Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business takes payments, moves money, runs subscriptions, or builds software that “touches” payment flows, the Payment Services Regulations 2017 (often shortened to PSRs 2017) may be relevant.
For a lot of small businesses, the tricky part isn’t the idea of compliance - it’s knowing when PSRs 2017 applies, what the “red flag” activities are, and what practical steps you can take to reduce risk.
Below, we’ll break down PSRs 2017 in plain English and walk through key compliance steps you can put in place to protect your business from day one (and as you scale).
This article is general information only and isn’t legal advice. If you’re unsure whether your model is regulated, get advice on your specific payment flows.
What Are The PSRs 2017 (And Why Do They Matter For Small Businesses)?
PSRs 2017 is the UK’s core legal framework regulating payment services. It largely implemented the EU’s second Payment Services Directive (PSD2) into UK law and sets rules around:
- who can provide regulated payment services;
- how payment service providers must protect customers (including transparency and complaints handling);
- security requirements (including strong customer authentication); and
- how certain payment-related providers must be authorised/registered and supervised.
In practice, PSRs 2017 matters because there’s a big difference between:
- using a payment provider to accept payments (common for ecommerce and service businesses); and
- providing payment services yourself (common for marketplaces, platforms, fintech-style products, and businesses that hold or move funds for others).
If your business crosses into “providing payment services”, PSRs 2017 can trigger regulatory obligations, and in some cases you may need Financial Conduct Authority (FCA) authorisation or registration.
What Counts As A “Payment Service” Under PSRs 2017?
PSRs 2017 covers a range of activities. Some of the most commonly encountered categories include:
- money remittance (transferring money from payer to payee, often without accounts being created in the payer/payee’s name);
- execution of payment transactions (including transfers and card payments);
- issuing payment instruments or acquiring payment transactions (think card issuance/acquiring);
- account information services (AIS) (accessing and presenting information from a user’s bank account);
- payment initiation services (PIS) (initiating a bank transfer on the user’s behalf).
You don’t need to memorise the categories - the practical takeaway is: if you’re moving money between people/businesses, or accessing bank account data to initiate or optimise payments, you should assume PSRs 2017 may be in play and get advice early.
Does My Business Need To Comply With PSRs 2017?
Many small businesses interact with PSRs 2017 without being directly regulated under it. The key question is usually:
Are you simply accepting payment for your own goods/services, or are you providing a payment service to others?
Usually Low Risk: You’re Just Taking Payments For Your Own Sales
If you run a typical online store, agency, consultancy, gym, studio, or trades business, and you use a third-party payment provider to accept card payments or bank transfers for your own invoices, PSRs 2017 is generally more “background law” than a direct regulatory burden.
You still need to run your business properly - for example, having clear customer terms and transparent payment/refund practices - but you typically won’t need FCA authorisation just because you take payments.
Higher Risk: You Handle Money For Other People
PSRs 2017 tends to become front-and-centre when your business model involves things like:
- marketplaces where customers pay you and you pay out sellers/service providers;
- platforms that receive or control user funds (even briefly) before passing them on;
- subscription or billing platforms that collect and distribute payments (particularly if you control the flow);
- apps that initiate bank payments or use Open Banking-style access;
- cashback, wallet, stored value, or credits systems that behave like money (noting some models may be regulated as electronic money instead, under the Electronic Money Regulations 2011).
If any of that sounds like you, it’s worth mapping the flow of funds (step-by-step) and getting legal advice on whether you’re carrying out a regulated payment service, whether an exclusion applies (meaning the activity is outside the scope of the regulations) or an exemption applies (meaning it’s in-scope but treated differently), and what your compliance plan should look like.
Key PSRs 2017 Compliance Areas You Should Understand
Once PSRs 2017 applies, compliance isn’t just a “tick-box”. It’s usually a mix of operational controls, customer-facing disclosures, contracts, and security measures.
1) Authorisation Or Registration (And Getting The Perimeter Right)
One of the biggest PSRs 2017 risks is accidentally operating a regulated payment service without the right permissions.
Depending on what you do, you may need to be:
- authorised as a payment institution (or another relevant regulated status);
- registered (for example, as a small payment institution in some cases); and/or
- able to rely on a specific exclusion or exemption (which must be assessed carefully).
Small businesses often get caught out where the product started simple (“we just help users pay each other”) and then evolved (controlling funds, splitting payments, adding wallets, adding cross-border transfers). The compliance profile can change quickly as you scale.
