Payments Compliance Outlook 2024: The Compliance Dilemma - Growth At What Cost?

• Overriding theme of Vixio’s 2023 survey is the renewed and sustained focus on growth from payments firms
• Two of top three priorities for firms for 2024 is to acquire new product licences and expand market entry
• Credit cards came top on the list of payment instruments offering the greatest opportunity
• Cryptocurrencies are also considered a major payment opportunity among firms
• Having the right culture of compliance is not just a box-ticking exercise but a competitive advantage

As the compliance landscape becomes an increasingly challenging environment, Vixio’s annual Payments Compliance Outlook uncovers some of the most pressing challenges that stand in the way of firms finding the sweet spot between growth and compliance in 2024. 

This report gives your organisation an informed view of the year ahead, helping you understand how to efficiently scale your compliance needs, reduce the regulatory burden and empower your compliance team to become enablers, rather than blockers, to business growth.

Tipping the scales of compliance

As the payments industry is one of the most highly regulated in the world, firms must constantly strike a balance between their growth ambitions and regulatory requirements, including mitigating risks and safeguarding customers. 

Vixio’s annual Payments Compliance Outlook has uncovered a troubling trend among some payment firms, which could suggest the pendulum is swinging too far in the direction of growth. 

In our survey of 250 payments professionals in five key jurisdictions, 85 percent of respondents claim they are under pressure from within their business to increase risk appetite to support growth. But at what cost? 

This decision to increase risk appetite could indicate a more positive macro outlook among firms looking to grow. For example, our survey also revealed that two of the top three priorities for firms in 2024 is to acquire new product licences (22 percent) and expand market entry (21 percent). However, it is also notable that priorities such as customer protection (11 percent), anti-money laundering (AML) (10 percent) and data protection (7 percent) featured lower down the order. 

“Our aim is to strengthen risk management and compliance in the sector which underlies fintech and to ensure that business development grows only in tandem with compliance maturity.” Dovilė Arlauskaitė, Bank of Lithuania, told Vixio in 2022.

Although growth is imperative for firms, compliance is not an optional extra. The most successful payment firms know good compliance can be a competitive advantage. It helps them stay on the right side of the regulator to avoid any unnecessary fines and reputational damage. It also helps them to maintain customer trust to ensure they can scale.

Most firms understand the criticality of compliance and its challenges, with 58 percent of respondents naming compliance and legal risk as among their firm’s top three risks over the next 12 months. The majority of firms also appear to understand the need to resource compliance departments even when times are tough. When asked about their response to an economic downturn, more than half (55 percent) said they would increase headcount in their compliance department.  

Throughout 2023, Vixio has regularly reported on regulators complaining that some firms are not doing enough to mitigate risks and calling on them to up their compliance game. As Max Savoie from law firm Sidley Austin said, in one of our exclusive customer interviews, payment firms should expect “more probing questions from the regulator about their compliance”.

The payments trinity

Another crucial balancing act for any successful payments systems is to find the sweet spot between cost, security and ease of use. A payment system must be secure, but if this level of security adds too much cost and friction to the user journey, it will fail because no one will want to use it. The challenge to maintaining equilibrium is that disruptive technology constantly redefines what is possible, customer expectations change, and regulators intervene to mitigate perceived risks and to promote competition. 

Across our survey, fraud stood out again as one of the biggest issues among respondents. Not only was fraud prevention ranked the highest compliance priority among firms, but increased fraud rates were also considered to be among the greatest threats to their business. 

Fraud introduces extra costs and friction, severely disrupting the payments balance. In the UK, policymakers are scrutinising the rise in authorised push payments (APP) fraud. Not only has this led to regulators mandating a new confirmation of payee service, adding an extra check before a payment is sent, but liability has also shifted from the customer to payment system participants — spread equally between sending and receiving institutions. 

Technology can be an effective tool to quickly rebalance any disequilibrium, improve efficiencies and offer better customer experiences. Respondents were particularly optimistic about artificial intelligence (AI), with 59 percent citing it as one of the greatest technology opportunities for their business over the next 12 months. Previously, Vixio investigated use cases for AI and identified numerous applications for payments firms from fighting fraud, financial planning and risk management, to personalising and enhancing the customer experience. Regulators have also expressed excitement about AI as a tool to support their supervision of payment firms.

Additionally, respondents cited cloud computing as a significant technology opportunity. In particular, the technology enables firms to improve data security and efficiently scale operations, while reducing the need to manage capital intensive data centres and IT stacks. 

Finally, let’s not forget that despite all these considerations, a payment is just a simple message transfer made possible via a choice of payment instruments. According to our survey, credit cards came out top among respondents as offering the most opportunities for their firm over the next 12 months. Credit cards have historically been one of the most lucrative payment instruments, and our survey suggests this continues to be the case. If credit cards represent the elder statesperson of electronic payments, the next two on the list of greatest opportunities, instant payments and crypto, are the would-be usurpers.

