Gibraltar E-Commerce & VAT
Mandatory VAT Defences:Mastering the Two-Item Rule and managing the Fixed Establishment Trap.
Delivering Good Outcomes for Retail Clients
An article exploring how to manage Consumer Duty requirements for UK PSPs and Gibraltar PSPs accessing the UK Market under Passporting Arrangements.
Table of Contents
The UK Financial Conduct Authority (FCA) Consumer Duty and the Gibraltar Financial Services Commission (GFSC) Financial Services (Core Principles and Consumer Duty) Regulations 2024 represent a profound and transformative shift in the regulatory landscape for financial services firms.
This new Consumer Duty (CD )framework moves away from a prescriptive, rules-based approach towards an outcomes-focused model, demanding that firms actively deliver “good outcomes” for their retail customers. This marks an extension from the principles-based regulation which involves treating customers fairly, toward a more outcomes-driven approach. It requires firms not only to avoid causing foreseeable harm but to proactively act to deliver benefits and value to their customers. Good outcomes are defined with reference to the four key outcomes detailed below.
A “retail customer” means an individual who is acting for purposes which are outside their trade, business or profession and include:
For Payment Service Providers (PSPs) operating card and account programs, particularly those involved in complex multi-party arrangements like BIN sponsorship, this necessitates a deeply embedded, retail customer-centric framework that goes beyond mere procedural adjustments.
This article considers specific impacts of the CD on PSPs offering card and account programs, outlines the essential components of a robust CD compliance program, details what a comprehensive Board report should include, and provides critical insights into managing compliance within multi-party outsourced programs where brand partners have direct contact with cardholders and accountholders.
Key Dates and Dual Regulation: The UK FCA Consumer Duty became effective for open (i.e. currently offered) products from July 31, 2023, and for closed (i.e. legacy) products from July 31, 2024.
Gibraltar has aligned with the UK, for Gibraltar PSPs benefiting from UK market access under the UK-Gibraltar passporting arrangements, by introducing its own Financial Services (Core Principles and Consumer Duty) Regulations 2024, effective May 9, 2024. These regulations largely mirror the UK FCA’s CD and apply to GFSC-regulated firms offering services to UK customers. This creates a dual regulatory burden, effectively requiring adherence to both FCA and GFSC frameworks. The GFSC also anticipates extending its scope to all retail customers in 2026-2027.
At its core, the CD introduces a new regime which mandates that regulated firms must deliver good outcomes for retail customers. This principle provides a new heightened standard of care and is underpinned by the concept of “reasonableness,” which is an objective test interpreted in line with what could reasonably be expected of a prudent firm that understands the needs and characteristics of its target market customers.
Supporting this overarching principle are three cross-cutting rules for conduct. Firms are required to:
These rules apply both at a target market level and individual customer level.
Acting in good faith means firms should not exploit retail customers’ lack of knowledge or behavioural biases, and their culture, staff incentives, and remuneration structures must support this principle.
Avoiding foreseeable harm requires firms to consider both their actions and omissions that could cause detriment, even if they are not the sole cause, and to act where they can and raise issues with other relevant parties.
Enabling customers to pursue their financial objectives means establishing an environment where retail customers can act in their own interests, understanding that retail customers ultimately remain responsible for their decisions.
The CD also introduces four specific outcomes that represent key elements of the firm-retail customer relationship:
The CD applies to all supervised financial services firms including payment services and e-money firms.
The FCA has explicitly stated that it views governance as a significant issue within the payments sector, and so this will be a major area of focus for these UK firms. Failures by PSPs are particularly critical as their products are not usually covered by the Financial Services Compensation Scheme (FSCS) unless they are provided by a credit firm (bank), meaning firm failures could have an increased likelihood of causing losses to customers.
Whilst most PSPs are not covered by FSCS, they are required to safeguard customer funds—either by segregating them into separate accounts or insuring them thus making effective safeguarding and regulatory oversight essential to minimise retail customer harm.
