The Regulatory Context of 2025
The UK financial regulatory landscape in 2025 was characterised by a paradox. On one hand, the government's stated priority was growth: the financial services regulatory reforms initiated under the Edinburgh Reforms continued to emphasise competitiveness and proportionality as design principles. On the other hand, the practical experience of regulated firms was one of increasing compliance burden, driven by the simultaneous activation of several major regulatory regimes.
PwC's Financial Services Regulatory Outlook noted that the average compliance cost per employee in UK financial services rose by approximately 18% in 2025, the largest single-year increase in a decade. For fintechs, the picture was more acute: growth-stage businesses that had previously operated with minimal regulatory overhead were, for the first time, facing the full weight of Consumer Duty, the APP fraud reimbursement rules, the incoming crypto framework, and HMRC's expanded digital asset reporting obligations — all in the same year.
What follows is a CFO-level review of the six most significant regulatory developments of 2025, and their implications for 2026.
1. Consumer Duty: Year Two and the Enforcement Phase
The FCA's Consumer Duty entered its second year in July 2025. The first year, which ran from July 2023 to July 2024, was explicitly framed by the FCA as an implementation period during which firms were expected to embed the new standards but where supervisory patience was extended for transitional challenges. Year two brought a materially different stance.
The FCA published its first Consumer Duty annual report in mid-2025, which was blunt in identifying the areas where firms were falling short. The FCA identified three recurring failure patterns: firms that had completed the required governance work (Board champion, Board-level sign-off on the Customer Outcomes Assessment) but had not embedded the consumer outcomes framework in operational decision-making; firms that were applying Consumer Duty standards to new products but had not conducted the required review of legacy products; and firms in the consumer credit and BNPL space that were still using friction-heavy complaint and cancellation processes that were inconsistent with the ease of redress requirements.
Enforcement action in 2025 focused primarily on two areas: retail investment platforms where Consumer Duty requirements around suitability and fair value had not been properly implemented, and consumer lending businesses where the vulnerability assessment requirements were found to be superficial. Two significant s.166 (skilled person review) orders were placed on fintech firms in the consumer credit space, with remediation requirements that included board-level attestations to the FCA on specific remediation milestones.
For CFOs, the Consumer Duty enforcement experience of 2025 has two direct implications. First, the costs of remediation when a Consumer Duty failure is identified post-enforcement are materially higher than the cost of getting it right upfront; building Consumer Duty compliance costs into the annual budget is not optional. Second, the FCA's focus on fair value assessments — the requirement to demonstrate that the price charged to customers is proportionate to the benefit received — requires the finance function to provide detailed cost attribution data that many firms do not currently maintain at the required level of granularity.
2. The FCA Crypto Roadmap: From Consultation to Final Policy
2025 was the year the FCA's crypto regulation moved from consultation to publication. CP25/14 (covering conduct requirements for stablecoin issuance and custody) and CP25/15 (the CRYPTOPRU prudential sourcebook for crypto firms) were published in the first half of 2025. The consultation periods closed in Q3 2025, and the FCA has indicated that final Policy Statements are expected in H1 2026.
For crypto-active fintechs, the publication of CP25/14 and CP25/15 in 2025 meant the end of regulatory uncertainty about the shape of the regime. The five-layer capital structure for stablecoin issuers — combining the 1:1 backing pool with the ODDR, BACR, ILAR, and OFR requirements — is now substantially clear, even if minor adjustments may result from the consultation feedback. The September 2026 authorisation gateway is confirmed. The CRYPTOPRU prudential sourcebook sets out capital requirements that are analogous to the Investment Firms Prudential Regime (IFPR), adapted for the specific risks of crypto businesses.
One significant development in 2025 was the FCA's publication of further guidance on the cryptoasset financial promotion regime, which had been live since October 2023. By mid-2025, the FCA had taken enforcement action against several overseas crypto businesses that were communicating financial promotions to UK consumers without appropriate approval or exemption. This enforcement activity strengthened the position of UK-registered firms that had invested in compliance, but it also raised the bar for what "adequate" financial promotion compliance looks like.
3. PSR APP Fraud Reimbursement: The First Year of Operation
The Payment Systems Regulator's mandatory APP (Authorised Push Payment) fraud reimbursement rules came into force in October 2024, requiring PSPs to reimburse victims of APP fraud up to a maximum of £85,000 per claim, with the cost split 50:50 between the sending and receiving payment service providers.
The first full year of operation through 2025 revealed several areas where the rules created unexpected complexity for fintechs. The £85,000 maximum is higher than the industry had lobbied for, and the 50:50 cost-sharing mechanism creates a direct P&L cost for any receiving PSP that has accounts used by fraud perpetrators. For neo-banks and challenger payments firms with high account opening volumes, the cost of the reimbursement obligation in the first year was, in several cases, materially above initial projections.
The PSR conducted a data collection exercise in mid-2025 to assess the regime's operation and published preliminary data showing that reimbursement rates (the proportion of eligible claims that were reimbursed) varied significantly across PSPs. The FCA and PSR have signalled that firms with materially below-average reimbursement rates will face supervisory attention in 2026.
