European Payments & E-money
Regulatory Update and Outlook - July 2025

A roundup of recent and proposed UK, Gibraltar and EU regulatory changes for payments, e-money and banking firms.

Peter Howitt

Managing Director

Introduction

The regulatory environment for multi-national banking, e-money, and payment firms across Europe (including the UK, Gibraltar, and the European Union) is undergoing a period of profound and accelerated transformation, presenting both significant challenges and strategic opportunities. Firms must navigate increasing complexity, cost, and accountability, driven by diverging regulatory frameworks, a heightened focus on consumer protection, and the emergence of new technologies. Understanding these evolving landscapes is critical for maintaining compliance, managing risk, and driving sustainable growth.

UK Regulatory Landscape: A Period of Significant Reform

The UK financial services sector is experiencing a significant shake-up, with major regulatory overhauls impacting payment services, e-money, and emerging crypto-asset activities. The Financial Conduct Authority (FCA) and the Payment Systems Regulator (PSR) are at the forefront of these changes, alongside His Majesty’s Treasury (HMT) and the Bank of England.

  • FCA and PSR Merger: Streamlining Oversight

A significant development is the government’s announcement on 11 March 2025 that the Payment Systems Regulator (PSR) will be absorbed into the Financial Conduct Authority (FCA), with the move expected to take effect by late 2025. This consolidation aims to streamline oversight, reduce regulatory duplication, and address industry complaints about the complexity of engaging with multiple regulators.

For payment service providers, banks, and fintech firms, this merger presents both challenges and opportunities. It is anticipated to create a clearer, single point of engagement for regulatory matters, potentially reducing administrative burdens and fostering a more predictable regulatory landscape. The FCA plans to integrate the PSR’s staff and expertise, ensuring continuity of specialist payments knowledge within the new framework. While the full transfer of responsibilities requires new legislation, the PSR has stated it will continue to deliver on its work programme and commitments, retaining its full suite of powers pending these changes. The government’s National Payments Vision, published in November 2024, also emphasized the need to simplify existing plans and calls for the PSR and FCA to reduce regulatory overlap.

  • FCA’s Enhanced Safeguarding Regime (CP24/20): Strengthening Consumer Protection

The FCA is proposing fundamental changes to the safeguarding rules for electronic money institutions (EMIs) and payment institutions (PIs) (collectively, “Payments Firms”), representing the most significant overhaul since the rules’ inception. This reform is driven by persistent concerns over shortfalls in client funds during insolvencies (an average 65% shortfall in Q1-Q2 2023) and legal uncertainty following court rulings (e.g., Ipagoo LLP and Allied Wallet cases) that challenged the existence of a statutory trust over relevant funds.

The FCA intends to implement these changes in a two-stage approach:

  • Interim-state rules: Expected to be published in H1 2025 and enter into force six months thereafter, these rules will supplement existing safeguarding provisions in the Payment Services Regulations 2017 (PSRs) and Electronic Money Regulations 2011 (EMRs). Key requirements include:
    • Diversification and periodic review of third-party arrangements for holding, investing, insuring, or guaranteeing relevant funds.
    • Maintenance of a “resolution pack” (retrievable within 48 hours) with detailed information to assist insolvency practitioners in timely fund returns. This extends beyond existing wind-down plan requirements.
    • Monthly safeguarding regulatory returns to the FCA, providing granular detail on safeguarded funds and assets, including volumes, locations, breaches, or shortfalls.
    • Mandatory annual audits by independent external qualified auditors, with reports submitted to the FCA within four months of the period end.
    • Allocation of oversight responsibility for operational compliance to a firm individual with sufficient skill and authority.
    • Enhanced daily internal and external reconciliations of relevant funds to ensure the required amount is safeguarded, with material discrepancies notified to the FCA.
    • Impact: These prescriptive requirements will necessitate updating existing policies, governance arrangements, and staff training, potentially leading to significant operational burden and increased risk of supervisory and enforcement actions. Industry bodies like UK Finance and the Payments Association have voiced concerns about operational and financial strain, arguing that the changes may not adequately account for diverse business models.
  • End-state rules: These will ultimately replace the safeguarding provisions in the PSRs and EMRs, contingent on HMT amending the underlying legislation. A central feature is the imposition of a statutory trust over relevant funds, assets in which they are invested, and related insurance policies/guarantees. This would establish that Payments Firms have legal ownership of funds but hold beneficial ownership for customers, creating additional fiduciary duties. The “D+1 rule” (requiring direct receipt of relevant funds into a Designated Safeguarding Account by the end of the next business day) is expected to be abolished and funds will need to be received directly into safeguarding accounts, which may pose challenges for multi-currency and cross-border business models. 

