Merchant Onboarding: Global Regulatory Update – March 2026

March 2026 shows a clear regulatory shift: merchant onboarding is increasingly being treated as the first controlled point of fraud prevention, jurisdictional risk management, identity assurance, and compliance accountability. For regulated payment providers, this raises the standard for how onboarding decisions are evidenced, how high-risk cases are escalated, and how control is maintained when digital identity, third parties, or automated workflows are involved. Firms that can combine onboarding speed with system-enforced governance will be better placed to reduce exposure, satisfy supervisory expectations, and scale with confidence.

‍

In this update (for merchant onboarding & compliance teams)

What changed: Regulators are tightening rules. FATF now treats cyber-enabled fraud as a money-laundering channel, cross-border payments are shifting to jurisdictional action plans, and the ECB has launched its digital euro pilot.

Why it matters: Regulators are enforcing, not advising. Fraud due diligence is now central to onboarding. Digital identity speeds verification but liability remains with the firm, and geographic risk triggers mandatory controls.

Regulatory signals: Regulators are signalling earlier fraud intervention, stronger identity assurance, tighter jurisdictional controls, and clearer accountability for how onboarding decisions are made and evidenced.

What to do next:

• Embed fraud-risk scoring into onboarding
• Verify UK digital identity providers
• Automate enhanced due diligence for high-risk jurisdictions
• Prepare for the digital euro, cross-border updates, and full BNPL regulation

‍

Global

Cyber-Enabled Fraud: Digitalization and Money Laundering, Terrorist Financing and Proliferation Financing Risks

Effective Date: 24 February 2026 

‍Issued By: Financial Action Task Force (FATF)

‍Applies To: All financial institutions, payment service providers, fintechs, and reporting entities globally, particularly those operating in jurisdictions where cyber-enabled fraud is a growing threat.

‍Summary:

• What: The FATF has published a new paper examining how cyber-enabled fraud has become one of the most widespread and damaging forms of financial crime, and how countries can use the FATF Standards to tackle it.
• Why: Fraud volumes are exploding. In Singapore, scam cases are up 61% in two years, and in the UK, fraud now accounts for over 40% of all crimes. 90%  of FATF-assessed jurisdictions have identified fraud as a major money laundering risk.
• What’s Next: Over the next few years, the FATF will double down on fraud, including analyzing the rise of scam centres and pushing countries to mobilise the full FATF toolkit, from payment transparency to asset recovery.

‍Key Changes:

• Payment transparency: Increasing traceability of fraud proceeds, including through measures such as confirmation of payee mechanisms. 
• Asset recovery: Revised FATF Standards now require payment-suspension or freezing tools, non-conviction-based confiscation, and faster international cooperation to recover stolen funds.
• Virtual assets: Jurisdictions are expected to close gaps in implementing FATF Standards to reduce misuse of crypto and digital assets for fraud.
• Beneficial ownership (BO): Professional fraudsters use shell companies to hide proceeds. Revised BO standards require a risk-based, multi-pronged approach to collecting and using ownership information.
• Domestic and international partnerships: National anti-fraud centres and AML coordination bodies need to work more closely across borders to detect and disrupt transnational fraud networks.
• Advanced technology: Financial Intelligence Units (FIUs) and banks are increasingly using machine learning models to detect fraud-related anomalies, with some also building risk-scoring systems for payments. 

‍What This Means for Merchants Onboarding Teams:

If you're onboarding merchants, you now need to think about fraud risk differently. It's not just about whether a merchant might commit fraud, but whether their business could be used to move or disguise fraud proceedings. This raises the stakes at onboarding, where missed signals can expose your organization to fraud losses, regulatory scrutiny, and downstream liability.

It also increases expectations to verify ownership structures, understand how the business actually operates, and capture sufficient data to support defensible decisions. Modern fraud strategies are increasingly embedded in how merchants present themselves online, from deceptive websites and disguised storefronts to hidden or misrepresented business activity, making surface-level checks increasingly unreliable.

‍Recommended Actions:

• Expand onboarding data capture: Capture structured data on how the business operates, including website behavior, customer journey, and expected payment flows to support traceability of funds
• Validate business activity at onboarding: Assess whether the merchant’s stated activity aligns with observed behavior and declared business model, particularly where online presence may misrepresent actual operations
• Strengthen beneficial ownership checks: If a merchant's ownership structure looks unnecessarily complex or opaque, treat that as a red flag and dig deeper before approving.
• Look at payment transparency tools: Start exploring whether "confirmation of payee" or similar mechanisms could help you verify that funds are going where they're supposed to.
• Keep an eye on virtual assets: If you're onboarding crypto-related merchants or businesses that deal in digital assets, make sure your due diligence is aligned with FATF standards, this is an area where enforcement is likely to tighten.
• Stay tuned for the Global Fraud Summit: The FATF is participating in the Interpol/UNODC summit in Vienna next month. Expect further guidance on operational capabilities to prevent, detect, and recover fraud proceeds.

‍How OnBoard Helps:

OnBoard enables organizations to detect and control hidden fraud risk at merchant onboarding through structured data, behavioral analysis, and enforced decisioning.

• AIQ SiteScanner™ identifies deceptive website behavior: Analyzes merchant websites to detect cloaking, redirects, and mismatches between stated and actual business activity, exposing risks that static onboarding checks may miss.
• Smart Forms capture structured onboarding data: Standardizes the  collection of business model, ownership, and digital presence to support accurate risk assessment.
• Decision Engine enforces risk-based onboarding decisions: Applies rules, flags inconsistencies, and ensures high-risk merchants are escalated or blocked before approval.
• Reporting provides auditability of onboarding decisions: Maintains a clear record of data, checks, and outcomes to support defensibility under regulatory scrutiny.

