Payments View - June 2025

Welcome back to Payments View, it was great to see so many of you at Money2020 this year. Hope that everyone has recovered!

We have a packed edition of Payments View this month covering updates on:

• FCA multi-firm review of payments and e-money firms
• PSD3 – Final Texts in Sight
• EBA Opinion on PSD2 and MiCA Overlap
• Delay on Non-Bank PSPs’ Access to Central Bank Systems
• Standardised Terms for EU Payment Accounts
• UK Consumer Credit Reform – simplification and modernisation
• PSR APPR consolidated Policy Statement
• FCA’s New Enforcement Guide
• House of Lords Report on Growth and Competitiveness
• Next Stage of UK Crypto Regulation
• PSR Policy Statement on Specific Directions 2 and 3
• PSRs 2017 Update: Farage Termination Changes
• EU and FATF AML List Updates
• UK Payment Services MoU Updated

As always, don’t hesitate to reach out to us if you would like to discuss any of the developments in this edition.

“None of the firms we reviewed fully met our expectations” – FCA multi-firm review on risk and wind-down planning

Before we get started on a number of European-focused updates, we wanted to flag a key FCA update with the publication of its latest multi-firm review of e-money and payments firms. Here, the FCA’s focus has been on risk management frameworks and wind-down planning (“WDPs”), with the regulator’s view being that none of the 14 firms reviewed were fully complying with the FCA’s expectations.

The regulator has published its findings and is now expecting firms to review their own arrangements against the good/bad practices it has identified. This review, building on other recent comments on the importance of these frameworks by the FCA, as well as the additional (European) obligations on similar grounds, suggest that this is an area of regulatory compliance firms will need to re-focus on.

The FCA identified three general areas for improvement in risk management frameworks:

• Enterprise-wide risk management frameworks: Many firms lack comprehensive frameworks that reflect the complexity and scale of their activities and/or was “not appropriate for the current business and insufficient to support sustainable growth”. Risk management often remains siloed, with inadequate stress testing and insufficient financial resources beyond the minimum regulatory requirements.
• Liquidity risk management: The FCA believes that firms are not clearly identifying and articulating liquidity risks given the activities of the firm as well as raising a number of points on the use of cash balances.
• Group risk: The FCA found that material group risks were not being sufficiently identified or managed. Firms often rely on group-level policies without tailoring them to their specific risks, leading to unclear governance and decision-making during crises.

The FCA also identified several key areas for improvement in wind-down plans, highlighting the need for firms to enhance their frameworks to ensure credibility and operability:

• Disconnection from risk management frameworks: Most WDPs reviewed were inconsistent with firms’ risk management frameworks, reflecting broader issues in risk management and risk appetite frameworks.
• Lack of detail, testing, and validation: WDPs often lacked sufficient detail and were not adequately tested or validated, making them impractical in real-world scenarios – going so far as to say some were “inoperable” due to insufficient practical detail.
• Key considerations omitted: WDPs reviewed did not analyse how the wind-down timeline can be delayed by issues such as safeguarding, financial crime or contacting customers, for example not considering meeting obligations to safeguard residual customer funds for 6 years.
• Unrealistic timescales and resource assessments: Plans frequently did not include realistic timelines or assessments of how financial and non-financial resources would be maintained during the wind-down process.

The FCA did highlight elements of good practice observed across firms, both in the context of risk management frameworks and WDPs, albeit apparently at varying levels of maturity and completeness:

• Embedding risk management fundamentals in FG20/1 alongside integration of WDPs with wider risk management frameworks.
• Risk management frameworks that are commensurate with the complexity and scope of activities.
• Documenting conflicts of interest policy and lines of authority over intra-group arrangements, including access to shared financial resources.
• Explicitly considering liquidity risk in the risk management framework.
• Detailed and operable WDPs, making them practical and actionable.
• Comprehensive resource modelling including advisory fees, redundancy costs, and employee retention expenses.

Firms are now expected to review their arrangements against these findings and make necessary improvements to meet the FCA’s expectations.

We have assisted a number of firms with these points, so if it would be useful to have a quick chat on the FCA’s findings do let us know.