In Brazil, the central bank governor suggested that the country’s successful instant payments service, Pix, combined with open finance, could eliminate the need for credit cards altogether. Our survey suggests, however, that credit cards will continue to play a prominent role in Brazil and elsewhere, with 58 percent of respondents in the Latin American country citing the payment method as the greatest opportunity for their firm over the next 12 months, compared with 44 percent overall. In fact, Vixio’s analysis of alternative payments growth over recent years suggests that new payment instruments are often complementary to existing services rather than competitive. For example, alternative payments often open up new use cases, supporting further digitalisation of payments, and creating a virtuous circle that benefits firms across the payments ecosystem. 

In our customer interview, Andrew Boyajian of open banking firm Tink echoed the sentiment that growth in one type of payment instrument can benefit other types of payment instruments. In making the case for the potential of open banking powered by instant payments, he argued that the progression of open banking has been made possible by the demand created by cards. And just like cards before, open banking is now reaching its own tipping point.

2023 at a glance

2023 has been an eventful year for payments regulation. In each of the five markets Vixio surveyed — the UK, US, Germany, Brazil and Australia — wide-ranging regulations have been proposed or introduced that are likely to have a lasting and profound impact on the payments landscape. From Australia’s multi-faceted strategic plan to modernise the country’s payments system and regulatory framework, to the EU’s new revised payments package, firms face potential changes to all parts of their business. Here are just some regulatory themes from updates that Vixio has captured across these five jurisdictions in 2023.

GROWTH AND COMPLIANCE: TWO SIDES OF SAME COIN (PART 1)

An overriding theme of Vixio’s 2023 survey is the renewed and sustained focus on growth from payments firms. Despite challenging economic and market conditions, such as rising interest rates and falling demand in certain payment categories, payments overall are generally resilient to economic shocks. Digitalisation continues to advance, new use cases are emerging and cash continues to decline in most markets — all good signals for further expansion and opportunity for payment firms.          

Key market indicators highlight continued strong growth, and in some cases acceleration of this growth. For example, in four out of the five markets in our survey, the rate of market growth in 2022 was either equivalent to or above the five-year average, and in the case of Brazil it had almost doubled.       

If Australia, the US and the UK are characterised as among the most highly developed global payments markets, then Brazil, until recently, could be considered relatively undeveloped. Over the last couple of years, however, Brazil has experienced an explosion in payments growth. As a result, it looks set to join this elite club sooner rather than later, with instant payments service Pix leading that charge. Launched in November 2020, the service processed 24bn transactions in 2022, equivalent to 29 percent of all non-cash transactions during the year. And rather than hindering the growth of other payment instruments, such as credit and debit cards, it helped accelerate their growth.

Impact depends on market segment and industry

Since 2021, the healthy uptrend in payments growth can partly be explained by a post-COVID boost as communities return to normal. However, the digital trends accelerated by the pandemic are also helping some payment firms to mitigate against risks presented by a tougher economic climate. Vixio expects some tempering of growth rates over the next few years, although these are likely to remain healthy across all jurisdictions.          

Alongside fighting fraud, new product licensing (22 percent) and new market entry (21 percent) represent the top three compliance priorities for firms in 2023.

Of potential significance is how comparatively low other regulatory priorities, such as data protection, consumer protection and AML, are rated. These priorities that focus on compliance risks and customer safeguarding could indicate a potential imbalance between growth and regulatory obligations. The potential consequences of this are discussed below.          

In the previous Vixio Payments Outlook, compliance teams reported an even mix between different competing priorities, such as fraud prevention (16 percent), consumer protection (15 percent), AML (15 percent), data protection (15 percent), new market entry (13 percent) and product licensing (12 percent). The focus on market growth and preventing fraud for 2023 may highlight the unique challenges and competitive market conditions that many firms are facing, but it could also signal risk if firms neglect key compliance obligations.

Cards for the win

Across all five markets surveyed, consumers and businesses are comfortable using a range of payment instruments. In the more developed markets of Australia, the UK and the US, there is a heavy preference for cards, which accounted for more than 70 percent of all non-cash transactions in 2022. In Brazil, cards represented just under 50 percent of all transactions, while in Germany card usage was particularly low at just 30 percent.      

When asked to list the payment instrument that offered the greatest opportunity for firms, credit cards came top, with 44 percent of respondents choosing it among their top three. Credit cards have historically been one of the most lucrative payment products for firms, particularly issuers, due to high fees, cross-border foreign exchange, customer loyalty and interest charges. Credit cards were particularly popular with respondents in Brazil (58 percent) and Australia (50 percent).           

The payment instrument’s popularity also suggests firms are not being put off by the challenging economic environment, including the potential for a credit crunch. Credit cards, and cards in general, continue to also be a target of regulators. In the UK, the Payment Systems Regulator is currently undertaking a review of card schemes and processing fees, while, in Australia, regulators continue to promote eftpos, the domestic card scheme, as a competitive alternative to international card schemes. Among the latest initiatives, regulators aim to promote network choice across card payments for both in-store and online payments, allowing merchants to choose the “least-cost routing” option. In August, the Reserve Bank of Australia threatened to introduce "formal regulatory requirements" if it did not see progress on implementation of least-cost routing by acquirers.          

