Merchant Onboarding: Global Updates – December 2025 / January 2026

Late 2025 marked a turning point for merchant onboarding as payments, crypto and compliance regimes mature across major markets. What were once infrastructure or policy changes now directly shape how PSPs assess merchants, structure onboarding data and manage early-lifecycle risk.

Across regions, regulators are pushing for richer data, faster settlement and clearer accountability—from ISO 20022 becoming the global payments standard to tighter scrutiny of stablecoins, instant payments and AML controls. For onboarding teams, the message is consistent: cleaner data upfront, stronger risk signals earlier, and less tolerance for remediation after go-live.

In this update (for merchant onboarding & compliance teams)

• What changed: ISO 20022, stablecoin oversight, VoP and data-driven AML enforcement are raising expectations for structured onboarding data and early-lifecycle controls.
• Why it matters: Regulators are shifting from policy guidance to operational scrutiny, making onboarding data quality and audit trails a measurable compliance risk.
• Regulatory signals: Data quality is becoming enforceable • Payee verification is moving upstream • Stablecoin activity is being regulated like financial infrastructure • Monitoring expectations are expanding post-onboarding.
• What to do next: Strengthen KYB/KYC capture at application stage, reduce reliance on remediation, and ensure monitoring (OCDD) is embedded post-activation.

‍

Global

ISO 20022 Cross-Border Payments & Reporting (CBPR+)

Effective Date: 22 November 2025 (payments); further changes through 2026

Issued By: SWIFT (industry standard), with implementation across global market infrastructures

Applies to: Banks and financial institutions sending/receiving cross-border interbank payments over SWIFT (CBPR+ message types), plus their operations/technology teams and vendor systems that create or consume payment messages.

Summary:

ISO 20022 is now the single global standard for cross-border payment messaging, replacing legacy MT formats. From November 2025, payment instructions must be processed in MX format, with stricter validation and richer data requirements. While primarily a payments infrastructure change, it materially raises expectations around data quality, structured information, and compliance readiness. 

Key Changes:

• MT103 and MT202 payment messages have been decommissioned for cross-border payments and replaced by ISO 20022 MX messages (pacs.008/pacs.009).
• Payments sent in MT format after this date incur additional SWIFT charges, including fees for multi-format messaging.
• Enhanced validation means incomplete or poorly structured data can trigger payment rejections (NAKs).
• Structured or hybrid postal addresses become mandatory from November 2026; fully unstructured addresses will no longer be supported.
• Richer data fields (e.g. purpose codes, end-to-end IDs, party roles) are now consistently transmitted across the payment chain.

What This Means for Merchant Onboarding Teams:

PSPs onboarding merchants with weak, incomplete, or unstructured KYB data will  experience rejected cross-border payments. This increases the importance of collecting accurate, structured merchant data at onboarding, rather than relying on remediation after go-live.

Recommended Actions:

• Update onboarding forms to capture structured or hybrid addresses by default.
• Review KYB data fields to ensure they support richer payment data, not just basic compliance checks.
• Flag merchants with legacy or poor-quality data as higher operational risk.
• Coordinate onboarding, payments, and compliance teams to reduce post-activation remediation.
• Prepare merchants early for richer data expectations in cross-border payments.

How OnBoard Helps:

OnBoard captures and validates structured business onboarding data upfront to reduce ISO 20022-related payment exceptions, rejections, and downstream remediation. OnBoard ensures onboarding teams collect and validate ISO-ready merchant data from the start by using Smart Forms to capture structured entities and address information in a consistent format, reducing reliance on free-text fields that can lead to payment rejections. Automated KYB and KYC workflows validate merchant data in real time, helping teams identify missing or poor-quality information before merchants go live, while the Automated Decision Engine flags applications with data gaps so onboarding, risk, and compliance teams can resolve issues early and avoid downstream cross-border payment failures caused by stricter ISO 20022 validation rules.