‍Source: FATF

‍

FSB Cross-border Payments Summit: New Implementation Phase for G20 Roadmap

‍Effective Date: 12 March 2026 (announcement) / End-2027 target for significant improvements

‍Issued By: Financial Stability Board 

‍Applies To: Global payment service providers, banks, fintechs, central banks, and any businesses involved in cross-border payments.

‍Summary:

• What: The FSB has kicked off a new implementation phase for the G20 Roadmap on cross-border payments, pushing for jurisdictional action plans and stronger public-private collaboration to meet the end-2027 goals.
• Why: Despite progress, cross-border payments are still too slow, expensive, and opaque for many users. The FSB is making clear that the work isn't done and that collective action is essential to deliver real improvements.
• What's Next: Public authorities will develop jurisdictional and regional action plans. The IIF will produce a report later this year on how the roadmap should evolve. Swift is rolling out a new retail payments framework from June 2026.

‍Key Changes:

• Jurisdictional action plans: FSB members will develop practical action plans identifying priorities for enhancing payment systems within their jurisdictions and regions.
• Private sector leadership: The Institute of International Finance (IIF) is assessing how the external environment has changed since 2020 and will deliver industry recommendations for the next phase of the roadmap later this year.
• Swift retail payments framework: From June 2026, banks will offer a new framework ensuring consumer payments over Swift benefit from faster speeds, cost certainty, and end-to-end transparency.
• Blockchain integration: Swift is also building infrastructure for a shared, blockchain-based ledger, targeting 24/7 real-time cross-border payments.
• End-2027 deadline: The push is on to deliver significant improvements by the end of 2027.

‍What This Means for Merchants Onboarding Team:

If you're onboarding merchants with cross-border payment capabilities, expectations are shifting towards greater transparency and visibility of how transactions flow across jurisdictions. This requires onboarding teams to capture accurate data on payment flows, counterparties, and jurisdictions, and to ensure decisions are clearly documented and defensible. 

With payment frameworks moving towards faster and real-time cross-border processing, as highlighted by Swift’s initiatives, onboarding data must be structured and reliable enough to support real-time risk monitoring, where transaction activity can be assessed continuously with limited opportunity for delayed intervention.

Recommended Actions:

• Capture cross-border payment flows at onboarding: Collect structured data on how merchants send and receive international payments, including corridors, counterparties, and transaction types to support transparency and traceability 
• Get ready for Swift's retail framework: Ensure onboarding workflows captures key data to support faster, more transparent cross-border payments and evolving infrastructure requirements 
• Map jurisdictional exposure at onboarding: Record the countries involved in payment flows to support alignment with upcoming jurisdictional and regional action plans
• Engage with industry bodies: The IIF is kicking off its assessment work around the IMF and World Bank Spring Meetings. If you're in the payments industry, this is your chance to have input.
• Support real-time payment readiness: Ensure onboarding data is structured and complete to enable continuous monitoring as cross-border payments move towards real-time processing

‍How OnBoard Helps:

OnBoard enables organizations to capture and govern cross-border onboarding data in a way that supports transparency, jurisdictional control, and defensible decision-making as payment expectations evolve. 

• Smart Forms capture structured cross-border payment data: Fully customizable, white-labeled digital application forms collect detailed information on international payment activity and jurisdictions at onboarding, with data automatically passed to the risk engine for real-time verification and alignment with evolving cross-border requirements. 
• Decision Engine enforces onboarding controls: Automates approval decisions in real time based on pre-defined risk criteria (e.g. cross-border activity, jurisdictional exposure and more), enabling straight-through processing for low-risk cases while flagging exceptions for review.
• Reporting enables auditability and visibility: Maintains a clear record of onboarding data and decisions to support transparency and alignment with regulatory expectations

Source: Financial Stability Board (FSB)

‍

United States

Federal Banking Agencies: Revised Basel III & G-SIB Surcharge Proposals

‍Effective Date: Proposed rules released 19 March 2026 

‍Issued By: Federal Reserve Board, FDIC, OCC

‍Applies To: Large US banking organizations, including Category I and II banks, banks with significant trading activity, and smaller banks that opt into the framework.

‍Summary:

• What: The Federal Reserve, FDIC, and OCC have released revised proposals to implement the final 2017 Basel III standards, along with updates to the G-SIB surcharge and the Standardized Approach for risk-weighted assets.
• Why: The agencies are recalibrating the 2023 proposals to address industry feedback, reduce unnecessary burden on smaller banks, and ensure capital requirements are appropriately tailored to risk.
• What's Next: The proposals were considered by the FDIC Board on 19 March 2026 and are subject to a 90-day comment period. Finalization of related stress testing changes is expected later this year.

‍Key Changes:

• Basel III Proposal: Banks will move to a simpler, single method for calculating capital, using more consistent risk measures across credit, equity, and operational activities. 
• G-SIB Surcharge: The revised surcharge would decrease modestly for most global systemically important banks, with changes to the short-term wholesale funding component and smaller 10-basis-point increments.
• Standardized Approach Proposal: Smaller banks focused on traditional lending could see moderately reduced capital requirements, with mortgage servicing assets no longer deducted from capital.
• Optional adoption: Any bank can opt into the Basel III framework, giving smaller institutions flexibility.