This mirrors a similar routing choice introduced for debit cards in the US as part of the Dodd-Frank Act in 2011. The US is also hoping to offer similar competition for credit cards via the aforementioned Credit Card Competition Act, although the act’s path through Congress remains uncertain.

If cards represent more traditional payment opportunities, respondents also see significant value in alternative payments, with more than a third citing instant payments and cryptocurrencies, respectively.          

The popularity of Pix in Brazil has already been discussed, but the central bank is aiming to extend its functionality in 2024 to support new use cases, including automatic recurring payments and international transactions. Brazil’s central bank governor has even suggested that with future features, such as a credit facility supported by the country’s open finance framework, Pix could replace credit cards altogether.

Globally, policymakers continue to push instant payments as part of efforts to promote competition, innovation, open banking and financial inclusion. In the US, the launch of the Federal Reserve’s FedNow service will give a much needed competitive boost to the market. The country’s private bank-owned instant payments service operated by The Clearing House (TCH) has yet to gain a significant volume of transactions, despite launching back in 2017. Following the launch of FedNow, however, TCH began releasing announcements of its own, including the launch of a new Request to Pay service.           

In Australia, the country’s New Payments Platform (NPP) looks set to get a volume boost, following an announcement that transactions using the country’s Bulk Electronic Clearing System (BECS) will migrate to the instant payments service. New instant payments regulations in the EU will aim to address cost and availability in the region, and proposed changes to the Settlement Finality Directive could give non-banks direct access to the instant payments infrastructure for the first time, reducing payment firms’ reliance on banks.          
 

Balancing compliance as pressure mounts

As already noted, there is a strong focus on growth among payment firms, while compliance risks and safeguarding customers are relatively low priorities for some firms. But to what extent should this be of concern?           

A vast 85 percent of respondents said they had felt pressured by their firms to increase risk appetite to support business growth.

Many also appear to be heeding to this pressure. According to our survey, 68 percent of respondents said they are planning to either slightly or significantly increase risk appetite. Although this could be a sign of growing confidence in their market outlook, it could also demonstrate potential recklessness on the part of some firms, if their compliance teams are being forced to seek out risk.

          
When we dig a little further, there are one or two signs which could indicate that firms’ growth plans are being pursued at the expense of investment in compliance.

For example, 58 percent of respondents expect their compliance burden to increase over the next 12 months. When combined with a growing risk appetite, this could lead some firms to underestimate their compliance obligations.          

We also found a strong correlation between those that were under pressure to increase their risk appetite to support growth and those expecting their compliance burden to increase.          

For example, of those respondents who believe that there will be a significant increase in compliance burden over the next 12 months, three quarters also felt under significant pressure to increase their risk appetite to support business growth.          

Having the right culture of compliance is not just a box-ticking exercise but a competitive advantage. According to last year's Vixio Payments Outlook, respondents told us that the likely consequences of poor compliance practices were loss of reputation (27 percent) and reduced competitive advantage (26 percent). It is particularly noteworthy that both of these were considered to be more certain than the prospect of a fine from the regulator (24 percent). 

Well-founded

The expectation of a growing compliance burden is also well-founded. It is not just the growing barrage of regulations and requirements in these jurisdictions that Vixio has discussed here and elsewhere, but we have also heard directly from regulators complaining that firms are not taking their compliance risks seriously enough.          

The challenge for compliance teams is that many regulators, concerned that fast growth often comes at the expense of adequate risk management, are beginning to take a tougher line on payments firms. Making light of compliance obligations, therefore, is not a viable long-term option. Neobank N26 has found this out over the last couple of years, and is now facing restrictions in Germany and Italy due to inadequate compliance procedures.           

In Lithuania, which was previously a go-to jurisdiction for a European payments licence, regulators are increasingly taking steps to raise compliance standards. At the end of 2022, for example, Dovilė Arlauskaitė, the central bank's payments chief, told Vixio about the regulator’s plans going forward: “Our aim is to strengthen risk management and compliance in the sector which underlies fintech and to ensure that business development grows only in tandem with compliance maturity.”          

Among the actions taken by the Lithuanian central bank are:

• “Actively pursuing supervisory activities” to achieve “a sustainable and compliant operation of sector participants”.
• Reducing the number of new licences available, with a conscious focus on allowing “quality over quantity”.
• Revoking licences of existing players for compliance infringements and ramping up the number of enforcement actions. So far, these have included a €310,000 fine for UK-based e-money institution TransferGo, as a result of “deficiencies” and “insufficient” compliance with AML controls.