Source: J.P. Morgan Payments

‍

EMEA

Instant Payments Regulation (IPR) – Verification of Payee (VoP) Scheme Consultation

Effective Date: VoP effective 9 October 2025 (euro-area PSPs); VoP rulebook v1.1 expected mid-March 2026 following consultation

Issued By: European Parliament & Council of the European Union

Applies to: Payment Service Providers (PSPs) offering euro credit transfers (banks, payment institutions, e-money institutions) that must support instant euro transfers and implement Verification of Payee (VoP) requirements.

Summary:

The European Payments Council has opened a public consultation on urgent changes to the Verification of Payee (VoP) scheme rulebook following issues identified shortly after its initial deployment. The consultation signals that VoP implementation under the EU Instant Payments Regulation is still being operationally refined, particularly around interoperability and technical execution. For payment providers, this reinforces that payee verification requirements are evolving and must be accommodated within onboarding and account-setup processes without relying on static implementations.

Key Changes:

• The Verification of Payee scheme rulebook was deployed on 5 October 2025 to support VoP obligations under the EU Instant Payments Regulation.
• Following deployment, issues and inconsistencies were identified that require urgent updates to the rulebook and related technical documentation.
• The European Payments Council launched a public consultation on 18 December 2025 to gather feedback on proposed urgent change requests.
• Proposed updates may affect the VoP rulebook, API specifications, API security framework, and EPC Directory Service documentation.

What This Means for Merchant Onboarding Teams:

‍The EPC consultation reinforces that merchant onboarding must support upfront, real-time collection and validation of payee details, such as names and IBANs, rather than relying on manual or static checks. This increases scrutiny on whether onboarding processes can continuously verify and monitor payee information as VoP rules and APIs evolve.

Recommended Actions:

• Update merchant onboarding flows to capture payee names and IBANs in a structured format at application stage.
  
• Integrate real-time validation checks for payee information during onboarding, rather than post-activation.
  
• Avoid manual or static verification steps that cannot adapt to VoP rulebook or API changes.
  
• Ensure onboarding processes can support ongoing monitoring of payee data accuracy as requirements evolve.
  
• Strengthen coordination between onboarding, payments, and compliance teams around VoP readiness and data quality.

How OnBoard Helps:

OnBoard supports VoP readiness by capturing verified business and payee data during onboarding and maintaining consistent identity controls across onboarding and ongoing monitoring. Verification of Payee places scrutiny on how payee data is collected and validated upfront, OnBoard uses Smart Forms to capture merchant payee details in a structured, verification-ready format during onboarding. Once collected, OnBoard AIQ™ analyzes, validates, and enriches payee information in real time, improving data accuracy and interoperability as VoP rules and APIs evolve. Portfolio OCDD then supports ongoing monitoring, helping payment providers detect changes or inconsistencies in payee data and maintain audit-ready records under continued regulatory scrutiny. 

‍Source: European Payment Council

‍

UK Cryptoasset Regulatory Regime under FSMA

Effective Date: Expected 25 October 2027

Issued By: UK Treasury & Financial Conduct Authority (FCA)

Applies to: Cryptoasset service providers serving the UK market (e.g., exchanges, custodians and other in-scope crypto activities as defined in the draft regime), and regulated firms that onboard/partner with them.

Summary:

The UK is introducing a full regulatory regime for cryptoassets under the Financial Services and Markets Act (FSMA), bringing crypto activities into the FCA’s authorisation and supervision perimeter. From October 2027, firms providing crypto services in or to the UK must be authorised and meet FCA standards. For payment providers, this raises baseline expectations around how crypto-enabled merchants are identified, assessed, and verified during onboarding. 

Key Changes:

• The Treasury proposes to create new regulated cryptoasset activities under the FSMA Regulated Activities Order.
• Firms carrying out these cryptoasset activities will require FCA authorisation before operating.
• Proposed regulated activities include issuance of qualifying stablecoins, custody and safeguarding of cryptoassets, operating trading platforms, dealing, arranging, and staking.
• Cryptoasset firms in scope will be subject to FCA rules and supervision through the FCA Handbook.
• The FCA intends to introduce a dedicated cryptoasset sourcebook and clarify how existing Handbook rules apply to cryptoasset firms.