PSPs are expected to deliver a higher standard of customer care and protection, implementing tools that enable customers to make effective decisions in their best interests. This includes a yearly review of both existing and new products and services offered.
A significant impact for PSPs under the CD is in tackling fraud. Firms are expected to have robust controls in place and to demonstrate that they have implemented measures to mitigate fraud risks, such as Authorised Push Payment (APP) fraud. The FCA has a dedicated CD Intervention team that will scrutinise significant occurrences detrimental to retail customers, examining incidents like APP fraud through the lens of customer protection and fraud resilience.
For digital-only firms, the CD requires careful consideration of how their online application processes and information provision align with compliance. Poorly designed apps that make it difficult for customers to find key information risk causing retail customer harm and are unlikely to meet the required standards. Similarly, customer support functions must be effective (whoever provides them), to meet the CD even in a digital-only context, and firms should have processes to prevent harm if customers lose internet or mobile access.
Communications strategy: PSPs must go beyond merely disclosing information required under existing regulations like the Payment Services Regulations (PSRs). They need to think more widely about the purpose of their communications and how they promote customer understanding and good outcomes. This involves providing more information than the legal minimum and ensuring clarity of pricing. Firms must avoid misleading promotions, disguising risks, or burying key terms in documents customers are unlikely to read.
Fees and charges. PSPs must assess whether transaction fees, redemption fees, and inactivity fees offer fair value. For example, firms charging inactivity fees should proactively contact customers to inform them of upcoming charges and make it easy for them to close accounts before incurring such fees, to avoid deriving income from customer inertia (what is sometimes known as ‘breakage’).
The processes surrounding account freezing are a key area of focus. The FCA and GFSC expects PSPs to consider these processes under the cross-cutting rules and retail customer support outcome. Firms must strive to make account freezing less frequent, less protracted, better communicated, and better supported, avoiding disproportionate freezing or inadequate explanations.
A comprehensive CD compliance program must embed retail customer interests at the core of their strategy and business objectives, driven by strong leadership from the Board. This demands a fundamental shift in the firm’s organisational ethos, integrating CD principles into employee training programs, performance management frameworks, and business incentive structures. Every employee, from front-line staff to senior management, must understand and prioritise good customer outcomes. It is essential that the CD compliance framework (including due diligence, fair value assessments, communication reviews, and Board discussions) and all monitoring conducted against that framework is documented and recorded.
Fair Value Assessment and Pricing Strategy: Products and services must offer fair value, characterised by a reasonable relationship between the price paid by retail customers and the benefits they receive. For card and account products, this means ensuring the overall price is proportionate to the benefits. Regulatory guidance explicitly warns against unjustified price increases and confirms that even where price caps exist, firms must demonstrate fair value, which may necessitate offering rates below the maximum permissible cap. Any commissions paid by customers must be rigorously considered within the fair value assessment to ensure they are justified and reasonably related to the distributor’s cost or the value added. Firms are not required to adopt cost-plus pricing or standardise pricing across all product lines and business areas, but they must ensure each product offers fair value on its own merits.
Enhancing Retail Customer Understanding and Communications: Firms must communicate in a manner that fosters retail customer understanding and enables effective, timely, and properly informed decision-making. This entails providing prominent, sufficient, and timely information that presents a balanced view of both the costs and risks, and the benefits of the product. Communications must be clear, easy to understand, and adaptable to diverse customer needs, including those with varying levels of financial literacy or language proficiency. PSPs should invest in user experience (UX) and communication design, potentially leveraging digital channels to deliver personalised, interactive, and easily digestible information. This approach includes rigorous testing of communications for effectiveness and adapting them based on retail customer feedback, moving beyond static, legally compliant but often overwhelming disclosures. Firms should adopt good practices like layering information, prioritising key details upfront, and using simple, relevant language, avoiding unnecessary disclaimers. They must ensure communications are tailored to the characteristics of the target market, and for individual customers when appropriate.
