Regulatory Hub

Keeping Pace with a Fast-Moving Regulatory Environment

Daily-updated regulatory intelligence across UK, Europe, GCC and Global markets. Updated automatically each morning.

🇬🇧

United Kingdom

Imminent United Kingdom

UK Safeguarding Reforms for PIs and EMIs

New requirements in force 7 May 2026

The FCA's updated safeguarding framework strengthens requirements for payment institutions and electronic money institutions around how customer funds are protected, reconciled and reported. Greater emphasis on auditability, record-keeping and insolvency preparedness reflects lessons from recent PI failures and increased FCA supervisory focus on fund protection.

Active United Kingdom

UK APP Fraud Reimbursement Rules

Mandatory reimbursement from October 2024 · First PSR review 2026

The Payment Systems Regulator's mandatory reimbursement rules for Authorised Push Payment (APP) fraud require sending and receiving PSPs to share responsibility for reimbursing fraud victims. With a £85,000 maximum reimbursement cap, the rules create significant commercial exposure for smaller payment institutions and have prompted industry-wide reviews of fraud controls and customer due diligence.

🇪🇺

European Union

In Progress European Union

Payment Services Directive 3 (PSD3) & PSR

Political agreement expected Q1–Q2 2026 · National transposition 2026-2027 · Full application 2027-2028

PSD3 builds on PSD2 with stronger fraud liability rules, enhanced open banking rights and new provisions for payment account access. The accompanying PSR creates directly applicable rules across member states, removing the inconsistency of national transposition for core requirements.

Active European Union

EU Instant Payments Regulation (IPR)

Receive mandatory from January 2025 · Send mandatory from October 2025 · First reporting April 2026

All eurozone payment service providers must now be able to both receive and send instant credit transfers in euro. Pricing must be equivalent to standard credit transfers. The April 2026 reporting deadline requires PSPs to submit data on service availability and adoption rates to national competent authorities.

In Progress European Union

EU Anti-Money Laundering Package

AMLA established 2024 · Regulation and Directive application from 2027

The EU AML Package creates a new authority, the Anti-Money Laundering Authority (AMLA), with direct supervisory powers over high-risk financial institutions. The package harmonises AML/CFT requirements across member states, introducing a single EU rulebook and removing the inconsistencies that currently allow regulatory arbitrage between jurisdictions.

Active European Union

EU AI Act, Financial Services Implications

High-risk AI provisions applicable from August 2026 · GPAI model rules from August 2025

The EU AI Act classifies certain AI systems used in financial services, particularly credit scoring, fraud detection and customer risk assessment, as high-risk, requiring conformity assessments, technical documentation, human oversight mechanisms and transparency obligations. Payment and credit providers using AI models for real-time decisioning must assess their compliance position ahead of the August 2026 deadline.

In Progress European Union

Digital Euro Enabling Regulation

ECB technical work completed late 2025 · Enabling regulation expected 2026 · Potential issuance decision post-2026

The ECB completed its technical and preparatory work on a digital euro in late 2025 following the investigation phase. The enabling regulation, currently under consideration by the European Parliament and Council, will define the legal framework for issuance, distribution through intermediaries, holding limits and the relationship between a digital euro and commercial bank deposits.

🌍

Gulf Cooperation Council

🇸🇦 Saudi Arabia
Active Saudi Arabia, SAMA

SAMA Revised Payment Systems Oversight Framework, Circular 472047719

Issued 8 March 2026, replaces 2021 framework; annual self-assessment and CPMI-IOSCO public disclosure obligations now in force for SIPS operators

The Saudi Central Bank (SAMA) issued Circular 472047719 on 8 March 2026, replacing the 2021 Oversight Framework for Payments and Financial Settlement Systems with a more prescriptive supervisory regime anchored to Royal Decree No. M/26 and the Principles for Financial Market Infrastructures (PFMIs). Systemically important payment system (SIPS) operators must now conduct at least annual self-assessments against CPMI-IOSCO standards and publish a public disclosure summary following receipt of a SAMA non-objection letter, a transparency obligation absent from the previous framework. Non-SIPS operators face periodic assessments tied to their licensing conditions, and SAMA retains the right to commission independent third-party reviews where it identifies control weaknesses. Payment system operators in Saudi Arabia should review their internal governance frameworks, PFMI alignment, and operational resilience capabilities to ensure readiness for formalised supervisory engagement and potential public disclosure requirements.

