Merchant Onboarding: Global Regulatory Update – April 2026

April 2026 shows a clear shift in how regulators are testing merchant onboarding. Across markets, the focus is moving from basic verification to whether firms can identify risk early, structure data properly, and monitor change as risk evolves.

Fraud, stablecoin exposure, crypto registration status, payment verification failures, AML model effectiveness, and multi-rail payment readiness are all moving closer to the point of entry. For payment providers, this means onboarding can no longer rely on manual checks, static data, or one-time approvals.

Firms that can combine structured onboarding, risk-based decisioning, continuous monitoring, and audit-ready records will be better positioned to manage regulatory exposure, reduce operational friction, and scale safely as payment systems become more complex.

‍

In this update (for merchant onboarding & compliance teams):

What changed: Regulators advanced rules and initiatives covering fraud, stablecoins, AML enforcement, payee verification, payment modernization, synthetic AML testing, VASP registration, and risk-based payment controls.

Why it matters: Merchant onboarding is becoming the control point where firms must prove risk is identified, validated, monitored, and documented before issues move downstream.

Regulatory signals: Manual onboarding is weakening. Regulators are pushing toward structured data, real-time validation, continuous monitoring, risk-based decisions, and stronger evidence of control effectiveness.

What to do next:

• Treat fraud and financial crime as onboarding risks
• Capture structured data for payment flows, ownership, beneficiaries, and transaction behavior
• Validate stablecoin issuers, VASPs, and high-risk merchants continuously
• Build onboarding workflows that support multi-rail payment setup and  cross-border readiness
• Pressure-test onboarding controls against realistic AML and risk scenarios

‍

Global

Ministerial Declaration of the Financial Action Task Force

Effective Date: 17 April 2026

Issued By: Financial Action Task Force (FATF) 

Applies To: All financial institutions, payment service providers, fintechs, crypto-asset businesses, and reporting entities across the 200+ jurisdictions in the FATF Global Network.

Summary:

• What: FATF Ministers have issued a new Declaration prioritizing fraud, reinforcing the risk-based approach, and supporting responsible innovation in digital payments and virtual assets.
• Why: Fraud is scaling rapidly, driven by technology (AI, telecoms, social platforms) and cross-border criminal networks, posing systemic risk to the global financial system.
• What’s Next: Strategic focus for 2026–2028 will center on fraud, payment transparency, virtual assets, and asset recovery—alongside a new round of mutual evaluations focused on effectiveness.

Key Changes:

• Fraud elevated to top priority: Full AML/CFT/CPF toolkit to be deployed against fraud, including scams, organized crime, misuse of legal entities, virtual assets, and emerging technologies such as artificial intelligence.  
• Risk-based approach reinforced: Confirmed as the core implementation model, with emphasis on proportionality, efficiency, and reducing unnecessary burden on low-risk sectors.
• Payment transparency strengthened: Updated standards to improve traceability and combat sanctions evasion and cross-border fraud.
• Virtual asset accountability: Increased peer review pressure on jurisdictions to fully implement FATF standards for crypto and VASPs.
• Asset recovery focus: Greater emphasis on tracing, recovering, and returning illicit funds to victims.
• New mutual evaluations: 2026–2028 round launched, with deeper focus on real-world effectiveness and risk prioritisation.

What This Means for Merchant Onboarding Teams:

Fraud is now a front-line onboarding risk, not a downstream concern. Firms are expected to assess whether a merchant could facilitate or launder fraud proceeds at the point of entry. The risk-based approach is no longer theoretical. It must be evidenced in how checks, data capture, and decisioning are prioritized. High-risk profiles require deeper scrutiny, while low-risk cases should be streamlined. 

Payment transparency expectations mean onboarding must capture complete and structured data on payment flows and cross-border activity, as gaps in data now translate directly into loss of traceability and control. Regulators are raising expectations on the use of advanced tools, but these must operate within controlled, auditable frameworks where every decision can be explained and defended. 