Proactive Identification and Support for Vulnerable Customers: See next section.
Robust retail customer Support Mechanisms: PSPs must provide a level of support that meets retail customers’ needs throughout their relationship with the firm. This means customer service should enable retail customers to realise the benefits of their products and services and support them in pursuing their financial objectives. Firms should make it at least as easy for customers to switch products, leave their service, or make a change as it is to buy the product in the first place. The quality of post-sale support should be as good as pre-sale support. PSPs should provide readily accessible and effective support channels appropriate to their target market and clearly signpost these services. If customer support issues are identified, including from complaints data, prompt action must be taken to correct them. Firms must also have exceptions processes for non-standard issues like fraud or technical problems, potentially requiring real-time human interaction.
The CD places significant emphasis on addressing the needs of vulnerable customers. This requires firms to proactively identify and address vulnerabilities through centralised operations, specialised staff, systematic data capture, and tailored communications.
PSPs should create an empathetic ecosystem that anticipates customer needs and provides proactive, tailored support. This may involve implementing advanced data analytics to identify potential vulnerabilities early, training staff not only in procedural compliance but also in empathetic communication, and designing flexible and accessible support journeys.
Whilst not requiring the collection of new data on protected characteristics, firms should use existing data to monitor for different outcomes for various groups. Staff must be trained to recognise and respond to vulnerability, and firms should establish clear processes for customers to disclose their needs.
Operations related to vulnerability need to be centralised to ensure improved handling, consistent data capture, and accurate trend identification. The emphasis on multiple sources of data and the need to avoid repackaging existing data highlights the necessity of an integrated data ecosystem that links disparate data points—such as call center interactions, transaction history, website clicks, and detailed complaint information—to construct a holistic view of the customer journey. Within a multi-party BIN sponsorship model this need for centralised data oversight can be very challenging and requires strong coordination and collaboration between the various stakeholders.
The CD’s scope extends to all firms within the distribution chain for products and services sold to retail customers, irrespective of whether a direct relationship exists, provided the firm is required to exert material influence over customer outcomes.
Managing CD obligations presents particular challenges in the PSP sector, especially when firms operate under multi-party BIN sponsorship models involving program managers and brand partners.
In Bin Sponsorship models, the regulated PSP provides the e-money or payment services, but the card or account programs are often branded by major commercial partners—who may have more frequent direct contact with end users. Additionally, third-party program managers may coordinate the day-to-day technical operational elements of the program, such as card processing management, working closely with both the brand partner and the PSP. This creates a complex chain of responsibility, making it more difficult to ensure that good client outcomes –as required under the CD – are consistently delivered, managed and monitored.
As a Bin Sponsor, a PSP inherently possesses significant material influence over the card and account programs it facilitates. The regulated firm cannot simply rely on the brand partner’s compliance, especially when dealing with often unregulated major brand partners. Whilst some functions can be delegated to third parties (program managers and/or brand partners), firms cannot delegate their responsibility and accountability for complying with their regulatory obligations. The PSP, as the outsourcing firm and Bin Sponsor, retains ultimate responsibility for meeting the relevant aspects of the CD, even if the outsourced provider has direct contact with cardholders and accountholders or material influence over customer outcomes.
To manage these risks effectively, PSPs should embed CD compliance within their wider comprehensive and integrated compliance framework, building on existing structures for:
Where responsibilities are shared across multiple parties, clear contractual arrangements, mapped accountability, and information-sharing protocols should be in place. PSPs should also regularly review whether customer-facing communications and support services provided by third parties align with the CD four outcomes: products and services, price and value, consumer understanding, and consumer support.
