Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Are The Payment Services Regulations 2017?
- Who Needs To Comply With The Payment Services Regulations 2017?
- How Do The Payment Services Regulations 2017 Affect UK Businesses?
- What Are The Key Requirements Under The Payment Services Regulations 2017?
- What Are The Main Exceptions and Exemptions?
- How Can My Business Ensure Ongoing Compliance With The Payment Services Regulations 2017?
- What Legal Documents Should A Payment Services Business Have In Place?
- Top Tips For Navigating Payment Services Regulation Compliance
- What Happens If My Business Fails To Comply With The Payment Services Regulations 2017?
- Key Takeaways
Thinking about offering payment services or simply want to make sure your business is compliant when it comes to taking payments from customers? You’re not alone! With the rapid growth of online businesses and fintech in the UK, understanding the Payment Services Regulations 2017 (PSRs 2017) has become crucial for startups and established businesses alike.
But don’t stress - even though the legal landscape might seem complex at first glance, getting your head around the basics of the PSRs 2017 can empower you to build a trustworthy, compliant business from day one. In this guide, we’ll break down exactly what the regulations mean, who they apply to, the key obligations involved, and practical compliance steps you can take to stay on the right side of the law.
Let’s dive in and set your business up for long-term success, navigating payment services regulations the smart way - keep reading for everything you need to know.
What Are The Payment Services Regulations 2017?
The Payment Services Regulations 2017 (often shortened to PSRs 2017) are the UK rules that provide the legal framework for payment services. They’re designed to make payment services safer, more competitive, and more transparent for users and businesses. Electronic money itself is governed by a separate set of rules, the Electronic Money Regulations 2011, but e-money issuers also provide payment services and so have to follow the conduct rules in the PSRs 2017 too.
The regulations implemented the EU’s second Payment Services Directive (PSD2) and replaced the earlier Payment Services Regulations 2009. They brought in many new requirements for payment service providers (PSPs), including stricter consumer protection, strong customer authentication (SCA) for online account access and electronic payments, and tighter operational and security risk management. Since Brexit the PSRs 2017 have continued to apply as UK law, with the FCA as the regulator.
Under the PSRs 2017, “payment services” cover a broad range of activities, such as:
- Processing credit or debit card payments
- Running online payment platforms and wallets
- Money remittance (sending funds on behalf of someone else)
- Operating merchant acquiring businesses (processing payments for retailers)
- Initiating payments on behalf of a customer
Essentially, if your business provides one of these services to other people - as opposed to simply receiving payment for your own goods or services - there’s a good chance that the PSRs 2017 are relevant to you.
Who Needs To Comply With The Payment Services Regulations 2017?
Not every business taking payments needs to be directly authorised under the PSRs 2017 - but many more fall within scope than you might think.
The regulations apply to:
- Payment service providers (PSPs) - These include banks, online payment platforms, money transfer businesses, and e-money issuers.
- Payment institutions (PIs) - Businesses that carry out payment services as their core activity but aren’t banks (for example, independent payment processors).
- Small payment institutions (SPIs) - Smaller businesses whose payment transactions average no more than €3 million a month. SPIs register with the FCA rather than going through full authorisation, but they cannot provide account information or payment initiation services.
- Account information service providers (AISPs) and payment initiation service providers (PISPs) - These are newer types of fintechs enabled by PSD2. If your platform pulls account data or initiates payments for clients, you may be caught by the rules.
If you’re simply running a shop or online business and using a regulated third-party payment provider (like Stripe, PayPal, or your bank), the bulk of compliance falls to them. However, if you design and operate your own payment platform or handle payments directly for others, you’re likely a PSP yourself - in which case, the regulations are directly applicable and you’ll need to register (or get authorised) with the Financial Conduct Authority (FCA).
Still unsure whether you’re considered a payment service provider or need to be regulated? It’s wise to get legal advice tailored to your model - the definitions in the PSRs 2017 are broad and cover many potential business structures.
How Do The Payment Services Regulations 2017 Affect UK Businesses?
Even if you’re not directly regulated, if you collect payments, the PSRs 2017 can impact your contracts, customer communications, and risk management. Here are the main ways the regulations could affect your business:
- Regulated status: If you fall within the PSR definition of a payment service provider, you need to register or become authorised by the FCA before carrying out payment services.