Recommended Actions:

• Embed fraud risk scoring: Score merchants at onboarding using structured inputs (business model, ownership, payment flows) so high-risk profiles are identified early, not missed at intake. 
• Operationalize a true risk-based model: Automatically route merchants based on risk, streamline low-risk approvals, and enforce enhanced due diligence, escalation, and auditable decisioning for higher-risk cases. 
• Strengthen payment data capture: Ensure onboarding collects structured payee and cross-border payment information to meet transparency requirements.
• Enhance VASP due diligence: Align crypto-related onboarding with FATF standards, anticipating increased scrutiny through peer reviews.
• Maintain audit-ready decisioning: Ensure onboarding decisions, supporting data, and applied controls are consistently recorded for supervisory review 

How OnBoard Helps:

OnBoard enables firms to operationalize FATF priorities through structured onboarding, risk-based decisioning, and auditable control.

• Smart Forms standardize the capture of merchant, ownership, and payment data, supporting consistent application of FATF-aligned onboarding requirements.
• OnBoard AIQ™ reads and interprets onboarding documents in real time, extracts and validates structured data at the point of entry, and triggers verification, risk checks, and workflow actions automatically based on defined rules and prompts.
• Integrated KYB, KYC, and AML checks support alignment with FATF Standards by validating identity and ownership against global data sources.
• Audit-ready reporting ensures onboarding decisions are fully traceable and defensible under FATF effectiveness and peer review expectations.

Source: FATF

‍

United States

GENIUS Act Requirements and Standards for FDIC-Supervised Permitted Payment Stablecoin Issuers and Insured Depository Institutions

Effective Date: Proposed rule published 10 April 2026

Issued By: Federal Deposit Insurance Corporation (FDIC)

Applies To: US payment service providers onboarding merchants that accept or issue USD-denominated payment stablecoins (e.g. USDC, USDT).

Summary:

• What: The FDIC has proposed rules under the GENIUS Act requiring stablecoin issuers to hold 1:1 reserves, meet capital thresholds, and ensure timely redemption, while clarifying limits on deposit insurance.
• Why: To bring stablecoins into a formal prudential regime and reduce systemic and consumer risk as adoption grows.
• What’s Next: Consultation closes early June 2026. A final rule is expected later in the year, after which compliant issuers (PPSIs) will be identifiable.

Key Changes:

• 1:1 reserve requirement: Stablecoins must be fully backed by high-quality liquid assets.
• Minimum capital: $5 million floor for new issuers, plus ongoing risk-based requirements.
• Redemption obligation: Issuers must redeem within two business days.
• No pass-through insurance: FDIC insurance applies to the issuer’s bank deposits, not to individual stablecoin holders.
• Tokenized deposits clarified: Treated the same as traditional deposits under existing law.

What This Means for Merchant Onboarding Teams:

Stablecoin usage introduces an additional layer of counterparty risk at onboarding. Merchant exposure may depend on the financial and regulatory standing of the issuing entity, not just the payment method itself.

Without pass-through deposit insurance, merchants bear direct credit and liquidity risk if an issuer fails or cannot meet redemption obligations. Treating stablecoins as equivalent to fiat creates blind spots in risk assessment and onboarding controls.

Recommended Actions:

• Inventory stablecoin usage: Map which stablecoins your merchants accept and identify their issuers.
• Confirm issuer intent: Engage issuers to determine whether they will meet emerging FDIC standards. 
• Update risk models: Adjust onboarding risk criteria so merchants using weaker or non-aligned issuers are flagged early 
• Clarify merchant terms: Reflect the absence of pass-through FDIC insurance in agreements.
• Track regulatory updates: Monitor the consultation and final rule for changes.

How OnBoard Helps:

OnBoard enables structured identification and assessment of stablecoin issuer risk at onboarding, aligned to FDIC requirements on backing, redemption, and insurance limitations.