PSD3 – Final Texts in Sight

The biggest European update for this edition has been that the Council of the EU published a press release announcing that its Permanent Representatives Committee (COREPER) has agreed the Council's negotiating mandate on the legislative proposals relating to the Directive on payment services and electronic money services in the internal market (“PSD3”) and the Payment Services Regulation (“PSR”). In short, we’re getting there on final texts and firms will need to start getting up to speed on the EU-wide changes to the payment services regime, to the extent they’ve not already started to consider these.

In this latest set of changes, the Council has proposed:

• A requirement for PSPs to share fraud-related information.
• Bringing electronic communications service providers, such as internet carriers and messaging platforms, within the scope of fraud prevention. This is a really key step and, while the fraud prevention measures under PSD3/PSR are much lighter than under the UK (focused around Verification of Payee), this will be one to track for UK firms to see whether it affects the APP regime.
• Requiring ATM transactions to show all fees due and exchange rates before a transaction takes place and introducing further provisions intended to enhance transparency on payment card scheme fees and rules.
• Introducing “safeguards concerning innovative ways of making payments” empowering the EBA to review “and if appropriate update [relevant RTS] on a regular basis”.

The agreement on the negotiating mandate allows the Presidency of the Council to start negotiations with the European Parliament with a view to reaching political agreement on the legislation.

The Council published the texts of each of the mandates for negotiations with the European Parliament on 13 June 2025:

• Proposed text for the Directive on payment services and electronic money services in the internal market (PSD3) (10176/25).
• Proposed text for the Payment Services Regulation (PSR) (10268/25).

If you’re still trying to find the best way to update your teams on PSD3, we’d be very happy to discuss our latest product ‘PSD3 Ready’ which provides a detailed, provision by provision rulebook that will act as a one-stop companion for legal and compliance teams to help identify all the key changes.

EBA Opinion on PSD2 and MiCA Overlap

The EBA has issued an opinion (a ‘No Action Letter’) addressing the interplay between PSD2 and MiCA, aiming to resolve challenges arising from dual authorisation requirements for crypto asset service providers (“CASPs”) who are transacting electronic money tokens (“EMTs”).

The issue stems from the fact that certain activities involving EMTs could be seen as being under the scope of both PSD2 and MiCA, creating a regulatory overlap that would impose significant burdens on CASPs. To address this, the EBA has proposed a two-pronged approach:

Long-term Resolution: The EBA “advises the EU Commission, Council and Parliament to use the legislative process of PSD3/PSR to amend MiCA by strengthening/inserting in MiCA requirements applicable to the subset of crypto-assets services with EMTs that qualify as payment services in key areas such as the protection of consumers, the security of payments, the calculation of own funds, the reporting of payment fraud, and more”. This is the preferred approach and would include re-producing, or cross referring to, the relevant requirements set out in the PSD3/PSR.

Interim Measures: For the transitional period of two to three years while PSD2 remains in effect, the EBA has provided guidance to NCAs as to which activities involving EMTs should be regarded as payment services with

• the transfer of crypto assets where they entail EMTs and are carried out by the entities on behalf of their clients and custody and the administration of EMTs should be seen as payment services;
• custodial wallets should be regarded as a payment account under the PSD2, where the wallet is held in the name of one or more clients and allows to send and receive EMTs to and from third parties; and
• some services not constituting payment services, including the ‘exchange of crypto-assets for funds’ and ‘exchange of crypto-assets for other crypto-assets’ and cases where crypto-asset service providers intermediate the purchase of any crypto assets with EMTs.

NCAs are advised to grant applicants a transition period until 1 March 2026 before requiring authorisation under PSD2 for crypto asset related services classified as payment services as set out above,

Following on from this, NCAs are also advised to prevent entities that are not licenced as a PSP or have not entered into a partnership with a PSP, from providing services related to EMTs that qualify as a payment service. While the interim proposals mean that many EMT transactions will fall clearly out of scope of the payments regime, we are already seeing issues for those operating in the market (particularly on the licence required for firms/groups providing services related to EMTs that qualify as a payment service) so do let us know if you’d like to discuss.

Delay on Non-Bank PSPs’ Access to Central Bank Systems

A quick update that the ECB has postponed the timeline for non-bank payment service providers (“NB-PSPs”) to access Eurosystem central bank-operated payment systems and central bank accounts. Amendments to the Settlement Finality Directive and PSD2 had initially set 16 June 2025 as the date for NB-PSPs to request access to TARGET, the Eurosystem's central payment infrastructure. However, this has now been deferred to 6 October 2025.

