In the ecommerce payments industry, the global regulatory environment has long attempted a delicate balancing act: creating the foundation for growth, innovation, and choice while ensuring consumers are protected from harmful financial practices, fraud, and abuse.
Throughout 2024, there have been multiple moves from regulators across many regions to expand regulatory authority and scope. However, when regulation moves at this pace, it’s equally critical that regulators keep an eye on the risk of economic loss and unintended, harmful consequences to the very consumers they aim to protect.
It has always been a tricky balance to strike, particularly as regulations become increasingly broad and more complex. These initiatives include, but aren’t limited to:
Processing cost fee caps: multiple jurisdictions have recognised that transaction processing fee costs (e.g., debit interchange) can unnecessarily penalise consumers and inhibit spending. Here, regulation strives to compensate network operators and service providers fairly, while ensuring consumers don’t end up paying more for goods and services than warranted.
Examples: Regulation II (in the US) and the UK’s Interchange Fee Regulation (IFR).
Transaction security and anti-fraud measures: long contentious, security requirements like the Strong Customer Authentication (SCA) struggle to find the right balance between fraud prevention, customer experience, and revenue growth. Although stopping fraud should always be a priority, hard regulations in this area can stifle revenue growth for merchants, while unintentionally creating friction for consumers.
Examples: PSD2 SCA in Europe, AusPayNet in Australia, the Japan Consumer Credit Association (JCA)/ the Ministry of Economy, Trade and Industry (METI) in Japan, Associação Brasileira das Empresas de Cartões de Crédito e Serviços (ABECS) in Brazil (not yet enforced).
Least cost routing: few would argue that merchants should enjoy the flexibility to route transactions in the most cost-effective way possible across a competitive range of networks. Yet, many argue that the loss of interchange revenue could result in unintended consumer impacts, particularly on loyalty programmes. Whether consumers would benefit from payment processing efficiencies also remains an open, hotly debated issue.
Examples: Regulation II (the US), RBA (Australia).
Open Banking, financial data access, and instant payments: recognising that consumers deserve more choice when it comes to financial services products, the use and protection of consumer financial data is an ongoing consideration. Opening an ecosystem of new players charged with guarding financial data presents significant challenges to the industry, particularly alongside emerging new rails for instant payments in many regions.
Open Banking examples: PSD2 and PSD3 (Europe), Consumer Financial Data Rights (CFPB in the US).
Instant payment examples: FedNow, RTP (the US), Wero (the EU), Pix (Brazil), UPI (India).
With large regulatory diversity, a fragmented global landscape, and regulators’ disparate compliance approaches, navigating the current regulatory climate is becoming increasingly onerous for merchants and other ecosystem stakeholders. Does the cost of compliance to the industry justify purported benefits? Do regulators create unintended consequences with more harmful impacts than the problems they are trying to solve?
One way to prevent such outcomes is ensuring more effective regulator-industry engagement through a well-rounded, inclusive consultation process. Regulators often rely on industry consultations that privilege an acquirer’s perspective as a proxy for the merchant’s voice. While there are many shared goals, acquirers and merchants have unique perspectives and potential business impacts – and each must be heard directly.
For organisations like the MRC, advocacy and regulatory engagement are most effective when merchants – especially in force – are consulted from the start. In many instances, such as SCA enforcement, significant compliance and revenue impact is concentrated on the merchant. At the same time, merchants are often in an ideal position to identify and measure unintended consumer consequences (e.g., in the case of SCA, challenges include abandonment and customer attrition). Additionally, there are nuances related to fraud vectors like first-party misuse – a problem that SCA cannot remediate and that regulators may not fully appreciate without active and direct merchant consultation.
Brazil is the most recent example of the ongoing push to require SCA (specifically 3DS in this instance), and it also illustrates many of the opportunities for increased industry collaboration needed to get ‘regulations’ right.
ABECS (a self-regulatory association) recently published SCA requirements, set to be enforced starting in February 2025. Yet, coming from a self-regulatory body, many merchants are unclear whether the requirements are a hard mandate and what potential non-compliance consequences could be. While there has been some engagement with merchants in the region, the MRC’s members are seeking a path to direct, ongoing consultation. Such tight timeframes often don’t leave sufficient time to explore impacts, including issuer-side readiness for risk-based authentication (RBA), assessing the economic impact of failed SCA challenges, and fully understanding consumer impacts.
For Brazil and across the globe, consistent, inclusive engagement from all stakeholders, including merchants, is imperative if regulations are to achieve their intended purpose. Without it, the increasingly complex global regulatory environment will face unintended consequences and reduce consumers’ confidence in the payments industry.
This editorial piece was first published in The Paypers' Global Ecommerce Report 2025, which provides a complete overview of key trends and strategies to help businesses worldwide succeed. Download your free copy today to explore in-depth insights on global ecommerce trends, the latest innovations in payment solutions, and strategies to stay ahead in a competitive market.
Keith is a 25-year payment, fintech, and fraud prevention veteran with functional expertise in product management, marketing, and corporate strategy. He currently co-leads the Merchant Risk Council’s advocacy efforts, working closely with MRC members, including the world’s top ecommerce merchant brands, card issuers, solution providers, advisory organisations, and card networks.
The Merchant Risk Council (MRC) is the premier global non-profit membership association for payments and fraud prevention professionals, established in 2000. MRC empowers its members to stay connected, current, and influential within the industry by emphasising collaboration, networking, education, and advocacy. Acting as a central hub for ecommerce fraud and payments professionals, solution providers, and brands of all sizes, MRC drives industry innovation and education. With operations in the US, Europe, and APAC, and expanding into LATAM, MRC is continuously growing its global presence.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now