- Customer protections: The regulations require clear, fair, and transparent terms for customers, especially around fees, refund rights, how payments are processed, and complaint handling.
- Operational requirements: You’ll have to meet strict obligations around safeguarding client money, reporting to the FCA, and maintaining robust IT and anti-money laundering controls.
- Data and security duties: Handling payment data means you must comply with not just the PSRs 2017, but also UK GDPR and the Data Protection Act 2018. This adds further requirements around having a lawful basis for processing, keeping data secure, and not retaining it for longer than you need.
- Surcharging rules: Alongside the PSRs 2017, the UK implemented PSD2’s ban on payment surcharges (through the Consumer Rights (Payment Surcharges) Regulations 2012, as amended from 13 January 2018). Businesses cannot charge customers extra for paying by consumer debit or credit card and most other common payment methods. Failing to comply could lead to enforcement action.
- Contractual arrangements: If your business uses payment agents, distributors, or develops software for payment processing, the agreements you use need to align with the PSRs 2017 as well as UK consumer law.
All of this boils down to one core point: taking payments isn’t just a business decision - it carries regulated responsibilities if you go beyond simply using existing, regulated payment platforms. It’s crucial to set up your systems, agreements, and disclosure practices fully informed by the law.
What Are The Key Requirements Under The Payment Services Regulations 2017?
The PSRs 2017 bring in a range of requirements for regulated payment service businesses. Here are the main compliance topics you’ll need to address:
1. Registration And FCA Authorisation
If you’re within scope of the PSRs 2017, you can’t provide payment services until you’re registered or authorised by the FCA. This involves a detailed application process where you’ll need to show:
- Who your directors, controllers, and owners are
- That you hold the required initial capital (for an authorised payment institution this is €20,000, €50,000 or €125,000 depending on which services you provide)
- How you’ll handle safeguarding of customer funds
- Your IT and security procedures, including how you manage operational and security risks
- Your approach to anti-money laundering (AML) and fraud prevention
Once authorised, you’ll need to meet ongoing reporting and audit duties, so it’s important to set up robust compliance foundations from day one.
2. Customer Contracts & Information
Regulated businesses must provide clear, user-friendly pre-contractual information and terms to customers. Your terms of business or website terms and conditions should explain:
- What services you offer
- All fees and charges
- How to cancel or get refunds
- How complaints are handled
- What happens if unauthorised transactions occur - under the PSRs 2017 a PSP must generally refund an unauthorised transaction by the end of the business day after it’s notified, and a customer’s liability for losses from a lost or stolen card or device is capped at £35 unless they acted fraudulently or with gross negligence
This is about more than consumer protection - clear terms help prevent disputes and show regulators you’re operating transparently. If you need help creating bulletproof terms, check out our guide on terms and conditions.
3. Safeguarding And Risk Controls
The FCA expects strong safeguards to protect customer funds and payment data, including:
- Keeping customers’ money separate from your own business funds (“safeguarding”), typically by holding it in a designated safeguarding account with an authorised credit institution
- Alternatively, covering those funds with an insurance policy or comparable guarantee from an authorised insurer or bank
- IT security measures to defend against fraud, hacking, and data breaches, including applying strong customer authentication (SCA) where the PSRs 2017 require it and notifying the FCA of major operational or security incidents
Getting these controls right can be technically demanding - but it’s crucial for both compliance and customer trust.
4. Anti-Money Laundering (AML) And Reporting
The PSRs 2017 work hand-in-hand with other UK laws such as the Proceeds of Crime Act 2002 and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLRs). You’ll need policies for:
- Customer due diligence and onboarding checks (KYC)
- Reporting suspicious transactions to the National Crime Agency (NCA)
- Internal staff training and documentation
If you ever have questions about how extensive these checks need to be for your business type, reach out to a legal expert for help.
5. Handling Complaints
If you’re a regulated payment service provider, you must have a documented complaints procedure and resolve complaints within the timelines set by the FCA’s complaint-handling rules - for payment services complaints, that’s 15 business days, extendable to 35 business days only in exceptional circumstances. Unhappy customers must be able to take their grievances to the Financial Ombudsman Service if unresolved.
This means you’ll want a well-drafted, compliant complaints policy tailored to your payment services.
What Are The Main Exceptions and Exemptions?
