Payments - Key Updates

(6 min read)

The article explores recent UK Government initiatives aimed at modernising the payments and data landscape to drive economic growth. It highlights the National Payments Vision (NPV), which sets out a strategy for next-generation retail payments infrastructure, including a new governance framework involving HM Treasury, the Bank of England, and industry participants. It also examines the Data (Use and Access) Act 2025, which establishes a regulatory framework for Open Banking, Smart Data schemes, and digital verification services. These developments aim to enhance innovation, competition, and consumer control over data while addressing privacy, security, and regulatory challenges. The article underscores the importance of industry engagement and anticipates further consultations and secondary legislation in 2025 to shape the future of payments, Open Finance, and data-driven services.

Next generation retail payments infrastructure

HM Treasury is collaborating with the Bank of England (BoE) to implement a new National Payments Vision (NPV) for the UK, focusing on a modernized, collaborative retail payments infrastructure. This involves establishing a new delivery model and organisational structure to accelerate the transition to next-generation technology and enhance, or even replace, the existing Faster Payments System (FPS). The initiative aims to foster innovation, competition, and security within the payments ecosystem, with key roles defined for public authorities and industry participants.

Headline aspects of the proposals:

The Payments Vision Delivery Committee will set the strategy for retail payments infrastructure. The Committee will be made up of HM Treasury, the Bank of England, the FCA and the PSR.
A Retail Payments Infrastructure Board chaired by the Bank of England and including representation from the payments industry. The Board will report to the Committee.
A Delivery Company will be established which will be industry-owned and responsible for procuring and funding next-generation infrastructure. The Board will oversee the Delivery Committee.
Pay.UK which will focus on the running of the existing interbank systems. Pay.UK will also contribute its expertise through representation on the Board and the Delivery Company.

Next Steps

The proposals set out a new governance framework for developing the next generation payments infrastructure. However, the finer details of how such arrangements will be funded and the interplay between the governance bodies of each forum is still uncertain.

We anticipate more details on the strategy and key priorities for retail payments to be published by the PVDC in Q3 of 2025. This will inform the work of the new Retail Payments Infrastructure Board, the Delivery Company and Pay.UK.

The PVDC will also publish the Payments Forward Plan by the end of the year, which will set out a sequenced plan of initiatives across the payments’ ecosystem including initiatives in both retail and wholesale payments, and the role of digital assets.

Open access: is data the next frontier

Headline aspects of the Act

1. Long-term regulatory framework for open banking

Part 1 of the Act creates a new framework for smart data schemes. The idea is to use the principles deployed to give life to open banking to enable new schemes, in the financial services sector and beyond, that allow consumers and businesses to permit third parties to access their data.

The Act will also set the groundwork for the long-term regulatory framework for Open Banking. It facilitates the transition of the regulatory oversight of the Open Banking interface body (initially established by the CMA’s Retail Banking Market Investigation Order 2017) to the FCA. This will also enable the FCA to help drive for a commercially sustainable and more equitable governance and funding model for open banking schemes.

Next steps

The details will be set out in secondary legislation which we are expecting to be published for consultation in Q3 2025. Currently, it is expected that the legislation setting out the new regulatory framework, empowering the FCA as regulator, will be in place by Q1 2026. We also anticipate secondary legislation setting the path for supporting the rollout of commercial variable recurring payments.

This sounds like quite a demanding timeline. However, the UK has been what has felt like a holding pattern on the next stages of open banking for a couple of years now. Many in the industry are now very keen to see things moving at greater pace.

2. Smart data schemes and open finance

Part 1 of the Act enables the Science and Technology Secretary and HM Treasury to introduce Smart Data schemes through specific regulations. These regulations will detail who must provide data, the type of data required, how and when it should be provided, and measures for data security and access authorisation. These schemes will enable the secure sharing of customer data, on the customer's request, with authorised third-party providers who can use that data to provide services for the customer or business as well as the sharing or publication of contextual business data. In other words, building on Open Banking, this legislation paves the way for the Smart Data model to be used in more sectors, as well as financial services. Consumers and businesses will have better control over their own data and access to new services.

