UK & EU Fintech and payments regulation update - February 2025

Catch up our payments in 2025 blogpost series:

1. Operational resilience
2. Safeguarding
3. Payment services
4. Future of retail payments
5. AI in payments

UK

General

• FCA hints at contactless limit changes: In a letter to the government, Nikhil Rathi (FCA CEO) says that growth will be a cornerstone of its next five-year strategy. The letter notes that the FCA and PSR will introduce variable recurring payments as a new open banking payment method and use powers under the Data (Use and Access) Bill to develop open finance. It also suggests the FCA could remove the £100 contactless limit, levelling the playing field with digital wallets. The FCA calls on the government to act on digital identity authentication and verification.
• PSR on supporting the government’s growth mission: In its response to the government, the PSR outlines the steps it is taking to promote growth this year. These include taking action on card fees, enabling payments infrastructure for the future and realising the opportunities of open banking. The letter also notes that the PSR Managing Director role will join up with a new role at the FCA for an Executive Leader of Payments and Digital Assets.

Payments

• FCA and PSR set next steps for open banking: In a press release the FCA and PSR look forward to “significant progress” being made in 2025 on open banking. The regulators note the key role that Open Banking Limited will play in establishing an independent central operator to coordinate how variable recurring payments are made. They also plan to work with the industry to progress development of the commercial arrangements underpinning both variable recurring payments and use of open banking for e-commerce.
• PSR gives strategy update: Following a mid-point review of its five-year strategy, the PSR has released a strategy update. The PSR says its core commitments include embedding APP fraud reforms, finishing Phase 1 work on variable recurring payments and driving forward upgrade of Faster Payments. The PSR also plans to provide an update on its work on digital wallets in Q1 2025.
• PSR cross-border card fee consultation: The PSR’s consultation proposing a cap on cross-border interchange fees (covered in our January 2025 update) closes on 7 February 2025.

AML

• FCA review of money mule detection: Money mules move the proceeds of crime on behalf of criminals, sometimes unwittingly. The FCA has shared the results of a multi-firm review into how payment services firms use money mule account detection tools. The FCA encourages firms to refine their thresholds to ensure they are capable of identifying mule activity, recognise the risk of not investigating all alerts appropriately and demonstrate strong risk management by proactively detecting unusual transactions to stop fraudulent transactions sooner. The FCA expects all payment services and account providers to consider their systems and controls against the findings.

AI

• FCA studies bias in natural language processing: As part of its AI research series, the FCA has published findings from a pilot study exploring bias in a natural language context. The research suggests biases in word embeddings could be identified and removed at source through current methodologies. The FCA plans to release more research notes on how AI intersects with financial services.

Operational Resilience

• Operational incident and third-party reporting: The UK regulators are consulting on new operational incident and third-party reporting regimes. Join us on 10 February for a webinar on the proposals and how they compare to the EU’s Digital Operational resilience Act (DORA).
  
  Webinar: How DORA is impacting UK operational resilience rules

EU

Operational resilience

• DORA applies: Following a two-year implementation period, DORA started to apply on 17 January 2025. EU payment service providers must now report operational or security payment-related incidents according to the incident reporting framework under DORA. In response, the European Banking Authority has confirmed the repeal of its incident reporting guidelines under the Payment Services Directive (PSD2).

DORA deadline day arrives: Here are five things firms still need to do

• Commission settles debate on scope of ICT services: The European Commission has given guidance on when financial services may be treated as “ICT services” as defined under DORA. While it is possible that a regulated financial entity may provide ICT services, the Q&A suggests that this will only be where those services are unrelated to or independent from regulated financial services (whether regulated under EU law or elsewhere).

EU shares key guidance on DORA

• Commission rejects subcontracting rules: In a letter the Commission has formally rejected the European Supervisory Authorities’ draft regulatory technical standards on subcontracting under DORA. According to the Commission the proposed rules requiring financial entities to monitor the subcontracting chain goes beyond the ESAs’ mandate.

Commission rejects DORA subcontracting rules

AI

• AI literacy requirements take effect: The EU AI Act requires providers and deployers of AI systems to take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and others dealing with the operation and use of AI systems on their behalf. Training should take into account the context in which the AI systems are used. The requirement applies as of 2 February 2025. The Commission will release guidance on the requirement later in the year.

The EU AI Act: What is it and what do payments firms need to know?

Payments

• EBA releases PSD2 guidance: The EBA has released new Q&As on PSD2. For example, these relate to safeguarding with a credit institution in a third country; cancelling orders due to suspicions of fraud; exchange rate mark-ups; and the definition of e-money.

The EBA's latest PSD2 guidance and its impact for payments firms

EBA guidance on acquiring payments transactions and whether electronic money institutions can apply negative interest

Digital assets

• Guidance on non-compliant cryptoassets: In a statement, ESMA and the Commission say that cryptoasset service providers operating a trading platform are expected to stop making non-MiCA compliant asset-referenced tokens and electronic money tokens available for trading. To allow EU investors to liquidate or convert their position in non-MiCA compliant ARTs and EMTs, CASPs may maintain cryptoasset services for these products on a “sell only” basis until the end of Q1 2025. CASPs are told to launch communication campaigns aimed at raising awareness among investors about the impact of MiCA’s application on ARTs and EMTs that are not EU-authorised.
• ESMA opines on CASP conflicts of interest: ESMA has published an opinion relating to its draft RTS on conflicts of interest requirements for CASPs under MiCA (covered in our June 2024 update). The opinion considers amendments proposed by the Commission. The Commission may adopt the RTS with ESMA’s amendments or reject it
• ESMA guidance on MiCA best practice: ESMA’s supervisory briefing on the authorisation of CASPs under MiCA contains guidance on substance and governance, outsourcing and suitability of personnel. The guidance aims to help national regulators and applicants operationalise MiCA into concrete checks and controls. In ESMA’s view there are no “low-risk” CASPs. ESMA expects regulators to apply the principles in the supervisory briefing during authorisation procedures and to ensure continued compliance once CASPs have been authorised.