Amanda Khatri
Editorial Manager
5 ways to manage regulations in the payments industry
Advances in financial technology and new criminal methodologies impact the payments industry constantly. As governments around the world introduce regulations to keep pace with an evolving risk landscape, payment companies need to be able to adapt to meet their compliance obligations without negatively affecting the quality of their products and services.
In addition to existing legislation, such as Payment Services Directive 2 (PSD2), there’s no shortage of payment regulations on the global horizon. In the UK, for example, the government is reviewing its Payment Services Regulations (PSR), with a view to modernising the country’s payments system in the wake of Brexit.
Similarly, in late 2022, the US government released a report into The Future of Money and Payments, setting out a range of regulatory options for instant payment systems and blockchain-based stablecoins, and for the potential introduction of a Central Bank Digital Currency (CBDC). The EU is also welcoming digital payment systems through regulations such as the Markets in Crypto Assets Regulation (MiCA) and the Transfer of Funds Regulation, which will come into effect in 2024 and 2025 respectively, and will impose new reporting and record-keeping rules on transactions involving cryptocurrency.
Incoming payments regulations will increase the administrative burden on companies in a variety of ways, and force them to find new ways to maintain the efficiency of compliance processes – at the risk of fines and reputational damage. While regulatory change management in the payments industry can be challenging, the process doesn’t have to be painful, and there are ways to make life easier for compliance, legal, and risk teams, regardless of an organisation’s size or resources.
Let’s take a look at 5 ways to help manage regulations in the payments industry.
1. Map regulatory obligations
It may seem an intuitive first step, but a payments service provider won’t be able to effectively manage regulatory change unless it understands which payments regulations are relevant, and what compliance requirements they entail. The first step in that process should be to review and map regulatory obligations and identify potential gaps or weak spots. While details vary by jurisdiction, key global payment services regulations include:
- PSD2: In effect since 2018, the second Payment Services Directive is an EU framework that enables third parties to retrieve certain information in customers’ bank accounts in order to facilitate payments. PSD2 involves robust consumer protections and security measures, including Strong Customer Authentication (SCA).
- SCA: The Strong Customer Authentication regulation is a facet of PSD2 which imposes two-factor authentication and the 3D Secure Protocol (3DS) on payments in order to verify customer identities and reduce fraud.
- Financial crime: Payment service providers must comply with the relevant jurisdictional regulations in order to address criminal threats such as money laundering, terrorism financing and fraud. Key anti-money laundering (AML) and counter-financing of terrorism (CFT) regulations include:
  - The EU’s Anti-Money Laundering Directives (AMLD). All EU member states must implement the latest AMLD as part of domestic legislation. The Sixth Anti-Money Laundering Directive (6AMLD) came into effect on 3 June 2021.
  - The UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
  - The US Bank Secrecy Act.
- Suspicious activity reports: Companies must file reports with the relevant authorities when they detect suspicious activity in customer transactions. Reporting procedures vary by jurisdiction: in the EU and UK, for example, companies file Suspicious Transaction and Order Reports (STOR), while the US uses the term Suspicious Activity Report (SAR).
- Data privacy: Payment service providers must typically comply with regional data privacy laws. The General Data Protection Regulation (GDPR) is the primary data privacy law in the EU (and the UK), setting out strict rules for the storage and use of private data. While the US has no federal equivalent to the GDPR, there are comparable state regulations such as the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Privacy Act (VCDPA), and the Colorado Privacy Act (CPA).
In addition to identifying relevant payment regulations, companies must also consider how they are going to integrate compliance with workflows, considering business objectives, risk appetite, ethics policy, and logistical requirements such as record-keeping and storage.
After mapping contemporary compliance obligations, companies should also work towards an understanding of how the regulatory landscape will change in the future. In practice, this means performing adequate horizon scanning with a focus on upcoming regulations, current and announced government consultations, new sanctions designations, advances in technology, and emerging criminal methodologies.
2. Communicate with regulatory bodies
One of the best ways to understand payments industry regulations (and subsequently implement compliance measures effectively) is to go straight to the source, by communicating directly with regulatory bodies and authorities. It is critical that payment service providers establish the correct way to interact with the relevant regulators – both to obtain information and to submit mandated reports (such as STOR).