Elsewhere in Europe, regulators at both the national and supranational level are focused on creating a compliance-first environment. One aim of the EU’s new payments proposals is to give product intervention powers to the European Banking Authority. This will allow the regulator to “temporarily prohibit or restrict” payments or e-money products if the national authority has not adequately enforced the rules. It also means that payments firms cannot rely on low enforcement activity from national regulators as a significant factor in managing their compliance decisions.          

In the UK, in March 2023, the FCA published a letter to CEOs warning firms about common risks, failings and the need for good governance. Industry experts told Vixio that this should not come as a surprise to most payment firms, and that the regulator’s criticism was mild compared to that of other regulators. Firms should expect increased scrutiny from regulators, such as more warning letters and higher rates of enforcement activity. 

Customer Interview 

Balancing compliance and risk in the UK: Interview with Max Savoie, partner at Sidley Austin LLP           

Our research has shown that the Consumer Duty is a fairly low priority for UK compliance teams over the next 12 months. What has been your experience with payments firms seeking to comply with the Consumer Duty? Do you think that firms put enough resources in?  

It is really interesting to hear that. The Consumer Duty is a priority for the FCA and firms that are not taking it seriously do so at their own risk. Some of the larger players in the market have invested significant time and resources into compliance, but even those larger players have found implementation challenging. This is due to the breadth of the regime, and lack of detailed practical guidance on specific payment services.  

However, it is challenging for the FCA to provide tailored guidance as there are so many different business models in the payments sector that are in scope.  

I think that many smaller providers are likely struggling with additional compliance burdens, particularly where they are required to make changes made to customer terms or agreements with commercial partners. My sense is that there are mixed levels of awareness of these requirements.  

Do you think the recent EU payments proposals will make life easier for PSPs? Or are there going to be more compliance worries? 

I'm going to give a bit of a lawyer's answer here, and say that is a mixed picture. Some of the PSD3 proposals would permit PSPs to collect and share a broader range of data and delay settlement of a payment transaction in certain circumstances, which could be helpful for some firms. However, even in those areas where PSD3 might be helpful, it will still involve an extensive review and possibly substantive changes.  

Other changes like those proposed for safeguarding could mean non-bank PSPs have more to do, particularly if they have to diversify the methods through which they safeguard customer funds. 

I expect that EU/UK divergence will be challenging here as well, as firms currently have broadly similar policies, but this could change as both jurisdictions press ahead with reforms to payments regulation.  

Our research has shown compliance teams' top priority is growth with regulatory issues such as AML being a lower priority for the next 12 months. Yet, respondents tell us they expect the compliance burden to increase. Given we're seeing these regulatory proposals come up, how should firms plan?  

This approach is out of step with the FCA’s stated priorities for PSPs. Priorities here include AML, the Consumer Duty and safeguarding. As the Consumer Duty is a new regime and a flagship policy, I'd expect PSPs to start to receive more probing questions from the regulator about how they meet the requirements.  

With growth, one thing the FCA has consistently made clear is that customer acquisition and the aim of achieving frictionless customer onboarding processes should not come at the expense of robust customer due diligence and compliance with money laundering and sanctions rules.  

It does not surprise me that firms want to grow, and this is generally a good thing, but I think that there is a disconnect between some firms and the FCA in terms of balancing opportunities and risks. 

Complying with what regulation should be the priority for PSPs in the next year? 

It really does depend on the firm, but broadly speaking for the UK, firms would do well to look at the stated priorities of the FCA for the payments sector, especially the Consumer Duty, financial crime, safeguarding and other prudential requirements for non-bank PSPs. 

Crypto is another area, especially for PSPs providing crypto-asset services or supporting firms that do, which are more likely to face scrutiny from regulators and banks. We have two quite significant sets of rules that have come into effect this year, the first applies to marketing and promotion of crypto-assets services and the second applies to the information that must accompany certain transfers of crypto-assets. Any firm involved in providing, supporting or distributing crypto-asset services should be looking carefully at these rules.  

This is very much the start, and we are going to see a lot more reform coming. We have MiCA in the EU and analogous but not necessarily equivalent reforms being developed in the UK.  

Our survey found crypto has a high appeal for enabling growth. Given the crypto sector is increasingly being regulated, do you expect regulators to be more comfortable with a growing crypto sector than in the past few years? 

It is possible. Certainly the way regulators interact with a regulated firm will be different from the way they interact with an unregulated firm, or a firm that is applying for authorisation or registration. 

As the regulation of crypto-asset services continues to expand, firms operating in the sector, including PSPs, will likely face more scrutiny on issues such as compliance with new rules and conditions of authorisation or registration regimes.  

It is notable that there is still a relatively low percentage of firms obtaining FCA approval to provide regulated crypto-asset services.  

Overall, it is still a relatively difficult regulatory gateway to pass through.

Which element of the payments industry do you think is being hit the most by future regulatory burdens?  

More broadly, a theme I'm seeing in the UK and EU is increased attention on tech and fintech firms that are involved in the payments sector, particularly around their use of data and involvement with more traditional providers. In relation to these services, we are likely to see an expansion of regulation to cover a broader range of technical and data-related activities supporting payments in the UK and EU. 

