Regulatory Change Management — A Framework for Payment Firms

The pace of regulatory change affecting payment institutions and EMIs has accelerated significantly. In 2025–2026 alone, firms face new safeguarding requirements under PS25/12, the transition of cryptoasset regulation from MLRs to FSMA, evolving Consumer Duty expectations, operational resilience deadlines and incoming rules on digital settlement assets. Firms that lack a structured approach to regulatory change management risk compliance gaps, costly last-minute implementation projects and supervisory criticism. This guide sets out a practical framework.

Why Regulatory Change Management Matters

The FCA expects payment firms to maintain systems and controls that ensure ongoing compliance with all applicable regulatory requirements. This includes the ability to identify regulatory changes that affect the firm, assess their impact, and implement necessary changes in a timely and orderly manner. Firms that wait until rules are finalised — or worse, until enforcement action highlights non-compliance — demonstrate a reactive compliance culture that the FCA views unfavourably.

A structured regulatory change management framework serves several purposes: it provides early warning of upcoming changes, allowing the firm to plan resources and budgets; it ensures that changes are assessed systematically for their impact on processes, systems, documentation and customer communications; it creates an auditable record of the firm's engagement with regulatory developments; and it reduces the risk of compliance gaps that could result in regulatory action or customer harm.

The Four-Stage Framework

We recommend a four-stage framework for regulatory change management: Identify, Assess, Implement and Review.

Stage 1 — Identify (Horizon Scanning). The first stage involves systematic monitoring of regulatory developments from all relevant sources. For UK payment firms, the primary sources include: FCA Policy Statements, Consultation Papers and Guidance; HM Treasury legislation, consultations and policy papers; Payment Systems Regulator publications; Bank of England publications (particularly for firms involved in systemic payment systems); EU regulatory developments (relevant for firms with EU operations or where EU rules influence UK policy); and international standards from bodies such as the Financial Action Task Force (FATF), the Basel Committee and the Committee on Payments and Market Infrastructures (CPMI).

Horizon scanning should be conducted at least monthly, with key findings summarised in a regulatory change register that records the source, subject matter, potential impact, key dates and the individual responsible for tracking each item.

Stage 2 — Assess (Impact Analysis)

Each identified regulatory change should be assessed for its impact on the firm. The assessment should cover: which business lines, products, services or customer segments are affected; what changes are required to policies, procedures, processes, systems, contracts or customer communications; the resource requirements (internal staff, external advisers, technology changes); the implementation timeline and key milestones; and any dependencies or interactions with other ongoing changes.

The impact assessment should be proportionate to the significance of the change. A minor amendment to reporting requirements may need only a brief assessment and a process update. A fundamental change such as PS25/12 or the cryptoasset regime transition requires a detailed impact assessment, a dedicated project plan and board-level oversight.

Stage 3 — Implement

Implementation should follow a structured project approach with clear ownership, milestones and governance. For material changes, we recommend: appointing a named project owner (ideally a senior manager under SMCR); developing a detailed implementation plan with tasks, owners, deadlines and dependencies; conducting gap analyses between current arrangements and new requirements; updating policies, procedures, systems, templates and customer communications; delivering staff training on the new requirements; and conducting testing or dry runs where practical (for example, testing new reporting processes before the first live submission).

Implementation progress should be reported regularly to the compliance function and, for material changes, to the board or a relevant committee.

Stage 4 — Review (Post-Implementation)

After a change has been implemented, the firm should conduct a post-implementation review to verify that: all planned changes have been completed; the new arrangements are operating as intended; staff understand and are following the new processes; no unintended consequences or gaps have emerged; and lessons learned are captured for future change management projects.

The post-implementation review should be conducted within a defined period after go-live (typically 1–3 months, depending on the complexity of the change). Findings should be documented and any remedial actions tracked to completion.

Governance and Reporting

The regulatory change management framework should be embedded in the firm's governance structure. The compliance function should maintain the regulatory change register, provide regular reports to the board or relevant committee, and escalate material risks or resourcing challenges in a timely manner. The board should receive at least quarterly updates on the regulatory change pipeline, implementation progress and any areas of concern.

For firms operating under the SMCR, the Senior Manager responsible for compliance (typically the SMF16 Compliance Oversight function) should have explicit responsibility for the regulatory change management framework in their Statement of Responsibilities.

Regulatory Counsel advises payment institutions and EMIs on regulatory change management, compliance frameworks and governance. Contact us for a free initial consultation. See our compliance monitoring and governance frameworks pages for more.