Payment service providers: what UK AML compliance actually requires
The UK’s Payment Services Regulations 2017 (PSRs 2017) define the legal and operational perimeter for firms providing payment services in the UK. They establish which payment service providers can operate as a Payment Institution (PI) or Electronic Money Institution (EMI), what authorisation they require, what conduct standards apply, and how customer funds must be safeguarded.
They are, however, only one side of the regulatory ledger that a UK payment service provider must operate against. The other side, and the side where enforcement risk concentrates, is the anti-money laundering and counter-terrorist financing (AML/CTF) regime that sits on top of payments authorisation. That regime is governed by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLRs 2017), enforced by the FCA, and shaped by guidance from the Joint Money Laundering Steering Group (JMLSG).
This article is for compliance teams operating inside UK payment service providers, EMIs, and payments-adjacent fintechs. It covers what the PSRs 2017 actually require, where they intersect with the MLRs 2017, what the FCA is currently enforcing against, and what payments firms typically get wrong as they scale through authorisation and into volume.
Table of Contents
- What is a Payment Service Provider?
- APP Fraud Reimbursement: What Payment Service Providers Must Do Now
- Cryptoasset Payment Service Providers: Additional UK requirements
- What the Payment Services Regulations 2017 actually do
- The AML obligations sitting on top of the PSRs
- FCA enforcement in the payments sector: what the recent record shows
- Where UK payments firms commonly get caught under AML supervision
- What good AML operations look like inside UK payment service providers
- How RelyComply supports payments firms operating under the PSRs and MLRs
- Frequently asked questions about the Payment Services Regulations and AML
- What are the Payment Services Regulations 2017?
- Are the PSRs the same as the MLRs?
- Who needs authorisation under the PSRs?
- What AML obligations apply to UK Payment Service Providers?
- What is Strong Customer Authentication (SCA)?
- What is safeguarding under the PSRs?
- How does the FCA enforce AML obligations against PSPs?
What is a Payment Service Provider?
A payment service provider is any firm authorised or registered to provide payment services in the UK under the Payment Services Regulations 2017. The definition is broader than many compliance teams assume.
The PSRs 2017 capture a wide range of firms within their regulatory perimeter: UK-authorised banks and building societies, electronic money institutions (EMIs), and non-bank payment service providers, including payment institutions (PIs), money remitters, and card acquirers. What these firms share is not a common business model but a common regulatory status: each is subject to FCA authorisation or registration, safeguarding obligations, and the conduct standards the PSRs impose.
Payment types covered under the PSRs
The PSR framework applies across the following PSP payment types:
- Credit transfers, including Faster Payments and CHAPS
- Direct debits
- Card payments, covering both issuing and acquiring
- Money remittance
- Payment initiation services and account information services, introduced under PSD2 and retained in UK law post-Brexit
A firm need only provide one of these services to fall within scope. The regulatory obligations attach to the activity, not the size of the firm or the complexity of its product.
Where online payment gateway service providers sit
Online payment gateway service providers occupy a specific position within the PSR framework. Most commercial payment gateway arrangements involve acquiring services, payment initiation, or settlement activity that brings them within scope. The FCA’s view is that economic substance, not technical labelling, determines regulatory perimeter. If the gateway is involved in executing or initiating the transaction, PSR obligations follow.
Security obligations are regulatory requirements, not optional features
The security obligations embedded in the PSRs are not discretionary. Secure payment platforms and secure online payment solutions are baseline regulatory requirements, not differentiating product features. Strong Customer Authentication (SCA), operational resilience requirements, and the obligation to report major incidents to the FCA are all mandated under the PSRs.
The question regulators now ask is not whether a payment service provider has a security framework, but whether that framework operates as required at the firm’s current transaction volume and customer scale.
APP Fraud Reimbursement: What Payment Service Providers Must Do Now
The mandatory reimbursement regime for authorised push payment (APP) fraud came into force on 7 October 2024 under rules set by the Payment Systems Regulator (PSR). For payment service providers operating on Faster Payments, it represents one of the most operationally significant compliance obligations introduced in the UK payments sector in recent years.
The 50/50 cost split
Under the regime, reimbursement costs are split equally between the sending payment service provider and the receiving PSP. Where a customer is successfully defrauded into authorising a payment to a fraudster-controlled account, both firms bear responsibility regardless of where the control failure occurred. The default reimbursement limit is £85,000 per claim.
This bilateral liability structure has direct implications for how payment service providers assess both outbound transaction risk and the quality of their inbound account controls. A receiving firm that allows its accounts to be used as fraud mule endpoints is exposed to reimbursement liability, not just regulatory censure.
The four-day pause provision
The Payment Services (Amendment) Regulations 2024 introduced a specific provision allowing payment service providers to delay a suspicious outbound transfer for up to four business days. This applies where the firm has reasonable grounds to suspect the payment is linked to APP fraud and needs additional time to investigate or contact the customer.
The four-day window is not a discretionary buffer. It is a defined regulatory mechanism with its own conditions and documentation requirements. Firms that use it without adequate grounds, or fail to use it when grounds exist, carry compliance exposure in both directions.
Burden of proof: what payment service providers must demonstrate to avoid reimbursement
Reimbursement is the default outcome. To avoid it, a payment service provider must demonstrate one of the following:
- The customer acted fraudulently
- The customer was grossly negligent, meaning they ignored a specific, clearly communicated warning from the firm about the risk of the payment
- The customer failed to report the fraud promptly without a good reason
The gross negligence bar is high. Generic terms and conditions or standard fraud warnings are unlikely to satisfy it. The FCA and PSR both expect warnings to be targeted, transaction-specific, and evidenced.
Why manual review cannot keep pace
The four-day window and the burden of proof requirements together create an operational problem that manual review processes cannot solve at scale. A payments firm processing thousands of transactions daily cannot conduct meaningful fraud investigations within a four-business-day window using analyst-led triage. The evidential requirements for the gross negligence defence compound this: firms need documented, timestamped records of customer-facing warnings at the point of transaction, not retrospective case notes.

The APP reimbursement regime does not create new fraud typologies. It creates direct financial liability for the operational gaps that already exist. Payment service providers that have not assessed their detection and review capacity against this regime are carrying unquantified balance sheet exposure.
Cryptoasset Payment Service Providers: Additional UK requirements
A cryptoasset firm operating as a payment service provider in the UK does not face a choice between the crypto regulatory framework and the payments regulatory framework. It faces both, in full, simultaneously. Every PSR obligation, every MLR obligation, and every FCA supervisory expectation that applies to a traditional payment service provider applies equally to a cryptoasset payment service provider. The additional requirements described below sit on top of that baseline, not in place of it.
FCA registration under the MLRs 2017
Any firm providing cryptoasset services by way of business in the UK must register with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 before commencing those activities. This includes cryptoasset exchange providers and custodian wallet providers. Registration subjects firms to the full AML and CTF framework: customer due diligence, ongoing monitoring, suspicious activity reporting, and sanctions screening.
Registration under the MLRs is not a lighter-touch alternative to FCA authorisation. The FCA assesses applications against substantive AML competency standards and has a sustained record of refusing or withdrawing registrations where controls are inadequate.
Firms should also be aware that the MLR registration gateway is a transitional position. Under the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2025, a full FSMA authorisation regime for cryptoasset activities is expected to go live in October 2027, with the application window opening in September 2026. MLR-registered firms will need to apply for FSMA authorisation separately. There is no automatic conversion.
The Travel Rule for cryptoasset transfers
The Travel Rule came into force in the UK on 1 September 2023, introduced through the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 as Part 7A of the MLRs 2017. It requires cryptoasset businesses to collect, verify, and transmit identifying information about the originator and beneficiary of cryptoasset transfers, in the same way that payer and payee information must accompany traditional wire transfers under the Funds Transfer Regulation.
The connection to the wire transfer rules covered elsewhere in this article is direct: the Travel Rule is the cryptoasset implementation of FATF Recommendation 16, which underpins the wire transfer requirements that apply across the payments sector. The data obligations are structurally the same. The compliance challenge is operationally distinct because cryptoasset transfers can involve unhosted wallets, counterparty firms in jurisdictions that have not yet implemented the Travel Rule, and pseudonymous addresses that require additional verification steps.
The FCA’s expectation is that firms take all reasonable steps to comply, conduct due diligence on counterparty firms, and document their risk-based approach where full compliance is not yet achievable due to counterparty jurisdiction gaps.
The financial promotions regime
From 8 October 2023, the FCA’s financial promotions regime was extended to cover qualifying cryptoassets. Any invitation or inducement to engage with a cryptoasset product directed at UK consumers must now be fair, clear, and not misleading, carry prominent risk warnings, and comply with the rules set out in the FCA Handbook under COBS 4 and related provisions.
For cryptoasset payment service providers, the practical exposure here is broader than it may initially appear. The FCA has specifically warned that MLR-registered firms providing fiat-to-crypto or crypto-to-fiat payment services embedded in third-party platforms may be facilitating illegal financial promotions by unregistered firms. A payment service provider that offers on and off-ramp services through a partner’s application or website carries financial promotions compliance responsibility for what that integration enables. That responsibility does not stop at the firm’s own direct communications.
A cryptoasset payment service provider that has addressed its MLR registration, Travel Rule implementation, and financial promotions compliance has covered the current regulatory floor. That floor is rising. The FSMA authorisation regime expected in late 2027 will bring a materially more demanding set of conduct, prudential, and systems and controls requirements. Firms that treat current compliance as the end state are not prepared for what follows.
What the Payment Services Regulations 2017 actually do
The PSRs 2017 transposed the EU’s Second Payment Services Directive (PSD2) into UK law, and remain in force as retained UK legislation post-Brexit. Their scope is structural rather than conduct-led: they define who is in the regulatory perimeter, what activities count as payment services, and what authorisation and safeguarding obligations apply.
Who the PSRs cover
The PSRs apply to firms providing any of the following payment services in or from the UK:
- Cash deposit and withdrawal services on a payment account
- Execution of payment transactions, including credit transfers, direct debits, and card payments
- Issuing payment instruments or acquiring payment transactions
- Money remittance
- Payment initiation services and account information services (the so-called ‘open banking’ services introduced by PSD2)
Firms providing these services in the UK must either be authorised by the FCA as a Payment Institution or Electronic Money Institution, registered as a Small Payment Institution (SPI) or Small Electronic Money Institution (SEMI), or operate as a credit institution already authorised under the Financial Services and Markets Act. The FCA maintains the public register of authorised payment firms.
What the PSRs require operationally
Beyond authorisation, the PSRs impose specific operational obligations that have downstream AML implications:
- Safeguarding of customer funds. Customer funds must be segregated and held in safeguarding accounts. Operational failures in safeguarding are a frequent cause of FCA intervention, and safeguarding controls are now examined in parallel with AML controls.
- Strong Customer Authentication (SCA). PSRs require two-factor authentication for electronic payments, with limited exemptions. Failures in SCA implementation can mask fraud and money laundering typologies that AML systems should detect.
- Conduct standards and complaint handling. These include the requirement to refund unauthorised transactions, which has knock-on implications for first-party fraud monitoring.
- Information on the payer. The Funds Transfer Regulation requirements (payer and payee information accompanying transfers) sit inside the MLRs 2017 but are operationally inseparable from the payment rails the PSRs govern.
The PSRs and MLRs are often treated as separate regulatory tracks inside payments firms. They are not. PSR-level controls (SCA, safeguarding, transaction execution) are inputs into the AML risk model. A firm with strong PSR controls and weak AML controls is exposed; the reverse is also true.
The AML obligations sitting on top of the PSRs
Every authorised PSP, PI, and EMI in the UK is a relevant person under the MLRs 2017, regardless of the size of its book or the simplicity of its product. The full MLR regime applies. In practice, the AML obligations that consume the most operational attention inside payments firms are the following.
1. Firm-wide risk assessment (Regulation 18)
Every payment service provider must produce and maintain a written, board-approved AML risk assessment that addresses the firm’s customers, products and services, transactions, delivery channels, and geographies. For payments firms, this assessment is unusually dynamic; customer mix and transaction patterns can shift quarterly as new corridors, products, or partner integrations launch.
The risk assessment is the document the FCA asks for first in any supervisory engagement. Its quality is interpreted as a proxy for the maturity of the entire AML programme.
2. Customer Due Diligence (Regulations 27–37)
Payment service providers must perform CDD before establishing a business relationship or carrying out occasional transactions above thresholds defined in the MLRs (£15,000 for most transactions, £1,000 for money remittance, and £250 for prepaid e-money under certain conditions).
Where payments firms typically struggle: occasional transactions that aggregate to exceed thresholds, customer profiles built from limited onboarding data that do not refresh as the relationship deepens, and CDD that was performed once and then never re-verified across multi-year relationships.
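The first of those failure modes, occasional transactions that individually sit under the threshold but aggregate above it, is a concrete check that a monitoring engine can run. The following is an added example written for this article, not code from RelyComply or from the regulations: it groups a customer's occasional transactions by product, sums them inside a rolling window, and reports the point at which CDD became due. The thresholds are the figures stated in this article; the product labels, field names and the 30-day linking window are assumptions for the example (the MLRs refer to transactions that "appear to be linked" without fixing a window), and the sample transactions are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Occasional-transaction thresholds as stated in the article (MLRs 2017),
# keyed by the product labels used in the constructed sample below.
THRESHOLDS = {
    "general": 15_000,
    "money_remittance": 1_000,
    "prepaid_emoney": 250,
}

# Window inside which separate occasional transactions are treated as linked.
# Assumed operational setting for this example, not a figure from the MLRs.
LINK_WINDOW = timedelta(days=30)

# Constructed sample: C1 splits a large transfer into three sub-threshold
# pieces; C2 stays under the remittance threshold once the window expires;
# C3 crosses the e-money threshold with a single load.
SAMPLE_TRANSACTIONS = [
    {"customer_id": "C1", "product": "general", "amount_gbp": 6_000, "ts": "2024-03-01T10:00:00"},
    {"customer_id": "C1", "product": "general", "amount_gbp": 6_000, "ts": "2024-03-06T10:00:00"},
    {"customer_id": "C1", "product": "general", "amount_gbp": 6_000, "ts": "2024-03-10T10:00:00"},
    {"customer_id": "C2", "product": "money_remittance", "amount_gbp": 400, "ts": "2024-03-01T09:00:00"},
    {"customer_id": "C2", "product": "money_remittance", "amount_gbp": 500, "ts": "2024-03-05T09:00:00"},
    {"customer_id": "C2", "product": "money_remittance", "amount_gbp": 150, "ts": "2024-04-10T09:00:00"},
    {"customer_id": "C3", "product": "prepaid_emoney", "amount_gbp": 300, "ts": "2024-03-02T12:00:00"},
]


def cdd_triggers(transactions):
    """Return {(customer_id, product): info} for every customer/product pair
    whose occasional transactions, aggregated within LINK_WINDOW, reach the
    product's threshold (treated here as inclusive). A single transaction at
    or above the threshold triggers on its own. Each transaction is a dict
    with customer_id, product, amount_gbp and an ISO-8601 ts."""
    by_key = defaultdict(list)
    for tx in transactions:
        by_key[(tx["customer_id"], tx["product"])].append(tx)

    triggers = {}
    for key, txs in by_key.items():
        txs.sort(key=lambda t: t["ts"])
        threshold = THRESHOLDS[key[1]]
        window = []  # transactions still inside LINK_WINDOW of the current one
        for tx in txs:
            now = datetime.fromisoformat(tx["ts"])
            window = [w for w in window
                      if now - datetime.fromisoformat(w["ts"]) <= LINK_WINDOW]
            window.append(tx)
            total = sum(w["amount_gbp"] for w in window)
            if total >= threshold:
                # Record the point at which CDD became due, with the evidence
                # (aggregate and count) an auditor would want to see.
                triggers[key] = {
                    "triggered_at": tx["ts"],
                    "aggregate_gbp": total,
                    "transaction_count": len(window),
                }
                break
    return triggers


if __name__ == "__main__":
    for key, info in cdd_triggers(SAMPLE_TRANSACTIONS).items():
        print(key, info)
```

Run against the sample, the check fires for C1 on the third transfer (three transactions aggregating to £18,000) and for C3 on a single £300 load, while C2 never triggers because its third remittance falls outside the window of the first two. The same loop is the place to hook a CDD refresh for an existing customer whose profile was built from limited onboarding data.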
3. Transaction monitoring and reporting (Regulations 28 and 86)
Payment service providers must monitor transactions throughout the business relationship to identify activity inconsistent with the customer’s known profile, and must report suspicious activity to the National Crime Agency via Suspicious Activity Reports (SARs).
Transaction monitoring is the area in which payments firms most frequently fall short under regulatory review. The reasons are structural: payments firms process more transactions per customer than any other regulated sector; the typologies are more varied (card-present, card-not-present, faster payments, international remittance, e-money loads, account-to-account); and the data needed to detect suspicious patterns is distributed across multiple systems (issuer, acquirer, scheme, internal ledger, partner platform).
4. Sanctions screening (under the Sanctions and Anti-Money Laundering Act 2018)
Distinct from but operationally integrated with AML, UK financial sanctions are administered by the Office of Financial Sanctions Implementation (OFSI). Payments firms must screen customers and transactions against the UK Sanctions List, freeze assets where matches are found, and report to OFSI. Since the introduction of the strict liability regime in 2022, OFSI penalties for sanctions failures have increased materially.
5. Record-keeping and audit trail (Regulation 40)
Records of CDD, transactions, internal investigations, and SAR filings must be retained for five years. For payments firms with high transaction volumes, the operational challenge is less about retention duration and more about the searchability and reconstructability of the record set under audit.
FCA enforcement in the payments sector: what the recent record shows
The FCA has signalled, repeatedly and unambiguously, that AML supervision of the payments sector is a strategic priority. The FCA’s portfolio letters to payments firms in 2023 and 2024 identified financial crime as a key area of concern, with specific reference to transaction monitoring, sanctions screening, and the operational scaling of AML controls.
The enforcement record reflects that priority:
- Starling Bank (£29 million, October 2024): The FCA found that Starling’s financial crime controls did not keep pace with its growth, and specifically that its automated screening systems did not check customers against the full sanctions list for several years. The case is instructive for payments firms scaling rapidly: controls that worked at one volume cease to function at the next, and the absence of periodic re-validation is itself a finding.
- ADM Investor Services International (£6.47 million, August 2023): Failings in AML controls for a payments-adjacent broker. Notable for the FCA’s emphasis that AML programme deficiencies persisted despite repeated internal awareness: a documented control weakness that goes unremediated becomes a multiplier on penalty.
- Al Rayan Bank (£4 million, January 2023): Inadequate AML controls, including source of funds verification. This was a CDD failure rather than a monitoring failure, but the underlying root cause is the same: policy without operational execution.
Across the payments sector specifically, the pattern in FCA findings is consistent. The issues cited are not novel typologies. They are well-known control areas (sanctions screening, transaction monitoring scenarios, source of funds verification, EDD execution) that the firm’s own policies described correctly but its operations did not deliver.
FCA expectations for payments firms have shifted from ‘do you have these controls?’ to ‘can you demonstrate that these controls operate at your current scale?’ The proof point regulators now seek is operational evidence, not policy documentation.
Where UK payments firms commonly get caught under AML supervision
Drawing on FCA Final Notices, JMLSG guidance, and industry remediation experience, five operational gaps recur across the sector.
1. CDD that does not refresh
Onboarding CDD is performed thoroughly at the start of the relationship and then never updated. A customer onboarded as a low-volume domestic user is treated as such two years later, even when their transaction profile now resembles a high-volume international remitter. Periodic CDD refresh, triggered by behavioural change rather than calendar alone, is the standard the FCA now expects.
2. Transaction monitoring scenarios that are not calibrated to risk
Generic rules (thresholds set at scheme defaults, scenarios inherited from a previous platform) produce high alert volumes and low conversion to SAR. The output of monitoring becomes triage rather than detection. Calibration must be tied to the firm’s own risk assessment and re-tuned as the customer base evolves.
3. Sanctions screening that is partial
Screening against an abbreviated or stale list, fuzzy matching parameters that miss true matches, and screening of customers but not counterparties or beneficial owners are all cited findings. The Starling case made it explicit: screening must cover the full list, be re-run on list updates, and be evidenced as having occurred.
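The three findings above translate into three properties a screening routine has to have: matching that tolerates the spelling, ordering and suffix differences that defeat exact comparison, coverage of every party on the relationship rather than the customer alone, and an evidence record per screening event that becomes stale when the list changes. The following added example (written for this article, not RelyComply code or any real screening product) shows the shape of such a routine. The list entries are fictitious and are not taken from the UK Sanctions List, the version label is a placeholder, and the match thresholds are assumed settings that a firm would calibrate and document itself.

```python
import difflib
import re
import unicodedata
from datetime import datetime, timezone

# Constructed list snapshot. Names are fictitious, not entries from any real
# sanctions list; the version label is a placeholder for the list release id.
LIST_VERSION = "uk-sanctions-list/2024-01-01"
SANCTIONS_LIST = [
    {"list_id": "ENTRY-001", "name": "Example Holdings Limited"},
    {"list_id": "ENTRY-002", "name": "Jean-Luc Exampleson"},
]

# Matching parameters: assumed example values, not figures from the article.
# A firm sets these from its own calibration and records the rationale.
HIT_THRESHOLD = 0.90
REVIEW_THRESHOLD = 0.75
CORPORATE_SUFFIXES = {"ltd", "limited", "plc", "llc", "inc", "co", "company"}


def normalise(name):
    """Strip accents and punctuation, lower-case, drop corporate suffixes and
    sort the tokens so that word order and 'Ltd' vs 'Limited' do not matter."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower()).split()
    return " ".join(sorted(t for t in tokens if t not in CORPORATE_SUFFIXES))


def similarity(a, b):
    """Character-level similarity of the normalised names, in [0, 1]."""
    return difflib.SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def screen(subject_name, role, sanctions_list=SANCTIONS_LIST, list_version=LIST_VERSION):
    """Screen one party and return the evidence record for the event.
    The record (timestamp, list version, score, disposition) is what an audit
    reconstructs from; the configuration alone proves nothing."""
    best_entry, best_score = None, 0.0
    for entry in sanctions_list:
        score = similarity(subject_name, entry["name"])
        if score > best_score:
            best_entry, best_score = entry, score
    if best_score >= HIT_THRESHOLD:
        disposition = "HIT"
    elif best_score >= REVIEW_THRESHOLD:
        disposition = "REVIEW"
    else:
        disposition = "CLEAR"
    return {
        "screened_at": datetime.now(timezone.utc).isoformat(),
        "list_version": list_version,
        "subject": subject_name,
        "role": role,
        "best_score": round(best_score, 3),
        "matched_list_id": best_entry["list_id"] if disposition != "CLEAR" else None,
        "disposition": disposition,
    }


def screen_relationship(customer, counterparties, beneficial_owners):
    """Screen every party attached to a relationship, not only the customer."""
    records = [screen(customer, "customer")]
    records += [screen(c, "counterparty") for c in counterparties]
    records += [screen(b, "beneficial_owner") for b in beneficial_owners]
    return records


def needs_rescreen(record, current_list_version):
    """A list update invalidates earlier evidence: any record produced
    against an older version must be re-run against the current one."""
    return record["list_version"] != current_list_version


if __name__ == "__main__":
    for rec in screen_relationship("Example Holding Co", ["Zara Unrelated"],
                                   ["Jean Luc Exampleson"]):
        print(rec["role"], rec["subject"], rec["disposition"], rec["best_score"])
```

The normalisation step is what closes the gap the findings describe: "Example Holding Co" still scores against "Example Holdings Limited", and the beneficial owner "Jean Luc Exampleson" is screened and hit even though the customer entity itself might be clean. Persisting every record and re-running anything for which `needs_rescreen` is true on each list release is the evidential trail the Starling finding asks for.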
4. EDD that is documented but not lived
PEPs and high-risk customers are formally escalated to EDD, files are populated, but enhanced ongoing monitoring is not executed at the cadence the EDD outcome specified. The gap between defined monitoring regime and executed monitoring regime is a structural exposure for payments firms.
5. Funds transfer rules not consistently applied across payment rails
The Funds Transfer Regulation requires that payer and payee information accompany electronic transfers. Where firms operate across multiple rails (Faster Payments, SEPA, SWIFT, card schemes), the consistency of this data across rails is uneven. Missing or incomplete payer data is both an MLR breach and a transaction monitoring blind spot.
What good AML operations look like inside UK payment service providers
The firms that emerge well from supervisory review share a small number of operational characteristics. They are described here as testable propositions rather than aspirations.

- The risk assessment is a live document. Refreshed when the firm launches new products, opens new corridors, signs material partners, or sees material change in transaction profile; not annually as a compliance exercise.
- CDD is event-driven as well as periodic. Behavioural triggers (sudden volume change, new counterparties, change of beneficial ownership) prompt CDD refresh in addition to scheduled review cycles.
- Monitoring scenarios are owned, not inherited. Each scenario has a documented rationale, a calibration owner, an alert-to-SAR conversion rate, and a periodic tuning record.
- Screening is operational evidence, not configuration. Every screening event has a timestamp, a list reference, a hit disposition, and a re-screening trigger when lists update.
- EDD outcomes are scheduled in the system. Enhanced monitoring regimes specified in EDD decisions are loaded into the monitoring engine, not held in a file note.
- The audit trail is reconstructable end-to-end. From customer identifier to onboarding decision to monitoring activity to SAR filing to review outcome; a single query path, not a forensic exercise.
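Two of the propositions above, event-driven CDD and monitoring scenarios with a documented rationale, can be made concrete in one routine: compare what the customer actually does each month with the profile they declared at onboarding, name each scenario that fires, and mark the months in which a CDD refresh is due. The following is an added example for this article (not RelyComply code, and not a scenario set from any regulator or guidance); it also serves the transaction monitoring section above, which describes the same comparison against the customer's known profile. The profile fields, scenario names, multipliers and sample transactions are all assumptions constructed for the example.

```python
from collections import defaultdict

# Profile captured at onboarding: what the customer said they would do.
# Constructed sample; field names are assumed for this example.
SAMPLE_PROFILE = {"declared_monthly_gbp": 2_000, "declared_countries": {"GB"}}

# Scenario parameters. Assumed example settings, not figures from the article
# or any regulation: each would carry its own rationale and tuning record.
VOLUME_MULTIPLIER = 3.0       # monthly volume above 3x the declared figure
NEW_COUNTERPARTY_SHARE = 0.5  # more than half of the month's counterparties are first-seen
REFRESH_SCENARIOS = {"volume_exceeds_declared", "undeclared_country"}

# Constructed sample: a low-volume domestic customer whose activity shifts in
# the third month to large transfers to new overseas counterparties.
SAMPLE_TRANSACTIONS = [
    {"ts": "2024-01-03", "counterparty": "A", "counterparty_country": "GB", "amount_gbp": 700},
    {"ts": "2024-01-15", "counterparty": "B", "counterparty_country": "GB", "amount_gbp": 500},
    {"ts": "2024-01-28", "counterparty": "A", "counterparty_country": "GB", "amount_gbp": 300},
    {"ts": "2024-02-04", "counterparty": "A", "counterparty_country": "GB", "amount_gbp": 800},
    {"ts": "2024-02-20", "counterparty": "C", "counterparty_country": "GB", "amount_gbp": 500},
    {"ts": "2024-03-02", "counterparty": "D", "counterparty_country": "AE", "amount_gbp": 4_000},
    {"ts": "2024-03-09", "counterparty": "E", "counterparty_country": "AE", "amount_gbp": 3_000},
    {"ts": "2024-03-21", "counterparty": "A", "counterparty_country": "GB", "amount_gbp": 100},
]


def evaluate(transactions, profile):
    """Walk a customer's transactions month by month. Return one result per
    month with the scenarios that fired (any firing is a monitoring alert)
    and whether the month triggers a CDD refresh."""
    by_month = defaultdict(list)
    for tx in transactions:
        by_month[tx["ts"][:7]].append(tx)

    seen_counterparties = set()
    results = []
    for month in sorted(by_month):
        txs = by_month[month]
        findings = []

        volume = sum(t["amount_gbp"] for t in txs)
        if volume > VOLUME_MULTIPLIER * profile["declared_monthly_gbp"]:
            findings.append("volume_exceeds_declared")

        countries = {t["counterparty_country"] for t in txs}
        if countries - profile["declared_countries"]:
            findings.append("undeclared_country")

        counterparties = {t["counterparty"] for t in txs}
        new_counterparties = counterparties - seen_counterparties
        # The surge rule needs history, so it is skipped in the first month.
        if seen_counterparties and len(new_counterparties) / len(counterparties) > NEW_COUNTERPARTY_SHARE:
            findings.append("new_counterparty_surge")
        seen_counterparties |= counterparties

        results.append({
            "month": month,
            "volume_gbp": volume,
            "findings": findings,
            "alert": bool(findings),
            "cdd_refresh": bool(REFRESH_SCENARIOS & set(findings)),
        })
    return results


def refresh_due(results):
    """Months in which a behavioural trigger, not the calendar, makes CDD due."""
    return [r["month"] for r in results if r["cdd_refresh"]]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_TRANSACTIONS, SAMPLE_PROFILE):
        print(r["month"], r["volume_gbp"], r["findings"], "cdd_refresh" if r["cdd_refresh"] else "")
```

On the sample, January and February produce no findings, and March fires all three scenarios and marks CDD as due: the customer onboarded as a low-volume domestic user is no longer one, and the refresh is triggered by the behaviour rather than waiting for a scheduled review. Each scenario name in the output is the hook for the rationale, owner and tuning record the proposition calls for.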
How RelyComply supports payments firms operating under the PSRs and MLRs
RelyComply’s AML platform is built for the operational reality that payments firms face: high transaction volumes, distributed data, multiple rails, and an FCA expectation that controls demonstrably operate at scale rather than merely existing in policy.
The platform supports the full lifecycle described in this article: risk-based CDD, configurable transaction monitoring calibrated to the firm’s risk assessment, sanctions and PEP screening with full audit trail, EDD as a structured workflow rather than a status, and end-to-end traceability from customer identifier through to regulatory filing.
To understand how this works in practice for a payments firm at your stage of growth, book a platform walkthrough, or read our overview of AML compliance for payments firms.
Frequently asked questions about the Payment Services Regulations and AML
What are the Payment Services Regulations 2017?
The PSRs 2017 are the UK regulations governing payment services, transposing the EU’s Second Payment Services Directive (PSD2) into UK law. They define who can operate as a Payment Institution or Electronic Money Institution, set authorisation and safeguarding requirements, mandate Strong Customer Authentication for electronic payments, and impose conduct standards for the provision of payment services. They remain in force as retained UK legislation post-Brexit.
Are the PSRs the same as the MLRs?
No. The PSRs 2017 govern payments authorisation, conduct, and safeguarding. The MLRs 2017 govern anti-money laundering and counter-terrorist financing obligations. Both apply to UK payments firms, and both are enforced by the FCA, but they are distinct regimes with different scopes. Strong PSR compliance does not satisfy MLR obligations, and vice versa.
Who needs authorisation under the PSRs?
Any firm providing payment services in or from the UK, including payment account operators, payment processors, money remitters, card issuers and acquirers, e-money issuers, and open banking providers, must be authorised by the FCA as a Payment Institution or Electronic Money Institution, registered as a Small Payment Institution or Small Electronic Money Institution, or operate as a credit institution authorised under the Financial Services and Markets Act.
What AML obligations apply to UK Payment Service Providers?
Every authorised PSP, PI, and EMI is a relevant person under the MLRs 2017. Core obligations include: a written firm-wide AML risk assessment; customer due diligence, including enhanced due diligence for higher-risk relationships; ongoing transaction monitoring; suspicious activity reporting to the National Crime Agency; sanctions screening under SAMLA 2018; and five-year record-keeping. Firms must also have an MLRO at board or senior management level.
What is Strong Customer Authentication (SCA)?
SCA is the PSR-mandated requirement that electronic payments be authenticated using two or more independent elements: knowledge (something the customer knows), possession (something the customer has), and inherence (something the customer is). Limited exemptions apply for low-value, recurring, or low-risk transactions. SCA failures can mask fraud and money laundering typologies that AML systems should otherwise detect.
What is safeguarding under the PSRs?
Safeguarding is the requirement that customer funds held by a Payment Institution or EMI be segregated from the firm’s own funds and held in protected accounts at authorised credit institutions, or covered by an insurance policy or comparable guarantee. Safeguarding failures are a frequent cause of FCA intervention in payments firms, and safeguarding controls are increasingly examined alongside AML controls.
How does the FCA enforce AML obligations against PSPs?
Through supervisory engagement (firm visits, thematic reviews, portfolio letters), Section 166 skilled person reviews, formal enforcement action resulting in Final Notices and financial penalties, and, for the most serious failures, criminal prosecution. The FCA’s portfolio letters to the payments sector have repeatedly identified financial crime as a strategic supervisory priority, and the recent Final Notices against Starling and others reflect that priority in action.