See here for our previous article summarising the proposed changes: https://ramparts.gi/proposed-changes-to-safeguarding-rules-for-uk-payment-service-providers/

  • FCA Consumer Duty: Delivering Good Outcomes for Retail Customers

The Consumer Duty (CD) represents a fundamental shift in UK financial services regulation, mandating a proactive, outcomes-focused approach to consumer protection. It requires firms to put consumers at the heart of their business and focus on delivering good outcomes. The Duty applies to the regulated and ancillary activities of all firms authorised under FSMA, PSRs, and EMRs, in respect of products and services for prospective and actual retail customers.

Key Dates: The CD became effective for open products from 31 July 2023, and for closed products from 31 July 2024.

Scope and Principles: The CD applies broadly to retail customers, including individuals, micro-enterprises, and small charities (with annual income under £1 million for the latter two). Firms must ensure products/services meet customer needs, provide fair value, help achieve financial objectives, and do not cause harm. They must communicate clearly for informed decisions, avoid exploiting biases or vulnerabilities, and support customers without unreasonable barriers. Continuous monitoring and review of customer outcomes are expected, with boards taking full responsibility.

Specific Impacts for Payment Service Providers (PSPs):

  • The FCA views governance as a significant issue within the payments sector, making it a major focus. PSPs are expected to deliver a higher standard of customer care and protection.
  • A significant impact is on tackling fraud, particularly Authorised Push Payment (APP) fraud. Firms need robust controls and measures to mitigate fraud risks, with the FCA’s dedicated CD Intervention team scrutinising incidents.
  • Communications strategy must go beyond minimum disclosure, ensuring clarity of pricing and avoiding misleading promotions or hiding key terms. Digital-only firms must ensure online processes and information provision align with compliance, preventing harm if customers lose internet access.
  • Fees and charges must offer fair value (e.g., transaction, redemption, inactivity fees). Firms should proactively contact customers about upcoming charges to avoid deriving income from inertia.
  • Processes around account freezing are a key focus, with expectations for them to be less frequent, less protracted, better communicated, and supported.

Obligations Across the Distribution Chain: The CD’s scope extends to all firms within the distribution chain (e.g., BIN Sponsors, Program Managers, Brand Partners), irrespective of a direct relationship, provided the firm can exert material influence over customer outcomes.

  • The regulated PSP (e.g., BIN Sponsor) retains ultimate responsibility and accountability for meeting CD obligations, even if functions are delegated to third parties who have direct contact with customers. Unregulated brand partners and program managers must be educated on their responsibilities.
  • This necessitates robust due diligence and comprehensive contractual governance when engaging with partners, extending beyond standard financial checks to retail customer protection practices. Agreements should allow for auditing partner operations, requesting data on customer outcomes, and imposing corrective actions.
  • Product governance requires defining clear target and negative target markets, ensuring distribution strategies align, and scrutinising product design for foreseeable harm.
  • Fair value assessment must encompass the entire cost structure imposed on the end customer, including fees or commissions charged by brand partners.
  • Effective information sharing and active collaboration across the distribution chain are crucial, with formal protocols for data exchange (e.g., complaints, product performance) expected. Firms must notify the FCA if another firm in the chain is likely non-compliant.
  • Board-level Consumer Duty assessments and annual reporting obligations are essential to review and challenge the CD compliance framework.

