Payments regulation: PSR priorities and FPS access obligations
The Payment Systems Regulator (PSR) has had a demanding 2024, implementing mandatory reimbursement for authorised push payment (APP) fraud and continuing its programme of work on access to the UK's payment infrastructure. The PSR's concurrent competition powers and its sector-specific regulatory tools give it a broad toolkit that it has shown willingness to use, and firms operating in or accessing the UK payment systems should be closely engaged with its work programme. The PSR's strategic priorities for 2024/25 — protecting consumers from fraud, enabling competition and innovation, and ensuring that payment systems are resilient and reliable — reflect a regulator that is prepared to intervene firmly where it identifies harm.
The APP fraud mandatory reimbursement regime, which took effect on 7 October 2024 under the Payment System Regulations 2017 (as amended), requires sending and receiving payment service providers to reimburse confirmed victims of APP fraud up to a maximum of £85,000 per claim. Firms must have claims handling processes in place that meet the Reimbursement Requirements set by the PSR, must assess each claim against the standard of 'gross negligence' (the only ground for refusing a claim that is otherwise confirmed as APP fraud), and must maintain data on claims received, assessed, and paid. The 50/50 split between sending and receiving PSPs is the default allocation of reimbursement cost, but this can be varied by bilateral agreement or by reference to the receiving PSP's fraud controls.
Faster Payments System (FPS) access has been a PSR priority for several years, driven by the perception that indirect access arrangements are costly and create barriers for smaller payment firms. The PSR's FPS Access Review has resulted in commitments from Pay.UK and the direct participants to improve access arrangements, and the PSR has published guidance on what reasonable access terms look like for indirect participants. Payment firms that are experiencing difficulty with access, facing unreasonable pricing or conditions, or being denied access without adequate explanation should consider whether a PSR complaint or market review referral is appropriate.
The FCA's complementary work on payments firms covers authorisation, conduct obligations, and prudential requirements for payment institutions (PIs) and e-money institutions (EMIs). The FCA's 2023 Dear CEO letter to payments firms highlighted financial crime controls as the primary area of supervisory concern, noting that a significant proportion of supervised firms had inadequate transaction monitoring, customer risk assessment, and SAR filing processes. The FCA indicated that it would take action — including cancellation of authorisations — against firms that failed to demonstrate adequate financial crime controls. Payments firms should treat this as an ongoing supervisory priority and conduct regular self-assessments of their financial crime frameworks.
Open banking and variable recurring payments
The transition from open banking to open finance — and specifically the implementation of variable recurring payments (VRPs) beyond the current sweeping use case — remains a work in progress. The Joint Regulatory Oversight Committee (JROC) roadmap published in 2023 set out a phased approach, and the PSR and FCA have both indicated that this remains a priority. Payment firms should monitor JROC developments and consider how the expansion of VRPs could affect their business models and technical infrastructure.