Essential compliance requirements for payment institutions and EMIs, including safeguarding, SCA, operational resilience, and reporting obligations.
The payments landscape in 2025 presents both significant opportunities and substantial regulatory challenges for payment institutions (PIs) and electronic money institutions (EMIs). As the sector continues to evolve with new technologies, business models, and customer expectations, the FCA has intensified its supervisory focus on payment services compliance. For firms operating in this space, maintaining robust compliance frameworks is not merely a regulatory obligation but a fundamental requirement for sustainable business operations.
This comprehensive guide examines the key compliance requirements facing PIs and EMIs in 2025, identifies common compliance gaps that attract regulatory scrutiny, and provides a practical checklist to help your firm maintain full compliance with the Payment Services Regulations 2017 (PSRs 2017) and related requirements.
The Evolving Payments Regulatory Landscape
The UK payments sector operates within a framework shaped by the PSRs 2017, the Electronic Money Regulations 2011 (EMRs 2011), and the FCA's supervisory approach as set out in its Approach Document. Following the UK's departure from the European Union, this framework has continued to evolve, with the FCA taking an increasingly assertive approach to supervision of the payments sector.
Recent FCA communications, including sector-specific portfolio letters, have highlighted ongoing concerns about compliance standards across the industry. Areas of particular focus include safeguarding of customer funds, implementation of strong customer authentication, operational resilience, and the adequacy of financial crime controls. Firms that fail to meet these expectations face the prospect of intensive supervisory action, requirements for independent reviews, and potential enforcement proceedings.
Safeguarding Requirements: Protecting Customer Funds
Safeguarding represents the cornerstone of payment services compliance. The requirements exist to ensure that customer funds held by PIs and EMIs remain protected in the event of firm insolvency, enabling their return to customers ahead of other creditors.
Ring-Fencing Client Funds
Under Regulation 23 of the PSRs 2017 and Regulation 21 of the EMRs 2011, authorised firms must safeguard relevant funds by the end of the business day following receipt. This seemingly straightforward requirement demands robust operational processes to identify, segregate, and protect customer money.
Practical example: Consider a PI that processes payments for e-commerce merchants. When a consumer makes a payment that the PI holds pending settlement to the merchant, those funds are "relevant funds" that must be safeguarded. The firm must have systems capable of identifying these funds in real-time and ensuring they are placed under safeguarding protection within the required timeframe.
Key requirements include:
- Segregated accounts: Relevant funds must be held in accounts clearly identified as holding customer money, kept separate from the firm's own funds
- Acknowledgement letters: Banks holding safeguarded funds must provide acknowledgement that they have no right of set-off or counterclaim against the safeguarded funds
- Diversification: Firms should consider spreading safeguarded funds across multiple credit institutions to reduce concentration risk
- Real-time visibility: Systems must enable accurate, real-time tracking of safeguarded amounts
Insurance vs Segregation Methods
The PSRs 2017 permit two approaches to safeguarding: the segregation method (holding funds in designated accounts) or the insurance method (covering relevant funds through an insurance policy or comparable guarantee).
In practice, the vast majority of firms utilise the segregation method, as obtaining suitable insurance coverage has proved challenging. Firms using the insurance method must ensure their policy meets specific requirements, including coverage of all relevant funds, immediate payment upon firm insolvency, and an insurer authorised in the UK or a jurisdiction with equivalent regulatory standards.
The FCA's Approach Document makes clear that regardless of which method is employed, the firm retains full responsibility for ensuring customer funds can be returned promptly in an insolvency scenario.
Daily Reconciliation
Robust reconciliation processes are essential to effective safeguarding. The FCA expects firms to conduct daily reconciliations between:
- Internal records of customer entitlements
- Funds held in safeguarding accounts
- Transaction records showing movements of relevant funds
These reconciliations must be conducted by appropriately trained staff, with clear escalation procedures for discrepancies. Many FCA enforcement actions in the payments sector have identified reconciliation failures as a contributing factor to safeguarding breaches.
Practical example: A firm should maintain a daily reconciliation pack that documents the closing balance of each safeguarding account, the total customer entitlement per internal records, any discrepancy identified, and the actions taken to investigate and resolve discrepancies. This documentation should be retained and available for regulatory review.
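The three-way reconciliation described above, as an added example that is not the article's own material: it compares the ledger of customer entitlements, the banks' closing safeguarding balances, and the opening balance plus the day's recorded movements, records every break, and flags a shortfall for same-day escalation. All balances and account names are constructed sample data.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample data for one business day (not figures from the article).
CUSTOMER_ENTITLEMENTS = {          # internal ledger: customer id -> funds owed
    "cust-001": Decimal("1250.00"),
    "cust-002": Decimal("80.50"),
    "cust-003": Decimal("4320.25"),
}
ACCOUNT_BALANCES = {               # closing balances confirmed by each bank
    "SAFEGUARD-BANK-A": Decimal("3000.00"),
    "SAFEGUARD-BANK-B": Decimal("2650.75"),
}
OPENING_BALANCE = Decimal("5100.00")                  # yesterday's reconciled total
MOVEMENTS = [Decimal("800.00"), Decimal("-249.25")]   # receipts (+) and settlements (-)


@dataclass
class ReconciliationPack:
    total_entitlement: Decimal
    total_safeguarded: Decimal
    expected_from_movements: Decimal
    discrepancies: list = field(default_factory=list)   # (kind, amount) tuples
    escalate: bool = False


def reconcile(entitlements, account_balances, opening_balance, movements,
              tolerance=Decimal("0.00")):
    """Three-way check: ledger entitlements vs bank balances vs opening + movements."""
    zero = Decimal("0")
    total_entitlement = sum(entitlements.values(), zero)
    total_safeguarded = sum(account_balances.values(), zero)
    expected = opening_balance + sum(movements, zero)
    pack = ReconciliationPack(total_entitlement, total_safeguarded, expected)

    diff = total_safeguarded - total_entitlement
    if abs(diff) > tolerance:
        # A shortfall means customer money is under-protected: the most serious break.
        pack.discrepancies.append(("shortfall" if diff < 0 else "excess", diff))
    diff_mov = total_safeguarded - expected
    if abs(diff_mov) > tolerance:
        # Bank balance does not agree with the day's recorded movements.
        pack.discrepancies.append(("movement_mismatch", diff_mov))

    # Every break is investigated; a shortfall is escalated the same day.
    pack.escalate = any(kind == "shortfall" for kind, _ in pack.discrepancies)
    return pack


if __name__ == "__main__":
    print(reconcile(CUSTOMER_ENTITLEMENTS, ACCOUNT_BALANCES, OPENING_BALANCE, MOVEMENTS))
```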
Audit Requirements
Authorised PIs and EMIs must include in their annual audited accounts confirmation that they have complied with safeguarding requirements. The external auditor must specifically report on whether the firm's safeguarding arrangements comply with the PSRs 2017 or EMRs 2011 as applicable.
Beyond this annual requirement, firms should consider commissioning periodic independent reviews of their safeguarding arrangements. Given the FCA's heightened focus on this area, proactive assurance can identify weaknesses before they attract regulatory attention.
Strong Customer Authentication (SCA)
Strong Customer Authentication requirements, derived from PSD2 and implemented through the PSRs 2017, mandate that payment service providers apply multi-factor authentication to electronic payment transactions and certain other activities.
When SCA Applies
SCA is required when a payer:
- Accesses their payment account online: Whether via web browser or mobile application
- Initiates an electronic payment transaction: Including card payments, credit transfers, and direct debits
- Carries out any action through a remote channel: That could imply a risk of payment fraud or other abuse
The authentication must incorporate elements from at least two of three categories: knowledge (something only the user knows), possession (something only the user has), and inherence (something the user is).
Exemptions Available
The regulations provide for various exemptions from SCA, which must be applied appropriately and documented thoroughly:
- Low-value transactions: Contactless payments below GBP 45, subject to a cumulative limit of GBP 130 since the last SCA
- Low-risk transactions: Based on transaction risk analysis where the payment service provider maintains fraud rates below regulatory reference rates
- Recurring transactions: Subsequent transactions of the same amount to the same payee
- Trusted beneficiaries: Payments to beneficiaries the payer has previously designated as trusted
- Secure corporate payments: Dedicated payment processes or protocols available only to non-consumers
- Unattended terminals: Payments at unattended terminals for transport fares or parking charges
Firms must maintain robust systems to apply exemptions correctly and must be prepared to demonstrate to the FCA that their approach is compliant and that fraud rates remain within acceptable parameters.
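Applying the low-value exemption systematically, as an added example rather than code from the article: a per-instrument counter enforces the single-transaction and cumulative limits quoted above, resets when SCA is performed, and keeps the decision log that exemption-usage monitoring needs. The inclusive treatment of the cumulative limit and the instrument identifiers are assumptions.

```python
from decimal import Decimal

# Limits quoted in the article for the low-value exemption.
SINGLE_TXN_LIMIT = Decimal("45")        # transaction must be below this
CUMULATIVE_LIMIT = Decimal("130")       # cumulative spend since the last SCA


class LowValueExemptionTracker:
    """Per-instrument counter deciding whether the low-value exemption may be used."""

    def __init__(self):
        self.spent_since_sca = {}   # instrument id -> Decimal spent under the exemption
        self.decision_log = []      # audit trail: (instrument, amount, decision)

    def decide(self, instrument_id, amount):
        spent = self.spent_since_sca.get(instrument_id, Decimal("0"))
        # Assumption: the cumulative limit includes the current transaction.
        if amount < SINGLE_TXN_LIMIT and spent + amount <= CUMULATIVE_LIMIT:
            self.spent_since_sca[instrument_id] = spent + amount
            decision = "exempt:low_value"
        else:
            decision = "sca_required"     # fall back to full authentication
        self.decision_log.append((instrument_id, amount, decision))
        return decision

    def record_sca(self, instrument_id):
        """Called once SCA has been performed: the cumulative counter resets."""
        self.spent_since_sca[instrument_id] = Decimal("0")

    def exemption_rate(self):
        """Share of decisions that used the exemption; feeds exemption-usage monitoring."""
        if not self.decision_log:
            return Decimal("0")
        exempt = sum(1 for *_, d in self.decision_log if d.startswith("exempt"))
        return Decimal(exempt) / Decimal(len(self.decision_log))
```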
Technical Standards
The technical implementation of SCA must comply with the requirements set out in the PSRs 2017 and associated guidance. Key requirements include:
- Dynamic linking: For electronic payment transactions, the authentication must be dynamically linked to the amount and payee
- Independence of elements: The authentication elements must be independent, so that breach of one does not compromise the others
- Confidentiality protection: The authentication procedure must protect the confidentiality of the authentication data
- Transaction codes: Where applicable, transaction authentication codes must be specific to the amount and payee
Practical example: A PI operating a payment initiation service must ensure its authentication flow captures user credentials through secure channels, links the authentication to the specific payment amount and recipient, and generates a unique code that cannot be used for any other transaction.
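The dynamic-linking property in code, as an added example and not the article's or any provider's implementation: the transaction authentication code is an HMAC over the exact amount and payee plus a one-time nonce, so a code issued for one payment fails verification if either value changes or if it is presented twice. The server-side key and the payee identifiers are placeholders.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Hypothetical server-side secret for the example; in production it lives in an HSM.
PSP_AUTH_KEY = b"example-key-replace-with-hsm-managed-secret"


def _canonical(amount, payee, nonce):
    # Fixed encoding so the same amount/payee/nonce always binds to the same bytes.
    return f"{Decimal(amount):.2f}|{payee}|{nonce}".encode()


def issue_authentication_code(amount, payee):
    """Create a one-time code bound to this amount and payee (dynamic linking)."""
    nonce = secrets.token_hex(16)
    code = hmac.new(PSP_AUTH_KEY, _canonical(amount, payee, nonce),
                    hashlib.sha256).hexdigest()
    # The payer is shown amount and payee with the code so they know what they approve.
    return {"nonce": nonce, "code": code,
            "displayed": f"Pay {Decimal(amount):.2f} to {payee}"}


def verify_authentication_code(amount, payee, nonce, code, used_nonces):
    """Accept only if the code matches this exact amount/payee and was not replayed."""
    if nonce in used_nonces:
        return False              # code already consumed by another transaction
    expected = hmac.new(PSP_AUTH_KEY, _canonical(amount, payee, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, code):
        return False              # amount or payee altered after authentication
    used_nonces.add(nonce)        # one code, one transaction
    return True
```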
Operational Resilience for PSPs
The FCA's operational resilience framework, which reached full implementation on 31 March 2025, applies to enhanced scope firms in the payments sector. These requirements demand that firms identify their important business services, set impact tolerances, and demonstrate they can remain within those tolerances during severe but plausible disruption scenarios.
Important Business Services
Payment firms must identify the services they provide that, if disrupted, could cause harm to consumers or market integrity. For most PIs and EMIs, this will include:
- Payment execution services (processing of payment transactions)
- Account information services where offered
- Payment initiation services where offered
- Customer support and complaint handling
- Safeguarding of customer funds
For each important business service, firms must map the resources (people, technology, facilities, and third parties) required to deliver that service and understand the dependencies and potential points of failure.
Impact Tolerances
Impact tolerances represent the maximum tolerable level of disruption to an important business service. They must be expressed using appropriate metrics relevant to the service in question.
Practical example: A PI might set an impact tolerance for its payment execution service that no more than 0.5% of transactions are delayed by more than four hours during a disruption event. This tolerance reflects the point at which harm to customers and market confidence would become intolerable.
Setting impact tolerances requires careful analysis of the potential harm that could result from service disruption, including consideration of vulnerable customers who may be particularly affected by payment delays.
March 2025 Deadline
As of 31 March 2025, firms were required to demonstrate they can remain within impact tolerances for all important business services. This means:
- Scenario testing has been completed for severe but plausible disruption events
- Remediation plans are in place for any vulnerabilities identified
- Boards have attested to the firm's operational resilience
- Ongoing monitoring and testing programmes are operational
Firms that have not met these requirements should treat this as an urgent priority and consider engaging specialist support to address gaps before attracting regulatory attention.
Reporting Obligations
PIs and EMIs face a range of regulatory reporting requirements that must be met accurately and on time. Failure to comply with reporting obligations is frequently identified in FCA enforcement actions as an indicator of broader governance weaknesses.
Annual Audited Accounts
Authorised PIs and EMIs must submit audited annual accounts to the FCA within the timeframe specified in their authorisation conditions, typically within six months of their accounting reference date. These accounts must include:
- A safeguarding audit opinion confirming compliance with relevant requirements
- Disclosure of relevant funds held at the year end
- Any material uncertainties regarding ongoing compliance
Small PIs operating under the registration regime have reduced requirements but must still submit annual accounts demonstrating compliance with capital requirements.
Safeguarding Reports
Beyond the annual audit requirement, the FCA may request ad hoc safeguarding reports, particularly where supervisory concerns have been identified. Firms should maintain the documentation and systems necessary to produce accurate safeguarding reports at short notice.
Capital Adequacy
PIs and EMIs must maintain capital resources at or above the minimum requirements set out in the PSRs 2017 and EMRs 2011 respectively. Reporting requirements include:
- Initial capital: Demonstrated at authorisation and maintained on an ongoing basis
- Own funds: Calculated using the method specified in the firm's authorisation
- Regular reporting: Through RegData submissions as required by the FCA
Firms must have robust processes for monitoring capital adequacy and escalating concerns if capital approaches minimum thresholds.
Fraud Statistics
Payment service providers are required to submit fraud statistics to the FCA, enabling the regulator to monitor fraud trends across the sector. These statistics inform supervisory priorities and may be published in aggregated form.
Accurate fraud reporting requires robust systems for identifying and categorising fraudulent transactions, including distinguishing between different fraud types such as unauthorised transactions, authorised push payment fraud, and card-not-present fraud.
Common Compliance Gaps
Through our work with payment firms and analysis of FCA supervisory findings, we have identified several compliance gaps that frequently attract regulatory concern.
Weak Safeguarding Controls
The most common safeguarding weaknesses include:
- Inadequate reconciliation: Firms failing to conduct daily reconciliations or lacking clear procedures for investigating discrepancies
- Commingling risks: Customer funds held in accounts that also contain firm funds, or inadequate segregation procedures
- Missing acknowledgement letters: Safeguarding accounts without proper acknowledgement from the holding bank
- Poor record-keeping: Inability to determine individual customer entitlements quickly in an insolvency scenario
Firms should conduct regular reviews of their safeguarding arrangements, ideally including independent assurance from parties with specialist expertise.
Incomplete SCA Implementation
Despite SCA requirements being in force for several years, many firms continue to struggle with full compliance:
- Exemption management: Inconsistent application of exemptions or failure to monitor exemption usage
- Dynamic linking failures: Authentication not properly linked to specific transaction amounts and payees
- Customer friction concerns: Overly cumbersome authentication journeys that lead to inappropriate attempts to avoid SCA
- Delegated authentication: Inadequate oversight of authentication provided by third parties
The FCA expects firms to demonstrate both technical compliance and ongoing monitoring of SCA effectiveness.
Outsourcing Oversights
Many payment firms rely heavily on outsourced service providers for critical functions, including technology infrastructure, compliance services, and customer support. Common weaknesses include:
- Inadequate due diligence: Insufficient assessment of provider capability and resilience before entering arrangements
- Weak contractual provisions: Contracts that do not adequately address regulatory requirements, audit rights, or exit provisions
- Limited ongoing oversight: Failure to monitor provider performance against agreed service levels
- Exit planning gaps: No tested plan for transitioning away from critical providers if necessary
The FCA's outsourcing requirements demand that firms retain responsibility for outsourced activities and can demonstrate effective oversight at all times.
2026 Compliance Checklist
Use this checklist to assess your firm's compliance posture and identify areas requiring attention:
Safeguarding
- [ ] Daily reconciliation procedures are documented and consistently followed
- [ ] All safeguarding accounts have valid acknowledgement letters
- [ ] Customer entitlements can be calculated accurately within 48 hours
- [ ] Safeguarding audit opinion in annual accounts is unqualified
- [ ] Policies address treatment of funds received outside business hours
- [ ] Concentration risk in safeguarding arrangements has been assessed
Strong Customer Authentication
- [ ] SCA is applied to all in-scope transactions and activities
- [ ] Exemption application is systematic and documented
- [ ] Dynamic linking is correctly implemented for payment transactions
- [ ] Fraud rates are monitored against regulatory reference rates
- [ ] Customer authentication journeys are tested regularly
- [ ] Third-party authentication providers are adequately overseen
Operational Resilience
- [ ] Important business services have been identified and documented
- [ ] Impact tolerances are set for all important business services
- [ ] Scenario testing has been completed for severe but plausible events
- [ ] Vulnerabilities have been identified and remediation plans are in place
- [ ] Board attestation on operational resilience is current
- [ ] Ongoing testing programme is operational
Reporting and Capital
- [ ] Annual accounts are submitted on time with required safeguarding opinion
- [ ] Capital adequacy is monitored continuously with clear escalation triggers
- [ ] RegData submissions are accurate and timely
- [ ] Fraud statistics are compiled and reported as required
- [ ] Material changes are notified to the FCA promptly
Governance and Oversight
- [ ] Board receives regular MI on payment services compliance
- [ ] Compliance monitoring programme covers all PSRs requirements
- [ ] Outsourcing arrangements are documented and adequately overseen
- [ ] Staff training on payment services requirements is current
- [ ] Policies and procedures are reviewed and updated annually
How MEMA Can Help
Maintaining payment services compliance in 2025 requires specialist expertise, robust systems, and ongoing vigilance. MEMA Consultants has deep experience supporting PIs and EMIs across the full spectrum of regulatory requirements.
Our services for payment firms include:
- Safeguarding reviews that assess your arrangements against FCA expectations and identify practical improvements
- SCA compliance assessments including technical review of authentication implementations and exemption management
- Operational resilience support from identifying important business services through to scenario testing and board attestation
- Regulatory reporting assistance ensuring accurate and timely submissions to the FCA
- Gap analysis and remediation providing prioritised action plans to address compliance weaknesses
- Outsourcing framework development establishing robust arrangements for third-party oversight
- Authorisation and variation applications supporting firms seeking new permissions or changes to existing authorisations
- Training programmes for boards, senior management, and operational staff
Our team includes former FCA supervisors with direct experience of payment services supervision and consultants who have supported firms through regulatory reviews, s.166 skilled persons reviews, and enforcement proceedings.
Contact us today for a confidential discussion about your payment services compliance requirements.
About the Author
The MEMA Regulatory Team comprises former FCA supervisors and experienced compliance consultants with extensive expertise in payment services regulation, including the PSRs 2017, EMRs 2011, and the FCA's approach to supervising the payments sector.
This article is for general guidance only and does not constitute legal or regulatory advice. Firms should seek independent professional advice tailored to their specific circumstances.