The Payment Expert Podcast

In today’s episode, Host Louis Thompsett is joined by Shaanil Senarath-Dassanayake, Associate at Charles Russell Speechlys, as the duo discuss the seismic shifts in the UK’s regulatory landscape and what the transition from "unregulated" to "fully authorised" actually means for the next generation of fintech innovators.

Key Discussion Points
  • The Crypto Authorization Gateway: Why the move from AML registration to full FCA authorization is more than just a paperwork exercise—it’s a total shift in operational expectations.
  • Senior Management Accountability: How the extension of SM&CR to crypto firms is forcing founders to rethink personal liability and governance in a maturing market.
  • The BNPL "Regulation Day": Navigating the July 15, 2026, deadline for Deferred Payment Credit and the compliance hurdles for firms facing FCA consumer credit rules for the first time.
  • Structural Shakeups: What the consolidation of the PSR into the FCA means for payments firms and whether a "single supervisor" model will truly simplify the complex UK ecosystem.
  • The AI Liability Gap: Insights from the FCA’s Mills Review on where the legal "buck stops" when agentic and generative AI systems cause consumer harm.
Host: Louis Thompsett
Guest: Shaanil Senarath-Dassanayake
Producer: Anaya McDonald
Editor: Anaya McDonald

Learn more about the latest payments insights: https://paymentexpert.com

What is The Payment Expert Podcast?

Welcome to The Payment Expert weekly podcast, brought to you by SBC Media. Each week we analyse the news driving the global payments industry forward; the innovation, the infrastructure, and everything that has to happen to make it all possible.

:
I think without consistent and clear views, the UK will risk becoming a flyover jurisdiction. And I think industry plays a part in informing each of these regulatory bodies of actually the reality. you Hello and welcome back to the Payment Expert podcast, your source for the latest news, insights and analysis on the payments industry. I'm Lewis Thompson, news editor at Payment Expert and with me today, I'm delighted to have Shanil, who's an associate at Charles Russell Speech Leeds. Shanil is joining us today to discuss the busy and ever-changing financial services regulation landscape here in the UK. Welcome, Shanil. Before we begin, just tell us a little bit about yourself, uh your role uh and what you've been up to lately in the space with your work at Charles Russell. Yeah, sure. And thanks so much for having me on the podcast. I feel very honored to be on it. as uh Louis said, so I'm Sharnel. I'm an associate in the financial services regulation team at Charles Russell Speech Lease. I have been working in FinTech regulations. from the moment that I started uh my legal career. So I started with a lot of startups and fintechs, and then uh that also included a lot of crypto and blockchain businesses. And then I've also worked with institutional clients, individuals, a whole variety. But I will say that my baby is in that intersect of digital assets, payments, uh and general fintech regulation as well. It's certainly been a really, really busy. busy time. think busy is an understatement, if I'm being honest. I think it's fair to say that the amount of changes that are coming in, and especially if you're touching on a lot of regimes, it can be overwhelming. So, know, to industry out there, you're not alone. Yeah, absolutely. It's exciting, though, to be in the space. It's why I chose to be in it. There's just constant change. There's always something new to learn. So yeah, I love it. Yeah, I mean, there's been a lot recently, even if we look over the last couple of weeks, but in, you know, even the last two to three months, you know, new crypto frameworks, buying up later, coming into scope, open finance on the horizon. um where you sit in your role, your advising clients, mean, you've said it's crazy, but what does it look like on the ground right now in terms of uh cross industry or within financial services and how these new regulations are shaping from there? the business side, the organizational side. Yeah. So really, you know, for a lot of businesses, I think it depends also on where you're starting out with. are, there are some businesses where they're only looking at maybe one regime, even though it's very busy, but re in reality, a lot of people are tracking various regimes. Right. So you're looking at digital assets, you're looking at perhaps maybe banking and then payments as well at all at the same time. So really on the ground, what you're seeing is that firms are tracking multiple consultation timelines. uh They're preparing for new authorization requirements. em And while doing that, they're also trying to future-proof compliance infrastructures across regimes that are still being finalized. uh I think what it looks like on the ground, on a practical level, really depends on sophistication and the size of the business. But one thing that is a shared experience is around prioritization. So which of these relevant work streams is going to affect their business model first? Because frankly, there are limited resources. And so that's, it's really, an allocation of resources issue. So what are you going to focus on now versus what are you going to focus on maybe a little later? Not that it's because It's not important, but a lot of this exercise as you get is, you know, it comes with trade-offs. So you have to balance that with, you know, commercial risks that businesses are willing to accept um against other risks. So for example, we're