Series

Publications

UK & EU Fintech and payments regulation update – September 2025

Publication|

2 September 2025

UK

Payments

FCA sets new safeguarding rules: The Financial Conduct Authority has confirmed changes to the safeguarding regime for payments and e-money firms. New FCA rules will supplement legislative requirements. They include new reconciliation, record-keeping and reporting requirements, as well as an annual audit of safeguarding compliance. The FCA says that this supplementary regime – formerly known as interim rules – will make it easier for the FCA to intervene when firms do not meet its safeguarding expectations. The rules start to apply on 7 May 2026.

Read our blogpost: FCA confirms tougher safeguarding rules for payments and e-money but delays longer-term reform

FCA hits pause on end-state rules: In last year’s consultation on the safeguarding regime (covered in our October 2024 update), the FCA proposed end-state rules which would have imposed a statutory trust and required firms to receive relevant funds directly into a designated safeguarding bank account. In its policy statement, the FCA says that it will assess the effectiveness of the supplementary regime before deciding whether to re-consult on these proposals. Allowing time for firms to implement the new rules and complete a full audit process, any such consultation is not expected before Q4 2027.

Listen to our podcast: FCA sets course for safeguarding reform

FCA updates Approach Document: The FCA has amended its guidance for payment services and e-money to reflect changes to the safeguarding regime. The draft version shows changes which will take effect in May 2026.
PSR revokes Specific Direction 2: The Payment Systems Regulator has confirmed that Specific Direction 2 has been revoked to allow space for a new approach to retail payments infrastructure under the National Payments Vision. SD2 required the operator of the Bacs payment system to procure contracts for central infrastructure services in a competitive manner. SD3 was revoked earlier in the year for similar reasons.

Open Banking

FCA shares feedback on the design of open banking: The FCA has responded to its call for input on the design of the Future Entity for UK open banking (covered in our May 2024 update). In its feedback statement, the FCA confirms that the Future Entity will not be a public body and will not have its own enforcement powers. It has also dropped plans for an interim body. The FCA is planning industry workshops ahead of further announcements before the end of the year.

AI

Legal risks for agentic payments: Agentic payments are transactions initiated and managed by AI-powered digital agents. These agents can act autonomously on the user’s behalf to authenticate users automatically on trusted sites, suggest optimal payment methods, and alert users when interacting with new or potentially risky domains. In a new blogpost we explore the key legal considerations for agentic payments.

Read our blogpost: Agentic payments: What are they, what are the legal risks and what’s next?

General

FCA suggests ways to improve digital design: FCA research examines how consumer credit providers use digital platforms in customer acquisition and application journeys. The review also highlights practical examples of both good and poor practice in the context of Consumer Duty standards on credit providers. Although the review focuses on consumer credit providers, the findings are of broader interest to all firms with a digital presence.
FCA finds algorithmic trading controls are insufficient: A review of algorithmic trading controls has found significant variation in compliance with regulatory technical standards under UK MiFID. Shortcomings include outdated governance policies, unclear ownership of algorithms and insufficient investment in market abuse surveillance. The FCA encourages firms to use the findings to strengthen compliance.

Read our blogpost: FCA finds shortcomings in algorithmic trading controls

First PISCES operator gets FCA greenlight: The FCA has approved the LSE as the first operator of a PISCES platform. PISCES will allow trading of shares in private companies on an intermittent basis. The LSE expects to launch its Private Securities Market later this year.

EU

DORA

EU prepares to designate vendors as critical: The European Supervisory Authorities have started to contact ICT third-party service providers to designate them as being “critical” under the Digital Operational Resilience Act. The ESAs are analysing data from financial entities’ registers of information and are applying criticality criteria under DORA’s oversight framework. They will finalise the designations and start overseeing critical ICT third-party service providers in the autumn. A list of designated providers is expected in November.

Read our blogpost: DORA: Designating critical ICT third-party service providers

AI

EBA promotes the use of SupTech tools to tackle money laundering: The European Banking Authority has published a report on how competent authorities are adopting supervisory technology (SupTech) to combat AML and CFT. According to the EBA, SupTech (including AI and blockchain) is supporting risk assessment, inspection planning and audit trails, but successful implementation depends on tailored strategies and effective cross-border and cross-disciplinary collaboration.
EIOPA opines on AI use in insurance sector: The European Insurance and Occupational Pensions Authority has released a report on AI governance and risk management for the insurance sector. The guiding principles include proportionality in risk assessment, strong data governance and transparency with customers. EIOPA will review supervisory convergence in two years and may issue further guidance.

Read our blogpost: EU insurance supervisor guides firms on managing AI risks

Digital assets

Crypto market abuse rules made law: Commission Delegated Regulation 2025/885 has been published on the Official Journal of the EU. It contains regulatory technical standards supplementing the Markets in Crypto-Assets Regulation. For example, the RTS specifies the arrangements, systems and procedures that those arranging or executing transactions in cryptoassets must have in place to prevent and detect market abuse under MiCAR. The rules start to apply on 9 September 2025.

