Regulatory Digest - April 2025

Stay informed on the latest regulatory developments shaping critical sectors. From the UK’s adjustments to MREL requirements for banks, to the European Union’s finalisation of PSD3, and global initiatives such as Visa’s acceleration of merchant onboarding, we bring you the essential updates that are influencing the financial landscape across multiple regions.

‍

Global

Regulation Name: FSB Finalises Format for Incident Reporting Exchange (FIRE)

Effective Date: 15 April 2025 (phased implementation encouraged)

Issued By: Financial Stability Board (FSB)

Summary: The Financial Stability Board (FSB) has finalised the Format for Incident Reporting Exchange (FIRE), introducing a global standard for cyber and operational incident reporting. Though primarily directed at financial institutions, FIRE’s scope is highly relevant to merchant onboarding and third-party risk management, enhancing cross-border consistency in the reporting and handling of operational disruptions — including merchant-related incidents.

Key Changes:

• Common Incident Reporting Format: Establishment of a standardised structure for reporting cyber and operational incidents across financial institutions and their third parties, including merchants.
• Third-Party Scope: FIRE explicitly extends to third-party providers, covering incidents arising from merchant operations that impact resilience.
• Private Sector Collaboration: Developed with industry input, tested against anonymised real-world incident data to ensure practical adoption.
• Phased Implementation: Jurisdictions and firms are encouraged to adopt FIRE progressively, allowing integration into existing onboarding and vendor management frameworks.
• Interoperability with Existing Systems: Designed for seamless alignment with current compliance, risk, and incident management systems used during merchant onboarding and monitoring.

Impact of Changes: Merchant onboarding teams and third-party risk managers must increasingly treat cyber and operational resilience as core to the vendor lifecycle. Incident reporting mechanisms involving merchants and vendors may soon need to align with FIRE standards to meet emerging regulatory expectations. Early adoption will mitigate compliance gaps, strengthen operational resilience, and enhance response times to merchant-related breaches or disruptions.

Action Required:

• Incident Response Integration: Review merchant onboarding processes to ensure incident reporting mechanisms are capable of aligning with the FIRE structure.
• Third-Party Contracts Update: Embed incident reporting obligations into merchant and vendor contracts, ensuring compatibility with FIRE standards.
• System Enhancements: Assess incident management tools and workflows for FIRE compliance to ensure efficient reporting and monitoring.
• Staff Training: Train onboarding, risk, and compliance teams in the application of FIRE principles when managing merchants and third-party providers.

Source: Financial Stability Board (FSB)

‍

EMEA

European Union

Regulation Name: Finalisation of Payment Services Directive 3 (PSD3) and Payment Services Regulation

Effective Date: Likely 2026 (subject to finalisation of regulations in spring 2025)

Issued By: European Commission

Summary: The European Union is set to finalise the Payment Services Directive 3 (PSD3) and the corresponding Payment Services Regulation in early 2025. These frameworks aim to bolster consumer protection, enhance payment security, and address the challenges posed by emerging technologies like Open Banking and digital finance.

Key Changes:

• Consumer Protection: Stronger protections against fraud, particularly Authorised Push Payment (APP) fraud, with a greater focus on reimbursement rules.
• Payment Security: New obligations for payment service providers (PSPs) to implement enhanced security measures to prevent fraud and ensure safe transactions across all digital payment platforms.
• Open Banking: Updated rules on data sharing, consumer consent, and cross-border payments, ensuring Open Banking services are standardised across EU Member States.
• Regulatory Harmonisation: A move towards a unified set of payment rules across the EU, aiming to reduce regulatory divergence and enhance consistency between Member States.

Impact of Changes: PSPs will need to overhaul their compliance frameworks, operational processes, and customer protection measures. Firms offering Open Banking services will face new rules on data sharing and consumer consent. While the push towards harmonised regulations will simplify cross-border payments, it will also raise the bar for regulatory compliance across the board. Higher supervisory expectations may lead to increased operational costs, especially in areas like fraud detection, data security, and reporting.

Action Required:

• Compliance Updates: Payment service providers must reassess their systems and processes to meet the new consumer protection, fraud prevention, and security standards.
• Operational Adjustments: Firms must ensure their payment infrastructures are ready to accommodate the updated regulations, particularly around Open Banking, data protection, and cross-border payments.
• Enhanced Reporting: PSPs will need to enhance their reporting and monitoring systems to meet the elevated supervisory standards, particularly in fraud detection and data security.
• Training and Awareness: Firms must invest in staff training and education to ensure smooth implementation of the new regulatory framework and minimise the risk of non-compliance.

