Payment regulations and standards are important for several reasons.

For one, they ensure that payment systems are secure and protect against fraud, data breaches, and other types of cybercrime. By adhering to their rules and guidelines, financial institutions and payment processors can minimise the risk of security breaches and protect customer data.

From the consumer perspective, regulations and standards also help to provide dispute resolution mechanisms and ensure transparency by having providers disclose their fees and charges. This helps to prevent abuse or other forms of fraud and ensures that consumers are treated fairly.

Regulations and standards can also help to make payment systems more efficient by promoting interoperability and standardisation – even on an international level – making it easier for different payment systems to work together.

This is important because payment systems are increasingly global, and cross-border transactions require standardised processes to ensure they are efficient, secure, and compliant with local regulations.

At the end of the day, regulations and standards are essential for ensuring payment systems’ safety, security, and efficiency while protecting consumers and promoting innovation and international cooperation.

Payments regulations and standards vary worldwide, with different countries and regions having their own regulatory frameworks. Let’s walk through some of the most well-known regulations.

Payment Card Industry Data Security Standards (PCI DSS)

The Payment Card Industry Data Security Standards (PCI DSS) are a set of security standards established by the major credit card companies to protect sensitive information associated with credit and debit card transactions.

PCI DSS, which includes a set of 12 requirements that cover various aspects of data security, ensures that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

It applies to all organisations that process credit card transactions, regardless of their size or the number of transactions and non-compliance can result in significant fines and damage to an organisation’s reputation.

Compliance with PCI DSS requires ongoing effort and resources, but it is an essential component of maintaining the security of cardholder data and protecting against fraud and other types of cybercrime.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation introduced by the European Union in 2018. It is designed to give EU citizens more control over their personal data and applies to all companies that process the personal data of EU citizens, regardless of where the company is located.

This means that even companies outside the EU that process the personal data of EU citizens – defined as any information relating to an identified or identifiable natural person, such as a name, an ID number, location data, or an online identifier – must comply with the GDPR.

Under the regulation, individuals have the right to access their personal data, to have their personal data erased, and to data portability. It also requires companies to obtain clear and explicit consent from individuals before collecting their personal data and provide them with clear and transparent information about how their data will be processed.

Non-compliance with the GDPR can result in significant fines, with penalties of up to €20 million or 4% of a company’s global annual revenue.

Anti-Money Laundering (AML) regulations

Anti-Money Laundering (AML) regulations prevent criminals from disguising illegally obtained funds as legitimate income.

AML regulations are designed to detect and prevent money laundering by requiring financial institutions, including banks, money service businesses, and securities dealers, to implement certain policies, procedures, and controls.

These regulations require institutions to identify customers, monitor their transactions, and report suspicious activity to the relevant authorities.

The AML regulations are intended to prevent various criminal activities, including drug trafficking, terrorist financing, corruption, and fraud. By preventing money laundering, these regulations help to reduce the profits criminals can earn from their illegal activities and make it more difficult for them to fund further criminal activities.

In many countries, non-compliance with AML regulations can result in significant fines, criminal charges, and the loss of the institution’s license to operate. As a result, institutions subject to AML regulations must take these requirements seriously and ensure that they have robust compliance programs in place.

Know Your Customer (KYC) regulations

Know Your Customer (KYC) regulations require financial institutions to verify and identify their customers before conducting business with them and are designed to ensure that financial institutions are not used to facilitate criminal activities.

Under KYC regulations, financial institutions must collect and maintain accurate and up-to-date customer information, including name, address, date of birth, and government-issued identification. They must also perform due diligence on their customers to determine their risk level and identify potential red flags or suspicious activities.

KYC regulations are enforced by regulatory bodies such as central banks, financial intelligence units, and other government agencies, and non-compliance can result in significant fines and legal penalties for financial institutions.

Payment Services Directive 2 (PSD2)

The Payment Services Directive 2 (PSD2) is a set of regulations introduced by the European Union (EU) to increase competition, innovation, and security in the payments industry.

The legislation applies to all payment service providers operating within the EU, including banks, fintech companies, and other payment institutions.

It is designed to create a more competitive, innovative, and secure payments industry by promoting open banking and enabling new fintech companies to offer innovative payment services.

