Oana Ifrim
16 Jan 2026 / 10 Min Read
In this article, Oana Ifrim, Lead Editor at The Paypers, goes over the regulations expected to impact payments and fintech in 2026.
Dear reader, Happy New Year!
I hope 2026 has started well and you’re settling back into the rhythm.
If there’s one thing that hasn’t slowed down, it’s regulation. The landscape remains busy, demanding, and very much in motion. The EU’s Instant Payments Regulation is driving banks toward real-time, always-on payments with mandatory payee verification to combat fraud, while broader reforms are strengthening consumer protections. The FCA’s Open Finance roadmap lands in March, BNPL regulation is expected this year, and operational resilience is embedded in 2026 regulatory agendas. DORA is shifting from planning to proof, enforcing rigorous operational resilience across financial firms. Collectively, these changes are driving a major transformation in payment infrastructure and regulatory compliance, with 2026 demanding urgent, coordinated execution amid ongoing cross-border and implementation challenges.
A quarter of UK users have already been hit with late payment charges, with younger shoppers increasingly affected by missed BNPL payments. While providers often highlight interest-free credit, many consumers are actually using high-interest credit cards (often at rates of 20% or more) to fund those payments. The result is a quiet but growing risk of debt spirals driven by poor transparency and low financial literacy. The absence of affordability checks has allowed some borrowers to take on multiple BNPL commitments across different providers, leading to debt that traditional credit scoring systems often fail to detect.
In July 2025, the FCA launched a consultation on unregulated BNPL agreements, called deferred payment credit (DPC), proposing regulation starting 14 July 2026. From 15 July 2026, lenders offering DPC agreements to finance purchases from merchants will fall under FCA regulation. However, merchants offering their own DPC agreements directly, and brokers of DPC agreements, will not. The consultation closed on 26 September, with a policy statement and final rules expected early 2026.
A temporary permissions regime will open two months before the rules take effect on 15 July 2026. Firms will then have six months from that date to apply for full authorisation.
This marks a significant shift for a sector that has largely operated outside traditional consumer credit regulation and could fundamentally change how millions manage their finances. Under the FCA’s proposals, BNPL providers will need to conduct affordability assessments, clearly disclose repayment terms and potential charges, and ensure consumers have access to the Financial Ombudsman Service if issues arise. Importantly, BNPL borrowers will receive the same protections currently available for other types of consumer credit.
The UK’s BNPL regulation change follows a similar move in Australia in June 2025, but the results haven’t been exactly as expected. Banks, now legally required to review all financial commitments during credit assessments, are reportedly advising some customers to close BNPL accounts to improve their borrowing capacity. It’s also been claimed that consumers who used BNPL responsibly to manage cash flow are now facing new barriers to accessing mortgages.
The challenge is finding balance: regulate too lightly, and BNPL fuels hidden debt and missed payments; regulate too heavily, and you cut off a budgeting tool many lower-income and younger consumers rely on, pushing them toward riskier credit. The UK must design affordability checks that protect the vulnerable without excluding responsible borrowers or harming smaller merchants. Assessments need to prevent reckless lending but remain manageable so smaller BNPL providers aren’t pushed out by costly compliance.
Ultimately, how BNPL develops will depend on execution - whether it becomes a sustainable, user-friendly credit option or breaks down into a complicated, regulation-heavy market that fails both consumers and merchants.
Saturday, 17th January, marks the first anniversary of the Digital Operational Resilience Act (DORA).
DORA came into force in January 2025, fundamentally changing how financial entities across the EU and UK manage operational risk, cyber threats, and third-party dependencies by requiring stronger operational resilience, including robust incident reporting and ICT risk management. On January 17, 2025, the European Banking Authority (EBA) repealed PSD2’s major incident reporting regime, replacing it with DORA’s unified framework.
The regulation marks a significant shift in how the European financial sector approaches ICT-related risk and operational resilience, demanding a more robust and harmonised approach across the sector. DORA addresses a critical need by treating operational resilience as a systemic risk, underscored by major cloud outages, ransomware attacks, and cascading supply chain failures.
DORA implementation is clearly the regulatory priority for 2026, bringing payment firms, investment firms, banks, insurers and cryptoasset service providers under a unified operational resilience framework. Both the EBA’s and ESMA’s 2026 programmes place strong emphasis on operational resilience.