Product and Service Governance for Branded Card Programs: The PSP bears responsibility for ensuring that the underlying card and account products are fit for purpose and meet the needs of their target retail customers. This includes the critical task of defining a clear target market and, equally important, identifying a negative target market (i.e., retail customers for whom the product is unsuitable), and ensuring that distribution strategies are consistently aligned with these definitions. For co-branded products, the responsibilities for product design, terms and conditions, creditworthiness assessments, and transaction processing must be carefully delineated among all parties involved in a written agreement. The PSP must implement robust product governance frameworks that rigorously scrutinise the design, intended target market, and potential for foreseeable harm of every branded card/account program. This involves proactive engagement with brand partners at the product design stage, ensuring their marketing, customer engagement, and operational processes align with the firm’s CD obligations. This may require more stringent due diligence and ongoing monitoring of brand partners.
Ensuring Fair Value in Diverse Program Structures: The fair value outcome applies universally to all products and services. In the context of complex distribution chains, assessing fair value requires a comprehensive consideration of all costs and benefits, including any fees or commissions charged by brand partners. The PSP’s fair value assessment must extend beyond its direct charges to encompass the entire cost structure imposed on the end customer within the BIN Sponsor-Program Manager-Brand Partner chain. This is especially critical when the brand partner operates outside direct regulatory oversight, as their retail customer practices will not be subject to the same scrutiny. The PSP must conduct thorough due diligence on the entire value proposition presented to the end customer through these programs. This includes negotiating contractual terms that allow for oversight of the brand partner’s pricing and fees, and establishing parameters for what constitutes fair value within the partnership agreement. The Board of the PSP must be satisfied that the total cost to the retail customer, considering all parties in the distribution chain, delivers fair value, even if it requires influencing the brand partner’s commercial model.
Due Diligence and Contractual Governance with Brand Partners: Given the non-delegable nature of CD responsibilities, robust due diligence and comprehensive contractual governance are paramount when engaging with brand partners. Before entering any outsourcing arrangement, firms are expected to conduct a thorough pre-outsourcing analysis, encompassing checks on the service provider and assessing the significance of any disruption or failure to the firm’s financial resilience. This due diligence must extend beyond standard financial and operational checks to a deep dive into the brand partner’s retail customer protection practices, especially if they are not directly regulated to the same standard as the PSP. The PSP must establish an enterprise-wide risk management framework that identifies and mitigates risks inherent in third-party arrangements. Agreements with business partners should include provisions that allow the PSP to audit the partner’s operations in respect of the card program, request relevant data on customer outcomes, and impose corrective actions to ensure alignment with CD requirements. PSPs should also review their agreements with agents and distributors to determine if additional requirements, including information sharing, are required to ensure CD compliance. PSPs must consider the whole distribution chain and ensure that their contractual business partners roll down any necessary obligations, rights and powers to any connected processors or parties that are not directly contracted with the PSP.
Information Sharing and Collaboration Across the Distribution Chain: Effective compliance hinges on robust information sharing and active collaboration across the entire distribution chain. The FCA and the GFSC expect firms in the same distribution chain to share relevant information to enable each firm to meet its CD obligations and address potential issues swiftly, thereby preventing retail customer harm. (See also our guidance on managing the GDPR issues involved in multi-party payment service chains). The parties in the chain must establish formal protocols for regular information exchange, including periodic reporting on customer outcomes, complaint data, and product performance metrics. This promotes a shared understanding of retail customer risks and promotes collective responsibility. In some cases a BIN sponsorship model will also involve another regulated firm as program manager or brand partner. If a firm identifies a significant concern that another firm’s conduct could cause foreseeable harm to consumers, it is expected to act, which may include, challenging the other firm, taking steps to mitigate the risk to consumers, suspending activities and even notifying the regulator if concerns continue.
We set out in the Scenarios Schedule below some hypothetical examples of some of the issues PSPs need to consider to ensure they meet the CD within a co-branded Bin Sponsor product construct.