• Smart Forms capture which stablecoins a merchant uses and the issuing entity at onboarding, ensuring issuer exposure is clearly identified at intake
• OnBoard AIQ™ reads onboarding documents in real time, extracts issuer-related data, and triggers verification and risk checks automatically based on defined rules aligned to reserve, capital, and redemption requirements
• Integrated KYB, KYC, and AML verification validates issuer and merchant entities against trusted data sources, strengthening confidence in ownership and regulatory alignment
• Risk-based workflows apply configurable rules to flag or escalate merchants linked to issuers with unclear backing, weak capital position, or delayed redemption capability
• Audit-ready reporting ensures onboarding decisions are fully traceable and defensible under regulatory scrutiny

Source: Federal Deposit Insurance Corporation

‍

Canada 

Bill C-12: Strengthening Canada’s Immigration System and Borders Act, Part 9 amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

Effective Date: 26 March 2026

Issued By: Parliament of Canada / FINTRAC implementation authority 

Applies To: All Canadian reporting entities under the PCMLTFA, including banks, payment service providers, money service businesses, fintechs, securities dealers, and portfolio managers.

Summary:

• What: Canada has overhauled core parts of its AML regime, giving FINTRAC the authority to issue penalties up to $30 million, impose mandatory compliance agreements, and publicly disclose enforcement actions.
• Why: The changes close enforcement gaps and establish a clear legal standard requiring compliance programs, including onboarding processes, to be “reasonably designed, risk-based and effective,” with financial and reputational consequences for failure. 
• What’s Next: Firms should prepare for mandatory FINTRAC enrollment requirements and review the implications of the new penalty, disclosure, and group-revenue provisions now in force. 

Key Changes:

• Massive penalty increases: Maximum penalties now reach $4 million for individuals and $20 million for entities, or 3% of global group revenue. Breaching a compliance order raises the cap to $30 million.
• Group revenue calculation: Penalties are based on total global revenue across affiliated entities, not just the local subsidiary.
• Mandatory compliance agreements: FINTRAC must require a compliance agreement where a person or entity has committed a prescribed violation. 
• Public disclosure of compliance action: Refusing to enter into a compliance agreement, or failing to comply with one, can trigger a compliance order that the Director must make public, creating direct reputational risk. 
• Statutory compliance standard: Section 9.6 formalizes that programes must be “reasonably designed, risk-based and effective,” setting a clear legal benchmark.
• New enrollment regime: Section 5 reporting entities must formally enroll with FINTRAC, subject to specified exceptions, with ongoing update and renewal obligations. 

What This Means for Merchant Onboarding Teams:

FINTRAC is now an active enforcement authority, putting onboarding under direct scrutiny as the first test of whether your compliance program is “reasonably designed, risk-based and effective.” Missed risks at onboarding now create immediate financial and reputational exposure, not just compliance gaps.

Penalty exposure extends to the entire affiliated group, meaning a single onboarding failure can drive enterprise-wide impact based on global revenue. Informal or inconsistent onboarding processes are no longer defensible under a standard that must be clearly evidenced and withstand regulatory review.

Recommended Actions:

• Pressure-test onboarding controls: Ensure onboarding workflows are risk-based, consistently applied, and supported by clear evidence of how decisions are made 
• Capture and maintain ownership and group data: Ensure ownership and affiliated entity information is collected and kept up to date in real time so changes are identified early 
• Build flexible onboarding workflows and forms: Ensure onboarding processes can adapt quickly to new FINTRAC requirements, including enrollment, data updates, and evolving compliance obligations without manual rework 
• Document for disclosure: Record all merchant data, checks, and decisions in a structured way so onboarding outcomes can be reviewed, defended, and disclosed if required 
• Flag and escalate high-risk merchants early: Ensure onboarding identifies and escalates higher-risk merchant profiles at the point of entry to prevent downstream compliance failures 

How OnBoard Helps:
OnBoard delivers a structured, auditable onboarding framework aligned to the new statutory standard of a “reasonably designed, risk-based and effective” compliance program.