What This Means for Merchant Onboarding Teams:

‍Teams must place greater emphasis on accurately identifying crypto-related business activities at application stage, rather than relying on broad merchant categories. Even where crypto is not the primary product, onboarding teams need to confirm whether any part of the merchant’s offering could fall within regulated cryptoasset activities. This increases the importance of structured data capture and clear verification during onboarding 

Recommended Actions:

• Identify merchants offering crypto payments or crypto-adjacent services.
• Update onboarding questionnaires to capture crypto use cases and FCA status.
• Flag merchants whose crypto activities may fall within the FCA regulatory perimeter for additional review.
• Ensure onboarding teams apply consistent classification criteria for crypto-enabled merchants.
• Prevent approval where crypto activity cannot be clearly identified or explained during onboarding.

How OnBoard Helps:

OnBoard helps firms onboard cryptoasset businesses safely by applying structured KYB, risk classification, and ongoing due diligence controls aligned to evolving UK regulatory expectations. Because crypto use must be identified during the merchant application, OnBoard Smart Forms ask clear crypto-specific questions only when relevant. OnBoard AIQ™ then reads and validates the information provided, helping onboarding teams quickly understand how crypto is used. Automated KYB workflows verify the merchant entity and ownership, allowing teams to make confident onboarding decisions without manual rework. 

Source: Financial Conduct Authority (FCA)

Explore Breaking Bottlenecks for practical strategies to speed up merchant onboarding while staying compliant.

Download Now

Americas

Proposed Stablecoin Act (Bill C-15, Budget Implementation Act 2025)

Effective Date: Expected 2026–2027 (subject to Royal Assent and regulations)

Issued By: Government of Canada / Department of Finance / Bank of Canada

Applies to: Issuers of fiat-referenced stablecoins in Canada (especially non-prudentially regulated issuers), and financial services firms/PSPs that distribute, custody, or facilitate payments using those stablecoins. 

Summary:

Canada’s proposed Stablecoin Act introduces a federal regulatory framework for fiat-referenced stablecoins made available to Canadians, overseen by the Bank of Canada. While the rules apply mainly to stablecoin issuers, they will shape which stablecoins can be used in payments and under what conditions. This will directly affect how payment providers onboard merchants that accept or rely on stablecoin payment rails.

Key Changes:

• Stablecoin issuers must register with the Bank of Canada before offering stablecoins in Canada. 
• Stablecoins must be fully backed 1:1 by fiat currency or approved high-quality liquid assets held with a qualified custodian.
• Issuers must allow redemption at face value, even during stressed market conditions.
• Issuers are not allowed to offer interest, yield, or rewards to stablecoin holders.
• No automatic transition or grandfathering currently exists for existing stablecoins.

What This Means for Payment Providers:

For PSPs, ISOs, fintechs, and acquirers, stablecoin usage is now an onboarding risk because only registered issuers are permitted and no grandfathering exists. As issuer eligibility, reserve backing, and redemption capability can change over time, onboarding teams need processes that support real-time verification and reassessment of stablecoin and issuer information, making static, document-heavy onboarding less effective.

Recommended Actions:

• Update onboarding flows to capture stablecoin usage and issuer details.
• Integrate verification of issuer registration status as part of merchant onboarding forms. .
• Flag unregistered or foreign-issued stablecoins as elevated risk during onboarding.
• Align merchant risk scoring with reserve, redemption, and custody requirements.
• Prepare for parallel federal and provincial compliance checks during onboarding.

