Read our note to help you benchmark compliance in the areas highlighted by the FCA’s latest Dear CEO letter: FCA priorities for payments firms: A compliance checklist
UK
Payments
- FCA sets out payments priorities: The Financial Conduct Authority has published a letter to payments firms outlining three key outcomes for the sector: (1) effective competition and innovation to meet customers’ needs, characteristics and objectives, (2) firms do not compromise financial system integrity, and (3) firms keep customers’ money safe. The letter outlines the actions that firms should take to achieve these goals, for example noting that they should ensure that effective reporting mechanisms are in place. Two areas for future development are identified: the creation of a new Open Banking regulatory framework and changes to strong customer authentication.
Read our blogpost: FCA tells payments firms to improve governance standards
- Feedback statement on digital wallets: The FCA and the Payment Systems Regulator have released a joint feedback statement regarding the responses to their July 2024 Call for Information to assess the impact of big technology and digital wallets (covered in our August 2024 update). The statement notes that digital wallets present an opportunity to foster innovation and may increase competition between payment systems, benefitting consumers. However, it also highlights stakeholder concerns regarding competition, consumer protection and operational resilience. These include the gaps in current regulatory frameworks, with some stakeholders advocating for the FCA to expand its remit to cover digital wallets. The FCA has identified steps to address these issues, for example stating it plans to engage with HMT on the current regulatory framework as part of its review of the Payment Services Regulations and Electronic Money Regulations.
Digital assets
- FCA looks to tackle misleading financial promotions: In its recent analysis of financial promotions data collected during 2024, the FCA has reiterated the need for firms to continue to raise standards with respect to compliance with the cryptoasset financial promotions regime. This aligns with recent sentiments expressed by the FCA on this topic (as covered in our November 2024 update). The analysis also notes that the FCA increased the number of financial promotions it withdrew or amended by 97.5% in 2024 as compared with 2023, further demonstrating its commitment to tackling misleading financial promotions.
AI
- Treasury Committee inquiry on AI in financial services: The House of Commons Treasury Committee has commenced an inquiry into AI within financial services. The inquiry aims to investigate how the opportunities presented by AI may be exploited by UK financial institutions, whilst maintaining consumer protection and preventing financial instability. Areas on which input is being sought include how AI is currently used in different areas of financial services, how this may evolve in the next decade and the risks and benefits of using AI in financial services. The Committee is aiming to obtain input from a range of stakeholders and the consultation closes on 17 March 2025.
General
- Guidance on failure to prevent fraud: Ahead of the failure to prevent fraud offence coming into force under the Economic Crime and Corporate Transparency Act 2023, UK Finance has published guidance to help firms prepare for its introduction. As of 1 September 2025, firms will be criminally liable for failing to prevent a fraud offence committed by an associated person, although there is a defence for those with reasonable prevention measures or where it is not reasonable for a firm to have such measures. The guidance is advisory only and consists of three sections: (1) interpreting the offence, (2) reasonable prevention procedures, and (3) the circumstances in which prevention measures would not be deemed reasonable.
Visit our webpage: The UK Economic Crime and Corporate Transparency Hub
EU
Open Finance
- FIDA remains on the EU’s agenda: The European Commission has re-established its commitment to its proposed Financial Access Data regulation. Initially proposed in 2023, FIDA aims to regulate the sharing of financial data within the EU. Despite recent reports that the regulation would be withdrawn from the Commission’s agenda, FIDA appeared on the list of pending proposals in the Commission’s final 2025 work programme. However, the original proposal, with its broad scope and tight implementation timeline, may still be amended. Trilogue talks may be further delayed as the EU legislators re-evaluate their approach.
Read our blogpost: It’s complicated: The EU’s on-again off-again relationship with open finance
Operational resilience
- ESAs publish roadmap for designating CTPPs under DORA: The European Supervisory Authorities have provided a roadmap of the steps for designating ICT third-party service providers as “critical” under the Digital Operational Resilience Act. The roadmap confirms the previously announced deadline of 30 April 2025 for the ESAs to receive registers of information on ICT third-party arrangements. The ESAs will deploy this information to perform criticality evaluations and will inform relevant service providers that they are to be deemed “critical” by the end of July 2025. Following notification, service providers will have a six-week window in which to object to their designation as CTPPs via a reasoned statement and supporting information. By the end of 2025, the ESAs will have made their final designations, though other firms may subsequently apply for “critical” status.