• Smart Forms capture and maintain merchant ownership and affiliated entity data, ensuring group relationships are clearly identified and kept up to date at onboarding
• OnBoard AIQ™ reads onboarding documents in real time, extracts and validates data, and triggers risk checks and escalation automatically, ensuring high-risk merchants are identified early
• Automated KYB, KYC, and AML workflows apply consistent, documented checks against sanctions and watchlists, replacing manual processes that cannot withstand regulatory scrutiny
• Audit-ready reporting maintains full traceability of onboarding data, checks, and decisions, ensuring outcomes can be reviewed, defended, and disclosed under regulatory scrutiny

Source: Parliament of Canada, Bill C-12 (Royal Assent) 

‍

European Union

Public consultation on change requests for Verification Of Payee (VOP) Rulebook version 2.0

Effective Date: Consultation runs 1 April - 30 June 2026

Issued By: European Payments Council (EPC)

Applies To: All payment service providers (PSPs) that are subject to the EU Instant Payments Regulation (IPR), including banks, payment institutions, fintechs, and any entity onboarding merchants that send or receive SEPA payments.

Summary:

• What: The EPC has launched a consultation on updates to the VOP rulebook (v2.0), which underpins PSP compliance with the EU Instant Payments Regulation.
• Why: As instant payments scale, the EPC is refining VOP to better prevent fraud and misdirected payments.
• What’s Next: Feedback closes 30 June 2026. Approved changes will shape the final v2.0 rulebook and drive updates to onboarding and payment workflows.

Key Changes Proposed:

• Granular NOAP response codes: Introduction of sub-codes for “Verification Not Possible” (NOAP) to clearly identify why verification fails (e.g. account not found, inactive, or missing data).
• VOP bulk processing solution: Introduction of a standardized bulk verification capability, replacing the current requirement to debulk files into individual requests.
• Flexibility to 5-second rule for bulk payments: Clarification or exception to the current 5-second verification limit is being considered to better support bulk processing scenarios.
• Proposed extension to payer verification: Introduction of optional payer verification to address impersonation risks, improve reconciliation, and support evolving payment use cases.
• Expanded operational flexibility for verification checks: VOP may allow verification to be triggered at multiple points in the customer journey (e.g. beneficiary setup, mandate approval, supplier validation), supporting both real-time and batch checks beyond instant payment flow.

‍What This Means for Merchant Onboarding Teams:

Onboarding is becoming more directly accountable for verification outcomes. Failed checks will no longer appear generic. They will be traceable to specific data issues, making it clearer when onboarding has captured incomplete or incorrect information. This increases scrutiny on how data is collected, structured, and approved.

At the same time, onboarding must support both scale and flexibility. High-volume merchants and evolving verification requirements mean rigid processes will break under pressure, leading to operational bottlenecks, increased exception handling, and higher support costs.

Recommended Actions:

• Implement an end-to-end onboarding process: Ensure key beneficiary and payer data is captured at the first point of contact, validated early, and consistently carried through the onboarding journey in a structured and documented way.
• Standardise data capture and validation: Ensure onboarding collects and validates data in a consistent format to reduce errors and prevent verification failures downstream. 
• Track consultation outcomes: Monitor which changes are approved post- June 2026, as these will define new data and validation requirements.
• Design for flexibility: Build onboarding forms that can adapt to evolving VOP rules without major rework.
• Test exception handling: Validate workflows for failed payee checks, including escalation and manual review paths.
• Ensure full traceability of onboarding decisions: Maintain clear, structured records of data, validations, and decisions to support transparency and reduce operational friction. 

How OnBoard Helps:
OnBoard provides a flexible, auditable onboarding layer aligned with evolving VOP requirements.