Compliance teams step up  

Most firms understand the importance of compliance and that new and evolving regulation continues to be a serious risk to be managed by firms. For example, 58 percent of respondents named compliance and legal risk as among their firm’s top three risks over the next 12 months, above risks such as technology and market. In the US, in particular, this number rose to 72 percent.          
 

          
This sentiment is broadly shared across the business (i.e., not just within compliance teams), with 57 percent of respondents identifying as working in a payments-specific role also considering it a top three risk. This suggests that most firms are conscious of compliance risks as they seek to enter new markets and develop new payments products.  

Another sign that the culture of compliance is still top of mind for many firms is that most appear to understand the need to resource compliance departments even when times are tough. When asked about their response to an economic downturn, more than half (55 percent) said they would increase headcount in their compliance department. Although it is also worth noting that 27 percent of respondents said they would decrease their compliance headcount in the event of an economic downturn, highlighting attitudes to the role of compliance is not universal.            
 

FRAUD: DISRUPTING PAYMENTS (PART 2)          

Payment fraud is a menace that constantly evolves as technologies and habits change. Close down one avenue that can be exploited, and fraudsters will adapt and target another perceived weakness in the armoury. As a result, it is a constant battle for supremacy.          

But it is not just this tit-for-tat, permanent arms race that is the greatest challenge for payment firms. Fraud can disrupt significantly the way firms do business, damage their reputation with customers and partners, and is a significant cost both in terms of prevention and losses suffered.          

The EU’s rules around strong customer authentication (SCA) as part of PSD2 are a good example of this disruption. Although SCA may be a valid solution to solve unauthorised payments fraud, the controversial one-size-fits all policy caused consternation among many firms that had built their own successful fraud screening as part of their seamless payment offering. Some argued that SCA caused a double whammy of rising costs and falling sales; the latter because of increased basket abandonments as a result of the fiddly checkout experience.           

Fraud was a major concern of our survey respondents, with increased fraud rates considered the greatest threat overall to their businesses.   

In 2023, regulatory attention turned to authorised push payment (APP) fraud — where criminals trick victims into sending them money — using the speed and irrevocability of instant payments availability to their advantage. In the UK, this has been a particular problem, with UK Finance claiming that APP fraud losses alone were £485.2m in 2022.

To reduce this, the Payment Systems Regulator (PSR) issued a Specific Direction in October 2022 requiring directed PSPs to provide confirmation of payee. In June 2023, the PSR launched a new mandatory reimbursement requirement for APP fraud over Faster Payments. There is no minimum threshold for claims, and the only exceptions are in cases of gross negligence (which will likely be difficult to prove) or when the person is involved in the fraud. Even before the new mandate, APP fraud reimbursement had been rising, going from 26 percent in 2017 to more than 50 percent in 2022, according to UK Finance. However, costs are likely to increase as the new rules come into force.          

Both the payer and payee’s PSP will now be equally liable for reimbursement, which could be difficult for compliance teams to manage as it would make them liable for another company’s mistakes.           

In response, industry figures have told Vixio that the UK proposals do not address the root cause of the fraud, pointing out that about 75 percent of all fraud starts on Meta-owned social media sites Facebook and Instagram. Others have warned that such proposals may lead to conscious negligence, whereby customers feel safe to make a risky purchase, knowing that he or she will be reimbursed.

It is not just in the UK, a major component of the EU’s instant payments proposals is fraud reduction measures, including a new IBAN verification service that PSPs are required to perform when making an instant credit transfer.

Our qualitative findings suggest that respondents view fraud as a complex and multi-faceted issue that can have far-reaching consequences and is “difficult to stop”. Respondents mention how much of a growing problem it is, how it can “damage their reputation”, resulting in “customer and shareholder distrust”, and how it can lead to large direct and indirect costs.

“We are seeing [fraud] increase massively and it is expensive to claim on your insurance.” - Senior manager in a payments role, from our survey. 

Other perceived threats among our respondents were fears about an economic downturn (23 percent) and growing regulatory and compliance burden (22 percent). The perceived expectation of a growing compliance burden among survey respondents has already been discussed, but it is also interesting to note the extent to which perceived threat levels have increased. For example, the number of respondents that consider the growing regulatory and compliance burden as their number one threat have almost doubled since last year’s survey from 12 percent to 22 percent.

“Keeping up with the evolving compliance requirements requires frequent monitoring and updating of the organisation’s policies.” - C-level executive in a payments role, from our survey.  

Customer interview   

AML and fraud challenge: Interview with Hardeep Rai, product director, and Karin Yuklea, product strategy, Feedzai. 

What are the current trends that you see for fraud and payments?

Rai: Scams (authorised push payment fraud) continue to be the dominant issue; however, we are seeing some positive news in the fight to tackle this kind of fraud. In the UK, the regulator is taking significant steps to ensure that control mechanisms are in place and consumers get the protection they need.

