Regulations explainer for product teams | Edenred Payment Solutions

Written by Edenred Payment Solutions | Dec 18, 2025 3:54:51 PM

The regulatory landscape for fintech and banking products is evolving rapidly across the UK and Europe. A combination of newly enacted laws and forthcoming reforms will influence how financial data is accessed and shared, how payments are designed and safeguarded, how fraud is managed, and how firms approach operational resilience. While some measures are already in force and others are still being finalised, the direction of travel is clear.

This blog outlines the key regulatory changes product teams should be planning for, explaining what each initiative is about, what is changing, when it applies, who it affects, and what it means for product roadmaps in 2026.

The bigger picture: What's really changing

Taken together, these initiatives point to a coordinated regulatory shift. Regulators are pushing for greater data portability under tighter controls, stronger consumer protection in payments, and higher standards for resilience and third-party risk management. Although each regulation targets a specific area, they increasingly intersect in practice.

Decisions around consent design, data architecture, payment flows, or vendor dependencies are now likely to have implications across multiple regulatory regimes. For product teams, understanding this broader context is essential to avoid fragmented solutions and repeated re-engineering as new rules take effect.

🇬🇧: Data (Use and Access) Act (DUAA) and Smart Data

What it is 
The Data (Use and Access) Act provides the statutory framework for the UK’s Smart Data initiative, which is intended to extend open banking principles into a broader open finance ecosystem.

What is changing
The Act enables the government to introduce sector-specific Smart Data schemes via secondary legislation. These schemes may require firms to share customer data securely with authorised third parties, subject to customer consent. The scope is expected to extend beyond payment accounts to include areas such as pensions, insurance and credit data.

When it applies
The Act has received Royal Assent, with implementation expected to be phased as individual Smart Data schemes are defined and brought into force from 2025 onwards.

Who it affects
Banks, fintechs, insurers, pension providers, credit providers and other organisations that hold or use customer financial data.

⚒️ What this means for product teams

  • Design granular, revocable consent journeys with clear transparency for users
  • Plan for expanded data models beyond traditional open-banking datasets
  • Review API and permissions architecture to support future Smart Data schemes
  • Coordinate early with legal and compliance to reduce later re-engineering

🇪🇺: Financial Data Access Regulation (FiDA)

What it is
The Financial Data Access Regulation (FiDA) is the EU’s proposed open finance framework, intended to extend regulated data sharing across a wide range of financial products.

What is changing
FiDA would introduce obligations for financial institutions to provide access to certain categories of customer financial data through secure, standardised interfaces, subject to customer permission and governance requirements.

When it applies
FiDA is still progressing through the EU legislative process. Subject to final adoption, phased application is expected from 2026 onwards, alongside technical standards.

Who it affects
EU financial institutions and authorised third-party providers, as well as UK firms with EU customers, partners or data integrations.

⚒️ What this means for product teams

  • Prepare to support new data categories (e.g. investments, pensions, insurance)
  • Align consent and permissions UX with EU-level expectations
  • Ensure architecture can support cross-border data sharing and compliance
  • Build flexibility into data access layers to accommodate evolving standards

🇪🇺: PSD3 and the Payment Services Regulation (PSR)

What it is
The PSD3 and Payment Services Regulation (PSR) package is the EU’s update to PSD2, aimed at strengthening the framework for payment services.

What is changing
The proposals focus on improved fraud prevention, stronger consumer protection, increased transparency, clearer safeguarding requirements and greater harmonisation across EU member states. Measures such as payee name-matching and clearer liability rules are expected to feature more prominently.

When it applies
The legislative process is ongoing. Most changes are expected to be phased in from 2026, subject to final agreement and technical standards.

Who it affects
EU payment service providers and e-money institutions, as well as UK firms that offer payment services into the EU or rely on EU-regulated payment partners.