Also note: some “wallet” or “stored value” products are more likely to fall under the Electronic Money Regulations 2011 (and need FCA e-money permissions) rather than (or as well as) PSRs 2017. Getting the regulatory perimeter right early can save a lot of time and cost later.
2) Transparency: Customer Information, Charges, And Payment Terms
PSRs 2017 contains requirements around what information must be provided to users, including things like:
- charges and fees;
- execution times;
- reference exchange rates (where relevant);
- how to make a complaint; and
- how unauthorised transactions and errors are handled.
Even if you’re not fully regulated, it’s still good practice to make sure your customer documents explain payment processes clearly. For online businesses, this often sits within your Website Terms And Conditions and any product-specific terms.
3) Security And Strong Customer Authentication (SCA)
PSRs 2017 is closely linked with payment security requirements, including Strong Customer Authentication (SCA) in many electronic payment scenarios.
In a small business context, you may not implement SCA yourself (your payment provider may do it). But if you build payment journeys, manage checkouts, or design integrations, you should understand:
- when SCA is required;
- what exemptions can apply (and the risk if they’re misused); and
- how to reduce fraud and chargeback exposure through design and controls.
4) Complaints Handling And Customer Support
Where PSRs 2017 applies, complaints aren’t just a customer service issue - they can be a compliance issue.
Even for non-regulated businesses, it’s smart to systemise your approach, including:
- clear internal ownership of complaints;
- written timeframes and escalation paths;
- records of communications and outcomes; and
- templated responses for common payment disputes.
This becomes especially important if your business offers subscriptions or auto-renewing services, where payment disputes are common. If you run subscriptions, your Subscription Terms And Conditions should be aligned with how you actually bill customers and handle cancellation.
5) Data Protection (Because Payments Involve Personal Data)
Payment operations almost always involve personal data (names, emails, transaction histories, device data, sometimes bank details). That means you’ll also need to consider UK GDPR and the Data Protection Act 2018 alongside PSRs 2017.
From a practical standpoint, that usually means:
- having a compliant Privacy Policy that explains what you collect and why;
- tight internal access controls (who can see transactions and customer info);
- vendor due diligence (especially if third parties process payment data); and
- a plan for data breaches and incident response.
If you share customer data with processors (for example, payment processors, fraud tools, CRM systems), you may also need a Data Processing Agreement (or data processing schedule) in place with the right clauses.
A Step-By-Step PSRs 2017 Compliance Plan For UK Businesses
PSRs 2017 compliance can feel overwhelming at first, especially if you’re building a new product or running a platform. The trick is to break it down into manageable steps.
Step 1: Map Your Payment Flow (In Plain English)
Before you look at legal definitions, write down exactly what happens when someone pays:
- Who pays whom?
- Whose name is on the checkout or bank transfer?
- Do you ever receive, control, or hold funds (even briefly)?
- When do you pay out to third parties?
- Can users store value, credits, or balances?
- What happens if a transaction is disputed or reversed?
This is often where the “aha” moments happen. A lot of businesses discover they’re acting as a middleman in a way that changes their regulatory risk profile.
Step 2: Decide Whether You’re A Merchant, An Agent, Or A Payment Provider
In simple terms:
- Merchant: you sell your own goods/services and receive payment for those sales.
- Agent/Intermediary: you arrange payments or sales for others (this is where legal detail matters a lot, and some models may rely on specific exclusions such as the “commercial agent” exclusion in limited circumstances).
- Payment Provider: you provide a payment service (potentially regulated under PSRs 2017).
Be careful with assumptions here. Calling yourself an “agent” in your terms doesn’t automatically put you outside PSRs 2017 - the reality of what you do (and how money flows) is what counts.
Step 3: Pressure-Test Your Model Against Common PSRs 2017 Triggers
Here are some practical “trigger questions” that often indicate PSRs 2017 is relevant:
- Do customers pay you, and then you pay a supplier/seller later?
- Do you split payments between multiple parties?
- Do you operate an account, wallet, stored balance, or credit system that users can spend later (and could it be e-money)?
- Do you initiate bank transfers on a user’s behalf?
- Do you access a user’s bank account data to provide a service?
If you answered “yes” to any of the above, get advice early. Fixing regulatory issues later (after launch) is usually more expensive and disruptive than setting up correctly from the start.