PSD2 also enhances consumer protection and strengthens the security of electronic payments by requiring strong customer authentication and refunding unauthorised transactions.

Cross-border payments regulations

Cross-border payment regulations refer to the laws and guidelines that govern the transfer of funds between countries.

These regulations promote transparency, security, and efficiency in cross-border payment transactions while preventing illicit activities such as money laundering and terrorist financing.

One of the key regulatory bodies in cross-border payments is the Financial Action Task Force (FATF), an intergovernmental organisation that sets global standards for anti-money laundering and counter-terrorism financing.

FATF works closely with national governments and financial institutions to develop and implement effective cross-border payment regulations.

Some other notable cross-border payment regulations include:

• Foreign Account Tax Compliance Act (FATCA): This US regulation requires foreign financial institutions to report financial information about their American account holders to the Internal Revenue Service (IRS) in an effort to combat tax evasion.
• Common Reporting Standard (CRS): This international standard developed by the Organisation for Economic Co-operation and Development (OECD) requires financial institutions to report financial information about their foreign account holders to their home country’s tax authority.
• Basel III: This international banking regulation aims to improve the resilience of banks and the stability of the global financial system by strengthening capital requirements, enhancing risk management practices, and improving liquidity management.

Consumer protection in payments

Consumer protection in payments refers to regulations and practices to protect consumers who make payments through various payment methods, to ensure that consumers have a safe and secure payment experience and to provide them with remedies in case something goes wrong.

Legislation in this category can be widespread, and the specifics vary greatly from jurisdiction to jurisdiction. Looking just at the USA, some notable examples of consumer protection regulations in payments include:

• The Electronic Fund Transfer Act (EFTA): This law outlines the rights and liabilities of consumers who use electronic payment methods, such as debit cards, ATMs, and electronic checks. Under the EFTA, consumers can dispute unauthorised transactions and errors in electronic funds transfers.
• The Fair Credit Billing Act (FCBA): This law protects consumers who use credit cards. Under the FCBA, consumers can dispute unauthorised charges, bill errors, and defective or misrepresented goods or services.
• The Consumer Financial Protection Bureau (CFPB): This federal agency enforces consumer protection laws related to financial products and services. The CFPB provides information and resources for consumers to help them make informed payment decisions.

Other regional legislation

United States: In the US, payments are regulated by several bodies, including the Federal Reserve and the Office of the Comptroller of the Currency. Some key regulations include the Electronic Funds Transfer Act and the Dodd-Frank Wall Street Reform and Consumer Protection Act.

United Kingdom: In the UK, the Financial Conduct Authority (FCA) is the primary regulator of payments and is responsible for implementing various regulations, including the Payment Services Regulations and the Interchange Fee Regulations.

China: The People’s Bank of China (PBOC) regulates payments in China and has implemented several regulations, including the Measures for the Administration of Online Payment Services and the Measures for the Administration of Payment Services Provided by Non-bank Payment Institutions.

Australia: In Australia, payments are regulated by the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC), among others.

Canada: In Canada, payments are regulated by the Office of the Superintendent of Financial Institutions (OSFI) and the Financial Consumer Agency of Canada (FCAC). Key regulations include the Payment Card Networks Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

Compliance with payment regulations and standards requires firms to first have a solid understanding of the laws and regulations that apply to their operations.

This requires regular monitoring of regulatory developments, as well as ongoing training and education to stay up to date on compliance requirements.

Firms must then invest the time to establish and implement policies and procedures to ensure compliance with these relevant laws and regulations. This may involve developing internal controls, conducting risk assessments, and establishing reporting mechanisms to ensure that potential compliance issues are identified and addressed in a timely manner.

It’s important to remember that a policy that only exists in a dusty binder on the top shelf in the back corner of an off-site storage unit, behind a precariously stacked pile of customer records from the 80s, doesn’t do anyone any good!

Compliance with these regulations and standards requires ongoing monitoring and testing to ensure that any issues are identified. If a compliance issue is identified, firms must take appropriate action and report the issue to the relevant authorities as required by law.

Failure to comply with payment regulations and standards can result in significant financial penalties, legal liability, reputational damage, and loss of business.

Therefore, it is essential that industry participants take compliance seriously and make it a priority in their operations.