The delay is attributed to some euro-area member states not yet transposing the required amendments into their national legislation. To avoid legal uncertainty, the ECB has also extended the transition period for NB-PSPs to migrate to TARGET until 31 March 2026. This decision ensures a smoother transition and is intended to avoid operational disruptions for NB-PSPs.

We know this is a key one for European clients (with background on the proposals in the Spring edition) so do let us know if you’d like to discuss.

Standardised Terms for EU Payment Accounts

Finally from a European perspective, the EBA have published a report following a review of the standardised terms for the most common services relating to payment accounts under the Payment Accounts Directive (“PAD”) set out in RTS from January 2018 – with no change to the terms proposed.

Under Article 3(6) of the PAD, the EBA is required to regularly review the standardised terms. The EBA found that the current list of standardised terms remain suitable and fit for purpose, and does not require immediate changes. It does acknowledge that there would be potential benefit to amending the standardised terms to include instant credit transfers due to their increasing prevalence following the implementation of the Instant Payments Regulation ((EU) 2024/886). However, it believes that the benefit is outweighed by the costs involved for NCAs and for the industry due to the need to make available amended disclosure documents to all of their customers and NCAs.

The EBA has therefore decided not to amend the RTS. Instead, it will revisit the findings in four years' time or when significant other market or legislative developments occur to ensure the terminology remains relevant and effective.

UK Consumer Credit Reform – simplification and modernisation

This has been a long time coming but the recent publication of the CCA consultation paper and HM Treasury’s confirmation on the incoming regulation of BNPL are key moments in modernising the UK's consumer credit regime. If the CCA proposals (which are under consultation) are taken forward, then we will see a much needed simplification and modernisation of the CCA, integrating much of its content into the FCA Handbook. This will result in significant changes to the current (very rigid) sanctions for non-compliance (relying instead on other regulatory deterrents including the FCA’s general enforcement powers, Consumer Duty rules and the Senior Managers and Certification Regime), with many of the prescriptive information requirements being removed entirely.

On BNPL, the Draft Legislation and Government Response to the BNPL Consultation both build on the FCA’s ongoing work to bring these products within the regulatory perimeter, with the current position being broadly the same as set out in the October edition of Payments View from last year. As a reminder:

• Scope: Merchant-provided instalment credit will remain exempt (subject to an anti-avoidance provision).
• Conduct requirements: In line with the wider proposed CCA reforms, CCA disclosure and servicing rules (e.g. in relation to pre-contract disclosure, content of agreements and notices of sums in arrears) will be disapplied, with the FCA planning to develop bespoke rules. Similarly, BNPL will not be subject to CCA enforcement sanctions (e.g. unenforceability); firms will, instead, be regulated via the FCA's principles-based regime.
• Credit broking: The Government has maintained its position on exempting most merchants from the requirement to obtain credit broking permissions, but unauthorised merchants will need to have financial promotions signed off by an authorised person.
• Interaction with payment services regime: Where BNPL arrangements qualify as payment services, providers must also comply with the Payment Services Regulations 2017. The FCA may disapply duplicative information requirements using the rules it is developing.

For BNPL providers, this means significant operational adjustments but also an opportunity to build consumer trust under a regulated regime. Traditional lenders will see a more level playing field, and consumers can expect enhanced protection and clearer information to make informed financial decisions.

We’ve broken out the updates in more detail here and we will be hosting a webinar with the FCA on BNPL regulation on 18 July 2025 which you can sign up for here. The session will provide an opportunity to discuss the implications of the new framework and share insights on best practices for compliance.

APP Fraud Reimbursement Requirements – PSR consolidated Policy Statement

In an interesting move, the PSR has published a “consolidated” policy statement setting out a “single point of reference” on the APP scam reimbursement regime (over six months after the regime was put in place). At less than 30 pages it is certainly a slimmer document than the collected documents industry has been working with to date and should provide a useful first reference point for firms. For more complex questions, however, firms will still need to refer to specific guidance in the Directions, PSRs publications and Pay.UK rulebook (which, when we last ran the numbers, together was nearly 250,000 words).

The main takeaway is the ‘FAQ section’ at the back of the document which is intended to provide additional guidance following the “constructive suggestions” from the industry. While our submission of a PSR-branded car crash emoji wasn’t directly addressed we’d suggest that firms sitting on the perimeter of the regime do take a look at the answers here as some (particularly question 8 on page 24) are more than a simple clarification and could affect how firms scope in the products they offer.