talking about governance and risk management. We're talking about the cost burden as well that's associated with compliance. But then versus protecting consumers and still remaining competitive. And while you're doing all of this, you've also got that exercise of, know, having in your mind whether these interests and the balance that you're doing is aligned with how the FCA may supervise you or has also supervised you to date. absolutely. I mean, when we look at some firms who perhaps are, you know, registered under current AML rules that are in place, there's no sort of automatic conversion, they have to then go through full, you know, FCA authorization, uh those kinds of processes. What does that transition involve for the businesses that have to go through it? Yeah. mean, look, I think that firms are sort of mentally prepared. Yeah. But I think some folks in the industry might be underestimating sort of how much time an investment actually goes. to getting it right from the start. And that also includes uh communications with the FCA, even at um what you call the pre-application support meeting. um One thing that I will say from the get-go is that the FCA has been super clear. Exactly as you say, it's not a light touch registration like the current MLR regime. It's full authorization. So you have various rules to comply with. The issue that I'm seeing at the moment right now, uh literally even yesterday in some discussions at a round table, is that there's some hesitancy in terms of whether firms should sort of wait for the final rules to come out before they get stuck into implementation. And I do get this, especially because there's just the significant costs involved. uh And there are a couple of sticky issues that The industry needs the FCA to clarify as well. And there could be too much on the line to have to change, right? Once the approach comes in and once the final rules are released. I think that makes sense around probably the stable coin regime. ah Just because there's been a lot of mixed signaling between regulators. But in my view, I think if you're waiting for the rest of the, you know, the crypto asset regime to come out, to start your preparation. think you're already behind given the pace of the rest of the market. um appreciate this kind of like a balance. know, I, I, I, but I think it's very likely that the FCA materials are basically in final form subject to some clarifications that they're most likely to come out in the summer when those past meetings start um sort of in practice, what firms, you know, should be sort of looking at what I expect is that, you know, you'll see these mature players. in the market in the first instance. So people that already have physical authorization that are maybe, sort of working to navigate the process a bit more smoothly. But, you know, for MLR registered firms, more specifically, you're really looking at, well, there's threshold conditions that you need to meet. Are you able to meet these minimum standards expected? Your business model, how does your current one and how does your expected business model? How does that look? You regulatory capital requirements. Do you actually have the capital and liquidity management system? you have the capital required to achieve? Do the activities propose? Senior managers. Do you have people there, but do you have people that understand the key roles that they're actually taking? Have these responsibilities been clearly allocated? these people and do they realize that they actually have ongoing responsibilities? Yes, it's a lot. It is a lot. And I think it's that point about transitioning from just registration to full authorization. And really it also means having internal conversations about why it matters and making sure that everyone is aligned, that it's not just risk, legal and compliance function that's responsible. It's people on a day-to-day basis. uh And yeah, start building now if you can. Yeah, sure. I mean, it makes sense what you're saying. Obviously some would like to wait. I mean, if you look at, mentioned the stable coin regime, obviously you've got the likes of the FCA, the Bank of England, the treasury, you know, all with proposals kind of simultaneously there on the table. So I suppose for, you know, those who, who it affects those organizations that it affects getting a here in picture around that is perhaps. uh slightly difficult, if there, I know you mentioned a few things there that, um, you know, businesses and organizations can look to start to do now. Is there anything in particular you think that, uh, from what you've seen from perhaps the clients you've advised that, uh, one thing that perhaps firms aren't doing that, that they should be to, um, get ahead of the regime. I that, honestly, I think that really it's that internal conversation piece. I think it's so, there are, you know, when we're interacting with different businesses, obviously we don't see every single person, right? We're usually either dealing with the GC or legal counsel or someone from risk. And that that's fine because you know, those, those, those are the staff members that tend to have uh most oversight over these activities. But really I think, It's, I think it's the wider internal conversation piece, especially for those that are transitioning from MLR to FISMA authorization. Cause I think sometimes people might just think, oh yeah, it's been light touch today. You know, a lot of it has been sort of founder led, you know, we've been able to just sort of, you know, carry on as we are. Of course there are still requirements being MLR