In 2026, the focus will shift from readiness to proving ongoing operational resilience through rigorous testing and clear evidence. Supervisors will demand deeper insights into ICT risk and third-party dependencies, while DORA’s role grows, pushing fintechs to move from planning to active compliance as audits intensify and influence M&A due diligence.
The reason behind DORA is simple: the risks financial institutions face are becoming more complex and widespread, and many payment companies still treat cybersecurity as a compliance checkbox rather than an existential business risk. That’s why resilience needs to be at the heart of their operations, not an afterthought. While tougher regulations and cyber threats make compliance essential, DORA also encourages smarter, resilience-by-design approaches (you might want to watch this webinar) instead of just checking boxes. It’s not a one-and-done deal; institutions need to keep refining their strategies, stay ready for changes, and remain proactive in a fast-moving digital world. For payment firms, DORA raises the bar significantly, making board oversight, rigorous resilience testing, and thorough third-party due diligence mandatory.
Cybersecurity is now a matter of business survival and national resilience. The NCSC (the UK’s National Cyber Security Centre) dealt with 204 ‘nationally significant’ cyberattacks against the UK in the 12 months to August 2025, a sharp rise from 89 the previous year, according to the British agency. Of a total of 429 incidents handled, 18 were categorised as ‘highly significant’, meaning they had the potential to seriously impact essential services. This marks an almost 50% increase in incidents of this second-highest level categorisation compared with the previous year, and the third consecutive year of growth.
The British government warns attacks on UK businesses are growing both more frequent and sophisticated. High-profile incidents, like the cyberattack on Jaguar Land Rover, show the potential for serious economic damage.
Nation-states and organised crime increasingly focus their attacks on financial institutions. The sector has faced unprecedented large-scale supply chain attacks exploiting third-party vulnerabilities, which cascade through national payment networks and central systems. Organised crime is increasingly blending physical and digital tactics, using social engineering, insider manipulation, and technical exploits to launch more sophisticated, coordinated attacks.
These trends clearly demonstrate why DORA’s regulatory framework is crucial for payment service providers and fintechs. Because financial services infrastructure is a prime target for both state-sponsored attacks and organised crime, any disruption can halt critical payment operations, undermine customer trust, cause significant financial losses, and trigger widespread economic fallout.
Firms with weak cyber resilience risk severe regulatory penalties under DORA, NIS2, and the UK’s operational resilience framework, but more critically, they face losing customer trust, suffering major financial losses, and even having their licenses revoked. Navigating implementation is complex, especially for those operating across multiple jurisdictions with overlapping rules in the EU, UK, and beyond.
PSD3: Amends PSD2 to strengthen consumer rights, fraud prevention, and access to payment accounts.
PSR (Payment Services Regulation): A directly applicable EU Regulation on payment services.
The European Council and Parliament reached provisional political agreement on PSD3 and PSR texts in November 2025, following June 2025 Council compromises and trilogues; formal adoption, legal-linguistic review, and Official Journal publication remain pending in early 2026.
At the end of this process, likely at the end of Q1 or beginning of Q2 2026, the text will enter into force and then start to apply after a transition period, which is expected to be 21 months.
FIDAR (Framework for Financial Data Access) is a new Regulation to extend Open Banking-style data access to other financial products (Open Finance).
The Financial Data Access (FiDA/FIDAR) regulation remains in the trilogue negotiation phase between the European Commission, Council, and Parliament, with no final text or formal adoption achieved.
Trilogues for FiDA began in early 2025 after the Council and Parliament adopted their positions in late 2024, building on the Commission's June 2023 proposal. Progress has been steady but slower than anticipated, with the regulation now listed as ‘pending’ in the EU's 2026 Work Programme. This inclusion reinforces that Open Finance remains a central strategic priority for the European Union.
Final agreement could emerge in 2026, followed by formal adoption, Official Journal publication, and a 30-32 month compliance period, pushing full application to 2028 or later. The EBA anticipates over 50 mandates under FiDA alongside PSD3/PSR, planning a roadmap for implementation. No high-level principles or technical standards have been issued yet.
FiDA aims to expand Open Finance beyond PSD2's payments scope to products like savings, insurance, and investments, favouring EU fintechs through data-sharing schemes while limiting non-EU bigtech access. Member states may opt into areas like occupational pensions, with phased rollouts for data availability. Most operations remain under PSD2 in the interim.