Step 4: Put The Right Customer Documents In Place
Even if you’re not an FCA-authorised payment institution, you still need clear, enforceable agreements that explain:
- what customers are buying;
- how and when payments are taken;
- how refunds, chargebacks, and disputes are handled; and
- what happens if you suspend or terminate an account.
For ecommerce and online service businesses, this is often handled through a combination of:
- E-Commerce Terms And Conditions (for online selling);
- subscription terms for recurring billing (if applicable); and
- privacy documentation for payment and transaction data.
If your business is B2B and you invoice customers, it’s also worth making sure your invoicing and payment terms are consistent and clear. Having a solid process (and compliant invoices) can reduce disputes before they start - see typical invoice requirements and build them into your finance workflows.
Step 5: Create Internal Controls (So Compliance Isn’t Just A Document)
Regulated or not, strong internal controls make payment operations safer and more defensible. Depending on your risk profile, that may include:
- access management (limiting who can see payment and transaction data);
- segregation of duties (the person approving payouts isn’t the same person creating payees);
- refund and dispute playbooks (so staff respond consistently);
- audit trails of changes to bank details and payout instructions; and
- incident reporting procedures (what to do if you suspect fraud or a breach).
If your team uses work devices and handles payment admin, it can also help to document expected behaviour and security standards through an Acceptable Use Policy (particularly where staff access sensitive customer data).
Step 6: Review Your Third-Party Providers And Outsourcing Terms
Most small businesses rely on third parties for parts of their payment stack (payment processors, fraud tools, accounting integrations, customer support software).
To reduce risk, you should understand:
- what each provider does (and whether they are regulated for that activity);
- what happens if they have downtime;
- how data is shared and secured; and
- what liability sits with you vs them if something goes wrong.
This is also where contract drafting matters. A tailored set of customer terms and supplier contracts can help clarify responsibilities, reduce disputes, and protect your cashflow.
Common PSRs 2017 Pitfalls (And How To Avoid Them)
When we see small businesses run into PSRs 2017 issues, it’s often because of these common pitfalls.
Assuming Your Payment Provider “Covers” You
Using a third-party payment provider can reduce your burden, but it doesn’t automatically remove regulatory risk if your business model effectively provides a payment service.
For example, a marketplace can still be exposed if it controls the flow of funds and sets the rules for holding and paying out those funds, even if a third party processes the card payment.
Running Credits Or Wallets Without Considering The Legal Character
Store credit, vouchers, and “in-app balances” can seem like a marketing feature, but depending on how they work, they can raise regulatory and consumer law issues.
In particular, some wallet or stored value models may be regulated as electronic money (under the Electronic Money Regulations 2011) rather than just a “feature” in your product.
You’ll want to ensure your terms are clear about:
- expiry and redemption rules;
- refundability;
- whether credit can be exchanged for cash; and
- what happens on account closure.
Weak Refund / Cancellation Processes
Payment disputes often spike when cancellation and refund processes aren’t clear, or staff handle them inconsistently.
Even outside PSRs 2017, cancellation rights and subscription compliance can be a major risk area. If you offer recurring billing, make sure your subscription terms are consistent with how customers sign up, how they cancel, and when you take payments.
Not Aligning Privacy Disclosures With Payment Reality
Payments generate sensitive behavioural data (transaction history, purchase patterns, sometimes device and location data via fraud systems). If you’re collecting it, your privacy documentation and internal controls need to match what’s actually happening in your business.
Key Takeaways
- PSRs 2017 regulates payment services in the UK and becomes most relevant when you’re moving money or handling funds for others, not just taking payment for your own sales.
- If you run a marketplace, platform, wallet/credits product, or initiate payments, you should map your payment flow early and get advice on whether PSRs 2017 authorisation or registration is required (and whether the Electronic Money Regulations 2011 may apply instead or as well).
- PSRs 2017 compliance often involves more than legal wording - you’ll usually need security controls, complaint handling processes, and clear operational workflows.
- Clear customer documents (website terms, subscription terms, refund processes) reduce disputes and can support compliance with payment transparency expectations.
- Payments almost always involve personal data, so UK GDPR compliance (privacy policy, data processing terms, access controls) typically sits alongside PSRs 2017 risk management.
- Don’t rely on assumptions like “our payment provider covers everything” - responsibility depends on what your business actually does with funds and payment data.
If you’d like help assessing whether PSRs 2017 applies to your business model, or you want your customer terms and privacy documents reviewed so they match your payment flows, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.