registered, but FISMA authorization is way more and it's, it's It's that reason because it is a high standard, know, this is what, this is what people look to the UK for. They know that if you have an FCA license or authorization, they're like, yeah, we'll, want to deal with them. know that they are probably being regulated and supervised really well. They've, they've got their stuff sorted. So the thing is that, that then, you know, you had to feed down, you know, right down to teams that are developing products as well. Sometimes, you know, obviously business continues, right? Even if regulation might be a little bit slow. Business still continues, you still need to make money, you still need to serve as customers, but you need to have kind of everyone on that journey to realize being like, sometimes we not be able to respond as quickly because guess what? We have these requirements along the way. So everyone kind of needs to know that they're all responsible for the license. So I think I just, what I haven't really seen is that wider internal conversation, I think piece, or at least that's what I've gathered from conversations. So it would be a recommendation. it's almost something that inevitably will need to happen as and when it does. That's another thing. It's perhaps not as big a change as, mean, if we touch on SM and CR, obviously that's been extended into crypto firms. So I think senior managers need to sort of be personally accountable. Should there be any operational failures or anything like that? It might come as a bit of a dramatic shift, perhaps for founders who've built their businesses in. unregulated environments, unregulated markets, uh, as well. Is that something you'd agree with? I think you're spot on. in terms of, and I, and I honestly, think it's like one, I think it's one of the, probably the most difficult, you know, the different conditions that I was mentioning in terms of getting authorization. I actually think that this is going to be where the most difficult is going to be, the difficult part is going to be because it's going to be such a genuine culture shock to many of these firms. So as we were sort of saying, you know, in the In the unregulated world, know, accountability structures, it's kind of informal, it's kind of flat, it's founder led, but with SMCR, it's very intentional in carrying high standards of behavior and naming individuals, you know, in respect to which that, you know, they have either certain roles or prescribed responsibilities and who will be held accountable if something happens. So. You know, everyone has a role to play as I was mentioning before, but if something goes wrong, VFCA will ask who is responsible. What did they know? What do they do about it? And you're right that the SMCI will apply in its current form to crypto asset businesses that are going to be authorized under the FSMA regime. that means, you know, senior manager functions, that means certification requirements, that means conduct rules. It gets super technical, but I will just say, just want to clarify that, you know, the application of these rules, it'll depend on if you are a core or if you're an enhanced firm. And the FCA has set out that stable coin issuers and crypto asset custodians that meet certain thresholds, they'll be what you call considered enhanced firms. So that means there are additional conduct requirements that apply in those cases. Makes sense as well, given the nature of the business. There was actually the FCA did do a webinar a couple of weeks ago on this exact topic. So highly recommend, highly recommend that people listen to this. And I'm sure that the recording is available on the FCA's website because you're literally hearing from the director, know, like directly from the regulator. don't think I've heard it either. Well, so highly recommend, but in case it's helpful, in case it's helpful, like, you know, there are a couple of key takeaways that I did take. you know, that I got from it, right? So you've got firms that are starting from scratch, right? Or that have never been regulated, but are now captured. So something that you should take away is actually good recruitment processes are going to be key. You wouldn't think about this, right? You talk about, digital assets, all that stuff, but good recruitment processes are going to be super important for this, especially for people that are holding certain roles. So these are the people that represent your firm. So you need to do your DED, make sure that you get the relevant documents, identify any development gaps. So do you need to train people as well that you currently have? Do they need to be supported? You need to make sure that they do references. It's not just a tick box, know, oh criminal check. It's not just that, there's more involved. So that's one thing. ah Another takeaway from that FCA webinar that was actually really helpful was that your obligations in relation to this regime, it doesn't stop at the... initial application, right? It's not at that state. It's ongoing. It's an ongoing requirement. And firms need to keep the FC informed if, you know, if there are issues to do with someone's and propriety, for example. And then I think I'd say the final, this is the final key takeaway for those that haven't had a chance to sort of watch the webinar is that if you are already MLR registered, you know, look back at the people that you currently have in these certain roles. Because the SMCI is going to require, it's so much broader than the MLR regime, right? And it's going to require these existing people to be able to meet the