One key aspect of the ongoing negotiations is the explicit exclusion of gatekeepers (as defined under the Digital Markets Act) from obtaining a Financial Information Service Provider (FISP) licence, as noted in a policy analysis by the Centre for European Policy Studies (CEPS), specifically an ECRI In-Depth Analysis.
FIDA broadens Open Banking into Open Finance by letting FISPs access diverse financial data like loans and pensions to drive innovation and competition. The Digital Markets Act labels some bigtech firms as gatekeepers, and some policymakers want to bar them from getting FISP licenses to prevent data misuse. The analysis argues that a blanket ban is legally shaky and risks stifling innovation. Instead, it calls for a risk-based approach that evaluates all FISP applicants individually (including gatekeepers) with tailored safeguards to balance market fairness, consumer protection, and Open Finance goals.
The FSB’s latest update on the G20 cross-border payments roadmap underlines an uncomfortable truth: the heavy lifting on policy is largely finished, but the results on the ground remain underwhelming. Despite years of coordination, the system is still too slow, too expensive, and too opaque for many users, and the FSB now openly concedes that it is unlikely that satisfactory improvements at the global level will be achieved in line with the 2027 Roadmap timetable.
Policy frameworks are largely in place, but real-world impact remains limited — modest gains in speed and access, persistently high costs, uneven transparency, and slow execution now put the 2027 G20 targets at risk unless regulators and industry shift from policy design to delivery.
According to analysis from industry experts, costs remain stubbornly high (especially for P2P), speed improvements are minimal, and fewer than half of payments meet the one-hour goal. While transparency and access have inched forward, global targets are unlikely to be met on time, with implementation (not policy) clearly the problem.
The issue isn’t coming up with new rules anymore, it’s making them work. Disjointed regulation, inconsistent AML/CFT requirements, sluggish infrastructure upgrades, and continued dependence on correspondent banking are all slowing things down. Even where initiatives like ISO 20022 and new payment rails are moving forward, patchy uptake and weak interoperability mean their real-world impact remains limited.
The EU has moved from talk to enforcement. The Instant Payments Regulation (IPR) is now fully in play, pushing banks into a truly always-on, never-closed operating model.
Since January 2025, EU bank PSPs must be able to receive instant payments. Since October 2025, eurozone banks must also be able to send them and offer Verification of Payee services. Non-eurozone banks have until January 2027 to support receiving, and July 2027 to support sending. Non-bank PSPs, including EMIs and PIs, must meet receiving requirements by April 2027 and sending by July 2027.
Instant payments must be at no higher cost than regular SEPA transfers, eliminating the premium many PSPs have relied on. On top of that, banks have to upgrade their systems to handle the speed and complexity of instant payments. Old batch checks just won’t work anymore. Real-time monitoring is key – fraud scoring in under a second, sanctions screening before payment, behaviour-based anomaly detection, and compliance checks – all running nonstop with zero tolerance for delay. It’s a serious technical and operational challenge.
The main challenges are ensuring consistent Verification of Payee across markets and investing in real-time fraud detection, which for smaller PSPs will likely lead to consolidation or push firms toward white-label and outsourced solutions. The direction is right, but without proper support during implementation, there’s a real risk of creating barriers that hold back newer, innovative players.
SCT Inst readiness does not exist in isolation; it is part of the EU’s broader payments and data transformation. Upcoming frameworks like PSD3 and the Payment Services Regulation will tighten fraud controls and expand data access rights, while FIDA will extend Open Banking into full Open Finance.
The European Payments Council’s Verification of Payee (VoP) scheme officially went live on 5 October 2025, and it’s a meaningful step forward in reducing payment fraud and misdirected transfers across SEPA. In simple terms, VoP checks the payee’s name against the account details before a payment is authorised.
All PSPs operating within the Eurozone (i.e. banks, payment institutions and e-money institutions) are required to offer the VoP service to their customers in accordance with new requirements.
VoP sits at the heart of the EU’s new Instant Payments Regulation, which requires all Eurozone payment service providers (PSPs) to support instant credit transfers with mandatory payee verification.
VoP also directly supports PSD3’s strengthened consumer protection agenda, which aims to reduce fraud losses and misdirected payments across the EU. Implementing this functionality requires real-time access to trusted reference databases and seamless incorporation into digital channels and APIs, capabilities that will also help future-proof compliance as PSD3 and the Payment Services Regulation expand fraud prevention and liability rules.