⚒️ What this means for product teams

  • Anticipate changes to payment initiation flows, including name-matching
  • Review refund, dispute and reimbursement journeys
  • Strengthen fraud detection and user-facing fraud warnings
  • Reassess partner integrations where EU PSPs adopt PSD3-aligned requirements

🇬🇧: Operational resilience and third-party risk

What it is
UK regulators (FCA, PRA and Bank of England) have introduced operational resilience rules requiring firms to identify important business services, set impact tolerances and prepare for disruption. Oversight of critical third parties is being strengthened.

What is changing
Regulators are moving toward more consistent incident reporting and stronger expectations around third-party risk management, particularly for firms heavily reliant on technology providers and outsourced services.

When it applies
Core resilience requirements are already in force, with further refinements and additional reporting expectations anticipated through 2026.

Who it affects
UK banks, payment firms, fintechs and their key third-party service providers.

⚒️ What this means for product teams

  • Map critical services and third-party dependencies tied to product features
  • Design degradation and fallback journeys for outages
  • Ensure products support clear incident communication
  • Treat resilience as a product design requirement, not just an operational one

🇪🇺: Digital Operational Resilience Act (DORA)

What it is
The Digital Operational Resilience Act (DORA) establishes a harmonised EU framework for ICT risk management, testing, incident reporting and oversight of critical ICT third-party providers.

What is changing
DORA introduces standardised digital resilience requirements across the EU financial sector, including expectations for incident handling and third-party oversight.

When it applies
DORA has applied since January 2025, with supervisory scrutiny expected to increase over time.

Who it affects
EU financial entities and ICT service providers, and UK firms that integrate closely with EU-regulated entities.

⚒️ What this means for product teams

  • Embed incident detection, response and recovery into core platforms
  • Review vendor contracts for resilience and audit requirements
  • Support structured ICT incident reporting workflows
  • Coordinate closely with engineering and security teams

🇬🇧-🇪🇺: Fraud, Safeguarding and Customer Protection

What it is
Regulators in both the UK and EU are strengthening expectations around fraud prevention, reimbursement and the safeguarding of customer funds.

What is changing
In the UK, the FCA has signalled enhanced safeguarding standards for payment and e-money firms. In the EU, PSD3 proposals aim to clarify liability and strengthen consumer protection in cases of fraud.

When it applies
UK safeguarding reforms are expected to apply from 2026, while EU changes will follow the PSD3/PSR implementation timeline.

Who it affects
Payment institutions, e-money firms, wallets, marketplaces and embedded finance providers.

⚒️ What this means for product teams

  • Review safeguarding and reconciliation processes
  • Improve fraud warning, escalation and reimbursement journeys
  • Ensure customer protections are clearly communicated in-product
  • Align product behaviour with evolving liability expectations

🇬🇧-🇪🇺: Data Protection and Privacy (UK GDPR, EU GDPR, DUAA and FiDA)

What it is
UK GDPR and EU GDPR remain the foundation for personal data processing, with new open finance initiatives layering additional access and consent requirements on top.

What is changing
Smart Data and FiDA introduce new expectations around user control, transparency and revocation, while continuing to operate within GDPR principles such as data minimisation and purpose limitation.

When it applies
Changes will apply progressively as Smart Data schemes and EU open finance rules are implemented through 2026.

Who it affects
Any organisation processing customer financial or personal data.

⚒️ What this means for product teams

  • Map all data flows to a clear lawful basis
  • Build consent management and revocation into core UX
  • Review data retention and deletion logic
  • Ensure cross-border data transfers meet UK and EU requirements

Final thoughts

These regulatory developments signal a long-term shift in how financial products are expected to be designed and operated. For product leaders, the challenge is no longer simply tracking individual regulations, but understanding how they collectively change expectations around data access, payments, resilience and customer protection.

Enterprises that treat regulation as a strategic input into product design - rather than a reactive constraint - will be better positioned to adapt as rules are finalised, reduce delivery risk, and maintain trust with customers, regulators and partners as the industry moves toward 2026 and beyond.

Elevate your product offering in 2026

If you are planning to scale, optimise, or innovate your payment products in 2026, get in touch with our experts to find out how we can help you.