A few other useful points to pull out are that:

• where amendments might be required to SD19-21 and SR1, the PSR (and its successor) is planning to only issue amendments in April and/or October each year;
• the 12-month evaluation of the regime is still on track for later this year and will include consideration of the maximum level (currently £85,000 per claim); and
• the implementation date for Reporting Standard B is still not confirmed.

FCA’s New Enforcement Guide Published

After a decisive pushback from industry on the FCA’s ‘name and shame’ regulatory proposals, the final Enforcement Guide has now been published by the FCA in policy statement PS25/5. The headline grabbing element of this was the FCA’s climb down on its ‘name and shame’ proposals, which were widely trailed. What remains is the ability to publish in ‘exceptional circumstances’, which will be supplemented by the FCA’s ability to:

• announce where there is suspected unauthorised or criminal activity.
• reactively confirm an investigation (e.g. where a firm or other investigatory body has already made the fact of the investigation public); and
• share information on an anonymous basis where it is desirable for education or to encourage compliance with FCA Rules (‘Enforcement Watch’).

Importantly, these new circumstances will only apply to investigations commenced on or after 3 June 2025, which is a significant row back from the original proposals which were intended to apply across the entirety of the FCA’s enforcement book.

Other points that caught our eye were:

• A focus on enforcement work reducing financial crime which highlights what we think is going to be the FCA’s key focus in the ‘pro-Growth’ era.
• The bar has been raised for opening an investigation, which we think will result in greater use of FCA supervisory powers.
• No investigation opened in the last 2 years has been closed with no further action.
• The FCA will publish anonymous info where to do so would be educational (not yet clear if that means we will get an ‘Enforcement Watch’ or similar).

We know that a number of clients were tracking this following our seminar with the FCA earlier this year so do let us know if it would be useful to speak further with our colleagues in the litigation department.

FCA and FOS: House of Lords Report on Growth and Competitiveness

The House of Lords Financial Services Regulation Committee has published its second report on the FCA's secondary objective of facilitating the UK economy's growth and international competitiveness. It isn’t a glowing report card and identifies key barriers to growth, including regulatory inefficiency, uncertainty, and a pervasive culture of risk aversion which stifles innovation and discourages new market entrants. The Committee has specifically called on the FCA to prioritise removing redundant or duplicative requirements to provide firms with the clarity and certainty needed to maximise the benefits of the Consumer Duty. The report also continues to highlight the need for reforming the redress framework, citing the Consumer Duty as an example of a requirement where there is a real risk of the FCA and FOS taking inconsistent approaches. The Committee stresses that the FOS must focus on its original mandate of providing swift redress rather than acting as a quasi-regulator by examining complex issues.

The FCA has published a statement responding and reaffirming its commitment to supporting economic growth and outlining steps it has already taken, such as retiring outdated supervisory documents, paring back its insurance rulebook, and working on redress reforms.

Next Stage of UK Crypto Regulation

As you will probably have seen, there has been a lot of UK crypto developments over the last few weeks and, while you can find further details on our sister-publication Crypto View, we wanted to flag that the FCA has released both CP25/14 (inviting feedback on proposed rules and guidance concerning the issuance of qualifying stablecoins and the safeguarding of qualifying cryptoassets) and CP25/15, which sets out proposed prudential requirements for cryptoasset firms.

CP25/14 forms part of a wider effort to develop a comprehensive regulatory framework for cryptoassets in the UK. It follows HM Treasury’s publication of a Draft SI and Policy Note outlining proposals for a new regulatory regime for cryptoassets, as well as the FCA’s earlier Discussion Paper (DP25/1) on the regulation of cryptoasset activities.

In related news, one update that caught our eye was that JPM has announced its own ‘deposit token’ (JPMD); a stablecoin-like token on Coinbase’s public blockchain Base which is meant to serve as a digital representation of a commercial bank deposit. JPMD is intended to offer clients round-the-clock settlement as well as the ability to pay interest to holders, only being available to JPMorgan’s institutional clients.

