Payment acquiring in the UK is regulated by the Financial Conduct Authority (FCA), Payment Systems Regulator (PSR), and international card schemes. Businesses processing card payments must navigate authorization requirements, capital thresholds, and technical compliance standards to operate legally in this space.
April 04, 2025
This guide outlines the regulatory framework for payment acquirers, covering FCA authorization, safeguarding obligations, AML compliance, and scheme membership requirements. It provides essential information for businesses seeking to enter the payment acquiring market or work with established acquirers, detailing both initial licensing steps and ongoing compliance responsibilities.
Who Regulates Payment Acquirers in the UK
Payment acquiring is a regulated activity in the UK, meaning businesses that provide this service must meet strict legal and compliance standards before they can operate. Three key entities are involved in regulating and overseeing acquirers.
Financial Conduct Authority (FCA)
The Financial Conduct Authority (FCA) regulates UK financial services firms. If your firm intends to act as an acquirer—helping merchants accept card payments—you must obtain authorisation under the Payment Services Regulations 2017. Acting as a payment acquirer without FCA authorisation constitutes a criminal offence under UK law.
Payment Systems Regulator (PSR)
While the FCA regulates individual firms, the Payment Systems Regulator (PSR) oversees the systems enabling UK payments, such as Bacs, Faster Payments, CHAPS, and card networks. The PSR ensures that these systems remain competitive and accessible.
This affects acquirers who must use settlement networks and clearing infrastructure or gain scheme access through banking or related services. If you plan to clear and settle transactions via a major system or through an integrator, you must meet the PSR's access requirements—though access terms may not always be favourable.
Card Schemes (Visa, Mastercard)
Beyond UK regulators, acquirers must engage with international Card Schemes such as Visa and Mastercard. Though not governmental bodies, these schemes enforce strict membership and scheme compliance standards for routing card transactions through their networks.
You will need either direct membership or a sponsorship agreement with a principal member. Compliance obligations cover transaction processing, fraud monitoring, technical certification, and dispute handling.
Key UK Legislation Governing Payment Acquirers
The legal foundation for payment acquiring in the UK is built on several key pieces of legislation. These laws define what acquiring activity is, when it becomes regulated, and what obligations apply to businesses involved in processing card payments.
Payment Services Regulations 2017 (PSRs 2017)
The Payment Services Regulations 2017 (PSRs 2017) are the legislative provisions that govern payment services within the UK. They implement the European Union's Second Payment Services Directive (PSD2), which applies to the UK post-Brexit.
The PSRs 2017 stipulate that acquiring of payment transactions is a regulated payment service. Therefore, any company that works with merchants to accept card payments from consumers for goods and services, and settles those payments in conjunction with card schemes, is engaging in a regulated payment service.
The PSRs 2017 allow for:
The application process to become a licensed Payment Institution (PI)
Capital requirements based on business structure and usage volume
Requirements for transparency, complaint handling, and protection of client funds
Strong Customer Authentication (SCA)
The FCA’s rights to surveil, assess, and take action via enforcement against these entities
Electronic Money Regulations 2011 (EMRs 2011)
The Electronic Money Regulations 2011 (EMRs 2011) make licensing necessary for those who provide electronic money (e-money). They also apply to acquirers, particularly those operating under hybrid models that combine e-money provision and acquiring in one channel.
For example, if your acquiring business also offers e-wallets or prepaid accounts where users can deposit money and use it for other services, you will need to be dual-licensed:
An Authorised Payment Institution (API) under the Payment Services Regulations 2017 (PSRs 2017)
An Authorised Electronic Money Institution (EMI) under the Electronic Money Regulations 2011 (EMRs 2011)
Financial Services (Banking Reform) Act 2013
The Financial Services (Banking Reform) Act 2013 is not directly related to the operations of payment institutions but is part of the broader UK financial services regulatory framework related to financial infrastructure that supports payment systems.
Among other things, this Act established the Payment Systems Regulator (PSR) in 2015 and empowered it to:
Encourage competition in payment systems and development
Ensure fair access to infrastructure offered by larger service providers (including acquirers)
Prevent anti-competitive practices within the payment value chain
For payment acquirers—particularly those requiring direct access to schemes or the settlement infrastructure—this Act formalizes your potential claims to access and operate within the payments network at commercially reasonable rates.
Steps to Become a Licensed Payment Acquirer in the UK
Becoming a licensed payment acquirer in the UK is a structured, regulator-led process. From selecting your regulatory status to onboarding your first merchant, each step must meet the standards set by the Financial Conduct Authority (FCA) and align with broader payment scheme requirements.
This section outlines the six key steps your business must follow to legally launch acquiring services in the UK.
4.1 Decide on Entity Type: Authorised vs Small Payment Institution
Your first decision is whether you're going to be an:
Authorised Payment Institution (API)
Small Payment Institution (SPI)
The API route suits larger enterprises that expect to charge more per transaction, provide a more comprehensive slate of services, or seek longer-term growth. APIs face greater requirements: higher capital thresholds, safeguarding obligations, and more complex governance standards.
SPIs are for firms with lower transaction volumes (generally under €3 million/month), with easier access and minimal capital outlay and reporting requirements. In exchange, SPI status limits access to passporting and the range of services that can be offered.
For the majority of acquirers looking to expand, the API route is the typical choice.
4.2 Prepare Your FCA Application Pack
After determining the suitable entity type, the next step is to assemble the complete FCA Application Pack for the FCA's review and approval. The pack includes:
Evidence of your initial capital
Evidence of safeguarding arrangements
AML/CTF, compliance policies, and IT systems
Evidence of your senior managers’ appointment and due diligence (SM&CR forms, etc.)
According to the FCA's guidance, acquiring businesses in regulated industries must create a bespoke application. Failure to provide the requested information will increase processing time.
4.3 Submit Application and Pay Regulatory Fees
Now that your application is ready, submit it via the FCA Connect system. You'll also need to pay the non-refundable regulatory fees, which depend on your acquisition model and transaction volume.
Once submitted, you're in the FCA review queue. APIs typically have a deadline of up to 3 months—although actual timelines often extend to 6–9 months due to FCA feedback timeframes.
4.4 Undergo FCA Assessment and Respond to Queries
The FCA will assess your application, so be ready to respond to follow-up questions in these areas:
Governance and internal controls
Risk management and fraud prevention
Your safeguarding arrangements
Your technology infrastructure and disaster recovery
Maintaining clear communication throughout this stage is essential. The FCA may need clarification, additional documentation, or resolution of concerns before proceeding.
4.5 Receive Authorisation and Begin Onboarding Merchants
Once the FCA is satisfied with all information and requirements, you'll be listed on the FCA Register. Authorisation allows your business to legally conduct regulated acquiring activity in the UK.
However, you still cannot process card payments until the next step: applying to the relevant card schemes.
4.6 Apply for Card Scheme Membership or Partnership
To accept card payments, you must either:
Become a direct member of card schemes (Visa, Mastercard), or
Partner with a principal acquirer already approved by a scheme
With direct membership, you control your acquiring process, but the technical and compliance requirements are substantial. You must complete scheme onboarding and scheme audits, and demonstrate the ability to manage fraud handling, chargebacks, and scheme compliance.
Many new acquirers opt to partner with established processors or scheme members before switching to direct membership as transaction volumes increase.
Core Requirements to Obtain FCA Authorisation
Securing authorisation from the Financial Conduct Authority (FCA) isn’t just about submitting a form — it’s about proving that your business is structured, funded, and governed in a way that meets the regulator’s expectations.
5.1 Minimum Capital Thresholds
The FCA expects all applicants to demonstrate adequate commencement capital appropriate to the payment services being provided.
For acquirers operating as Authorised Payment Institutions (APIs), the minimum capital threshold is:
€125,000 capital requirement for money remittance services (as classified under Annex I of PSRs 2017)
This capital must be liquid, available, and verifiable, not reliant on projected income. Audited confirmations or bank statements must be provided.
5.2 Governance, Senior Management, and SM&CR
The FCA requires acquirers to have a clear governance structure with well-defined responsibilities and a senior leadership team suitable for a regulated financial entity.
You must have:
A Compliance Officer with relevant FCA experience
A Money Laundering Reporting Officer (MLRO) if subject to AML obligations
A senior leadership team with experience in payments, risk, and operations
If your firm falls under the Senior Managers and Certification Regime (SM&CR), you must submit applications for individuals performing a Senior Management Function (SMF). These individuals must be FCA-approved and held personally accountable for regulated activity.
The FCA will assess all key personnel for competence, integrity, and financial soundness.
5.3 Operational and Risk Control Systems
Applicants must demonstrate operational readiness and risk control capabilities appropriate to their acquiring activity.
This includes:
A risk management framework addressing financial risk, operational risk, fraud risk, and reputational risk
Defined internal controls and compliance monitoring processes for transaction processing, compliance breaches, and governance audits
Incident reporting procedures for data breaches, system outages, or security failures
The FCA expects these policies to be implemented, maintained, and periodically reviewed.
5.4 Business Continuity and IT Infrastructure
Acquiring is infrastructure-intensive, and the FCA requires assurance of your systems’ reliability, security, and scalability.
You must provide:
A business continuity plan (BCP) outlining service continuity during outages or disruptions
An IT security policy aligned with ISO 27001 or PCI DSS
A review of core systems architecture, including data flows, third-party dependencies, and backup protocols
If you plan to outsource any core function—such as transaction processing, fraud detection, or data hosting—you must disclose related contracts and demonstrate how you will manage risks in line with outsourcing guidelines in the FCA Handbook (SYSC 8).
Safeguarding and Fund Protection Obligations
Safeguarding is a key compliance requirement for UK-authorised payment acquirers, intended to prevent the loss of customer funds if an acquirer becomes insolvent or fails to operate as anticipated. For acquirers that hold merchant funds directly, receive settlement amounts and take revenue payments, non-compliance with safeguarding requirements results in regulatory enforcement actions and reputational damage.
Segregation vs Insurance-Backed Safeguarding
Per the Payment Services Regulations 2017, authorised payment institutions must protect customer funds through one of two safeguarding measures:
Segregation (the most common method): Funds of customers are placed in a separate safeguarding account with an authorised credit institution (normally a UK or EEA bank). This must be separate from the firm’s own operating accounts, meaning that these funds must be clearly distinguished from operational activity and not used for operating income or investment purposes.
Insurance-backed safeguarding: A safeguard insurance policy or bond can be purchased through an insurance company registered with the FCA. This method requires insurance coverage at 100% of safeguarded amounts, subject to eligibility requirements.
Most firms choose the segregation method as it is simpler and aligned with FCA expectations.
Safeguarding Account Setup, Reconciliation, and Audits
If a firm chooses to segregate, there are requirements during the account opening process, the reconciliation process thereafter, and audits:
Opening of safeguarding accounts: Each account must be named in a way that clearly indicates it is a safeguarding account (e.g., "Client Safeguarding Account - XYZ Ltd"), and the agreement with the banking institution must stipulate restrictions on access to and use of the funds.
Daily reconciliation: A firm must reconcile the actual amounts safeguarded to the accounting of what is owed to clients or merchants—at minimum each business day. Any negative balances must be rectified by the end of that business day using the firm’s unsegregated assets.
Annual audit of safeguarding arrangements: An independent audit opinion from the FCA is expected during the firm's annual audit cycle or regulatory compliance review, confirming compliance with safeguarding requirements.
Non-compliance with safeguarding is one of the more common regulatory concerns identified through FCA enforcement and supervisory actions. It remains a focus of both pre-approval assessment and post-approval supervision.
FCA Monitoring and Best Practices
After obtaining approval, the FCA expects firms to demonstrate compliance with safeguarding requirements at any time, including:
Written policies and procedures related to safeguarding
Governance structure and accountability for safeguarding responsibilities
Internal audit/control reviews of safeguarding activities on a regular basis
Incident reporting procedures for any safeguarding breaches or errors
Aside from assessments triggered by firm-specific issues (e.g., complaints), the FCA may request bank confirmations, reconciliation data, and safeguarding figures during thematic assessments or firm reviews. Recently, enforcement actions have increased against firms misallocating funds, delaying reconciliation, or failing to separate firm money from client money.
Best practice tip
Appoint a dedicated safeguarding officer or make safeguarding part of the remit of your compliance team, supported by clear internal reporting lines and automated reconciliation tools.
Anti-Money Laundering (AML) and Financial Crime Compliance
Payment acquirers sit at a critical point in the financial system — facilitating the movement of funds between customers, merchants, and banks. That position comes with a heightened risk of exposure to money laundering, terrorist financing, and fraud. As a result, the UK imposes strict obligations on all regulated acquirers under its anti-financial crime framework.
MLR 2017 Obligations for Acquirers
All FCA-authorised payment institutions must comply with the Money Laundering Regulations 2017 (MLR 2017). Your firm, as an acquirer, will be considered a relevant person and must take the necessary steps to ensure your service is not used to facilitate crime.
Requirements include:
Conducting a business-wide risk assessment to assess exposure to money laundering and terrorist financing
Having formalised AML policies and procedures with board-level approval and periodic updates
Appointing a nominated officer, typically a Money Laundering Reporting Officer (MLRO), for internal and external disclosures
Training relevant staff on red flags and escalation procedures
Documenting and maintaining due diligence records, monitoring activity, and risk assessments
Your AML framework will be reviewed during your application, and the FCA will assess compliance during ongoing supervision.
Customer Due Diligence (CDD), Monitoring, and Screening
For acquirers, the primary AML risk involves onboarding and maintaining relationships with merchant clients. You must conduct Customer Due Diligence (CDD) at the beginning of every merchant relationship and apply Enhanced Due Diligence (EDD) for:
High-risk geographies or high-risk industries (e.g., crypto, gaming)
Politically Exposed Persons (PEPs)
Complex ownership structures
CDD must include:
Identity verification of merchants and beneficial owners
Understanding the business’s purpose, payment flow, and transaction behaviour
Sanctions screening and PEP list screening, including checks against HM Treasury and OFAC lists
You must also conduct ongoing monitoring, assessing merchant transaction behaviour in real-time or near-real-time using automated rules and behavioural flags to identify suspicious activity.
Suspicious Activity Reports (SARs) and Reporting to the NCA
If ongoing monitoring raises unresolved concerns, you may be required to submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA).
SARs are required when there is suspicion or awareness that a transaction involves:
Criminal property
Proceeds of crime
Terrorist financing
Your firm must have:
An internal escalation procedure (typically to the MLRO)
SAR decision records indicating whether the firm accepted or rejected the report
Capability to submit via the NCA online portal
The NCA may issue a defence against money laundering (DAML), which means you must halt the transaction during the moratorium period until further instruction is given.
PCI DSS, SCA, and Technical Compliance Standards
In addition to financial and operational compliance, payment acquirers in the UK must meet stringent technical, security, and fraud prevention standards. These are essential not only for regulatory approval but also for maintaining card scheme membership and customer trust.
PCI DSS Scope for Acquirers
PCI DSS (Payment Card Industry Data Security Standard) is a global standard developed by card schemes (Visa, Mastercard, etc.) and regulators to protect cardholder data. Acquirers must maintain PCI compliance.
Acquirers are within PCI scope if any systems interface with, process, or store cardholder data or sensitive authentication data.
This includes:
Acquiring platforms and payment gateways
Payment routing and tokenisation systems
Any merchant-facing services operated from your infrastructure
Affected entities must:
Align with the PCI scope of the acquirer
Complete either a Self-Assessment Questionnaire (SAQ) or undergo a QSA-led audit (Qualified Security Assessor)
Implement data encryption, access controls, and secure logging within the PCI scope
Maintain a tested incident response plan.
Acquirers and card schemes must demonstrate compliance annually. If payment processors are not PCI-certified, they risk fines, scheme non-compliance sanctions, or loss of ability to support credit card processing.
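One way to check the "secure logging" control listed above is to scan application logs for card numbers and verification values before they are stored or shipped. The following is an added example, not part of the original guide: it finds Luhn-valid PANs, truncates them to first six and last four digits, and redacts CVV fields. The log format, the `cvv`/`cvc` field names and the truncation format are assumptions, and the sample lines are constructed with well-known test card numbers.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed field names for the card verification value; adjust to your log schema.
CVV_FIELD = re.compile(r"\b(cvv2?|cvc2?)(\s*[=:]\s*)\d{3,4}\b", re.IGNORECASE)

# Constructed sample log lines (test card numbers, not real cardholder data).
SAMPLE_LOG = [
    "2025-04-04T10:15:22Z INFO auth ok merchant=MID-0001 pan=4111111111111111 amount=25.00",
    "2025-04-04T10:15:23Z DEBUG request body card=5555 5555 5555 4444 cvv=123",
    "2025-04-04T10:15:24Z INFO order_ref=1234567890123456 status=settled",
    "2025-04-04T10:15:25Z INFO token=tok_9f2c status=ok",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order ids and other long numbers."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:          # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (assumed truncation format)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str):
    """Return (scrubbed_line, pans_masked, cvvs_redacted) for one log line."""
    pans = 0

    def _mask(match):
        nonlocal pans
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            pans += 1
            return mask_pan(digits)
        return match.group(0)       # not a card number: leave untouched

    line = PAN_CANDIDATE.sub(_mask, line)
    line, cvvs = CVV_FIELD.subn(r"\1\2[REDACTED]", line)
    return line, pans, cvvs


def scrub_log(lines):
    """Scrub every line and report which line numbers carried card data."""
    clean, findings = [], []
    for number, line in enumerate(lines, start=1):
        scrubbed, pans, cvvs = scrub_line(line)
        clean.append(scrubbed)
        if pans or cvvs:
            findings.append({"line": number, "pans": pans, "cvvs": cvvs})
    return clean, findings


if __name__ == "__main__":
    cleaned, report = scrub_log(SAMPLE_LOG)
    for entry in cleaned:
        print(entry)
    print(report)
```

A non-empty findings list means a component inside the PCI scope is writing cardholder data to logs and should be fixed at the source; scrubbing alone only limits the exposure.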
Strong Customer Authentication (SCA) and RTS Compliance
Strong Customer Authentication (SCA) is required under the UK implementation of the EU Regulatory Technical Standards (RTS) on SCA and Secure Communication, as mandated by PSD2.
SCA enforces two-factor authentication for most card-not-present transactions. While acquirers don’t execute authentication, they must:
Support SCA-compliant message flows in coordination with merchants and issuers.
Implement and maintain 3D Secure (3DS) and associated protocol upgrades
Educate merchants on proper exemption logic usage (e.g., low-risk exemptions)
Non-compliance with SCA can result in declined transactions and chargebacks that cannot be contested. Acquirers are expected to proactively monitor authentication performance and act on fraud detection and red flags.
Fraud Detection and Incident Reporting
Fraud detection and effective response are core compliance obligations for payment acquirers.
Deploy transaction monitoring systems using rule-based or machine learning-based fraud prevention, tailored to merchant behaviour.
Implement chargeback management and structured dispute-handling processes.
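The rule-based monitoring described here, and the ongoing merchant monitoring required under Customer Due Diligence, can be sketched as per-merchant behavioural rules. This is an added example, not part of the original guide or any scheme's rule set: all thresholds, field names and merchant ids are assumptions, and the daily totals are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds; a real programme tunes these per merchant category.
MIN_HISTORY_DAYS = 5        # days of baseline needed before the spike rule runs
SPIKE_SIGMAS = 3.0          # spike = amount above mean + 3 standard deviations
MIN_RELATIVE_STDEV = 0.05   # floor so a perfectly flat history is not hypersensitive
MAX_REFUND_RATIO = 0.30     # refunds / sales amount
MAX_CHARGEBACK_RATIO = 0.01 # chargebacks / sales count

# Constructed daily totals, in chronological order per merchant:
# (merchant_id, day, sales_count, sales_amount, refund_amount, chargebacks)
SAMPLE_DAYS = [
    ("M-CAFE", "2025-04-01", 100, 1000.0, 20.0, 0),
    ("M-CAFE", "2025-04-02", 100, 1050.0, 20.0, 0),
    ("M-CAFE", "2025-04-03", 100, 980.0, 20.0, 0),
    ("M-CAFE", "2025-04-04", 100, 1020.0, 20.0, 0),
    ("M-CAFE", "2025-04-05", 100, 990.0, 20.0, 0),
    ("M-CAFE", "2025-04-06", 100, 1010.0, 20.0, 0),
    ("M-SHOP", "2025-04-01", 200, 2000.0, 40.0, 0),
    ("M-SHOP", "2025-04-02", 200, 2100.0, 40.0, 1),
    ("M-SHOP", "2025-04-03", 200, 1900.0, 40.0, 0),
    ("M-SHOP", "2025-04-04", 200, 2050.0, 40.0, 0),
    ("M-SHOP", "2025-04-05", 200, 1950.0, 40.0, 0),
    ("M-SHOP", "2025-04-06", 300, 9000.0, 3500.0, 6),
]


def evaluate(days):
    """Return (merchant, day, rule) alerts for chronologically ordered records."""
    history = defaultdict(list)   # merchant -> sales amounts accepted as baseline
    alerts = []
    for merchant, day, count, amount, refunds, chargebacks in days:
        past = history[merchant]

        # Rule 1: volume spike against the merchant's own baseline.
        spike = False
        if len(past) >= MIN_HISTORY_DAYS:
            baseline = mean(past)
            spread = max(pstdev(past), MIN_RELATIVE_STDEV * baseline)
            spike = amount > baseline + SPIKE_SIGMAS * spread
        if spike:
            alerts.append((merchant, day, "volume_spike"))
        else:
            # Flagged days are kept out of the baseline so that a burst of
            # anomalous activity cannot normalise itself.
            past.append(amount)

        # Rule 2: refunds unusually high relative to sales.
        if amount > 0 and refunds / amount > MAX_REFUND_RATIO:
            alerts.append((merchant, day, "refund_ratio"))

        # Rule 3: chargebacks unusually high relative to transaction count.
        if count > 0 and chargebacks / count > MAX_CHARGEBACK_RATIO:
            alerts.append((merchant, day, "chargeback_ratio"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_DAYS):
        print(alert)
```

Alerts from rules like these feed the internal escalation route (typically to the MLRO) rather than acting as a decision on their own.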
If a security incident occurs (e.g., data breach, or significant fraud), you are required to notify the FCA without undue delay. Notification obligations are detailed in SUP 15.3 of the FCA Handbook. Incidents that may trigger reporting include:
Material customer impact
Significant data loss
Major operational disruptions
Additionally, card schemes may require separate notifications and initiate forensic investigations, especially in cases involving compromised PAN or CVV data.
Post-Authorisation FCA Compliance Requirements
Once authorised by the Financial Conduct Authority (FCA), payment acquirers must comply with ongoing post-authorisation compliance obligations. These standards are mandatory—non-compliance can risk your regulated status, endanger client funds, or result in conduct breaches under UK regulations.
All regulated payment firms must submit regulatory returns through the RegData platform on a scheduled basis. Acquirers are primarily responsible for submitting:
REP017 report – includes payment services data such as transaction volumes, fraud statistics, and customer complaints
REP018 report – covers operational and security risks, including resilience measures
REP017 relates to market activity and service performance, while REP018 addresses non-fraud-related operational incidents and evaluates your firm’s resilience. These reports are used by the FCA to monitor your risk profile. Submission deadlines vary based on firm size but must be timely, accurate, and consistent with previous filings to avoid scrutiny for misreporting or delays.
Under SUP 15 of the FCA Handbook, authorised firms must notify the FCA of material changes or incidents, including:
Changes to control, directors, senior management, or regulated activities
Data breaches, major fraud incidents, or operational suspensions
Such events must be reported within the required notification window—typically one business day. Notifications must be submitted through official channels, clearly and promptly.
Acquirers must also comply with governance expectations set out in the Senior Managers and Certification Regime (SM&CR). This includes ensuring that senior managers and certified staff demonstrate integrity, uphold effective risk management, and promote fair customer outcomes.
Additionally, firms are subject to extensive recordkeeping practices, including:
Transaction logs
Safeguarding reconciliations
Complaints records
Internal audit trails
These records must be retained for a minimum of five years and be available for FCA review at any time.
Finally, all FCA-regulated acquirers are responsible for paying FCA annual fees, determined by firm size and regulatory permissions. These must be paid on time to avoid penalties or enforcement action.
Card Scheme Membership and Acquirer Licences
Authorisation from the FCA allows you to operate as a payment acquirer under UK law — but it does not, by itself, give you access to the card networks. To process card transactions for merchants, you must either become a licensed member of card schemes like Visa and Mastercard or work with a scheme-approved partner.
Visa/Mastercard Scheme Onboarding Process
There is a scheme-specific onboarding and certification testing process. This is a secondary, intensive approval that occurs concurrently with your FCA registration, and it is equally rigorously reviewed. During Visa scheme onboarding and Mastercard scheme onboarding, the card schemes will assess your:
Legal status and FCA registration
Financial strength and capital reserves
Risk management systems and fraud management systems
Technical readiness, including PCI DSS compliance
Chargeback handling procedures and internal governance
In addition, scheme network integration is required, including transaction testing and approval, and may involve letters of support from bank sponsorship or processing partners. Scheme onboarding can take several months and should be factored into your launch timeline.
Direct vs Sponsored Membership Models
New and scaling acquirers must decide between direct membership and sponsored membership.
With direct membership, your firm becomes a scheme member and takes full responsibility for scheme compliance, settlement, and risk management. This model requires fulfilling a wide range of technical, financial, and operational controls, including the provision of a scheme guarantee, access to clearing funds, and compliance with all scheme rules.
Sponsored membership allows firms to access schemes via a principal member, bank sponsor, or acquirer-processor. This option reduces operational complexity and accelerates time to market, as the sponsor generally manages scheme communications, settlement, and compliance infrastructure. However, it limits your control over internal governance, pricing, operations, and branding.
Regardless of the model, firms must maintain a defined internal governance framework and robust risk controls.
Scheme Compliance Obligations and Audits
Joining a scheme through Visa or Mastercard brings ongoing scheme compliance requirements and regular scheme audits, including:
Ongoing PCI DSS compliance
Fraud data reporting, chargeback data reporting, and performance data reporting
Participation in scheme-led reviews or audits
Addressing compliance alerts for issues such as fraud thresholds or late settlements
Card schemes take swift action against non-compliant acquirers—ranging from fines to membership termination. To mitigate risk, acquirers must stay aligned with scheme updates and conduct regular internal reviews in collaboration with compliance and revenue operations teams.
How DECTA Supports Licensed Acquirers with Turnkey Acquirer Processing
DECTA offers a comprehensive turnkey acquirer processing solution through a unified acquirer processing platform that delivers tailored services to meet the needs of banks and financial institutions. These solutions simplify acquiring from regulatory compliance, payment data security, and functional standpoints.
What DECTA Offers for Acquirer Processing:
Merchant Onboarding and Management: Automated MID (Merchant Identification Number) and TID (Terminal Identification Number) management are available 24/7. DECTA's legal entity handling, rate plans, and visibility into merchant and terminal IDs reduce administrative burdens for faster merchant onboarding.
Transaction Routing and Processing: Supports omnichannel processing. DECTA consolidates sales channels into a single system that enables seamless POS (Point of Sale) integration and mobile payments.
3D Secure Payment Authentication: DECTA enables support for the latest 3D Secure (3DS v2.2) standards and full PSD2 compliance, including Strong Customer Authentication (SCA). This helps reduce fraud risk and increase payment acceptance rates.
Tokenized Payments: Accept tokenized payments through eWallet integration with Apple Pay, Google Pay, and Samsung Pay. Tokenization provides fast and secure transactions both in-store and online.
Direct Scheme Connectivity and PCI-Compliant Stack: DECTA provides direct scheme connectivity, including both Mastercard connectivity and Visa connectivity, supported by a PCI DSS Level 1 certification infrastructure for maximum payment data security.
DECTA’s acquirer processing platform provides licensed acquirers with a secure, scalable infrastructure trusted by merchants for reliable transaction routing and varied payment processing capabilities.