How OnBoard Helps:

OnBoard strengthens stablecoin-related onboarding by verifying business identity, ownership, and risk signals upfront, with audit-ready controls that support regulated digital asset activity. OnBoard supports stablecoin-related onboarding by using Smart Forms to capture clear, structured information on stablecoin usage and issuer details at application stage, reducing reliance on physical documents. OnBoard AIQ™ then reads, extracts, and validates issuer and merchant documentation, enabling real-time verification and reassessment as issuer status or compliance conditions change. These insights feed directly into Automated KYB workflows, which draw on data from over 10,000 sources across 190+ countries to independently verify business and issuer information, helping onboarding and compliance teams identify higher-risk or non-compliant stablecoin arrangements before merchants are approved.

Source: Segev LLP

‍

Consumer-Driven Banking Act (CDBA) – Bill C-15

Effective Date: Target launch early 2026 (subject to regulations)

Applies to: Participating entities under the CDBA, including federally regulated financial institutions, regulated credit unions, registered payment service providers under the Retail Payment Activities Act, and other accredited entities that receive consumer-directed financial data. 

Issued By: Government of Canada / Department of Finance / Bank of Canada

Summary:

Canada’s Consumer-Driven Banking Act introduces a federal open banking framework allowing consumers and businesses to securely share financial data with accredited third parties. Supervised by the Bank of Canada, the regime sets rules around consent, security, accreditation, and liability. While not an onboarding regulation per se, it materially reshapes data access expectations that will feed directly into digital onboarding and verification journeys.

Key Changes:

• The Bank of Canada becomes the supervisory authority for open banking participants.
• PSPs, banks, credit unions, and accredited third parties must obtain formal accreditation.
• Explicit consumer consent is required for all financial data sharing, with revocation rights.
• Participating entities must meet enhanced security, breach reporting, and liability standards.
• Mandatory complaints handling and external dispute resolution are introduced.

What This Means for Merchant Onboarding Teams:

‍Onboarding processes that rely on shared banking or payment data must now meet higher standards for consent capture, security, and auditability. Onboarding teams need clear visibility into whether data sources and third-party providers are accredited, and must be able to demonstrate that consent was properly obtained, managed, and revoked where required during onboarding. This increases the importance of structured, traceable onboarding workflows over informal or ad-hoc data sharing.

Recommended Actions:

• Review onboarding flows that rely on open banking or shared financial data.
• Prepare to verify accreditation status of third-party data providers.
• Strengthen consent capture, storage, and processes within onboarding flows .
• Align onboarding security controls with Bank of Canada expectations.
• Anticipate increased scrutiny of data-sharing partners during merchant due diligence.

How OnBoard Helps:

OnBoard enables audit-ready onboarding workflows by capturing structured consent, verifying entities and authorized representatives, and maintaining consistent controls across onboarding and ongoing due diligence. Built for Consumer-Driven Banking, OnBoard Smart Forms adapt merchant onboarding flows in real time to capture consent, data-sharing disclosures, and accreditation details at the point of onboarding.

Alongside this, OnBoard AIQ™ validates and enriches onboarding and third-party data as it is collected, reducing manual checks and improving data accuracy. The result is cleaner onboarding records and audit-ready reporting aligned with CDBA expectations. 

Source: Baker McKenzie

‍

FinCEN Data-Driven Border Enforcement Operation (MSB AML/BSA Compliance)

Effective Date: December 22, 2025 (announcement of ongoing operation)

Issued By: Financial Crimes Enforcement Network (FinCEN), U.S. Department of the Treasury

Applies to: Money Services Businesses (MSBs) and other BSA/AML-regulated financial institutions exposed to higher-risk cross-border activity (including payments/transfer businesses), and the compliance teams responsible for SAR/CTR controls and monitoring. 

Summary:

FinCEN has launched a large-scale, data-driven enforcement operation targeting U.S. money services businesses operating along the southwest border for potential Bank Secrecy Act (BSA) non-compliance. The operation uses advanced analytics across millions of transaction reports to identify AML failures and has already resulted in investigations, IRS referrals, and compliance actions. While not a formal rule change, it materially raises enforcement expectations for MSBs and their merchant onboarding practices.