• Smart Forms capture complete beneficiary and payer data at the first point of contact, ensuring information is structured and reusable across the onboarding lifecycle
• OnBoard AIQ™ reads onboarding documents in real time, extracts and validates data at intake, and triggers verification checks automatically to prevent downstream failures
• Automated KYB, KYC, and AML workflows perform real-time checks at onboarding, validating merchant, beneficiary, and payer data as it is captured, ensuring issues are identified and resolved before progressing
• Audit-ready reporting maintains full traceability of onboarding data, validations, and decisions, ensuring outcomes are transparent, defensible, and easy to reconcile

Source: European Payments Council 

‍

Eurosystem comprehensive payments strategy (including tokenized settlement assets, DLT infrastructure, and digital euro roadmap)

Effective Date: Published 31 March 2026

Issued By: European Central Bank (ECB) / Eurosystem

Applies To: All payment service providers (PSPs), banks, fintechs, merchants, and businesses operating in the euro area, especially those involved in wholesale, B2B, retail, or cross-border payments.

Summary:

• What: The Eurosystem has released a unified payments strategy spanning wholesale, B2B, retail, and cross-border use cases, covering tokenized settlement assets and confirming the digital euro roadmap.
• Why: Rapid technological change, including tokenization and distributed ledger technology, is driving the need to ensure payments remain reliable, competitive, and anchored in central bank money.  
• What’s Next: Key milestones include Pontes (DLT settlement) by Q3 2026, digital euro pilot in H2 2027 (potential launch 2029), and continued expansion of TIPS cross-border connectivity.

Key Changes:

• Standardization and straight-through processing in B2B payments: Greater use of structured data (e.g. ISO 20022), LEI, and system integration to improve automation, reduce AML/KYC friction, and enable efficient reconciliation. 
• Shift toward integrated, multi-use payment ecosystems: Payments across retail, B2B, wholesale, and cross-border are being aligned into a more unified framework, increasing the need for interoperable onboarding and system configuration 
• Expansion of tokenized and programmable payment models: Adoption of tokenized assets and programmable transactions to improve efficiency and transparency, while requiring systems to ensure security, resilience, and interoperability
• Integration of B2B payment processes: Strong push to embed payment flows into business systems, enabling automation, process integration, and innovations such as conditional payments 
• Expansion of cross-border interlinking and interoperability: Increased focus on connecting TIPS with other payment systems and global networks, enabling more efficient cross-border flows, supporting trade, and ensuring payments remain within regulated frameworks with strong AML/CFT standards

What This Means for Merchant Onboarding Teams:

If onboarding is still built around single payment flows, it is likely to become harder to sustain. Payments are being rebuilt into integrated, automated ecosystems, and onboarding increasingly defines how merchants are configured across payment rails, business processes, and cross-border flows from day one. 

If data is fragmented or workflows rely on manual steps, those gaps will become more visible as payment models evolve. Automation becomes harder to sustain, exceptions increase, and operational costs rise. Modernizing onboarding is no longer a future consideration. It is increasingly what determines whether payment operations can scale without loss of control. 

Recommended Actions:

• Map to multi-rail readiness: Capture which payment methods (SEPA, instant, digital euro, tokenized assets) each merchant needs, and where.
• Design onboarding for multi-rail environments: Capture how merchants operate across payment types, including B2B, retail, and cross-border flows. 
• Strengthen B2B data capture: For high-volume merchants, capture ISO 20022 readiness and verification of payee capability early.
• Capture structured, reusable data at intake: Ensure onboarding data supports automation, interoperability, and system integration from the start.
• Prepare for tokenized and programmable payments: Ensure onboarding can support new settlement models and conditional payment logic.
• Prepare your systems for cross-border readiness: Ensure your onboarding and payment infrastructure can support expanding global connectivity, adapt to new interlinking requirements, and handle cross-border flows without rework or disruption.

How OnBoard Helps:

OnBoard enables structured, multi-rail onboarding aligned to the Eurosystem’s direction on interoperability, automation, and control. 