Source: KPMG Insights

‍

Initiative Name: Visa Introduce New Fee Structures

Effective Date: 1 April 2025

Issued By: Visa

Summary: Visa are updating their merchant onboarding and fee structures:

• Visa Arbitration Case Filing Fee Increase: The fee has increased from $500 to $600 to encourage earlier dispute resolution.
• Cyber Threat Protection Fee in the EU: A new fee of USD 0.0005 per authorisation will fund fraud protection initiatives for European acquirers.
• Consolidation of Dispute Monitoring Programs: Visa has merged VDMP and VFMP into a single Visa Acquiring Monitoring Program (VAMP) to streamline processes and expand enforcement.
• Mastercard’s Revised Merchant Advice Code TPE Criteria: New logic has been introduced for Transaction Processing Errors (TPE) to determine when transactions should not be retried.

Impact on Merchant Onboarding: Merchants will need to adjust for the increased arbitration filing fee and new cyber threat protection fee in their cost structures. The consolidation of dispute programs into VAMP will change dispute management processes, while the updated TPE criteria will require adjustments to transaction processing systems.

Action Required:

• Review Fee Structures: Update fee structures to reflect the new arbitration and cyber protection fees.
• Update Onboarding Processes: Revise processes to align with new dispute and transaction handling criteria.
• Staff Training: Ensure staff are trained on updated procedures and compliance standards.

Source: Paypal Developer

‍

America

United States

Initiative Name: Stripe Applies for U.S. Banking License to Enhance Merchant Acquiring Capabilities

Effective Date: 4 April 2025

Issued By: Stripe

Summary: Stripe has officially applied for a Merchant Acquirer Limited Purpose Bank (MALPB) charter with Georgia’s Department of Banking and Finance. This significant move brings Stripe closer to directly accessing Visa and Mastercard’s payment networks, enhancing its merchant acquiring capabilities. By acquiring this charter, Stripe will be able to process transactions directly, enabling faster payouts and lower fees for merchants, while bypassing the need for a BIN sponsor.

Key Changes:

• Direct Payment Network Access: With the MALPB charter, Stripe can bypass intermediary processors, resulting in faster transaction processing times for merchants.
• Lower Transaction Fees: Direct access to Visa and Mastercard networks enables Stripe to offer reduced transaction fees to merchants.
• Merchant Onboarding Improvement: Stripe’s new capabilities will simplify and accelerate the onboarding process for merchants, reducing the time and complexity typically associated with setting up on the platform.
• No Expansion into Traditional Banking: The MALPB charter focuses purely on merchant acquiring, excluding traditional banking services such as deposit-taking or lending.

Impact of Changes: Stripe’s acquisition of direct access to Visa and Mastercard networks will streamline the merchant onboarding experience, allowing for faster setup times and a more efficient route to market for businesses. Merchants will also benefit from lower transaction fees and quicker payouts, which are especially advantageous for high-volume merchants. Furthermore, Stripe’s ability to offer more seamless integration will support the global expansion of its merchant acquiring services, boosting scalability and operational speed.

Action Required:

• Onboarding Optimisation: Financial institutions should assess how Stripe’s new capabilities can streamline their onboarding processes and leverage direct access to payment networks for faster set-up.
• Cost-Saving Analysis: Businesses should review their transaction fee structures and payout timelines with Stripe to identify potential cost savings and advantages from bypassing intermediary processors.
• System Integration: Businesses may need to upgrade their systems to capitalise on Stripe’s enhanced merchant onboarding infrastructure and more efficient payment processing capabilities.

Source: Pymnts Publication

APAC

China

Initiative Name: Facial Recognition Regulations – Security Management Measures

Effective Date: 1 June 2025

Issued By: Cyberspace Administration of China (CAC) & Ministry of Public Security (MPS)

Summary: China’s latest biometric regulation marks a critical inflection point for platform security and merchant enablement. Effective 1 June 2025, facial recognition technologies face new legal thresholds aimed at curbing misuse, reinforcing individual privacy rights, and mitigating biometric risk—particularly concerning minors. Businesses must now justify use cases, adhere to disclosure mandates, and implement end-to-end security and governance frameworks. The rules present both operational friction and strategic consequences for onboarding flows across sectors.

