Markets in Crypto-Assets Regulation (MiCA) are reshaping the compliance standards for digital finance. Globally, preparations for central bank digital currencies and the evolution of open finance frameworks signal a longer-term structural shift.
The Payments Association’s payments regulation roadmap for Q3 2025 offers a forward-looking view of the legislation and consultations that will shape the compliance landscape. It provides practical, high-level analysis of what’s live, what’s coming into force, and what’s under active consultation, covering fraud liability, stablecoin oversight, instant payments, digital operational resilience, and future developments such as the digital pound and digital euro.
Viewing these initiatives as a whole presents a clear regulatory trajectory: accelerated timelines, harmonised standards, and enhanced scrutiny across governance, conduct, and technology infrastructure. Payment firms face mounting expectations, not just to comply, but to embed regulatory foresight into product strategy, vendor management, and consumer outcomes.
This roadmap is designed to support leadership, legal, and compliance teams in navigating a complex yet rapidly evolving regulatory landscape. It highlights legal exposures, outlines implementation timelines, and offers actionable steps to help your organisation adapt.
From 1 September 2025, a new corporate criminal offence under the Economic Crime and Corporate Transparency Act 2023 will come into force, marking a major shift in how UK authorities approach fraud prevention and corporate accountability. Large organisations will face criminal liability if they fail to implement “reasonable procedures” to prevent fraud committed by employees, agents, subsidiaries or other associated persons where the intent was to benefit the organisation or its clients.
The offence, modelled on similar provisions in anti-bribery and tax evasion law, applies regardless of whether senior management was aware of the misconduct. Companies in scope include those meeting at least two of the following thresholds:
Final guidance from the Home Office (November 2024) and FCA (April 2025) outlines six core elements of a compliant anti-fraud framework:
These principles will inform what counts as “reasonable” in the eyes of the regulator and the courts. Firms unable to demonstrate these controls may face prosecution, unlimited fines, and reputational harm, even if no actual benefit from the fraud was realised.
The FCA is set to publish its finalised interim safeguarding rules for authorised payment institutions (PIs) and electronic money institutions (EMIs) in mid-2025, following Consultation Paper CP24/20. These interim rules are the first phase of a two-stage overhaul of the safeguarding regime and are expected to take effect in Q4 2025 or Q1 2026, with a six-month implementation period.
The changes are a response to persistent compliance failings and systemic weaknesses in safeguarding arrangements across the sector. The FCA highlighted that firms which failed between Q1 and Q2 2023 had an average safeguarding shortfall of 65%, raising serious concerns about customer protection. The interim rules are designed to reinforce existing obligations under the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs), with a strong focus on daily reconciliation, enhanced reporting, and audit transparency.
The measures include a requirement for firms to undertake daily internal and external reconciliations, maintain a resolution pack to assist administrators in the event of insolvency, submit a new monthly safeguarding return, and undergo an annual safeguarding audit. They must also formally allocate safeguarding oversight to a designated individual and demonstrate robust due diligence when selecting safeguarding banks, custodians, and investment arrangements for relevant funds. These reforms pre-empt a future move to an end-state “CASS-style” regime, including the imposition of a statutory trust over relevant funds.
Legal issue/risk:
The UK’s fast-growing BNPL sector is now firmly on the path to FCA regulation following the laying of the draft statutory instrument in May 2025. The Financial Services and Markets Act 2000 (Regulated Activities etc.) (Amendment) Order 2025 will bring third-party BNPL products into the scope of regulated credit activity, ending the regulatory vacuum that has fuelled rapid adoption but exposed millions of consumers to unregulated borrowing.
The new regime introduces FCA authorisation requirements for third-party BNPL providers, mandates affordability and creditworthiness checks, and grants consumers the right to access redress through the Financial Ombudsman Service. The rules will not apply to merchant-provided instalment credit, creating a two-tier market and raising potential future questions about competitive parity. The FCA will now undertake a 12-month rulemaking process to tailor disclosure, marketing, and conduct standards to the unique features of BNPL.
These reforms are part of a broader modernisation effort that includes revisions to the Consumer Credit Act and a strategic shift toward principles-based regulation. While compliance burdens will rise, many stakeholders see the changes as an opportunity to strengthen consumer confidence, formalise industry standards, and enable sustainable long-term growth in the sector.