• Smart Forms capture structured merchant, payment, and operational data at the first point of contact, ensuring your onboarding is ready for multi-rail and cross-border payment requirements from day one
• OnBoard AIQ™ reads onboarding documents in real time, extracts and validates data at intake, and triggers actions automatically, reducing manual effort and enabling faster, more consistent onboarding decisions
• Management by Exception through credit and risk engines ensures low-risk merchants are processed automatically while higher-risk or complex multi-rail setups are escalated, allowing you to scale without increasing operational burden
• Portfolio OCDD (Ongoing Customer Due Diligence) continuously monitors merchant activity and data, ensuring your onboarding remains aligned as payment flows evolve across systems and borders

Source: European Central Bank

‍

United Kingdom

Synthetic Data and Anti-Money Laundering; Project Report (including Synthetic Data AML Solution Sprint)

Effective Date: Published 15 April 2026

Issued By: Financial Conduct Authority (FCA), in collaboration with the Alan Turing Institute, Plenitude Consulting, and Napier AI

Applies To: All UK-regulated financial firms, payment service providers, fintechs, and any entity responsible for transaction monitoring, customer due diligence, or onboarding screening.

Summary:

• What: The FCA has released a synthetic dataset with embedded money laundering typologies, available via the Digital Sandbox to test and demonstrate AML detection, particularly AI-driven approaches.
• Why: Effective AML detection requires realistic, complex data, but access to live financial data is restricted. Synthetic data allows firms to test models safely while preserving privacy. 
• What’s Next: The dataset will be used in a regulatory data sprint, with results expected to shape future datasets and how regulators assess the effectiveness of AML controls 

Key Changes:

• Synthetic data introduced as a testing standard: Firms can now test AML models against realistic, privacy-safe datasets with embedded typologies, reducing reliance on live data
• Real-world complexity built into testing: Typologies reflect multi-account, multi-entity, and layered activity, mirroring how financial crime actually occurs
• Realistic complexity: Typologies are non-linear and varied, forcing models to detect patterns rather than rely on static rules.
• Detectability spectrum: Some patterns are easy to detect, others intentionally subtle, mirroring real-world conditions.
• Data sprint model: Firms test solutions in a collaborative sandbox, with oversight and challenge from peers and the FCA.

What This Means for Merchant Onboarding Teams:

While this does not directly change onboarding requirements, it exposes a deeper weakness in many AML control environments. If systems rely on isolated checks, manual verification, or delayed monitoring, they are less likely to reflect how financial crime actually operates. Suspicious activity is rarely visible in a single transaction. It sits across networks, entities, and layered flows.

If onboarding depends on static rules, manual review, limited visibility over linked activity, it will struggle to detect this level of complexity. The expectation is shifting. Firms are no longer only collecting and verifying data. They are expected to structure and monitor it in a way that allows risk to be understood across relationships and over time, not in isolation. 

Recommended Actions:

• Move beyond manual verification: Reduce reliance on manual reviews and ensure onboarding controls can scale to assess complex, multi-entity risk patterns
• Enable real-time risk validation at onboarding: Ensure merchant, beneficial ownership, and behavioral data is validated as it is captured, not after onboarding is complete
• Structure data for network-level risk detection: Capture and organize ownership, relationships, and transaction context so risk can be assessed across entities, not in isolation
• Build continuous monitoring into onboarding: Ensure onboarding feeds into real-time and ongoing monitoring processes, rather than acting as a one-time check

How OnBoard Helps:
OnBoard strengthens AML controls by enabling real-time validation, continuous monitoring, and structured onboarding that supports effective risk detection from day one.

• OnBoard AIQ™ reads onboarding documents in real time, extracts and validates data at intake, and applies configurable logic to identify complex risk patterns before approval
• Smart Forms capture structured merchant and beneficial owners data at the first point of contact, ensuring information is complete and usable for detecting multi-entity and layered risk
• Management by Exception automatically processes low-risk merchants while escalating complex or suspicious cases, reducing reliance on manual verification
• Portfolio OCDD provides continuous monitoring of merchant data and behavior, ensuring AML controls remain effective as risks evolve over time

Source: Financial Conduct Authority

‍

Australia

Expansion of AML/CTF laws to virtual asset service providers (VASPs) including public register and registration blitz

Effective Date: 2 April 2026

Issued By: AUSTRAC

Applies To: All businesses providing virtual asset services in Australia, including crypto exchanges, wallet providers, and any PSPs onboarding merchants involved in crypto or digital asset activity.