See here for our previous article summarising the impact of the Consumer Duty regime for UK and Gibraltar Payment Service Providers:

https://ramparts.gi/consumer-duty-compliance-for-gibraltar-and-uk-payment-service-providers/ 

  • New UK Authorisation Regime for Cryptoassets and Cryptoasset Regulated Activities

The UK is integrating cryptoassets into its established financial regulatory framework, moving from a previous focus on AML registration and financial promotions (FinProm) to a comprehensive authorisation regime. HMT handles primary legislation, while the FCA develops detailed rules and undertakes supervision.

Scope: The regime targets “qualifying cryptoassets” (fungible, transferable, similar to traditional instruments) and “qualifying stablecoins”.

  • Key Regulated Activities will include the issuance of stablecoins, operation of trading platforms, dealing in/arranging cryptoassets, custody, and staking. Firms undertaking these activities will require full FCA authorisation.
  • Prudential Regulation: The approach draws from the MiFIDPRU framework, with crypto-specific adjustments. Proposed rules (COREPRU and CRYPTOPRU) outline the Overall Financial Adequacy Rule (OFAR) and Own Funds Requirement (OFR), which is the highest of:
    • Permanent Minimum Requirement (PMR): £350,000 for stablecoin issuers and £150,000 for cryptoasset custodians.
    • Fixed Overheads Requirement (FOR).
    • K-factor Requirement (variable based on activities/risks).
    • There are also Liquid Assets Requirements (BLAR, ILAR) and Concentration Risk rules. Cryptoassets issued by the firm or connected parties are not eligible as capital.
  • Custody Services: Firms safeguarding cryptoassets (including private key management) will require authorisation. Proposed requirements include segregation of client cryptoassets from firm assets, holding assets in a non-statutory trust arrangement, maintaining accurate books/records, and robust controls/governance.
  • Territorial Scope: The regime applies to UK-domiciled and overseas firms serving UK clients, particularly retail customers. The existing “overseas persons exclusion” will generally not be extended to cryptoasset activities.
  • Timeline: Draft legislation was expected in Q1 2025, to be laid in H2 2025, with implementation expected in mid-2026, following a 12-month transition period for already MLRs-registered firms. The FCA has planned multiple discussion and consultation papers.

See our deep dive into the proposed UK regime for authorisation of cryptoasset services: https://ramparts.gi/new-uk-authorisation-regime-for-cryptoasset-regulated-activities/

  • Operational Resilience: Strengthening the Financial Sector

The UK has adopted a two-pronged approach to bolster operational resilience.

  • A framework for operational resilience in the financial sector, implemented in March 2022, with a longstop compliance date of 31 March 2025, applying to regulated financial institutions, including those authorised under the Payment Services Regulations 2017 and Electronic Money Regulations 2011.
  • A new oversight regime for critical third parties (CTPs) providing material services to regulated financial institutions, which took effect from 1 January 2025. CTP designation is based on the likelihood that a service failure could threaten UK financial stability or confidence. Designated CTPs will face new obligations for risk management, testing, and incident monitoring/reporting. 
  • Unlike the EU’s DORA, the UK regime currently does not include fining powers for CTPs.

  • Authorised Push Payment (APP) Fraud Reimbursement Rules

The UK introduced a mandatory reimbursement scheme for victims of Authorised Push Payment (APP) fraud, which came into force on 7 October 2024. This applies to eligible payments made through the Faster Payments Scheme and the higher-value CHAPS system, requiring reimbursement within five business days, subject to exceptions. Territoriality: The rules primarily target UK-based PSPs. Non-UK PSPs only need to comply if they are undertaking operational activities within the UK (e.g., through a regulated local branch, holding funds in UK-based payment accounts offered to consumers, and executing authorised transactions from the UK). Serious international APP fraud poses an ongoing challenge to these protections. Moreover, significant concerns have been raised about the disproportionate impact of liability sharing passed on from larger banks to smaller PSPs with limited balance sheets.