🇦🇪 United Arab Emirates
Active UAE, CBUAE

CBUAE, Updated AML/CFT/CPF Guidance for Licensed Financial Institutions

Guidance issued 16 April 2026; immediate application for all CBUAE-licensed financial institutions and Registered Hawala Providers under the UAE National AML/CFT/CPF Strategy 2024-2027.

The Central Bank of the UAE (CBUAE) issued a comprehensive revision to its AML, CFT, and counter-proliferation financing (CPF) framework on 16 April 2026, affecting all licensed financial institutions (LFIs) and Registered Hawala Providers operating in the UAE. The update introduces dedicated guidance on proliferation financing risk assessment, strengthened correspondent banking due diligence, and granular supervisory expectations across trade finance, moving beyond static sanctions screening toward continuous, dynamic risk monitoring. Customer due diligence and KYC are recast as ongoing obligations, not one-time onboarding exercises, with re-assessment required on material events and mandatory data retention standards. Payment firms, EMIs, and exchange houses must benchmark their existing frameworks against the new guidance and demonstrate active risk ownership, including updated risk models, board-level accountability, and documented gap assessments.

🌐

Global / Multi-Jurisdiction

Active Global

ISO 20022 Migration

SWIFT CBPR+ mandatory since November 2022 · Validation rules tightening 2025-2027 · MT sunset expected 2027

ISO 20022 is becoming the default messaging standard for high-value and cross-border payment systems globally. As SWIFT reduces tolerance for MT-to-MX translation and tightens validation rules, institutions with incomplete migration face growing operational and compliance risk. Structured data quality is now a baseline requirement.

Active Global

3DS2 & Strong Customer Authentication (SCA)

Mandated under PSD2 · PSD3 extends and refines SCA scope

Strong Customer Authentication requires payment transactions to be verified using at least two independent factors from the categories of knowledge, possession, and inherence. Under PSD2 and now PSD3, the obligation falls on the issuer for card transactions authenticated via 3DS, with liability shifting away from the merchant when 3DS is successfully applied. The commercial impact is significant: merchants who have not implemented 3DS correctly face higher fraud dispute rates and carry liability that authenticated transactions would transfer to the issuer. Exemptions, transaction risk analysis, low-value transactions, trusted beneficiaries, must be applied correctly to avoid unnecessary friction while maintaining compliance.

Active Global

FATF Travel Rule, Wire Transfers & Virtual Assets

Wire transfers: long established · Virtual assets: phased implementation 2023-2026

FATF Recommendation 16 requires that originator and beneficiary information travels with wire transfers above threshold, $1,000 / €1,000 in most jurisdictions. The same obligation now extends to virtual asset transfers under FATF's updated guidance, requiring virtual asset service providers (VASPs) to collect, hold, and transmit customer information on crypto transactions. Implementation across the VASP sector has been uneven, with the sunrise problem, the inability to send required data to a counterparty that has not yet implemented the rule, creating compliance gaps. For payment firms with cross-border wire transfer volumes or crypto-related business, travel rule compliance is both a regulatory obligation and an ongoing operational challenge as counterparty infrastructure matures.

Consumer Protection UK

FCA CASS 15, Safeguarding Regime for Payment Firms

In force 7 May 2026; monthly reporting obligations from the same date.

The FCA's CASS 15 regime, in force 7 May 2026, requires authorised payment institutions and electronic money institutions to safeguard customer funds under stricter rules covering designated trust accounts, monthly reconciliation reporting, and updated disclosure requirements. Firms must file a new monthly return including the total amount of safeguarded funds and a breakdown of how they are held. The FCA has cited concern over customer money safety on firm failure, and safeguarding audits will now produce formal independent audit opinions. UK-authorised PIs and EMIs must review their safeguarding arrangements and reporting infrastructure before the implementation date.