Legal issue/risk:
As of 31 March 2025, UK regulatory supervision of operational resilience has transitioned from a preparatory phase to active enforcement. The FCA has confirmed that firms, including payment and e-money institutions, must now remain within their declared impact tolerances for important business services, engage in continuous scenario testing, and demonstrate a resilience-first culture. The FCA emphasises resilience as a strategic asset for consumer trust and market stability, not merely a compliance checkbox.
Under this new phase, the FCA has issued a “Dear CEO” letter to payments firms, warning of intensified scrutiny on governance, third-party dependencies, incident response capabilities, and supply chain vulnerabilities. Supervisory attention will include reviewing firms’ self-assessments, contractual resilience obligations from key suppliers, and operational incident effectiveness.
Legal issue/risk:
The UK has entered a decisive phase in cryptoasset regulation with the introduction of the Financial Services and Markets Act (FSMA) 2000 (Cryptoassets) Order 2025. This landmark legislation encompasses a broad spectrum of crypto-related services, including stablecoin issuance, trading, custody, and staking, within the Financial Conduct Authority’s (FCA) regulatory perimeter. Critically, firms operating under Money Laundering Regulations (MLRs) must now secure Part 4A FSMA authorisation to continue operating legally once the transitional period ends.
The new framework is designed to mirror the standards applied to traditional financial services, focusing on consumer protection, prudential oversight, and operational resilience. For payments firms offering wallets, custody services, or stablecoin-based transactions, the shift demands a comprehensive review of business models, compliance structures, and governance arrangements.
The regime defines “qualifying stablecoins” as fiat-referenced tokens with asset backing and introduces seven new regulated activities. While stablecoins are not yet recognised as payment instruments under the Payment Services Regulations 2017, their issuance, custody, and dealing are now fully regulated financial activities. This positions the UK ahead of many jurisdictions in terms of clarity and scope.
On 13 December 2024, the UK Payment Systems Regulator (PSR) launched CP24/14, a consultation on remedies addressing excessive cross-border interchange fees (IFs) charged on online UK–EEA consumer card transactions. Following the removal of EU-wide caps after Brexit, issuers raised IFs from 0.2% to 1.15% (debit) and 0.3% to 1.5% (credit) – costing UK merchants an estimated £150–200 million per year.
To remedy this, the PSR proposes a two-stage cap:
The Stage 1 consultation closed on 7 February 2025, with a statutory direction expected following PSR review.
Following the UK Government’s National Payments Vision and signals from the FCA, a shift is now underway from prescriptive Strong Customer Authentication (SCA) rules to a more flexible, outcomes-based framework. This transition entails embedding risk-based authentication within the principles of the Consumer Duty, enabling innovation while maintaining robust fraud prevention.
Currently, contactless limits (e.g., £100 single transaction) are structured under existing SCA standards. The FCA’s recent Engagement Paper (deadline May 2025) explores granting firms the flexibility to increase these limits, conditional on evidence of low fraud rates through strong risk controls. This is an initial test of the broader outcome-based transition anticipated once SCA rules migrate from legislation into FCA regulations.
In May 2025, the Data (Use and Access) Bill received government approval, establishing a legal basis for Smart Data schemes that extend beyond banking and paving the way for a broader Open Finance framework. This represents a strategic evolution from the successful model of open banking (API-led sharing of account and payment data) to broader data portability across financial services, including pensions, mortgages, insurance, and investments.
These developments are closely aligned with EU counterparts, including the EU Data Act and FiDA frameworks. However, the UK favours a sector-based approach, in contrast to the EU’s technology-driven, cross-sector model. Expected launches include Smart Data schemes in financial services and energy, with the latter’s consultation to be concluded by March 2025.
The Bank of England is now midway through the design phase for the “digital pound,” a potential UK retail central bank digital currency (CBDC), following the publication of its first Progress Update in early 2025 and a detailed Design Note in January 2025.
This initiative adopts a platform model, where the Bank issues digital pounds via a central ledger, while private-sector firms offer wallets and payment services. The goal is to complement cash and existing deposit money, preserving the “singleness of money” across all digital forms.
