
Wednesday, 11 February 2026

Buy Now Pay Later Regulation To Start In July

Finally we have a date for the extension of consumer credit protection to certain 'buy now pay later' agreements. There has been a long-delayed consultation process, which I've covered on this blog, resulting in a final Policy Statement issued today. As is typical, the FCA has made a few, fairly minor, changes to the approach that it consulted on in July 2025. Firms that aren't already regulated will be able to register for temporary permission between 15 May 2026 and 1 July 2026, and will have 6 months from 15 July to apply for full authorisation. If you need advice on the new regime, including whether you fall into it, please let me know.

Broadly, BNPL is interest-free credit for a consumer's purchase of goods or services that is repayable within 12 months in no more than 12 instalments. This has benefited from an exemption from consumer credit regulation that the government has now limited to situations where the retailer or merchant ("supplier") is providing the credit directly to the customer. This means that such agreements will be regulated where a third party lender is involved ("deferred payment credit" or "DPC"). 

That market for DPC is already highly concentrated: three firms account for over 90% of the volume. But by regulating the product, the FCA thinks that other regulated firms might now offer it. I doubt it, but I suppose any unregulated firm that chooses to become regulated in order to offer DPC might decide to offer other types of regulated consumer credit.

Unlike with other forms of consumer credit (including various "exempt agreements" that do not include BNPL), the supplier will not need to be authorised as a credit broker in order to introduce the consumer to a DPC lender.

Ultimately, this is intended to benefit consumers. The FCA wants them to have fewer late payments and to be treated better when in financial difficulty. That means information to help them understand the risks of "deferred payment credit" as well as their rights, obligations and the protection available. This means they should have a better chance of being able to afford what they borrow, miss fewer repayments and be charged fewer late fees. Lenders should also end up being more supportive where the borrower encounters financial difficulty.

If the impact of increased regulation of 'payday lending' is anything to go by, the extension of regulation into this space should mean fewer DPC agreements than that part of the BNPL market sees today.



Monday, 12 January 2026

New UK Rules on Handling Data Protection Complaints

Among the recent changes to UK privacy law, UK controllers of personal data will need to update their privacy policies, processing agreements and related procedures by June this year to include a process for handling complaints about a breach of the UK's data protection law and regulation, including by providing a complaint form which can be completed by data subjects electronically. This post is for information purposes only. Please let me know if you need any drafting or advice on how to comply.

Controllers must acknowledge receipt of a complaint within 30 days and, "without undue delay" take appropriate steps to respond and inform the complainant of the outcome. That includes making enquiries into the subject matter of the complaint, "to the extent appropriate", and informing the complainant about progress. 

The Information Commissioner has consulted on guidance on complaints handling requirements.

What if we already have a complaints procedure?

Some service providers are already required to have complaints handling policies and processes (e.g. financial services firms), and it's common for a customer to complain about more than one issue at the same time, so it's best to sweep up data protection complaints in the same process. 

Will we need to report the number of complaints received etc?

There's also the potential for the ICO to require controllers to report the number of complaints they receive in a given period, which may be in the pipeline. 

What other changes have been made?

The Information Commissioner has also issued more general guidance on the changes made under the Data (Use and Access) Act 2025, including changes relating to 'legitimate interests'.


Wednesday, 17 December 2025

Have You Risk Assessed Your Chatbot? The General Product Safety Regulation

Amid the hype of agentic AI and people developing unfortunate relationships with chatbots, it's worth a reminder that the GPSR establishes safety obligations on manufacturers and their agents and other authorised representatives, importers, distributors, fulfilment service providers (e.g. warehouses) and online marketplaces that are targeting or otherwise participating in the EU consumer market, as well as Northern Ireland and the EEA (even if based outside the EU). This post is for information purposes. Let me know if you need legal advice, either via the UK or Ireland/EEA.

A 'product' could be any item, whether tangible, non-tangible or mixed nature, including software/AI applications, whether new, used, repaired or reconditioned, as of 13 December 2024 or since.

The GPSR does not legislate for product liability, which is dealt with under EU product liability legislation.

The European Commission has now issued detailed GPSR guidelines to help affected businesses to understand the requirements, including criteria for each category and how a business could fall into more than one. 

The UK government has also issued guidelines for businesses targeting or otherwise participating in the Northern Ireland market.

Manufacturers must perform and record an internal risk analysis before placing a product on the EU market (the guidelines include a template). Those based outside the EU will need to appoint a "responsible person" in the EU (who could be an importer etc) and disclose that on the product, packaging, parcel or an accompanying document. The 'responsible person' also has certain obligations, including notification of accidents. 

Safety recalls and warnings to consumers must be done in a certain manner; and there is a Safety Business Gateway that firms (or their 'responsible person') must use to inform the authorities about dangerous products and accidents, depending on where they sit in the supply chain.


Thursday, 11 December 2025

New Security Requirements For Digital Products - Hardware and Software

The EU's Cyber Resilience Act begins to apply from June 2026, ahead of full implementation in December 2027.

When designing, developing and producing any product with digital elements that is specified as 'critical' or 'important', the manufacturer will need to ensure that the product meets the essential cybersecurity requirements, carry out cyber risk and conformity assessments and comply with reporting obligations. 

Importers, distributors and 'open-source software stewards' also have specific obligations. 

The CRA itself is here, and the technical descriptions of 'important' and 'critical' products have just been published. 

There is also an initial set of FAQs that seems likely to evolve as implementation proceeds.

The full implementation time line, with links to relevant docs, is set out here.

This post is for information purposes. Please let me know if you need advice on it, whether you're based in or outside the EEA.


Wednesday, 24 September 2025

Tsunami Warning: The UK's FCA Consults On How It Will Regulate Crypto Activities

In April, the UK government published its proposed financial regulations for certain activities related to cryptoassets that will be supervised by the Financial Conduct Authority. Now, the FCA is consulting on the rules that it will apply. The consultation paper is a useful 'explainer' for those unfamiliar with the FCA's approach to regulation and supervision, as many in the crypto world will be. There is a lengthy 'cost benefit analysis' in Annex 2 that's worth burrowing into for the specific impact of the rules on the crypto sector (as the FCA views it). The consultation ends on 12 November, with some items for comment by 15 October. Even more, activity-specific rules will be published for consultation by year end as part of the FCA's 'crypto roadmap'.

The regulated cryptoasset activities will include issuing qualifying stablecoins, safeguarding qualifying cryptoassets and specified investment cryptoassets, operating a qualifying cryptoasset trading platform, intermediation and staking. 

FCA rules are very extensive and require firms to have appropriate systems, controls, processes, financial resources and expertise. For a sector that is very much anchored in libertarian, 'techno optimist' waters, this represents a tsunami...


Monday, 23 June 2025

EU Payment Services Reform: PSD3 & PSR Loom Larger

We are apparently nearing the next step in the evolution of EU payments law, with the publication of new versions of the proposed directive and accompanying regulation. The original proposals were published in June 2023, which I covered here.

PSD3 will govern licensing and supervision of e-money and payment institutions, while the PSR will govern the operation of payment services (including those offered by banks). Of course, the directive will need to be implemented under the national laws of each member state, while the regulation will apply directly (though will likely require some local implementation).

Among the more revolutionary aspects are proposals for an anti-fraud framework. Regulated payment service providers (PSPs) will have to share fraud-related information and adopt a system to check IBANs against the corresponding bank account name before permitting transfers. 
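As an added illustration of the kind of pre-transfer check described above (this is example code written for this post, not the Commission's proposal text or any PSP's actual system), the sketch below validates the payee IBAN with the ISO 13616 mod-97 checksum and then compares the name the payer entered with the name held for that account, distinguishing an exact match, a close match that should prompt the payer to confirm, and no match. The account directory and the transfer requests are constructed for the example; the IBANs are the widely published sample values rather than real accounts, and a live PSP would query its own ledger or a confirmation-of-payee service instead.

```python
"""Sketch of an IBAN-plus-payee-name check before a credit transfer.

Example code for illustration only; the directory below is constructed and
the IBANs are published sample values, not real accounts.
"""
import difflib
import re
import unicodedata

# Constructed in-memory directory: IBAN -> name held for the account.
ACCOUNT_DIRECTORY = {
    "GB82WEST12345698765432": "Jane O'Neill-Smith",
    "DE89370400440532013000": "Müller Werkzeugbau GmbH",
    "FR1420041010050500013M02606": "SOCIÉTÉ EXEMPLE SAS",
}

# Similarity (0..1) at or above which a near miss is reported as a close
# match rather than a plain mismatch. Threshold is an assumption for the demo.
CLOSE_MATCH_THRESHOLD = 0.8


def canonical_iban(iban: str) -> str:
    """Strip spaces and upper-case, so 'gb82 west ...' keys the directory."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters
    A..Z to 10..35, and the resulting integer must be 1 modulo 97."""
    s = canonical_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def normalise_name(name: str) -> str:
    """Fold case, drop accents and punctuation, collapse whitespace, so that
    trivial typing differences do not defeat the comparison."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_only.casefold())
    return " ".join(cleaned.split())


def check_payee(iban: str, entered_name: str, directory=ACCOUNT_DIRECTORY) -> dict:
    """Return the outcome of the check. 'allow' means the transfer may proceed
    without a warning; a CLOSE_MATCH returns the held name so the payer can
    confirm, and INVALID_IBAN / NOT_FOUND / NO_MATCH should all warn."""
    key = canonical_iban(iban)
    if not iban_is_valid(key):
        return {"outcome": "INVALID_IBAN", "allow": False, "score": 0.0}
    held = directory.get(key)
    if held is None:
        return {"outcome": "ACCOUNT_NOT_FOUND", "allow": False, "score": 0.0}
    entered, stored = normalise_name(entered_name), normalise_name(held)
    score = difflib.SequenceMatcher(None, entered, stored).ratio()
    if entered == stored:
        return {"outcome": "MATCH", "allow": True, "score": score}
    if score >= CLOSE_MATCH_THRESHOLD:
        return {"outcome": "CLOSE_MATCH", "allow": False, "score": score,
                "suggested_name": held}
    return {"outcome": "NO_MATCH", "allow": False, "score": score}


if __name__ == "__main__":
    # Constructed transfer requests exercising each outcome.
    requests = [
        ("GB82 WEST 1234 5698 7654 32", "jane o'neill smith"),
        ("DE89370400440532013000", "Mueller Werkzeugbau"),
        ("FR1420041010050500013M02606", "Acme Widgets Ltd"),
        ("GB82WEST12345698765433", "Jane O'Neill-Smith"),
        ("GB29NWBK60161331926819", "Anyone"),
    ]
    for iban, name in requests:
        print(f"{iban:32} {name:24} -> {check_payee(iban, name)}")
```

The mod-97 check only catches mistyped or malformed IBANs; the name comparison is what addresses misdirected or socially engineered payments, which is why a close match surfaces the held name for confirmation instead of silently allowing the transfer.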

The proposals also bring electronic communications service providers - internet service providers and messaging platforms - within scope for fraud prevention, specifically requiring them to "take all reasonable organizational and technical measures to detect and prevent fraud within their sphere of competence, in accordance with applicable Union and national law." 

ATMs will have to show all fees and exchange rates before each transaction. 

There are also proposals for more transparency on payment card scheme fees and rules that should help merchants compare acquiring services (as the UK's Payment Services Regulator was also seeking to achieve, before being subsumed into the FCA).

I will keep following developments until the new legislation is passed. It appears the legislation will take effect 24 months later.


Changes to UK Data Protection Regime

The UK's Data (Use and Access) Act 2025 (DUA) has been passed, though much of it is yet to take effect. There are some important tweaks to the UK's data protection laws (Data Protection Act 2018/UK GDPR and cookies regulation (PECR)). Firms will need to reconsider their privacy policies relating to research, (direct) marketing, cookies and AI in particular. There are now the same potential fines for cookie violations as for UK GDPR breaches - note that the Information Commissioner seems to care more about cookies and automatically scans for non-compliance. If you need legal advice on any of this, please let me know.