‍What This Means for Merchants Onboarding Team & Business Lending:

If you're onboarding merchants, this places greater importance on clearly understanding and classifying both the merchant’s business model and any associated business lending exposure at onboarding. As capital frameworks become more risk-sensitive, banks will rely more heavily on accurate merchant and financial data to determine how different activities and lending exposures are treated. This means onboarding teams must ensure data is complete, correctly categorized, and decisions are documented to support defensibility where treatment varies.

‍Recommended Actions:

• Classify merchants by business activity and lending exposure: Ensure merchants are correctly categorized based on their business model and any associated business lending exposure
• Capture structured merchant and financial data at onboarding: Collect consistent information to support accurate classification and assessment under risk-sensitive capital treatment. 
• Align onboarding inputs with risk-sensitive frameworks: Structure onboarding data so merchant activity and lending exposure can be assessed consistently and support real-time classification and decisioning under the revised framework 
• Validate merchant data for completeness and consistency: Ensure business and financial information is accurate and usable to support classification and risk assessment
• Document onboarding classifications and decisions: Maintain clear records of merchant classification, financial information, and decision rationale to support consistency and defensibility

‍How OnBoard Helps:

OnBoard enables organizations to capture, classify, and control merchant onboarding data in a structured way that supports risk-sensitive assessment and consistent decisioning.

• Smart Forms capture structured merchant and financial data: Dynamic application forms adapt to merchant inputs, capturing relevant business and financial details in a structured format to support accurate classification and downstream decisioning.
• KYB and KYC workflows verify merchant information: Ensure merchant identity and business data are validated in real time against global KYC and KYB data sources, including company registries, sanctions lists, PEP databases, and adverse media.
• Decision Engine enables real-time classification and decisioning: Uses customizable rules and scoring models to automate credit and risk decisions end-to-end, enabling straight-through approvals while managing only high-risk cases by exception.
• Reporting provides auditability of onboarding decisions: Maintains a clear record of merchant data, classification, and decision rationale to support consistency and defensibility. 

Source: Federal Deposit Insurance Corporation 

Learn how to remove onboarding bottlenecks across your onboarding workflows.

Download Now

Canada

FINTRAC Advisory – FATF High-Risk Jurisdictions & Ministerial Directives

‍Effective Date: March 2, 2026 (FINTRAC advisory)

‍Issued By: FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) & Department of Finance Canada

‍Applies To: All Canadian reporting entities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, including banks, money service businesses, payment processors, and fintechs.

‍Summary:

• What: Following the February 2026 FATF plenary, the Minister of Finance issued directives requiring enhanced measures for financial transactions involving jurisdictions identified by the FATF as high-risk, particularly those subject to a call for action such as the Democratic People’s Republic of Korea (DPRK) and Iran 
• Why: To safeguard the integrity of Canada’s financial system by addressing continued deficiencies in these countries' AML/CFT regimes and the heightened risk of sanctions evasion.
• What’s Next: Reporting entities must immediately apply mandatory high-risk treatment, enhanced due diligence, and specific reporting obligations for transactions linked to DPRK, Iran, and Russia. They also need to stay across the updated FATF ‘grey list’ of jurisdictions under increased monitoring.

‍Key Changes:

• Iran: New counter-measures have been introduced. All transactions originating from or bound for Iran must now be treated as high-risk, reported to FINTRAC, and subjected to enhanced customer due diligence (including source of funds and beneficial ownership checks).
• Myanmar: Entities must assess geographic risk, determine suspicious transaction reporting obligations, report sanctions evasion–related activity, and apply enhanced due diligence where appropriate.
• DPRK: The existing Ministerial Directive remains in force, requiring high-risk treatment and mandatory identity verification for all DPRK-related transactions, regardless of amount. Financial institutions must also assess correspondent banking partners' sanctions controls.
• Russia: The Minister of Finance requires all transactions linked to Russia to be treated as high-risk, with mandatory identity verification, customer due diligence focused on sanctions evasion risk, and record-keeping obligations. 
• ‘Grey List’ Update: The FATF has reaffirmed its list of 22 jurisdictions under increased monitoring, including Algeria, Angola, Bolivia, the British Virgin Islands, Bulgaria, Cameroon, Côte d’Ivoire, the Democratic Republic of the Congo, Haiti, Kenya, Kuwait, Lao People’s Democratic Republic, Lebanon, Monaco, Namibia, Nepal, Papua New Guinea, South Sudan, Syria, Venezuela, Vietnam, and Yemen. Reporting entities must factor geographic risk into their assessments
• Listed Person or Entity Reporting: As of March 2, 2025, the Terrorist Property Report is now the Listed Person or Entity Report, with new reporting obligations alongside existing requirements.

‍What This Means for Payment Providers:

If you're onboarding merchants, this significantly raises the stakes around geographic risk, particularly where exposure to high-risk or monitored jurisdictions exists. It is no longer sufficient to rely on surface-level checks. Onboarding teams must ensure that customer information, beneficial ownership, and transaction purpose are fully captured and verified to withstand scrutiny around sanctions evasion risk. This also means onboarding processes must consistently apply higher-risk treatment, enforce additional controls, and maintain clear records, as failures in classification or verification can directly expose the institution to regulatory, financial, and reputational risk.