Summary:

• What: Australia has expanded AML/CTF laws to formally adopt the “VASP” definition, launched a public register, and completed a regulatory sweep removing inactive crypto firms.
• Why: The virtual asset sector is identified as a high money laundering risk, with gaps in oversight previously allowing dormant or misused registrations to be exploited for illicit activity.
• What’s Next: VASPs must keep registration details current. The public register is now live, and AUSTRAC will continue active supervision of the sector.

Key Changes:

• DCE/VASP terminology: Updated to reflect the broader scope of crypto-related services now captured under AML/CTF rules.
• Public VASP register: A searchable register increases transparency and allows verification of active, legitimate providers. 
• Active enforcement and register cleanup: AUSTRAC has removed inactive and dormant entities, reinforcing the integrity of the register
• Ongoing data accuracy requirements: VASPs must maintain up-to-date business details or risk deregistration.
• Higher barrier to entry: Reinforces strict entry and ongoing compliance standards for crypto businesses.

What This Means for Merchant Onboarding Teams:

The crypto sector does not stand still, and neither can your onboarding. AUSTRAC’s enforcement shows that registration status can change quickly, and relying on manual verification or point-in-time checks will not keep up. In a volatile market like VASPs, manual processes are not just inefficient. They are becoming a direct risk to onboarding integrity.

What matters now is visibility over time. Firms need current validation and continuous monitoring to ensure merchants remain compliant after approval. Without it, businesses can move out of compliance faster than controls can detect, creating avoidable AML risk 

Recommended Actions:

• Eliminate manual verification at onboarding: Replace manual checks with automated validation against the AUSTRAC register to reduce delays and prevent outdated approvals
• Enable real-time VASP validation: Ensure merchant registration status is verified instantly at onboarding, not after approval
• Continuously monitor registration status: Implement ongoing checks to detect changes in VASP status as they happen
• Flag and act on volatility signals: Automatically identify inactive, deregistered, or inconsistent profiles and trigger escalation
• Strengthen classification of crypto merchants: Ensure all in-scope merchants are correctly identified and validated under the expanded VASP definition

How OnBoard Helps:

OnBoard embeds VASP verification directly into onboarding workflows, reducing manual checks and improving control consistency.

• Smart Forms capture key VASP-related information at the first point of contact, including registration details and virtual asset activity, ensuring onboarding data is complete and ready for validation
• Automated KYB validates business entities against global and regulatory data sources, including VASP registers, reducing reliance on manual checks and ensuring accuracy at onboarding
• OnBoard AIQ™ reads onboarding documents in real time, extracts and verifies VASP data at intake, and ensures decisions are based on current, validated information
• Ongoing Customer Due Diligence (OCDD) continuously monitors VASP status and merchant data post-onboarding, detecting changes such as deregistration or inactivity and enabling immediate action

Source: AUSTRAC

‍

India

Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025

Effective Date: 1 April 2026

Issued By: Reserve Bank of India (RBI)

Applies To: All Payment System Providers (PSPs), payment participants, banks, non-bank entities, card issuers, UPI apps, and mobile wallet providers operating in India.

Summary:

• What: The RBI has introduced a strengthened authentication framework mandating two-factor authentication (2FA) for all digital payments, with at least one dynamic, transaction-specific factor, moving beyond reliance on SMS OTP alone.
• Why: To enable the payments ecosystem to adopt more advanced and adaptable authentication methods, moving toward a risk-based approach aligned with evolving technologies and transaction patterns
• What’s Next: Issuers must implement risk-based authentication (RBA). Cross-border CNP transactions must comply by 1 October 2026.