  • Other UK Regulatory Developments

The Bank of England and HMT are in a “design phase” for a digital pound, with no final decision yet on its implementation. The PSR has ongoing market reviews, including on card scheme and processing fees and cross-border interchange fees, identifying concerns about competition and increasing costs. The FCA has also finalized rules extending its Code of Conduct (COCON) to include serious non-financial misconduct (e.g., bullying, harassment), effective 1 September 2026. While these rules currently do not apply to payments firms or e-money institutions, the FCA aims to align this approach across all financial services, indicating a foreseeable risk of future extension.

Gibraltar Regulatory Landscape: UK Alignment with Unique Considerations

Gibraltar remains a key jurisdiction for e-money and banking, with its regulatory framework heavily influenced by its need to maintain access to the UK market and its alignment strategy with UK standards. The Gibraltar Financial Services Commission (GFSC) is the primary regulator.

  • Alignment with UK Standards: Dual Regulatory Burden

Gibraltar has closely aligned its regulatory framework with that of the UK. For example, Gibraltar introduced its own Financial Services (Core Principles and Consumer Duty) Regulations 2024, effective 9 May 2024, which largely mirror the UK FCA’s Consumer Duty. This creates a dual regulatory burden for Gibraltar PSPs benefiting from UK market access under passporting arrangements, effectively requiring adherence to both FCA and GFSC frameworks. The GFSC is actively reviewing local firms’ compliance, with thematic reviews having started in Q3 2024. 

  • Credit Institution Framework: Distinct from EMIs

For credit institutions in Gibraltar, the core legislation, primarily the Financial Services Act 2019 and the Financial Services (Credit Institutions and Capital Requirements) Regulations 2020, establishes a comprehensive prudential regime for banks. These requirements are much stricter than those for EMIs. As credit institutions, they are subject to the Gibraltar Deposit Guarantee Scheme, which protects depositors’ funds, a key distinction from the safeguarding rules applicable to EMIs/PIs.

  • UK-Gibraltar Passporting – GAR Soon?

The continued functioning of the UK-Gibraltar transitional passporting and temporary permission arrangement is vital for many firms, especially those leveraging a Gibraltar credit institution licence to service the UK market. This arrangement is currently set to last until 31 December 2025, though the FCA notes it may be extended to allow for the implementation of the permanent Gibraltar Authorisation Regime (GAR). While Gibraltar firms are primarily supervised by the GFSC, UK authorities retain powers to intervene if they perceive inadequate supervision or divergence from UK standards, which could threaten market access. The likelihood of a failure to extend the current temporary regime or agree to the more broadly structured GAR is assessed as very low given the political and economic importance of UK market access for Gibraltar and the UK (which is ultimately responsible for Gibraltar as a British Overseas Territory with significant strategic importance to the UK).

Note: EMIs and PIs in the UK are regulated under the Electronic Money Regulations 2011 (EMR 2011) and Payment Services Regulations 2017 (PSR 2017), not directly under FSMA and the Gibraltar Order, and so are not directly subject to the Temporary Permissions Regime. Gibraltar EMIs and PIs operate under entirely separate provisions in the Payment Services Regulations 2017 (Schedule 7) and Electronic Money Regulations 2011 (Schedule 5), which were amended by the Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018 (SI 2018/1201) and do not require renewal.

  • Outsourcing, Agents, and Distributors: Retained Accountability

Gibraltar’s approach to outsourcing closely mirrors UK and EU standards. The GFSC has published a comprehensive Guidance Note on Outsourcing and Third Party Risk Management, which emphasizes that firms remain fully accountable for outsourced functions in line with UK and EU law and practice. Key expectations include formal outsourcing policies, thorough due diligence, written contracts with access/audit rights, and business continuity/exit plans. For firms operating with Program Managers (PMs), this framework is central to the GFSC’s supervision, requiring robust oversight and treating any regulatory failure at a PM as a direct failure of the BIN Sponsor’s own systems and controls.