Recommended Actions:

• Review your client base: Start by identifying any existing merchants or partners with ties to DPRK, Iran, Myanmar, Russia, or any of the 22 ‘grey list’ countries. 
• Capture detailed ownership and transaction purpose: Collect structured data on beneficial ownership, source of funds, and intended transaction activity to support sanctions evasion risk assessment
• Update your risk assessment: Make sure your onboarding risk scoring now flags geographic location from these jurisdictions as an automatic high-risk factor.
• Check your due diligence flow: Ensure your process for verifying identity, source of funds, and beneficial ownership kicks in before any transaction is completed, not after.
• Brief your team: Make sure your onboarding and compliance staff know that sanctions evasion is now a distinct reporting obligation. If something feels off, they need to flag it.
• Document and retain defensible onboarding decisions: Maintain clear records of risk classification, due diligence performed, and decision rationale to withstand regulatory scrutiny 

How OnBoard Helps:

OnBoard provides a structured onboarding architecture that enables organizations to apply consistent, risk-based controls at the point of merchant onboarding, ensuring high-risk cases are identified and managed with appropriate scrutiny while low-risk approvals continue without unnecessary delay.

• Structured data capture via Smart Forms: Standardizes the collection of merchant, ownership, and transaction data to support accurate geographic risk identification and defensible onboarding decisions.
• Real-time KYB, KYC, and AML checks: Verifies merchant identity, beneficial ownership, and risk exposure against global data sources to strengthen detection of high-risk and sanctioned entities in real-time. 
• OnBoard AIQ™ decision engine enables automated decisioning and document validation: Reads and analyzes merchant documents, extracts key data, translates content, and applies configurable prompts to determine whether submitted information meets pre-defined onboarding requirements.
• Flexible risk scoring tailored to jurisdictional risk: Allows payment providers to define and apply customized risk criteria across any jurisdictions, enabling consistent treatment of high-risk countries and monitored regions. 

‍Source: FINTRAC Advisory

‍

United Kingdom

HM Treasury Guidance: Using Digital Identities with the Money Laundering Regulations

‍Effective Date: 26 February 2026 

‍Issued By: HM Treasury

‍Applies To: All UK regulated entities covered by the Money Laundering Regulations 2017 (MLRs), including banks, payment institutions, money service businesses, fintechs, estate agents, legal firms, accountants, casinos, and high-value dealers.

‍Summary:

• What: HM Treasury has published guidance confirming that regulated entities may use certified digital identity services, listed on the Digital Verification Services (DVS) register, to verify customer identity as part of their customer due diligence (CDD) obligations under the Money Laundering Regulations.
• Why: The move aims to support the use of reliable and independent digital identity verification methods with appropriate anti-impersonation assurance, while maintaining existing AML requirements. 
• What's Next: Regulated entities should now review their onboarding processes to determine where certified digital identity services can be adopted, while maintaining their ultimate liability for appropriate customer due diligence.

‍Key Changes:

• Digital identities are officially recognized: Regulated entities can now use digital identity services that are certified against the UK trust framework and listed on the DVS Register to verify customer identities under Regulation 28 of the MLRs.
• Certification matters: Only services that are independently certified and on the DVS Register qualify as a "reliable and independent source" for identity verification. Non-certified services cannot be relied upon for compliance purposes.
• Scope covers individuals and directors: The guidance confirms that certified digital identity services can be used to verify both individual customers and company directors.
• Liability remains with the regulated entity: Even when using certified services, regulated entities remain ultimately responsible for any failures to apply CDD measures appropriately.
• Not a complete solution: Digital identities cover identification and verification but do not automatically fulfill all CDD requirements, such as assessing the purpose and intended nature of the business relationship.

‍What This Means for Merchants Onboarding Teams:

For onboarding teams, the guidance creates a clearer basis for using certified digital identity within customer due diligence, but it does not reduce the firm’s underlying AML responsibility. Regulated entities may use certified services on the DVS Register to support identity verification, but they remain accountable for whether CDD is appropriate, complete, and proportionate to risk. In practice, this means digital identity should be integrated into a broader control framework that still captures purpose, ownership, and risk context, with clear records of the verification method used and the rationale for the onboarding decision. 

For teams assessing delivery models for identity verification and due diligence, our article on outsourced KYC explores the operational and compliance considerations in more detail.

‍Recommended Actions:

• Check your current identity verification provider: If you're already using a digital identity service, make sure it's certified against the trust framework and listed on the DVS Register. If it's not, you can't rely on it for compliance.
• Review your onboarding workflows: Identify where certified digital identity can be applied within onboarding to support consistent and scalable identity verification, particularly for lower-risk merchants 
• Maintain risk-based assessment alongside digital identity: Ensure digital identity verification is used as part of, not a replacement for, existing risk assessment and enhanced due diligence processes 
• Check sector-specific guidance: Different sectors have their own detailed guidance from bodies like HMRC, JMLSG, and the Gambling Commission. Make sure you're up to speed on how digital identities apply in your specific area.
• Document your approach: Make a clear record of which certified services you're using and how they fit into your CDD process. If something goes wrong, you'll need to show you've taken reasonable steps.

‍How OnBoard Helps:

OnBoard enables organizations to incorporate certified digital identity into onboarding without weakening control over CDD, decisioning, or auditability under the MLR framework.

• Smart Forms allow fully customizable, white-labeled digital application forms to capture certified digital identity and KYC data, structuring information at source and passing it directly into downstream risk and verification workflows
• Real-time KYC validation by automating identity verification by processing and validating data against global databases including sanctions, PEP, identity, and adverse media sources in real-time.
• OnBoard AIQ™ enhances identity analysis by reading, extracting and validating data from submitted documents, classifying information in real time and improving the accuracy and quality of verification outcomes.
• Audit-ready records for digital identity verification: Maintains clear, traceable records of identity verification methods, documents collected, and decisions made to support compliance and defensibility under MLRs.