- Commission adopts penetration testing standards: The European Commission has adopted regulatory technical standards on threat-led penetration testing under DORA. The RTS includes the criteria used for identifying financial entities required to perform TLPT, the requirements for TLPT scope and management, the standards governing the use of internal testers and rules regarding the supervision required for the implementation of TLPT. The European Central Bank has also modified its framework for threat intelligence-based ethical red-teaming (TIBER-EU) to align with the DORA framework.
Read our blogpost: ESAs set out roadmap towards the designation of critical ICT third-party service providers and Commission adopts RTS on threat-led penetration testing
- Amendments to DORA ICT and security risk management measures: Harmonised ICT risk management requirements now apply under DORA. The European Banking Authority has, accordingly, announced that it has reduced the scope of its Guidelines on ICT and security risk management measures. The rationale behind the changes is the avoidance of duplication and the need to provide legal clarity to the market. One significant change is the narrowing down of the entity scope to firms covered by DORA. The scope of the requirements on relationship management of payment service users in relation to the provision of payment services has also been reduced. The updated Guidelines will apply within two months of the publication of the translated versions.
Digital assets
- MiCA Delegated Regulations to enter into force: Following their publication in the Official Journal of the EU on 13 February 2025, several Delegated Regulations under the Markets in Cryptoassets Regulation will come into force on 5 March 2025. Topics covered by these regulations include complaints-handling and co-operation arrangements between competent authorities and supervisory authorities of third countries.
- Commission adopts more MiCA rules: The Commission has adopted more RTS under MiCA, setting technical standards on record-keeping and conflicts of interest policies. The Council and Parliament will scrutinise the regulations before they are published in the Official Journal.
- ESMA consults on draft knowledge and competence guidelines under MiCA: The European Securities and Markets Authority has published a consultation paper addressing the draft guidelines for the criteria to assess knowledge and competence under MiCA. Amongst other obligations, the draft guidelines state that cryptoasset service providers should ensure that their staff have the necessary knowledge and competence to fulfil their obligations. They also state that CASPs should ensure this knowledge and competence is assessed, maintained and updated by firms. The consultation will close on 22 April 2025 and ESMA expects to publish a final report in Q3 2025.
AI
- Guidance on the definition of “AI system”: The European Commission has published guidelines regarding the definition of an “AI system” under the EU’s AI Act. Published in the wake of a 2024 consultation, in which feedback on the seven main elements of the definition of an “AI system” was sought, the new guidance expands upon each aspect of the definition in turn. For example, the guidelines on ‘inference’ (the fifth element of the definition of an “AI system”) distinguish basic data processing systems from those that can learn, reason and model, with the latter likely to be deemed an AI system.
Read our blogpost: EU – Guidance on “AI systems”. Does an elephantine definition matter?
Global
Digital Assets
- Digital Assets Defined: The Wolfsberg Group, consisting of 13 international banks, has issued FAQs on Defining Digital Assets. Designed to help firms evaluate the anti-money laundering and counter-terrorist financing risks posed by digital assets, the FAQs may prove a helpful resource in developing policies to tackle these areas. Various digital assets, such as anonymity-enhanced cryptocurrency, are defined in the FAQs, whilst topics such as the concept of digital assets as a product or service and relevant stakeholders are also addressed. Updates will be published in due course, with the Group aiming to provide further guidance as the landscape develops.
Payments
- Wolfsberg Group Guidance on Payment Transparency: In addition to its digital asset FAQs, the Wolfsberg Group has recently published Guidance on Payment Transparency – Roles and Responsibilities. Addressing the responsibilities of stakeholders to abide by payment transparency standards, this may serve as useful guidance for payment services providers.
- FATF publishes second consultation on payment transparency: The Financial Action Task Force has published a consultation document proposing updates to its recommendation 16 (R 16), its interpretive note (INR 16) and the corresponding Glossary. Aimed at aligning these standards with changes in payment business models and developing risks within the sector, the proposals incorporate stakeholder feedback on the FATF’s initial February 2024 consultation. Updates include an increased emphasis on the varied responsibilities for different types of payment transfers and an amended objectives section which clarifies that real-time sanctions screening is not required by R 16 in every scenario. The deadline for responses is 18 April 2025 and the FATF plans to finalise its revisions in June 2025. It subsequently plans to publish guidance on payment transparency.