  • Consumer Duty

See our previous article summarising the impact of the Consumer Duty regime for UK and Gibraltar Payment Service Providers:

https://ramparts.gi/consumer-duty-compliance-for-gibraltar-and-uk-payment-service-providers/ 

European Union Regulatory Landscape: Harmonization and Centralization

The EU payments ecosystem is undergoing significant evolution, driven by efforts to accelerate instant payments, overhaul existing payment directives, centralize AML/CFT supervision, and regulate crypto-assets.

  • Instant Payments Regulation (IPR): Accelerating Real-Time Transactions

The European Commission’s Instant Payments Regulation (IPR) is set to revolutionize the region’s payments ecosystem by mandating near real-time fund transfers (settled within 10 seconds) available 24/7. 

Key Deadlines for Eurozone Banks:

  • From 9 January 2025: Banks must be able to receive instant payments in euro and charge the same or lower fees as for regular transfers.
  • By 9 October 2025: Banks must also be able to send instant payments in euro and verify the intended beneficiary.
  • For PSPs outside the euro area, these capabilities will be required by 2027. The IPR aims to accelerate adoption, support the digital economy, and remove barriers to widespread use. It also removes the €100,000 transaction limit for SEPA Instant Credit Transfers and mandates more precise timestamping and real-time customer notifications. Meeting these requirements necessitates significant technical and operational upgrades, but also presents an opportunity for firms to innovate and strengthen their market position.

  • Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a major EU regulation that came into effect on 17 January 2025, introducing uniform digital resilience and ICT risk management standards for EU-regulated financial institutions, including payment and e-money firms. It also establishes a new supervisory regime for critical ICT third-party service providers (CTPs).

DORA mandates that firms implement internal governance frameworks and robust ICT risk management strategies, including defined risk tolerances and regular testing. One key requirement is threat-led penetration testing (TLPT), which is more demanding than prior regimes. Firms must also maintain communication strategies for ICT disruption events and comply with new rules on outsourcing and third-party risk. Contracts with ICT providers must meet minimum standards—especially if they support critical functions.

Critical ICT CTPs, once designated based on systemic importance and substitutability, face direct EU oversight by the European Supervisory Authorities (ESAs). They must establish strong risk controls, testing regimes, and incident monitoring procedures. Non-EU ICT providers serving EU firms may be required to set up an EU presence.

DORA’s delegated regulation on TLPT standards entered into force on 8 July 2025, reinforcing its implementation across the financial sector and third-party supply chains.

In contrast, the UK’s operational resilience regime, also in force in 2025, is broadly similar but differs in key areas:

  • DORA specifies detailed contractual requirements; the UK does not.
  • DORA grants fining powers over ICT CTPs; the UK does not.
  • DORA has extraterritorial reach; the UK regime does not require a UK presence.
  • Designation criteria for CTPs differ between jurisdictions.

DORA significantly raises the compliance bar, especially for BIN Sponsors and outsourcing-heavy fintechs. Operational failings by Programme Managers may be treated as failings of the Sponsor itself, reinforcing the need for end-to-end oversight, risk controls, and contractual enforcement throughout the value chain.

  • PSD3 and the Payment Services Regulation (PSR): A New Legislative Structure

Published on 28 June 2023, the European Commission’s landmark legislative package splits the existing framework into a third Payment Services Directive (PSD3) and a new, directly applicable Payment Services Regulation (PSR). This represents an evolution of PSD2, aiming to address inconsistencies, level the playing field between banks and non-banks, and bolster consumer protection. 

Final rules are expected by late 2024 or early 2025, with an 18-month transition period, suggesting applicability in 2026.