standards of the licensing regime. So you need to confirm that these existing hires are suitable. And so that might mean you need to train them more. So yeah, there's a couple of things. um Yeah, as you say, it's a lot, but it is doable. It is doable, I think, just in a... in a structured way. Yeah, sure. Absolutely. Let's touch a bit on something that perhaps affects more of the consumer side. We've seen that by now, Pellet says sort of regulatory perimeters are due to come into force. I think it's July. I might be wrong. that right? Got it right. You're right. Yeah. the 15th July. um So obviously with that, mean, that's now kind of, obviously, yeah, as we mentioned, formally defined. But I suppose for firms, are kind of for them compliance pressure points. Perhaps if they've ever had to navigate the kind of consumer credit rules before from the FCA and obviously how they kind of translate the shift to their consumers. Obviously, by now, late, it's still a relatively new-ish mode of credit. I suppose how... keeping customers on board with that, yeah, with those checks now in place. Something that was perhaps seamless now has an additional check in there. Yeah, and I think that's right. um I mean, by way of context, you know, the FCA did introduce these rules around buy now, pay later. Well, deferred payment credit is the term that they're using now. It is mainly because they wanted to, you know, reduce the risk of harm to consumers because I will say, you know, as a consumer that this is, many years ago before I got enrolled in this world. You think you sort of see buy now, pay later. You're like, oh yeah, great. I can buy that. Yeah, I'll pay later. But then you don't realize like, oh, this might be affecting my credit ratings. This might be, I might be incurring costs later on if it's not just free money. ah So really what the FCA wanted to do is to start to formalize this with what I'll call, know, DPC uh lenders, because they want to make sure that consumers are actually given effective, timely, you know, information. so that they can actually make informed decisions about the DPC borrowing. It's not just about, you know, clicking about and being like, yeah, buy now, pay later. It's like, oh no, you're actually kind of borrowing this money for a period of time, really. But people don't necessarily realize that because obviously the process has been so sort of smooth to date. uh Then also, you know, the FCA wants to make sure that the DPC lenders actually make sure that they are lending responsibly and affordably. Can these people actually afford it possibly? ah And then to support customers as well. They may have sort of gone on this journey and then that have now come across financial difficulty. So you're right. There are pressure points, uh especially for DPC firms that have never done this because they are, yeah, there are quite a few, but if I had to mention a couple of pressure points, I think one of the first things is I think aptly to mention is obviously authorization. ah And that is You know, from the 15th of July. the DPC lender, need to either be authorized or sorry. then to be authorized for the uh relevant consumer credit activities, or they need to have a temporary permission under the DPC regime. Now to apply for the temporary permission. So firms have between the 15th of May. just last week, up to the 1st of July this year to complete a notification form. and to pay the relevant fee. So there is still time. There's still time to get that temporary permission. The other sort of key pressure point is the affordability section. that's, know, lenders need to uh actually conduct credit worthiness assessments for every transaction. Even those below 50 pounds. So as you said, uh it's a fundamental shift, right? From what you find is the current frictionless check out model and now you're going to have sort of, you your UX is very likely to change because you have these additional questions now and making sure that people actually know what they're signing up for. em I'd say there are two other sort of main points. I would say it's mainly from the DPC lender's perspective. And it's the fact that they are now subject to broader rules. So the FCA's framework, em you're looking at the consumer duty principles for businesses and other conditions as well. you know, like we were talking with the, with the crypto asset regime as well. These sorts of rules as well, when you're undertaking it for the first time, it's, it's a lot, it's a lot. But the final thing that's also a new point is the fact that the customers will have access to the financial ombudsman service for the first time. So, you know, which means that firms actually need to have proper complaints processes in place. And the fact that they need to be prepared that there might be FOSS scrutiny over their lending decisions as well. So, know, hopefully, hopefully firms are nearly there because, know, if they're not compliant by the 15th of July this year, they'll need to stop providing the, um, buy now pay later services. Uh, but yeah, it is, it is an undertaking. I think that, I think that consumers will also feel it in the sense of that user experience. Uh, but it's in the view, you know, the FCA in order to ultimately protect them from getting into debt really. Yeah, sure. Really great insights, Sean, and I'm sure our viewers will take some learnings from this if they haven't already. I mean, just lastly for me, when it comes to the FCR, I've been asking a lot of speakers, there's obviously the PSR was folded into that, which is quite a big structural change in how it