Key Changes:

• Use Justification Required: Facial recognition must be demonstrably necessary and not used exclusively where viable alternatives exist.
• Mandatory Disclosures: Public-facing notices must detail data collectors, usage purposes, retention periods, and user rights.
• Large-Scale Data Registration: Entities storing over 100,000 facial records must register with provincial CAC and submit operational documentation.
• Minors' Data Protection: Biometric data collection for users under 14 requires verified parental consent and enhanced safeguards.
• No Coercive Practices: Users must not be compelled or misled into facial recognition when other verification methods are available.
• Strict Data Handling Rules: Encryption, local data storage, limited retention, and recurring audits are now compulsory.

Impact on Merchant Enablement: The regulation directly reshapes how merchants, platforms, and PSPs operating in China implement facial recognition features during onboarding. From biometric login to in-store personalisation and fraud prevention, every touchpoint must now align with CAC’s security and consent protocols. Vendors introducing biometric capabilities face elevated scrutiny, and onboarding flows must be re-engineered to comply with sector-specific and user-type (e.g., minors) constraints.

Action Required:

• Vendor Assessment: Immediately audit facial recognition providers for compliance with CAC’s new registration, consent, and security mandates.
• Onboarding Flow Updates: Embed biometric compliance checks into KYC, risk scoring, and platform access control processes.
• Data Governance Integration: Localise data workflows to meet China's encryption, storage, and disclosure requirements.
• Youth-Facing Product Review: Apply enhanced due diligence to merchants interacting with minors or operating in sensitive sectors.

Source: China Briefing (March 2025) / CAC Regulatory Bulletin

‍

India

Initiative Name: RBI’s PRAVAAH Portal for Regulatory Applications

Effective Date: 1 May 2025

Issued By: Reserve Bank of India (RBI)

Summary: From 1 May 2025, the Reserve Bank of India (RBI) mandates all regulated entities to submit applications for licences, authorisations, and approvals via the PRAVAAH platform. This centralised system will streamline regulatory submissions, improve tracking, and enhance security across sectors like banking, payments, and credit information.

Key Changes:

• Mandatory Use of PRAVAAH: All regulatory applications must be submitted via PRAVAAH starting 1 May 2025.
• Centralised System: The platform will now manage nearly all regulatory requests, improving transparency.
• Accessible Features: User manuals, FAQs, and video guides will be available for easy navigation.

Impact on Merchant Onboarding: Merchants in India’s financial and payment sectors must adapt to PRAVAAH to ensure smooth regulatory approval processes. The move will speed up approvals but requires financial institutions to align their systems with the new platform to avoid delays.

Action Required:

• System Update: Ensure all regulatory applications are submitted via PRAVAAH by 1 May 2025.
• Compliance Adjustment: Align merchant-facing services with PRAVAAH’s submission guidelines.
• Training and Support: Train teams on using the PRAVAAH platform effectively.

Source: RBI Notification

‍

Australia

Initiative Name: AFCA Support for 2025 BNPL Reforms

Effective Date: 10 June 2025

Issued By: Australian Financial Complaints Authority (AFCA)

Summary: From 10 June 2025, Buy Now Pay Later (BNPL) products will be formally regulated under Australia’s National Credit Act. Providers must hold an Australian Credit Licence and register with AFCA, granting consumers access to independent dispute resolution and enforcing responsible lending standards. This aligns BNPL operators with traditional credit providers and marks a structural shift in digital credit oversight.

Key Changes:

• AFCA Membership Required: BNPL providers must join AFCA by 26 May 2025 to remain compliant.
• Mandatory Dispute Resolution: Consumers gain formal recourse via AFCA if direct resolution fails.
• Responsible Lending Obligations: New conduct standards introduced, mirroring those in regulated credit.
• Regulatory Licensing: An Australian Credit Licence becomes compulsory for BNPL providers.

Impact of Changes: The reforms redraw the regulatory map for BNPL firms, raising the bar for entry and ongoing operations. All providers must be licenced and onboarded into the AFCA regime, introducing operational hurdles and potential onboarding delays. Financial institutions, marketplaces, and PSPs must review compliance protocols to ensure partner alignment ahead of the June deadline.

Action Required:

• Vendor Review: Assess BNPL and credit partners for compliance with new AFCA and licensing rules.
• Merchant Enablement Adjustments: Update onboarding workflows to reflect dispute resolution and licensing requirements.
• Compliance Coordination: Align legal and compliance reviews with the revised credit framework.
• Deadline Planning: Anticipate disruptions post-26 May 2025 for non-compliant BNPL enablement.

Source: AFCA Newsroom