Key design-stage targets include user privacy (ensuring Bank and government cannot access personal data), functional resilience, and optional offline payment capabilities for remote or connectivity-constrained environments, a feature the Bank acknowledges is technically feasible yet involves trade-offs around double-spending protection and user experience. The conclusion of the design phase by 2025–26 will trigger a formal policy assessment and parliamentary decision on whether to proceed with full implementation.
Although the FCA’s Consumer Duty is already in effect—covering open products since July 2023 and closed products since July 2024—its implementation is far from complete. For payments firms, the Duty remains a defining regulatory focus heading into 2026. Rather than a static compliance event, the Duty is an evolving framework requiring continuous adaptation and active oversight to ensure firms deliver consistently good consumer outcomes.
The FCA has emphasised that firms must not only meet technical requirements but also integrate the Duty’s principles across the entire customer journey. This includes acting in good faith, avoiding foreseeable harm, and supporting customers in achieving their financial goals. The regulator expects firms to demonstrate how they deliver fair value, communicate effectively, and provide accessible, responsive customer support—particularly for vulnerable users.
This is not just about avoiding misconduct. The bar has been raised: weak product governance, poor communications, or unsubstantiated pricing can now be regulatory failings, even in the absence of complaints. Superficial compliance will not suffice. The FCA is already conducting deep-dive reviews, and a mid-2026 post-implementation assessment is expected to further sharpen scrutiny and enforcement expectations.
The EU’s new Instant Payments Regulation marks a major step in reshaping the cross-border payments landscape within the Single Euro Payments Area (SEPA). Adopted in March 2024, the legislation mandates that all payment service providers (PSPs) offering euro credit transfers must also offer SEPA Instant Credit Transfers (SCT Inst), ensuring 24/7/365 settlement within ten seconds, regardless of the time or day.
This regulation eliminates surcharges on instant payments, standardises fraud prevention requirements, and demands interoperability between legacy and real-time rails. For UK-based firms serving EU clients or operating via EU subsidiaries, it introduces a complex new compliance layer, particularly in relation to AML/CFT measures and liquidity management.
Non-euro area PSPs (including those in the UK serving EU customers) face a delayed timeline but must begin preparations now to avoid operational and reputational risks:
The European Commission’s proposals for the third Payment Services Directive (PSD3) and a new standalone Payment Services Regulation (PSR) signal the most extensive update to the EU’s payments legislation since the introduction of PSD2 in 2015. Published in June 2023 and currently under legislative negotiation, these reforms aim to modernise payment rules in response to rapid technological change, rising fraud threats, and the evolution of open banking and digital payment services.
Although the reforms apply only within the EU and have no direct legal effect in the UK, they are highly relevant to UK-based firms operating cross-border or serving EU clients. The UK Treasury has yet to publish its formal response to its 2023 consultation on the future of UK payments regulation, but is widely expected to pursue a distinct, though interoperable, regime. Until then, firms should track PSD3 and PSR developments closely.
The legislative package proposes substantial changes:
These reforms aim to strengthen user trust, improve interoperability, and ensure the continued competitiveness of the EU payments landscape.
The digital euro initiative has officially entered a critical phase, with the European Central Bank (ECB) aiming to secure legislative approval by early 2026 and begin implementation in 2028–2029 if a political consensus is achieved. Designed as a retail central bank digital currency (CBDC), the digital euro will serve as digital central bank money, accessible through private-sector wallet providers, operated on a platform model with offline payment capabilities, and supported by a formal rulebook outlining standards for privacy, interoperability, and user experience.
The ECB and the European Commission have given assurances that privacy-by-design principles will be embedded, limiting data flow to providers and preserving pseudonymity consistent with cash-like anonymity. Yet this privacy promise demands robust compliance capabilities: PSPs must balance user confidentiality with stringent AML/CFT obligations, real-time monitoring, and regulatory reporting.
