Navigating regulatory challenges in fintech
Thanks to inward investment, the UK’s fintech sector has experienced rapid and dynamic growth in the last decade. In terms of size, this expansion is second only to that seen by the US. And with expansion comes increased input from regulators.
The result: a bureaucratic game of tug-of-war, attempting to find the balance between innovation and consumer protection.
Adding the duty of keeping on top of regulatory requirements — to an already full fintech plate — can be overwhelming.
To ease the burden, we’ve laid out the most recent regulation changes, and what you need to know about them.
New rules around APP fraud
What’s going on?
Authorised Push Payment (APP) fraud is when scammers trick individuals into willingly transferring money under false pretences.
Each year around 200,000 people fall victim to APP fraud, at a cost of approximately £459.7 million.
What do you need to know?
Starting in October 2024, new rules from the Payment Systems Regulator (PSR) take effect. All payment service providers using Faster Payments will be required to reimburse victims, up to a limit of £85,000.
If you want to deep dive into this topic, take a look at our in-depth article, APP fraud and its insurability.
PSD3 is on the horizon
What’s going on?
The upcoming Payment Services Directive 3 (PSD3) is set to reshape the financial landscape, impacting British fintech firms that operate within or provide services to EU markets. Building on the foundations of PSD2, the new directive aims to boost consumer protection, tighten security and standardise open banking practices across Europe.
While the UK is no longer part of the EU, UK-based fintechs will still need to comply with PSD3 if they want to stay competitive and continue expanding into European markets.
For British fintech firms, PSD3 will introduce tougher security measures, such as stricter customer authentication and more advanced fraud detection systems.
The directive also pushes for standardisation of APIs across the EU, meaning that firms will need to adjust their systems to meet these harmonised requirements, ensuring both compliance and interoperability.
Despite these challenges, PSD3 brings opportunities too. With a stronger focus on broader data access, fintechs can seize the chance to innovate, offering new services that better meet consumer needs.
Aligning with PSD3 won’t just ensure compliance; it could enhance competitiveness and trust within the evolving digital financial landscape.
What do you need to know?
With PSD3 still in the final stages of approval, the finished directive is expected to be released by late 2024 or early 2025. After that, EU member states will have an 18-month grace period to implement the changes, meaning the new rules are likely to take effect in 2026.
One of the key measures targets rising levels of fraud, including a new requirement to ensure that IBANs match the account holder’s name for all credit transfers.
Fintech firms that delay preparations risk heavy penalties — including fines for their European subsidiaries, potential legal issues and a loss of competitive edge to more agile competitors.
Waiting until the last minute could also lead to higher costs, as businesses scramble to upgrade their systems. The smart approach? Start preparing now to stay ahead of the game and avoid any last-minute surprises.
A tighter grip on digital assets
What’s going on?
Rules around digital assets remain a critical area of focus for UK regulators.
Since October 2023, the FCA has required crypto ATMs and other digital asset businesses to register and comply with Money Laundering Regulations, in a bid to curb illegal activities and enhance consumer protection.
In January this year, the FCA and the Bank of England (BoE) also introduced the Digital Securities Sandbox (DSS) under the Financial Services and Markets Act 2023. This was seen as an innovative measure, allowing safe testing of new financial market infrastructures involving digital securities.
Participants in the DSS can use new technologies, like distributed ledger technology, to issue, trade and settle securities, such as shares and bonds. This will happen under special rules for five years, until a permanent system is established.
What do you need to know?
As the digital asset market changes, fintech firms need to keep up with new regulations to stay compliant and protect their businesses.
Whether you run a digital assets firm or connect with those that do, ensuring your dependent businesses are compliant is not only good practice, it’s essential to ensure your insurance policies remain valid.
As a digital insurance broker, we have expertise across a wide range of topics, as well as a huge network of third-party providers should you need advice in this field. Get in touch with our team today to learn more.
Crypto clarity
What’s going on?
The Markets in Crypto-Assets (MiCA) regulation is the European Union’s bold step toward regulating the evolving world of cryptocurrency. Currently, crypto regulations vary significantly across EU member states, leading to confusion and inconsistency for businesses wanting to operate within the region.