Overall, this is a positive step. Verification of Payee can materially reduce APP fraud, but outcomes will depend on execution. Implementation will be complex and could strain PSPs and their partners, and the real test will be whether VoP is embedded into broader fraud and customer experience strategies rather than treated as a standalone compliance task. By 2026, firms that get integration, data quality, and edge-case handling right will see real benefits; those that don’t risk adding friction without meaningfully reducing fraud.
For PSPs operating in EU Member States whose currency is not the euro, this obligation will start to apply as of 9 July 2027.
In October 2025, the UK’s financial watchdog, the Financial Conduct Authority (FCA), announced details of its strategy and roadmap for promoting Open Finance. To support this work, ahead of launching the open finance roadmap and strategy, the FCA announced a major new partnership.
The initiative includes the launch of the Smart Data Accelerator, an extension of the FCA's existing sandbox environment, and two ‘TechSprints’ scheduled for November 2025 to February 2026, focusing on mortgages and SME lending.
The FCA has also commissioned KPMG and Europe Economics to assess the benefits and risks of open finance, and plans to release a detailed roadmap and strategy for open finance by March 2026.
This marks a significant advancement. The UK’s Open Banking initiative has already sparked innovation in payments, lending, and financial management. Expanding these ideas to include mortgages, pensions, savings, and investments could greatly enhance consumer experiences and boost the wider economy.
But it’s not without risks. The big question is whether the ecosystem can avoid replicating the same power imbalances and complexity around data control that have held back progress elsewhere. Without solid rules and a fair commercial framework, open finance risks becoming a playground for a few dominant players, leaving consumers confused and exposed.
MiCAR (Regulation (EU) 2023/1114) establishes a harmonised EU framework for crypto-assets and CASPs, including licensing, passporting, consumer protection, and AML/KYC rules.
Most EU member states provide grandfathering for existing CASPs operating before December 30, 2024, allowing continued operations during authorisation applications, with deadlines varying by country. Nations like Ireland, Germany, and Austria set 12-month periods ending December 31, 2025; others including Czech Republic, Estonia, France, Luxembourg, Malta, Italy, and Spain extend to 18 months through July 1, 2026. CASPs must submit authorisation applications before these national cut-offs to qualify.
By mid-2026, full MiCAR compliance will apply EU-wide as transitional periods expire, barring unlicensed firms from operating. The regime promotes regulatory uniformity, bolsters consumer safeguards, and enforces rigorous AML/KYC standards.
Back in October 2023, the Treasury published detailed plans to bring cryptoassets under tighter UK regulation, proposals aimed at creating new rules that would force firms offering crypto services here to get FCA authorisation and oversight. Fast forward to December 2025, and the government laid the Financial Services and Markets Act (Cryptoassets) Regulations 2025 before Parliament, which, if approved, will officially bring cryptoassets into the regulatory fold. This new regime is expected to kick in by 25 October 2027, meaning any firm wanting to operate in this space will need FCA approval from day one. This is a necessary move because crypto’s explosive growth demands clear rules to protect consumers and the market. But it’s also a huge shake-up for the industry. Firms ignoring these changes risk being shut out of the UK market entirely.
If there are regulatory insights you want to explore further, feel free to get in touch. At The Paypers, we’re always ready to dig into specific topics or chat about how these changes might impact the industry and the key players involved: oana@thepaypers.com
Oana Ifrim is Lead Editor at The Paypers, with a strong passion for content planning, strategy, and industry research. She manages features covering fintech, banking, and payments modernisation, while ensuring accuracy and clarity throughout content and editorial coverage. Oana conducts expert interviews and thought leadership content, moderates webinars and conference panels, leads research projects, reports, and whitepapers, and represents The Paypers at major industry events.
She can be reached at oana@thepaypers.com or on LinkedIn.
The Paypers is a global hub for market insights, real-time news, expert interviews, and in-depth analyses and resources across payments, fintech, and the digital economy. We deliver reports, webinars, and commentary on key topics, including regulation, real-time payments, cross-border payments and ecommerce, digital identity, payment innovation and infrastructure, Open Banking, Embedded Finance, crypto, fraud and financial crime prevention, and more – all developed in collaboration with industry experts and leaders.