.svg)
As 2024, 2023 and 2022 have shown, there is no rest for the wicked when it comes to payments regulation, and both the UK and EU look set for more compliance changes.
2025 marks ten years since the EU’s revised Payment Services Directive (PSD2) was implemented, and much has changed in that time.
In 2015, the UK was still a member of the EU, Barack Obama was US President and the UK’s Payment Systems Regulator (PSR) was in the early stages of its existence.
There has been non-stop regulatory initiatives and implementation deadlines for the payments industry in both the UK and the EU in the past ten years, and the next 12 months are unlikely to see any quietening.
“Looking ahead to 2025, firms can anticipate significant supervisory engagement,” said Simon Treacy, senior associate at Linklaters.
Discussing the EU, Treacy said he expects regulators to focus on how firms are meeting their Digital Operational Resilience Act (DORA) requirements, especially regarding their contracts with third-party technology providers and the robustness of ICT risk management frameworks.
“While enforcement actions can’t be ruled out, because regulators may choose to make an example of firms who have failed to adequately engage with the regime, the initial focus will be on supervisory engagement aimed at improving compliance standards behind the scenes,” he said.
Looking back at the past year, Treacy said that the European Parliament elections meant work on initiatives such as the third Payment Services Directive (PSD3) was paused for several months.
As a consequence, the EU’s development of regulatory policy was relatively quiet during this period.
“However, we can expect activity to pick up again in the coming months,” he predicted.
Growing momentum
Max Savoie, a partner at Sidley Austin, agreed, pointing out that PSD3 and its regulatory counterpart, the Payment Services Regulation (PSR), are not yet in their final form, but that momentum is picking up.
“We’re starting to see more back-and-forth among EU legislators in developing the commission’s original draft proposal,” he said. “This is typically a sign that we’re entering the end-game stages of finalising the text of the directive and the regulation.”
According to Savoie, what will be particularly interesting, and where many unanswered questions remain, are the regulatory technical standards and guidelines to be developed by the European Banking Authority (EBA).
“Some of the more challenging aspects are likely to be addressed in those, as was the case under PSD2,” he said. “The EBA has been given a broad mandate in areas like safeguarding, and this is where we’ll see the critical details of how firms will need to implement the framework once finalised."
Incoming safeguarding reforms
Safeguarding is also a pertinent topic in the UK, given that the Financial Conduct Authority (FCA) finally unveiled wide-ranging reforms in a now closed consultation last year.
“Several firms and trade associations have submitted responses, with common themes including that the FCA has underestimated the challenges and costs to firms of implementing the proposals, particularly those in its ‘end-state’ rules requiring funds to be received directly into safeguarding accounts,” he pointed out.
Savoie said that many in the industry hope that the FCA will consider these issues in more detail and issue a further consultation on the end-state rules before those are finalised.
“That said, my sense is that this is a genuine consultation, and the FCA appears open to hearing how the market thinks these rules should work, whether certain proposals need revisiting, and where additional guidance might be needed to make implementation feasible,” he said.
However, Savoie cautioned that its “wishful thinking” for any firms to expect the FCA to scrap the proposals entirely or abandon key aspects. “The themes of the proposals are likely here to stay, with the focus shifting to how they’re applied, what’s required, and whether exemptions or carve-outs might be extended.”
Alison Donnelly, director at fscom, agreed that safeguarding was likely to be a dominant issue for payments and e-money firms.
“Safeguarding will absolutely be an issue for firms as they prepare for both interim measures and long-term compliance,” she said.
Like Savoie, Donnelly suggested that there is scope for change to what the FCA has proposed: "Points of clarification have been submitted to the FCA, and hopefully, this will lead to an adaptation of the rules or more meaningful guidance.
“However, if even the interim state rules are implemented without clarity and guidance, it could create significant challenges for firms.”
Donnelly warned that resolution packs, for example, may involve complex technology changes, and firms will need to get it right. “The evolving regulatory landscape will require technological changes to adapt, and there’s not a long window to implement these changes effectively."
The continued impact of the Consumer Duty
Experts in the payments space were also clear that the Consumer Duty, despite having been in effect for more than a year, will remain a theme for payments and e-money firms operating in the UK in 2025.
Savoie acknowledged that the implementation of the Consumer Duty has been ongoing, with the FCA showing a strong focus on it.
“The FCA is actively engaging with firms to check their progress on implementation, and it’s clear that this will remain a key area of regulatory supervision."
Olivia Murphy, managing associate at Linklaters, said: "Consumer Duty continues to be a high priority. Firms are still working on implementation, with an FCA review suggesting that just over half are demonstrating compliance.”
Murphy added that a “systematic approach, supported by board oversight and effective management information, is crucial”.
“While there was a check-in on progress last year, we may see more regulatory scrutiny next year, keeping it high on the agenda."
A busy year awaits
Payment service providers (PSPs) operating in both the EU and UK are likely to be kept busy in 2025, with a raft of regulatory changes incoming.
In addition to the implementation of DORA and safeguarding reforms, the authorised push payment (APP) scam requirements, possible changes to strong customer authentication (SCA) and the EU’s Instant Payments Regulation (IPR) rules are all coming to fruition.
And changes in oversight such as new buy now, pay later (BNPL) regulation in the UK and the EU’s inaugural crypto framework, the Markets in Crypto Assets (MiCA) regulation, will also change things for firms in the consumer credit and crypto spaces.
Payments and e-money firms must act decisively to stay ahead, conducting a comprehensive gap analysis to identify areas where their current processes and compliance frameworks fall short of upcoming requirements
They should also actively engage with regulators’ consultations and with industry bodies to understand and influence the evolving landscape, while allocating resources effectively.
They will need to prioritise competing compliance updates and ensure robust internal training to ensure that staff are adapting well to impactful new rules.
By taking these steps in the coming months, firms can mitigate risks, reduce compliance costs and position themselves as leaders in a regulatory environment that will only become more complex as payments and e-money firms become more systemically important to the UK and the EU.
Take a look at Vixio's 2025 Payments Compliance Outlook: How Technology and Outsourcing Can Tackle Regulatory Overload