Not every business involved in payments will be fully regulated - there are several “exemptions” in the PSRs 2017. For example:
- Cash-only businesses are generally out of scope
- Businesses solely accepting payments for their own goods/services via regulated third-party providers (like PayPal, Square, or Stripe) do not need direct authorisation
- Low-volume payment providers can register as “small payment institutions” if their payment transactions average no more than €3 million a month, which means a lighter registration process (though not the ability to offer account information or payment initiation services)
- Limited networks, such as closed-loop gift cards operating only within a single retailer or a limited range of goods, are excluded - but once the value of those transactions exceeds €1 million over 12 months, the operator must notify the FCA
The key is that these exemptions have strict definitions. If your operations grow or change, you could drift into scope and require authorisation, so regular compliance checks are a must. For a hands-on look at structuring your business, check out our business structure guide.
How Can My Business Ensure Ongoing Compliance With The Payment Services Regulations 2017?
Once you’re authorised or registered under the PSRs 2017, staying compliant isn’t a one-off job - it’s an ongoing responsibility.
Here are practical steps you can take:
- Keep all customer-facing contracts, privacy policies, and website terms up to date with changes in the law
- Regularly review your payment service processes and security controls
- Train staff on compliance and how to spot fraud or suspicious payments
- Stay alert to new FCA guidance and reporting requirements
- Undertake periodic legal reviews to avoid scope creep or missing a renewal/registration
- Have a strong relationship with legal and compliance professionals who understand both your industry and payment law
Compliance can be complex, but it doesn’t have to be overwhelming. Sprintlaw is here to guide you through each step and help you avoid the most common mistakes - from registrations, to contract drafting, to ongoing legal support. If you need help with your core legal documents, why not explore our business document checklist for UK startups?
What Legal Documents Should A Payment Services Business Have In Place?
The right legal documents are essential for protecting your business as you operate under the PSRs 2017. Key documents include:
- Terms of sale or terms of business (for customers)
- Service agreements (for partners, agents, or B2B relationships)
- Privacy Policy and Cookie Policy (ensuring GDPR and e-Privacy compliance)
- Staff handbooks and AML/financial crime policies
- Complaints policy and procedure
- Up-to-date contracts with payment technology vendors and acquirers
Avoid using generic templates - in regulated sectors like payments, your contracts must be tailored to your model and clearly aligned with law and FCA expectations. If you need a hand drafting or reviewing key documents, our contract lawyers are ready to help.
Top Tips For Navigating Payment Services Regulation Compliance
- Don’t assume you’re exempt - check the scope of your activities against PSRs 2017, especially if you’re in fintech or plan to scale
- Engage with the FCA process early - authorisation can take time and requires detailed preparation
- Be transparent and fair with customers - clear terms and processes are a must
- Understand that compliance is ongoing, not a “set and forget” job
- Seek legal advice the moment your business model changes or grows into new payment services
What Happens If My Business Fails To Comply With The Payment Services Regulations 2017?
Failure to comply with the PSRs 2017 can have real consequences for your business, including:
- FCA enforcement action (fines, public sanctions, or forced cessation of services)
- Contractual disputes or inability to enforce payment-related terms
- Reputational harm and lost customer trust
- Civil liability to customers or other businesses for unfair or non-compliant practices
That’s why setting up your regulatory and legal compliance from day one is vital - it’s about protecting both your business and your customers long-term.
Key Takeaways
- The Payment Services Regulations 2017 set out strict rules for anyone offering payment services or operating fintech platforms in the UK.
- Businesses offering payment processing, money transfers, account services, PIS or AIS models may need authorisation with the FCA - check your status early.
- All regulated payment services businesses should prioritise customer transparency, robust contractual terms, financial safeguards, and ongoing compliance checks.
- Legal documents such as terms of business, service agreements, privacy policies, and AML procedures must be tailored for compliance - avoid generic templates.
- Failing to comply can lead to fines, forced shutdowns, contractual disputes, and reputational harm.
- Getting professional legal advice is strongly recommended before launching any payment services or fintech business.
If you’d like some tailored legal guidance on the Payment Services Regulations 2017 or help with compliance, contracts, or FCA registration, our friendly team is here to help. You can reach us at team@sprintlaw.co.uk or call 08081347754 for a free, no-obligations chat about your business needs.