UK & EU Fintech and payments regulation update - December 2025
UK
Digital assets
- Bank of England consults on systemic stablecoins: The BoE is consulting on a regulatory regime for systemic stablecoins in the UK. Key measures include backing asset requirements, temporary limits on stablecoin holdings and the management of transition risks from the Financial Conduct Authority’s non-systemic regime. The consultation closes on 10 February 2026. The BoE plans to consult on more aspects of the regime next year and finalise its rules later in 2026.
Read our blogpost: Bank of England consults on UK regime for systemic stablecoins
- FCA speech on cryptoassets and stablecoins: The FCA has published a speech by David Geale setting out its evolving approach to regulating cryptoassets and stablecoins. Firms should prepare for a period of regulatory development, with further consultations expected on market abuse, admissions and disclosure, prudential rules, regulated activities, consumer duty and regulatory reporting. The FCA’s Regulatory Sandbox stablecoins cohort has opened for applications (closing in January), with testing to begin shortly, and the FCA will run in-person stablecoin policy sprints in March. From early next year, crypto firms can expect regular engagement from the FCA on its standards and expectations, while the FCA will also shape international policy direction by leading the Transatlantic Taskforce for Markets of the Future.
Payments
- UK looks to future of payments infrastructure: UK regulators have announced a new strategy to overhaul retail payments infrastructure, aiming for more than a simple upgrade. The Payments Vision Delivery Committee, comprising the FCA, Payment Systems Regulator, BoE and HM Treasury, plans to prioritise enabling seamless account to account payments, supporting diverse digital money types, tackling payment crime, and fostering innovation and fair access. The strategy emphasises inclusivity, resilience, and secure data sharing. Delivery will take several years, with the BoE leading the design. The Committee will publish its Payments Forward Plan by year-end, detailing key initiatives for both retail and wholesale payments, including digital assets, as part of the UK’s broader National Payments Vision.
Read our blogpost: UK releases strategy for updating retail payments infrastructure
- BNPL exemption for domestic premises suppliers: Domestic premises suppliers offering interest-free Buy Now, Pay Later products will be exempt from credit broking regulation under recent amendments to the Financial Services and Markets Act 2000. A new Order, effective from 3 December 2025, clarifies that these suppliers do not need credit broking permissions to provide BNPL options. Firms already authorised with Part 4A permission for regulated credit agreements will be recognised as permitted lenders of regulated BNPL products from the regulatory commencement date of 15 July 2026.
AI
- Report on disruptive technologies and skills needs: HM Treasury has commissioned the Financial Services Skills Commission to lead a report on future artificial intelligence skills, training and innovation needs in financial services. The research will evaluate the technologies shaping future business practices, workforce requirements and sector growth across the UK. Key outcomes will include an assessment of the skills needed for successful adoption of innovative technologies, practical recommendations for building these capabilities, and a cost benefit analysis of proposed measures. The report’s findings are due by mid-2027.
EU
Payments
- PSD3 reforms agreed: The EU has reached political agreement on a new Payment Services Regulation and PSD3, replacing PSD2 and the Electronic Money Directive. The package reshapes EU payments rules, increasing liability for payment and technology firms, and strengthening consumer protection. Key changes include mandatory verification of payee for all credit transfers, enhanced liability for fraud (including employee impersonation), customer-controlled transaction limits and card blocks, clearer pre‑transaction fee and currency conversion disclosures, and greater responsibility for online platforms hosting fraudulent content. The framework also promotes access to cash, strengthens open banking and data access tools, mandates fair mobile data sharing, and aligns more closely with the MiCA crypto regime. Formal adoption is expected by early Q2 2026, followed by a transition period which is expected to be about 21 months.
Read our blogpost: PSD3 breakthrough – EU legislators agree payments regulation reforms
AI
- EU Digital Omnibus: The European Commission’s Digital Omnibus package aims to streamline EU rules on AI, cyber security and data. Key changes include delaying the high risk AI regime under the EU AI Act to 2 December 2027, revising AI literacy duties towards broader fostering by authorities, and allocating oversight of some AI systems to the Commission’s AI Office. The package also proposes a harmonised, single reporting portal for incidents and cyber attacks across multiple regulations, reducing the administrative burden on firms. The European Parliament and Council will now review these proposals. The Commission has also launched a Digital Fitness Check consultation which is open for feedback until 11 March 2026.
Read our blogpost: The EU Digital Omnibuses, AI and the Amish
- European Banking Authority factsheet on the AI Act: The EBA has published a factsheet highlighting that the AI Act complements existing EU banking and payments regulation, especially for high risk AI used in creditworthiness and credit scoring. Going forward, banks and payment institutions will need to integrate AI Act obligations with sectoral rules and manage oversight by multiple authorities. The EBA foresees enhanced supervisory cooperation, supports future European Commission guidance on high risk classification and interplay with financial services law, and plans activities in 2026/2027 to promote a common supervisory approach and provide input to the AI Office and AI Board.
Read our blogpost: EU authorities weigh up impact of AI regulation on financial services
Operational Resilience
- ESAs publish list of designated critical third party ICT providers: The European Supervisory Authorities have published the first list of designated critical ICT third party providers under the Digital Operational Resilience Act. The authorities will now engage directly with these providers to assess their risk management and governance frameworks, aiming to ensure the operational resilience of services offered to EU financial entities.
- ECB publishes guide on TIBER-EU SSM implementation: The European Central Bank has published a guide for significant institutions outlining its approach to threat led penetration testing under DORA. By adopting the TIBER-EU framework, the ECB aims to strengthen banks’ resilience against cyber threats and ensure compliance with new regulatory standards.
General
- ECB publishes slides on tokenisation and the future of finance: The ECB presentation at the Central Bank of Ireland’s Financial System Conference 2025 highlights its focus on tokenisation and distributed ledger technology within the future of finance. The ECB explains DLT as a decentralised database technology and defines tokenisation as the process of issuing assets as programmable tokens using DLT. The ECB emphasises the need to develop a European market for digital assets to preserve European sovereignty, advance the Savings and Investments Union and foster innovation. The ECB stresses the importance of robust EU infrastructure, euro-denominated settlement assets and harmonised EU-wide regulation.
International
General
- Tokenisation of financial assets: A report by IOSCO explores financial asset tokenisation, noting it is growing but widespread adoption is still limited. Key challenges include interoperability between platforms and a lack of credible settlement assets. While tokenisation promises quicker settlements and improved collateral movement, most trading continues to use conventional infrastructure. Legal, operational, and cyber risks may require new controls in a DLT context. IOSCO urges regulators to apply equivalent rules and outcomes across comparable activities and risks.