Due to the rise of scams, banks have invested a lot in terms of people and technology, as well as more education for consumers. This is certainly helping to stabilise the scam losses in the UK.

Yet, if you look at that broader issue, across the wider world, it is a different story. The UK has had success, but everyone else is still wrestling with the problem.

Elsewhere, regulation also has not caught up, but we are starting to see this happen now. In Singapore, regulators are discussing how you reimburse, and Australia's plans are imminent as well. 

How bad is payment fraud in the UK compared with other jurisdictions? What exacerbates fraud in your opinion?

Rai: The first thing that I would point out is that the UK is very good at reporting on fraud. There is really good, rigorous reporting, and this is not consistent elsewhere. Therefore, the UK can sometimes get more attention, due to the availability of the data, but that does not necessarily mean the problem is greater than in other countries.

The numbers are big, of course. Billions and billions are being lost, but it is hard to say whether it is better anywhere else. You cannot compare with France or Germany, for example, as there is no consistent data set to do such analysis.

From speaking with customers on the ground, you can tell that fraud is becoming a very big issue and a topic of discussion in the US. This is partly due to the increased adoption of real-time payments, which fuels a higher level of fraud, as fraudsters can move their ill-gotten gains faster.

What are the challenges that firms face with keeping up with the evolving AML regulatory landscape?

Yuklea: Firstly, dealing with this area is not getting any easier. In addition to ever-expanding regulations and regulatory focus, financial institutions (FIs) and payment processors are dealing with ongoing rapid changes to the financial and technology ecosystem itself. 

Regulators and FIs are struggling to keep up with this rapidly changing environment and adapt their AML compliance approach quickly, while criminals are often ahead of the game in exploiting vulnerabilities in new financial products and services and leveraging advanced technology.    

Many FIs are also hampered by outdated and stagnant AML technology solutions that were designed decades ago, and are unsuited for the current environment. It is always a game of catch-up, and FIs cannot keep using very old technology as it will, and has, become very ineffective. 

How are firms changing their approach to money laundering? How do you help them?

Yuklea: One of the biggest changes that is happening in financial services is the shift to digital banking across the industry. This has introduced many challenges but also opportunities, as digital banking can be a rich source of valuable data about customers and their behaviour. It also offers the ability to access this data and interact with the client in real time while they are logged into an online portal. 

Today, this technology is under-utilised in AML compliance, which is mostly still based on limited back-office datasets and delayed processing. But we believe this will increasingly become a key component in an effective AML programme. 

We are working with our clients to facilitate this journey and shift to a more proactive approach to financial crime prevention through the use of more advanced and agile technology.

How do you deal with multi-country compliance? 

Yuklea: Core AML compliance requirements are typically very similar globally, with relatively limited variations, as the fight against financial crime is a global one and is guided by common principles (and criminals operate globally using similar techniques as well). What tends to be substantially different is the focus and level of enforcement in different jurisdictions. This often means that although the high-level AML principles are the same, their application in practice really differs by jurisdiction, which drives FIs’ technology priorities.

For example, in certain Asian and LatAm markets, there is more openness to new technology such as machine learning and AI. These regulators are more comfortable with advanced technologies and are focused on monitoring effectiveness, while they are somewhat less stringent on certain governance aspects around its use. 

In some regions like the US and UK, however, regulators are more hesitant to trust new technology and require very extensive governance processes around it. This can discourage banks from early adoption of technology innovations (due to the risks and cost associated with meeting these regulatory expectations).

Machine learning is an opportunity to enable more effective and agile financial crime prevention strategies that cannot only address current challenges, but can keep up with the rapid ongoing changes that are inherent to today’s banking environment and consumer expectations of a seamless user experience. 

A trend over the next few years has to be the adoption of supporting tools for AML prevention — not just AI but the governance framework around that.

Tapping into technology    

Successful payments firms must strike a fine balance between ensuring security, managing costs and making their products accessible and easy to use. The disruption to the payments experience caused by issues such as fraud and money laundering can cause an imbalance to the payments experience, threatening business models and leading to customer attrition. 

One solution to this balance problem is to invest and innovate through the use of technology. Survey respondents were particularly excited about the prospects of artificial intelligence (AI). A total of 59 percent of respondents put AI among their top three technology opportunities, and 28 percent put it as their first choice. AI was closely followed by cloud computing (58 percent), including 23 percent that ranked it as their top choice.

Our qualitative results show that respondents view AI as a significant opportunity due to its potential to improve many aspects of their business. Respondents highlighted improved efficiency, for example, reduced costs and the provision of better services, such as faster payment processing and greater personalisation for customers.

“Artificial intelligence can take on tasks and processes that are time consuming and tedious for our team, freeing them up so they can focus on more value-added activities.” - Founder of a payments processor, in our survey.

Our results also suggest that AI may be particularly useful in compliance departments where it can help with a variety of tasks, such as staff recruitment, scoping out initial research and reducing workloads.

