Regulators have responded to these changes with a mix of incremental adjustments and bold new frameworks. The introduction of the revised Payment Services Directive (PSD2) in the UK and Europe marked a significant step, mandating stronger customer authentication and giving third-party providers access to payment account infrastructure and data. While some saw PSD2 as a natural evolution from earlier directives, its impact has been far-reaching, fundamentally altering how payments are made and data is shared.
In the UK, the Financial Conduct Authority (FCA) has played a proactive role in evolving the market, balancing consumer protection with the need to encourage innovation. Regulatory sandboxes, for example, have allowed businesses to trial new products in a controlled environment, reflecting an evolutionary approach to regulation that adapts to the pace of technological change.
In recent years, the FCA has also increasingly sought to align payment services regulation with standards applicable to other financial service providers. One example is the Consumer Duty, which ensures payment firms uphold high standards of customer care and fair treatment. Moreover, the introduction of new CASS (Client Assets Sourcebook) rules brings payment institutions closer to the robust safeguarding requirements traditionally imposed on banks, strengthening consumer protection and operational resilience. The KPMG 2026 PayMod report highlights this trend, with 65% of organisations stating that complying with evolving regulation is a key driver of payments modernisation.
Currently, payment firms in the UK are not fully subject to the Senior Managers Certification Regime (SMCR). However, the FCA has expressed concerns about governance in the sector and is pushing for an extension to improve conduct and clarify responsibility for senior individuals. It intends to broaden the SMCR’s coverage to include these firms, thereby enhancing individual accountability. This development is a further example of the ongoing effort to bring payment firm regulation into greater alignment with the regulatory framework applied to other financial services institutions.
We have also seen over recent years the FCA transition payment regulation from prescriptive, rules-based regulation to a principles-based approach (or "outcomes-focused" regulation). This shift aims to move away from rigid compliance checklists toward ensuring firms deliver fair, safe, and transparent outcomes for consumers. The FCA's Consumer Duty is the cornerstone of the shift, requiring firms to proactively demonstrate they are delivering good outcomes for customers, moving beyond legalistic, "letter of the law" compliance.
The transition towards principles-based regulation in the payments sector has been driven by several key factors. Firstly, this approach is inherently more adaptable to innovation, enabling regulatory frameworks to keep pace with the rapid evolution of fintech without the need for constant legislative updates. Secondly, regulators are seeking to cultivate a culture of accountability among firms, encouraging them to embrace the spirit of the law rather than simply adhering to its letter. This strengthens ethical standards and promotes fair treatment of consumers. Finally, the shift supports proactive protection by expecting firms to embed fraud prevention and security measures into their products from the outset, rather than relying on remedial action after rules are breached.
At the European level, the proposed Payment Services Directive 3 (PSD3) is on the horizon, and aims to further modernise the regulatory framework in Europe. It is expected to enhance consumer protection and respond to technological advances, particularly around digital payments and cybersecurity. Its introduction signals both evolutionary and revolutionary elements within the regulatory landscape, reflecting the sector’s ongoing transformation. According to the KPMG PayMod Report, a significant proportion of firms indicated that factors such as cybersecurity and resilience (86%) and payment services regulation (84%) are already having a large impact on firms’ payment platforms, strategies and costs. With the emergence of PSD3, this trend is only expected to continue in the foreseeable future.
PSD3 also proposes to extend regulatory coverage to new types of payment providers and business models, such as those arising from advances in Open Banking and embedded finance. It is also expected to address emerging risks associated with digital wallets, cryptocurrencies, and other innovative payment solutions, ensuring that regulation keeps pace with rapid technological change.
Overall, PSD3 aims to foster innovation and competition in the payments market, while maintaining a high level of consumer protection and security. Its eventual adoption will mark both an evolution of existing frameworks and a revolution in the approach to digital payments, reflecting the dynamic nature of the sector and the need for regulatory agility in the face of ongoing transformation.
Collectively, these motivations underpin the move towards a regulatory environment that is agile, forward-thinking and focused on delivering positive outcomes for both consumers and the industry.