The EU’s Digital Operational Resilience Act (DORA) establishes a binding regulatory framework for managing information and communication technology (ICT) and cyber risk across the EU financial sector. Applicable to over 22,000 financial entities – including banks, payment institutions, e-money firms, cryptoasset service providers, and critical ICT third-party providers (CTPPs) – DORA enforces a consistent and stringent standard of digital resilience. Its reach extends to UK-based firms with EU subsidiaries or branches, meaning cross-border firms must now factor DORA into their enterprise risk frameworks.
The regulation introduces five core pillars: ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Entities must implement an integrated governance structure that ensures board-level accountability for resilience. They must also meet strict standards for identifying, mitigating, and recovering from cyber incidents, and report major incidents within tight timeframes (initial notification within four hours, full report within one month).
DORA is unique in directly regulating critical ICT providers (e.g. cloud services, data analytics platforms, and digital infrastructure providers), placing them under the supervision of European financial authorities for the first time. Contractual agreements, service level expectations, and exit strategies must now meet DORA’s granular standards.
The Markets in Crypto-Assets Regulation (MiCA) is now the world’s most advanced and fully implemented regulatory framework for cryptoassets, bringing significant legal certainty and investor protections across the EU. MiCA applies to a broad range of entities – including cryptoasset issuers, trading platforms, custodians, and stablecoin providers – and introduces robust compliance requirements covering transparency, governance, capital reserves, and conduct of business.
Rules for stablecoin issuance (Asset-Referenced Tokens and E-Money Tokens) have been in effect since June 2024, requiring prior authorisation, white paper disclosures, and strict reserve management. The remaining provisions covering Cryptoasset Service Providers (CASPs) became fully enforceable from December 2024. As of Q3 2025, numerous providers – particularly those issuing euro- and USD-denominated stablecoins – are authorised under the regime, supervised by national regulators with strategic oversight from the European Securities and Markets Authority.
While MiCA does not apply in the UK, it is directly relevant to UK-based firms that serve EU clients or market cryptoassets in EU jurisdictions. The regulation also acts as a blueprint for the UK’s own cryptoasset regime, including expected stablecoin rules to be finalised by the end of 2025.
The UK government’s call for input on modernising the redress system signals a potential overhaul of how consumers and small businesses access compensation in financial services disputes. While the Financial Ombudsman Service (FOS) remains the cornerstone of redress, the government is exploring broader structural reform in light of mounting pressures on the system, including growing case volumes, complex multi-firm complaints, and limitations in handling mass claims.
For payments leaders, this review is particularly relevant given the increasing volume of disputes related to digital payments, BNPL, authorised push payment (APP) fraud, and cryptoasset services. As new payment models emerge and regulation expands (e.g. BNPL, stablecoins), so too does the complexity of consumer redress expectations.
The call for input poses critical questions around:
While no changes are imminent, firms should consider the implications for complaint handling, customer service models, and exposure to collective or systemic redress mechanisms. The review may also lead to more stringent governance and reporting expectations around dispute resolution processes.
Payments firms are encouraged to participate in the consultation by the 24 July deadline, especially if they are seeing rising complaint volumes or operate in rapidly evolving areas such as BNPL or crypto. Early engagement could help shape a redress system that is proportionate, efficient, and aligned with modern payment practices.
Summarising the regulatory developments from Q3 reveals the industry’s transition towards greater oversight, heightened accountability, and clearer integration of emerging technologies into existing frameworks. From the UK’s formalisation of its cryptoasset regime and fraud prevention obligations, to the EU’s operational resilience mandates and real-time payments initiatives, the message is consistent: regulatory expectations are rising, and compliance must now be proactive, data-driven, and embedded across the business.
This transition presents both risk and opportunity. Those that respond strategically – by aligning early with incoming rules, engaging with consultations, and modernising governance – will be best placed to differentiate themselves in a more regulated, but more trusted, ecosystem.
Looking ahead to 2026 and beyond, reforms around digital currencies (such as the digital pound and digital euro), open finance, and international regulatory convergence will further shape business models, partnerships, and compliance infrastructure. Organisations should begin planning for these shifts now, not only to meet future obligations but to lead in designing compliant, scalable digital payment systems.
Staying ahead means not only tracking what’s finalised, but anticipating what’s next. For continued updates, insight, and analysis on what matters most to payments compliance leaders, the next edition of Payments Intelligence will map the milestones and help you navigate what’s coming.