“Artificial intelligence allows for the automation of tasks, and is capable of providing large-scale data analysis, increasing efficiency and improving decision-making so that the organisation becomes more competitive in the market.” - Senior manager in a legal role, in our survey.

Industry figures have separately told Vixio of AI’s potential in payments to reduce fraud, such as the use of cybersecurity monitoring, identity screening and pattern recognition to detect  suspicious activity in real time.

The use of the cloud has long been discussed in the payments industry as a way to improve efficiency and support firms as they scale. At the same time, as processing power and internet bandwidth have expanded the ability to deploy the cloud to support tasks, it has become an increasingly cost-effective option. The cloud can allow firms to outsource key tasks and reduce the need to manage capital-intensive data centres and IT stacks. This is echoed by our respondents who regard cloud computing as a versatile technology that can help with data storage, scalability and security to support business growth.     

“Cloud computing provides data privacy and security with storage in a centralised manner.” - C-level executive in a payments role, from our survey.

“Cloud computing allows us to scale up or down our IT resources on demand, and access them from anywhere without any internet connection.” - C-level executive in a payments role, from our survey.

       
CONCLUSION

Regulation is constantly evolving as policymakers respond to changing economic and market conditions. In some cases, regulators are directly citing tough economic conditions as part of their rationale for stricter supervisory regimes.    

Growth is vital, of course, but without the corresponding culture of compliance, firms risk significant long-term consequences. Unnecessary fights with the regulator can slow a firm down and can do significant reputational damage. However, with the right tools and support, firms can efficiently scale their compliance operations even in times of increasing regulatory burden. This allows compliance teams to spend more time as enablers rather than barriers to growth.

Customer Interview - Open banking  

Open banking and open finance continue to be exciting market developments that are affecting firms across all jurisdictions in our study. From the ambitious implementation timeline of UK regulators to the EU’s proposed open finance framework, this topic will likely continue to be a top payment trend in 2024.           

To get the latest insights on these developments, Vixio spoke to employees at two of the UK’s leading open banking providers: Jack Wilson, head of public policy at TrueLayer; and Andrew Boyajian, head of variable recurring payments at Tink.

Jack Wilson, head of public policy at TrueLayer

At the inception of open banking, there was a lot of emphasis on its use for sharing account data. How has open banking technology and uses of that technology changed in the last few years? 

The emphasis on account information has shifted, and there is now much more focus on the payments side of open banking. The perception was that payments took off slowly — but it takes time to educate businesses about new payment methods, and for those businesses to put a change into their own roadmaps. The open banking industry has been working hard on this, and that is now paying off, with more than 11m open banking payments made in July 2023. With variable recurring payments just starting to take off, we are unlocking yet more convenience for consumers, allowing them to save money and pay off debt with ease. 

Vixio has recently seen an uptick in regulatory activity for open banking in the UK. What are your thoughts on future open banking regulatory developments? 

There is a heck of a lot on the horizon. 2023 was supposed to be the year of delivery for open banking. So far, there has been a lot of discussion and consultation. 

The Joint Regulatory Oversight Committee (JROC) has been continuing its work over the summer, and due from that is a roadmap (due autumn) for unlocking new open banking functionality and enabling recurring payments to be used for bill payments, e.g. tax, utilities and other financial services applications, such as investments. 

The JROC is also looking at the future of the Open Banking Implementation Entity (OBIE). OBIE has really been responsible for making open banking a success in the UK. Its future has been uncertain for a few years, but hopefully the JROC will create certainty, e.g., through its funding and governance, and it can get on with delivering the rest of open banking.

The Data Protection and Digital Information (DPDI) Bill is going through parliament as we speak and should give “Smart Data” powers to sectoral departments. While it will give the Treasury powers to “underpin” the future of open banking, it will also enable other departments to embrace open data.  

What effect do you think emerging technologies, including AI, will have on UK regulation? 

Financial regulators are increasingly engaged in emerging technologies. In recent years the focus has been on understanding the risks of crypto and stablecoins and developing an appropriate regulatory regime. It is likely we will now see regulatory activity in the AI space, even if this is initially just sizing up the opportunities for financial services. We should expect that AI will feature in forthcoming regulatory strategies and business plans.

How will the Consumer Duty impact firms like TrueLayer and what does it say about the future of UK regulation?

The Consumer Duty applies to all open banking firms and we have been busy preparing for the go-live date over the summer. Open banking's success hinges on gaining the trust and loyalty of consumers, creating excellent consumer experiences and adding value — so the Consumer Duty obligations should not come as a heavy lift for the industry. 

The duty shows that the UK is way ahead when thinking about that kind of regulation, but it does demonstrate a swing of the pendulum from a focus on competition (as we had in 2016 with open banking legislation) to a focus on consumer protection (when taken alongside the wide-ranging APP rules).

What regulatory themes do you think will dominate 2024?

Early in 2023, Andrew Griffith, the UK economic secretary, said that this will be the year of delivery for open banking. We have seen a lot of work and discussion taking place about the future approach to regulation. 

