2024 is expected to be another busy year for the payments sector, bringing significant regulatory developments for the payments industry. In a recent article for Thomson Reuters Regulatory Intelligence, Florian Reul, Olivia Murphy and Simon Treacy explore the trends that will shape the regulatory outlook for payments services in the EU and UK this year. In this post we pull out three areas which highlight the differences and similarities in the approach taken by the EU and UK with regard to payments regulation.
01| Operational resilience
Both the EU and UK have introduced operational resilience rules which apply to payment service providers.
The EU’s Digital Operational Resilience Act (DORA) provides a detailed and comprehensive framework on digital operational resilience for EU financial entities, including banks, payment and e-money institutions, and cryptoasset service providers. DORA starts to apply from January 2025, so payment services providers are accelerating their preparations to meet these stringent requirements aimed at managing ICT risks.
In the UK, payment and e-money institutions are among the firms that have had to apply operational resilience rules since March 2022. The UK regime is similar but more outcomes-based than the prescriptive rules set by DORA. For example, under DORA, firms must maintain a register of information with all contractual arrangements for their use of ICT services and must meet extensive technical standards specifying the content of this register. The UK’s requirement corresponding mapping requirement is, by contrast, much more high level.
Some important aspects of the UK regime have not yet taken effect. For example, the requirement for firms to remain within their impact tolerance levels in the event of a severe but plausible disruption starts to apply from 31 March 2025 and so this year payment firms will need to build out the final parts of their operational resilience plans to meet this deadline.
02| Cryptoassets
On cryptoassets, the EU has opted for a broad approach with the Markets in Cryptoassets Regulation (MiCAR) which is due to start applying in 2024. The new regime will bring in a new EU-wide framework for cryptoassets, distinguishing between e-money tokens (EMTs), asset referenced tokens (ART) and other types of cryptoasset.
The UK is adopting a more piecemeal approach. Having already brought cryptoassets into the scope of its financial promotion regime, the next priority is introducing a licensing regime for stablecoins. For example, the new legislation will update payment services regulations so that they apply to fiat-backed stablecoins that are used in UK payment chains. It remains to be seen how this will be defined and how that definition will map to similar concepts under the EU’s MiCAR.
03| Payment services
The EU and UK are both looking to reshape their regulatory framework for payment services, although with a different focus.
The European Commission’s proposals for Payment Services Directive 3 (PSD3) and the new Payment Services Regulation (PSR) loom large on EU payment firms’ horizon. As drafted, the proposals would have wide-ranging operational impact on payment service providers. Plans to require banks and other payment service providers to provide instant payments and a payee verification service will also introduce new compliance costs.
The UK exploring ways to bring about a "smarter" and more agile regulatory regime, shifting legislation for e-money and payment services off the statute books and moving it into the regulators’ rulebooks. For example, in 2024 the Financial Conduct Authority (FCA) will propose replacing detailed technical standards for strong customer authentication with an outcomes-based regime. Safeguarding rules are also likely to be rewritten.
As each regime evolves independently, payment firms with a UK and EU presence will need to gauge how best to comply with both regimes.
For more on payments regulation in 2024 read our article in Thomson Reuters Regulatory Intelligence.