‍Source: GOV.UK

‍

PRA & FCA March 2026 Deferred Payment Credit (BNPL) Regulation Update 

‍Effective Date: 15 July 2026 

‍Issued By: Financial Conduct Authority (FCA)

‍Applies To: Deferred payment credit providers (including BNPL firms), and firms offering instalment-based payment solutions 

‍Summary:

• What: Deferred payment credit (including BNPL) is being brought into the FCA regulatory perimeter as a formal regulated activity, with new conduct, disclosure, and reporting requirements.
• Why: Regulators are addressing consumer harm risks, including poor transparency, unaffordable lending, and lack of oversight in the fast-growing BNPL market.
• What's Next: From 15 July 2026, firms must operate under FCA authorization (or temporary permissions), comply with Consumer Credit Sourcebook (CONC) requirements, and implement new reporting and customer protection controls.

‍Key Changes:

• BNPL becomes regulated: From 15 July 2026, BNPL products fall within the FCA regulatory perimeter.
• Authorization required: Providers must be FCA-authorized or operate under a temporary permissions regime to continue offering services.
• Criminal liability for non-compliance: Firms without permission cannot issue new BNPL agreements after this date, and doing so will be a criminal offence. 
• Stronger affordability checks: Providers must ensure customers can repay and fully understand the risks before borrowing.
• Greater customer protection: Firms must provide clear information and support customers who face financial difficulty.

‍What This Means for Deferred Payment Credit Providers:

BNPL providers can no longer treat merchant onboarding as a commercial intake process alone. Merchant approval now sits more clearly within a regulated credit and conduct framework, where weak onboarding, poor merchant oversight, or poorly governed customer journeys can create direct regulatory and criminal exposure. 

Recommended Actions:

• Tighten merchant onboarding controls: Ensure all merchants offering BNPL are properly vetted, documented, and aligned with FCA requirements before approval.
• Audit existing merchant base: Identify gaps in compliance, especially around customer journeys, disclosures, and credit offering practices.
• Implement clear eligibility and use-case rules: Define which merchants and products are appropriate for BNPL to avoid misuse or regulatory breaches.
• Strengthen monitoring and oversight: Continuously track merchant behavior to detect non-compliant activity early.
• Prepare for authorisation: Align onboarding, risk, and compliance processes with FCA expectations ahead of full regulatory approval.

‍How OnBoard Helps:

OnBoard enables payment providers to apply governed merchant onboarding controls in a newly regulated BNPL environment, ensuring that merchant approval, verification, and risk treatment operate within a defensible compliance framework.

• Smart Forms capture complete merchant and BNPL use case data upfront: Acting as the merchant application layer, Smart Forms ensures structured collection of merchants information, business information and relevant KYC/KYB data to fully assess risk exposure.
• OnBoard AIQ™ automates document verification and data extraction: AI reads, extracts, and validates merchant documents, removing manual checks and improving accuracy and consistency in onboarding decisions.
• Automated KYB, KYC and AML workflows enable consistent compliance by verifying merchant information against global data sources, detecting fraud and risk indicators early, and ensuring only compliant merchants progress through onboarding.

Source: FCA 

‍

Ireland 

Consumer Protection Code 2025

‍Effective Date: 24 March 2026 (following 12-month implementation period)

‍Issued By: Central Bank of Ireland

‍Applies To: All regulated financial services firms in Ireland, including banks, insurers, investment firms, intermediaries, and (under recent updates) crypto-asset service providers (CASPs) and credit servicing firms.

‍Summary:

• What: Ireland’s updated Consumer Protection Code 2025 is now in effect, introducing strengthened conduct, governance, and consumer protection requirements, with a core focus on securing customers’ interests and improving how firms collect, assess, and communicate customer information.

• Why: The Central Bank is shifting toward a more proactive, consumer-outcomes-driven framework, requiring firms to take responsibility for ensuring customers are informed effectively, protected from fraud, and only provided with suitable products.

• What’s Next: Payment providers must ensure merchant onboarding and payment flows are designed to prevent misleading customer interactions, clearly distinguish regulated services, and embed controls to detect fraud and financial abuse across digital channels. 

‍Key Implementations :

• Ensure merchant onboarding captures how services will be offered to end customers, including use case, product structure, and customer interaction model
• Enforce clear and non-misleading presentation of customer-facing information within merchant payment and checkout flows
• Implement controls to prevent merchants from misrepresenting regulated services or creating confusion for end customers
• Strengthen fraud and financial abuse controls across onboarding and ongoing merchant activity
• Design digital payment and onboarding journeys to support transparent, informed customer interactions rather than speed-driven decisions

‍What This Means for Merchants Onboarding Teams & Payment Providers:

While not directly affecting merchant onboarding, the Code raises the bar on PSP accountability for fraud, scams, and customer outcomes. Manual checks such as reviewing documents in isolation are no longer enough, as providers must capture complete and accurate information upfront to properly understand how merchants will operate and where risks exist. Onboarding must be structured and transparent, ensuring customer-facing journeys are clear and not misleading, as any gaps in data or oversight can directly lead to regulatory exposure.

Recommended Actions:

• Capture sufficient merchant use case and service delivery information during onboarding to understand how customer interactions occur
• Replace manual, fragmented document checks with structured and consistent verification processes
• Ensure onboarding processes support clear and accurate customer-facing outcomes across payment journeys
• Strengthen fraud and scam risk controls at onboarding and through ongoing merchant monitoring
• Maintain complete, accurate, and auditable onboarding data to support transparency and regulatory review 

‍How OnBoard Helps:

OnBoard enables payment providers to strengthen merchant onboarding controls by structuring application data, automating verification, and maintaining full visibility over how merchants are assessed and approved.