Payments

FCA sets new safeguarding rules: The Financial Conduct Authority has confirmed changes to the safeguarding regime for payments and e-money firms. New FCA rules will supplement legislative requirements. They include new reconciliation, record-keeping and reporting requirements, as well as an annual audit of safeguarding compliance. The FCA says that this supplementary regime – formerly known as interim rules – will make it easier for the FCA to intervene when firms do not meet its safeguarding expectations. The rules start to apply on 7 May 2026.

FCA hits pause on end-state rules: In last year’s consultation on the safeguarding regime (covered in our October 2024 update), the FCA proposed end-state rules which would have imposed a statutory trust and required firms to receive relevant funds directly into a designated safeguarding bank account. In its policy statement, the FCA says that it will assess the effectiveness of the supplementary regime before deciding whether to re-consult on these proposals. Allowing time for firms to implement the new rules and complete a full audit process, any such consultation is not expected before Q4 2027.

FCA updates Approach Document: The FCA has amended its guidance for payment services and e-money to reflect changes to the safeguarding regime. The draft version shows changes which will take effect in May 2026.

PSR revokes Specific Direction 2: The Payment Systems Regulator has confirmed that Specific Direction 2 has been revoked to allow space for a new approach to retail payments infrastructure under the National Payments Vision. SD2 required the operator of the Bacs payment system to procure contracts for central infrastructure services in a competitive manner. SD3 was revoked earlier in the year for similar reasons.

Open Banking

FCA shares feedback on the design of open banking: The FCA has responded to its call for input on the design of the Future Entity for UK open banking (covered in our May 2024 update). In its feedback statement, the FCA confirms that the Future Entity will not be a public body and will not have its own enforcement powers. It has also dropped plans for an interim body. The FCA is planning industry workshops ahead of further announcements before the end of the year.

Legal risks for agentic payments: Agentic payments are transactions initiated and managed by AI-powered digital agents. These agents can act autonomously on the user’s behalf to authenticate users automatically on trusted sites, suggest optimal payment methods, and alert users when interacting with new or potentially risky domains. In a new blogpost we explore the key legal considerations for agentic payments.

General

FCA suggests ways to improve digital design: FCA research examines how consumer credit providers use digital platforms in customer acquisition and application journeys. The review also highlights practical examples of both good and poor practice in the context of Consumer Duty standards on credit providers. Although the review focuses on consumer credit providers, the findings are of broader interest to all firms with a digital presence.

FCA finds algorithmic trading controls are insufficient: A review of algorithmic trading controls has found significant variation in compliance with regulatory technical standards under UK MiFID. Shortcomings include outdated governance policies, unclear ownership of algorithms and insufficient investment in market abuse surveillance. The FCA encourages firms to use the findings to strengthen compliance.

First PISCES operator gets FCA greenlight: The FCA has approved the LSE as the first operator of a PISCES platform. PISCES will allow trading of shares in private companies on an intermittent basis. The LSE expects to launch its Private Securities Market later this year.

DORA

EU prepares to designate vendors as critical: The European Supervisory Authorities have started to contact ICT third-party service providers to designate them as being “critical” under the Digital Operational Resilience Act. The ESAs are analysing data from financial entities’ registers of information and are applying criticality criteria under DORA’s oversight framework. They will finalise the designations and start overseeing critical ICT third-party service providers in the autumn. A list of designated providers is expected in November.

EBA promotes the use of SupTech tools to tackle money laundering: The European Banking Authority has published a report on how competent authorities are adopting supervisory technology (SupTech) to combat AML and CFT. According to the EBA, SupTech (including AI and blockchain) is supporting risk assessment, inspection planning and audit trails, but successful implementation depends on tailored strategies and effective cross-border and cross-disciplinary collaboration.

EIOPA opines on AI use in insurance sector: The European Insurance and Occupational Pensions Authority has released a report on AI governance and risk management for the insurance sector. The guiding principles include proportionality in risk assessment, strong data governance and transparency with customers. EIOPA will review supervisory convergence in two years and may issue further guidance.

Digital assets

Crypto market abuse rules made law: Commission Delegated Regulation 2025/885 has been published on the Official Journal of the EU. It contains regulatory technical standards supplementing the Markets in Crypto-Assets Regulation. For example, the RTS specifies the arrangements, systems and procedures that those arranging or executing transactions in cryptoassets must have in place to prevent and detect market abuse under MiCAR. The rules start to apply on 9 September 2025.

UK & EU Fintech and payments regulation update – September 2025

Share this:

Contents

UK

Payments

Open Banking

AI

General

EU

DORA

AI

Digital assets

UK

Payments

Open Banking

AI

General

EU

DORA

AI

Digital assets

UK & EU Fintech and payments regulation update – September 2025

Share this:

Contents

UK

Payments

Open Banking

AI

General

EU

DORA

AI

Digital assets

​

​

UK

Payments

Open Banking

AI

General

EU

DORA

AI

Digital assets