Navigating regulatory change: compliance and the future of digital payments

Gianluca D'Imperio, Compliance VP at UniCredit: In 2026, Europe’s payments landscape is being fundamentally reshaped by converging regulations – PSD3/PSR, Digital Euro, eIDAS 2.0, and Digital Omnibus. 

 

In early 2026, Europe’s payments ecosystem is being reshaped by a convergence of reforms: the revised EU Payment Services Regulatory framework (PSD3/PSR), the acceleration of the Digital Euro legislative track, the ramp-up of eIDAS 2.0 wallets, and a ‘simplification’ wave via the Digital Omnibus package. 

From a Senior Compliance Advisor perspective, the common thread is clear: compliance is no longer a control function running alongside product strategy; it is becoming a design constraint that directly determines what ‘good’ digital payments and Embedded Finance look like. 

A post-October 2025 reality

The practical turning point for fraud and operational resilience came with the Instant Payments Regulation (IPR) go-live milestone for euro-area PSPs in October 2025, notably through Verification of Payee (VoP) requirements and the shift in sanctions controls toward regular customer screening rather than transaction-based screening for in-scope payments. This matters because ‘instant’ removes the time buffer that legacy controls used to rely on; fraud detection, customer warnings, screening logic, and exception handling must all work in real time (or be redesigned entirely). 

PSD3/PSR: fraud as a first-class regulatory objective

The PSD3/PSR reform agenda is pushing the market toward more harmonised, directly applicable obligations (via the PSR) and stronger customer protections, with fraud prevention moving from ‘best effort’ into a more prescriptive set of expectations. One emblematic shift is the broader, regulatory normalisation of payee verification (name/identifier matching) beyond ‘nice to have’ controls, reinforcing what the IPR already operationalised for credit transfers.

For compliance and fraud teams, the challenge is not only implementing controls, but managing the second-order effects:

• Customer experience vs. security: more friction at checkout or in-app flows can drive abandonment, but under-protecting users is no longer defensible when liability and reimbursement expectations tighten.
• Model risk and explainability: stronger transaction monitoring and scam detection must be auditable, challengeable, and consistently tuned across channels, especially as fraud morphs into ‘authorised’ scam patterns rather than classic unauthorised theft.

In Embedded Finance, these obligations become even harder: when payments are initiated inside non-bank customer journeys, the lines between platform accountability, PSP duties, and customer communications must be contractually and operationally watertight. 

Digital Euro: public money, private-sector controls

The Digital Euro is no longer a theoretical debate; the Eurosystem has moved beyond the 2023–2025 preparation phase and continues technical work while supporting the legislative process, with the ECB signalling that, if lawmakers adopt the regulation during 2026, issuance readiness could be reached around 2029. That timeline is long enough to tempt organisations to delay, yet short enough that architecture decisions made now (wallet strategy, authentication stack, fraud tooling, offline risk controls) may determine future integration cost and feasibility. 

From a compliance lens, two themes stand out:

• A Digital Euro payment instrument would likely demand bank-grade controls while aspiring to mass-market usability, which is exactly where fraudsters thrive – high volume, low friction, and social engineering at scale.
• It will pressure PSPs to rethink ecosystem-level fraud intelligence sharing (patterns, mule networks, scam typologies), because closed-loop institution-only controls are weaker when new rails emerge.

eIDAS 2.0: identity becomes payments control

eIDAS 2.0 and the European Digital Identity Wallet trajectory are positioning interoperable digital identity as a core enabler for authentication and onboarding across the EU. For payments, that is not just ‘better KYC,’ it is a potential structural upgrade for fraud controls: stronger identity proofing, better attribute assurance, and more reliable binding between user, device, and consent.

The compliance opportunity is significant, but so is the delivery risk:

• Identity wallets can reduce certain fraud types, but they will also create new attack surfaces (credential theft, wallet compromise, synthetic identities tied to compromised attributes).
• Embedding wallet-based identity into SCA and user journeys requires alignment across legal, security, product, and third parties; misalignment will show up as failed conversions, disputes, or weak evidence in fraud cases. 

Digital Omnibus: simplification with side effects

The Commission’s Digital Package explicitly aims to simplify parts of the digital rulebook (data, cybersecurity reporting, selected AI Act elements) and includes proposals such as streamlined incident reporting through a single-entry point and a broader push to reduce overlapping compliance burdens. For payments, ‘simplification’ is welcome, but it can also create transition ambiguity: revised interpretations of data handling, reporting channels, and governance responsibilities must be incorporated into fraud operations without weakening detection capability.

Fraud programmes are particularly sensitive to these changes because they depend on:

• fast, lawful access to high-quality data;
• cross-entity sharing and analytics;
• clear incident classification and reporting playbooks. 

What ‘good’ looks like in 2026

In this environment, compliance’s strategic role is to force coherence: controls cannot be bolted on after product launch, and ‘instant + embedded’ cannot be treated as merely a distribution channel. The institutions that will win are those that treat fraud risk as an end-to-end design problem – spanning identity, customer communications, confirmation signals (like VoP), monitoring, dispute handling, and third-party oversight – because regulators are increasingly setting the expectation that safety is a feature, not a back-office process.

 

This article is part of the The Paypers` Money Movement in 2026: Trends in AI, Payments & Regulation Newsletter, a source of expert insights on the forces reshaping fintech, payments, and banking, covering fraud and financial crime, AI in fraud prevention and risk intelligence, real-time and cross-border payments, European payments sovereignty and the future of instant rails, stablecoins, agentic commerce, compliance and the evolving regulatory landscape, payments fragmentation driven by geopolitics and regulation, infrastructure bottlenecks in banking modernisation, the shift from generic scale to verticalised, value-added payment models, and digital wallets changing consumer payment behaviour – delivering a clear, data-backed view of what will shape strategy and innovation in 2026 and beyond.

Explore the other contributions in this Money Movement in 2026: Trends in AI, Payments & Regulation Newsletter series for more expert insights:

• Bizum - European instant payments: sovereignty and cross-border interoperability
• McKinsey - Payments in transition: the forces shaping the future of global money movement
• Oliver Wyman - Navigating the future: how agentic commerce is redefining payments
• Triple-A - Stablecoins, the once-in-a-lifetime shift in payments
• Unlimit - Why the future of digital wallets depends on interoperability at scale
• ACI Worldwide - Global orchestration for a real‑time, APM‑driven payments era
• The Paypers - 2026 fraud forecast: AI, deepfakes, and rising cybercrime risks

About the author 

Gianluca D’Imperio is a Strategic Compliance Leader and Digital Finance expert at UniCredit, with over 25 years of experience in international banking. Specialised in EU Digital Finance, Payment Services, and Open Banking, he excels at transforming complex regulatory landscapes into strategic business opportunities. He represents the Group in prestigious international policy-making bodies, including the Association for Financial Markets in Europe and the Centre for European Policy Studies.

 

 

About the company 

UniCredit is a pan-European commercial bank with a unique service offering in Italy, Germany, and Central and Eastern Europe. The Group serves over 15 million customers worldwide, providing holistic financial solutions. By leveraging its digital transformation and a strong international network, UniCredit is committed to empowering communities to progress, delivering excellence to its stakeholders and supporting the real economy across its core markets.