Key Changes:

• FinCEN is actively analysing CTRs and SARs at scale to detect AML and sanctions risks.
• MSBs face investigations, IRS examinations, civil penalties, and potential criminal referrals.
• Increased scrutiny is placed on customer identification, transaction monitoring, and reporting controls.
• Oversight expectations extend to agents, branches, and third-party service providers.
• Enforcement is ongoing, not a one-time supervisory review.

What This Means for Merchant Onboarding Teams:

‍For payment providers, strong KYC, customer due diligence, and early risk monitoring are now critical, as transaction data is analyzed at scale by regulators. Manual or one-time verification at onboarding is less effective when merchant identity, activity patterns, and agent relationships are tested against ongoing transaction data. This increases the need for accurate, well-documented verification and risk assessment before merchants are activated, rather than relying on remediation after issues surface.

Recommended Actions:

• Tighten merchant KYC/KYB requirements for MSB-adjacent merchants and agents.
• Review onboarding risk models for exposure to cross-border and cash-intensive activity.
• Strengthen transaction monitoring thresholds at onboarding and early lifecycle stages.
• Validate SAR/CTR readiness before merchant activation, not post-onboarding.
• Document AML controls clearly to support regulator or partner due diligence.

How OnBoard Helps:

OnBoard improves AML defensibility by standardizing KYB/KYC data capture, risk decisioning, and audit trails that support monitoring, escalation, and regulatory review. OnBoard embeds automated AML workflows to verify merchant and counterparty information against authoritative and government data sources as onboarding occurs, ensuring information is captured in a consistent and defensible way. Once data is collected, OnBoard AIQ™ analyzes, validates, and enriches it, improving data quality and generating clearer insights for compliance teams. Portfolio OCDD then applies ongoing monitoring to detect changes in risk, behaviour, or data integrity over time, helping maintain audit-ready reporting and stronger AML defensibility under continued FinCEN scrutiny. 

Source: FinCEN

‍‍

APAC 

New UPI Payment Rules & Operational Guidelines (2025–2026)

Effective Date: 1 April 2026 - Enhanced authentication 

Issued By: Reserve Bank of India (RBI) & National Payments Corporation of India (NPCI)

Applies to: UPI ecosystem participants, especially banks and Payment Service Providers (PSPs), that must comply with NPCI operational limits and performance rules; second-order impact for merchants reliant on UPI flows.

Summary:

India’s UPI framework is entering a tighter operational and security phase, with stronger authentication, stricter platform controls, and refined transaction limits. While consumer-facing payments remain friction-light, the rules raise baseline expectations for payment security, monitoring, and auditability. For PSPs, this sets the direction of travel for future onboarding, controls, and risk segmentation.

Key Changes:

• Mandatory two-factor authentication for all domestic digital payments from April 2026, with at least one dynamic factor per transaction.
• Category-based UPI transaction limits expanded (up to ₹5 lakh per transaction for select merchant categories).
• Operational caps introduced on balance checks, account discovery, and transaction status queries to reduce system abuse.
• Recurring (AutoPay) transactions restricted to non-peak hours with controlled retry logic.
• UPI market-share cap for third-party apps extended to 31 December 2026, delaying forced scale-downs.

What This Means for Merchant Onboarding Teams:

‍UPI onboarding will require more merchant data upfront, as transaction limits, authentication, and AutoPay access now depend on accurate merchant classification. Manual, document-heavy onboarding will not scale, because missing or unstructured information will lead to blocked payments or failed transactions after go-live. Onboarding teams must capture and validate merchant information digitally at application stage to avoid downstream bottlenecks.

Recommended Actions:

• Update merchant application forms to capture UPI transaction size, frequency, and use of recurring payments upfront.
• Align merchant risk tiers with UPI transaction limits and authentication expectations.
• Prepare for stronger post-onboarding monitoring tied to transaction behaviour, not just static checks.
• Design application forms to surface additional information requirements automatically for higher-value or recurring UPI use cases. 
• Coordinate onboarding and fraud teams to reduce downstream disputes and operational friction.