• Smart Forms enable structured capture of merchant use case and service delivery data, ensuring onboarding collects complete and accurate information on how merchants operate and interact with customers.
• OnBoard AIQ™ enables automated document processing and validation, replacing fragmented manual checks by extracting, interpreting, and verifying data consistently across all onboarding applications.
• Automated KYB, KYC and AML enable standardized verification and fraud detection, ensuring risk indicators are identified early and compliance controls are applied consistently across onboarding.

Source: Central Bank of Ireland

‍

European Union

ECB Digital Euro: Technical Preparations Update & Piloting Launch

‍Effective Date: Speech delivered 24 March 2026 / Piloting begins H2 2027

‍Issued By: European Central Bank

‍Applies To: All payment service providers (PSPs), banks, fintechs, merchants, and businesses operating in the euro area.

‍Summary:

• What: The ECB has provided an update on its ongoing technical preparations for a potential digital euro, including pilot activities involving payment service providers (PSPs) and continued work with market participants to integrate the digital euro into the European payments ecosystem. 
• Why: The digital euro is seen as essential to strengthening EU monetary sovereignty, reducing fragmentation in retail payments, and supporting the resilience of the Single Market, particularly in light of geopolitical uncertainty.
• What's Next: A call for PSPs to join the pilot closed in May 2026, with selected participants notified in June. Piloting runs for 12 months from the second half of 2027, with a potential issuance as early as 2029, subject to legislation.

‍Key Changes:

• Pilot programme launched: The ECB has invited licensed PSPs to participate in a pilot to test digital euro infrastructure in real-life conditions, focusing on person-to-person and person-to-business payments.
• Inclusion and accessibility by design: The ECB is working with disability organizations to ensure the digital euro app is accessible to all, including features like voice commands, large-font displays, and simplified workflows.
• Innovation platform expansion: The ECB will support market participants in developing value-added services like conditional payments, bill-splitting, e-receipts, and offline payments functionality.
• Co-badging with domestic schemes: The digital euro can be co-badged with existing European domestic payment schemes on physical cards, reducing reliance on international card schemes.
• Common European standards: The ECB expects to announce the European standards for digital euro by summer 2026, giving the market certainty to prepare.

‍What This Means for Payment Providers:

For PSPs, the digital euro is not yet an immediate onboarding obligation, but it does reinforce the need for onboarding models that can capture merchant payment capabilities, configuration requirements, and control logic in a structured way from the outset. As payment methods become more configurable and standards-based, firms will need onboarding processes that can support change without relying on fragmented rework, manual interpretation, or inconsistent merchant setup. The operational implication is clear: onboarding data must be structured, governed, and flexible enough to support future payment rails within a controlled framework.

‍Recommended Actions:

• Update merchant application forms to capture payment capabilities: Ensure onboarding forms clearly capture how merchants intend to accept payments, including readiness to support emerging payment methods within a unified European framework
• Design flexible onboarding data fields for evolving payment methods: Ensure onboarding forms can dynamically adapt to support new payment types like the digital euro, without disrupting existing workflows designed for current merchant payment applications
• Automate low-risk onboarding pathways: Implement automated decisioning for low-risk merchants to streamline approvals and reduce operational strain, particularly as additional resources may be required during the digital euro rollout
• Maintain auditability of payment configurations: Keep clear records of how merchant payment capabilities are defined at onboarding to support consistency as payment frameworks evolve 

How OnBoard Helps:

OnBoard enables PSPs to maintain control over merchant setup as payment frameworks evolve, by structuring onboarding data, configuration logic, and approval pathways within a governed onboarding architecture.

• Smart Forms enable structured capture of merchant payment capabilities, allowing application forms to collect how merchants intend to accept payments, including readiness for digital euro and other emerging payment methods within a unified European framework. 
• Flexible onboarding logic adapts application forms in real time, presenting relevant fields based on merchant inputs so new payment types like the digital euro can be supported without disrupting existing onboarding workflows
• OnBoard AIQ™ enables automated decisioning for low-risk merchants, using AI to extract and assess onboarding data against configurable criteria to streamline approvals while flagging higher-risk or complex cases for review
• Reporting and audit capabilities enable full traceability of merchant payment configurations, maintaining clear records of onboarding data and decisions to support consistency and control as European payment standards evolve

Source: European Central Bank

Australia

RBA Payments System Board – March 2026 Meeting Update

Effective Date: 5 March 2026 

Issued By: Reserve Bank of Australia, Payments System Board

‍Applies To: Australian payment service providers, banks, merchants, card scheme participants, cash distribution providers, and businesses involved in account-to-account (A2A) payments.

‍Summary:

• What: The Payments System Board has outlined its priorities for 2026, including regulatory action on card surcharging and interchange fees, a proposed framework for cash distribution, and concerns about industry progress on modernizing account-to-account payments.
• Why: The Board is pushing for a more resilient, transparent, and competitive payments system, with a particular focus on ensuring cash remains accessible for regional communities and that the transition away from legacy systems like Bulk Electronic Clearing System (BECS) is orderly.
• What's Next: A Conclusions Paper on card payment regulation is due by the end of March 2026, with an implementation timeline. The final report on Project Acacia (tokenised assets) will be published in late April 2026.