For CFOs, the APP fraud reimbursement cost is now a recurring P&L line that needs to be modelled and managed. The key drivers are: total payment volume, fraud rate on the firm's accounts (both sending and receiving), and the proportion of fraud cases that meet the eligibility criteria. Finance functions that do not have a clear view of fraud exposure by payment type and direction are flying blind on a cost line that could be material.
4. Open Banking: The Variable Recurring Payments Milestone
Open Banking implementation in the UK made its most significant structural progress in 2025 with the launch of the first commercial Variable Recurring Payments (VRP) services beyond the existing sweeping use case. Following the Joint Regulatory Oversight Committee's (JROC) roadmap, the PSR mandated the nine largest UK banks to make VRP APIs available to third-party providers for a broader range of payment use cases from mid-2025.
This development has direct financial implications for fintechs and payment processors. VRPs offer an alternative to card-based subscription payments and direct debits, with potentially lower unit costs. For fintechs that process significant volumes of recurring payments (subscription billing, regular savings, utility payments), the economics of the VRP route versus existing payment rails are now worth modelling in detail.
The competitive implications are also significant: Open Banking-enabled account-to-account payments reduce the interchange income that card issuers and payment networks generate, and create new competitive pressure on those parts of the payments value chain that have historically benefited from the cost of card-based payments.
5. HMRC Digital Asset Framework: CARF Implementation
The Finance Act 2024 received Royal Assent and came into effect in 2025, implementing the OECD's Crypto-Asset Reporting Framework (CARF) in UK law. From 1 January 2026, UK-registered crypto service providers are required to begin collecting and reporting customer data to HMRC under the new regime.
The practical preparation required through 2025 was substantial: identifying which customers are reportable, implementing due diligence processes to collect and verify tax identification information, building or adapting transaction recording systems to capture the data required for CARF reporting, and training operational staff on the new requirements. For exchange platforms that process millions of transactions, the data infrastructure requirement alone is significant.
HMRC has confirmed that the first CARF reporting deadline — covering the 2025-2026 reporting year — will fall in 2026. Firms that have not completed their CARF readiness work are at risk of enforcement action and, potentially, of having their registration status put under review by the FCA as part of the authorisation gateway assessment.
"The cumulative regulatory burden on a UK fintech in 2025 was qualitatively different from anything the sector has experienced before. The question for 2026 is not whether to invest in compliance infrastructure — it is how to do so without choking the growth that justifies the investment."
6. The FCA's AI and Data Agenda
The FCA's approach to AI regulation in 2025 was notable for its deliberate restraint on new rules, combined with an increasingly assertive supervisory stance on AI governance. Rather than introducing a dedicated AI rulebook, the FCA's position throughout 2025 was that existing rules — particularly SMCR accountability, Consumer Duty outcomes, and the operational resilience framework — apply to AI-driven decisions in the same way they apply to human-driven ones. The accountability for an AI model that produces a biased credit decision sits with the approved person responsible for that function.
In practice, this means that the use of AI in consumer-facing financial services decisions requires firms to maintain model documentation, explainability standards, and ongoing monitoring that would satisfy an SMCR-level accountability test. The FCA's Consumer Duty assessment of fair value applies to any pricing or lending decision made by an AI model. The operational resilience standards for important business services apply to AI systems that are critical to the delivery of those services.
For CFOs, the AI governance agenda creates specific requirements. Model risk management for AI systems used in credit decisions, pricing, or fraud detection requires investment in model validation capability that many fintechs do not currently have. The finance function may need to build or procure the capability to perform ongoing monitoring of AI model performance against fair value and Consumer Duty metrics.
The Cumulative Compliance Burden: What CFOs Must Prioritise
Taken individually, each of the six regulatory developments described above is manageable. Taken together — and layered onto the existing obligations of a typical UK fintech — they represent a genuinely material increase in compliance infrastructure, operational change, and ongoing management cost. The HM Treasury Fintech Review published in late 2025 acknowledged this cumulative burden and noted that smaller fintechs were disproportionately affected, given the fixed-cost nature of much compliance infrastructure.
For CFOs prioritising their 2026 compliance investment, the sequencing question is critical. The September 2026 FCA authorisation gateway has the hardest deadline and the most severe consequences of non-compliance for crypto-active businesses. Consumer Duty enforcement is active and creating real costs now. APP fraud reimbursement is a live P&L line that needs to be modelled and managed in the current year. CARF reporting has an immediate 2026 deadline for the first report submission.
Key Takeaways
- Consumer Duty entered its enforcement phase in 2025, its second year; s.166 orders were placed on fintech consumer credit firms and the FCA's patience for transitional excuses is exhausted.
- CP25/14 and CP25/15 are published; the September 2026 FCA authorisation gateway is confirmed and the five-layer capital structure for stablecoin issuers is substantially set out.
- APP fraud reimbursement costs in Year 1 exceeded projections for several neo-banks; this is now a permanent P&L line that requires ongoing modelling and management.
- VRP APIs are now available beyond sweeping use cases; the economics of account-to-account payments for recurring billing deserve detailed modelling in 2026.
- CARF reporting goes live in January 2026; firms that have not completed due diligence collection and system build are at immediate regulatory risk.
- The FCA's AI governance approach is principles-based via SMCR and Consumer Duty; model risk management for AI-driven decisions is a CFO-level responsibility.
- The cumulative compliance cost increase across all these developments was approximately 18% per employee in 2025; budget accordingly for 2026.