Payments Regulatory Deadlines to Watch in October 2025

Each month, we leverage data from our Horizon Scanning Regulatory Deadlines Calendar to bring you a glimpse of the key response deadlines and legislation effective dates coming up, so you can plan and take action around some of the most important regulatory developments unfolding right now.

In October, there are 55 regulatory deadlines on the horizon — with 19 key consultation periods coming to an end and requiring a response, and 30 actionable deadlines to be aware of coming into effect.

What are the regulatory deadlines to watch in October?

Japan

The Japanese Financial Supervisory Agency (FSA) has announced new revisions to the cybersecurity reporting requirements of the comprehensive guidelines for the supervision of major banks and other financial institutions following the signing of an agreement between the FSA and other government agencies on reporting cyber incidents that aims to reduce the burden on organisations affected by cyber-attacks and to expedite the government's response.

Under the revisions, regulated entities may now notify the FSA and other government agencies of distributed denial of service (DDOS) and ransomware attacks via the Common Form for DDoS Attack Cases and Common Form for Ransomware Cases (both download links). The revised guidelines will take effect from October 1 2025.

Albania

On September 15, 2025 the Decision 49/2025 On the Approval of Certain Amendments to the Regulation “On Determining the Requirements for Credit Transfers and Direct Debits in Euro,” applicable to payment service providers (PSPs) and banks. 

Key amendments include: 

• PSPs in Albania may charge fees for Single Euro Payments Area (SEPA) credit transfers, instant credit transfers and direct debits, both incoming and outgoing, using the shared cost method (SHA) in line with SEPA rules. 
• However, fees for outgoing SEPA payments cannot exceed the limits set by the Bank of Albania for equivalent domestic euro payments, while any fees on incoming SEPA payments must be strictly cost-based. 
• This does not apply to currency exchange fees and instant credit transfers.
  

This decision enters into force on October 7, 2025 and until the accession of Albania to the European Union. 

Brazil

On September 25, 2025, the Central Bank of Brazil (BCB), in conjunction with the National Monetary Council (CMN), approved BCB Resolution No. 505 and CMN Resolution No. 5,251. 

Taken together, the new resolutions establish the mandatory use of Automatic Pix in cases where the end user receiving funds from an interbank debit authorization is a legal entity or entity not authorized to operate by the BCB. As a result, payers will now have to authorize debits from their account using the app of the institution where the account to be debited is held.  According to a BCB news release announcing the resolutions, this mandatory use of Automatic Pix is aimed at providing greater convenience and control to customers, as well as preventing undue debits.

The resolutions take effect on October 13, 2025, with a deadline of January 1, 2026 for relevant institutions to adapt existing contracts and debit authorizations, and to implement other measures necessary for compliance.

Pakistan

On 25 July 2025, the State Bank of Pakistan (SBP) issued a circular introducing a revised and consolidated Customer Onboarding Framework, aimed at simplifying account opening procedures and expanding access to digital financial services.

The framework applies to all SBP Regulated Entities (REs) that maintain customer relationships, including Banks, Development Finance Institutions (DFIs), Microfinance Banks (MFBs), Digital Banks, and Electronic Money Institutions (EMIs). It consolidates existing onboarding instructions and sets out uniform standards for due diligence, documentation, and digital enablement. SBP has advised all REs to ensure full compliance with the circular by October 25, 2025.

India

On April 22, 2025 the Reserve Bank of India issued a circular on the migration to ‘.bank.in’ domain. This is following a press release promoting the initiative to reduce cyber security threats and malicious activities like phishing. The '.bank.in' domain will now be operationalised specifically for banks, with the Institute for Development and Research in Banking Technology (IDRBT) designated as the exclusive registrar. 

This authorisation has been granted by the National Internet Exchange of India (NIXI), under the Ministry of Electronics and Information Technology (MeitY). All banks are advised to commence the migration of their existing domains to the ‘.bank.in’ domain and complete the process no later than October 31, 2025. 

The Vixio Payments Compliance Horizon Scanning tool shows you real-time updates on regulatory deadlines and trends across 140+ global jurisdictions, including all US states, at the click of a button. Its Regulatory Deadlines Calendar feature sets out effective dates for published legislation, closing dates for consultation periods on proposed regulatory developments, and deadlines for specific requests for information by regulatory authorities. 

We’ve only shown you a snapshot of October’s deadlines.

Want to see them all? Book a demo with a member of our team, who can show you the full Regulatory Deadlines Calendar for this month.