AML-CFT UAE

CBUAE AML/CFT/CPF Guidance Package, PF, TBML, Correspondent Banking and CDD/KYC

Issued 16 April 2026; supervised institutions should align policies, controls and training against the guidance without delay.

The Central Bank of the UAE (CBUAE) issued an updated AML/CFT/CPF guidance package for Licensed Financial Institutions (LFIs) and Registered Hawala Providers, covering proliferation financing (PF), trade-based money laundering (TBML) and transshipment, correspondent banking, and CDD/KYC and record-keeping expectations. The package sets supervisory expectations for PF risk assessment and ongoing monitoring of emerging typologies, and requires firms to test whether controls are effective and remediate gaps. For payments firms and remitters, the TBML and correspondent banking guidance tightens expectations on risk-based monitoring of trade-related payment flows and on due diligence and governance for respondent relationships. Firms should update customer risk profiling, onboarding and ongoing review triggers, and role-based training to ensure transaction monitoring and sanctions screening are consistent with the new guidance.

Open Banking Saudi Arabia

SAMA Open Banking — Transition from Sandbox to Full Licensing

Licensing regime opened 26 March 2026; first two fintechs licensed 8 April 2026.

SAMA announced on 26 March 2026 the transition of its Open Banking Programme from the regulatory sandbox into a full licensing regime, with the first two fintech firms receiving open banking licences on 8 April 2026. Licensed firms must meet substantive governance, cybersecurity, API performance, consent management, and operational resilience standards — obligations that are materially more demanding than those that applied during sandbox participation. Compliance infrastructure built during the sandbox phase will need to be formalised and strengthened to meet permanent supervisory expectations, including requirements under the Personal Data Protection Law (PDPL) and the Banking Control Law. Payment firms and fintechs seeking to offer open banking services in Saudi Arabia must now obtain a SAMA licence before commencing activity.

Card Schemes Global

Visa VAMP — New Acquirer and Merchant Fraud Thresholds 2026

Acquirer threshold 0.5% from 1 January 2026; merchant Excessive threshold 1.5% from 1 April 2026.

Visa's Visa Acquirer Monitoring Programme (VAMP) introduced tightened thresholds from 1 January 2026, requiring acquirers to keep their VAMP ratio (fraudulent transactions plus disputes as a percentage of total card-not-present transactions) below 0.5%, half the previous threshold. Merchants face an Excessive threshold of 1.5% from 1 April 2026, down from 2.2%, with continued tightening expected through 2026. Acquirers exceeding the threshold face Visa-imposed monitoring, fines, and potential restrictions on CNP processing; merchants in breach are subject to escalating monthly penalties. Acquirers should review portfolio-level CNP fraud ratios and merchant monitoring capabilities immediately, with particular focus on high-volume e-commerce merchants.

Digital Assets UAE

UAE Federal VASP Law — New Licensing Framework for Virtual Asset Service Providers

Issued 13 February 2026; existing licensees must comply with all modules by 13 February 2027.

The UAE Capital Markets Authority issued Decision No. 4/R.M/2026 on 13 February 2026, replacing the 2023 VASP framework with a comprehensive three-module rulebook covering eight licensed virtual asset activities. Any firm operating a crypto exchange, custody service, brokerage, or advisory platform in or from the UAE must hold a CMA licence, with minimum capital requirements ranging from AED 500,000 for multi-party trading platforms to AED 4,000,000 for firms dealing as principal. Privacy tokens and algorithmic stablecoins are absolutely prohibited, with no licensing pathway available. Existing licensees have until 13 February 2027 to comply with the new Business Regulation and Alternative Trading System modules; firms relying solely on a UAE free zone trade licence must obtain a VASP licence or cease regulated activity.