PSR Policy Statement on Specific Directions 2 and 3

Acknowledging that “the current Faster Payments central infrastructure will likely be operational for significantly longer than previously expected” the PSR has published a policy statement and consultation paper (PS25/4) announcing its decision to revoke Specific Direction 3 (SD3) and Specific Direction 3a (SD3a), while also consulting on the potential revocation of Specific Direction 2 (SD2) and Specific Direction 2a (SD2a). These changes are all tied up in the operation of the central infrastructure for Faster Payments and the delays in (and recent cancellation of) the New Payments Architecture programme based on the feedback the PSR received on their earlier consultation paper in December last year.

The PSR has determined that revoking SD3 and SD3a will provide the necessary flexibility and certainty to progress the objectives of the National Payments Vision. This includes reassessing the requirements for retail payments infrastructure and strengthening governance and funding arrangements. The PSR has also been consulting on the revocation of SD2 and SD2a, which relates to the competitive procurement of central infrastructure for BACs. The consultation on SD2 and SD2a closed on 5 June 2025, with a final decision expected shortly thereafter. The regulator’s initial view is that the rationale for revoking SD3 may also apply to SD2, as removing these obligations could similarly support the delivery of the NPV.

PSRs 2017 Update: Farage Termination Changes

We’ve been tracking this one for a while but we now have a date for the framework contract termination changes which will be effective from 28 April 2026, extending the minimum notice period for contract terminations from two months to 90 days and requiring PSPs to provide detailed explanations for terminations. Additionally, PSPs must inform users of their right to complain to the Financial Ombudsman Service.

The surprising point here has been how much lead time given to firms to make this change – the requirements themselves remain as discussed in previous editions of Payments View. The FCA will update its guidance to reflect these changes, ensuring firms are prepared for the new requirements.

If you’d like us to review or suggest some language to drop into your terms, do let us know.

EU and FATF AML List Updates

An update for your MLROs but the European Commission has amended the list of high-risk third countries to now include the addition of Algeria, Angola, Côte d’Ivoire, Kenya, Laos, Lebanon, Monaco, Namibia, Nepal, and Venezuela. Conversely, Barbados, Gibraltar, Jamaica, Panama, the Philippines, Senegal, Uganda, and the UAE have been removed from the list following improvements in their AML and CTF frameworks. You can refer to the full regulation here.

Moving away from sunny Europe to the even sunnier Caribbean, an update for international firms that the BVI has been added to the FATF grey list of jurisdictions under increased AML monitoring, with concerns that it may be added to the EU’s AML blacklist the next time it is updated. You can find more detail (albeit focused on the implication on the country’s funds industry) from our colleagues here.

UK Payment Services MoU Updated

Finally the Bank of England, FCA, PRA, and PSR have set out the results of their review of the collective Memorandum of Understanding on the high-level framework they use to cooperate with one another in relation to payments in the UK. Following engagement with a wide range of firms, trade associations and consumer groups, as well as members of the Vision Engagement Group a revised MoU has been published, focused on delivering the National Payments Vision (NPV), particularly through helping to enhance coordination across regulators.

The changes include outlining (at Annex 1) each entity’s roles and responsibilities, alongside key areas of policy, plus confirmation that there will be no immediate changes to the PSR's remit or ongoing work programme (despite its axing). There will be further revision to the MoU to reflect changes to the PSR’s remit “at an appropriate time” but in the meantime, the FCA and PSR note that they are working together, with the FCA's executive director for payments and digital finance also leading the PSR.

News Flash

• OTPs Banned by UAE Central Bank: The Central Bank of UAE has issued a directive asking financial institutions to eliminate weak authentication methods including SMS and email one-time passwords which, we understand, has caused significant difficulties for those in the market – do let us know if you’d like to discuss.,
• FCA Appointment: The FCA has appointed David Geale as the permanent Executive Director for Payments and Digital Finance who will also take on the role of Managing Director of the PSR. You can click here to read more from the press release.
• Financial Lives Survey: The FCA has unveiled key findings from its Financial Lives 2024 survey, shedding light on consumer vulnerability and financial resilience. The survey is always useful reading for firms to help them benchmark their own internal positions against the data that the FCA sees and reveals that 24% of all UK adults continue to have low financial resilience. The survey also sets out that 18% of adults struggle with financial numeracy and that one in 25 adults have specific accessibility needs. The full report is available here.
• FCA Open Finance Sprint 2025: The FCA's recent Open Finance Sprint brought together over 100 stakeholders to explore transformative financial services approaches. Focusing on financial wellbeing, growth, resilience, and digital ID, the FCA’s finding from the event may be interesting for firms to consider. You can refer to the article here.