The Regulations That Shaped Fintech
A deep look at the historic data, fraud and banking regulations that shaped fintech's past & present, and a detailed look at the recent regs that could shape its future
What’s the difference between a Bill, a Law, and a Directive?
Which regulations have directly driven fintech innovation?
How did PSD1 transform digital banking?
What are the major regulations that will shape the future of financial services?
These questions and more will be answered in this week's edition.
Hey Fintechers and Fintech newbies 👋🏽
There’s been a lot of regulatory news over the past few weeks.
Last week in the UK there was the Smart Data Bill. The previous week was all about the GENIUS Act, and this week the EU Accessibility Act starts to apply (28 June).
I was going to look specifically at the GENIUS Act and its role in enabling the Stablecoin picture of the future so many are painting, but instead, I’m taking a step back and looking more broadly at all the major bills, acts and regulations that have shaped fintech over the past few decades.
Because, frankly, regulation often gets a bad rap. There is a common view that rules are merely a hurdle to frustrate and stifle innovation, when the reality is quite the opposite: most regulations have either sparked innovation or protected customers during periods of innovation, and sometimes both.
For example, without PSD1, we wouldn’t have the plethora of digital banks we use today.
And without PSD2, we wouldn’t have the acceleration in Open Banking innovation that led to faster and more accurate credit decisions as well as something much closer to a 360° view of personal finances.
There have been so many that it can be difficult to keep track of ones that have directly and indirectly impacted fintech innovation and some fintechers aren’t even aware of the regulations that shape the way we do things. So, in this edition, I’m going to pretty much list out all the ones I think are important and maybe list some that haven’t been on your radar. So get ready for a very wordy, but important edition!
Here’s what to expect:
The Difference Between a Bill, Act, Law and Reg
The Major Regulatory Changes That Shaped the Past and present of FS
Data and Privacy
GDPR
Data Protection Act
Gramm-Leach-Bliley Act (GLBA)
PCI-DSS (Payment Card Industry Data Security Standard)
AML / Fraud / Compliance
Money Laundering Regulations (updated in 2017)
Bank Secrecy Act (BSA) / Anti-Money Laundering Act (AMLA 2020)
1AMLD-6AMLD (EU AML Directives)
Banking, Credit, and Payments
PSD1
PSD2
E-Money Directive (2000, revised in 2009)
SEPA (Single Euro Payments Area) Regulations
Regulation E (Electronic Fund Transfer Act)
Dodd-Frank Act
Durbin Amendment (to the Dodd-Frank Act)
Consumer Credit Act (UK)
The Positive Impact of Regulation on Fintech
The 6 Regulations That Will Shape the Future of Finance
EU Accessibility Act
Consumer Duty (FCA)
AI Act (EU)
UK Smart Data Bill
GENIUS Act
PSD3
Interesting News 🗞: Xero acquires Melio
Now let’s get into it 💪🏽
Getting our Act (Bills, Laws, and Directives) together ⚖️
Let’s start with some of the nuances. The terms Act, Law, Bill, Directive and Regulation are sometimes used interchangeably, but it’s important to note there are legal differences between them, and they have specific meanings depending on the legislative process and jurisdiction.
📜 Bill
A bill is a proposal for new legislation or a change to existing laws. It is not yet legally binding. In the UK and US, a bill must pass through various stages of debate and approval in parliament (or Congress) before becoming law.
Example: The GENIUS Act is currently a bill in the US Congress that proposes transparency requirements and rule-setting for stablecoin issuers. It has not yet become law.
As a Brit, I’m not sure how or why I'm aware of this cultural moment, but this is a famous explainer recognised by kids and adults across the USA (probably Boomers and Millennials rather than Gen Z). 👇🏽
⚖️ Law / Act
A law is a general term for a legal rule that has been formally enacted. Once a bill is passed by the legislature and receives the necessary approval (e.g., royal assent in the UK or presidential signature in the US), it becomes an act and, hence, enforceable law.
Example: The Durbin Amendment became part of US law as an amendment to the Dodd-Frank Act in 2010.
In the UK and US, the terms “act” and “law” are often used interchangeably once legislation is passed.
📘 Directive (EU)
A directive is a legislative act of the European Union that sets out a goal all EU countries must achieve but each country decides how to transpose it into national law.
Example: The Second Payment Services Directive (PSD2) required EU member states to implement laws supporting open banking, but the specifics vary by country.
Directives need local legislation to take effect and are not directly applicable on their own.
📕 Regulation (EU)
A regulation, in contrast, is directly applicable in all EU member states the moment it is enacted. It does not require national legislation and ensures uniformity across the EU.
Example: The Digital Operational Resilience Act (DORA) is an EU regulation: once in force, it applies across the EU without local transposition.
The easiest way to think about it is the typical process: a Bill is proposed and agreed, that Bill is enacted as a Law/Act, and then specific regulatory bodies such as the FCA, SEC or CFPB draw up the rules, procedures and penalties that implement it under the authority of that Law/Act.
And while "regulation" is often used informally to describe the entire body of rules that govern fintech (e.g., “regulations affecting payments”), in legal terms:
A regulation has a specific meaning in jurisdictions like the EU (i.e., binding and directly applicable).
Bills are not yet enforceable.
Acts and laws are enforceable.
Directives are enforceable once transposed into national law.
Using the correct term helps clarify the stage, scope and jurisdiction of a given rule, which is especially important in international fintech. For simplicity, though, I’ll still use the term ‘regulation’ to refer to the overarching rules, Acts, Laws, Directives and so on, and where relevant explain whether something is still a Bill or already an enforceable Act or Law.
The Regulations that Shaped Fintech’s Past and Present 📜
Going through ALL of the regulations that have driven innovation and kept customers safe since the dawn of time would make this a very lengthy edition, so instead I’m going to look at the key regulations from the past 20 years (occasionally dipping further back), starting with what some might consider ‘the functional and protective ones’: Data & Privacy, along with AML, Fraud and Compliance.
Data & Privacy 📄
The following three regulations have shaped the way businesses manage consumer data, and give more transparency and rights to those consumers.
GDPR (EU)
The General Data Protection Regulation (GDPR) came into effect in May 2018 to modernise the EU’s data protection framework in response to the growing scale and complexity of digital data use. Its core aim was to strengthen personal data rights across the EU and harmonise privacy laws among member states. Critically, GDPR introduced extraterritorial reach: it applies to any organisation worldwide that processes the personal data of people in the EU when offering them goods or services or monitoring their behaviour, so even non-EU companies had to comply or risk significant fines.
GDPR enshrines key rights for individuals, such as access to their data, the right to be forgotten, data portability, and valid (freely given, specific, informed and unambiguous) consent where consent is the lawful basis relied on. It also places strict responsibilities on organisations to maintain transparency, report breaches to the supervisory authority within 72 hours, and embed privacy-by-design into products and systems, raising the global bar for data protection.
🏢 Real-World Impact for Organisations:
Required redesign of how user data is stored, accessed, and deleted.
Obligated companies to offer clear consent mechanisms and allow data portability.
Imposed a strict timeline for breach disclosure (72 hours to notify the regulator).
Non-EU companies must comply when handling EU residents' data.
🚀 Innovation/Consumer Benefit:
Triggered a global wave of privacy-focused products and cookie-consent tools.
Strengthened consumer trust and set expectations for transparency and control.
Pressured Big Tech to shift toward more privacy-centric business models.
Data Protection Act (UK)
The Data Protection Act 2018 is the UK statute that implements and supplements the GDPR; since Brexit it sits alongside the retained ‘UK GDPR’. It sets out how personal data must be handled by businesses, government bodies and other entities. The original Data Protection Act 1998 had eight principles covering the processing, storage and access of data; the 2018 Act brought these into the digital age with more stringent oversight and consequences for non-adherence.
Fun(ish) Fact: The data protection principles were one of the first things I learnt in ICT class (Information and Communication Technology as they used to call it)
🏢 Real-World Impact for Organisations:
Must have a lawful basis (such as consent, contract or legitimate interests) for processing personal data; where consent is relied on, it must be clear and specific.
Need to respond to data access and deletion requests (DSARs).
Must appoint a Data Protection Officer (DPO) in some cases.
Hefty fines for non-compliance (£17.5M or 4% of global turnover, whichever is higher).
🚀 Innovation/Consumer Benefit:
Accelerated privacy-first UX (e.g., consent management, cookie tools).
Catalysed the rise of privacy-tech companies and tools for user control.
Raised consumer awareness of data rights — users now expect more transparency.
Gramm-Leach-Bliley Act (GLBA)
Passed to modernise financial services regulation in the U.S. in 1999, the GLBA also introduced significant privacy protections. It requires financial institutions to explain how they share customer data and to safeguard sensitive information.
🏢 Real-World Impact for Organisations:
Must provide privacy notices to customers.
Must allow customers to opt out of data sharing with non-affiliates.
Must implement a written information security programme (the Safeguards Rule).
🚀 Innovation/Consumer Benefit:
One of the first major U.S. laws to make data sharing policies transparent.
Spurred adoption of secure-by-design systems in banks and fintechs.
Paved the way for customer expectations of control over financial data.
PCI-DSS (Payment Card Industry Data Security Standard)
Introduced in 2004, PCI-DSS is a globally accepted security standard that applies to any organisation that stores, processes or transmits credit or debit card data. It was developed by the major card networks (Visa, Mastercard, Amex, Discover, JCB) to combat rising payment fraud and ensure consistent security practices across the payment ecosystem. It is not a law; compliance is contractually required by acquirers and payment processors, and non-compliance can result in hefty penalties or the loss of payment privileges.
🏢 Real-World Impact for Organisations:
Must follow strict controls for handling card data (e.g., tokenisation, encryption at rest, limited data retention, and never storing the CVV after authorisation).
Subject to annual audits or self-assessments, depending on transaction volume.
Non-compliance risks fines, reputational damage, and processing suspension.
🚀 Innovation/Consumer Benefit:
Raised the baseline standard for payment security across fintech and retail ecosystems.
Drove adoption of tokenisation, contactless payments, and fraud detection technologies.
Gave consumers greater assurance that their card data is being handled securely and responsibly.
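To make the “tokenisation, limited data retention” point concrete, here is an added example (not code from the original edition, and not any payment provider’s implementation) of what a merchant’s side of PCI-DSS scope reduction looks like: the full card number goes into a token vault, the merchant keeps only a random token and a masked PAN, the CVV is never persisted, and a Luhn-checked regex scrubs card numbers that leak into log lines. The in-memory vault, the log line and the expiry date are constructed for the example; the card numbers are the public scheme test numbers.

```python
"""PAN tokenisation, masking and log redaction as a merchant would do them
under PCI DSS Requirement 3 (protect stored account data).

The merchant keeps only a random token plus a masked PAN; the full PAN
lives in the vault (an in-memory dict standing in for an HSM-backed store
run by a PCI-scoped provider). Sensitive authentication data (CVV) is never
persisted, and a Luhn-checked regex scrubs card numbers that stray into
log lines. Card numbers below are the public scheme test numbers, not real
cards, and every other value is constructed for this example.
"""
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every PAN must pass; filters most false positives in logs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Leave at most the first six and last four digits visible (PCI masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stands in for the PCI-scoped token service; merchant code never
    sees the PAN again after tokenize() returns."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path (e.g. forwarding to the acquirer) should call this."""
        return self._pan_by_token[token]


def store_card(vault: TokenVault, card_form: dict) -> dict:
    """Turn a raw checkout form into the only record the merchant may keep.

    The CVV is deliberately not copied: PCI DSS forbids storing sensitive
    authentication data after authorisation, even encrypted.
    """
    pan = re.sub(r"[ -]", "", card_form["pan"])
    return {
        "token": vault.tokenize(pan),
        "masked_pan": mask_pan(pan),
        "expiry": card_form["expiry"],
    }


# Runs of 13-19 digits with optional space/dash separators, as seen in logs.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(line: str) -> str:
    """Replace Luhn-valid card numbers in a log line with their masked form;
    other long digit runs (order ids, timestamps) are left alone."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, line)


def demo() -> dict:
    """Constructed end-to-end run: store a card, then scrub a leaked PAN."""
    vault = TokenVault()
    record = store_card(vault, {"pan": "4111 1111 1111 1111",
                                "expiry": "12/27", "cvv": "123"})
    log_line = ("2025-06-28T10:00:00Z order=1719532800000 "
                "card=4111111111111111 status=ok")
    return {"record": record,
            "redacted": redact_pans(log_line),
            "pan_via_vault": vault.detokenize(record["token"])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The Luhn check is what keeps the redactor from mangling every 13-digit timestamp or order number, and the random token (rather than a hash of the PAN) is what keeps the merchant’s database out of scope: nothing stored there can be turned back into a card number without the vault.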
Together, the Data Protection Act, Gramm-Leach-Bliley Act, and GDPR have been instrumental in shifting the balance of power from institutions to individuals when it comes to personal data. They established foundational principles of transparency, control, and security, forcing organisations to rethink how they collect, store, and share information. Add to that the PCI-DSS standard set by the schemes, and you have four of the most impactful regulations (and a standard) that shaped the way financial data is handled and how fintechs build backend processes as well as the key parts of onboarding journeys, card management screens, customer support flows and much more.
AML / Fraud / Compliance 🕵🏼♀️
Money Laundering Regulations (updated in 2017)
The Money Laundering Regulations, first made in 1993, are the UK’s domestic response to global anti-money laundering standards, aligning with the EU AML directives and FATF recommendations. They impose legal obligations on financial institutions and fintechs to prevent, detect and report money laundering and terrorist financing.
The 2017 Regulations (implementing 4AMLD) strengthened customer due diligence (CDD) and formalised the risk-based approach; the 2019 amendments (implementing 5AMLD) then brought cryptoasset exchange providers and custodian wallet providers into scope from January 2020.
🏢 Real-World Impact for Organisations:
Mandatory KYC/KYB (Know Your Customer/Business) procedures at onboarding and throughout the customer lifecycle.
Ongoing monitoring of transactions, with obligations to report suspicious activity to the National Crime Agency (NCA).
Required appointment of a Money Laundering Reporting Officer (MLRO).
Severe penalties for non-compliance, including criminal liability.
🚀 Innovation/Consumer Benefit:
Pushed fintechs to build faster, automated onboarding with embedded digital CDD/KYC checks.
Sparked a wave of KYC, KYB, and IDV companies like Onfido and others.
Improved financial system integrity and reduced misuse for criminal purposes.
Strengthened consumer trust by reducing exposure to fraud and illicit financial flows.
Bank Secrecy Act (BSA) / Anti-Money Laundering Act (AMLA 2020)
The Bank Secrecy Act (BSA) is the cornerstone of U.S. anti-money laundering legislation. Enacted in 1970, it requires financial institutions to assist law enforcement in detecting and preventing money laundering. The AMLA 2020 update modernised the framework by enhancing transparency and expanding coverage to fintechs and virtual asset providers.
🏢 Real-World Impact for Organisations:
Required to establish and maintain AML programs including Customer Identification Programs (CIP) and Suspicious Activity Reports (SARs).
AMLA introduced a beneficial ownership registry to expose shell companies.
Fintechs operating as money services businesses in the U.S. must register with FinCEN and maintain an AML compliance programme.
Greater regulatory focus on crypto transactions, wallets, and neobanks.
🚀 Innovation/Consumer Benefit:
Drove creation of automated AML software, real-time monitoring, and data analytics to detect unusual behavior.
Encouraged stronger identity verification at onboarding.
Enhanced protection for consumers and the financial system from fraud, identity theft, and illicit activity.
1AMLD – 6AMLD (EU AML Directives)
These are a series of evolving EU Anti-Money Laundering Directives aimed at strengthening AML enforcement across the EU. Each directive raised the bar for transparency, compliance, and enforcement:
1AMLD (1991): First EU-wide AML directive; focused on drug trafficking money laundering, applied to financial institutions only.
2AMLD (2001): Expanded scope to include lawyers, accountants, and more predicate crimes.
3AMLD (2005): Introduced the risk-based approach, PEP (Politically Exposed Persons) checks, and broader CDD requirements.
4AMLD (2015): Strengthened the risk-based approach and required central beneficial ownership registers.
5AMLD (2018): Extended AML rules to virtual currencies and prepaid cards, required KYC for crypto exchanges.
6AMLD (adopted 2018, transposition deadline December 2020): Defined 22 predicate offences for money laundering (e.g., cybercrime) and introduced criminal liability for aiding and abetting money laundering, including for legal entities.
In the UK, directives up to 5AMLD were transposed into national law through the Money Laundering Regulations (the UK opted out of 6AMLD, on the basis that domestic law already met its standards), and each EU member state similarly implemented them in its own money laundering regulations.
🏢 Real-World Impact for Organisations:
Required fintechs and crypto firms to perform enhanced due diligence and submit reports to local FIUs.
Raised expectations for transaction monitoring, especially for cross-border payments.
Must maintain auditable records and risk assessments.
🚀 Innovation/Consumer Benefit:
Led to widespread adoption of AI-driven AML tools that reduce false positives and increase detection accuracy.
Improved transparency around beneficial ownership and suspicious activity.
Protected consumers by tightening oversight across fast-moving digital finance.
The regulatory frameworks across the UK, US, and EU, from the UK’s Money Laundering Regulations to the Bank Secrecy Act and the evolving EU AML Directives, form the foundation of global efforts to safeguard financial systems from criminal abuse. These rules have forced financial institutions and fintechs alike to take fraud prevention and customer due diligence seriously, introducing mandatory KYC, suspicious activity monitoring, and identity verification requirements.
For fintechs, this created both challenge and opportunity. Compliance became a non-negotiable operational layer, but it also accelerated innovation in identity verification (IDV), real-time AML screening, and AI-driven transaction monitoring. Startups like Onfido, ComplyAdvantage, and Alloy emerged directly in response to these regulatory demands.
The real benefit, though, is to consumers.
Stronger safeguards against fraud, reduced risk of financial crime, and greater trust in the legitimacy of the digital financial ecosystem.
Even as regulations continue to evolve, these frameworks remain essential in protecting users while enabling fintechs to scale responsibly.
Now to the meatiest section…
Banking, Credit, and Payments 💳
For me, these are the most important regulations that have driven fintech innovation.
PSD1 (Payment Services Directive 1)
PSD1, adopted in 2007 and transposed by member states by November 2009, was the EU’s first attempt to create a single market for payment services, enabling smoother, faster and more competitive cross-border payments within the EU. It defined a legal category of Payment Institutions (PIs), allowing non-bank entities to enter the market and offer services like money remittance and payment processing.
🏢 Real-World Impact for Organisations:
Allowed fintechs to become regulated payment providers without needing a full banking license.
Introduced basic consumer protections and harmonised rules across the EU.
Created the foundation for SEPA implementation and pan-European fintech scaling.
🚀 Innovation/Consumer Benefit:
Broke the bank monopoly on payments and opened the door for new entrants.
Enabled the launch of early fintechs focused on remittances, mobile wallets, and merchant services.
Increased consumer access to lower-cost, faster cross-border transfers.
PSD2 (Payment Services Directive 2)
Building on PSD1, PSD2 (adopted in late 2015, applicable from January 2018, with the SCA rules following in September 2019) introduced a bold new vision for data sharing and competition in payments. It required banks to open up access to customer accounts, with the customer’s consent, via secure APIs, establishing the legal foundation for Open Banking in the EU. It also introduced Strong Customer Authentication (SCA): two independent factors for most electronic payments, with the authentication code for remote payments dynamically linked to the amount and payee. In the UK it ran alongside the CMA’s Retail Banking Market Investigation Order 2017, which mandated Open Banking for the nine largest current account providers, set up the Open Banking Implementation Entity, and produced the API standards now copied by many other regions across the world.
🏢 Real-World Impact for Organisations:
Banks were forced to build APIs and provide access to licensed Third Party Providers (TPPs).
Created two new regulated roles: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
Required implementation of SCA for many electronic payments, changing how authentication is handled.
🚀 Innovation/Consumer Benefit:
Gave consumers control over their financial data, enabling aggregation apps, account switching, and new payment journeys.
Catalysed a wave of Open Banking fintechs across Europe, from PFM tools to alternative lenders.
Helped standardise secure, API-first financial infrastructure, influencing global policy.
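The SCA requirement deserves a closer look, because the “dynamic linking” part is what makes it more than a second password. Below is an added example (not code from the original edition, and not any bank’s or scheme’s implementation) of the shape of the check: a knowledge factor (a PIN verified against a salted hash the bank holds) and a possession factor (an HMAC computed by a key provisioned on the user’s device) over the exact payee and amount the user approved, so that a tampered amount or payee invalidates the code. The device key, PIN, salt, transaction id and IBAN are all constructed; a real deployment would keep the device key in a secure element and the bank’s copy in an HSM.

```python
"""Strong Customer Authentication with dynamic linking, simplified.

PSD2's SCA rules require two independent factors and, for remote payments,
an authentication code that is cryptographically bound to the amount and
payee shown to the payer ("dynamic linking"): change either and the code
must stop validating. This example checks a knowledge factor (PIN against
a salted hash held by the bank) and a possession factor (an HMAC produced
by a device key provisioned at enrolment). Every key, PIN and IBAN below
is constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    tx_id: str
    payee_iban: str
    amount_cents: int
    currency: str

    def dynamic_link(self) -> bytes:
        """Canonical bytes for every field the auth code must be bound to."""
        return "|".join([self.tx_id, self.payee_iban,
                         str(self.amount_cents), self.currency]).encode()


# --- knowledge factor: PIN verified bank-side, never stored in clear ---------
def make_pin_verifier(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def check_pin(pin: str, salt: bytes, verifier: bytes) -> bool:
    return hmac.compare_digest(make_pin_verifier(pin, salt), verifier)


# --- possession factor: runs on the enrolled device ---------------------------
def device_auth_code(device_key: bytes, payment: Payment) -> str:
    """HMAC over the payment details the user has just seen and approved."""
    mac = hmac.new(device_key, payment.dynamic_link(), hashlib.sha256).digest()
    return mac[:8].hex()   # truncated code relayed back to the bank


# --- bank side -----------------------------------------------------------------
@dataclass(frozen=True)
class Enrolment:
    device_key: bytes      # in practice a secret held in a secure element / HSM
    pin_salt: bytes
    pin_verifier: bytes


def authorise(payment: Payment, pin: str, code: str,
              enrolment: Enrolment) -> tuple[bool, str]:
    """Both factors must pass. The code is recomputed over the payment the
    bank is actually about to execute, so a swapped amount or payee fails."""
    if not check_pin(pin, enrolment.pin_salt, enrolment.pin_verifier):
        return False, "knowledge factor failed"
    expected = device_auth_code(enrolment.device_key, payment)
    if not hmac.compare_digest(expected, code):
        return False, "possession factor / dynamic link failed"
    return True, "ok"


# --- constructed demo ----------------------------------------------------------
DEVICE_KEY = bytes.fromhex("0b7f1e9c4d2a6b5e8f1c3d4e5f607182")   # constructed
PIN_SALT = b"constructed-salt"
ENROLMENT = Enrolment(DEVICE_KEY, PIN_SALT, make_pin_verifier("2468", PIN_SALT))


def demo() -> dict[str, tuple[bool, str]]:
    shown = Payment("tx-1001", "DE89370400440532013000", 1250, "EUR")   # 12.50 EUR
    code = device_auth_code(DEVICE_KEY, shown)      # user approved exactly this
    # a man-in-the-browser changes the amount after the code was produced
    tampered = Payment("tx-1001", "DE89370400440532013000", 125000, "EUR")
    return {
        "genuine": authorise(shown, "2468", code, ENROLMENT),
        "wrong_pin": authorise(shown, "0000", code, ENROLMENT),
        "amount_changed": authorise(tampered, "2468", code, ENROLMENT),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15} -> {ok} ({why})")
```

The point a practitioner should take from this is the third case: the PIN is right and the code was genuinely produced by the enrolled device, yet the payment is refused because the bank recomputes the code over the transaction it is about to execute, not the one the attacker showed the user.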
🔍 Want to learn more about PSD2 and the evolution of Open Banking? Click here for a deeper dive
E-Money Directive (2000, revised in 2009)
The E-Money Directive enabled non-banks to issue stored value (electronic money), paving the way for digital wallets, neobanks, and prepaid card providers to legally operate across the EU without being a full bank.
🏢 Real-World Impact for Organisations:
Allowed companies like PayPal, Revolut, and Wise to get E-Money Licences.
Created a pathway for fintechs to build wallets, remittance, and prepaid services.
Required safeguarding of customer funds and regular audits.
🚀 Innovation/Consumer Benefit:
Opened the door for non-bank innovation in money storage and transfer.
Improved consumer access to digital wallets and international money movement.
Allowed fintechs to launch faster across the EU via passporting.
SEPA (Single Euro Payments Area) Regulations
SEPA, phased in across the EU from 2008 to 2014, is a regulatory and technical initiative to make euro payments across European borders as easy and efficient as domestic ones. It harmonised payment formats, timelines and identifiers (IBANs, BICs) across Europe.
🏢 Real-World Impact for Organisations:
Standardised euro credit transfers and direct debits across the EU.
Reduced cost and complexity of cross-border payments.
Required use of ISO 20022 messaging and IBAN identifiers.
🚀 Innovation/Consumer Benefit:
Supported the rise of pan-European fintechs like N26 and Wise.
Made sending money across borders faster, cheaper, and more transparent.
Removed some friction from EU-wide personal and business finance.
Regulation E (Electronic Fund Transfer Act)
Regulation E, which implements the Electronic Fund Transfer Act of 1978, governs electronic fund transfers involving consumers, including debit cards, ACH and digital wallets. It protects consumers against errors, unauthorised transactions and fraud in the United States.
🏢 Real-World Impact for Organisations:
Requires clear disclosures, error resolution procedures, and user protections.
Applies to neobanks, P2P apps, prepaid programs, and embedded finance platforms.
Limits consumer liability for unauthorised transfers, with the cap depending on how quickly they are reported, and requires institutions to investigate disputed transactions within set deadlines.
🚀 Innovation/Consumer Benefit:
Gave consumers confidence in using digital payments.
Required fintechs to design easy-to-access dispute resolution flows.
Supported the mass adoption of wallets and P2P payment apps.
Dodd-Frank Act
Passed in the aftermath of the 2008 financial crisis, Dodd-Frank created sweeping reforms across the U.S. financial system when it came into effect in 2010. It established the Consumer Financial Protection Bureau (CFPB) and imposed new rules on lending, consumer disclosures, and systemic risk.
🏢 Real-World Impact for Organisations:
Gave rise to regulatory frameworks that impact fintech lenders and credit bureaus.
Introduced new mortgage lending rules, small business lending data requirements (Section 1071) and transparency mandates.
Empowered the CFPB to oversee emerging fintech products and services.
🚀 Innovation/Consumer Benefit:
Drove demand for transparent and consumer-friendly lending products.
Made disclosure and consent central to digital credit services.
Sparked innovation in credit scoring, BNPL, and loan servicing tools.
🔍 I would have also explicitly included the 1033 rule separately as it is still a section in Dodd-Frank but as there is no plan to formally enforce it I decided to omit it. You can read more about 1033 here though..
Durbin Amendment (to the Dodd-Frank Act)
The Durbin Amendment, a late addition to the Dodd-Frank Act championed by Senator Richard ‘Dick’ Durbin, and specifically the Federal Reserve’s Regulation II that implements it, took effect in October 2011. It capped interchange fees on debit card transactions for issuers with over $10 billion in assets, and required issuers of all sizes to enable at least two unaffiliated payment networks for routing. It was aimed at increasing competition and reducing costs for merchants.
🏢 Real-World Impact for Organisations:
Lowered debit card interchange fees for large banks.
Affected the economics for neobanks issuing debit cards through partner banks: those sponsored by banks under the $10 billion threshold are exempt from the cap, which underpins much of the BaaS model.
Led to changes in card routing strategies and business models.
🚀 Innovation/Consumer Benefit:
Indirectly boosted fintech debit products by creating more competitive payment rails.
Gave merchants lower transaction costs, which could translate to consumer savings.
Opened discussions around payments network choice and transparency.
Consumer Credit Act (UK)
The Consumer Credit Act 1974 regulates credit agreements in the UK, from loans and credit cards through to the BNPL arrangements now being brought into scope (interest-free BNPL has historically sat outside it). It protects consumers by ensuring transparency, fair terms and access to redress.
🏢 Real-World Impact for Organisations:
Requires clear disclosure of APR, total cost of credit, and repayment terms.
Covers cooling-off periods and cancellation rights.
Currently under review for modernisation to fit digital lending.
🚀 Innovation/Consumer Benefit:
Provides robust protections against predatory lending.
Informs the design of transparent digital lending journeys.
Lays the groundwork for more ethical fintech credit products.
From PSD1 and PSD2 in Europe to Dodd-Frank and Section 1033 in the U.S., the regulations shaping banking, credit, and payments have not only modernised legacy financial infrastructure, they've fundamentally rebalanced the relationship between consumers, banks, and fintechs. These laws have enabled new forms of financial access, encouraged interoperability, and forced incumbents to open up systems previously locked behind proprietary walls.
You don’t have to take my word for it.
If you’re reading this, you’ve probably directly worked to understand and adhere to one or many of these rules, whether that’s as the head of a KYB technology provider building a more efficient solution for KYC’ing customers across regions or, as I was, someone reading the PSD2 regs in early 2017 and later getting to grips with the Open Banking protocols to build an Open Banking data-powered fintech.
These regulations have underpinned, and in many cases, enabled the sprawling fintech innovation we’ve seen across the globe, hence why I’m giving some of these “their flowers” as the kids say. 😎
The Impact of Regulation on Fintech and FS
My intention wasn’t to brain dump a load of bills, laws, acts and standards to show the scale and depth of rules that have shaped fintech, but that is one of the side effects.
What it has done is show the impact regulation can have. Because past regulations have so consistently given rise to innovation and consumer benefits, new directives, legislation and bills are a good indicator of where the industry will be steered over the following few years.
Take digital banking: without PSD1, the Money Laundering Regulations, AMLD 1-6, the E-Money Directive and PCI-DSS compliance, would we have innovative and secure digital banking products like Monzo, Revolut, Tide and others?
For Open Banking, without PSD2 we wouldn’t have the sheer number of TPPs, PFMs and Open Banking payments companies, or the thousands of innovators able to use open protocols to build products faster, pulling account data and initiating payments through an easy-to-use API.
For Payments and Embedded Finance, regulations like SEPA, the Durbin Amendment, Reg E, and the E-Money Directive enabled a more accessible, interoperable, and developer-friendly payments landscape — giving rise to companies like Stripe, Adyen, Square, Checkout.com and countless embedded finance platforms that power everything from gig economy payouts to marketplace lending.
In many cases, it’s regulation that creates the playing field on which fintech can compete, experiment, and scale. Whether it’s through granting new types of licences, enforcing interoperability, or mandating consumer protections, well-designed regulatory frameworks act as enablers of innovation, not the blockers of it that some make it out to be.
That’s why the next wave of regulation is worth paying close attention to. From smart data legislation in the UK to PSD3, and the EU’s AI Act and Digital Operational Resilience Act (DORA), the shape of what’s next in fintech is already being sketched out in legislative drafts and consultation papers. In this final section, we look at the most recent regulations taking hold today, and those on the horizon that are likely to define the next chapter of fintech innovation.
The 6 Regulations That Will Shape the Future of Fintech 🚀
1. EU Accessibility Act
This Act, applicable from 28 June 2025, mandates that key products and services, including banking and e-commerce, be accessible to people with disabilities. It covers websites, mobile apps, ATMs, payment terminals and customer support services.
🏢 Real-World Impact for Organisations:
Must redesign digital experiences to meet the harmonised accessibility standard (EN 301 549, which builds on WCAG 2.1).
Applies to banking apps, online onboarding, payment interfaces, and comms.
Requires training and review of internal accessibility practices.
🚀 Innovation/Consumer Benefit:
Promotes inclusive fintech that works for people with disabilities and the elderly.
Spurs demand for accessible-by-default design tools and services.
Helps build trust and loyalty through universal, user-friendly digital journeys.
🌱 Potential Areas of Innovation:
Accessible fintech UI kits or developer tools
Voice-assisted banking or biometric accessibility features
Compliance-as-a-service for accessibility
🔍 For new readers, click here to read the deep explainer of the EUAA I put together.
2. Consumer Duty (UK FCA)
The FCA’s Consumer Duty, in force since 31 July 2023 for new and existing open products and since 31 July 2024 for closed products, requires all financial firms to deliver good outcomes across the customer lifecycle, not just at point-of-sale. It introduces a proactive obligation to avoid foreseeable harm and act in good faith towards consumers.
🏢 Real-World Impact for Organisations:
Must review pricing, disclosures, communications, and product suitability.
Requires ongoing monitoring of customer outcomes.
Places the burden of proof on firms to show they’re acting in the customer’s interest.
🚀 Innovation/Consumer Benefit:
Encourages clearer UX copy, transparent pricing, and ethical product design.
Spurs the development of real-time outcome tracking and feedback analytics.
Builds consumer trust by reducing hidden fees, poor-fit products, and confusing terms.
🌱 Potential Areas of Innovation:
Outcome tracking tools and dashboards
Intelligent disclosure/UX copywriting tools
Adaptive pricing and fairness assessment platforms
3. AI Act (EU)
The AI Act entered into force in August 2024, with most obligations, including those for high-risk systems, applying from August 2026. It is the world’s first major regulatory framework for artificial intelligence. It categorises AI use cases by risk and imposes strict requirements on high-risk systems, which in finance include credit scoring of individuals and biometric identification (AI used purely to detect financial fraud is explicitly carved out of the high-risk list).
🏢 Real-World Impact for Organisations:
Must classify and assess AI systems based on risk tier.
Requires transparency, data quality documentation, and human oversight.
Bans certain uses outright, such as social scoring and, with narrow law-enforcement exceptions, real-time remote biometric identification in public spaces.
🚀 Innovation/Consumer Benefit:
Sets a baseline for trustworthy AI in financial decision-making.
Encourages investment in auditable, explainable, and ethical AI models.
Could lead to innovation in AI monitoring, bias detection, and model transparency tooling.
🌱 Potential Areas of Innovation:
Explainable AI toolkits for fintech
AI auditing and risk classification platforms
Low-risk AI tools that don’t require full compliance overhead
4. UK Smart Data Bill
The Smart Data Bill is the UK’s move toward Open Finance and ‘Open Everything’, building on Open Banking principles. It seeks to give consumers control over their data across sectors including energy, telecoms, pensions and insurance via interoperable APIs and consent frameworks. The smart data provisions were enacted as part of the Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025; the sector-specific schemes will come into force via secondary legislation over the coming months.
🏢 Real-World Impact for Organisations:
Will require financial firms to build APIs and adopt consistent data-sharing protocols.
Opens up competition in markets like insurance, pensions, and credit.
Encourages convergence of identity, data, and consent infrastructure.
🚀 Innovation/Consumer Benefit:
Expands Open Banking benefits to new industries.
Gives consumers easier access to personalised, cross-sector financial services.
Powers the next wave of embedded finance, switching tools, and data-driven insights.
🌱 Potential Areas of Innovation:
Cross-sector personal finance dashboards
Embedded insurance, pensions, and savings tools
Smart data aggregation APIs and consent orchestration platforms
5. GENIUS Act (Guiding and Establishing National Innovation for U.S. Stablecoins Act)
The GENIUS Act, passed by the Senate and heading to the House for approval, creates a federal regulatory regime specifically for payment stablecoins, requiring them to be fully backed 1:1 with high-quality, liquid reserves (like U.S. dollars or short-term Treasuries) and forbidding the payment of interest to holders. It identifies three categories of permissible issuers (insured-bank subsidiaries, OCC-regulated non-banks, and state-licensed entities), and centralises primary supervision with federal regulators like the OCC or approved state authorities.
🏢 Real-World Impact for Organisations:
Only approved entities can issue stablecoins; issuing otherwise may result in millions of dollars in fines or criminal charges.
Strong reserve, transparency, and redemption requirements force issuers to adopt robust systems and internal reporting.
Issuers are classified as financial institutions under AML laws, expanding regulatory scope and oversight.
🚀 Innovation/Consumer Benefit:
Sets a clear regulatory foundation that can help stablecoins become trusted payment instruments, especially among traditional financial institutions.
Enhances consumer confidence through reserve backing, clear redemption rights, and AML safeguards.
Encourages institutional and corporate adoption, opening the door for fintech platforms and digital wallets to integrate stablecoin-based payment rails.
🌱 Potential Areas of Innovation:
Stablecoin issuance-as-a-service platforms, supporting reserve management, compliance, and token minting.
Transparency dashboards tracking reserve holdings, transactions, and audit logs for consumers and auditors.
Plug-and-play AML and redemption infrastructure tailored for fintech firms entering the stablecoin market.
6. PSD3 (EU)
PSD3 is the planned evolution of PSD2, aiming to refine and expand the Open Banking framework. It may consolidate PSD2 and E-Money regulations, broaden data access to non-payment accounts (e.g., savings, mortgages), and harmonise consent management and fraud protections. It is estimated to be implemented in 2026-2027.
🏢 Real-World Impact for Organisations:
Will require TPPs and ASPSPs to improve API performance and reliability.
Could streamline licensing and regulatory overlap between Payment Institutions and EMIs.
Might introduce Open Finance mandates, bringing more account types into scope.
🚀 Innovation/Consumer Benefit:
Signals the move from Open Banking to Open Finance.
Could lead to richer, more personalised fintech services.
Builds on the success of PSD2 to further unlock data-driven innovation.
🌱 Potential Areas of Innovation:
Open Finance platforms covering pensions, investments, and credit.
Universal consent layers for data sharing.
Real-time, fraud-aware payment initiation services.
How Will They Impact The Future of Fintech? 🔮
Just as PSD1, Dodd-Frank, PSD2 and the other key regulations enabled a unique period of innovation in financial services, these 6 recent and proposed regulations will shape this next period of innovation.
👉🏽 The EU Accessibility Act has already had some impact, with Monzo and Bunq both launching accessibility features at the end of 2024 (Monzo partnering with SignLive to improve inclusivity for users who rely on BSL, and Bunq upgrading its AI assistant, ‘Finn’, introducing real-time speech-to-speech translation within its app). Accessibility will be seen as a moat by many more fintechs soon…
👉🏽 With the FCA’s Consumer Duty Rule we should see more customer centric products being built, real customer discovery being done, and financial services organisations being held to account for not delivering effective products to consumers.
👉🏽 The EU AI Act will push fintechs to rethink how they build, train, and govern the models behind everything from credit scoring to fraud detection. Beyond compliance, it will likely usher in a new generation of ethical, explainable AI products that are both performant and accountable — giving consumers greater visibility into how decisions are made and prompting better human-in-the-loop design.
👉🏽 The UK Smart Data Bill signals the expansion of Open Banking into Open Everything. By enabling consumers to share their data not just across banks, but across sectors like energy, telecoms, pensions, and insurance, this legislation has the potential to create an entirely new layer of cross-industry fintech orchestration — powering switching services, personalised comparisons, and financial wellbeing tools that span everyday life.
👉🏽 The GENIUS Act represents a critical step toward a regulated, stablecoin-powered payments future in the U.S. For the first time, it sets out a federal framework for fiat-backed stablecoins, giving institutional and fintech players the clarity needed to explore new digital money rails, build stablecoin-native wallets, and integrate programmable money into mainstream finance — all with strong consumer safeguards.
👉🏽 And finally, PSD3, still in development, will shape the evolution from Open Banking to Open Finance in the EU. With its focus on stronger API performance, broader data access, and potentially unified licensing across payment and e-money institutions, PSD3 could unlock deeper integration opportunities, power richer data-sharing ecosystems, and bring more financial products into the open-access economy — from savings and investments to pensions and credit.
Together, these regulations hint at a future of finance that’s more inclusive, intelligent, connected, composable, and a key word that seems to be popping up in more and more mission statements… programmable 👀
If there’s one thing I’d like readers to take away from this (aside from how beneficial regulations are to the enablement of innovation and the protection of customers), it’s to think about which of the above recent and inevitable regulations will transform the area of fintech you work in, and to start thinking about how and where this transformation will happen, because then you get a front row seat to regulation in action!
That’s it from me and this wordy edition on a very important subject.
If you enjoyed it, learnt something, or hopefully both, then drop a like and drop your comments below. Which important regulation did I miss? Which do you think is overrated in terms of impact?
See you in two weeks 👋🏽
J.
Interesting News 🗞: Xero acquires Melio
This is interesting news, but not surprising.
New Zealand-based cloud accounting leader Xero announced on June 24, 2025, that it will acquire Melio, a U.S. SMB-focused payments processor, for US $2.5 billion upfront. Melio is a fast-growing accounts payable/receivable platform used by ~80,000 U.S. small businesses, processing over $30 billion annually. The acquisition grants Xero end-to-end control over payment workflows, integrating bill pay directly into its accounting platform.
Why do I say it’s interesting but not surprising?
As I wrote a couple of years ago, SMBs interact more with their accounting platform than they log into their business bank account. ASPs are becoming the operating system for SMBs, giving them cashflow analytics, health checks, and embedded finance. Capturing more functional activity was inevitable as ASPs strengthen their position as the core OS.
Excellent detailed insights into regulation. Great reading for us fintech nerds!
Both IFR (EU 2015/751) and PSD2 (EU 2015/2366) were passed around a similar time period, and both had a huge impact on the payment landscape. In some ways they complemented each other but IFR is lesser known than PSD2.
IFR regulated interchange at 0.20% debit and 0.30% credit for consumer domestic and intra-EU transactions. This, in reality, obliterated card reward schemes especially in the UK, where almost all decent Visa and Mastercard rewards have disappeared in the past years.
IFR highlighted the challenge of high card payment fees and allowed Open Banking from a PISP perspective to make the case for lower fees, especially for higher value transactions where a per item fee could still be much cheaper than 0.20%.
However, one irony is that by forcing card fees so much lower, the differential between OB payments and cards became almost non-existent for low value transactions. Yet cards come with various protections that OB payments don't have.
If cards had stayed at the higher interchange fees prior to IFR then perhaps the incentive for merchants to move to OB payments more quickly would have been there, and the move would have taken place with more urgency!