Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re building (or scaling) a product that moves money, you’ve probably come across payment initiation.
For UK startups and SMEs, it can be a brilliant way to improve checkout conversion, reduce card fees, and offer customers a faster way to pay. But it also sits in a heavily regulated area where a “move fast” mindset can create expensive problems later.
In this guide, we’ll break down what payment initiation is, where the legal risks tend to sit, and the practical steps you can take to stay compliant and protect your business from day one. This article is general information only and isn’t a substitute for regulatory advice (your FCA position is highly fact-specific).
What Is Payment Initiation (And Why Does It Matter For Your Business)?
Payment initiation is the process of initiating a bank transfer from a customer's bank account (held with their own bank) to a merchant or business, at the customer's request and with their authorisation. The firm that initiates the payment never holds the money itself; the funds move bank to bank.
In plain English: rather than your customer typing in card details or manually sending a bank transfer, a payment initiation flow can let them authorise a payment through their bank, and your system triggers the payment as part of the checkout or invoicing journey.
Common Ways Startups And SMEs Use Payment Initiation
- Ecommerce checkout (as an alternative to cards).
- Invoice payments where customers can click a link and approve a transfer through their banking app.
- Subscriptions (more complex, because instant bank payments aren't the same thing as Direct Debits: there is no standing mandate, and each standard open banking payment generally needs the customer to authenticate with their bank again).
- Marketplaces that collect funds from buyers and pay out to sellers (often raises additional regulatory questions).
Why The Legal Side Matters Early
Payment initiation often touches:
- regulated financial services rules (including whether you need authorisation);
- data protection (because you’ll be handling personal and sometimes sensitive financial data);
- consumer law (if you’re selling to consumers and need to handle refunds and complaints properly);
- contract risk (because you’ll likely rely on third parties and need strong legal protections).
Getting these foundations right early can make fundraising, partnerships, and scaling much smoother.
Is Payment Initiation Regulated In The UK?
Often, yes.
In the UK, payment initiation is closely tied to the regulatory framework that came from PSD2 (the revised Payment Services Directive) and is implemented through the UK’s Payment Services Regulations 2017 (commonly called the “PSRs 2017”). The Financial Conduct Authority (FCA) is the key regulator in this space.
It’s also worth separating payment initiation from another common “open banking” service: account information services (AIS), which involve accessing and presenting account data (rather than initiating a payment). Some businesses do one, the other, or both - and the regulatory analysis can differ.
Depending on what your business is doing, you may fall into one of these buckets:
- You are a regulated provider. Providing payment initiation generally requires FCA authorisation (for example, as an authorised payment institution); a firm that only provides account information services can instead register as a registered account information service provider (RAISP).
- You partner with a regulated provider (and you operate as an agent/outsourced service provider/technical service provider, depending on the model).
- You are not carrying out regulated payment services (but you still need to manage legal risk, data protection, and customer terms properly).
When Payment Initiation Can Trigger FCA Permissions
If you are providing a “payment initiation service” to a user (for example, triggering payments from their bank account to a merchant), you may be carrying on a regulated activity.
That doesn’t automatically mean you must become FCA-authorised yourself, but you do need to understand your role clearly. A common startup pitfall is assuming the regulated partner “covers everything”, when in reality your user journey, branding, and responsibilities might still expose you to compliance obligations.
Common “Red Flag” Scenarios To Check Early
- You touch or control funds (even temporarily), or you route money through accounts you control. A pure payment initiation service never holds the customer's funds, so holding them points towards other regulated payment services (with safeguarding obligations) rather than payment initiation alone.
- You present the payment flow as your service, rather than a third party’s.
- You provide account access features alongside payment initiation, such as pulling bank transaction data (this can bring in additional regulatory requirements, including whether you’re also providing an account information service).
- You operate a marketplace and handle buyer funds before paying sellers.
If any of these sound like your model, it’s worth getting advice early on your regulatory position before you build too much around assumptions.
What Agreements Do You Need For Payment Initiation?
Payment initiation businesses tend to rely on multiple relationships at once: customers, merchants, banking infrastructure providers, technology vendors, and sometimes introducing partners.
Without the right contracts in place, you can end up taking on liability for fraud, disputed payments, outages, or data breaches that you can't control. Note that bank transfers have no card-scheme chargeback mechanism, so who bears the cost of a disputed or fraudulent payment has to come from your contracts rather than from the payment rail.
1) Customer Or Merchant Terms (Your “Front Door” Contract)
If you’re selling a product to businesses (for example, a payment initiation checkout tool for merchants), your contract should clearly set out:
- what services you provide (and what you don’t provide);
- your onboarding requirements and merchant responsibilities;
- service levels and support boundaries;
- fees, billing, and when you can change pricing;
- security obligations and acceptable use rules;
- liability caps and exclusions (carefully drafted so they’re enforceable);
- termination rights and what happens to data and access on exit.
In many cases, a well-structured Master Services Agreement is the core legal document that keeps expectations clear and reduces disputes later.
2) Website And Platform Terms
If you’re operating a website or platform (even if you sell primarily B2B), your online terms still matter. They help set the rules for site use, IP ownership, disclaimers, and account controls.
For many startups, Website Terms and Conditions are a practical baseline, then you can layer on product-specific terms as your payment initiation service matures.
3) Supplier And Integration Contracts (Where Risk Can Hide)
Most payment initiation models rely on third-party infrastructure. That’s fine, but you’ll want to check:
- who is responsible for outages (and what credits/remedies apply);
- how liability flows if there’s fraud or a disputed payment;
- data protection roles (controller vs processor);
- subcontracting rights (and whether you can veto high-risk subcontractors);
- audit and security provisions (especially if you’re handling financial data).
If your product includes proprietary software components, you may also need clear licensing terms with customers and partners, particularly around permitted use, restrictions, and IP protection. This is where a tailored Software Licence Agreement can help avoid messy IP disputes later.
Data Protection And Security: What UK Startups Need To Get Right
Payment initiation is as much a data issue as it is a payments issue.
Even if you never "hold" money, you're likely handling personal data (names, account identifiers, payment references, transaction amounts) and behavioural data that can create real risk if mishandled.
UK GDPR And The Data Protection Act 2018
In the UK, data protection is mainly governed by UK GDPR and the Data Protection Act 2018. The key question for many payment initiation models is: are you acting as a controller or a processor?
- If you decide why and how personal data is processed, you’re likely a controller (with broader responsibilities).
- If you only process data on behalf of another business (for example, a merchant), you might be a processor (but still with important obligations).
Many startups are actually controllers even when they assume they’re processors, because their platform decisions shape the data processing.
Your Privacy Information Needs To Be Clear
Because payment initiation can involve bank-linked data, customers will be sensitive to how you handle it. Transparent privacy disclosures aren’t just “good practice” - they’re a legal requirement.
A properly drafted Privacy Policy should explain, in plain language:
- what personal data you collect;
- your lawful basis for processing;
- who you share data with (including key service providers);
- international transfers (if applicable);
- retention periods;
- how users can exercise their rights.
Data Processing Terms With Customers And Suppliers
If you process personal data on behalf of merchants (or other customers), you’ll often need a contract that includes UK GDPR-compliant processor terms.
This is commonly handled using a Data Processing Agreement, which helps allocate responsibility and reduce “grey areas” if something goes wrong.
Security Controls And Strong Customer Authentication (SCA)
Payment initiation flows typically require strong customer authentication (SCA) as part of the wider regulatory push to reduce fraud. Under the PSRs 2017, the customer's own bank applies SCA when the customer authorises the payment (in practice, usually in their banking app), not your business.
Even where the bank handles the actual authentication step, your business still has security responsibilities - particularly around:
- how you authenticate users before initiating a payment request;
- session security and access controls;
- logging, monitoring, and incident response;
- staff access to production data (and internal policies/training).
Don’t overlook the internal side of security either. If your team is building and operating this product day-to-day, written policies can help you show you’ve taken reasonable steps to manage risk.
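The list above is about your side of the flow rather than the bank's. As an added example (not code from the original article, and not any provider's API), the Python below models the merchant-side checks a practitioner would want around a payment request: only an authenticated, unexpired session can create one; the request carries a one-time random state value that the callback must present, compared in constant time; a callback is rejected if it replays a completed request or arrives after the request has expired; and every step writes an append-only audit entry. It assumes a redirect-style flow in which the bank applies SCA and returns the user to your callback with that state value, which is a common pattern but not how every provider works, and all the names, time limits and in-memory stores are hypothetical.

```python
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 60 * 60          # assumption: sessions live one hour
PAYMENT_REQUEST_TTL_SECONDS = 15 * 60  # assumption: a pending request expires after 15 minutes

# In-memory stores constructed for the example; a real deployment would use a database.
SESSIONS = {}          # session_id -> {"user_id": str, "expires_at": float}
PAYMENT_REQUESTS = {}  # request_id -> dict describing the request
AUDIT_LOG = []         # append-only list of audit events


def _now(now):
    return time.time() if now is None else now


def _audit(event, request_id, now, **details):
    """Append a structured audit entry (what happened, to which request, when)."""
    entry = {"event": event, "request_id": request_id, "at": now, **details}
    AUDIT_LOG.append(entry)
    return entry


def start_session(user_id, now=None):
    """Create an authenticated session for user_id and return its id."""
    now = _now(now)
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user_id": user_id, "expires_at": now + SESSION_TTL_SECONDS}
    return session_id


def _require_session(session_id, now):
    """Return the session for session_id, or raise PermissionError if missing or expired."""
    session = SESSIONS.get(session_id)
    if session is None or now >= session["expires_at"]:
        raise PermissionError("no valid authenticated session")
    return session


def create_payment_request(session_id, amount_pence, payee_reference, now=None):
    """Record a pending payment request bound to an authenticated user.

    The returned 'state' is a one-time random token carried through the bank redirect so
    the callback can be matched to exactly this request and cannot be swapped by an attacker.
    """
    now = _now(now)
    session = _require_session(session_id, now)
    if amount_pence <= 0:
        raise ValueError("amount must be positive")
    request_id = secrets.token_urlsafe(16)
    PAYMENT_REQUESTS[request_id] = {
        "id": request_id,
        "user_id": session["user_id"],
        "amount_pence": amount_pence,
        "payee_reference": payee_reference,
        "state": secrets.token_urlsafe(32),
        "status": "pending",
        "created_at": now,
    }
    _audit("payment.initiated", request_id, now,
           user_id=session["user_id"], amount_pence=amount_pence)
    return PAYMENT_REQUESTS[request_id]


def complete_payment_request(request_id, returned_state, now=None):
    """Handle the post-authorisation callback: check binding, replay and freshness."""
    now = _now(now)
    request = PAYMENT_REQUESTS.get(request_id)
    if request is None:
        raise PermissionError("unknown payment request")
    # Constant-time comparison so the state token cannot be guessed byte by byte.
    if not hmac.compare_digest(request["state"], returned_state):
        _audit("payment.callback_rejected", request_id, now, reason="state mismatch")
        raise PermissionError("state token does not match this request")
    if request["status"] != "pending":
        _audit("payment.callback_rejected", request_id, now, reason="replay")
        raise ValueError("payment request already %s" % request["status"])
    if now - request["created_at"] > PAYMENT_REQUEST_TTL_SECONDS:
        request["status"] = "expired"
        _audit("payment.expired", request_id, now)
        raise ValueError("payment request expired")
    request["status"] = "completed"
    request["completed_at"] = now
    _audit("payment.completed", request_id, now, user_id=request["user_id"])
    return request


def audit_entries(request_id):
    """Return the audit trail for one payment request, oldest first."""
    return [e for e in AUDIT_LOG if e["request_id"] == request_id]
```

The point of the structure is that the bank's SCA step does not relieve you of the binding problem on your side: without the session check and the per-request state, a callback could be attached to the wrong user or replayed, and without the audit entries you would have nothing to reconstruct during a dispute or an incident.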
Consumer Rights, Refunds And Complaints: Getting The Customer Experience Legally Right
Even if your product is “payments infrastructure”, your legal obligations can change depending on who your end users are and how you sell.
If you sell directly to consumers (B2C), or you facilitate consumer purchases, you need to think carefully about consumer law compliance.
Consumer Rights Act 2015 And Fair Terms
The Consumer Rights Act 2015 requires consumer contract terms to be fair and transparent. If your terms are overly one-sided (for example, broad exclusions of liability that don’t make sense for consumers), you can run into enforceability issues and regulatory scrutiny.
For startups building payment initiation into consumer-facing apps, you’ll also want to ensure your marketing and onboarding journeys are clear and not misleading - especially when explaining how payments are authorised and what happens if something goes wrong.
Refund Expectations And Operational Reality
One practical issue with payment initiation is that it doesn't behave exactly like card payments. There is no refund rail: a refund is a separate outbound bank transfer that you have to initiate and fund yourself, so refunds may not be "instant" in the same way, and reconciliation (matching incoming transfers to orders, usually by payment reference) can be more manual depending on your setup.
That’s not necessarily a problem - but it is a problem if your customer communications and terms don’t match reality.
Make sure you have a clear policy and process covering:
- when refunds are available (and when they aren’t);
- refund timeframes and how they’re processed;
- what happens if the customer sends funds to the wrong reference or account;
- how you handle disputes, complaints, and error resolution.
If You Offer Subscriptions Or Recurring Payments
If your business offers subscriptions, you’ll need to think carefully about how recurring payment initiation is structured (and how you communicate it).
This is a common area where founders accidentally create compliance risk by relying on vague cancellation processes, unclear renewal wording, or confusing payment authorisations.
If subscriptions are part of your model, well-drafted Subscription Terms and Conditions can help set clear rules for billing, renewals, cancellation, failed payments, and service suspension.
Practical Compliance Checklist For Payment Initiation Startups
It can feel like a lot, so here’s a practical checklist you can work through.
Business Model And Regulatory Position
- Map your payment flow end-to-end (who pays whom, where funds go, who has access, who controls the user journey).
- Confirm whether you are providing payment initiation services as a regulated activity under PSRs 2017.
- If you offer account data features as well, consider whether you’re also providing an account information service (AIS) and what that means for compliance.
- If partnering with regulated firms, clarify in writing whether you’re an agent, outsourced provider, or technical service provider (and what that means for your responsibilities).
Legal Documents And Customer-Facing Terms
- Put in place customer/merchant terms that match how your platform actually works (fees, service levels, termination, liability).
- Ensure your website/app terms reflect your product and risk profile.
- Make sure marketing statements about speed, cost, and security are accurate and not misleading.
Privacy, Data Protection And Security
- Confirm your UK GDPR role(s) (controller/processor) and document your reasoning.
- Implement a privacy policy and data processing terms that match your real processing activities.
- Maintain a security plan (access controls, logging, incident response) appropriate to financial data handling.
Operational Readiness
- Have a written complaints and dispute process (and make it easy for users to contact you).
- Build a clear refunds process that works operationally and matches your terms.
- Review key supplier contracts for liability, data protection, and continuity risk.
Most importantly: don’t wait until you’ve launched to do this. Investors, enterprise customers, and strategic partners often ask these questions early - and having clear answers can be a big commercial advantage.
Key Takeaways
- Payment initiation can improve customer experience and reduce reliance on card payments, but it sits in a legally sensitive area.
- In the UK, payment initiation is often linked to PSRs 2017 (PSD2 implementation), and your model may trigger FCA regulatory considerations.
- It’s important to distinguish payment initiation from account information services (AIS), as the legal and compliance considerations can differ depending on what you provide.
- Strong contracts matter: your customer/merchant terms and supplier agreements should clearly allocate risk for outages, fraud, disputes, and data handling.
- Data protection is central: UK GDPR and the Data Protection Act 2018 require transparent privacy information and the right controller/processor arrangements.
- If you sell to consumers or facilitate consumer payments, you must align your terms and processes with consumer law expectations, including fair terms and clear refund handling.
- Getting your legal foundations right early helps you scale faster, build trust, and avoid expensive compliance surprises later.
If you’d like help structuring your payment initiation model, contracts, or privacy compliance, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.