works. Maybe I'll put my neck out and say perhaps the PSR was a bit more strict or historically strict. the FDA has recently been a bit more consumer friendly or collaborative perhaps with the industry. What do you think that consolidation means in how things work? Did you think the kind of FDA's collaboration maybe takes over a bit, but obviously the PSR's role is still there somewhere within that structure? So funnily enough, the government actually published their consultation response a few weeks ago on how it on how it plans to consolidate the PSR into the FCA. But as expected, so the lowdown, as expected, it's basically confirming that the FCA will lift the PSR's functions and powers and just shift it into the FCA's existing framework. What the implementation of it looks like though, it requires primary legislation. so, The current plan is to introduce legislation as soon as parliamentary time allows. And from what I've heard, I mean, it's unlikely to come into effect until 2027. That's just what I've heard. But in practice, what I think the consolidation may look like for firms and how it might impact them is mainly in the way I think that they're used to being supervised and regulated. So... two particular points, so objectives. And you kind of alluded to it actually in what you were saying before. So the FCA and the PSR, they have already been aligning operationally. So they've been having conversations and it has possibly made public. And the FCA has said that the shared objectives, so things like competition, innovation and consumer protection, they remain the same. But there are certain statements from the government. which kind of suggests to me that there might be a shift in priorities. So for example, with the PSR, originally they had a stronger competition focus, whereas the FCA tends to be uh focused more strongly on consumer protection. know, just take a look at the regulatory priorities and actually how they're, you know, statutorily set up. It's, it's, it's consumer protection is like one of the, it's the one slash the prior, you know, primary objective. Yeah. Primary objective. Yeah, primary objective. uh But that sort of begs the question of, know, whether things like consumer duty obligations, conduct of business requirements, and you know, other things when you start bringing people into the FCA world, whether those will be extended to these firms once consolidation is complete, or whether they'll be subject to transitional provision. So that's not entirely clear yet. uh And the other thing kind of on that note is around enforcement. So you know, bearing in mind sort of the FCA's framework for penalties and enforcement is wider and potentially harsher than the PSR's more sort of limited regime, which has been considered light touch or lighter touch. yeah, I mean, you know, with that in mind, whilst I kind of hope, you know, the whole purpose of this consolidation, the ambition is for simplicity going forward. And I hope that's going to be the case. But I think that the reality might be that the complexity is not going to disappear altogether, but maybe sort of fine tuned over time. Yes. Well, we'll have to wait and see on that. Well, thank you very much. Thank you very much, Sharnil, for your time today. I mean, if there's any last word of advice you'd offer to anyone, whether it's through the new stable coins regime, SMC or indeed anything around binoculars, feel free to go ahead and give your... Your last words of encouragement or advice, suppose, ahead of upcoming regulation. Yeah. mean, you know, given sort of binary pay, that's kind of more set in stone. What I would sort of offer my comments around is that stable coins regime, right? you know, there has, there have been, sorry, conflicting signals, right over the past few weeks. And I think just by way of a quick example, uh you know, sort of other week, the Bank of England sort of made comments around the threat to financial stability with introducing stable coins, but then there was significant industry backlash and they backtracked a few days ago because the stuff is still developing and I think the industry still has a voice and I think there needs to be a bit more pressure put on. It's a shame because there's a lot of potential for the UK. to still be a leader in the space, not just the U S UK still, still can do it. Um, but I think Lord Holmes and a post that he made the other week, of acid adaptably, know, consistent and clear views, the UK will risk becoming a flyover jurisdiction. And I think industry plays a part in informing each of these regulatory bodies of actually the reality. Sure. So a push needed from everyone. Listening, watching. It's not just up to the regulators. It really isn't. think industry needs to take ownership in that as well. Yeah. And educating the regulators. Shrano, thank you very, very much for your time today. It's been really great having you on. But unfortunately, I think we're just about out of time. So to anyone who's been listening. all right. This has been such a fun conversation, honestly. Thank you so much for having me Thank you very much for joining us today. And just to anyone who's been listening, watching, if you're not already subscribed to the podcast, make sure to subscribe wherever you get your podcasts for more from the likes of Sharnil and other guests we've had on previously. And we've got plenty more insights, of course, in the coming weeks and months ahead. And for the latest news as it happens, you can just head over to paymentexpert.com. We'll see you all next time. And thanks to Sharnil once again.