Keeping Pace with a Fast-Moving Regulatory Environment

Daily-updated regulatory intelligence across UK, Europe, GCC and Global markets. Updated automatically each morning.

🇬🇧 United Kingdom

Imminent United Kingdom

UK Safeguarding Reforms for PIs and EMIs

New requirements in force 7 May 2026

The FCA's updated safeguarding framework strengthens requirements for payment institutions and electronic money institutions around how customer funds are protected, reconciled and reported. Greater emphasis on auditability, record-keeping and insolvency preparedness reflects lessons from recent PI failures and increased FCA supervisory focus on fund protection.

Active United Kingdom

UK APP Fraud Reimbursement Rules

Mandatory reimbursement from October 2024 · First PSR review 2026

The Payment Systems Regulator's mandatory reimbursement rules for Authorised Push Payment (APP) fraud require sending and receiving PSPs to share responsibility for reimbursing fraud victims. With an £85,000 maximum reimbursement cap, the rules create significant commercial exposure for smaller payment institutions and have prompted industry-wide reviews of fraud controls and customer due diligence.

🇪🇺 European Union

In Progress European Union

Payment Services Directive 3 (PSD3) & PSR

Political agreement expected Q1–Q2 2026 · National transposition 2026–2027 · Full application 2027–2028

PSD3 builds on PSD2 with stronger fraud liability rules, enhanced open banking rights and new provisions for payment account access. The accompanying PSR creates directly applicable rules across member states, removing the inconsistency of national transposition for core requirements.

Active European Union

EU Instant Payments Regulation (IPR)

Receive mandatory from January 2025 · Send mandatory from October 2025 · First reporting April 2026

All eurozone payment service providers must now be able to both receive and send instant credit transfers in euro. Pricing must be equivalent to standard credit transfers. The April 2026 reporting deadline requires PSPs to submit data on service availability and adoption rates to national competent authorities.

In Progress European Union

EU Anti-Money Laundering Package

AMLA established 2024 · Regulation and Directive application from 2027

The EU AML Package creates a new authority, the Anti-Money Laundering Authority (AMLA), with direct supervisory powers over high-risk financial institutions. The package harmonises AML/CFT requirements across member states, introducing a single EU rulebook and removing the inconsistencies that currently allow regulatory arbitrage between jurisdictions.

Active European Union

EU AI Act, Financial Services Implications

High-risk AI provisions applicable from August 2026 · GPAI model rules from August 2025

The EU AI Act classifies certain AI systems used in financial services, particularly credit scoring, fraud detection and customer risk assessment, as high-risk, requiring conformity assessments, technical documentation, human oversight mechanisms and transparency obligations. Payment and credit providers using AI models for real-time decisioning must assess their compliance position ahead of the August 2026 deadline.

In Progress European Union

Digital Euro Enabling Regulation

ECB technical work completed late 2025 · Enabling regulation expected 2026 · Potential issuance decision post-2026

The ECB completed its technical and preparatory work on a digital euro in late 2025 following the investigation phase. The enabling regulation, currently under consideration by the European Parliament and Council, will define the legal framework for issuance, distribution through intermediaries, holding limits and the relationship between a digital euro and commercial bank deposits.

🌍 Gulf Cooperation Council

🇸🇦 Saudi Arabia

Active Saudi Arabia, SAMA

SAMA Revised Payment Systems Oversight Framework, Circular 472047719

Issued 8 March 2026, replaces 2021 framework; annual self-assessment and CPMI-IOSCO public disclosure obligations now in force for SIPS operators

The Saudi Central Bank (SAMA) issued Circular 472047719 on 8 March 2026, replacing the 2021 Oversight Framework for Payments and Financial Settlement Systems with a more prescriptive supervisory regime anchored to Royal Decree No. M/26 and the Principles for Financial Market Infrastructures (PFMIs). Systemically important payment system (SIPS) operators must now conduct at least annual self-assessments against CPMI-IOSCO standards and publish a public disclosure summary following receipt of a SAMA non-objection letter, a transparency obligation absent from the previous framework. Non-SIPS operators face periodic assessments tied to their licensing conditions, and SAMA retains the right to commission independent third-party reviews where it identifies control weaknesses. Payment system operators in Saudi Arabia should review their internal governance frameworks, PFMI alignment, and operational resilience capabilities to ensure readiness for formalised supervisory engagement and potential public disclosure requirements.