‍Key Changes:

• Card surcharging and interchange: The Board is considering changes to the regulation of card payment surcharging, interchange fees, and fee transparency. 
• Cash distribution framework: The Board supports a proposed regulatory framework for cash distribution services, including crisis powers for the public sector to ensure continuity of cash access, particularly in regional and remote areas.
• Account-to-account (A2A) payments: The 2030 target end-date for the BECS has been removed, reducing short-term pressure. However, the Board is concerned about industry consensus and warns it will take further action if progress stalls.
• Tokenised assets: Project Acacia findings confirm the potential benefits of tokenized asset markets, but barriers remain. The RBA will pursue an ongoing program of public-private collaboration to support innovation in wholesale payments.

‍What This Means for Merchants Onboarding:

For payment providers, the shift toward more data-rich and real-time payment environments increases the importance of structured merchant onboarding. As payment methods diversify and infrastructure changes, fragmented or manual onboarding creates greater risk that merchant configurations, payment capabilities, and approval decisions will be applied inconsistently. The immediate implication is not simply speed. It is control: firms need onboarding processes that capture payment-relevant data accurately, apply consistent decision logic, and support future changes without weakening governance. 

Recommended Actions:

• Eliminate manual onboarding bottlenecks: Identify and remove manual processes that will not scale in a real-time, A2A-driven payments environment.
• Adopt automated, digital-first onboarding: Implement straight-through, API-enabled onboarding to support faster, data-rich merchant setup and evolving A2A use cases.
• Design for multi-rail and future A2A compatibility: Ensure onboarding frameworks can support both existing payment methods and future A2A models without requiring re-onboarding.
• Capture deeper merchant payment data upfront: Collect insights on payment flows, bulk payment needs, and digital readiness to enable smoother transition to A2A infrastructure.
• Segment onboarding by cash vs digital dependency: Tailor onboarding journeys based on merchant reliance on cash versus readiness for digital payments to manage risk and transition effectively.

‍How OnBoard Helps:

OnBoard enables payment providers to replace fragmented onboarding with a controlled, scalable framework that supports changing payment models without sacrificing governance or data quality.

• Smart Forms capture structured data required for A2A payment models by dynamically adapting application forms to collect detailed information on merchant payment flows, use cases, and digital readiness upfront, ensuring merchants are onboarded with complete and compatible payment configurations.
• Automated Decision Engine supports real-time onboarding at scale by applying configurable rules to assess merchant risk and approving low-risk applications instantly, removing manual bottlenecks that cannot keep pace with real-time A2A payment expectations.
• OnBoard AIQ™ eliminates manual document review and improves data quality, by automatically reading and extracting key information from merchant documents, validating inputs against onboarding criteria, and reduces reliance on manual checks while maintaining consistency.
• Portfolio OCDD ensures ongoing alignment as merchants transition to A2A through continuous monitoring of merchant behavior and risk in real time, allowing providers to manage changes in payment usage without relying on static periodic reviews.

Source: Reserve Bank of Australia

‍

Personnel Due Diligence Requirements (AML/CTF Reform)

Effective: 31 March 2026 (Now in force)

Issued by: AUSTRAC

Applies To: Reporting entities regulated under Australia’s AML/CTF regime, particularly those responsible for customer due diligence, merchant onboarding, compliance operations, and approval governance.

Summary:

• What: AUSTRAC’s strengthened personnel due diligence requirements are now in effect, extending AML/CTF accountability beyond customers to the individuals responsible for onboarding and compliance decisions.
• Why: The reform makes personnel suitability, approval authority, and evidential governance more central to AML/CTF compliance, particularly where staff perform regulated onboarding and decision-making functions.
• What’s Next: Reporting entities must ensure personnel performing AML/CTF functions are assessed before engagement and on an ongoing basis, with documented procedures, reassessment triggers, and retained evidence embedded into AML/CTF programs.

For a deeper breakdown, see Australia’s 2026 AML/CTF Personnel Due Diligence Reforms.

Key Changes:

• Mandatory initial and ongoing due diligence: Personnel must be assessed before engagement and throughout their role
• Risk- and role-based assessments: Requirements scale based on ML/TF exposure and seniority
• Competence and integrity checks: Including AML/CTF knowledge, capability, and background screening where appropriate
• Policy and documentation requirements: Procedures, reassessment triggers, and outcomes must be formally defined and recorded 

What This Means for Merchant Onboarding Teams:

Merchant onboarding is now a controlled regulatory function, not just an operational process. Providers must ensure that only qualified, authorized, and consistently assessed personnel are making onboarding decisions, with clear audit trails. Informal approval structures or undocumented decisioning now create direct AML/CTF exposure.

Recommended Actions:

• Conduct immediate due diligence on all onboarding personnel by assessing and documenting competence, AML/CTF knowledge, and integrity.
• Define and enforce named approval authority by assigning specific individuals or roles to approve merchant applications and removing informal access.
• Implement defined reassessment schedules and triggers including periodic reviews and event-based checks such as role or risk changes.
• Centralize and retain all assessment and approval evidence ensuring records are complete, documented, and readily available for supervisory review.
• Eliminate manual and uncontrolled onboarding decisions by enforcing structured, governed workflows with no ad hoc approvals.

How OnBoard Helps: 

Governance over onboarding decisions now needs to extend beyond customer due diligence to the personnel and approval controls behind it. MVSI supports this through OnBoard by MVSI and TalentScreen by MVSI, combining controlled onboarding decision-making with structured personnel due diligence.

• TalentScreen by MVSI supports personnel due diligence at scale: Enables pre-engagement and ongoing integrity, background, and qualification checks for individuals performing AML/CTF functions, helping firms assess, document, and evidence personnel suitability.
• OnBoard by MVSI enforces controlled onboarding decision-making: Embeds  role-based approval authority within onboarding workflows so only authorized personnel can approve merchant applications, while maintaining structured records of approval authority, user activity, and decision logic to support supervisory review.
• Audit-ready governance supports defensibility: Together, these capabilities help firms maintain consistent, controlled, and evidentially robust onboarding governance under AUSTRAC scrutiny.