MiCA is set to change this by introducing a unified regulatory framework for the entire EU, streamlining compliance for businesses and increasing confidence for consumers. Covering a wide range of crypto assets — including tokens, exchanges, wallet providers and other service platforms — MiCA aims to bring clarity and consistency.
With a strong focus on consumer protection, MiCA seeks to reduce fraud risk, enhance financial stability and create a safe yet dynamic environment for innovation in the crypto space.
What do you need to know?
For fintech and crypto businesses looking to operate in Europe, MiCA introduces significant changes. From stricter transparency requirements for token launches to an increased emphasis on consumer protection, businesses must now prioritise compliance.
Stablecoin issuers, in particular, will need to ensure they maintain sufficient financial reserves to back their assets. In addition, there will be enhanced obligations around anti-money laundering (AML) practices, raising the compliance bar for all crypto-asset service providers.
The longer-term view is that, once compliant, companies can operate across the entire EU under a single set of regulations, removing the need to navigate differing national laws. This makes it easier to expand and grow in the European market with greater confidence.
MiCA was officially adopted in June 2023, with phased implementation to follow. Companies offering crypto services will need to be fully compliant by December 2024 for most aspects of the regulation. Those dealing with stablecoins must already meet the new standards, as the deadline was June 2024.
The clock is ticking — now is the time to prepare your business for this landmark regulatory shift.
Rigour around operational resilience
What’s going on?
Operational resilience parameters have become a significant focus for UK regulators, with fintech firms being routinely tasked with their compliance.
Since the operational resilience regime was introduced in March 2022, firms have been required to demonstrate their ability to remain within certain thresholds for critical business services. The requirements include rigorous testing and mapping exercises.
What do you need to know?
Ensuring operational resilience not only helps firms comply with regulatory requirements but also helps protect against potential disruptions that could impact business continuity.
There are two key takeaways regarding operational resilience that you need to know:
- By 31 March 2025, all relevant firms must be able to operate within impact tolerances: the maximum level of disruption that can be withstood before major harm to service.
- Beyond this date, the FCA, the BoE and the Prudential Regulation Authority (PRA) will continue to enhance operational resilience standards, including the oversight of critical third parties.
Following FCA measures to enhance cyber security requirements, firms need to use advanced encryption techniques to store customer data and ensure customers can still access essential financial services in the event of a cyber attack.
Managing AI and data risks
What’s going on?
The continual development of artificial intelligence (AI) is keeping UK regulators on their toes. In line with the European Union’s AI Act 2004, the FCA actively develops frameworks to address the use of AI and machine learning in financial services.
The FCA, PRA, and BoE are engaging with industry stakeholders to create guidelines for the safe deployment of these technologies and to address potential risks, such as bias, ensuring there are no unfair outcomes from the use of AI.
What do you need to know?
The UK remains a leader in open banking, enhancing data privacy and security standards to protect consumers' financial information. With the continuing digitisation of finance, robust cybersecurity measures remain as crucial as ever.
The tech industry is still reeling from the CrowdStrike outage, even though it was not a malicious event. While it serves as a stark reminder of how quickly things can go wrong, it has refocused industry attention; many now seek to include cyber coverage as part of a comprehensive risk management strategy.
To keep in line with cyber security best practices, fintech firms should consider adopting advanced identity verification and fraud detection technologies. Simple measures include setting up Multi-Factor Authentication (MFA) and enhanced checks.
Fintech regulations: some final thoughts
It’s a vast and fast-changing landscape out there, so critical strategies for fintech firms should include:
- Implementing comprehensive governance frameworks
- Engaging proactively with regulators
- Leveraging advanced compliance technologies
The right broker and the right insurance
As fintech firms continue to push boundaries, they face an increasingly complex regulatory landscape.
Fintechs should consider partnering with knowledgeable insurance brokers as an additional step to secure a variety of financial lines cover.
Robust insurance coverage for fintechs might include any number of policies, from professional indemnity to cyber liability and directors’ and officers’ (D&O) insurance.
Covers like these are designed to support fintech companies in the face of potential financial losses and legal liabilities, ensuring their resilience in an ever-changing regulatory environment.
Understanding these regulatory developments and implementing much-needed risk management strategies — including tailored fintech insurance coverage — is crucial for sustainable growth.
This content has been created for general information purposes and should not be taken as formal advice. Read our full disclaimer.