The Board holds ultimate responsibility for assessing whether the firm is delivering good outcomes consistent with the CD. To facilitate this, the firm is required to prepare a report for its governing body (at least annually), detailing the results of its monitoring of retail customer outcomes and outlining any necessary remedial actions. Note the requirement for ongoing monitoring and periodic review within the operational teams is continuous, the Board Report is therefore an opportunity for the firm’s directors to review and challenge the CD compliance framework, processes and outcomes.
The FCA have published various rules, guidance and recommendations on how firms should meet the CD. PS22/9 sets out the Consumer Duty final rules, FG22/5 contains the non-Handbook Guidance for firms on the Consumer Duty and they have also published examples of good practice in key areas such as customer support outcomes. In Gibraltar, the GFSC actively reviewed local firms’ compliance, releasing a thematic review of CD Board Reports in March 2025, which highlighted both commendable practices and areas requiring improvement.
Key Aspects of a Good Board Report:
Remedial Action Framework: For addressing identified risks and poor outcomes, firms must take appropriate action to rectify situations where deficiencies are discovered. Action plans must be clearly defined in terms of purpose, specific actions, assigned responsibilities, realistic timescales, and the data to be used to evidence their effectiveness. Root cause analysis is essential for identifying underlying trends and implementing necessary systemic changes to prevent recurrence. This iterative nature of continuous monitoring, ongoing review, and the requirement to remedy or mitigate issues highlights a continuous improvement cycle. The firm should establish clear escalation paths for identified poor outcomes, assign specific owners for remedial actions, and rigorously track progress, with a robust feedback loop to product design, communication, and customer support teams to prevent recurrence and drive systemic improvements.
The CD is a significant extension of financial services regulation, demanding a proactive, outcomes-focused approach from PSPs operating in both the UK and Gibraltar. Compliance is not a tick-box exercise but requires a fundamental cultural transformation, embedding retail customer interests at every level of the firm.
For PSPs managing card and account programs, particularly those involved in complex multi-party BIN sponsorship arrangements with often unregulated brand partners, this means maintaining control of non-delegable responsibilities and exercising material influence across the entire distribution chain. Brand partners and program managers may not be regulated firms and so the onus is on the regulated PSP to ensure they are fully educated about the responsibilities that come with offering regulated financial products (and their role in enabling the PSP to do so).
Brand partners must not let natural reluctance to share confidential, commercially valuable customer data obstruct the ability for the PSP to ensure the CD requirements are met for the benefit of all parties in the chain. This is necessary for a successful co-branded card /account program that is not subject to scrutiny, regulatory intervention and potential adverse media and fines. It also necessitates PSPs being more selective about which program managers and brand partners they are able to work with, business partners that do not demonstrate a culture of compliance in other areas (IT, data protection, fraud management, aggressive pricing, etc) are unlikely to be safe partners for the PSP when considering the CD obligations.
By carefully building robust compliance programs, ensuring fair value, fostering retail customer understanding, providing comprehensive support, and rigorously reporting on outcomes to the Board with transparent remedial action plans, PSPs can meet their regulatory obligations and solidify their reputation as trusted financial services providers committed to delivering genuinely good outcomes for their retail customers across all their products and services. Proactive engagement, diligent oversight, and continuous improvement are crucial for demonstrating an effective culture of compliance.
Scenario 1: Product & Services – Misaligned Target Market and Foreseeable Harm
Scenario 2: Price & Value – Opaque Fees and Erosion of Value
Mandatory VAT Defences:Mastering the Two-Item Rule and managing the Fixed Establishment Trap.
Since its initial publication, the landscape surrounding the UK Gambling White Paper, particularly concerning illegal lotteries, prize competitions, and free draws, has continued to evolve…We will delve into the latest developments and their potential impact on businesses and consumers, offering a current perspective on the ongoing efforts to refine gambling regulations and ensure a fairer, more transparent environment for all.
Overview of current UK approach to systemic stablecoins and comparison with how MiCAR regulates important (significant) stablecoins
Latest updates on the latest implementation status of the Markets in Crypto-Assets Regulation (MiCAR).