Next steps

One of the first areas being explored is the potential for Smart Data in digital markets, and how it can support growth through the competition and consumer benefits of data maturity. The government launched a consultation on this on 28 July 2025.

The UK government is also currently exploring the potential of a Smart Data scheme for the energy sector, aiming to empower consumers with greater control over their energy usage and facilitate the transition to clean energy. The idea is that a scheme would enable secure and standardised data sharing between consumers, energy suppliers, and third-party providers, potentially leading to personalised services and more informed energy choices. This consultation was also launched in July 2025.

We also anticipate a consultation in Q3 of 2025 on HM Treasury’s intention to build out open finance in specific use cases. Recently the FCA and ICO published an article outlining future areas of focus on Open Finance and Smart Data. They are focused on ensuring robust data protection, trust, and privacy by design while addressing regulatory challenges such as data minimisation, transparency, and interoperability. They explore how emerging technologies like Application Programming Interfaces (APIs), Artificial Intelligence (AI), Distributed Ledger Technology (DLT), and DVS are expected to drive Open Finance forward.

Next steps include the FCA’s launch of a Smart Data Accelerator and continued testing of Open Finance use cases, alongside the ICO’s support for data protection in innovation and digital identity frameworks. Both regulators will collaborate with Government, industry, and other stakeholders to ensure Open Finance develops in a secure, lawful, and consumer-centric manner.

3. Digital verification

Digital verification services allow individuals and businesses to prove their identity online, replacing the need for physical documents in various transactions. These services use may use technologies like facial recognition, document scanning, and data matching to confirm a user's identity digitally. However, it is anticipated that smart data scheme arrangements using APIs will also facilitate the obtaining and sharing of data from both public and private data holders.

In the UK, the Data (Use and Access) Act 2025 will establish a legislative structure for the provision of digital verification services (DVS).

The Act requires the Secretary of State to publish a "trust framework" setting out rules governing the provision of DVS, which can include rules as to who can provide those services, and rules governing their conduct. The Act also requires the creation of a register of certified digital verification service providers. Admittance to the register will be determined based upon whether that provider has been granted a certificate by a "conformity assessment body" confirming that they are in compliance with the rules set out in the trust framework.

The Act further establishes the creation of “conformity bodies”. The bodies that are empowered to certify that a provider is compliant with the rules in the trust framework.

Once a provider is registered, the digital verification service can request data from public authorities as well as private and those public authorities may disclose that information to the provider without this constituting a breach of confidentiality. These data flows are referred to as “information highways”.

Next steps

DVS is aimed at enabling secure access to established data in a more efficient and streamlined way. Possible benefits include, improvements to customer onboarding journeys – speeding up identity and verification as well as the ability to obtain financial data to support credit decisions. There may also be scope here for them to improve and make more efficient their customer due diligence processes to meet anti-money laundering requirements. Some firms may also consider becoming certified providers themselves, monetising access to the data they already hold.

4. Changes to existing data protection laws

The Act amends UK data protection law, as set out in the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR). It gives the Government the power to make regulations on access to and use of customer and business data, digital verification services, and the processing of personal information. The Act introduces a new requirement to put in place a procedure for complaints about breaches of data protection law and increases fines for breaches of PECR's marketing rules. It also relaxes the rules on consent for low-risk cookies, automated decision making and international transfers, as well as amending the rules on data subject access requests (DSARs) to reflect the Information Commissioner’s Office (ICO) guidance.

Please see a previous article from our Commercial and Data Protection team on an overview of the Act.

Final Remarks

It is likely that such developments will require considerable investment by impacted firms’ (data holders).

Firms should monitor these announcements and consultations over the next 6 to 12 months. Stakeholder engagement will remain central to the process to enable regulators and authorities to gather feedback from across the ecosystem and ensure participation.