Source: AUSTRAC

‍

India 

Regulation name: Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025

Effective: 1 April 2026

Issued by: Reserve Bank of India (RBI)

Applies To: All payment system providers and payment system participants in India, including banks and non-bank entities. The Directions apply to domestic digital payment transactions unless specifically exempted, with additional requirements for certain cross-border card-not-present transactions from 1 October 2026.

Summary: 

• What: The RBI has issued the Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025, requiring digital payment transactions to use at least two distinct factors of authentication, with at least one dynamic factor for transactions other than card-present payments.
• Why: The Directions are intended to strengthen the integrity of digital payment authentication, support alternative authentication methods beyond the ecosystem’s historic reliance on SMS-based OTP, and enable firms to apply stronger risk-based controls where transaction risk is higher. 
• What’s Next: Firms must comply by 1 April 2026 unless otherwise specified. For certain cross-border card-not-present transactions involving cards issued in India, issuers must implement validation and risk-based handling mechanisms by 1 October 2026.

Key Changes:

• Minimum two-factor authentication: All digital transactions must be authenticated using at least two distinct factors of authentication (e.g. OTP + PIN, biometrics, or token), unless an exemption applies. 
• Dynamic authentication requirement: For digital payment transactions other than card-present transactions, at least one factor must be dynamically created or proven and unique to that transaction.
• Risk-based controls: Issuers may assess transactions using behavioral and contextual parameters such as location, user behavior, device attributes, and transaction history, and may apply additional checks beyond the minimum authentication requirement where risk warrants it.
• Issuer accountability: Issuers are responsible for ensuring the robustness and integrity of the authentication mechanism before deployment. Where loss arises from transactions processed without complying with the Directions, the issuer must compensate the customer in full.
• Cross-border CNP requirements: By 1 October 2026, issuers must implement validation mechanisms and a risk-based framework for cross-border card-not-present transactions involving cards issued in India. 

What This Means for Merchant Onboarding:

For payment providers onboarding merchants in India, the Directions increase the importance of capturing payment configuration, authentication dependencies, and risk controls correctly from the outset. Where merchants operate in digital environments that depend on card-not-present or other remote payment flows, onboarding must do more than verify identity and business status. It must also establish whether the merchant’s payment setup, customer journey, and transaction profile can support compliant authentication and risk treatment. As authentication becomes more risk-sensitive and accountability remains with the issuer, weak merchant setup and incomplete onboarding data become more difficult to defend.  

Recommended Actions:

• Review merchant onboarding fields to ensure payment configuration and transaction context are captured in a structured way
• Confirm that remote and card-not-present payment journeys can support compliant authentication requirements
• Align onboarding logic with higher-risk transaction types, channels, and merchant profiles
• Ensure approval decisions and payment setup assumptions are clearly documented and auditable
• Prepare for the October 2026 cross-border card-not-present requirements where relevant merchant exposure exists 

How OnBoard Helps: 

OnBoard enables payment providers to structure merchant onboarding in a way that supports compliant payment setup, stronger authentication governance, and defensible decision-making from the outset.

• Smart Forms capture authentication, payment, and KYC requirements at onboarding by dynamically collecting merchant profile data, authentication methods, and compliance information to ensure complete and compliant setups from day one.
• Automated Decision Engine enables enforcement of 2FA and risk-based onboarding decisions by applying configurable rules to merchant data, allowing low-risk and compliant cases to be approved instantly while escalating higher-risk or non-compliant cases for further review. 
• OnBoard AIQ™ ensures accurate validation of merchant data during onboarding, by extracting and validating key information from submitted documents to reduce manual errors and ensure authentication and risk criteria are correctly recorded.
• Audit-ready reporting provides full traceability from onboarding onwards: Maintain structured records of merchant configurations, authentication setup, and approval decisions to support compliance, dispute resolution, and regulatory review.

Source: Reserve Bank of India (RBI)

‍

Cross market signals for onboarding and compliance teams

March points to a clear supervisory shift: onboarding is increasingly being treated as the point where fraud controls, jurisdictional risk, identity assurance, approval governance, and evidential standards must come together in practice. Across markets, regulators are raising expectations not only about what firms assess, but about how consistently those assessments are applied, escalated, and recorded.

• Fraud and financial crime treated as onboarding risks, not just transaction monitoring issues
• Greater scrutiny on how merchants operate, not just who they are
• Structured onboarding data required to support cross-border transparency and real-time payments
• Liability and accountability sitting firmly with providers, even when using digital identity or third parties
• Regulated payment products (like BNPL) bringing merchant onboarding directly into the regulatory perimeter
• Manual onboarding controls no longer sufficient under increasing regulatory expectations

This is no longer primarily an efficiency challenge. It is a governance challenge at the point of entry.

OnBoard by MVSI supports that shift by bringing digital onboarding, KYB, AML screening, underwriting and ongoing customer due diligence into a single controlled architecture for regulated payment environments.

We work with payment providers, acquirers, PayFacs, lenders and banks to embed KYB, KYC, AML, CDD and approval governance directly into merchant onboarding workflows.

If your onboarding model needs stronger control, clearer auditability, and more consistent merchant risk decisions under increasing regulatory scrutiny, speak with us about OnBoard by MVSI. 

‍

This content is provided for general information only and does not constitute legal or regulatory advice.