Key Changes:

• Mandatory two-factor authentication with dynamic factor: All transactions must use two distinct authentication factors, with at least one dynamically generated per transaction. OTP can remain part of the process, but not as the sole control.
• Risk-based authentication introduced: Security checks can scale based on risk (e.g. device, behavior, location), balancing friction and protection. 
• Cross-border CNP timeline: Issuers must implement validation and RBA for non-recurring cross-border transactions by October 2026.

What This Means for Merchant Onboarding Teams:

This does not directly change merchant onboarding requirements. But it does signal a broader shift toward risk-based controls becoming the standard across payment systems. 

Payment providers will need to bridge the gap between traditional, manual onboarding models and modern risk-based frameworks. Static data collection and one-time checks are no longer enough to keep up with evolving risk.

Onboarding must now support real-time monitoring of transaction risk, behavior, and context, not just at approval, but continuously. That means capturing structured, usable data upfront so risk can be assessed dynamically as merchant activity evolves. Without this foundation, real-time monitoring cannot function effectively, and risk will go undetected.

‍Recommended Actions:

• Move away from manual onboarding models: Replace static, manual processes with structured and automated data capture that can support dynamic risk assessment
• Capture data to support real-time monitoring: Ensure onboarding collects detailed information on transaction types, channels, and expected behavior to enable ongoing risk visibility
• Enable risk-based merchant profiling: Classify merchants at onboarding based on risk indicators so monitoring can adapt to different risk levels
• Support real-time monitoring capabilities: Ensure onboarding feeds into systems that can continuously assess transaction risk, behavior, and context as activity occurs
• Maintain audit visibility: Record merchant data, risk classification, and onboarding decisions to support traceability and ongoing oversight

How OnBoard Helps:
OnBoard structures onboarding to support stronger authentication governance and risk-based controls from the outset. 

• Smart Forms capture structured data on merchant activity, transaction patterns, and operating context at the first point of contact, ensuring onboarding supports real-time monitoring
• OnBoard AIQ™ extracts and validates onboarding data in real time, improving accuracy and ensuring merchant profiles reflect how they actually operate
• Risk engines apply risk-based logic at onboarding, automatically fast-tracking low-risk merchants while escalating higher-risk or complex cases, ensuring efficiency without compromising control
• Portfolio OCDD enables continuous monitoring of merchant activity post-onboarding, ensuring transaction risk, behavior, and context are assessed in real time as they evolve

Source: Reserve Bank of India 

‍

Cross-market signals for onboarding and compliance teams

April 2026 makes one thing clear: merchant onboarding is becoming a live control layer. Regulators are no longer only asking whether firms collect information. They are focusing on whether onboarding data is accurate, risk-based, monitored over time, and capable of supporting modern payment environments. 

• Fraud is now a front-line onboarding risk, not only a transaction monitoring issue
• Stablecoin and crypto activity introduce issuer, registration, and counterparty risk at onboarding
• AML enforcement is moving toward evidence of effectiveness, not just control design
• Payee verification failures are becoming traceable to poor onboarding data quality
• Payment systems are becoming multi-rail, automated, tokenized, and increasingly cross-border by design
• Synthetic AML testing highlights the limits of static rules and manual verification
• VASP supervision shows why real-time monitoring is essential in volatile sectors
• Risk-based payment controls require structured onboarding data from the start

This is no longer just an onboarding efficiency challenge. It is a risk control challenge that starts at the point of entry. 

OnBoard by MVSI supports that shift by bringing digital onboarding, KYB, AML screening, underwriting and ongoing customer due diligence (OCDD) into a single controlled architecture for regulated payment environments.

We work with payment providers, acquirers, PayFacs, lenders, and banks to operationalize risk-based onboarding, automate decisioning, and maintain real-time visibility over merchant risk, ensuring onboarding remains consistent, auditable, and aligned with evolving regulatory expectations. 

If your onboarding model still depends on manual checks, static data, or fragmented workflows, April’s updates show why that model is becoming increasingly harder to defend.

‍

This content is provided for general information only and does not constitute legal or regulatory advice.