Key Changes:

  • Merger of E-money and Payment Services: The Second E-Money Directive (EMD2) will merge with PSD3 and the PSR, creating a single, harmonised regulatory framework. EMIs will become a sub-category of PIs, subject to the same licensing regime but with some stricter requirements (e.g., higher initial capital) preserved.
  • New Authorisation Requirements: Firms will need to demonstrate compliance with new requirements as part of a simplified re-authorisation process, including the submission of a detailed winding-up plan outlining measures for an orderly wind-down. Existing authorisations remain valid for 24 months after PSD3 enters force, with re-application required within 18 months.
  • Enhanced Safeguarding: PSD3 retains PSD2 safeguarding requirements but introduces a mandate to mitigate concentration risk by ensuring safeguarded funds are not held entirely with one institution. It clarifies that e-money funds must be safeguarded by the end of the next business day and mandates prior notification to regulators of material changes. The European Council’s position on PSD3 introduces clearer obligations, enhanced protections, and requires institutions to inform users about applicable insolvency laws and potential risks. It also stresses that payment institutions must safeguard the full amount owed to users, regardless of any deductions from international card scheme netting.
  • Fraud and Open Banking: The package introduces stricter rules on fraud and enhanced open banking.
  • Direct Applicability: The PSR’s directly applicable nature is intended to minimise national implementation discrepancies, reducing compliance complexity for firms operating across multiple EU member states.

  • EU AML/CFT Package and Anti-Money Laundering Authority (AMLA): Centralised Supervision

The EU has finalised a transformative Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) legislative package. It consists of the 6th AML Directive (AMLD6), a directly applicable AML Regulation (AMLR), and a regulation establishing the Anti-Money Laundering Authority (AMLA).

  • AMLA will begin operations in mid-2025 and assume direct supervisory responsibility for a selection of up to 40 of the highest-risk cross-border financial institutions by 2026.
  • This represents a fundamental shift towards a single, integrated system of AML/CFT supervision across the EU, aimed at closing loopholes from inconsistent national implementation.
  • The European Banking Authority (EBA) is tasked with developing binding Regulatory Technical Standards (RTS), with a key consultation closing on 6 June 2025, and final standards submitted by 31 October 2025. The new rules will largely apply from mid-2027.

  • Markets in Crypto-Assets Regulation (MiCAR): Regulating Digital Assets

MiCAR introduces a comprehensive regulatory framework for crypto-assets, fostering innovation while ensuring consumer protection, market integrity, and financial stability. It primarily targets Crypto-Asset Service Providers (CASPs), including exchanges, custodians, brokers, advisors, and trading platforms. Key obligations for CASPs include licensing, capital requirements, consumer protection measures, market integrity rules, and adherence to existing AML/KYC regulations (e.g., AMLD5, AMLD6).

Electronic Money Tokens (EMTs): MiCAR specifically regulates single-currency stablecoins as Electronic Money Tokens (EMTs).

  • Only authorised EEA credit institutions (banks) and Electronic Money Institutions (EMIs) can issue EMTs to the EU market.
  • Issuers must notify national regulators and provide a detailed white paper outlining token characteristics and risks.
  • They must guarantee 1:1 redemption of EMTs at par with the referenced fiat currency, without fees.
  • Issuers must adhere to prudential requirements (capital, reserve, liquidity) to ensure they can meet redemption requests and maintain stability. MiCAR imposes strict requirements on reserves backing stablecoins, demanding a significant portion be held in highly liquid financial instruments and deposits, with thresholds for daily/weekly maturities.
  • “Significant” EMTs (reaching certain thresholds for customer base or market capitalisation) face additional requirements, including stricter capital/custody rules, audit requirements, interoperability, and direct supervision by the EBA.

Interplay with PSD2/PSD3: The EBA has provided crucial clarity on the regulatory overlap affecting EMTs. In a “No Action” letter published on 10 June 2025, the EBA clarified that transfer and custody services for EMTs also constitute payment services under PSD2.

  • This creates a temporary but significant dual-authorisation burden for Crypto-Asset Service Providers (CASPs) engaging in these activities, as they must obtain a PSP authorisation or partner with an authorised PSP by 1 March 2026.
  • The EBA recommends that National Competent Authorities (NCAs) apply both MiCA and PSD2 capital requirements cumulatively, which will impose significant capital costs. However, to avoid regulatory conflict, the EBA has advised NCAs not to prioritise enforcement of PSD2’s safeguarding requirements for EMT-related services, as MiCA has its own robust asset reserve rules. This development is highly relevant for anyone operating in the crypto space, imposing substantial new regulatory and capital hurdles.