How OnBoard Helps:

OnBoard reduces operational friction by capturing complete merchant onboarding data once and routing risk, compliance, and approval workflows efficiently across high-volume payment environments. With UPI onboarding requiring more structured merchant data upfront, OnBoard uses Smart Forms to capture transaction behaviour, limits, and recurring payment usage directly in the merchant application. OnBoard AIQ™ then validates and structures this information in real time, reducing reliance on manual documents that cannot scale. Reporting provides clear, audit-ready records of how merchants were classified and approved, supporting tighter RBI and NPCI scrutiny. 

Source: National Payments Corporation of India (NPCI) & Reserve Bank of India (RBI)

‍

Hong Kong Implementation of OECD Crypto-Asset Reporting Framework (CARF) and Amended CRS

Effective Date: 1 January 2027 (first exchanges in 2028)

Issued By: Financial Services and the Treasury Bureau (FSTB) and Inland Revenue Department (IRD)

Applies to: Reporting financial institutions in Hong Kong (CRS scope) and reporting crypto-asset service providers (RCASPs) under CARF once implemented, including tax and compliance teams responsible for AEOI reporting readiness.

Summary:

Hong Kong is implementing the OECD’s Crypto-Asset Reporting Framework (CARF) and expanded CRS rules. While tax-focused, the changes significantly increase due diligence, data collection, and registration requirements for crypto and digital payment providers. These requirements will indirectly raise onboarding and transparency expectations for merchants with crypto exposure.

Key Changes:

• PSPs offering or enabling crypto payments must support enhanced customer and UBO data capture.
• Mandatory registration and reporting increase expectations for PSP-level visibility over merchant crypto activity.
• Transaction reporting requirements raise the bar for monitoring crypto-to-fiat and crypto-to-crypto flows.
• Digital money products are treated more like traditional payment accounts under CRS.
• RCASPs must keep sufficient records for at least 6 years, and penalties scale based on the nature of non-compliance (including per-user penalties in some cases).
  

What This Means for Merchant Onboarding Teams:

‍Hong Kong’s CARF and CRS changes signal greater compliance scrutiny on crypto-related activity, raising expectations for data accuracy, consistency, and long-term record keeping. For merchant onboarding, this means teams must collect clean, structured information that can be relied on later to identify and evidence risk, rather than relying on fragmented documents or informal checks. 

Recommended Actions:

• Clearly identify merchants with crypto or digital-asset activity during onboarding.
• Capture accurate, structured KYB and ownership data that can support future scrutiny.
• Ensure onboarding records are complete, consistent, and retained to meet audit expectations.
• Use onboarding data to surface potential risk indicators early, not after go-live.

How OnBoard Helps:

OnBoard strengthens compliance readiness by verifying entity structures and controlling onboarding data quality, supporting audit trails and ongoing due diligence for reporting and regulatory obligations. As Hong Kong increases scrutiny on data accuracy and record keeping, OnBoard Smart Forms capture clean, structured KYB, KYC, and AML information at onboarding.  OnBoard AIQ™ then validates and enriches this data, helping teams establish a reliable baseline. Portfolio OCDD continuously monitors merchants after onboarding, flagging changes, inconsistencies, or new risk indicators so records remain accurate, traceable, and audit-ready over time.

Source: OECD / Hong Kong Financial Services

Cross-market signals for onboarding and compliance teams

Across regions, regulators are converging on the same operational expectations:

• Structured onboarding data upfront (less tolerance for remediation post go-live)
  
  
• Earlier risk classification (KYB, ownership complexity, crypto exposure)
  
  
• Real-time verification readiness (VoP, issuer status, accreditation status)
  
  
• Ongoing monitoring as standard (OCDD, portfolio changes, audit trails)

Need help translating regulation into onboarding controls?

We work with payment providers, acquirers, PayFacs and banks to operationalise KYB, AML and ongoing monitoring requirements inside end-to-end onboarding workflows.

Request a demo. 

‍

This content is provided for general information only and does not constitute legal or regulatory advice.