Learn, unlearn, relearn: managing payments through regulatory shifts

The mantra I keep coming back to in this industry is "learn, unlearn, relearn." Nowhere does it apply more than in regulation. The frameworks that defined the last decade — PSD2, GDPR, PCI-DSS 3.x — are being revised, replaced, or extended in ways that change the day-to-day work of payment teams.

Three shifts to plan around

Instant payments are becoming the default. The EU Instant Payments Regulation requires PSPs offering credit transfers in euro to also offer instant credit transfers, at no additional cost, with payee verification. This is not a feature; it is a redesign of treasury, refunds, and chargeback workflows for any business handling SEPA.

Strong customer authentication is being tightened, not loosened. Despite years of industry lobbying for exemptions, the direction of travel under PSD3 is stricter. Behavioural biometrics, delegated authentication, and out-of-band confirmation are all in scope. If your fraud strategy relies on regulatory ambiguity, plan for it to disappear.

Data portability and open finance are expanding. What started with account information services is moving toward broader financial data. Merchants and fintechs that build the muscle to consume — and offer — open APIs will have a structural advantage.

A framework for keeping up

You cannot read every regulatory consultation. You can do three things consistently:

• Maintain a regulatory radar. A single living document, reviewed monthly, that lists every upcoming change with a date, an owner, and a one-line impact assessment. Most teams that fall behind do so because they have no central artefact.
• Tie compliance to roadmap planning. Treat regulatory deadlines like product launches. Block engineering capacity in the relevant quarter, not the week before the deadline.
• Build relationships with two or three trusted external advisors. Not for the answers — for the early signals. A 30-minute call with someone who reads the consultations for a living can save you a quarter of misdirected work.

The mindset matters more than the framework

The teams I have seen thrive through regulatory cycles share an attitude rather than a process. They treat new rules as opportunities to redesign rather than as taxes to pay. PSD2 created Apple Pay's European moment. The Instant Payments Regulation will create the next set of category winners.

Learn the old rules well enough to understand why they existed. Unlearn the workarounds you built around them. Relearn the new ones with a clean head. That is the only sustainable strategy in a regulated industry.