See our detailed guide to MiCAR here: https://ramparts.gi/european-crypto-assets-law-and-regulation/

  • EBA Guidelines on Outsourcing Arrangements EBA/GL/2019/02:

    These guidelines are foundational for managing third-party risk in the EU, applying to credit institutions, payment institutions, and e-money institutions when they outsource functions. They cover the entire outsourcing lifecycle, emphasizing that firms remain fully accountable for outsourced functions.

  • EBA Consultation on Product Oversight & Governance (POG) Guidelines:

    A consultation launched on 9 July 2025 signals the EBA’s focus on emerging consumer protection risks, particularly integrating Environmental, Social, and Governance (ESG) features into products and combating “greenwashing”. Final guidelines are planned for Q1 2026, applying from 1 December 2026.

Cross-Jurisdictional Considerations and Strategic Implications for Multi-National Firms

The confluence of these regulatory changes creates a complex and challenging environment for multi-national banking, e-money, and payment firms.

  • Regulatory Divergence: The Post-Brexit Landscape

Since Brexit, the UK and EU have embarked on separate regulatory trajectories, leading to significant divergence in critical areas. The UK’s proposed statutory trust for safeguarding (going beyond current EU requirements) and its proactive Consumer Duty are prime examples. This divergence means a “one-size-fits-all” compliance strategy is no longer viable for groups operating with licences in different regulatory spheres (e.g., Gibraltar EMI or bank for the UK and Gibraltar + Maltese EMI for EEA). Firms must maintain and enhance a dual-track compliance framework, with specific, ring-fenced procedures for areas of significant divergence, including separate operational playbooks, risk models, and legal documentation.

  • Increased Compliance Burden and Cost of Doing Business

The cumulative effect of new reporting requirements (e.g., monthly safeguarding returns), mandatory annual audits, and higher capital expectations will inevitably raise the cost of doing business. This impacts firms’ profitability and resource allocation.

  • BIN Sponsorship and Outsourcing: Heightened Scrutiny

Regulatory scrutiny remains high for fintechs leveraging BIN sponsorship, with a heavy emphasis on AML controls and operational risk. Crucially, a regulatory failure at a Programme Manager is now treated as a direct failure of the BIN Sponsor’s own systems and controls. The regulated PSP, as the outsourcing firm and BIN Sponsor, retains ultimate responsibility for meeting relevant regulatory obligations (e.g., Consumer Duty), even if the outsourced provider has direct contact with customers or material influence over outcomes. This necessitates a robust framework for managing risks posed by the PM network, including due diligence, ongoing monitoring, risk management, and contractual enforcement. Clear contractual arrangements, mapped accountability, and information-sharing protocols are essential where responsibilities are shared across multiple parties.

  • Need for Proactive Adaptation

To navigate this landscape successfully, multi-national firms must:

  • Invest in technology and governance upgrades to enable segregation, transparency, real-time reconciliation, and efficient regulatory reporting.
  • Optimise dual-jurisdiction models, clearly defining and documenting intra-group arrangements to meet the stringent requirements of all relevant authorities (e.g., GFSC, MFSA).
  • Consider developing “centres of excellence” within the group, leveraging expertise efficiently while ensuring local compliance.

The increased compliance burden also presents an opportunity for larger, more robust sponsors to offer “compliance-as-a-service” as part of their value proposition, as smaller Program Managers may be driven towards such partnerships.

In conclusion, the regulatory landscape for multi-national banking, e-money, and payment firms is dynamic, complex, and rapidly evolving across the UK, Gibraltar, and the EU. Firms must proactively adapt to diverging rules, heightened consumer protection standards, stringent safeguarding requirements, and evolving crypto-asset regulations. Agile, informed strategies, coupled with diligent oversight and continuous improvement, are crucial for maintaining compliance, mitigating risks, and seizing competitive advantages in this transforming financial ecosystem.

Please contact me if you would like strategic regulatory support, M&A advice, independent compliance assessments or compliance guidance within the payments and e-money sector.