🇦🇪 United Arab Emirates

Active UAE, CBUAE

CBUAE, Updated AML/CFT/CPF Guidance for Licensed Financial Institutions

Guidance issued 16 April 2026; immediate application for all CBUAE-licensed financial institutions and Registered Hawala Providers under the UAE National AML/CFT/CPF Strategy 2024–2027.

The Central Bank of the UAE (CBUAE) issued a comprehensive revision to its AML, CFT, and counter-proliferation financing (CPF) framework on 16 April 2026, affecting all licensed financial institutions (LFIs) and Registered Hawala Providers operating in the UAE. The update introduces dedicated guidance on proliferation financing risk assessment, strengthened correspondent banking due diligence, and granular supervisory expectations across trade finance, moving beyond static sanctions screening toward continuous, dynamic risk monitoring. Customer due diligence and KYC are recast as ongoing obligations, not one-time onboarding exercises, with re-assessment required on material events and mandatory data retention standards. Payment firms, EMIs, and exchange houses must benchmark their existing frameworks against the new guidance and demonstrate active risk ownership, including updated risk models, board-level accountability, and documented gap assessments.

🌐 Global / Multi-Jurisdiction

Active Global

ISO 20022 Migration

SWIFT CBPR+ mandatory since November 2022 · Validation rules tightening 2025–2027 · MT sunset expected 2027

ISO 20022 is becoming the default messaging standard for high-value and cross-border payment systems globally. As SWIFT reduces tolerance for MT-to-MX translation and tightens validation rules, institutions with incomplete migration face growing operational and compliance risk. Structured data quality is now a baseline requirement.

Active Global

3DS2 & Strong Customer Authentication (SCA)

Mandated under PSD2 · PSD3 extends and refines SCA scope

Strong Customer Authentication requires payment transactions to be verified using at least two independent factors from the categories of knowledge, possession, and inherence. Under PSD2 and now PSD3, the obligation falls on the issuer for card transactions authenticated via 3DS, with liability shifting away from the merchant when 3DS is successfully applied. The commercial impact is significant: merchants who have not implemented 3DS correctly face higher fraud dispute rates and carry liability that authenticated transactions would transfer to the issuer. Exemptions (transaction risk analysis, low-value transactions, trusted beneficiaries) must be applied correctly to avoid unnecessary friction while maintaining compliance.

Active Global

FATF Travel Rule, Wire Transfers & Virtual Assets

Wire transfers: long established · Virtual assets: phased implementation 2023–2026

FATF Recommendation 16 requires that originator and beneficiary information travels with wire transfers above a threshold ($1,000 / €1,000 in most jurisdictions). The same obligation now extends to virtual asset transfers under FATF's updated guidance, requiring virtual asset service providers (VASPs) to collect, hold, and transmit customer information on crypto transactions. Implementation across the VASP sector has been uneven, with the sunrise problem (the inability to send required data to a counterparty that has not yet implemented the rule) creating compliance gaps. For payment firms with cross-border wire transfer volumes or crypto-related business, travel rule compliance is both a regulatory obligation and an ongoing operational challenge as counterparty infrastructure matures.

Consumer Protection UK

FCA CASS 15 — Safeguarding Regime for Payment Firms

In force 7 May 2026; monthly reporting obligations from the same date.

The FCA's CASS 15 regime, in force 7 May 2026, requires authorised payment institutions and electronic money institutions to safeguard customer funds under stricter rules covering designated trust accounts, monthly reconciliation reporting, and updated disclosure requirements. Firms must file a new monthly return including the total amount of safeguarded funds and a breakdown of how they are held. The FCA has cited concern over customer money safety on firm failure, and safeguarding audits will now produce formal independent audit opinions. UK-authorised PIs and EMIs must review their safeguarding arrangements and reporting infrastructure before the implementation date.