Cross-Border Payment Regulation in the UK: A Framework Guide for Payment Firms

Regulatory Counsel · March 2026

Key Takeaways

  • Cross-border payment services are regulated under the Payment Services Regulations 2017, with additional obligations under the MLRs 2017, Sanctions and Anti-Money Laundering Act 2018, and FCA supervisory guidance.
  • Since Brexit, UK payment institutions cannot passport into the EEA. Firms serving EU customers must establish local authorisation, use agent arrangements or partner with EU-licensed institutions.
  • The FCA applies heightened scrutiny to cross-border payment corridors assessed as higher risk for financial crime — particularly remittance corridors to jurisdictions with weak AML frameworks.
  • Correspondent banking relationships are subject to enhanced due diligence requirements under Regulation 34 of the MLRs 2017, including assessment of the respondent institution's AML controls.
  • Agent networks for cross-border payments require FCA registration, ongoing oversight, regular due diligence reviews and documented accountability within the firm's governance structure.

Cross-border payment services represent one of the most complex regulatory environments for UK payment institutions. Firms providing international remittance, cross-border merchant acquiring, foreign currency payment execution or multi-jurisdictional e-money services must navigate overlapping obligations under the Payment Services Regulations 2017, the Money Laundering Regulations 2017, UK sanctions legislation, and FCA supervisory guidance. Since Brexit, the loss of passporting rights has added further complexity for firms serving European Economic Area markets. This guide examines the regulatory framework, FCA expectations and practical compliance considerations for payment institutions operating across borders.

The Regulatory Framework for Cross-Border Payments

The PSRs 2017 authorise payment institutions to provide regulated payment services — including payment execution, money remittance and merchant acquiring — within and from the United Kingdom. There is no separate cross-border payment licence; the firm's API (authorised payment institution) or SPI (small payment institution) authorisation covers both domestic and international services. However, cross-border services attract additional regulatory scrutiny and specific compliance obligations that do not apply — or apply with less intensity — to purely domestic operations.

The key regulatory instruments governing cross-border payment activity include: the PSRs 2017 (the primary authorisation framework); the MLRs 2017 (anti-money laundering obligations, including enhanced due diligence for correspondent relationships and high-risk jurisdictions); the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) and associated statutory instruments (sanctions compliance); the Proceeds of Crime Act 2002 (suspicious activity reporting); and FCA supervisory guidance, including Dear CEO letters and thematic reviews targeting cross-border payment risks.

Post-Brexit EEA Access

Before Brexit, UK-authorised payment institutions could passport into EEA member states under PSD2, providing services across the single market without additional local authorisation. This passporting right ceased at the end of the transition period on 31 December 2020. UK payment institutions can no longer provide regulated payment services into EEA jurisdictions on a cross-border basis or through establishment (branches) without obtaining local authorisation in the relevant member state.

Firms that previously relied on passporting must now choose from several options: establishing a separately authorised entity in an EU/EEA member state (often Ireland, Lithuania or the Netherlands); registering agents in EEA jurisdictions through an EU-authorised partner; entering into contractual arrangements with locally authorised institutions; or restricting services to non-EEA markets. The choice depends on the firm's business model, volume of EU business, cost tolerance and strategic priorities. See our guides on Lithuania vs Ireland and passporting after Brexit for detailed analysis.

AML and Financial Crime Obligations

Cross-border payment activity attracts heightened AML obligations because international transactions inherently involve greater complexity, reduced transparency and — for certain corridors — elevated financial crime risk. The MLRs 2017 require payment institutions to conduct a business-wide risk assessment that specifically addresses the geographic risk profile of their payment flows. Firms must identify and assess the money laundering and terrorist financing risks associated with each jurisdiction in which they operate, considering factors including the jurisdiction's AML framework, FATF mutual evaluation results, sanctions exposure, corruption indices and the firm's own transaction data.

For specific payment corridors assessed as higher risk — including remittance to jurisdictions with identified AML deficiencies — the FCA expects enhanced transaction monitoring, stricter customer due diligence thresholds and more intensive ongoing monitoring. The FCA's Dear CEO letter to payment firms in 2023 specifically highlighted concerns about inadequate geographic risk assessment and insufficient tailoring of controls to corridor-specific risks.

Correspondent Banking and Payment Relationships

Payment institutions that access international payment networks through correspondent banking relationships are subject to the enhanced due diligence requirements in Regulation 34 of the MLRs 2017. This applies to relationships with credit institutions or other financial institutions in third countries through which the PI executes cross-border payments — commonly known as 'respondent' relationships from the correspondent bank's perspective.

Enhanced due diligence for correspondent relationships requires: gathering sufficient information about the respondent institution to understand its business, reputation and quality of supervision; assessing the respondent's AML/CTF controls; obtaining senior management approval before establishing or continuing the relationship; clearly understanding the respective AML responsibilities of each party; and, where payable-through accounts are involved, being satisfied that the respondent institution has conducted adequate due diligence on the customers with direct access.

Agent Networks and Distribution

Many cross-border payment institutions — particularly money remittance operators — distribute services through agent networks in both the UK and receiving jurisdictions. Under the PSRs 2017, agents providing payment services in the UK must be registered with the FCA. The principal firm (the authorised PI) is responsible for the regulatory compliance of its agents, including AML obligations. The FCA requires firms to: conduct fit-and-proper due diligence on agents before appointment; provide adequate training on regulatory obligations; implement ongoing monitoring of agent activity; conduct periodic reviews (at least annual) of agent compliance; and maintain registers of all appointed agents.

For overseas agents and distribution partners, the picture is more complex. The FCA does not register overseas agents, but it expects UK-authorised firms to exercise appropriate oversight of any third parties through which they deliver services internationally. The FCA's supervisory approach focuses on whether the UK firm has adequate systems and controls to manage the risks arising from its international distribution network — including financial crime risk, operational risk and consumer protection.

FCA Supervisory Focus Areas

The FCA has identified cross-border payment services as a priority supervisory area, with particular focus on: adequacy of geographic risk assessment and corridor-specific controls; quality of transaction monitoring for international payment flows; robustness of agent and distribution partner oversight; compliance with the crypto travel rule for cross-border cryptoasset transfers; sanctions screening effectiveness for high-volume cross-border transactions; and consumer protection — including transparency of fees, exchange rate margins and execution timescales for international payments.

Firms should expect supervisory engagement on these topics through the normal supervisory cycle, section 166 skilled person reviews, thematic reviews and, where deficiencies are identified, enforcement action. The FCA's 2024 enforcement statistics showed a continued increase in action against payment firms, with cross-border financial crime controls featuring prominently in published outcomes.

Frequently Asked Questions

No. The API or SPI authorisation covers both domestic and cross-border services. However, cross-border activity attracts additional AML, sanctions and supervisory obligations.

Not via passporting. Firms must establish an EU-authorised entity, use agent arrangements through an EU partner, or restrict to non-EEA markets.

Regulation 34 of the MLRs requires assessment of the respondent's AML controls, senior management approval, understanding of respective responsibilities, and for payable-through accounts, satisfaction that the respondent conducts adequate customer due diligence.

The FCA expects UK-authorised firms to exercise appropriate oversight including due diligence, training, monitoring and periodic reviews — even for agents outside the UK.
