For UK payment institutions and e-money firms, 2026 will be less about regulatory interpretation and more about regulatory delivery. The policy direction is now largely set. What matters is execution quality, governance credibility, and the ability to evidence good outcomes consistently.
This shift is firmly rooted in the FCA’s Strategy 2025–2030, which seeks to support growth and innovation while strengthening trust, reducing financial crime, and improving consumer resilience. For firms, the message is clear: innovation is welcome, but only where control environments scale with complexity and volume.
The supervisory baseline
The FCA’s 2025 Dear CEO portfolio strategy letter for payments firms effectively defines the minimum supervisory standard for 2026. It reinforces three core expectations: effective competition that delivers customer value, strong financial system integrity, and robust protection of customer funds.
In practice, the FCA is signalling reduced tolerance for weak governance and fragmented accountability. Firms should expect scrutiny where boards lack clear ownership of key risks, where oversight of agents and partners is superficial, or where management information focuses on activity rather than outcomes. Growth strategies that outpace control maturity – whether through new corridors, embedded finance partnerships or programme management models – are likely to attract challenge.
The FCA’s approach reflects its wider strategic objective of being a more assertive, data-driven regulator. For firms, this means being able to demonstrate not just that controls exist, but that they work.
Financial crime: a standing strategic priority
AML, sanctions and financial crime remain at the sharpest edge of FCA supervision. This is not a cyclical focus but a structural one, explicitly embedded within the FCA’s long-term strategy.
In 2026, supervisory attention is likely to centre on three pressure points. First, sanctions screening effectiveness, including alert handling quality, governance and auditability. Second, correspondent, agent and partner risk, particularly where complex payment chains obscure accountability. Third, velocity risks associated with instant payments and crypto on- and off-ramps.
The FCA’s expectations have moved decisively beyond the existence of frameworks and policies. Boards are increasingly held accountable for whether financial crime controls are appropriately resourced, independently tested and supported by credible MI. Weaknesses in AML systems are now treated as much as governance failures as they are technical compliance gaps.
Operational resilience: from transition to scrutiny
The end of the operational resilience transition period in March 2025 marked a turning point. Firms are now expected to remain within impact tolerances for their important business services under severe but plausible disruption.
For 2026, this translates into a “prove it” supervisory stance. The FCA is likely to test whether service mapping reflects real operational dependencies, whether scenario testing is sufficiently challenging, and whether firms have realistic substitution and recovery strategies – particularly in relation to third-party and cloud service providers.
Outage communications and incident management are also likely to attract closer attention, reflecting the FCA’s consumer resilience objective. Firms that treat operational resilience as a documentation exercise rather than an operating discipline risk falling short.
Fraud and APP scams: sustainability over compliance
Fraud, and APP fraud in particular, sits at the intersection of consumer protection, operational risk and financial sustainability. While the APP reimbursement regime came into force in October 2024, 2026 will be about whether firms’ fraud operating models are economically and operationally sustainable.
Supervisory interest is likely to extend beyond formal compliance into areas such as scam prevention effectiveness, confirmation of payee performance, case handling quality, and governance of fraud analytics and decisioning models. For boards, fraud is no longer simply a conduct risk; it is a balance-sheet risk with direct implications for pricing, product design and partnerships.
What boards should be doing now
As firms enter 2026, boards should focus on a small number of fundamentals. Risk appetite statements should be refreshed to reflect safeguarding, fraud, financial crime and resilience tolerances in practical terms. Management information should evidence outcomes and harm reduction, not just control activity. Finally, firms should subject safeguarding, resilience and fraud frameworks to audit-style testing to ensure they can withstand supervisory scrutiny.
Part 2 of this series will examine how structural reform, safeguarding changes and the expansion of the crypto regulatory perimeter will reshape the UK payments landscape in 2026 and beyond.