Examples of key financial regulators across Europe include:
- UK: The Financial Conduct Authority (FCA)
- France: The Autorité des Marchés Financiers (AMF)
- Germany: The Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin)
- Switzerland: The Eidgenössische Finanzmarktaufsicht (FINMA)
- EU: The European Banking Authority (EBA)
- US: The Financial Crimes Enforcement Network (FinCEN)
Communication with regulators is not just about reporting suspicious activity. By opening communication channels, companies can obtain technical advice, training resources and literature, updates on incoming regulations, and best practice guidance. Similarly, companies that interact regularly with regulators demonstrate their responsibility and dedication to meeting compliance standards, learn how to address problems more efficiently and help regulators understand the unique challenges that they face.
3. Take a risk-based and proactive approach
Many payment regulations (typically relating to AML, CFT, and fraud) require companies to take a risk-based approach to compliance, assessing the risk that individual customers or clients present, and then adjusting their response to meet the perceived threat. The risk-based approach is recommended by the international AML/CFT standard-setting organisation, the Financial Action Task Force (FATF), and is a way to balance regulatory obligations with budgetary limitations and efficiency needs.
Risk-based compliance essentially means that companies should apply more robust compliance measures to higher-risk customers while applying simplified measures to lower-risk customers – thus protecting the customer experience of products and services as much as possible.
Risk assessment is critical to the risk-based approach and is predicated on the Know Your Customer (KYC) process. Effective KYC requires companies to understand customer risk as much as possible by collecting and verifying identities, and monitoring customers’ payment activity. In practice, this means implementing a variety of controls, including:
- Customer due diligence: Collecting and verifying identifying data such as names, addresses, dates of birth, and corporate information.
- Transaction monitoring: Monitoring customer transactions for signs of suspicious activity, such as payments to high-risk individuals or jurisdictions.
- Screening: Screening customers for red flag risk indicators, such as designation on international sanctions lists and other types of watchlists. Companies should also screen for adverse media reports that involve customers as a way to establish risk before it is confirmed by official channels.
Risk-based compliance shouldn’t be a case of going through the motions. Customer risk levels change constantly and so companies must perform KYC at onboarding and then proactively throughout the business relationship. The more a company knows about its customers, the more accurately it will be able to apply compliance measures and meet regulatory expectations.
4. Educate employees
Regulatory change management is a lot easier with skilled employees managing the process. With this in mind, payment service providers should ensure that their employees understand their regulatory environment, and have the knowledge and expertise to handle challenges and unexpected events.
In practice, this means implementing a training and education schedule for employees, keeping them up to date with the latest regulatory changes affecting the payments industry and ensuring they are comfortable implementing those changes as part of the company’s compliance solution. That process might involve identifying new risks, expanding regulatory knowledge and access to resources, or integrating and using new technology tools.
It is worth thinking about how technology can help facilitate employee education: establish a shared document or repository that acts as a single source of truth, and consider developing a knowledge management system to put critical data at employees’ fingertips and help new employees get up to speed quickly.
5. Integrate RegTech
The volume and complexity of payment industry regulations are making it increasingly difficult to achieve payments industry compliance using manual processes, which are typically time-consuming and prone to human error. By leaning into technology, and in particular RegTech, companies can make regulatory change and compliance easier: automation brings speed, efficiency, and accuracy, and reduces the potential for costly compliance penalties.
RegTech may be deployed for a range of functions and compliance challenges, including automatically mapping relevant regulatory requirements to internal policies and procedures, and ensuring that internal stakeholders are alerted to changes in near real time.
By integrating RegTech, companies also create value-adding opportunities to take advantage of industry innovations, especially in artificial intelligence (AI) and machine learning (ML), both of which can create efficiencies for conventional payment processes, protect customer experiences, and help companies better adapt to regulatory changes and emerging criminal methodologies.
RegTech for a changing payments landscape
The pace of regulatory change is fast and unrelenting, and it is vital that companies develop and implement a strategy to help them deal with the challenges this creates. CUBE’s RegTech platform was created with that goal in mind, with flexible regulatory change solutions powered by AI, and tailored to individual business profiles and compliance frameworks.
Our trusted, configurable compliance tools help organisations around the world manage their regulatory change journeys from end to end, integrating powerful regulatory assurance and horizon scanning, protecting customers, and making stronger business decisions.
To learn more about CUBE’s regulatory technology platform, get in touch today.