However, I do not think that the rubber has hit the road yet. We have not unlocked new functionalities. I am hoping that 2024 is the actual year of delivery and that we see both banks and third-party providers come together to create more new products and services for consumers and businesses.

Have you noticed much divergence between the EU and the UK on regulation thus far? How does this impact firms like TrueLayer?

There is a divergence with timelines.

The EU machinery has started to roll on reviewing PSD2 and creating a revised directive and regulation. A lot of work has been put into this and the ball is now rolling. In the UK, they have not yet kicked off that major review of the legislation, and we do not have a revised text. We have had a consultation and have made piecemeal changes like those for APP fraud and bank account closures, but there have been no huge developments yet. I think we are at risk of falling behind.

Likewise, in the UK, there has been a lot of discussion about open finance. The UK kicked off very early in 2018-19 with this, but then activity dropped off. In the EU, we have now got the FIDA proposal. We do have an opportunity to catch up with the Data Protection and Digital Innovation Bill, but the powers in that bill need to be put to use quickly by the relevant regulators once final.

While there may be a divergence in timelines, I think that the EU and UK have the same things in mind. It is an interesting time to be in both markets!    

***     

Andrew Boyajian, head of variable recurring payments at Tink

Open banking has been around for a while now and, initially, consumers weren’t very aware of it. Do you think that’s changed now?

We have approached a place where there is a nice intersection. If we zoom out, it is nice to reach a place where we can see the progression to open banking. This originated with Diners Club in the ‘50s, and then Visa launched in ‘58, and then we saw the beginnings of Mastercard. 

What worked in the card example was the building of demand. We are seeing consumers beginning to become more expecting of things like speed, and convenience. Merchants are looking for high conversion rates, and demand is now building for these solutions that open banking can power.

We are seeing more and more banks consider their strategies. On the experience and trust front, we are getting better and better with payments. You now just need a face scan for biometric SCA, for example. This was not the case a couple of years ago.

The experience with open banking is also now far, far better than it was. Consumers are seeing this out and about. It is no longer a strange payment form, similar to how Diners Club evolved. When these elements come into place is when we will see a tipping point.

Vixio has recently seen an uptick in regulatory activity for open banking in the UK. What are your thoughts on future open banking regulatory developments?

I'm really excited about the regulatory activity that is happening. One thing with inertia to me was an area dedicated to variable recurring payments (VRPs). 

Moving from a single payment to VRP environment. This means repeated transactions and not single, immediate payment. This is exciting as there is some effort to get technology to market. We're beginning to see pilots and proofs of concept. This is very encouraging to see, and the focus for regulators is on benefitting end-users and addressing pain points. There have also been recent developments with PSD3 and PSR in the EU. It is encouraging that as well as developments with the SEPA payment access scheme, we are seeing the building blocks that are required to kick off open banking momentum.

This has all happened in just a few months.

What are the key use cases for VRPs and what is the overall business case for this?

One of the best use cases is sweeping. Sweeping VRPs would be an evolution of how consumers can control their finances. The rollout of sweeping, the automatic transfer of money between two accounts, is well underway, much like a direct debit or standing order, except with greater transparency over the amount, frequency and end date. We're beginning to see how end users can have better control and flexibility. It is a terrific opportunity to begin promoting VRPs. The first area where this is happening is lower risk cases, such as tax payments, where VRPs are a great way of complementing existing payment methods. 

This is one of the reasons that Tink partnered with NatWest, as it meant that they had a way to position it to their end users.

What needs to happen to ensure that VRPs are a success story in the UK?

When thinking about what creates the best experience with VRPs, it is understanding the needs of wider adoption. We need to create the best experiences. From our view, we need to consider how to make it easier to get to market, and how to make something reputable. For example, are there ways to standardise it? Could we agree to focus on these use cases, and think about internal operations? Things like this mean any financial institution can use minimal effort to implement VRPs. This is the key to making sure that it can take root in the UK. We want to see how this grows as well, for the best commercial model. This would mean we have a logical, next step in place, such as subscriptions.

Is much work taking place on VRPs in the rest of Europe? Do you think that the recent regulatory proposals could help make way for this kind of innovation?

The UK prides itself on being a leader in open banking. VRP is propelling it as a leader in open banking. In the EU, SEPA is creating the right framework for this. PSD3/PSR creates a capability for uniformity and considers how experiences can be consistent throughout the EU. Beyond that, there is also the European Commission's proposal for instant payments. Instant payment legislation is looking to promote use and create parity in pricing. The adoption of this is a building block for VRP.

In 2024, what do you predict will be the biggest trend in payments?

I think that we will see the continued growth of Pay by Bank with retail consumers. One thing that this will pave the way for is VRPs. I think this is going to be the case in SEPA as well. Other markets, such as Australia, are considering what their equivalent is. 

APPENDIX: Country profiles dashboard
 

UNITED KINGDOM
 

UNITED STATES
 

GERMANY

BRAZIL

AUSTRALIA